
FUN with Windows EVENTS [.evtx]

  • Writer: Pavan Raja
  • Feb 1, 2022
  • 2 min read

Monitoring an operating system and its behaviour within the organization is very important. Less critical assets are sometimes left outside the scope of monitoring, which can lead to serious damage if they are compromised.


Sysmon, Application, System and Security logs are widely used, but most of the time they are only applied to a few basic use cases such as user monitoring and privilege escalation.


The same logs can be used to develop advanced use cases as well, which can help detect activity across several MITRE ATT&CK tactics [Credential Access, Defense Evasion, Execution, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance], and can also be used in digital forensics and threat hunting.


While use cases are developed and run against the live logs reported from the Windows environment, in most scenarios, especially when it comes to forensics, it also becomes important to process historical event files. This helps make sure that similar activities did not happen in the past.


Where is the FUN part?

Organizations that have a SIEM solution deployed can validate this easily, since they will have ample log retention for such scenarios. Those who keep backups of the Windows event logs from Active Directory, servers or desktops can leverage those backups instead.


Organizations that have already backed up the event files in .evtx format, or that export them from Event Viewer to .evtx files, can easily convert them to readable formats, which can then be forwarded to the SIEM for validation against the use cases.


I have provided a script which converts .evtx files to .XML format files. These files can be easily processed and ingested. Once ingested, the advanced use cases can be run against them to check whether any compromise happened in the past.
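The conversion the post describes, written here as an added PowerShell example rather than the author's own script. It assumes a Windows host with the built-in Get-WinEvent cmdlet (PowerShell 5.1 or later), takes a folder of backed-up .evtx files and writes one well-formed XML document per file, skipping empty logs instead of aborting on them.

```powershell
# Added example, not the post's script: convert every .evtx in $InputDir to a
# single <Events> XML document in $OutputDir, one output file per input file.
param(
    [Parameter(Mandatory)][string]$InputDir,   # folder holding the backed-up .evtx files
    [Parameter(Mandatory)][string]$OutputDir   # folder where the .xml files are written
)

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

Get-ChildItem -Path $InputDir -Filter *.evtx -File | ForEach-Object {
    $evtx    = $_
    $xmlPath = Join-Path $OutputDir ($evtx.BaseName + '.xml')

    try {
        # -Oldest returns records in chronological order, which keeps the XML
        # in the same order the SIEM will time-sort it. -ErrorAction Stop turns
        # "No events were found" (an empty or zero-record log) into an exception.
        $events = Get-WinEvent -Path $evtx.FullName -Oldest -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($evtx.Name): $($_.Exception.Message)"
        return   # inside ForEach-Object, 'return' continues with the next file
    }

    # Stream each record to disk so a multi-GB log never has to be held as one string.
    $writer = [System.IO.StreamWriter]::new($xmlPath, $false, [System.Text.Encoding]::UTF8)
    try {
        $writer.WriteLine('<?xml version="1.0" encoding="utf-8"?>')
        $writer.WriteLine('<Events>')
        foreach ($record in $events) {
            # ToXml() returns the same <Event> element Event Viewer shows on its XML tab
            $writer.WriteLine($record.ToXml())
        }
        $writer.WriteLine('</Events>')
    } finally {
        $writer.Dispose()
    }

    Write-Host ('{0}: {1} record(s) -> {2}' -f $evtx.Name, @($events).Count, $xmlPath)
}
```

Run it as `.\Convert-Evtx.ps1 -InputDir C:\backups\evtx -OutputDir C:\backups\xml` (script name assumed); the `<Events>` wrapper is what makes each output file parseable as one XML document by the SIEM ingestion pipeline.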


Access the link below to get a copy of the script.

.evtx to .xml conversion example



@2021 Copyrights reserved.
