github.com/lucyxss/golang-evtx
This project is a parsing library for Windows EVTX log files. Our goal was to make a resilient parser which provides a nice interface to interact with the events programmatically. We opted for an event representation as a map, which is perfect to represent the BinXML tree-like structure. As a consequence, it is very easy to (de)serialize events with the standard Go API. We also provide the necessary APIs to query specific values of the event.
An example is better than a long talk:
{
  "Event": {
    "EventData": {
      "Hashes": "SHA1=F04EE61F0C6766590492CD3D9E26ECB0D4F501D8,MD5=68D9577E9E9E3A3DF0348AB3B86242B1,SHA256=7AE581DB760BCEEE4D18D6DE7BB98F46584656A65D9435B4E0C4223798F416D2,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5",
      "Image": "C:\\Windows\\splwow64.exe",
      "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll",
      "ProcessGuid": "B2796A13-E44F-5880-0000-001006E40F00",
      "ProcessId": "4952",
      "Signature": "Microsoft Windows",
      "Signed": "true",
      "UtcTime": "2017-01-19 16:07:45.279"
    },
    "System": {
      "Channel": "Microsoft-Windows-Sysmon/Operational",
      "Computer": "DESKTOP-5SUA567",
      "Correlation": {},
      "EventID": "7",
      "EventRecordID": "116913",
      "Execution": {
        "ProcessID": "1760",
        "ThreadID": "1952"
      },
      "Keywords": "0x8000000000000000",
      "Level": "4",
      "Opcode": "0",
      "Provider": {
        "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
        "Name": "Microsoft-Windows-Sysmon"
      },
      "Security": {
        "UserID": "S-1-5-18"
      },
      "Task": "7",
      "TimeCreated": {
        "SystemTime": "2017-01-19T16:07:45Z"
      },
      "Version": "3"
    }
  }
}
Some utilities are packaged with this library and can be used without any dependencies.
Evtxdump can be used to print the events of several EVTX files in JSON format. The events are printed ordered by time, not by their order of appearance in the file.
Evtxdump can also be used to carve events from raw data. This is very convenient for recovering corrupted EVTX files or for carving deleted EVTX files from disk images. We advise you to select the -t option, which prints the timestamp as an integer at the beginning of each line of the output. This can be used later on to sort the events for timelining purposes (with the sort command, for instance).
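As an added example (not code from golang-evtx, and not its API), the following shows the two ideas described above: an event held as a nested map that the standard encoding/json package (de)serializes directly, with a small path-lookup helper to pull specific values out of it, and an integer timestamp derived from TimeCreated/SystemTime so that events can be ordered chronologically the way evtxdump does before printing and the way its -t prefix lets a plain text sort do afterwards. GetPath, GetString, TimestampUnix, SortByTime and TimelineLines are hypothetical helpers written for this example, and the two Sysmon-style events are constructed sample input, deliberately listed out of time order.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the map-based representation described in the README: a nested
// map[string]interface{} that encoding/json handles natively.
// Added example type, not the golang-evtx library's own type.
type Event map[string]interface{}

// Constructed sample input: two Sysmon-style events, listed out of time order,
// standing in for what a parser would yield from an EVTX file.
const sampleEvents = `[
{"Event":{"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":"7","EventRecordID":"116914","TimeCreated":{"SystemTime":"2017-01-19T16:07:46Z"}},"EventData":{"Image":"C:\\Windows\\splwow64.exe"}}},
{"Event":{"System":{"Channel":"Microsoft-Windows-Sysmon/Operational","EventID":"7","EventRecordID":"116913","TimeCreated":{"SystemTime":"2017-01-19T16:07:45Z"}},"EventData":{"Image":"C:\\Windows\\System32\\dwmapi.dll"}}}
]`

// ParseEvents deserializes a JSON array of events with the standard library only.
func ParseEvents(data string) ([]Event, error) {
	var evts []Event
	if err := json.Unmarshal([]byte(data), &evts); err != nil {
		return nil, err
	}
	return evts, nil
}

// GetPath walks the nested map along a slash-separated path such as
// "Event/System/EventID". Hypothetical helper, not the library's query API.
func GetPath(e Event, path string) (interface{}, bool) {
	var cur interface{} = map[string]interface{}(e)
	for _, key := range strings.Split(path, "/") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		cur, ok = m[key]
		if !ok {
			return nil, false
		}
	}
	return cur, true
}

// GetString is GetPath for string-valued fields (EVTX values arrive as strings).
func GetString(e Event, path string) (string, bool) {
	v, ok := GetPath(e, path)
	if !ok {
		return "", false
	}
	s, ok := v.(string)
	return s, ok
}

// TimestampUnix returns the event creation time as Unix seconds: the kind of
// integer prefix that makes a plain text sort order events chronologically.
func TimestampUnix(e Event) (int64, error) {
	s, ok := GetString(e, "Event/System/TimeCreated/SystemTime")
	if !ok {
		return 0, fmt.Errorf("event has no Event/System/TimeCreated/SystemTime")
	}
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		return 0, err
	}
	return t.Unix(), nil
}

// SortByTime orders a copy of the events by creation time rather than by
// their position in the file, which is what evtxdump does before printing.
func SortByTime(evts []Event) []Event {
	out := append([]Event(nil), evts...)
	sort.SliceStable(out, func(i, j int) bool {
		ti, _ := TimestampUnix(out[i])
		tj, _ := TimestampUnix(out[j])
		return ti < tj
	})
	return out
}

// TimelineLines renders each event as "<unix-seconds> <json>", mimicking the
// -t output layout, with the events already in chronological order.
func TimelineLines(evts []Event) ([]string, error) {
	var lines []string
	for _, e := range SortByTime(evts) {
		ts, err := TimestampUnix(e)
		if err != nil {
			return nil, err
		}
		b, err := json.Marshal(e) // serializing back is just as direct as parsing
		if err != nil {
			return nil, err
		}
		lines = append(lines, fmt.Sprintf("%d %s", ts, b))
	}
	return lines, nil
}

func main() {
	evts, err := ParseEvents(sampleEvents)
	if err != nil {
		panic(err)
	}
	lines, err := TimelineLines(evts)
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Because every value stays a plain map, JSON-level tooling (jq, a SIEM ingester, a Kafka consumer) can work on the output without knowing anything about BinXML; the integer prefix survives a `sort -n` across many files, which is the timelining use the README has in mind.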
Usage of evtxdump: evtxdump [OPTIONS] FILES...
-V Show version and exit
-brURL string
Kafka Broker URL
-c Carve events from file
-cID string
Kafka client ID
-cpuprofile string
write cpu profile to this file
-d Enable debug mode
-l int
Limit the number of chunks to parse (carving mode only)
-memprofile string
write memory profile to this file
-o int
Offset to start from (carving mode only)
-start value
Print logs starting from start
-stop value
Print logs before stop
-t Prints event timestamp (as int) at the beginning of line to make sorting easier
-tag string
special tag for matching purpose on remote collector
-tcp string
tcp socket address for sending output to remote site over TCP. Only for type tcp
-topic string
Kafka topic
-http string
url for sending output to remote site over HTTP. Only for type http
-type string
Type of remote log collector. "http" - JSON-over-HTTP, "tcp" - JSON-over-TCP, "kafka" - Kafka
-u Does not care about ordering the events before printing (faster for large files)
docker build -t monaxgt/evtxdump .
docker run -it --rm -v /tmp:/app/data monaxgt/evtxdump /app/data/log.evtx
Evtxmon is a small command line tool used to monitor, in real time, the logs as they appear in the EVTX files.
Usage: evtxmon [OPTIONS] EVTX-FILE
-V Show version information
-d Enable debug messages
-f value
Event ids to filter out
-s Outputs stats about events processed
-t value
Timeout for the test
-w string
Write monitored events to output file
Some values are not parsed (because we did not have samples to test with), so if you see "UnknowValue: ..." in your output, it means that value type is not supported yet. Please provide us with a sample file so that we can implement it.