d4rk-d4nph3/exfinder

exfinder

Very rudimentary PoC to search Windows EVTX files with SIEM-style queries.

Requirements

Usage

First convert the EVTX dump to JSON

./evtx_dump -o json Security.evtx > JsonLog.txt

Pre-process it into a pure JSON file by stripping the "Record N" header that evtx_dump prints before each record

sed -E 's/Record [[:digit:]]+//g' JsonLog.txt > ProcJsonLog.txt

Start querying like a SIEM

./exfinder.sh 'EventID=4688 Command=powershell.exe | project Host, User, Command'

./exfinder.sh 'EventID=4688 Command= -ma lsass'

Supported Event IDs

Note

  • project outputs columns in a fixed, hard-coded order; the order in which they are listed in the query is ignored.

About

Precision Windows EVTX Searcher
