
Events-Ripper

This project is modeled on RegRipper, to make it easy to extract additional value/pivot points from a TLN events file.

Purpose

Events-Ripper is based on the 5-field, pipe-delimited TLN "intermediate" events file format (time|source|system|user|description). The file is intermediate in the sense that it is the collection of normalized events from different data sources (e.g., Registry, WEVTX, MFT) that is then parsed into a deduped timeline.

The current iteration of Events-Ripper includes plugins that are written specifically for Windows Event Log (*.evtx) events.

This tool is intended to address a very specific problem set, one that leverages a limited data set to develop as much insight and situational awareness as possible from that data set.

Premise

Events-Ripper is built on several core ideas:

  1. Windows Event Logs are retrieved from acquired images, or from "triage" activities. Regardless of how they're retrieved, Windows Event Logs are available.

  2. Windows Event Log records are best described by an event source/ID pair, because event IDs are not unique: the same ID is used by different sources for different events.

  3. Something learned on one engagement or during one incident is likely to be extremely useful during a future incident.

  4. Much more data is available than is often thought from various data sources, especially the Windows Event Log.

Installation

To "install" Events-Ripper, simply download and extract all files to a folder, ensuring that "plugins" remains a subfolder.

Windows Event Logs

Value extracted from Windows Event Logs (and subsequently, the events file) is heavily dependent upon the Windows version, audit configuration, software load, etc., of the system from which the Windows Event Logs are retrieved.

At the time of this writing (as of 28 Jun 2022), the current plugins extract value from the following Windows Event Logs:

Security.evtx
System.evtx
Application.evtx
Microsoft-Windows-Windows Defender%4Operational.evtx
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

As new challenges are surfaced and new plugins are created to address those challenges, value can be derived from:

Microsoft-Windows-User Profile Service%4Operational.evtx
Microsoft-Windows-NetworkProfile%4Operational.evtx
Microsoft-Windows-Shell-Core%4Operational.evtx

Further, Windows Event Logs can provide insight into devices connected to a Windows system, per:

http://windowsir.blogspot.com/2022/05/usb-devices-redux.html

In short, any Windows Event Log that includes records that can provide value can be included, and plugins written to extract or derive that value.

Usage

To use Events-Ripper, start by creating the events file. Copy/extract Windows Event Log *.evtx files to a central location, and then use the included wevtx.bat to create an events file:

wevtx.bat c:\case\*.evtx c:\case\events.txt

Note that wevtx.bat relies on LogParser, which is included here but is also available from Microsoft. Wevtx.bat also uses evtxparse.exe, which (along with its .pl source code) is included in this distribution. The batch file does no error checking, so if wevtx.bat "fails" for some reason, try removing some of the *.evtx files and re-running it.

You can then add other timeline events data using any of the tools in the Tools repository on this GitHub account.

Once you've finished adding data to the events file and you're ready to parse it into a timeline (or after doing so), you can easily create additional context/pivot points by running erip.exe.

Similar to RegRipper, you can run a single plugin against the events file:

erip -f c:\cases\events.txt -p failedlogins

Or, you can run all plugins (you're so very welcome, Dray) against the events file:

erip -f c:\cases\events.txt -a

You can also list all of the plugins available:

erip -l

You can also list the plugins in CSV format:

erip -l -c

Simply redirect the output to a file, and open that file in Excel.
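As an added example (not code from Events-Ripper or its author), the following Python parses the 5-field TLN events file described under Purpose (time|source|system|user|description), dedupes it into a timeline as the Usage steps describe, and then runs a small plugin-style pivot keyed on the event source/ID pair from premise 2, the way the failedlogins plugin does for Security-Auditing/4625 events. The layout of the EVTX description ("Provider/ID;" followed by the event's insertion strings) and the positions of target user, logon type and source IP in the 4625 rows are assumptions, not something the page states, and the sample events file is constructed.

```python
# Added example, not part of Events-Ripper. It parses a 5-field TLN events
# file, dedupes it into a timeline, and runs a small "plugin" that pivots on
# the event source/ID pair the way the failedlogins plugin does.
#
# ASSUMPTIONS (not stated on the page): each EVTX row starts its description
# with "Provider/EventID;" followed by ';'-separated insertion strings, and the
# 4625 sample rows below carry target user, logon type and source IP in
# positions 1, 2 and 3. The sample data is constructed, not from a real case.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class TLNEvent:
    time: int          # TLN time field: seconds since the Unix epoch (UTC)
    source: str        # data source tag, e.g. EVTX, REG, MFT
    system: str        # host the event came from
    user: str          # user, or "-" when the source has none
    description: str   # free text; for EVTX rows "Provider/ID;strings..."


def parse_tln(text):
    """Parse TLN text into events, skipping blanks and '#' comments.
    Malformed rows raise rather than silently corrupting the timeline."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|", 4)          # description may itself contain '|'
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        t, src, host, user, desc = parts
        if not t.isdigit():
            raise ValueError(f"line {lineno}: time {t!r} is not an epoch integer")
        events.append(TLNEvent(int(t), src, host, user, desc))
    return events


def dedupe_timeline(events):
    """The intermediate events file can hold the same record twice (e.g. the
    same .evtx from a triage set and from the image); keep one copy, sorted."""
    return sorted(set(events), key=lambda e: (e.time, e.source, e.description))


def tln_time(epoch):
    """Render the TLN epoch field as the UTC timestamp analysts expect."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def evtx_source_id(desc):
    """Split an EVTX description into (provider, event_id), or None if the
    description does not start with 'Provider/ID' (assumed layout)."""
    head = desc.split(";", 1)[0]
    provider, sep, eid = head.rpartition("/")
    if not sep or not eid.isdigit():
        return None
    return provider, int(eid)


def failed_logins(events):
    """Plugin-style pivot: count Security-Auditing/4625 (failed logon) records
    by (target user, source IP, logon type). Matching on the provider/ID pair
    rather than the bare ID keeps a 4625 from another provider out."""
    wanted = ("Microsoft-Windows-Security-Auditing", 4625)
    counts = Counter()
    for e in events:
        if e.source != "EVTX" or evtx_source_id(e.description) != wanted:
            continue
        fields = e.description.split(";")
        if len(fields) < 4:                  # assumed positions: user, type, IP
            continue
        counts[(fields[1], fields[3], fields[2])] += 1
    return counts


# Constructed sample events file (times are 2022-06-28 UTC). Row 3 duplicates
# row 2; the Some-Other-Provider row shares the ID 4625 but is not a logon.
SAMPLE_EVENTS = """\
1656374400|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/4625;admin;3;10.0.0.5
1656374460|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/4625;admin;3;10.0.0.5
1656374460|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/4625;admin;3;10.0.0.5
1656374520|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/4624;admin;3;10.0.0.5
1656374580|EVTX|WKSTN01|-|Microsoft-Windows-Security-Auditing/4625;svc_backup;10;192.168.1.20
1656374600|EVTX|WKSTN01|-|Some-Other-Provider/4625;unrelated event
1656374640|REG|WKSTN01|-|HKLM/Software/Microsoft/Windows/CurrentVersion/Run value Updater: updater.exe
"""


def report(text=SAMPLE_EVENTS):
    """Parse, dedupe, and return the failed-login pivot as printable lines."""
    timeline = dedupe_timeline(parse_tln(text))
    lines = [f"{len(timeline)} events in timeline, "
             f"{tln_time(timeline[0].time)} .. {tln_time(timeline[-1].time)}"]
    for (user, ip, ltype), n in failed_logins(timeline).most_common():
        lines.append(f"4625  user={user:<12} src={ip:<15} type={ltype}  count={n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as a script and it reports six timeline events (the duplicate 4625 row collapses) and two failed-login pivots; the Some-Other-Provider/4625 row is ignored because the match is on the provider/ID pair, not the ID alone, which is the point of premise 2. A real erip plugin would read the events file written by wevtx.bat instead of the constructed sample.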


Issues

The current "apptelem.pl", "failedlogins.pl", and "restarts.pl" plugins all appear to be busted.

Something appears to be wrong with the "apptelem.pl", "failedlogins.pl", and "restarts.pl" plugins that have been uploaded into your "Events-Ripper" repository on GitHub.

After running a "git clone" against the current "Events-Ripper" repository, those three (3) specific plugin files appear to be filled with blank lines (or some other non-printable special character). When run on Windows, the command "erip.exe -l -c" returns errors when it hits those plugins as well. Lastly, attempting to view the source code for any of those plugins via the github website, appears to just return a bunch of the same repeating special characters (i.e., no source code is displayed).

Below is an example of "erip.exe -l -c" output on my machine:

PS C:\keydet89\Events-Ripper> .\erip.exe -l -c
Plugin,Version,Description
appissue,20230605,Parse Application Hang/Error events
Error: C:\keydet89\Events-Ripper\plugins\apptelem.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.

bitsclient,20230523,Gets info from BITS-Client/3 and /59 events
cleared,20230302,Check for EventLog cleared events
dcom10028,20220930,Parse DCOM/10028 events
defender,20230802,Parse multiple WinDefend events
Error: C:\keydet89\Events-Ripper\plugins\failedlogins.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.

filter,20230802,Parse Windows Filtering Platform events from Security.evtx
filtering,20230302,Parse filtering platform events
hitman,20220930,Parse HitmanPro.Alert/911 events
localsessionips,20230209,Parse LocalSessionManager events for IP addrs
logins,20230714,Parse Security-Auditing/4624 login events
mount,20221010,Get VHD[X]/ISO files mounted
msi,20230504,Parse MsiInstaller events
mssql,20230411,Parse MSSQL/18456 and ../15457 events
nssm,20230525,Parse nssm events
ntfs,20221010,Get NTFS volumes
osversion,20220930,Determine Windows version from EventLog/6009 events
pca,20220930,Gets info from Program Compat Asst Event Log
posh600,20230526,Parse Powershell/600 events for scripts
rdpcore140,20230203,Parse RdpCoreTS/140 events
Error: C:\keydet89\Events-Ripper\plugins\restarts.pl did not return a true value at C:\keydet89\Events-Ripper\erip.exe line 65.

s1,20220930,Parse SentinelOne/31 and /32 events
scm,20230802,Parse Service Control Manager events
sec4648,20220930,Parse Security-Auditing/4648 events
sec4688,20220930,Parse Security-Auditing/4688 events
sec4697,20220930,Parse Security-Auditing/4697 (service install) events
sec4797,20230504,Parse Security-Auditing/4797 (user account checked for blank passwd) events
sec4948,20220928,Parse Security-Auditing/4948 (firewall rule deletion) events
sec5381,20230605,Parse Security-Auditing/5381 (user enum. vault creds) events
sessions,20230307,Parse login/logoff events
shellcore,20220930,Get apps run via Run/RunOnce keys
timechange,20230601,Parse Security-Auditing/616 (system clock changed) events
tsgateway,20230209,Parse TSGateway events
usrmgr,20220930,Parse user mgmt events

Please advise if you have any questions. Regards!
