Top Related Projects
Investigate malicious Windows logon by visualizing and analyzing Windows event log
A repository for using windows event forwarding for incident detection and response
Main Sigma Rule Repository
Open Source Security Events Metadata (OSSEM)
Quick Overview
EVTX-ATTACK-SAMPLES is a GitHub repository maintained by Samir Bousseaden that provides a collection of Windows Event Log (EVTX) samples associated with various attack techniques. This repository serves as a valuable resource for security researchers, threat hunters, and blue team members to study and analyze event logs related to different types of attacks and malicious activities.
Pros
- Comprehensive collection of EVTX samples covering a wide range of attack techniques
- Organized structure with samples categorized by MITRE ATT&CK tactics and techniques
- Regularly updated with new samples and contributions from the community
- Valuable resource for testing and improving detection capabilities
Cons
- Large repository size due to the nature of EVTX files, which can be resource-intensive to download and store
- Some samples may become outdated as Windows and attack techniques evolve
- Requires additional tools and knowledge to analyze and interpret the EVTX files effectively
- May not cover all possible variations of attack techniques or emerging threats
Note: As this is not a code library, the code example and quick start sections have been omitted as per the instructions.
Competitor Comparisons
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Pros of LogonTracer
- Provides a visual analysis tool for investigating lateral movement and detecting compromised accounts
- Offers a web-based interface for easier interaction and data visualization
- Supports multiple data sources, including Windows Event logs and Active Directory logs
Cons of LogonTracer
- Focuses primarily on logon events, while EVTX-ATTACK-SAMPLES covers a broader range of attack techniques
- Requires more setup and dependencies compared to the straightforward sample collection in EVTX-ATTACK-SAMPLES
- May have a steeper learning curve for users unfamiliar with graph-based analysis tools
Code Comparison
LogonTracer (Python):
def parse_evtx(evtx_file, output_dir):
parser = PyEvtxParser(evtx_file)
for record in parser.records():
# Process and analyze event records
EVTX-ATTACK-SAMPLES (No specific code, as it's a collection of sample files)
4688 - Process Creation.evtx
4624 - Successful Logon.evtx
5140 - Network Share Object was accessed.evtx
LogonTracer focuses on parsing and analyzing event logs programmatically, while EVTX-ATTACK-SAMPLES provides raw EVTX files for various attack scenarios. The code comparison highlights the different approaches: LogonTracer offers a tool for processing logs, whereas EVTX-ATTACK-SAMPLES serves as a reference dataset for security analysts and researchers.
A repository for using windows event forwarding for incident detection and response
Pros of windows-event-forwarding
- Provides comprehensive documentation and guidance for implementing Windows Event Forwarding
- Includes ready-to-use WEF subscriptions and Group Policy Objects (GPOs)
- Offers a scalable solution for centralized event collection in enterprise environments
Cons of windows-event-forwarding
- Focuses primarily on configuration and implementation, rather than providing sample event logs
- May require more setup and infrastructure compared to analyzing standalone EVTX files
- Limited to Windows Event Forwarding technology, while EVTX-ATTACK-SAMPLES covers a broader range of attack scenarios
Code Comparison
EVTX-ATTACK-SAMPLES (PowerShell script to parse EVTX files):
Get-WinEvent -Path ".\*.evtx" | Where-Object {$_.Id -eq 4688} | Select-Object TimeCreated, Message
windows-event-forwarding (WEF subscription XML):
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
<Query>
<QueryList>
<Query Id="0">
<Select Path="Security">*[System[(EventID=4688)]]</Select>
</Query>
</QueryList>
</Query>
</Subscription>
Both repositories focus on Windows event logs, but EVTX-ATTACK-SAMPLES provides actual log samples for various attack techniques, while windows-event-forwarding offers tools and configurations for collecting and forwarding events in a centralized manner.
Main Sigma Rule Repository
Pros of Sigma
- Provides a generic, open-source signature format for describing log events
- Offers a wide range of rule conversions for various SIEM systems
- Includes a large community-contributed ruleset for threat detection
Cons of Sigma
- Requires additional tools or scripts to convert rules into SIEM-specific formats
- May not cover all possible attack scenarios or log sources
- Learning curve for writing effective Sigma rules
Code Comparison
EVTX-ATTACK-SAMPLES typically contains raw Windows Event Log XML data:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4688</EventID>
<!-- ... -->
</System>
<!-- ... -->
</Event>
Sigma rules are written in YAML format:
title: Suspicious Process Creation
status: experimental
description: Detects suspicious process creation
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
CommandLine|contains: 'suspicious_command'
condition: selection
The EVTX-ATTACK-SAMPLES repository provides raw event log samples, while Sigma offers a flexible rule format for detecting such events across different SIEM systems.
Open Source Security Events Metadata (OSSEM)
Pros of OSSEM
- Comprehensive documentation and standardization of security event logs
- Collaborative community-driven project with regular updates
- Provides a structured approach to understanding and analyzing event logs
Cons of OSSEM
- More complex and requires a deeper understanding of log structures
- May have a steeper learning curve for beginners
- Focuses on documentation rather than providing actual log samples
Code Comparison
EVTX-ATTACK-SAMPLES typically contains raw EVTX files, which can be viewed using Event Viewer or parsed with PowerShell:
Get-WinEvent -Path .\sample.evtx | Select-Object -First 5
OSSEM provides documentation and schemas, often in YAML format:
title: Process Creation
description: Windows process creation events
event_log: Security
event_id: 4688
While EVTX-ATTACK-SAMPLES offers real-world examples of attack-related logs, OSSEM provides a structured framework for understanding and standardizing log data. EVTX-ATTACK-SAMPLES is more practical for immediate analysis, while OSSEM is better suited for long-term log management and standardization efforts.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Windows EVTX Samples [200 EVTX examples]:
This is a container for windows events samples associated to specific attack and post-exploitation techniques. Can be useful for:
-
Testing your detection scripts based on EVTX parsing
-
Training on DFIR and threat hunting using event logs
-
Designing detection use cases using Windows and Sysmon event logs
-
Avoid/Bypass the noisy techniques if you are a redteamer
N.B: Mapping has been done to the level of ATT&CK technique (not procedure).
Details of the EVTX content mapped to MITRE tactics can be found here, stats summary:
Overview of the covered TTPs using attack-navigator:
Winlogbeat-Bulk-Read
Included is a PowerShell script that can loop through, parse, and replay evtx files with winlogbeat. This can be useful to replay logs into an ELK stack or to a local file. By default this script will output logs to .\winlogbeat\events.json as configured in the winlogbeat_example.yml file, you can configure any of your own destinations in winlogbeat.yml (excluded from git) and the example config file will be ignored if winlogbeat.yml is found.
Winlogbeat-Bulk-Read Usage:
## Display help along with examples:
.\Winlogbeat-Bulk-Read.ps1 -Help
## Run with defaults (read ./ recursively and look for winlogbeat.exe in your path):
.\Winlogbeat-Bulk-Read.ps1
## If you want to point this script at another directory with evtx files and specify a path to the winlogbeat.exe binary:
.\Winlogbeat-Bulk-Read.ps1 -Exe ~\Downloads\winlogbeat\winlogbeat.exe -Source "..\EVTX-ATTACK-SAMPLES\"
License:
EVTX_ATT&CK's GNU General Public License
Top Related Projects
Investigate malicious Windows logon by visualizing and analyzing Windows event log
A repository for using windows event forwarding for incident detection and response
Main Sigma Rule Repository
Open Source Security Events Metadata (OSSEM)
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot