Active Directory

wget https://github.com/omerbenamram/evtx/releases/download/v0.8.1/evtx_dump-v0.8.1-x86_64-unknown-linux-gnu -O evtx_dump
chmod +x evtx_dump
./evtx_dump example.evtx > parsed.txt

Now we can find sensitive information from the parsed text.

grep -i TargetUserName parsed.txt
grep -i TargetDomainName parsed.txt

Search Suspicious Activity in EVTX

Chainsaw is a command-line tool to rapidly search and hunt through Windows Forensics Artifacts.

git clone https://github.com/WithSecureLabs/chainsaw.git
cd chainsaw
cargo build --release
./chainsaw hunt evtx_files/ -s sigma/rules --mapping mapping/sigma-event-logs-all.yml

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

Windows XML EventLog (EVTX)

Read EVTX in Linux

Search Suspicious Activity in EVTX

ON THIS PAGE