Make sure that all installation requirements (e.g. the packages installed in the virtual environment) are fulfilled before running the use cases.

This use case replaces a given account name with a new value in all records: every event data field named TargetUserName or SubjectUserName is rewritten. Additionally, the TargetUserSid and SubjectUserSid fields are set to the new SID, so name and SID stay consistent with each other.
```
$ python3 -m usecases.001_replace_username -h
usage: 001_replace_username.py [-h] src dest old_username new_username new_sid

Replace a given username with new value.

positional arguments:
  src           Path to the source Windows EVTX event log file
  dest          Path to the destination Windows EVTX event log file
  old_username  Old username
  new_username  New username
  new_sid       SID of new user

optional arguments:
  -h, --help    show this help message and exit
```
```
$ python3 -m usecases.001_replace_username usecases/Security_1.evtx usecases/001result.evtx Jon Jane S-1-5-21-1830596930-4165969101-2676038822-1002
```

Screenshots: Original | Result (images not reproduced here).
This use case deletes all logon records (EventID 4624) for a given account name.
Note: Currently, logon records stored with resident templates are ignored and will not be deleted.

```
$ python3 -m usecases.002_delete_logon -h
usage: 002_delete_logon.py [-h] src dest username

Delete all logon records (EventID 4624) for a given account name.

positional arguments:
  src         Path to the source Windows EVTX event log file
  dest        Path to the destination Windows EVTX event log file
  username    Account name of user

optional arguments:
  -h, --help  show this help message and exit
```
```
$ python3 -m usecases.002_delete_logon usecases/Security_1.evtx usecases/002result.evtx Jon
```

Screenshots: Original | Result (images not reproduced here).
This use case changes the TimeGenerated timestamp of the record with a given event record ID. The offset is given per unit and may be positive (increment) or negative (decrement); the offsets are combined, so `--days 2 --hours -2` moves the record 46 hours forward.

Note: Currently the order of the records in the file is not changed, so a shifted timestamp can end up out of sequence with its neighbours.

```
$ python3 -m usecases.003_change_timestamp -h
usage: 003_change_timestamp.py [-h] [--days DAYS] [--hours HOURS]
                               [--minutes MINUTES] [--seconds SECONDS]
                               [--microseconds MICROSECONDS]
                               src dest eventrecordid

Changes the time generated of a given record

positional arguments:
  src                   Path to the source Windows EVTX event log file
  dest                  Path to the destination Windows EVTX event log file
  eventrecordid         Event record id

optional arguments:
  -h, --help            show this help message and exit
  --days DAYS           Increment/Decrement days
  --hours HOURS         Increment/Decrement hours
  --minutes MINUTES     Increment/Decrement minutes
  --seconds SECONDS     Increment/Decrement seconds
  --microseconds MICROSECONDS
                        Increment/Decrement microseconds
```
```
$ python3 -m usecases.003_change_timestamp usecases/Security_2.evtx usecases/003result.evtx 2104 --days 2 --hours -2
```

Screenshots: Original | Result (images not reproduced here).
This script is a generic use case for manipulating a single event data field based on its current value (e.g. replace every SubjectUserName equal to Jon with a new value). Unlike use case 001, only the named field is touched; a related SID field is left as it is.
See 004_change_eventdata_generic.py
```
$ python3 -m usecases.004_change_evendata_generic -h
usage: 004_change_evendata_generic.py [-h] src dest field old_value new_value

Replace all old values in a specific eventdata field

positional arguments:
  src         Path to the source Windows EVTX event log file
  dest        Path to the destination Windows EVTX event log file
  field       Name of the Eventdata field (e.g. SubjectUserName)
  old_value   old value
  new_value   new value

optional arguments:
  -h, --help  show this help message and exit
```
```
$ python3 -m usecases.004_change_evendata_generic usecases/Security_2.evtx usecases/004result.evtx SubjectUserName Jon Evil
2021-01-23 20:26:58,323 [Workflow.Workflow (_validate )] [INFO ] Evtx file verified successfully.
2021-01-23 20:26:58,323 [Workflow.Workflow (run )] [INFO ] Starting step ModifyEventdataStep
2021-01-23 20:26:58,333 [Workflow.FilterUtils (find_records )] [INFO ] Found 1 records
2021-01-23 20:26:58,339 [Workflow.Workflow (run )] [INFO ] Execute ModifyEventdataStep(new_value=Evil) for record 2
2021-01-23 20:26:58,348 [Workflow.ModifyStep (execute )] [INFO ] Changed value of element <Data Name=SubjectUserName from Jon to Evil
2021-01-23 20:26:58,349 [Workflow.Workflow (check )] [INFO ] file header chacksum valid
```
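Each of the use cases above leaves an artefact that can be tested for even without the original file: deleting records (002) leaves a gap in the EventRecordID sequence, shifting one timestamp without reordering (003) leaves a record whose time runs backwards relative to its neighbours, and rewriting an account name without its SID (004, as opposed to 001) leaves one SID mapped to several names. The script below is an added example and not part of this project; it runs those three checks over a handful of constructed Security records in the XML view that EVTX exporters produce (element names and the SystemTime format follow the Windows event schema). The sample records, the SID assigned to Jon and the check thresholds are assumptions made for the example.

```python
"""Consistency checks that expose the artefacts left by the use cases above.

Added example, not part of this project. Input is the XML view of Security
event records; the sample records below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Assumed SID for the account "Jon"; only the name<->SID mapping matters here.
JON_SID = "S-1-5-21-1830596930-4165969101-2676038822-1001"

_EVENT = (
    "<Event><System><EventID>{eid}</EventID><EventRecordID>{rid}</EventRecordID>"
    '<TimeCreated SystemTime="{ts}"/></System><EventData>'
    '<Data Name="SubjectUserSid">{ssid}</Data><Data Name="SubjectUserName">{sname}</Data>'
    '<Data Name="TargetUserSid">{tsid}</Data><Data Name="TargetUserName">{tname}</Data>'
    "</EventData></Event>"
)

# Constructed sample: record 3 has been deleted (use case 002), record 4 had its
# timestamp moved back without reordering (use case 003), and record 5 had
# SubjectUserName rewritten while SubjectUserSid still points at Jon (use case 004).
_SAMPLE_RECORDS = [
    dict(eid=4624, rid=1, ts="2021-01-23T20:26:58.1234567Z",
         ssid="S-1-5-18", sname="WIN10$", tsid=JON_SID, tname="Jon"),
    dict(eid=4672, rid=2, ts="2021-01-23T20:27:10.0000000Z",
         ssid=JON_SID, sname="Jon", tsid="-", tname="-"),
    dict(eid=4688, rid=4, ts="2021-01-23T20:25:00.0000000Z",
         ssid=JON_SID, sname="Jon", tsid="-", tname="-"),
    dict(eid=4688, rid=5, ts="2021-01-23T20:28:00.0000000Z",
         ssid=JON_SID, sname="Evil", tsid="-", tname="-"),
]
SAMPLE_XML = ('<Events xmlns="%s">' % EVENT_NS
              + "".join(_EVENT.format(**r) for r in _SAMPLE_RECORDS) + "</Events>")


def parse_systemtime(value):
    """Windows writes 100 ns precision (7 fractional digits); datetime takes 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime("%s.%s" % (base, frac), "%Y-%m-%dT%H:%M:%S.%f")


def load_records(xml_text):
    """Parse the XML view into dicts: record id, event id, TimeCreated, EventData."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("{%s}Event" % EVENT_NS):
        system = ev.find("e:System", NS)
        records.append({
            "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "data": {d.get("Name"): d.text for d in ev.find("e:EventData", NS)},
        })
    return records


def find_record_id_gaps(records):
    """(first, last) of every missing run in the EventRecordID sequence."""
    ids = sorted(r["record_id"] for r in records)
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


def find_time_regressions(records):
    """Record ids whose TimeCreated is earlier than the preceding record's.

    The service assigns record ids sequentially, so time must not run backwards
    as the record id grows; a timestamp shifted in place breaks that."""
    ordered = sorted(records, key=lambda r: r["record_id"])
    return [cur["record_id"] for prev, cur in zip(ordered, ordered[1:])
            if cur["time"] < prev["time"]]


def find_sid_name_conflicts(records):
    """SIDs seen with more than one account name (Subject or Target fields)."""
    names = defaultdict(set)
    for rec in records:
        for who in ("Subject", "Target"):
            sid = rec["data"].get(who + "UserSid")
            name = rec["data"].get(who + "UserName")
            if sid and name and sid != "-" and name != "-":
                names[sid].add(name)
    return {sid: sorted(seen) for sid, seen in names.items() if len(seen) > 1}


def audit(xml_text):
    """Run all three checks and return the findings."""
    records = load_records(xml_text)
    return {
        "record_id_gaps": find_record_id_gaps(records),
        "time_regressions": find_time_regressions(records),
        "sid_name_conflicts": find_sid_name_conflicts(records),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_XML).items():
        print("%-20s %s" % (check, result))
```

These checks only show that the file is inconsistent with itself; a manipulation that also renumbers records and re-sorts them leaves none of these traces. Comparing the file against a forwarded copy of the same events on a collector remains the stronger check.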