Use Cases

Please make sure that all installation requirements (e.g. the packages installed in the virtual environment) are fulfilled.

001 Replace username

This use case replaces a given account name with a new value in all records. All event data fields named TargetUserName and SubjectUserName are modified; additionally, the TargetUserSid and SubjectUserSid fields are changed.

See 001_replace_username.py

$ python3 -m usecases.001_replace_username -h
usage: 001_replace_username.py [-h] src dest old_username new_username new_sid

Replace a given username with new value.

positional arguments:
  src           Path to the source Windows EVTX event log file
  dest          Path to the destination Windows EVTX event log file
  old_username  Old username
  new_username  New username
  new_sid       SID of new user

optional arguments:
  -h, --help    show this help message and exit
  
$ python3 -m usecases.001_replace_username usecases/Security_1.evtx usecases/001result.evtx Jon Jane S-1-5-21-1830596930-4165969101-2676038822-1002
[Screenshots: Use Case 001 - Original | Use Case 001 - Result]

002 Delete logon

This use case deletes all logon records (EventID 4624) for a given account name.

Note: Currently, logon records that use resident templates are ignored and not deleted.

See 002_delete_logon.py

$ python3 -m usecases.002_delete_logon -h
usage: 002_delete_logon.py [-h] src dest username

Delete all logon records (EventID 4624) of a given account name.

positional arguments:
  src         Path to the source Windows EVTX event log file
  dest        Path to the destination Windows EVTX event log file
  username    Account name of user

optional arguments:
  -h, --help  show this help message and exit
  
$ python3 -m usecases.002_delete_logon usecases/Security_1.evtx usecases/002result.evtx Jon
[Screenshots: Use Case 002 - Original | Use Case 002 - Result]

003 Change timestamp

This use case changes the TimeGenerated timestamp of a given event record ID. The timestamp can be incremented or decremented.

Note: Currently the order of the events is not changed, so a shifted record keeps its position in the file.

See 003_change_timestamp.py

$ python3 -m usecases.003_change_timestamp -h
usage: 003_change_timestamp.py [-h] [--days DAYS] [--hours HOURS]
                               [--minutes MINUTES] [--seconds SECONDS]
                               [--microseconds MICROSECONDS]
                               src dest eventrecordid

Changes the time generated of a given record

positional arguments:
  src                   Path to the source Windows EVTX event log file
  dest                  Path to the destination Windows EVTX event log file
  eventrecordid         Event record id

optional arguments:
  -h, --help            show this help message and exit
  --days DAYS           Increment/Decrement days
  --hours HOURS         Increment/Decrement hours
  --minutes MINUTES     Increment/Decrement minutes
  --seconds SECONDS     Increment/Decrement seconds
  --microseconds MICROSECONDS
                        Increment/Decrement microseconds

$ python3 -m usecases.003_change_timestamp usecases/Security_2.evtx usecases/003result.evtx 2104 --days 2 --hours -2
[Screenshots: Use Case 003 - Original | Use Case 003 - Result]

004 Generic Eventdata Change

This script is a generic use case for manipulating event data fields based on their old value (e.g. replace every SubjectUserName equal to Jon with a new value).

See 004_change_eventdata_generic.py

$ python3 -m usecases.004_change_evendata_generic -h
usage: 004_change_evendata_generic.py [-h] src dest field old_value new_value

Replace all old values in a specific eventdata field

positional arguments:
  src         Path to the source Windows EVTX event log file
  dest        Path to the destination Windows EVTX event log file
  field       Name of the Eventdata field (e.g. SubjectUserName)
  old_value   old value
  new_value   new value

optional arguments:
  -h, --help  show this help message and exit

$ python3 -m usecases.004_change_evendata_generic usecases/Security_2.evtx usecases/004result.evtx SubjectUserName Jon Evil
2021-01-23 20:26:58,323 [Workflow.Workflow    (_validate           )] [INFO ]  Evtx file verified successfully.
2021-01-23 20:26:58,323 [Workflow.Workflow    (run                 )] [INFO ]  Starting step ModifyEventdataStep
2021-01-23 20:26:58,333 [Workflow.FilterUtils (find_records        )] [INFO ]  Found 1 records
2021-01-23 20:26:58,339 [Workflow.Workflow    (run                 )] [INFO ]  Execute ModifyEventdataStep(new_value=Evil) for record 2
2021-01-23 20:26:58,348 [Workflow.ModifyStep  (execute             )] [INFO ]  Changed value of element <Data Name=SubjectUserName from Jon to Evil
2021-01-23 20:26:58,349 [Workflow.Workflow    (check               )] [INFO ]  file header chacksum valid
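The use cases above leave traces that an analyst can check for independently of the file checksums (which the tool's own log reports as valid after a change): deleting logon records (use case 002) breaks the EventRecordID sequence, and shifting a timestamp without reordering (use case 003) puts a record's time out of step with its neighbours. The following is an added example of such a consistency check; it is not part of this repository, the sample records are constructed, and the optional python-evtx loader and its `record_num()`/`timestamp()` calls are an assumption about that third-party package.

```python
"""Added example (not part of this repository): a defender-side consistency
check over (EventRecordID, TimeCreated) pairs taken from one EVTX file.
Use case 002 removes whole records, which leaves gaps in the EventRecordID
sequence; use case 003 shifts a record's timestamp without reordering the
file, so that record's TimeCreated no longer fits between its neighbours."""
from datetime import datetime, timedelta

# Constructed sample (not taken from the repository's Security_2.evtx):
# record 2104 shifted +2 days -2 hours as in use case 003; 2106-2107 deleted.
SAMPLE_RECORDS = [
    (2101, datetime(2021, 1, 20, 10, 0, 0)),
    (2102, datetime(2021, 1, 20, 10, 0, 5)),
    (2103, datetime(2021, 1, 20, 10, 0, 9)),
    (2104, datetime(2021, 1, 22, 8, 0, 12)),
    (2105, datetime(2021, 1, 20, 10, 0, 15)),
    (2108, datetime(2021, 1, 20, 10, 0, 30)),
]


def find_record_id_gaps(records):
    """Return (first_missing_id, next_present_id) for each break in EventRecordID."""
    ids = sorted(rid for rid, _ in records)
    return [(prev + 1, cur) for prev, cur in zip(ids, ids[1:]) if cur != prev + 1]


def find_time_inversions(records, tolerance=timedelta(0)):
    """Walk records in EventRecordID order and return (earlier_id, later_id) pairs
    where the later record's TimeCreated precedes the earlier one's by more than
    `tolerance` (a small tolerance absorbs legitimate clock jitter)."""
    ordered = sorted(records, key=lambda r: r[0])
    return [(pid, cid) for (pid, pts), (cid, cts) in zip(ordered, ordered[1:])
            if cts + tolerance < pts]


def load_records(path):
    """Read (EventRecordID, TimeCreated) pairs with the third-party python-evtx
    package. Assumption: it is installed and exposes Record.record_num() and
    Record.timestamp(); this is not part of this project's code."""
    from Evtx.Evtx import Evtx
    with Evtx(path) as log:
        return [(rec.record_num(), rec.timestamp()) for rec in log.records()]


if __name__ == "__main__":
    import sys
    recs = load_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    print("EventRecordID gaps:", find_record_id_gaps(recs))
    print("TimeCreated inversions:", find_time_inversions(recs))
```

Run it with a path to an EVTX file to check a real log, or without arguments to see both findings on the constructed sample.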