8000 GitHub - cagivajsp/Zircolite: A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ Zircolite Public
forked from wagga40/Zircolite

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

0 stars 98 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cagivajsp/Zircolite

BranchesTags
 
 

Repository files navigation

Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for linux or JSONL/NDJSON Logs

python version

Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs

  • Zircolite can be used directly on the investigated endpoint or in your forensic/detection lab
  • Zircolite is relatively fast and can parse large datasets in just seconds (check benchmarks)
  • Zircolite is based on a Sigma backend (SQLite) and do not use internal sigma to "something" conversion
  • Zircolite can export results to multiple format with using Jinja templates : JSON, CSV, JSONL, Splunk, Elastic, Zinc, Timesketch...

Zircolite can be used directly in Python or you can use the binaries provided in releases. Documentation is here.

Requirements / Installation

You can install dependencies with : pip3 install -r requirements.txt

The use of evtx_dump is optional but required by default (because it is for now much faster), If you do not want to use it you have to use the --noexternal option. The tool is provided if you clone the Zircolite repository (the official repository is here). For Apple M1 computers, the --noexternal option is preferred.

Quick start

EVTX files :

Help is available with zircolite.py -h. If your EVTX files have the extension ".evtx" :

# python3 zircolite.py --evtx <EVTX FOLDER or EVTX FILE> --ruleset <SIGMA RULESET> [--ruleset <OTHER RULESET>]
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json

The SYSMON ruleset used here is a default one and is for logs coming from endpoints where SYSMON is installed.

Rules can be updated using the -U or --update-rules options.

Auditd / Sysmon for Linux / JSONL or NDJSON logs :

python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd
python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
python3 zircolite.py --events <JSON_FOLDER or JSON_FILE> --ruleset rules/rules_windows_sysmon.json --jsononly

ℹ️ If you want to try the tool you can test with EVTX-ATTACK-SAMPLES (EVTX Files).

Docs

Everything is here.

Mini-Gui

The Mini-GUI can be used totally offline, it allows the user to display and search results. You can automatically generate a Mini-Gui "package" with the --package option. To know how to use the Mini-GUI, check docs here.

Detected events by Mitre Att&ck (c) techniques and criticity levels

Detected events Timeline

Detected events by Mitre Att&ck (c) techniques displayed on the Matrix

Tutorials, references and related projects

Tutorials

  • Russ McRee has published a pretty good tutorial on SIGMA and Zircolite in his blog

  • César Marín has published a tutorial in spanish here

References

Battle-tested

Zircolite has been used to perform cold-analysis (in Lab) on EVTX in multiple "real-life" situations. However, even if Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.

License

About

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 98.1%
  • Other 1.9%
0