[Request a new Feature] FastFind check event windows #29

Open
lprat opened this issue Nov 13, 2020 · 0 comments
lprat commented Nov 13, 2020

Hi,

I would like to know if it is possible to add a new feature in FastFind to find specific events (ID, content, ...).

E.g.:

  • search for mimikatz in xml_string
  • WannaMine (fileless malware, content kept in memory via WMI subscription => OBJECTS.DATA is not readable, but you can find the IOC in evtx [PowerShell, WMI, ...])

I think there are different ways to do it:

If you choose the second case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.yara" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature yara matched">
            <filename fullname="Windows PowerShell.evtx" creation="2019-09-30 13:29:17.691" lastmodification="2019-09-30 13:29:17.691" lastaccess="2019-09-30 13:29:17.691" lastentrychange="2019-09-30 13:29:17.691" />
        </event_match>
    </event>
</fast_find>

If you choose the last case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.tag" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature tag matched">
            <events fullname="Windows PowerShell.evtx" datetime="2020-09-12T14:03:42.000" event_identifier="5805" source_name="NETLOGON" event_level="2" xml_string="&lt;Event xmlns=&quot;http://schemas.microsoft.com/win/2004/08/events/event&quot;&gt;&lt;System&gt;&lt;Provider Name=&quot;NETLOGON&quot;/&gt;&lt;EventID Qualifiers=&quot;0&quot;&gt;5805&lt;/EventID&gt;&lt;Level&gt;2&lt;/Level&gt;&lt;Task&gt;0&lt;/Task&gt;&lt;Keywords&gt;0x0080000000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime=&quot;2020-09-12T14:03:42.000000000Z&quot;/&gt;&lt;EventRecordID&gt;XXXXX&lt;/EventRecordID&gt;&lt;Channel&gt;System&lt;/Channel&gt;&lt;Computer&gt;victim&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data&gt;mimikatz&lt;/Data&gt;&lt;Data&gt;%%5&lt;/Data&gt;&lt;Binary&gt;220000C0&lt;/Binary&gt;&lt;/EventData&gt;&lt;/Event&gt;"/>
        </event_match>
    </event>
</fast_find>

Thanks for your help!
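The feature request above describes the two dimensions of the scan (event ID and content) and the shape of the proposed output. The following is an added example, not FastFind's code or anything from the issue author: a small Python prototype that applies content/ID rules to Windows event XML strings (as a collector would get them from an .evtx file) and renders the proposed <fast_find>/<event>/<event_match>/<events> layout. Regex rules stand in for the ruleset_evtx.yara / ruleset_evtx.tag rulesets named in the issue, the rule names are hypothetical, and the two sample events are constructed (the first mirrors the NETLOGON 5805 record with "mimikatz" in its EventData; the second is a benign PowerShell engine event that must not match).

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample input: (evtx filename, xml_string) pairs.
SAMPLE_EVENTS = [
    ("Windows PowerShell.evtx",
     '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
     '<System><Provider Name="NETLOGON"/><EventID Qualifiers="0">5805</EventID>'
     '<Level>2</Level><TimeCreated SystemTime="2020-09-12T14:03:42.000000000Z"/>'
     '<Channel>System</Channel><Computer>victim</Computer></System>'
     '<EventData><Data>mimikatz</Data><Data>%%5</Data></EventData></Event>'),
    ("Windows PowerShell.evtx",
     '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
     '<System><Provider Name="PowerShell"/><EventID Qualifiers="0">400</EventID>'
     '<Level>4</Level><TimeCreated SystemTime="2020-09-12T14:05:00.000000000Z"/>'
     '<Channel>Windows PowerShell</Channel><Computer>victim</Computer></System>'
     '<EventData><Data>Engine state is changed from None to Available.</Data>'
     '</EventData></Event>'),
]


@dataclass
class Rule:
    """One rule: a regex over the whole xml_string, optionally restricted to
    a set of EventIDs (the "ID" and "content" dimensions of the request)."""
    name: str
    pattern: str
    event_ids: tuple = ()


# Hypothetical ruleset, a stand-in for ruleset_evtx.yara / ruleset_evtx.tag.
RULES = [
    Rule("mimikatz_in_eventdata", r"(?i)mimikatz"),
    Rule("netlogon_5805", r'Provider Name="NETLOGON"', event_ids=("5805",)),
]


@dataclass
class Match:
    rule: str
    filename: str
    datetime: str
    event_id: str
    source: str
    level: str
    xml_string: str


def parse_event(xml_string):
    """Pull the <System> fields the proposed output needs out of one record."""
    system = ET.fromstring(xml_string).find("e:System", EVT_NS)
    return {
        "event_id": system.findtext("e:EventID", default="", namespaces=EVT_NS),
        "level": system.findtext("e:Level", default="", namespaces=EVT_NS),
        "source": system.find("e:Provider", EVT_NS).get("Name", ""),
        "datetime": system.find("e:TimeCreated", EVT_NS).get("SystemTime", ""),
    }


def scan_events(events, rules):
    """Apply every rule to every event; a rule fires only when its EventID
    filter (if set) and its content regex both agree."""
    matches = []
    for filename, xml_string in events:
        fields = parse_event(xml_string)
        for rule in rules:
            if rule.event_ids and fields["event_id"] not in rule.event_ids:
                continue
            if not re.search(rule.pattern, xml_string):
                continue
            matches.append(Match(rule.name, filename, fields["datetime"],
                                 fields["event_id"], fields["source"],
                                 fields["level"], xml_string))
    return matches


def build_report(matches, computer="JEANGABOOK"):
    """Render matches in the layout proposed in the issue.  ElementTree escapes
    the xml_string attribute, so the embedded event XML cannot break the
    report's own markup (the raw '<' in the hand-written sample would)."""
    root = ET.Element("fast_find", computer=computer)
    event = ET.SubElement(root, "event")
    for m in matches:
        em = ET.SubElement(event, "event_match", description=m.rule)
        ET.SubElement(em, "events", fullname=m.filename, datetime=m.datetime,
                      event_identifier=m.event_id, source_name=m.source,
                      event_level=m.level, xml_string=m.xml_string)
    return ET.tostring(root, encoding="unicode")


def report_event_ids(report):
    """Parse a report back and list each match's event_identifier; this only
    works if the report is well-formed despite the embedded event XML."""
    return [e.get("event_identifier") for e in ET.fromstring(report).iter("events")]


if __name__ == "__main__":
    print(build_report(scan_events(SAMPLE_EVENTS, RULES)))
```

Running the block prints a report with two <event_match> entries, both for the NETLOGON record: one from the content rule and one from the ID-plus-content rule. The point worth keeping from the prototype is the escaping: the embedded event XML must be stored as an escaped attribute value (or as CDATA), otherwise a single event containing `<` or `"` produces a report that no XML parser will read back.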
