EvtxECmd: Record error at offset #187

@forensenellanebbia

Description
When I try to parse some of the evtx files from this set EVTX samples - EVTX-to-MITRE-Attack, EvtxECmd (latest version) displays some error messages and produces a blank CSV with just the header.

For instance, this is one of the files I can't parse: ID1116-1117-Defender%20threat%20detected.evtx
I can view the contents of the evtx with Event Viewer or Get-WinEvent with no issues.

Debug message
Here's a snippet of the message:

```
evtxecmd -f "c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx" --csv "c:\tools\evtxecmd" --debug

[2022-04-13 01:21:00.3628260 INF] Processing c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx...
[2022-04-13 01:21:00.3698752 INF] Chunk count: 1, Iterating records...
[2022-04-13 01:21:00.3747379 DBG] Processing chunk at offset 0x1000. Events found so far: 0
[2022-04-13 01:21:00.4054372 ERR] Record error at offset 0x1200, record #: 1 error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
   at evtx.Tags.Value..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\Value.cs:line 26
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 271
   at evtx.Tags.OpenStartElementTag..ctor(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk, Boolean hasAttribute) in D:\Code\evtx\evtx\Tags\OpenStartElementTag.cs:line 53
   at evtx.Tags.TagBuilder.BuildTag(Int64 recordPosition, BinaryReader dataStream, ChunkInfo chunk) in D:\Code\evtx\evtx\Tags\TagBuilder.cs:line 264
   at evtx.EventRecord..ctor(BinaryReader recordData, Int32 recordPosition, ChunkInfo chunk) in D:\Code\evtx\evtx\EventRecord.cs:line 44
   at evtx.ChunkInfo..ctor(Byte[] chunkBytes, Int64 absoluteOffset, Int32 chunkNumber) in D:\Code\evtx\evtx\ChunkInfo.cs:line 208
[...]
[2022-04-13 01:21:00.4451981 INF] Record #1: Error: Specified argument was out of the range of valid values. (Parameter Value Type NullType is not handled! Handle it!)
[2022-04-13 01:21:00.4457700 INF] Record #2: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4463243 INF] Record #3: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4468750 INF] Record #4: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4474257 INF] Record #5: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4479763 INF] Record #6: Error: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter startIndex)
[2022-04-13 01:21:00.4491654 INF] Processed 1 file in 1,1180 seconds
[2022-04-13 01:21:00.4546050 INF] Files with errors
[2022-04-13 01:21:00.4555647 INF] c:\temp\EVTX-to-MITRE-Attack-master\Antivirus\ID1116-1117-Defender threat detected.evtx error count: 6
```
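As an added triage example (not from this issue, and not EvtxECmd's own code), the Python below walks an EVTX image's file header, chunk headers and record framing and checks their CRC32 checksums, so that a file a parser rejects can first be checked for container corruption; the layout constants come from the public EVTX format (a 4 KiB file header block, 64 KiB chunks, records starting 512 bytes into each chunk, which is why the log above reports a chunk at 0x1000 and record #1 at 0x1200), and the sample image is constructed inline. It stops at the record boundaries and does not decode the BinXml payload, which is where the NullType value in this report sits.

```python
import struct, zlib

FILE_HEADER_BLOCK = 0x1000  # chunks start after a 4 KiB file header block
CHUNK_SIZE = 0x10000        # every chunk is 64 KiB
RECORD_AREA = 0x200         # event records start 512 bytes into a chunk
RECORD_SIG = b"\x2a\x2a\x00\x00"

def walk_evtx(data: bytes) -> dict:
    """Validate EVTX container framing; returns per-chunk checksum results and record offsets."""
    if data[:8] != b"ElfFile\x00":
        raise ValueError("missing ElfFile signature")
    n_chunks = struct.unpack_from("<H", data, 42)[0]
    header_ok = zlib.crc32(data[:120]) == struct.unpack_from("<I", data, 124)[0]
    chunks = []
    for i in range(n_chunks):
        base = FILE_HEADER_BLOCK + i * CHUNK_SIZE
        c = data[base:base + CHUNK_SIZE]
        if c[:8] != b"ElfChnk\x00":
            chunks.append({"offset": base, "valid": False, "records": []})
            continue
        free_off, rec_crc = struct.unpack_from("<II", c, 48)
        hdr_ok = zlib.crc32(c[:120] + c[128:512]) == struct.unpack_from("<I", c, 124)[0]
        data_ok = zlib.crc32(c[RECORD_AREA:free_off]) == rec_crc  # CRC over the record area
        records, pos = [], RECORD_AREA
        while pos + 28 <= free_off and c[pos:pos + 4] == RECORD_SIG:
            size, rec_id = struct.unpack_from("<IQ", c, pos + 4)
            if size < 28 or pos + size > free_off:
                break  # malformed length: stop rather than run past the record area
            tail = struct.unpack_from("<I", c, pos + size - 4)[0]  # size is repeated at the end
            records.append({"offset": base + pos, "id": rec_id, "size": size, "framed": tail == size})
            pos += size
        chunks.append({"offset": base, "valid": hdr_ok and data_ok, "records": records})
    return {"header_ok": header_ok, "chunks": chunks}

def build_sample_evtx(payloads) -> bytes:
    """Constructed sample image: one chunk, one record per BinXml payload, checksums filled in."""
    body, last_off = bytearray(), RECORD_AREA
    for rec_id, p in enumerate(payloads, 1):
        last_off, size = RECORD_AREA + len(body), 28 + len(p)
        body += struct.pack("<4sIQQ", RECORD_SIG, size, rec_id, 0) + p + struct.pack("<I", size)
    free_off = RECORD_AREA + len(body)
    chunk = bytearray(CHUNK_SIZE)
    chunk[RECORD_AREA:free_off] = body
    struct.pack_into("<8sQQQQIIII", chunk, 0, b"ElfChnk\x00", 1, len(payloads), 1, len(payloads),
                     128, last_off, free_off, zlib.crc32(body))
    struct.pack_into("<I", chunk, 124, zlib.crc32(chunk[:120] + chunk[128:512]))
    hdr = bytearray(FILE_HEADER_BLOCK)
    struct.pack_into("<8sQQQIHHHH", hdr, 0, b"ElfFile\x00", 0, 0, len(payloads) + 1, 128, 1, 3, 0x1000, 1)
    struct.pack_into("<I", hdr, 124, zlib.crc32(hdr[:120]))
    return bytes(hdr) + bytes(chunk)
```

A chunk whose records all frame correctly but whose `valid` flag is False points at on-disk corruption; a fully valid container that a parser still rejects points at a parser gap, as the Event Viewer observation above suggests for this file.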