PwnSec Notes
  • AppSec
    • General Notes
    • Payloads
    • Fuzzing
    • Code Review
    • ReDos
    • SSTI
    • LFI-RFI
    • PHP Tricks
    • Javascript
    • Serialization
    • SQL Injection
    • JWT
    • GraphQL
    • Side Channel
    • Command Execution
    • WebSockets
    • Ruby
    • 0Auth
    • Latex Injection
    • NoSQL
    • JS Analysis
    • Apache Lucene
  • Forensics
    • Basics
    • Network Captures
    • Windows Logs
    • Memory
    • Browser
    • Threat Intelligence
    • Disk
  • Binary-Exploitation
    • Concepts
    • Binary Analysis
    • Debugging
    • Shellcodes
  • Malware-Analysis
    • Memory Mapping
    • Macros
    • Unpacking
    • Analysis
    • Resources
  • Reverse-Engineering
    • GDB basics
    • MASM Basics
    • Decompilers
    • Useful Codes
  • Services
    • SNMP
    • Grafana
    • Consul
  • Network Pentesting
    • C2 Servers
    • Pivoting
    • CrackMapExec
    • Kubernetes
    • Docker
  • MISC
    • Slack
    • Git
    • Pyjails
    • Privilege Escalation
    • Python LOL Code
  • Cloud Hacking
    • AWS S3
    • AWS Cognito
  • Mobile Pentesting
    • Frida
    • ADB
    • Drozer
    • Smali
    • Static Analysis
    • Dynamic Analysis
    • Bypass SSL Pinning
    • APK Labs
    • Android Malwares
    • Abusing Firebase
    • Root Detection
Powered by GitBook
On this page
  • Windows Event Logs
  • Windows Management Instrumentation
  • Procmon CSV logs
  • procDOT
  1. Forensics

Windows Logs

PreviousNetwork CapturesNextMemory

Last updated 1 year ago

Windows Event Logs

git clone https://github.com/countercept/chainsaw.git
cd chainsaw
git clone https://github.com/SigmaHQ/sigma
cargo build --release  # OR DOWNLOAD BINARY FROM RELEASES
cp target/release/chainsaw .
./chainsaw hunt <EVTX-LOG-PATH> -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Windows Management Instrumentation

Procmon CSV logs

procDOT

If you have a CSV log file produced by procmon (and optionally a pcap file) you can visualize processes behaviors with . (password: procdot)

Installation (linux)

Make sure that you have the required dependencies for procDOT and make sure to provide their path when you start procDOT.:

  • windump (Windows)

  • tcpdump (Linux)

  • Graphviz

sudo apt install tcpdump graphviz

Install procDOT

wget https://www.procdot.com/download/procdot/binaries/procdot_1_22_57_linux.zip \
    && unzip procdot_1_22_57_linux.zip -d procdot \
    && rm procdot_1_22_57_linux.zip

Note: Avoid installing on Kali

Usage

Select a CSV file for ProcDOT, then under Render Configuration (top right of the window) select a Launcher (process) then click Refresh to visualize the process behavior.

You can enable frame-mode to see its behavior step-by-step by clicking on the film icon (bottom left of the window).

For more details on how to use procDOT, check out these on their official website.

APT-Hunter
Chainsaw
WMI Log Parser
procDOT
videos