Windows Logs
Windows Event Logs
git clone https://github.com/countercept/chainsaw.git
cd chainsaw
git clone https://github.com/SigmaHQ/sigma
cargo build --release # OR DOWNLOAD BINARY FROM RELEASES
cp target/release/chainsaw .
./chainsaw hunt <EVTX-LOG-PATH> -s sigma/ --mapping mappings/sigma-event-logs-all.yml
Windows Management Instrumentation
Procmon CSV logs
procDOT
If you have a CSV log file produced by Procmon (and optionally a pcap file) you can visualize process behavior with procDOT. (The download archive password is procdot.)
Installation (linux)
Make sure that you have the required dependencies for procDOT, and provide their paths when you start procDOT:
windump (Windows)
tcpdump (Linux)
Graphviz
sudo apt install tcpdump graphviz
Install procDOT
wget https://www.procdot.com/download/procdot/binaries/procdot_1_22_57_linux.zip \
&& unzip procdot_1_22_57_linux.zip -d procdot \
&& rm procdot_1_22_57_linux.zip
Note: Avoid installing on Kali
Usage
Select the Procmon CSV file in procDOT, then under Render Configuration (top right of the window) select a Launcher (the process the graph starts from) and click Refresh to visualize its behavior.
You can enable frame-mode to see its behavior step-by-step by clicking on the film icon (bottom left of the window).
For more details on how to use procDOT, check out these videos on their official website.
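As an added example (not procDOT's or Procmon's own code), the summary that procDOT draws as a graph can be reconstructed from a Procmon CSV export in a few lines of Python: the process tree from Process Create events plus per-process counts of file, registry and network operations. It assumes Procmon's default export columns and the "PID: n, Command line: ..." detail text of Process Create rows; the sample capture is constructed.

```python
"""Summarise a Procmon CSV export the way procDOT does (assumes Procmon's default export columns)."""
import csv
import io
import re
from collections import defaultdict
# Constructed sample capture in Procmon's default CSV export layout (not real data).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","explorer.exe","1000","Process Create","C:\\Users\\lab\\sample.exe","SUCCESS","PID: 2000, Command line: ""C:\\Users\\lab\\sample.exe"""
"10:00:01.1000000","sample.exe","2000","CreateFile","C:\\Users\\lab\\AppData\\Local\\Temp\\drop.dll","SUCCESS","Desired Access: Generic Write"
"10:00:01.2000000","sample.exe","2000","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\drop.dll"
"10:00:01.3000000","sample.exe","2000","TCP Connect","lab-pc:49700 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:00:01.4000000","sample.exe","2000","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 3000, Command line: cmd.exe /c whoami"
"10:00:01.5000000","cmd.exe","3000","Process Create","C:\\Windows\\System32\\whoami.exe","SUCCESS","PID: 3100, Command line: whoami"
'''

# Procmon's Process Create detail text reads "PID: 1234, Command line: ..." (assumption).
CREATE_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")
PROCESS_OPS = {"Process Create", "Process Start", "Process Exit", "Thread Create", "Thread Exit", "Load Image"}

def categorize(operation):
    """Map a Procmon operation name onto the edge types procDOT draws."""
    if operation in PROCESS_OPS:
        return "process"
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    return "file"

def summarize(csv_text):
    """Return (children, ops): parent PID -> [(child PID, image, command line)], PID -> per-category counts."""
    children = defaultdict(list)
    ops = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        ops[pid][categorize(row["Operation"])] += 1
        if row["Operation"] == "Process Create":
            m = CREATE_RE.match(row["Detail"])
            if m:  # the child PID lives only in the Detail column; the image path is in Path
                children[pid].append((int(m.group(1)), row["Path"], m.group(2)))
    return children, ops

def render_tree(children, root_pid, depth=0, lines=None):
    """Indented text view of the process tree below root_pid (what procDOT renders as a graph)."""
    lines = [] if lines is None else lines
    for child_pid, image, cmdline in children.get(root_pid, []):
        lines.append("  " * depth + f"{child_pid} {image}  [{cmdline}]")
        render_tree(children, child_pid, depth + 1, lines)
    return lines
```

Running `summarize(SAMPLE_CSV)` and `render_tree(children, 1000)` on the sample shows the explorer.exe -> sample.exe -> cmd.exe -> whoami.exe chain next to sample.exe's file write, Run-key write and outbound connection, which is what you would look for in the procDOT graph.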