WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Support for WEF/WEC ForwardedEvents.evtx

einarssonm opened this issue

Request to add support for WEF/WEC ForwardedEvents.evtx files. Chainsaw seems to process such files, but no results are shown for searches or hunts. See examples below:

[three screenshots attached to the original issue, not reproduced here]

Hi @einarssonm

Thanks for raising this. Do you have any example event logs containing ForwardedEvents that you could share so that I can look into adding support please?

Unfortunately I haven't got any ForwardedEvents.evtx file that can be shared publicly, but I will try to create a test file in my lab.

Hi, I can confirm the issue with Forwarded Events.
The behavior is connected to EVTX Parser, see the following bug:
omerbenamram/evtx#201

I can't replicate this with the example provided in the upstream issue. I get the following output:

Event:
  EventData:
    Binary: ~
    Data:
      - Set-Mailbox
      - "-Identity \"Administrateur\" -DeliverToMailboxAndForward \"False\" -ForwardingSmtpAddress \"smtp:test2@example.com\""
      - ave.local/Users/Administrateur
      - S-1-5-21-186559946-3925841745-111227986-500
      - S-1-5-21-186559946-3925841745-111227986-500
      - Remote-ManagementShell-Unknown
      - "5668 w3wp#MSExchangePowerShellAppPool"
      - ""
      - "5"
      - "00:00:26.0389557"
      - "Afficher la forêt entière : 'False', Portée par défaut : « ave.local », Configuration du contrôleur de domaine : « DC.ave.local », Catalogue global préféré : « DC.ave.local », Contrôleurs de domaine préférés : « { DC.ave.local } »"
      - ""
      - ""
      - ""
      - ""
      - ""
      - ""
      - "False"
      - ""
      - 0 objects execution has been proxied to remote server.
      - ""
      - ""
      - "0"
      - "ActivityId: a3591746-a27b-447a-b8be-ff54ae3a46f1"
      - "ServicePlan:;IsAdmin:True;"
      - ""
      - fr-FR
  System:
    Channel: MSExchange Management
    Computer: WEC.ave.local
    EventID: 1
    EventID_attributes:
      Qualifiers: 16384
    EventRecordID: 3229
    Keywords: "0x80000000000000"
    Level: 4
    Provider_attributes:
      Name: MSExchange CmdletLogs
    Security: ~
    Task: 1
    TimeCreated_attributes:
      SystemTime: "2021-11-19T16:52:33.833733Z"
Event_attributes:
  xmlns: "http://schemas.microsoft.com/win/2004/08/events/event"

@einarssonm @georgethemarmot - I've confirmed that this issue is no longer present in v2:

Chainsaw v1.1.7

-> % ./chainsaw search -e 4624 ~/Downloads/Archive-ForwardedEvents-test.evtx

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (@FranticTyping, @AlexKornitzer)

[+] Found 1 EVTX files
[+] Searching event logs...

[+] Found 0 matching log entries

Chainsaw v2 Alpha

-> % ./chainsaw search -t 'Event.System.EventID: 4624' ~/Downloads/Archive-ForwardedEvents-test.evtx | head -n 30

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (@FranticTyping, @AlexKornitzer)

[+] Loaded 1 EVTX files
[+] Searching event logs...
---
Event:
  EventData:
    AuthenticationPackageName: Kerberos
    ImpersonationLevel: "%%1833"
    IpAddress: 130.86.12.201
    IpPort: "63090"
    KeyLength: "0"
    LmPackageName: "-"
    LogonGuid: "{17DD4C0B-3344-8FC9-A6BD-790F2572B21E}"
    LogonProcessName: Kerberos
    LogonType: "3"
    ProcessId: "0x0"
    ProcessName: "-"

...

v2 is still pre-release, but you can try the alpha versions if you're interested. The sample above uses the new inline TAU feature to search for event IDs, and I'm looking at adding the normal -e flag back in.

I'm going to close this issue out now, but let me know if you see the problem persisting with V2.
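As an added example (not Chainsaw's own code, and not its tau-engine), the following shows the kind of dotted-path matching that the v2 expression `-t 'Event.System.EventID: 4624'` performs, run over two hand-constructed records shaped like the YAML Chainsaw v2 prints. The first record mirrors the Exchange event shown earlier in the thread; the second is a constructed 4624 logon whose System section, channel name and source host are invented, since the thread's output was cut off before them. It also includes a per-channel/per-host summary, which is a quick way to check that a ForwardedEvents.evtx really carries events from several source machines before concluding that a search is broken.

```python
"""Dotted-path searching over Chainsaw-style event records (added example)."""
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample records mirroring the YAML layout Chainsaw v2 prints
# (Event.System.EventID, Event.EventData.<field>, ...). The first mirrors the
# Exchange record shown in the thread; the second is an invented 4624 logon
# from a hypothetical client that forwards to the collector.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "Event": {
            "EventData": {"Data": ["Set-Mailbox", "ave.local/Users/Administrateur"]},
            "System": {
                "Channel": "MSExchange Management",
                "Computer": "WEC.ave.local",
                "EventID": 1,
                "EventRecordID": 3229,
                "Provider_attributes": {"Name": "MSExchange CmdletLogs"},
                "TimeCreated_attributes": {"SystemTime": "2021-11-19T16:52:33.833733Z"},
            },
        }
    },
    {
        "Event": {
            "EventData": {
                "AuthenticationPackageName": "Kerberos",
                "IpAddress": "130.86.12.201",
                "LogonType": "3",  # EVTX renders many numeric fields as strings
                "ProcessId": "0x0",
            },
            "System": {
                "Channel": "ForwardedEvents",  # constructed
                "Computer": "client01.example.local",  # constructed
                "EventID": 4624,
                "EventRecordID": 10,  # constructed
                "Provider_attributes": {"Name": "Microsoft-Windows-Security-Auditing"},
                "TimeCreated_attributes": {"SystemTime": "2021-11-19T17:00:00.000000Z"},
            },
        }
    },
]


def get_path(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path such as 'Event.System.EventID'; None if any hop is missing."""
    node: Any = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse_expression(expr: str) -> Tuple[str, str]:
    """Split 'Event.System.EventID: 4624' into (path, literal), dropping quotes.

    Only the first colon separates path from value, so values that themselves
    contain colons (e.g. 'smtp:user@example.com') survive intact.
    """
    path, sep, value = expr.partition(":")
    if not sep:
        raise ValueError(f"expected '<path>: <value>', got {expr!r}")
    return path.strip(), value.strip().strip("'\"")


def matches(record: Dict[str, Any], path: str, literal: str) -> bool:
    """Compare as strings so EventID 4624 (int) and LogonType "3" (str) both match."""
    value = get_path(record, path)
    return value is not None and str(value) == literal


def search(events: List[Dict[str, Any]], expr: str) -> List[Dict[str, Any]]:
    """Return every record for which the 'path: value' expression holds."""
    path, literal = parse_expression(expr)
    return [e for e in events if matches(e, path, literal)]


def summarise_channels(events: List[Dict[str, Any]]) -> Counter:
    """Count records per (Channel, Computer); a forwarded-events file should
    show several source hosts, not just the collector itself."""
    return Counter(
        (str(get_path(e, "Event.System.Channel")), str(get_path(e, "Event.System.Computer")))
        for e in events
    )


if __name__ == "__main__":
    for hit in search(SAMPLE_EVENTS, "Event.System.EventID: 4624"):
        print(get_path(hit, "Event.System.Computer"), get_path(hit, "Event.EventData.IpAddress"))
    for (channel, computer), n in summarise_channels(SAMPLE_EVENTS).items():
        print(f"{channel} on {computer}: {n} record(s)")
```

The string comparison in `matches` is deliberate: the same field can come out of an EVTX parser as an integer in one record and a quoted string in another (the thread's own output shows `EventID: 1` unquoted but `LogonType: "3"` quoted), and a type-strict comparison would silently drop hits, which looks exactly like the "no results" symptom this issue describes.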