Fri, Apr 16, 2021

Enhancing Event Log Analysis with EvtxECmd using KAPE

How much time are you spending manually parsing and sorting through event logs? With EvtxECmd, digital forensics professionals can optimize Windows event log analysis through its unique mapping feature. Created by Eric Zimmerman, EvtxECmd can be called via the EZParser Module in KAPE (another tool created by Eric Zimmerman) to process thousands of events in seconds and create structured CSV files that are much easier to read and manipulate.

In this session, Kroll’s Andrew Rathbun demonstrates how to run EvtxECmd through KAPE to expedite event log analysis and how to create your own custom Maps. 

This webcast covers:

  • The basic KAPE workflow with the EZParser Module that calls EvtxECmd
  • The general outputs from EZParser and how they are formatted 
  • How EvtxECmd’s unique mapping feature works 
  • What a Map looks like with EvtxECmd and how to create one on your own
 

Tools used in this session: KAPE, EvtxECmd and Timeline Explorer.

Notable Passages From Andrew Rathbun During the Presentation

On Application Logs 

Using Timeline Explorer, you can filter on the Application event log using the column header filter in the Channel column. As I scroll within the Providers column header drop-down box, you can see all the different Providers that are logging events into the Application log. The Application event log is a great example of where many different and unrelated programs, services, etc. log events in the same location.

On Maps

The secret sauce for Eric’s EvtxECmd tool is Maps. Maps are used by EvtxECmd to extract data from parsed event logs and display the data in an easily digestible format (CSV) across various columns. Those columns are Map Description, Username, Remote Host, PayloadData1 through PayloadData6 and ExecutableInfo. These columns are proprietary to EvtxECmd’s output and are not in any way related to how Windows records event log data.

Even though anyone can make a Map, ideally you want only the most useful Maps, because there are hundreds of events out there, but a lot of those events don’t record any data at all.

On Lookup Tables

A Lookup Table is basically the data that is logged in the event data; it looks like just a hex value, doesn't mean anything to me, probably doesn't mean anything to you, but it means something to Windows. And basically, we can take this value, translate it to “username is correct but the password is wrong,” and that is what will show up, rather than the hex value, in our CSV output when we are using EvtxECmd.

A Lookup Table is most commonly used to convert machine-readable data logged within an event log into human-readable data. Often, these values are recorded as what appear to be hex values that, on the surface, don’t mean anything to you and me, but they mean something to Windows. Using Microsoft’s official documentation, we can have EvtxECmd look up the meaning of the values that Windows records within certain event logs and translate them into something more meaningful. In this example, we can take this value, which looks like a hex value, and translate it to “username is correct but the password is wrong,” and this is what will show up rather than the hex value in our CSV output when we parse with EvtxECmd.
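
To make the Maps and Lookup Table mechanism described above concrete, here is an added example, written for this page and not code from EvtxECmd, KAPE or Kroll. It applies a 4625 ("an account failed to log on") map to a hand-constructed XML event the way EvtxECmd does: each entry under Values is an XPath into the event, the values it finds are substituted into PropertyValue, and a Lookup Table translates the SubStatus hex code into its meaning. The map is written as a Python dict whose keys mirror the YAML keys of a .map file as this editor understands them (Maps, Property, PropertyValue, Values, Name, Value, Refine, Lookups, Default); the sample event, the host, user and IP values in it, the helper xp() and the abbreviated lookup text are all constructed for the example, and the work-arounds for ElementTree's limited XPath live inside evaluate().

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Security/4625 event hand-written in the shape of
# EvtxECmd's --xml output (namespace omitted; not a captured event).
SAMPLE_4625 = """<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">ATTACKER-PC</Data>
    <Data Name="IpAddress">10.0.0.45</Data>
  </EventData>
</Event>"""

def xp(name, field):
    """One 'Values' entry: a variable name plus the XPath a map uses (helper, not part of EvtxECmd)."""
    return {"Name": name, "Value": f'/Event/EventData/Data[@Name="{field}"]'}

# The map as a dict mirroring a .map file's YAML keys; lookup text is abbreviated
# from Microsoft's 4625 documentation and only a few values are listed.
MAP_4625 = {
    "Description": "An account failed to log on",
    "EventId": 4625, "Channel": "Security",
    "Provider": "Microsoft-Windows-Security-Auditing",
    "Maps": [
        {"Property": "UserName", "PropertyValue": "%domain%\\%user%",
         "Values": [xp("domain", "TargetDomainName"), xp("user", "TargetUserName")]},
        {"Property": "RemoteHost", "PropertyValue": "%workstation% (%ip%)",
         "Values": [xp("workstation", "WorkstationName"), xp("ip", "IpAddress")]},
        {"Property": "PayloadData1", "PropertyValue": "LogonType %LogonType%",
         "Values": [xp("LogonType", "LogonType")]},
        {"Property": "PayloadData2", "PropertyValue": "SubStatus: %SubStatus%",
         "Values": [xp("SubStatus", "SubStatus")]},
    ],
    "Lookups": [
        {"Name": "LogonType", "Default": "Unknown logon type",
         "Values": {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}},
        {"Name": "SubStatus", "Default": "Unknown sub-status",
         "Values": {"0xC0000064": "User logon with misspelled or bad user account",
                    "0xC000006A": "User logon with misspelled or bad password",
                    "0xC0000234": "User logon with account locked"}},
    ],
}

def map_matches(root, map_def):
    """A map applies only when EventId, Channel and Provider all match the event."""
    provider = root.find("System/Provider")
    return (root.findtext("System/EventID") == str(map_def["EventId"])
            and root.findtext("System/Channel") == map_def["Channel"]
            and provider is not None and provider.get("Name") == map_def["Provider"])

def evaluate(root, path):
    """Resolve a map XPath. ElementTree searches relative to the root element and
    has no @attr step, so '/Event' is stripped and a trailing '/@attr' handled here."""
    rel, _, attr = re.sub(r"^/Event/", "", path).partition("/@")
    node = root.find(rel)
    if node is None:
        return ""
    return (node.get(attr, "") if attr else node.text or "").strip()

def translate(table, raw):
    """Lookup Table: swap the machine value for its meaning. Hex is compared
    case-insensitively because Windows writes 0xc000006a and maps list 0xC000006A."""
    for key, meaning in table["Values"].items():
        if str(key).lower() == raw.lower():
            return meaning
    return table["Default"]

def apply_map(xml_text, map_def):
    """Return the EvtxECmd-style columns the map populates for one event."""
    root = ET.fromstring(xml_text)
    if not map_matches(root, map_def):
        return {}
    lookups = {t["Name"]: t for t in map_def.get("Lookups", [])}
    columns = {}
    for entry in map_def["Maps"]:
        text = entry["PropertyValue"]
        for var in entry.get("Values", []):
            value = evaluate(root, var["Value"])
            if var.get("Refine") and value:          # optional regex narrowing of the value
                hit = re.search(var["Refine"], value)
                value = hit.group(hit.lastindex or 0) if hit else ""
            if var["Name"] in lookups:
                value = translate(lookups[var["Name"]], value)
            text = text.replace(f"%{var['Name']}%", value)
        columns[entry["Property"]] = text
    return columns

if __name__ == "__main__":
    for column, value in apply_map(SAMPLE_4625, MAP_4625).items():
        print(f"{column:12} {value}")
```

Run as-is and PayloadData2 reads "SubStatus: User logon with misspelled or bad password"; delete the SubStatus entry from Lookups and the same column shows the raw 0xc000006a, which is the difference a Lookup Table makes. Delete the whole Maps list and nothing is populated at all, leaving only what a real run would still carry in the Payload column. The Refine branch is the part worth reading when a column looks wrong: the regex, not the event, decides what reaches the CSV.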

On Event Log Analysis with Maps

In this example, I parsed an event log dataset twice, once with an updated set of Maps, and again with the Maps folder deleted. Without Maps, you can see the aforementioned columns are not being used. Even though the columns aren’t populated with event log data, the data will always exist in the Payload column all the way to the right of the CSV. Looking at the example with Maps, you can see all the high-fidelity, low-hanging-fruit, most important data of each event being put in the various columns by the Maps.

Event Log analysis without Maps

Event Log analysis with Maps

On Creating Custom Maps

In order to make your own Maps, you need to convert the EVTX to XML. And the way to do that is by running a command, just like you're going to parse with EvtxECmd: you would run EvtxECmd.exe -f, then the path to it, and then --csv, or you'll just switch it to --xml and it'll output an XML.

evtxecmd.exe -f "path\to\evtx\file" --xml "output\path"

At the bottom of every single Map there's documentation that also includes an example of the event. If you're working cases and you find an event that doesn't have a Map and you want to make a Map for it, you can scrub that event data by changing some of the identifying data from the source, and then just paste it in there.

Each of the Maps is a resource for learning about that event, so if there's any sort of blog post, any sort of forum post, any sort of YouTube video that's about that particular event, it should be at the bottom of every single Map in the Documentation section.
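
The scrubbing step described above, as an added example that is not part of the webcast, of EvtxECmd or of Kroll's material: given the XML that the --xml run writes for one event, it swaps the computer name, user and domain names, workstation, IP address and domain SIDs for placeholders while leaving every element and every Data Name in place, so the example pasted into a Map's Documentation section still lines up with the Map's XPaths, and it then checks that nothing identifying survived. The sample 4624 event, the field list in PLACEHOLDER_DATA and the placeholder values are constructed assumptions; real events log more fields, so extend the list for whatever the event you are documenting records.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (hand-written, not captured): a Security/4624 logon event
# in the shape of EvtxECmd's --xml output, holding the kinds of data to scrub.
SAMPLE_EVENT = """<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3623811015-3361044348-30300820-1013</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">JDOE-LAPTOP</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
  </EventData>
</Event>"""

# Data elements whose values identify a host, user, domain or network, with
# documentation-safe replacements (192.0.2.0/24 is reserved for examples and
# the placeholder SID's sub-authorities are obviously fake).
PLACEHOLDER_DATA = {
    "SubjectUserName": "admin", "TargetUserName": "user",
    "SubjectDomainName": "DOMAIN", "TargetDomainName": "DOMAIN",
    "WorkstationName": "WORKSTATION", "IpAddress": "192.0.2.10",
}
PLACEHOLDER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")   # domain and local SIDs; S-1-5-18 etc. stay
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scrub_event_xml(xml_text, computer="HOST"):
    """Return the event with identifying values replaced but every element and
    Data Name intact, so a Map's XPaths still resolve against the example."""
    root = ET.fromstring(xml_text)
    node = root.find("System/Computer")
    if node is not None:
        node.text = computer
    security = root.find("System/Security")
    if security is not None and security.get("UserID"):
        security.set("UserID", DOMAIN_SID_RE.sub(PLACEHOLDER_SID, security.get("UserID")))
    for data in root.iterfind("EventData/Data"):
        name = data.get("Name", "")
        if name in PLACEHOLDER_DATA:
            data.text = PLACEHOLDER_DATA[name]
        elif data.text:   # fields not listed above: still catch embedded SIDs and IPs
            data.text = IPV4_RE.sub(PLACEHOLDER_DATA["IpAddress"],
                                    DOMAIN_SID_RE.sub(PLACEHOLDER_SID, data.text))
    return ET.tostring(root, encoding="unicode")

def leaked_identifiers(original_xml, scrubbed_xml):
    """Check before pasting: every domain SID, IPv4 address and Computer name
    from the original that still appears verbatim in the scrubbed text."""
    root = ET.fromstring(original_xml)
    originals = set(DOMAIN_SID_RE.findall(original_xml)) | set(IPV4_RE.findall(original_xml))
    originals.add(root.findtext("System/Computer", ""))
    return sorted(o for o in originals if o and o in scrubbed_xml)

if __name__ == "__main__":
    scrubbed = scrub_event_xml(SAMPLE_EVENT)
    print(scrubbed)
    print("leaked:", leaked_identifiers(SAMPLE_EVENT, scrubbed))
```

The leak check is deliberately pattern-based rather than field-based: a user name or host name that turns up inside a command line or a file path is the usual thing that slips through when only the obvious Data elements are edited, so review the printed XML once by eye before it goes into a public Map.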

On Key Takeaways

The Maps are only as good as the author made them out to be. For instance, when you're dealing with the Regex examples, if you're not getting expected output, you may want to go look at the Map itself and see what the actual Regex is doing.

With regards to Microsoft-Windows-Partition/Diagnostic event ID 1006, there's just no way you can organize and fit 80 different values of data into the PayloadData1 through PayloadData6 columns and maybe some overflow into Username, Remote Host, and ExecutableInfo. There's still so much that you're going to miss. The Payload column will always be worth examining to see all the data a particular event records.


