So whilst playing through an element of Kringlecon 2019 I came across a task which didn’t really suit my Christmas challenge of going to Linux full-time. The challenge involved a Windows Event Log file, with no ready access to a Linux derivative of Event Viewer.
My Kali laptop for my Christmas challenge was already configured with my basic toolsets (on top of Kali itself).
For example, I had already deployed TheHive, Cortex, Splunk and Elasticsearch. Unfortunately Splunk didn’t like the EVTX files I tried to throw at it, instead dumping garbled text into the fields and making field extraction almost impossible.
Enter EVTXTOELK, a python library designed to stream EVTX files to ELK without additional steps in the process.
Dragos originally wrote the module for a threat hunt in an access-limited environment, and then released it to the world.
So for this element of the challenge I now only needed to install the module through pip, then load the data from the python3 command line:
python3 -m pip install evtxtoelk
from evtxtoelk import EvtxToElk
EvtxToElk.evtx_to_elk("<path to the .evtx file>", "<Elasticsearch host IP>")  # both arguments are placeholders
This streams the events from the EVTX file into an index called hostlog, and the imported data can then be analysed from there.
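To show what a module like this has to do on the way in, here is an added example (written for this post, not code from the original page or from the evtxtoelk project) that flattens one Windows event's XML into an Elasticsearch document, with each EventData value as its own field, and wraps it for the _bulk API. The sample event, host name, user and address are constructed; the index name hostlog follows the text above.

```python
import json
import xml.etree.ElementTree as ET

# Every element in an exported Windows event carries this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample record (a successful logon, event ID 4624) in the XML
# shape an EVTX export produces; host, user and address are placeholders.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2019-12-20T08:15:42.123456Z"/>
    <Computer>example-host.local</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""

def event_xml_to_doc(xml_text):
    """Flatten one event's XML into a dict Elasticsearch can index field by field."""
    root = ET.fromstring(xml_text)
    doc = {}
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
        if child.text and child.text.strip():
            doc[tag] = child.text.strip()
        for attr, value in child.attrib.items():  # Provider Name, TimeCreated SystemTime, ...
            doc[tag + "_" + attr] = value
    # EventData is a list of <Data Name="..."> elements; key them by Name so each
    # value becomes its own searchable field rather than one undifferentiated blob.
    for data in root.findall("e:EventData/e:Data", NS):
        doc["EventData_" + data.get("Name", "Unnamed")] = (data.text or "").strip()
    # Kibana expects the event time in @timestamp, so promote it there.
    doc["@timestamp"] = doc.pop("TimeCreated_SystemTime", None)
    return doc

def to_bulk_lines(docs, index="hostlog"):
    """Build the newline-delimited body the Elasticsearch _bulk API accepts."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"
```

Posting the returned body to /_bulk on the Elasticsearch host gives one document per event, with EventData_LogonType, EventData_IpAddress and friends searchable as separate fields.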