Plaso notes
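## Plaso stuff
# log2timeline
# MACHINENAME names both the evidence directory (./$MACHINENAME) and the output
# basename; abort early with a message instead of running docker with "/data/.plaso".
: "${MACHINENAME:?set MACHINENAME to the evidence directory name, e.g. export MACHINENAME=ws01}"
# "$PWD" is quoted so a working directory containing spaces cannot split the -v argument.
# NOTE(review): the evidence directory is mounted read-write because the .plaso
# storage file is written next to it; for evidence-handling hygiene consider a
# second, read-only mount (-v "/path/to/evidence:/evidence:ro") and keep /data for output.
docker run -v "$PWD:/data" log2timeline/plaso log2timeline "/data/$MACHINENAME.plaso" "/data/$MACHINENAME"
# parsers can be targeted or skipped with --parsers; a leading '!' excludes a parser.
# Single quotes keep '!' away from interactive history expansion (the original used \!).
docker run -v "$PWD:/data" log2timeline/plaso log2timeline --parsers='!filestat,!mft,!usnjrnl' "/data/$MACHINENAME.plaso" "/data/$MACHINENAME"
# Windows event logs only. The braces in ${MACHINENAME}_evtx are required:
# $MACHINENAME_evtx expands the (unset) variable MACHINENAME_evtx and writes /data/.plaso.
docker run -v "$PWD:/data" log2timeline/plaso log2timeline --parsers=winevtx "/data/${MACHINENAME}_evtx.plaso" "/data/$MACHINENAME"
# psort: render the storage file to CSV
docker run -v "$PWD:/data" log2timeline/plaso psort -w "/data/$MACHINENAME.csv" "/data/$MACHINENAME.plaso"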
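# cmd to do other things: interactive shell inside the plaso container
# (the image_export lines below are meant to be typed in this shell, not on the host)
docker run -t -i --entrypoint=/bin/bash -v "$PWD:/data" log2timeline/plaso
# base filter to run targeted extraction or processing (modify to needs):
# https://github.com/mark-hallman/plaso_filters/blob/master/filter_windows.txt
# IMAGE is the disk image (or mounted directory) to extract from, EXPORT_DIR the
# destination directory; both were bare <placeholders> in the original notes, which
# bash would have parsed as redirections.
: "${IMAGE:?path to the disk image or evidence directory}"
: "${EXPORT_DIR:?directory to export matched files into}"
# --no_vss ignores Volume Shadow Snapshots; --vss_stores all also processes every
# snapshot store (more output, slower) -- pick one.
image_export -f filter_windows.txt --no_vss -w "$EXPORT_DIR" "$IMAGE"
image_export -f filter_windows.txt --vss_stores all -w "$EXPORT_DIR" "$IMAGE"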
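# bulk processing: run timeline.sh once per sub-directory of the current directory.
# The original `for item in ls */` iterated over the literal word "ls" followed by
# the directories, so timeline.sh was first invoked with the bogus argument "ls".
for item in */; do
  # With no matching directories the glob stays literal ("*/"), which is not a dir.
  [[ -d "$item" ]] || continue
  # Keep going on failure (as before), but say which directory failed.
  timeline.sh "$item" || printf 'warn: timeline.sh failed for %s\n' "$item" >&2
done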
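# best output for searching default plaso logs.
# plaso_pretty: read psort CSV on stdin, de-duplicate, and print each event as
#   "<datetime to seconds> <timestamp_desc> <source>" / message / display_name.
# Assumes psort's default "dynamic" field order (datetime,timestamp_desc,source,
# source_long,message,parser,display_name,tag); the 19-char substr drops the
# sub-second part of the datetime. Splitting on "," is naive: a message that
# contains commas shifts $5/$7 -- verify on your output before relying on it.
# Usage: plaso_pretty < machine.csv      (or at the end of a grep pipeline)
plaso_pretty() {
  sort -u | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'
}
# note the event types in the final csv: count of (source, source_long) pairs.
# Usage: plaso_event_types "$csv"       (reads stdin when no file is given)
plaso_event_types() {
  awk -F "," '{print $3,$4}' "$@" | sort | uniq -c
}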
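# IOC search: drop whitelisted lines, keep lines that match an indicator.
# Both pattern files are read as case-insensitive regexes (grep default):
#  - a '.' in an IP or domain matches any character, so use -F if the files
#    hold literal strings (and -w if 10.1.1.1 must not match 10.1.1.10);
#  - blank pattern lines are stripped first because an empty pattern matches
#    every line: a blank whitelist entry would suppress all output and a blank
#    IOC entry would select everything.
./iocSearch.sh \
  | grep -i -v -f <(grep -v '^$' whitelist.txt) \
  | grep -i -f <(grep -v '^$' ioc.txt) \
  > ioc.csv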
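# Some other examples:
# Targeting specific authentication events.
# plaso_auth_events: read psort CSV on stdin and print the Security-log
# logon-related events whose IDs are listed in the pattern (4624, 4625, 4634,
# 4635, 4648). The ID is matched right after its opening '[' in the message
# field; the trailing ([^0-9]|$) stops a longer ID (e.g. [46240) from matching.
# Field numbers assume psort's default dynamic CSV layout; commas inside the
# message shift them.
plaso_auth_events() {
  grep -E '\[46(24|25|34|35|48)([^0-9]|$)' \
    | sort -u \
    | awk -F "," '{print substr($1,1,19),$2,$3,$4,"\n"$5,"\n"$7"\n"}'
}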
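# Search with target day(s): rdp.sh output -> date filter -> evtx rows only ->
# drop whitelisted -> keep IOC hits -> pretty print.
# whitelist.txt / ioc.txt are case-insensitive regexes; blank lines are stripped
# because an empty pattern matches everything (a blank whitelist line would hide
# all output). Use -F instead of regex matching if the files hold literal
# indicators, since '.' in an IP or domain otherwise matches any character.
./rdp.sh \
  | grep -E '2019-01-(17|18|19|20|21|22|23|24)' \
  | grep -i winevtx \
  | grep -v -i -f <(grep -v '^$' whitelist.txt) \
  | grep -i -f <(grep -v '^$' ioc.txt) \
  | sort -u \
  | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'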
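# clear event logs: Windows "log cleared" events 1102 (Security) and 104 (System).
# plaso_log_clear_events: read psort CSV on stdin and print the matching events.
# The original pattern "\[(1102|104)" also matched every ID that merely starts
# with 104 (1040-1049, 10400, ...); the trailing ([^0-9]|$) restricts it to
# exactly 1102 and 104. Field numbers assume psort's default dynamic CSV layout.
plaso_log_clear_events() {
  grep -E '\[(1102|104)([^0-9]|$)' \
    | sort -u \
    | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'
}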