@mgreen27
Last active September 24, 2022 12:43
Plaso notes
## Plaso stuff
# log2timeline
docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/$MACHINENAME.plaso /data/$MACHINENAME
# parsers can be targeted or skipped with the --parsers option; a leading ! excludes a parser
# (single quotes keep the shell from treating ! as history expansion)
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers='!filestat,!mft,!usnjrnl' /data/$MACHINENAME.plaso /data/$MACHINENAME
# braces are required here: $MACHINENAME_evtx would be read as a variable named MACHINENAME_evtx
docker run -v $(pwd):/data log2timeline/plaso log2timeline --parsers=winevtx /data/${MACHINENAME}_evtx.plaso /data/$MACHINENAME
# psort
docker run -v $(pwd):/data log2timeline/plaso psort -w /data/$MACHINENAME.csv /data/$MACHINENAME.plaso
# interactive shell inside the container for other plaso tools (e.g. image_export)
docker run -t -i --entrypoint=/bin/bash -v $(pwd):/data log2timeline/plaso
# base filter for targeted extraction or processing (modify to needs)
https://github.com/mark-hallman/plaso_filters/blob/master/filter_windows.txt
image_export -f filter_windows.txt --no_vss -w export_folder_name <image>
image_export -f filter_windows.txt --vss_stores all -w export_folder_name <image>
# bulk processing
# one directory per host; timeline.sh is a per-host wrapper not included in these notes
for item in */
do
  timeline.sh "$item"
done
# best output for searching default psort CSV output ($csv); fields: datetime, desc, source, message, display name
cat "$csv" | sort -u | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'
# note the event types in the final csv
cat "$csv" | awk -F "," '{print $3,$4}' | sort | uniq -c
# IOC
./iocSearch.sh | grep -iv -f whitelist.txt | grep -i -f ioc.txt > ioc.csv
Some other examples:
# Targeting specific authentication events (4624, 4625, 4634, 4635, 4648)
cat "$csv" | egrep "\[46(24|25|34|35|48)" | sort -u | awk -F "," '{print substr($1,1,19),$2,$3,$4,"\n"$5,"\n"$7"\n"}'
# Search within a range of target days, winevtx events only, whitelist removed, IOC list applied
./rdp.sh | egrep "2019-01-(17|18|19|20|21|22|23|24)" | grep -i winevtx | grep -v -if whitelist.txt | grep -if ioc.txt | sort -u | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'
# event log clearing: 1102 (Security log cleared), 104 (System log cleared)
cat "$csv" | egrep "\[(1102|104)" | sort -u | awk -F "," '{print substr($1,1,19),$2,$3,"\n"$5,"\n"$7"\n"}'
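The event-type tally and the logon / log-clearing greps above, wrapped as reusable stdin filters over a psort CSV. Added example, not part of mgreen27's gist: the sample rows are constructed, the psort default dynamic field order is assumed, and messages are assumed to contain no commas.

```shell
#!/usr/bin/env bash
# Added example, not from the gist: the "event types" tally and the logon /
# log-clearing greps wrapped as stdin filters over a psort dynamic-format CSV.
# Assumed field order (psort default, the same one the notes' awk relies on):
# 1 datetime 2 timestamp_desc 3 source 4 source_long 5 message 6 parser
# 7 display_name 8 tag. Constructed sample messages contain no commas.
SAMPLE_CSV="$(mktemp)"
trap 'rm -f "$SAMPLE_CSV"' EXIT
SEC="OS:/C:/Windows/System32/winevt/Logs/Security.evtx"
# Constructed rows: a duplicated 4624 (why the notes use sort -u) and a
# 1040 MsiInstaller event (why a bare "104" match needs a terminator).
cat > "$SAMPLE_CSV" <<EOF
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
2019-01-17T08:01:02+00:00,Content Modification Time,EVT,WinEVTX,[4624 / 0x1210] Source Name: Microsoft-Windows-Security-Auditing Strings: [...],winevtx,$SEC,-
2019-01-17T08:01:02+00:00,Content Modification Time,EVT,WinEVTX,[4624 / 0x1210] Source Name: Microsoft-Windows-Security-Auditing Strings: [...],winevtx,$SEC,-
2019-01-17T08:02:40+00:00,Content Modification Time,EVT,WinEVTX,[4625 / 0x1211] Source Name: Microsoft-Windows-Security-Auditing Strings: [...],winevtx,$SEC,-
2019-01-18T22:15:09+00:00,Content Modification Time,EVT,WinEVTX,[4648 / 0x1228] Source Name: Microsoft-Windows-Security-Auditing Strings: [...],winevtx,$SEC,-
2019-01-18T22:10:00+00:00,Content Modification Time,EVT,WinEVTX,[1040 / 0x0410] Source Name: MsiInstaller Strings: [...],winevtx,OS:/C:/Windows/System32/winevt/Logs/Application.evtx,-
2019-01-18T22:16:30+00:00,Content Modification Time,EVT,WinEVTX,[1102 / 0x044e] Source Name: Microsoft-Windows-Eventlog Strings: [...],winevtx,$SEC,-
2019-01-18T22:16:31+00:00,Content Modification Time,EVT,WinEVTX,[104 / 0x0068] Source Name: Microsoft-Windows-Eventlog Strings: [...],winevtx,OS:/C:/Windows/System32/winevt/Logs/System.evtx,-
2019-01-19T03:00:00+00:00,Creation Time,FILE,File stat,OS:/C:/Users/Public/x.exe Type: file,filestat,OS:/C:/Users/Public/x.exe,-
EOF

# Count of source / source_long pairs, header row skipped, busiest first.
count_event_types() {
  tail -n +2 | awk -F "," '{print $3,$4}' | sort | uniq -c | sort -rn
}
# Notes' display format: "date time desc source source_long", message, path.
fmt_events() {
  sort -u | awk -F "," '{print substr($1,1,19),$2,$3,$4,"\n"$5,"\n"$7"\n"}'
}
# Logon-related Security events 4624 4625 4634 4635 4648.
auth_events() { grep -E "\[46(24|25|34|35|48)[^0-9]" | fmt_events; }
# Log clearing: 1102 (Security log) and 104 (System log).
# [^0-9] keeps "104" from matching 1040-1049 as the notes' regex would.
log_clear_events() { grep -E "\[(1102|104)[^0-9]" | fmt_events; }
# Restrict input rows to days matching an ISO-date regex before other filters.
on_days() { grep -E "^$1"; }

count_event_types < "$SAMPLE_CSV"
on_days '2019-01-1[78]' < "$SAMPLE_CSV" | auth_events
log_clear_events < "$SAMPLE_CSV"
```

Point the filters at a real psort CSV instead of `$SAMPLE_CSV`; if messages contain commas, switch the awk to a proper CSV parser rather than `-F ","`.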