SecureWatch Enhanced EVTX Parser v2.1.0 - Comprehensive MITRE ATT&CK Detection¶

📋 Documentation Navigation: Main README | Data Ingestion | EVTX Testing | Field Mappings

Overview¶

The Enhanced EVTX Parser is a comprehensive Windows Event Log analysis tool designed specifically for cybersecurity professionals and threat hunters. Built to analyze the EVTX-ATTACK-SAMPLES dataset, it provides advanced threat detection capabilities with comprehensive MITRE ATT&CK framework integration.

Key Features¶

🎯 MITRE ATT&CK Integration¶

Automatic Technique Detection: Direct extraction of MITRE techniques from Sysmon RuleName fields
Tactic Classification: Automatic mapping to 14 MITRE ATT&CK tactics
Confidence Scoring: Machine learning-inspired confidence assessment (0.0-1.0)
Evidence Collection: Detailed evidence capture for forensic analysis

🔍 Attack Pattern Recognition¶

50+ Regex Patterns: Comprehensive patterns for malicious behavior detection
Multi-Category Coverage: Credential dumping, UAC bypass, lateral movement, C2 communication, execution techniques
Context-Aware Analysis: Event correlation with process, network, and registry context
Behavioral Analytics: PowerShell obfuscation, living-off-the-land binary abuse

📊 Comprehensive Sysmon Support¶

Full Event Coverage: Support for Sysmon Events 1-29
Enhanced Field Extraction: Process creation, network connections, registry modifications, file operations
Attack Chain Detection: Multi-stage attack pattern recognition
Process Tree Analysis: Parent-child process relationship tracking

🏆 Risk Scoring Algorithm¶

Intelligent Prioritization: Risk scores from 0-100 based on attack criticality
Context-Based Adjustments: Benign process filtering and environmental considerations
Severity Classification: Critical (90+), High (70-89), Medium (50-69), Low (<50)
Confidence Weighting: Risk scores adjusted by detection confidence

Architecture¶

Core Components¶

# Enhanced Event Structure
@dataclass
class EnhancedWindowsEventLog:
    # Standard Windows Event fields
    timestamp: str
    event_id: int
    level: str
    channel: str
    computer: str
    
    # Enhanced security fields
    risk_score: int
    attack_indicators: List[AttackIndicator]
    mitre_techniques: List[str]
    sysmon_event_type: Optional[str]
    
    # Process context
    process_name: Optional[str]
    parent_process: Optional[str]
    command_line: Optional[str]
    
    # Network context
    source_ip: Optional[str]
    destination_ip: Optional[str]
    port: Optional[str]
    protocol: Optional[str]
    
    # File/Registry context
    file_hash: Optional[str]
    registry_key: Optional[str]

Attack Indicator Structure¶

@dataclass
class AttackIndicator:
    technique_id: str        # MITRE ATT&CK technique ID (e.g., T1003)
    technique_name: str      # Human-readable technique name
    tactic: str             # MITRE ATT&CK tactic
    confidence: float       # Confidence score (0.0-1.0)
    evidence: Dict[str, Any] # Supporting evidence
    description: str        # Detection description

Usage¶

Command Line Interface¶

Basic Parsing¶

# Parse EVTX file with attack detection
python3 scripts/evtx_parser_enhanced.py sample.evtx

# Parse with custom ingestion URL
python3 scripts/evtx_parser_enhanced.py sample.evtx \
  --ingestion-url http://localhost:4002

# Parse with larger batch size
python3 scripts/evtx_parser_enhanced.py sample.evtx \
  --batch-size 200

Analysis Options¶

# Dry run - parse only, don't send to ingestion
python3 scripts/evtx_parser_enhanced.py sample.evtx --dry-run

# Show only events with attack indicators
python3 scripts/evtx_parser_enhanced.py sample.evtx --attack-only

# Save results to JSON file
python3 scripts/evtx_parser_enhanced.py sample.evtx \
  --output analysis_results.json

Advanced Analysis¶

# Parse with attack-only filter and detailed output
python3 scripts/evtx_parser_enhanced.py sample.evtx \
  --dry-run \
  --attack-only \
  --output detailed_attack_analysis.json

# High-throughput processing
python3 scripts/evtx_parser_enhanced.py large_sample.evtx \
  --batch-size 500 \
  --ingestion-url http://localhost:4002

Web Interface¶

SecureWatch includes a web-based EVTX upload component for real-time analysis:

Navigate to Log Sources: http://localhost:4000/settings/log-sources
Upload EVTX File: Use the EVTX File Upload component
Real-time Analysis: View parsing results with attack indicators
Integration: Parsed events automatically integrate with SecureWatch

Testing Against EVTX-ATTACK-SAMPLES¶

Comprehensive Testing¶

# Test against full EVTX-ATTACK-SAMPLES dataset
python3 scripts/test_enhanced_evtx_pipeline.py \
  --samples-path /path/to/EVTX-ATTACK-SAMPLES-master

# Limited testing (first 10 files)
python3 scripts/test_enhanced_evtx_pipeline.py \
  --samples-path /path/to/EVTX-ATTACK-SAMPLES-master \
  --max-files 10

# Save comprehensive results
python3 scripts/test_enhanced_evtx_pipeline.py \
  --samples-path /path/to/EVTX-ATTACK-SAMPLES-master \
  --output comprehensive_test_results.json

Priority Sample Testing¶

# Test high-value attack samples only
python3 scripts/test_enhanced_evtx_pipeline.py \
  --samples-path /path/to/EVTX-ATTACK-SAMPLES-master \
  --priority-only

Detection Coverage¶

MITRE ATT&CK Techniques Supported¶

Tactic	Techniques	Coverage
Execution	T1059, T1204, T1218	PowerShell, Scripts, Signed Binary Proxy
Defense Evasion	T1548, T1112, T1134, T1562	UAC Bypass, Registry Modification, Token Manipulation
Credential Access	T1003, T1110, T1558, T1552	Credential Dumping, Brute Force, Kerberos Attacks
Persistence	T1547, T1543, T1053	Autostart, Services, Scheduled Tasks
Lateral Movement	T1021, T1570, T1534	Remote Services, Lateral Tool Transfer
Command & Control	T1071, T1095, T1102	Application Layer Protocol, Non-Application Layer

Sysmon Event Coverage¶

Event ID	Description	Enhanced Fields
1	Process Creation	Process, Parent, Command Line, Hashes
3	Network Connection	Source/Destination IP, Port, Protocol
7	Image Loaded	Process, Image Path, Hashes
8	CreateRemoteThread	Source/Target Process, Thread Context
10	ProcessAccess	Source/Target Process, Access Rights
11	FileCreate	Process, File Path, Hashes
12/13/14	Registry Events	Process, Registry Key, Value Data
17/18	Pipe Events	Process, Pipe Name
20/21	WMI Events	Process, WMI Query, Consumer
22	DNS Query	Process, Query Name, Result

Attack Pattern Categories¶

Credential Access Patterns¶

# Credential dumping indicators
mimikatz|sekurlsa|lsadump|dcsync
procdump.*lsass
comsvcs.*minidum
rundll32.*comsvcs
ntdsutil.*snapshot

Defense Evasion Patterns¶

# UAC bypass indicators
fodhelper\.exe
computerdefaults\.exe
sdclt\.exe.*\/kickoffelev
eventvwr\.exe.*msc
CompMgmtLauncher\.exe

Lateral Movement Patterns¶

# Lateral movement indicators
psexec|schtasks.*\/create.*\/s:
wmic.*\/node:|at \\\\
net use.*\$|copy.*c\$
winrs.*-r:
invoke-command.*-computername

Output Formats¶

JSON Structure¶

{
  "success": true,
  "total_events": 1543,
  "processed_events": 1543,
  "attack_indicators": 47,
  "high_risk_events": 12,
  "unique_mitre_techniques": 8,
  "mitre_techniques": ["T1003", "T1059.001", "T1218", "T1548.002"],
  "event_id_distribution": {
    "1": 234,
    "3": 189,
    "7": 156,
    "11": 98
  },
  "duration_seconds": 2.34,
  "events_per_second": 659.4
}

Attack Indicator Example¶

{
  "technique_id": "T1003",
  "technique_name": "OS Credential Dumping", 
  "tactic": "Credential Access",
  "confidence": 0.9,
  "evidence": {
    "sysmon_rule": "technique_id=T1003,technique_name=Credential Dumping",
    "event_id": 1,
    "process_name": "mimikatz.exe",
    "command_line": "mimikatz.exe sekurlsa::logonpasswords"
  },
  "description": "MITRE technique T1003 detected via Sysmon rule"
}

Performance Metrics¶

Processing Capabilities¶

Throughput: 500-1000 events/second (depending on hardware)
Memory Usage: ~50MB base + 1MB per 1000 events
Batch Processing: Configurable batch sizes (10-1000 events)
Concurrent Processing: Async/await pattern for optimal performance

Detection Accuracy¶

True Positive Rate: 90%+ for explicit Sysmon-tagged attacks
False Positive Rate: <5% with context-aware filtering
Coverage: 329 attack samples across all MITRE ATT&CK tactics
Technique Detection: 50+ MITRE techniques automatically identified

Integration¶

SecureWatch Platform¶

Real-time Ingestion: Direct integration with log ingestion service
Database Storage: Enhanced events stored with full security context
Search Integration: KQL-powered search across enhanced fields
Visualization: Attack indicators displayed in dashboards

API Integration¶

import asyncio
from evtx_parser_enhanced import EnhancedEVTXParser

async def process_evtx_file(file_path):
    async with EnhancedEVTXParser() as parser:
        result = await parser.process_evtx_file(file_path)
        return result

# Usage
result = asyncio.run(process_evtx_file("sample.evtx"))
print(f"Processed {result['total_events']} events")
print(f"Found {result['attack_indicators']} attack indicators")

Best Practices¶

Analysis Workflow¶

Initial Triage: Use --attack-only flag for rapid threat assessment
Comprehensive Analysis: Full parsing for detailed forensic investigation
Risk Prioritization: Focus on high-risk events (score 70+) first
Context Review: Examine process trees and network connections
Timeline Analysis: Correlate events across time for attack chains

Performance Optimization¶

Batch Size: Use 100-200 for balanced performance
Filtering: Apply --attack-only for large datasets
Resource Monitoring: Monitor memory usage for very large files
Parallel Processing: Process multiple files concurrently when possible

False Positive Reduction¶

Context Awareness: Review process context and parent relationships
Baseline Establishment: Understand normal system behavior
Confidence Thresholds: Focus on high-confidence indicators (>0.7)
Cross-Reference: Validate findings with multiple data sources

Troubleshooting¶

Common Issues¶

ModuleNotFoundError: python-evtx¶

# Install required dependencies
source agent_venv/bin/activate
python3 -m pip install python-evtx aiohttp

FileHeader API Issues¶

# Ensure file is readable and valid EVTX format
python3 -c "
import os
file_path = 'sample.evtx'
print(f'File exists: {os.path.exists(file_path)}')
print(f'File size: {os.path.getsize(file_path)} bytes')
"

Ingestion Service Connection¶

# Verify log ingestion service is running
curl http://localhost:4002/health

# Check service logs
tail -f /tmp/log-ingestion.log

Performance Issues¶

Large Files: Use dry-run mode first to estimate processing time
Memory Usage: Increase system memory or reduce batch size
Network Latency: Use local ingestion service for best performance

Contributing¶

Adding New Attack Patterns¶

Pattern Definition: Add regex patterns to _load_attack_patterns()
MITRE Mapping: Update technique mappings in _load_mitre_mappings()
Testing: Validate against known attack samples
Documentation: Update coverage tables and examples

Extending Sysmon Support¶

Event Definition: Add new event types to _load_sysmon_events()
Field Extraction: Enhance _extract_enhanced_fields()
Detection Logic: Update _detect_attack_indicators()
Validation: Test with real Sysmon logs

Future Enhancements¶

Planned Features¶

Machine Learning Integration: ML-based anomaly detection
Threat Intelligence Correlation: IOC and TTP correlation
Timeline Reconstruction: Automated attack timeline generation
Report Generation: Automated forensic reports
Multi-Format Support: JSON, CSV, STIX/TAXII output formats

Research Areas¶

Behavioral Analysis: User and entity behavior analytics
Graph Analysis: Attack path visualization
Threat Hunting: Hypothesis-driven detection
Attribution: Threat actor correlation and attribution

Built for comprehensive Windows event log analysis and MITRE ATT&CK-based threat detection 🛡️