Zircolite is a standalone tool written in Python 3 that allows you to use SIGMA rules on Windows event logs (in EVTX and JSON format).
- Zircolite can be used directly on the investigated endpoint (use releases) or in your favorite forensic/detection lab
- Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
- Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format (one JSON event per line)
Zircolite can be used directly in Python, or you can use the binaries provided in releases (Microsoft Windows and Linux only). Documentation is here.
ℹ️ If you want to try the tool, you can test it with these samples:
- EVTX-ATTACK-SAMPLES (EVTX Files)
- MORDOR - APT29 Day 1 (JSONL Files), MORDOR - APT29 Day 2 (JSONL Files)
- MORDOR - APT3 Scenario 1 (JSONL Files), MORDOR - APT3 Scenario 2 (JSONL Files)
- Mandatory - evtx_dump: the tool is provided if you clone the repo. You can also download it directly from the official repository: here.
- Optional - To enhance the Zircolite experience, you can use the following third-party Python libraries: tqdm, colorama, jinja2. You can install them with:
pip3 install -r requirements.txt
Help is available with zircolite.py -h
If your EVTX files have the extension ".evtx":
python3 zircolite.py --evtx <EVTX folder> --ruleset <Converted Sigma rules>
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json
For JSONL/NDJSON:
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json --jsononly
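Zircolite expects JSON input as NDJSON (one event per line) and matches converted Sigma rules against the fields of each event. The script below is an added illustration of that workflow and is not Zircolite's own code: it parses a constructed NDJSON sample (including one malformed line, which a strict parser must skip rather than abort on), flattens each event so that rule fields such as Image or EventID can be looked up by name (an assumption of this example; Zircolite's real field mapping is documented in the docs), and evaluates a small Sigma-style selection with a subset of the usual modifiers (contains, startswith, endswith). The rule and the sample events are constructed for the example.

```python
from __future__ import annotations

import json
from typing import Any, Optional

# Constructed NDJSON sample: one JSON object per line, loosely modelled on
# Sysmon events as exported from EVTX. The fourth line is deliberately invalid
# to show how a parser should handle corrupt input without aborting the run.
SAMPLE_NDJSON = """\
{"Event": {"System": {"EventID": 1, "Computer": "WS01"}, "EventData": {"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}}}
{"Event": {"System": {"EventID": 1, "Computer": "WS01"}, "EventData": {"Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "CommandLine": "notepad.exe"}}}
{"Event": {"System": {"EventID": 3, "Computer": "WS02"}, "EventData": {"Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "DestinationPort": 443}}}
not json at all
"""

# Constructed Sigma-style rule: a selection is an AND of field conditions,
# and "field|modifier" selects how the value is compared (assumed syntax).
RULE = {
    "title": "cmd.exe process creation (example rule)",
    "selection": {"EventID": 1, "Image|endswith": "\\cmd.exe"},
}


def parse_ndjson(text: str) -> tuple[list[dict], int]:
    """Parse NDJSON text. Returns (events, skipped_lines); bad lines are skipped."""
    events: list[dict] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            skipped += 1
    return events, skipped


def flatten(event: dict, parent: str = "") -> dict[str, Any]:
    """Flatten nested JSON into dotted keys ("Event.System.EventID") and also
    expose each leaf name alone ("EventID") so rules can refer to it directly."""
    flat: dict[str, Any] = {}
    for key, value in event.items():
        path = f"{parent}.{key}" if parent else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
            flat.setdefault(key, value)  # first leaf with this name wins
    return flat


def match_value(actual: Any, expected: Any, modifier: Optional[str]) -> bool:
    """Compare one field value; string comparisons are case-insensitive as in Sigma."""
    if actual is None:
        return False
    if modifier is None:
        if isinstance(expected, str) and isinstance(actual, str):
            return actual.lower() == expected.lower()
        return actual == expected
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(flat: dict, selection: dict) -> bool:
    """Every field in the selection must match (logical AND)."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        if not match_value(flat.get(field), expected, modifier or None):
            return False
    return True


def run_rule(ndjson_text: str, rule: dict) -> list[dict]:
    """Return the flattened events that match the rule's selection."""
    events, _ = parse_ndjson(ndjson_text)
    return [flatten(ev) for ev in events if matches(flatten(ev), rule["selection"])]


if __name__ == "__main__":
    events, skipped = parse_ndjson(SAMPLE_NDJSON)
    print(f"parsed {len(events)} events, skipped {skipped} malformed line(s)")
    for hit in run_rule(SAMPLE_NDJSON, RULE):
        print(RULE["title"], "->", hit["Computer"], hit["CommandLine"])
```

The lookup-by-leaf-name step is what makes a rule written against Sysmon field names usable on the nested EVTX-to-JSON structure; a real deployment would use the tool's documented field mapping instead of the shortcut taken here.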
Everything is here.
The Mini-GUI can be used totally offline; it allows the user to display and search results. To learn how to use the Mini-GUI, check the docs here.
Zircolite has been used to perform cold analysis (in a lab) on EVTX files in multiple "real-life" situations. However, even though Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.
- All the code of the project is licensed under the GNU Lesser General Public License
- evtx_dump is under the MIT license
- The rules are released under the Detection Rule License (DRL) 1.0