Zircolite

A standalone SIGMA-based detection tool for EVTX.


Battle-tested, standalone and fast SIGMA-based detection tool for EVTX or JSON


Zircolite is a standalone tool written in Python 3 that lets you apply SIGMA rules to Windows event logs (in EVTX and JSON format):

  • Zircolite can be used directly on the investigated endpoint (using the binaries from releases) or in your favorite forensic/detection lab
  • Zircolite was designed to be light (about 500 lines of code), simple and portable.
  • Zircolite is more a workflow than a real detection engine (check here)
  • Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
  • Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format (one JSON event per line). It has been successfully tested with MORDOR Datasets and NXlog files
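Two points in the list above are worth making concrete: the JSONL/NDJSON input requirement (one JSON event per line, so a JSON array export or a broken line will not do) and the description of the tool as a workflow rather than a detection engine. The following example was written for this page and is not Zircolite's own code: it parses constructed Sysmon-style NDJSON, reports unparseable lines, flattens each event, loads the result into an in-memory SQLite table and turns a minimal SIGMA selection into a parameterised SQL query. The sample events, the rule, and the shortcut of flattening to leaf field names are all assumptions of the example; Zircolite's actual field mapping and rule conversion are described in its own documentation.

```python
import json
import sqlite3

# Constructed sample input (invented for this example, not from any dataset):
# Sysmon-style events in JSONL/NDJSON form, one JSON object per line. Line 3 is
# deliberately broken to show that a malformed export is reported, not dropped.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Event": {"System": {"EventID": 1, "Computer": "WS01"}, "EventData": {
        "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}}}),
    json.dumps({"Event": {"System": {"EventID": 1, "Computer": "WS01"}, "EventData": {
        "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}}}),
    "{not valid json",
    json.dumps({"Event": {"System": {"EventID": 3, "Computer": "WS02"}, "EventData": {
        "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationPort": 443}}}),
])

# Minimal SIGMA-style rule (assumed shape: one 'selection' map, implicit AND).
SAMPLE_RULE = {
    "title": "Whoami Execution",
    "detection": {"selection": {"EventID": 1, "Image|endswith": "\\whoami.exe"}},
}


def parse_jsonl(text):
    """Parse NDJSON text. Returns (events, bad_lines): bad_lines holds the
    1-based numbers of lines that are not a JSON object."""
    events, bad_lines = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if isinstance(event, dict):
            events.append(event)
        else:
            bad_lines.append(number)
    return events, bad_lines


def flatten(event, out=None):
    """Flatten nested dicts to {leaf_field: scalar}. Keeping only the leaf name
    matches how SIGMA rules name fields (Image, EventID); this example assumes
    leaf names do not collide, where a real tool would use a field mapping."""
    out = {} if out is None else out
    for key, value in event.items():
        if isinstance(value, dict):
            flatten(value, out)
        else:
            out[key] = json.dumps(value) if isinstance(value, list) else value
    return out


def load_events(events):
    """Load flattened events into an in-memory SQLite table 'logs', one column
    per distinct field seen; fields absent from an event are NULL."""
    rows = [flatten(e) for e in events]
    columns = sorted({k for row in rows for k in row}) or ["_empty"]
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE logs (%s)" % ", ".join('"%s"' % c for c in columns))
    conn.executemany("INSERT INTO logs VALUES (%s)" % ", ".join("?" * len(columns)),
                     [tuple(row.get(c) for c in columns) for row in rows])
    return conn


def sigma_selection_to_sql(selection):
    """Turn a SIGMA selection into a parameterised WHERE clause. Supported
    modifiers: none (=), contains, startswith, endswith (via LIKE, which is
    ASCII case-insensitive in SQLite, as SIGMA string matching is; '%' and '_'
    inside values are not escaped here). A list of values means any-of. Field
    names are checked because they are quoted into the SQL text; values never are."""
    templates = {"contains": "%%%s%%", "startswith": "%s%%", "endswith": "%%%s"}
    clauses, params = [], []
    for spec, values in selection.items():
        field, _, modifier = spec.partition("|")
        if not field.isidentifier():
            raise ValueError("unsupported field name: %r" % field)
        alternatives = []
        for value in values if isinstance(values, list) else [values]:
            if modifier:
                alternatives.append('"%s" LIKE ?' % field)
                params.append(templates[modifier] % value)
            else:
                alternatives.append('"%s" = ?' % field)
                params.append(value)
        clauses.append("(" + " OR ".join(alternatives) + ")")
    return " AND ".join(clauses), params


def run_rule(conn, rule):
    """Run one rule; a rule needing a field never seen in the logs matches nothing."""
    selection = rule["detection"]["selection"]
    present = {row[1] for row in conn.execute("PRAGMA table_info(logs)")}
    if not {spec.partition("|")[0] for spec in selection} <= present:
        return []
    where, params = sigma_selection_to_sql(selection)
    return [dict(r) for r in conn.execute("SELECT * FROM logs WHERE " + where, params)]


def scan(jsonl_text, rules):
    """Whole workflow: parse -> flatten and load -> query per rule.
    Returns ({rule title: matching rows}, unparseable line numbers)."""
    events, bad_lines = parse_jsonl(jsonl_text)
    conn = load_events(events)
    return {rule["title"]: run_rule(conn, rule) for rule in rules}, bad_lines


if __name__ == "__main__":
    hits, bad = scan(SAMPLE_JSONL, [SAMPLE_RULE])
    print("unparseable lines:", bad)  # [3]
    for title, rows in hits.items():
        print(title, "->", [row["Image"] for row in rows])
```

Running the script reports line 3 as unparseable and one hit for the rule on WS01. The design choice worth noting is that rule values are always bound as parameters while field names are validated before being quoted into the SQL, so a ruleset from an untrusted source cannot change the query's shape.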

Zircolite can be used directly in Python or you can use the binaries provided in releases (Microsoft Windows and Linux only). Documentation is here.

ℹ️ If you want to try the tool you can test with these samples: EVTX-ATTACK-SAMPLES (EVTX files), MORDOR Datasets - APT29 Day 1 (JSONL files), MORDOR Datasets - APT29 Day 2 (JSONL files), MORDOR Datasets - APT3 Scenario 1 (JSONL files), MORDOR Datasets - APT3 Scenario 2 (JSONL files)

Requirements

  • Mandatory - Evtx_dump: the tool is provided if you clone the repo. You can also download it directly from the official repository: here.
  • Optional - To enhance the Zircolite experience, you can use the following third-party Python libraries: tqdm, colorama, jinja2. You can install them with: pip3 install -r requirements.txt

Quick start

Help is available with zircolite.py -h. If your EVTX files have the extension ".evtx":

python3 zircolite.py --evtx <EVTX folder> --ruleset <Converted Sigma rules>
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json

For JSONL/NDJSON input:

python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json --jsononly

Docs

Everything is here.

Mini-Gui

The Mini-GUI can be used totally offline; it allows the user to display and search results. To learn how to use the Mini-GUI, check the docs here.

"Battle-tested" ?

Zircolite has been used to perform cold analysis (in a lab) on EVTX files in multiple "real-life" situations. However, even though Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.

License