Zircolite - A Standalone SIGMA-based Detection Tool For EVTX, Auditd And Sysmon For Linux Logs

Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for linux or JSONL/NDJSON Logs

Zircolite is a standalone tool written in Python 3. It allows to use SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs

Zircolite can be used directly on the investigated endpoint (use releases) or in your forensic/detection lab Zircolite is fast and can parse large datasets in just seconds (check benchmarks)

Zircolite can be used directly in Python or you can use the binaries provided in releases (Microsoft Windows and Linux only). Documentation is here.

Requirements / Installation

You can install dependencies with : pip3 install -r requirements.txt

The use of evtx_dump is optional but required by default (because it is for now much faster), If you do not want to use it you have to use the --noexternal option. The tool is provided if you clone the Zircolite repository (the official repository is here).

Quick start

EVTX files :

Help is available with zircolite.py -h. If your EVTX files have the extension ".evtx" :

The SYSMON ruleset used here is a default one and it is for logs coming from endpoints where SYSMON installed. A generic ruleset is available too.

Auditd logs :

Sysmon for Linux logs :

JSONL/NDJSON files :

ℹ️

If you want to try the tool you can test with these samples :

EVTX-ATTACK-SAMPLES (EVTX Files) MORDOR - APT29 (JSONL Files) MORDOR - APT3 (JSONL Files)

Docs

Everything is here.

Tutorials, references and related projects

Tutorials

Russ McRee has published a pretty good tutorial on SIGMA and Zircolite in his blog

César Marín has published a tutorial in spanish here

EU ATT&CK Workshop October 2021

Florian Roth cited Zircolite in his SIGMA Hall of fame in its talk dugin the October 2021 EU ATT&CK Workshop.

Related projects

Michel de CREVOISIER is doing an amazing work with SIGMA, MITRE Att&ck (c) and other projects. Check his work on mapping EVTX on the MITRE Att&ck (c) framework.

Mini-Gui

The Mini-GUI can be used totally offline, it allows the user to display and search results. To know how to use the Mini-GUI, check docs here.

Battle-tested

Zircolite has been used to perform cold-analysis (in Lab) on EVTX in multiple "real-life" situations. However, even if Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.

License

All the code of the project is licensed under the GNU Lesser General Public License evtx_dump is under the MIT license The rules are released under the Detection Rule License (DRL) 1.0