
Add support for WEVT_TEMPLATE mapped event identifiers #18

Closed
Tracked by #4906
J-A-Sec opened this issue Sep 13, 2024 · 3 comments

Comments

J-A-Sec commented Sep 13, 2024

Describe the problem:

When running psort against a log2timeline-generated plaso file, message strings from a custom winevt-rc.db database are applied only to a minority of Event Log records, despite multiple messages and logs in the database which should apply. The custom database was generated from the same language and OS version as the host where the Event Logs were captured from.

Upon further inspection, I noticed that the custom winevt-rc.db I generated from a fresh Windows 11 install (using instructions from here: http://blog.kiddaland.net/2015/04/windows-event-log-message-strings.html) had prefixed 0xb instead of 0x0 to the majority of message_identifier fields.

A good example is the source "Microsoft-Windows-TerminalServices-LocalSessionManager". The entries in winevt-rc.db look like this:
[screenshot of the winevt-rc.db entries not included]

If I manually change line 22 to 0x0 from 0xb, the Message String is correctly displayed in the psort output for that event:
[screenshot of the psort output not included]

Have I done something wrong in generating winevt-rc.db or is this a bug?

To Reproduce:

The versions used:
winevt-kb latest, from https://github.com/libyal/winevt-kb
dfvfs latest, from https://github.com/log2timeline/dfvfs

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):
Ubuntu 24.04

Steps to reproduce the behavior including command line and arguments and output:
Follow the instructions to build your own winevt-rc.db here, running against a fresh Windows 11 installation disk image: http://blog.kiddaland.net/2015/04/windows-event-log-message-strings.html#:~:text=How%20to%20build%20your%20own%20winevt%2Drc.db

Please provide the source data you used when you experienced the problem. For publicly available data please provide a URL or path of the source data:
Fresh Windows 11 ISO from Microsoft > create Hyper-V VM > Run winevt-kb/extract.py against the image

The method you used to install Plaso:
Installed from [l2tbinaries](https://github.com/log2timeline/l2tbinaries) main branch

Expected behavior:

Message Strings are generated for Event Logs, based on message_identifier mappings
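To make the 0xb-versus-0x0 observation concrete, here is an added example (not code from winevt-kb or Plaso) that decodes the 32-bit Windows message-identifier layout used by message tables and shows that the two values differ only in the severity, customer and reserved bits, not in the 16-bit code. The sample identifiers are constructed; the layout is the one documented for the Microsoft Message Compiler.

```python
"""Decode the 32-bit Windows message identifier layout.

Layout (Microsoft Message Compiler, mc.exe):
  bits 31-30  severity (0 success, 1 informational, 2 warning, 3 error)
  bit  29     customer bit (C)
  bit  28     reserved bit (N)
  bits 27-16  facility
  bits 15-0   code
"""

SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def decode_message_identifier(message_identifier: int) -> dict:
    """Split a message identifier into its named bit fields."""
    if not 0 <= message_identifier <= 0xFFFFFFFF:
        raise ValueError("message identifier must be an unsigned 32-bit value")
    return {
        "severity": SEVERITY_NAMES[(message_identifier >> 30) & 0x3],
        "customer": bool(message_identifier & 0x20000000),
        "reserved": bool(message_identifier & 0x10000000),
        "facility": (message_identifier >> 16) & 0xFFF,
        "code": message_identifier & 0xFFFF,
    }


def same_event_code(first: int, second: int) -> bool:
    """True when two identifiers differ only in the top nibble (severity, C, N)."""
    return (first & 0x0FFFFFFF) == (second & 0x0FFFFFFF)


if __name__ == "__main__":
    # Constructed sample values in the shape described in the issue: a
    # database entry prefixed 0xb beside the same code with a 0x0 prefix.
    for value in (0xB0000015, 0x00000015):
        print(f"{value:#010x} -> {decode_message_identifier(value)}")
    print(same_event_code(0xB0000015, 0x00000015))
```

Decoding the prefix explains why the two values look alike, but it does not by itself tell which identifier an event record maps to; that mapping lives in the provider's WEVT_TEMPLATE resource, which is what the maintainer's comments below are about.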

@joachimmetz joachimmetz changed the title 0xb instead of 0x0 in message_identifier field Add support for WEVT_TEMPLATE mapped event identifiers Sep 22, 2024
joachimmetz (Member) commented:

Have a look at https://osdfir.blogspot.com/2021/10/common-misconceptions-about-windows.html. winevt-rc.db needs to be extended to support the identifier mappings in the WEVT_TEMPLATE resources.

joachimmetz (Member) commented:

Made some more changes, pending initial support in Plaso log2timeline/plaso#4905

joachimmetz (Member) commented:

Closing this in favor of log2timeline/plaso#4906
