Windows XML EventLog (EVTX)

Last modified: 2023-03-26

Forensics Windows

EVTX is used for Microsoft Windows to store system log information.

Read EVTX in Linux

We can parse .evtx file in Linux using evtx_dump.

wget -O evtx_dump
chmod +x evtx_dump
./evtx_dump example.evtx > parsed.txt

Now we can find sensitive information from the parsed text.

grep -i TargetUserName parsed.txt
grep -i TargetDomainName parsed.txt

Search Suspicious Activity in EVTX

Chainsaw is a command-line tool to rapidly search and hunt through Windows Forensics Artifacts.

git clone
cd chainsaw
cargo build --release
./chainsaw hunt evtx_files/ -s sigma/rules --mapping mapping/sigma-event-logs-all.yml