Sabonis provides a way of quickly parsing EVTX, proxy and PCAP files and extracting just the information related to lateral movements.
It also has the ability to load all this information into a Neo4j database.
This not only provides a graphical and approachable way of investigating an incident, but also allows incident handlers to make use of the powerful graph database language "Cypher".
Features
- Extracts and merges lateral movements from more than 7 different EVTX files
- Parses Squid proxy events
- Extracts all lateral movements from PCAP files
- Fast, with low memory consumption
- Loads different sources into a Neo4J database
- Includes a Cypher Playbook to make investigations easy
Getting Started
Make sure that you have the evtx_dump binary in the src folder.
Note: Before running sabonis.py, you must first generate the parsed XML files with pivotfoot.sh.
Help
usage: sabonis.py [-h] [--version] [--source_artifact SOURCE_ARTIFACT] [--csv_output CSV_OUTPUT] [--csv_input CSV_INPUT] [--ne04j_url NE04J_URL]
[--ne04j_user NE04J_USER] [--only_first] [--ignore_local] [--stats] [--directory] [--exclusionlist EXCLUSIONLIST] [--focuslist FOCUSLIST]
[--timezone TIMEZONE]
{parse,load2neo} {pcap,proxy,evtx,freestyle}
parse forensics artifacts to CSV and load them into neo4j database
positional arguments:
{parse,load2neo} choose the action to perform
{pcap,proxy,evtx,freestyle}
type of artifact
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--source_artifact SOURCE_ARTIFACT
forensic artifact file
--csv_output CSV_OUTPUT
Resulting CSV ready to be loaded
--csv_input CSV_INPUT
Processed CSV to be loaded into Neo4j instance
--ne04j_url NE04J_URL
Ne04j database URL in bolt format
--ne04j_user NE04J_USER
Ne04j database user. Pass will be prompted
--only_first Just parse first connections of the group source_IP, user, dest_IP
--ignore_local Just include remote logins
--stats Display stats of processed evidence
--directory Parses a whole winevt/Logs directory and merges results
--exclusionlist EXCLUSIONLIST
Excludes all the evidence logs or packets that contain strings included in this wordlist
--focuslist FOCUSLIST
Parser will ONLY process the evidence logs or packets that contain strings included in this wordlist
--timezone TIMEZONE All dates with be converted to specified timezone. Ex: Europe/Leon
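The options above (--ignore_local, --only_first, --exclusionlist, --focuslist and --timezone) all act on the same per-event fields. The following script is an added example, not Sabonis's own code, showing how those filters can be applied to the XML that evtx_dump produces for Security event 4624 and turned into a CSV of lateral-movement rows. The sample XML is constructed inline and wrapped in an <Events> root for parsing convenience; the element layout (<System>, <TimeCreated SystemTime>, <EventData><Data Name=...>) follows the Windows event XML schema, and the choice of logon types 3 and 10 as "remote" is an assumption of this example, as is the +02:00 offset standing in for a named timezone.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOGON_EVENT_IDS = {"4624"}          # successful logon (assumption: this example reads only 4624)
REMOTE_LOGON_TYPES = {"3", "10"}    # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
LOCAL_ADDRESSES = {"", "-", "127.0.0.1", "::1"}
EXAMPLE_TZ = timezone(timedelta(hours=2))  # stand-in for --timezone; use zoneinfo.ZoneInfo for a named zone

# Constructed sample: three remote logons (one duplicate), one local logon, one non-logon event.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer>
    <TimeCreated SystemTime="2023-05-01T10:00:00.000000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer>
    <TimeCreated SystemTime="2023-05-01T10:05:00.000000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer>
    <TimeCreated SystemTime="2023-05-01T10:07:00.000000Z"/></System>
  <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">2</Data>
    <Data Name="IpAddress">127.0.0.1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>DC01</Computer>
    <TimeCreated SystemTime="2023-05-01T11:00:00.000000Z"/></System>
  <EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>DC01</Computer>
    <TimeCreated SystemTime="2023-05-01T11:01:00.000000Z"/></System>
  <EventData><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data></EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into event_id, computer, SystemTime and a dict of <Data Name=...> values."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")}
        events.append({
            "event_id": system.findtext(EVT_NS + "EventID"),
            "computer": system.findtext(EVT_NS + "Computer") or "",
            "time": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
            "data": data,
        })
    return events


def _to_local_iso(system_time, tz):
    # SystemTime is UTC with a trailing Z; give fromisoformat an explicit offset, then convert.
    stamp = datetime.fromisoformat(system_time.replace("Z", "+00:00"))
    return stamp.astimezone(tz).replace(microsecond=0).isoformat()


def extract_lateral_movements(xml_text, tz=timezone.utc, ignore_local=False,
                              only_first=False, exclusionlist=(), focuslist=()):
    """Return logon rows, applying the same kind of filters Sabonis exposes as CLI flags."""
    rows, seen = [], set()
    for ev in parse_events(xml_text):
        if ev["event_id"] not in LOGON_EVENT_IDS:
            continue
        d = ev["data"]
        source_ip = d.get("IpAddress", "-")
        logon_type = d.get("LogonType", "")
        # --ignore_local: keep only logons that came over the network from a real remote address
        is_local = logon_type not in REMOTE_LOGON_TYPES or source_ip in LOCAL_ADDRESSES
        if ignore_local and is_local:
            continue
        # --exclusionlist / --focuslist: substring match against every field of the record
        haystack = " ".join([ev["computer"], *d.values()])
        if any(word in haystack for word in exclusionlist):
            continue
        if focuslist and not any(word in haystack for word in focuslist):
            continue
        # --only_first: one row per (source IP, user, destination host) triple
        key = (source_ip, d.get("TargetUserName", ""), ev["computer"])
        if only_first and key in seen:
            continue
        seen.add(key)
        rows.append({
            "timestamp": _to_local_iso(ev["time"], tz),
            "source_ip": source_ip,
            "user": d.get("TargetUserName", ""),
            "dest_host": ev["computer"],
            "logon_type": logon_type,
            "event_id": ev["event_id"],
        })
    return rows


def to_csv(rows):
    """Serialise rows to CSV text with a fixed header, ready to be loaded into a graph database."""
    fields = ["timestamp", "source_ip", "user", "dest_host", "logon_type", "event_id"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_lateral_movements(SAMPLE_XML, tz=EXAMPLE_TZ,
                                           ignore_local=True, only_first=True)))
```

With both --ignore_local and --only_first semantics applied, the five sample events collapse to two rows: the first jdoe network logon to FILESRV01 and the admin RDP logon to DC01; the repeated jdoe logon, the loopback service logon and the process-creation event are dropped.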
Examples
Parsing
- Parse all EVTX files before processing with Sabonis
./pivotfoot.sh source_folder_with_evtx destination_folder
Get CSVs With Lateral Movements
- Process all evtx files in a directory
./sabonis.py parse evtx --source_artifact folder_with_pivotfoot_output --directory --csv_output sabonis_output.csv --ignore_local
Loading Into Neo4J
- Load sabonis_output.csv into the Neo4j database (the password is prompted for)
./sabonis.py load2neo evtx --csv_input sabonis_output.csv --ne04j_url NE04J_URL --ne04j_user NE04J_USER