Sabonis provides a way of quickly parsing EVTX, proxy and PCAP files and extracting just the information related to lateral movements.
It also has the ability of loading all this information into a Neo4J database.
This not only provides a graphic and easy-going way of investigating an incident, but also allows incident handlers to make use of the powerful graph database language “Cypher”
Make sure that you have evtx_dump binary in src folder
Note: Before running sabonis.py, you must first generate the parsed XML files with pivotfoot.sh
usage: sabonis.py [-h] [--version] [--source_artifact SOURCE_ARTIFACT] [--csv_output CSV_OUTPUT] [--csv_input CSV_INPUT] [--ne04j_url NE04J_URL]
[--ne04j_user NE04J_USER] [--only_first] [--ignore_local] [--stats] [--directory] [--exclusionlist EXCLUSIONLIST] [--focuslist FOCUSLIST]
[--timezone TIMEZONE]
{parse,load2neo} {pcap,proxy,evtx,freestyle}
parse forensics artifacts to CSV and load them into neo4j database
positional arguments:
{parse,load2neo} choose the action to perform
{pcap,proxy,evtx,freestyle}
type of artifact
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
--source_artifact SOURCE_ARTIFACT
forensic artifact file
--csv_output CSV_OUTPUT
Resulting CSV ready to be loaded
--csv_input CSV_INPUT
Processed CSV to be loaded into Neo4j instance
--ne04j_url NE04J_URL
Ne04j database URL in bolt format
--ne04j_user NE04J_USER
Ne04j database user. Pass will be prompted
--only_first Just parse first connections of the group source_IP, user, dest_IP
--ignore_local Just include remote logins
--stats Display stats of processed evidence
--directory Parses a whole winevt/Logs directory and merges results
--exclusionlist EXCLUSIONLIST
Excludes all the evidence logs or packets that contain strings included in this wordlist
--focuslist FOCUSLIST
Parser will ONLY process the evidence logs or packets that contain strings included in this wordlist
--timezone TIMEZONE All dates with be converted to specified timezone. Ex: Europe/Leon
./pivotfoot.sh source_folder_with_evtx destination_folder
./sabonis.py parse evtx --source artifact folder_with_pivotfoot_output --directory --csv_output sabonis_output.csv --ignore_local
./sabonis.py load evtx --csv_input sabonis_output.csv -ne04j_url NE04J_URL --ne04j_user NE04J_USER
Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…
While file extensions in Linux are optional and often misleading, the file command helps decode what a…
The touch command is one of the quickest ways to create new empty files or update timestamps…
Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…
Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…
Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…