Sabonis – The Ultimate Tool For Enhanced Digital Forensics And Incident Response

Sabonis provides a way of quickly parsing EVTX, proxy and PCAP files and extracting just the information related to lateral movements.

It also has the ability of loading all this information into a Neo4J database.

This not only provides a graphic and easy-going way of investigating an incident, but also allows incident handlers to make use of the powerful graph database language “Cypher”

Features

Extracts and merge lateral movements from more than 7 different EVTX files
Parses Squid proxy events
Extracts all lateral movements from PCAP files
Quick and low memory comsumption
Loads different sources into a Neo4J database
Includes a Cypher Playbook to make investigations easy

Getting Started

Make sure that you have evtx_dump binary in src folder

Note: Before running sabonis.py, you must first generate the parsed XML files with pivotfoot.sh

Help

usage: sabonis.py [-h] [--version] [--source_artifact SOURCE_ARTIFACT] [--csv_output CSV_OUTPUT] [--csv_input CSV_INPUT] [--ne04j_url NE04J_URL]
                  [--ne04j_user NE04J_USER] [--only_first] [--ignore_local] [--stats] [--directory] [--exclusionlist EXCLUSIONLIST] [--focuslist FOCUSLIST]
                  [--timezone TIMEZONE]
                  {parse,load2neo} {pcap,proxy,evtx,freestyle}

parse forensics artifacts to CSV and load them into neo4j database

positional arguments:
  {parse,load2neo}      choose the action to perform
  {pcap,proxy,evtx,freestyle}
                        type of artifact

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --source_artifact SOURCE_ARTIFACT
                        forensic artifact file
  --csv_output CSV_OUTPUT
                        Resulting CSV ready to be loaded
  --csv_input CSV_INPUT
                        Processed CSV to be loaded into Neo4j instance
  --ne04j_url NE04J_URL
                        Ne04j database URL in bolt format
  --ne04j_user NE04J_USER
                        Ne04j database user. Pass will be prompted
  --only_first          Just parse first connections of the group source_IP, user, dest_IP
  --ignore_local        Just include remote logins
  --stats               Display stats of processed evidence
  --directory           Parses a whole winevt/Logs directory and merges results
  --exclusionlist EXCLUSIONLIST
                        Excludes all the evidence logs or packets that contain strings included in this wordlist
  --focuslist FOCUSLIST
                        Parser will ONLY process the evidence logs or packets that contain strings included in this wordlist
  --timezone TIMEZONE   All dates with be converted to specified timezone. Ex: Europe/Leon

Examples

Parsing

Parse all EVTX files before processing with Sabonis

./pivotfoot.sh source_folder_with_evtx destination_folder

Get CSVs With Lateral Movements

Process all evtx files in a directory

./sabonis.py parse evtx --source artifact folder_with_pivotfoot_output --directory --csv_output sabonis_output.csv --ignore_local

Loading Into Neo4J

Load sabonis_output into neo4j database

./sabonis.py load evtx --csv_input sabonis_output.csv -ne04j_url NE04J_URL --ne04j_user NE04J_USER

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.