https://github.com/yarox24/EvtxHussar
Initial triage of Windows Event logs. This is beta quality software.
- Logon related events dumping
- Reconstruction of PowerShell Scriptblocks
- Powershell -enc is automatically decoded
- Scheduled Tasks XML parsing
- Audit changes
- Boot up/Restart/Shutdown events
- SMB related events
- Merge events from different sources (e.g. Microsoft-Windows-PowerShell/Operational and Windows PowerShell) into a single output file
- Deduplication of events (so you can provide logs from backup, VSS, archive)
- Supported events can be easily added by adding .yaml files to maps/ directory
- Parameters resolution (e.g. %%1936 changed to TokenElevationTypeDefault (1))
- Fields resolution (e.g. servicestarttype = 2 is replaced with "Auto start")
- Fields with different names are normalized to single field (whenever possible) e.g. Filename -> TargetFileName
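The -enc decoding, %%-parameter and field-value resolution, field-name normalization and deduplication listed above, as an added Go example that is not EvtxHussar's own code. The Event structure, the resolution tables (seeded only from the README's examples, plus a constructed ServiceStartType 4 = Disabled entry) and the sample records, including the base64 payload for "Write-Host hi", are constructed assumptions for illustration; the dedup key (channel, record id, timestamp) is likewise an assumption, not the tool's.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// Event is a constructed, flattened view of one EVTX record; it is an
// assumption for this example, not EvtxHussar's internal representation.
type Event struct {
	Channel  string
	RecordID uint64
	TimeUTC  string
	EventID  int
	Fields   map[string]string
}

// Resolution tables modelled on the README's examples (assumed content).
var (
	paramTable   = map[string]string{"%%1936": "TokenElevationTypeDefault (1)"}
	fieldAliases = map[string]string{"Filename": "TargetFileName"}
	valueTables  = map[string]map[string]string{
		"ServiceStartType": {"2": "Auto start", "4": "Disabled"},
	}
	// Matches -e, -ec, -enc and -EncodedCommand followed by a base64 blob.
	// Other -E* switches (e.g. -ExecutionPolicy) do not match because no
	// whitespace follows the "-e" prefix there.
	encRe = regexp.MustCompile(`(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)`)
)

// DecodeEncodedCommand extracts a PowerShell -EncodedCommand argument and
// decodes it (base64 over UTF-16LE). ok is false when the command line has
// no such argument or the payload is malformed.
func DecodeEncodedCommand(cmdline string) (string, bool) {
	m := encRe.FindStringSubmatch(cmdline)
	if m == nil {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil || len(raw)%2 != 0 {
		return "", false
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), true
}

// Normalize renames aliased fields, resolves %%-parameters and per-field
// value tables, and adds a DecodedCommand field when -enc is present.
func Normalize(ev *Event) {
	out := make(map[string]string, len(ev.Fields))
	for name, val := range ev.Fields {
		if canon, ok := fieldAliases[name]; ok {
			name = canon
		}
		if resolved, ok := paramTable[val]; ok {
			val = resolved
		}
		if table, ok := valueTables[name]; ok {
			if resolved, ok := table[val]; ok {
				val = resolved
			}
		}
		out[name] = val
	}
	if cmd, ok := out["CommandLine"]; ok {
		if dec, ok := DecodeEncodedCommand(cmd); ok {
			out["DecodedCommand"] = dec
		}
	}
	ev.Fields = out
}

// Dedup keeps the first occurrence of each (channel, record id, timestamp),
// so a log supplied twice (live file plus a VSS or backup copy) is emitted once.
func Dedup(events []Event) []Event {
	seen := make(map[string]bool)
	var out []Event
	for _, ev := range events {
		key := fmt.Sprintf("%s|%d|%s", ev.Channel, ev.RecordID, ev.TimeUTC)
		if seen[key] {
			continue
		}
		seen[key] = true
		out = append(out, ev)
	}
	return out
}

// Triage deduplicates a batch and normalizes every surviving event.
func Triage(events []Event) []Event {
	uniq := Dedup(events)
	for i := range uniq {
		Normalize(&uniq[i])
	}
	return uniq
}

// SampleEvents is constructed input: a 4688 carrying -enc and a %% parameter,
// a 7045 service install, and a duplicate of the 4688 as from a VSS copy.
func SampleEvents() []Event {
	enc := "VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=" // "Write-Host hi", UTF-16LE base64
	e4688 := Event{"Security", 101, "2024-01-01T00:00:00Z", 4688, map[string]string{
		"CommandLine": "powershell.exe -nop -enc " + enc, "TokenElevationType": "%%1936"}}
	dup := e4688
	dup.Fields = map[string]string{"CommandLine": e4688.Fields["CommandLine"], "TokenElevationType": "%%1936"}
	return []Event{
		e4688,
		{"System", 7, "2024-01-01T00:00:02Z", 7045, map[string]string{"ServiceStartType": "2", "Filename": `C:\svc.exe`}},
		dup,
	}
}

func main() {
	for _, ev := range Triage(SampleEvents()) {
		fmt.Println(ev.Channel, ev.EventID, ev.Fields)
	}
}
```

Running the block prints the two surviving events with DecodedCommand, TokenElevationType, ServiceStartType and TargetFileName already resolved, which is the form an analyst wants to grep or load into a spreadsheet.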
You can find this here.