Go Evtx SigNature Engine

This article introduces an engine (a.k.a Gene) we have designed to match signatures in Windows events. Our motivations were driven by some observations done during several incident we have worked on. The first observation is that Windows OS has hundreds of different event logs, which makes very difficult to remember the meaning of all of them. Some event logs can simply characterize that something is going wrong on a system whilst some others are clearly the signature of a compromise. The two previous observations make the study of the Windows very important and sometime decisive for an analysis. more ...


EVTX Flat Storage Optimization

When we try to play with several machines, Sysmon and WECs (Windows Event Collectors) we quickly see the amount of logs growing. Knowing quite good the EVTX file format we realized that no compression is builtin. In order to optimize the storage of the events collected, we decided to run basic compression tests that we are going to describe here. more ...