[Request a new Feature] FastFind check event windows

[lprat]

Hi,

I would like to know if you possible to add new feature in FastFind to find special event (ID, content, ...).

E.G. :

• search mimikaz in xml_string
• wannamine (less file malware, content in memory by wmi subscribtion => OBJECTS.DATA is not readable, you can to find IOC in evtx [powershell, WMI, ...])

I think there are different ways to do it:

• parse evtx to extract each event in field to apply signatures (eg SIGMA - https://github.com/Neo23x0/sigma - regex)
• translate evtx in readable format and apply yara signature (more simple)
• extract event from evtx with minimal field (like plaso): datetime, event_identifier, source_name, event_level, xml_string; and apply signature like plaso tag (https://github.com/log2timeline/plaso/blob/master/data/tag_windows.txt)

If you choose the second case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.yara" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature yara matched">
            <filename fullname="Windows PowerShell.evtx" creation="2019-09-30 13:29:17.691" lastmodification="2019-09-30 13:29:17.691" lastaccess="2019-09-30 13:29:17.691" lastentrychange="2019-09-30 13:29:17.691" />
        </object_match>
    </event>
</fast_find>

If you choose the last case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.tag" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature tag matched">
            <events fullname="Windows PowerShell.evtx" datetime="2020-09-12T14:03:42.000", event_identifier="5805", source_name="NETLOGON", event_level="2", xml_string="<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><System><Provider Name=\"NETLOGON\"/><EventID Qualifiers=\"0\">5805</EventID><Level>2</Level><Task>0</Task><Keywords>0x0080000000000000</Keywords><TimeCreated SystemTime=\"2020-09-12T14:03:42.000000000Z\"/><EventRecordID>XXXXX</EventRecordID><Channel>System</Channel><Computer>victim</Computer><Security/></System><EventData><Data>mimikatz</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData></Event>"/>
        </object_match>
    </event>
</fast_find>

Thank for you help!