
A standalone SIGMA-based detection tool for EVTX.

baxitaurus/Zircolite

Battle-tested, standalone and fast SIGMA-based detection tool for EVTX or JSON

Zircolite is a standalone tool written in Python 3 that lets you run SIGMA rules against Windows event logs (in EVTX and JSON format).

  • Zircolite can be used directly on the investigated endpoint (use releases) or in your favorite forensic/detection lab
  • Zircolite is fast and can parse large datasets in just seconds (check benchmarks)
  • Zircolite can handle EVTX files and JSON files as long as they are in JSONL/NDJSON format (one JSON event per line)

Zircolite can be used directly in Python or you can use the binaries provided in releases (Microsoft Windows and Linux only). Documentation is here.

ℹ️ If you want to try the tool, you can test it with these samples:

Requirements

  • Mandatory - Evtx_dump: the tool is included when you clone the repo. You can also download it directly from the official repository: here.
  • Optional - To enhance the Zircolite experience, you can install the following third-party Python libraries: tqdm, colorama, jinja2. Install them with: pip3 install -r requirements.txt

Quick start

Help is available with zircolite.py -h. If your EVTX files have the extension ".evtx":

python3 zircolite.py --evtx <EVTX folder> --ruleset <Converted Sigma rules>
python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json

For JSONL/NDJSON input (one JSON event per line):

python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json --jsononly
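Exports from other tools are often a single JSON array rather than the one-event-per-line layout --jsononly expects. The following helper, an added example that is not part of Zircolite, normalises either form into NDJSON and counts the lines it has to skip, so a truncated or non-object line does not silently shrink the dataset; the sample inputs are constructed.

```python
"""Normalise exported Windows event JSON into the JSONL/NDJSON layout Zircolite
expects (one event object per line) for use with --jsononly.
Added example for this README, not part of Zircolite. Input is assumed to be
either a top-level JSON array of events or line-delimited JSON that may contain
blank or malformed lines.
"""
import json
from typing import List, Tuple


def to_ndjson_lines(raw: str) -> Tuple[List[str], int]:
    """Return (ndjson_lines, skipped): one compact JSON object per line.

    A top-level array is split into one line per element; anything else is read
    as line-delimited JSON. Blank lines are ignored; lines that are not valid
    JSON objects are skipped and counted instead of aborting the whole file.
    """
    compact = lambda obj: json.dumps(obj, separators=(",", ":"))
    stripped = raw.lstrip()
    if stripped.startswith("["):
        events = json.loads(stripped)
        good = [compact(e) for e in events if isinstance(e, dict)]
        return good, len(events) - len(good)
    good, skipped = [], 0
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        good.append(compact(event))
    return good, skipped


# Constructed sample: a JSON array export holding two events and a stray number.
SAMPLE_ARRAY = '[{"Event":{"System":{"EventID":1}}}, {"Event":{"System":{"EventID":3}}}, 42]'
# Constructed sample: NDJSON with a blank line and one truncated (invalid) line.
SAMPLE_NDJSON = ('{"Event":{"System":{"EventID":1}}}\n\n'
                 '{"Event":{"System":\n'
                 '{"Event":{"System":{"EventID":11}}}\n')

if __name__ == "__main__":
    for name, sample in (("array", SAMPLE_ARRAY), ("ndjson", SAMPLE_NDJSON)):
        lines, skipped = to_ndjson_lines(sample)
        print(f"{name}: {len(lines)} events kept, {skipped} skipped")
```

Write the returned lines to a file with one object per line and pass that file to zircolite.py with --jsononly.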

Docs

Everything is here.

Mini-Gui

The Mini-GUI can be used totally offline; it allows the user to display and search results. To learn how to use the Mini-GUI, check the docs here.

"Battle-tested" ?

Zircolite has been used to perform cold analysis (in a lab) on EVTX in multiple "real-life" situations. However, even though Zircolite has been used many times to perform analysis directly on a Microsoft Windows endpoint, there is not yet a pipeline to thoroughly test every release.

License