An Incident Response tool that visualizes historic process execution evidence (based on Event ID 4688 - Process Creation Event) in a tree view.
IllusiveNetworks-Labs/HistoricProcessTree
HistoricProcessTree receives a Security Event Log file (evtx) and visualizes historic process execution evidence (based on 4688 events) in a tree view.
Analyzing processes execution, their time and their ancestors, provides researchers an initial understanding of what happened on an investigated machine.
Additional reading material on the tool can be found in our blog post, Visualising Historic Process Execution Events.
```
pip install anytree jinja2
```

```
Usage: HistoricProcessTree.py [-h] [-s START_TIME] [-e END_TIME] [--hours NUM_OF_HOURS] input_file output_file

positional arguments:
  input_file            Path to evtx file
  output_file           Final name of the generated HTML

optional arguments:
  -h, --help            Show this help message and exit
  -s START_TIME         Start date filter - Format: "MM/DD/YYYY HH:MM:SS"
  -e END_TIME           End date filter - Format: "MM/DD/YYYY HH:MM:SS"
  --hours HOURS         Number of hours to go back since last event
```

```
HistoricProcessTree.py c:\work\Security.evtx -s "01/10/2018 15:45:00" -e "01/10/2017 16:00" output_file.html
```

Note: run this from the tool's working directory. The command generates an HTML page rendering the process tree.
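The core of what the tool does is to link each 4688 record to the 4688 record of its creator and to honour the `-s`/`-e` time window. The block below is an added example of that linking step, not HistoricProcessTree's own code: it uses only the Python standard library, embeds four constructed 4688 records in the XML shape the Windows event log exports, and builds the tree from the `NewProcessId` and `ProcessId` fields. It also handles a detail the paragraph above does not mention: Windows reuses PIDs, so a child is attached to the most recent process seen with the parent PID that was created before it, rather than to any process that ever had that PID. Reading a real `.evtx` file and the HTML rendering with anytree/jinja2 are left to the tool itself.

```python
"""Link Windows Security 4688 (process creation) events into a process tree.

Added example, not HistoricProcessTree's own code. Standard library only; the
4688 records below are constructed so the linking logic runs offline.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed records: SystemTime, NewProcessId, NewProcessName and the
# ProcessId of the creating process. PIDs are hex strings, as 4688 writes them.
_RECORD = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4688</EventID><TimeCreated SystemTime="{t}"/></System>'
    '<EventData><Data Name="NewProcessId">{pid}</Data>'
    '<Data Name="NewProcessName">{name}</Data>'
    '<Data Name="ProcessId">{ppid}</Data></EventData></Event>'
)
SAMPLE_RECORDS = [
    _RECORD.format(t="2018-01-10T15:46:00.000000Z", pid="0x1234",
                   name=r"C:\Windows\explorer.exe", ppid="0x0abc"),
    _RECORD.format(t="2018-01-10T15:47:10.000000Z", pid="0x1f40",
                   name=r"C:\Windows\System32\cmd.exe", ppid="0x1234"),
    _RECORD.format(t="2018-01-10T15:48:30.000000Z", pid="0x2008",
                   name=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   ppid="0x1f40"),
    _RECORD.format(t="2018-01-10T15:50:00.000000Z", pid="0x2100",
                   name=r"C:\Windows\System32\notepad.exe", ppid="0x1234"),
]


@dataclass
class Process:
    pid: int
    name: str
    created: datetime
    parent_pid: int
    children: List["Process"] = field(default_factory=list)


def parse_filter_time(text: str) -> datetime:
    """Parse the tool's -s/-e format, "MM/DD/YYYY HH:MM:SS"."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def parse_4688(xml_text: str) -> Optional[Process]:
    """Return a Process for a 4688 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    if system is None or system.findtext(f"{NS}EventID") != "4688":
        return None
    stamp = system.find(f"{NS}TimeCreated").get("SystemTime")
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    return Process(
        pid=int(data["NewProcessId"], 16),
        name=data["NewProcessName"],
        created=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        parent_pid=int(data["ProcessId"], 16),  # PID of the creating process
    )


def build_tree(records, start=None, end=None) -> List[Process]:
    """Link processes to their creators and return the roots, oldest first.

    start/end mirror the tool's -s/-e filters. Because Windows reuses PIDs, a
    child is attached to the most recent in-window process with the parent PID
    that was created before it; if there is none, the child becomes a root.
    """
    procs = [p for p in map(parse_4688, records) if p is not None]
    procs.sort(key=lambda p: p.created)
    latest_by_pid: Dict[int, Process] = {}
    roots: List[Process] = []
    for proc in procs:
        if (start and proc.created < start) or (end and proc.created > end):
            continue
        parent = latest_by_pid.get(proc.parent_pid)
        if parent is None:
            roots.append(proc)
        else:
            parent.children.append(proc)
        latest_by_pid[proc.pid] = proc
    return roots


def render(roots: List[Process], depth: int = 0) -> List[str]:
    """Indented text view of the tree (the tool renders an HTML treeview)."""
    lines = []
    for proc in roots:
        lines.append(f"{'  ' * depth}{proc.created:%H:%M:%S} [{proc.pid}] {proc.name}")
        lines.extend(render(proc.children, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(SAMPLE_RECORDS))))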
- Tom Kahana - @tomkahana1
This project is licensed under the BSD 3-clause license - see the LICENSE file for details.
- Illusive Networks Research & Dev team members:
- Tom Sela
- Dolev Ben Shushan
- Hadar Yudovich
- Yair Fried
- Jonathan Miles for the jQuery plugin bootstrap-treeview.js