sabonis


Sabonis: A Digital Forensics and Incident Response Pivoting Tool


Description

Sabonis is a digital forensics and incident response pivoting tool that quickly parses EVTX, proxy, and PCAP files to extract lateral movements. It also loads this information into a Neo4J database, providing a graphical and easy-to-use way of investigating an incident.


Features

  • Extracts and merges lateral movements from over 7 different EVTX files
  • Parses Squid proxy events
  • Extracts all lateral movements from PCAP files
  • Fast, with low memory consumption
  • Loads different sources into a Neo4J database
  • Includes a Cypher Playbook for easy investigations

Getting Started

Make sure the evtx_dump binary is in the source folder. Before running Sabonis, you must first generate the parsed XML files with pivotfoot.sh.


Help

usage: sabonis.py [-h] [--version] [--source_artifact SOURCE_ARTIFACT]
                   [--csv_output CSV_OUTPUT] [--csv_input CSV_INPUT]
                   [--ne04j_url NE04J_URL] [--ne04j_user NE04J_USER]
                   [--only_first] [--ignore_local] [--stats]
                   [--directory] [--exclusionlist EXCLUSIONLIST]
                   [--focuslist FOCUSLIST] [--timezone TIMEZONE]
                   {parse,load2neo} {pcap,proxy,evtx,freestyle}

parse forensics artifacts to CSV and load them into neo4j database

positional arguments:
  {parse,load2neo}      choose the action to perform
  {pcap,proxy,evtx,freestyle}
                        type of artifact

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --source_artifact SOURCE_ARTIFACT
                        forensic artifact file
  --csv_output CSV_OUTPUT
                        Resulting CSV ready to be loaded
  --csv_input CSV_INPUT
                        Processed CSV to be loaded into Neo4j instance
  --ne04j_url NE04J_URL
                        Ne04j database URL in bolt format
  --ne04j_user NE04J_USER
                        Ne04j database user. Pass will be prompted
  --only_first          Just parse first connections of the group source_IP, user, dest_IP
  --ignore_local        Just include remote logins
  --stats               Display stats of processed evidence
  --directory           Parses a whole winevt/Logs directory and merges results
  --exclusionlist EXCLUSIONLIST
                        Excludes all the evidence logs or packets that contain strings included in this wordlist
  --focuslist FOCUSLIST
                        Parser will ONLY process the evidence logs or packets that contain strings included in this wordlist
  --timezone TIMEZONE   All dates with be converted to specified timezone. Ex: Europe/Leon

Examples


Parsing

  • Parse all EVTX files before processing with Sabonis:

./pivotfoot.sh source_folder_with_evtx destination_folder


Get CSVs with lateral movements

  • Process all evtx files in a directory:

./sabonis.py parse evtx --source_artifact folder_with_pivotfoot_output --directory --csv_output sabonis_output.csv --ignore_local
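The step above turns evtx_dump XML into a CSV of lateral movements, applying the `--ignore_local`, `--only_first`, `--exclusionlist` and `--focuslist` options from the help text. The following is an added example, not Sabonis' own parser: it assumes the standard Windows Event XML namespace, constructs a few Security log records (4624 successful logons plus one 4625 failure) in the layout evtx_dump emits, and shows how each option changes the resulting rows. The CSV column names are an assumption of this example, not Sabonis' format.

```python
"""Added example, not Sabonis code: extract lateral-movement rows from
evtx_dump-style Event XML and apply --ignore_local / --only_first /
--exclusionlist / --focuslist style filtering before writing a CSV."""
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NSMAP = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}  # logons that did not arrive over the network
REMOTE_LOGON_TYPES = {"3", "10"}           # Network and RemoteInteractive (RDP)
FIELDS = ["timestamp", "source_ip", "user", "dest_host", "logon_type"]


def _event(event_id, when, computer, user, ip, logon_type):
    """Build one constructed Security.evtx record in the layout evtx_dump emits."""
    return f"""<Event xmlns="{NSMAP['e']}">
  <System>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="LogonType">{logon_type}</Data>
  </EventData>
</Event>"""


# Constructed sample records (not real evidence).
SAMPLE_RECORDS = [
    _event(4624, "2024-03-01T10:00:00.000000Z", "FS01", "jdoe", "10.0.0.5", 3),
    _event(4624, "2024-03-01T10:05:00.000000Z", "FS01", "jdoe", "10.0.0.5", 3),        # repeat of the pair above
    _event(4624, "2024-03-01T10:07:00.000000Z", "FS01", "svc_backup", "127.0.0.1", 2),  # local logon
    _event(4625, "2024-03-01T10:08:00.000000Z", "FS01", "jdoe", "10.0.0.9", 3),        # failed logon, ignored
    _event(4624, "2024-03-01T10:30:00.000000Z", "DC01", "jdoe", "10.0.0.7", 10),       # RDP hop
]


def parse_logon(xml_text, tz=timezone.utc):
    """Return a lateral-movement row for a successful logon (4624), else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NSMAP)
    if system.findtext("e:EventID", namespaces=NSMAP) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NSMAP)}
    stamp = system.find("e:TimeCreated", NSMAP).get("SystemTime")
    # Samples use 6 fractional digits; real output may need trimming before fromisoformat().
    when = datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(tz)
    return {
        "timestamp": when.isoformat(),                       # converted like --timezone
        "source_ip": data.get("IpAddress", "-"),
        "user": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
        "dest_host": system.findtext("e:Computer", namespaces=NSMAP),
        "logon_type": data.get("LogonType", ""),
    }


def extract_movements(records, ignore_local=False, only_first=False,
                      exclusionlist=(), focuslist=(), tz=timezone.utc):
    """Apply the wordlist, locality and first-connection filters and return rows in time order."""
    rows = []
    for text in records:
        if any(word in text for word in exclusionlist):          # --exclusionlist
            continue
        if focuslist and not any(word in text for word in focuslist):  # --focuslist
            continue
        row = parse_logon(text, tz)
        if row is None:
            continue
        if ignore_local and (row["source_ip"] in LOCAL_SOURCES
                             or row["logon_type"] not in REMOTE_LOGON_TYPES):  # --ignore_local
            continue
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])  # same tz offset for all rows, so string order is time order
    if only_first:                            # --only_first: first logon per (source_IP, user, dest)
        seen, firsts = set(), []
        for row in rows:
            key = (row["source_ip"], row["user"], row["dest_host"])
            if key not in seen:
                seen.add(key)
                firsts.append(row)
        rows = firsts
    return rows


def to_csv(rows):
    """Serialise rows as the CSV that would later be loaded into the graph database."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_movements(SAMPLE_RECORDS, ignore_local=True, only_first=True)))
```

With both `ignore_local` and `only_first` set, the five constructed records collapse to two rows (the first 10.0.0.5 logon to FS01 and the RDP logon to DC01); the wordlists match against the raw record text, so a hostname or account name in the focus list is enough to narrow the run to one machine.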


Loading into Neo4J

  • Load sabonis_output into neo4j database:

./sabonis.py load2neo evtx --csv_input sabonis_output.csv --ne04j_url NE04J_URL --ne04j_user NE04J_USER
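Once the CSV is in Neo4j, the Cypher playbook is used to pivot: starting from a host known to be compromised, follow only the logons that happened after the attacker reached it, and list what arrived at a host before a given time. The following is an added example, not Sabonis' playbook, that performs the same two pivots in plain Python over a constructed CSV edge list, so the logic can be checked without a database. The column layout and the host-to-IP mapping are assumptions made for this example.

```python
"""Added example, not Sabonis code: trace time-ordered lateral-movement chains
over a CSV edge list of the kind a parser produces, mirroring the pivots an
investigator would run in the graph database."""
import csv
import io

# Constructed CSV (assumed column layout; not real evidence).
SAMPLE_CSV = """timestamp,source_ip,user,dest_host,logon_type
2024-03-01T10:00:00+00:00,10.0.0.5,CORP\\jdoe,FS01,3
2024-03-01T10:30:00+00:00,10.0.0.7,CORP\\jdoe,DC01,10
2024-03-01T09:50:00+00:00,10.0.0.7,CORP\\jdoe,WS02,3
2024-03-01T11:15:00+00:00,10.0.0.9,CORP\\backup,FS01,3
"""

# Assumed asset inventory: which IP each host used during the incident window.
HOST_IPS = {"WS01": "10.0.0.5", "FS01": "10.0.0.7", "WS02": "10.0.0.9", "DC01": "10.0.0.11"}


def load_edges(csv_text):
    """Read the CSV and return its rows sorted by timestamp (one row = one logon edge)."""
    return sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["timestamp"])


def pivot_chains(edges, host_ips, host, not_before="", hops=()):
    """Yield every maximal chain of hops starting at `host`.

    A hop is (timestamp, source_host, user, dest_host). Only logons later than the
    one that reached the current host are followed, and no host is revisited,
    so each chain is a plausible forward path of an intruder.
    """
    src_ip = host_ips.get(host)
    visited = {host} | {h[1] for h in hops} | {h[3] for h in hops}
    extended = False
    for e in edges:
        if e["source_ip"] != src_ip or e["timestamp"] <= not_before or e["dest_host"] in visited:
            continue
        extended = True
        hop = (e["timestamp"], host, e["user"], e["dest_host"])
        yield from pivot_chains(edges, host_ips, e["dest_host"], e["timestamp"], hops + (hop,))
    if hops and not extended:
        yield list(hops)


def inbound_before(edges, host, timestamp):
    """Logons that reached `host` before `timestamp`: the 'how did they get here' pivot."""
    return [e for e in edges if e["dest_host"] == host and e["timestamp"] < timestamp]


def format_chain(chain):
    """Render a chain as 'WS01 -> FS01 (user @ time) -> ...' for a report."""
    return chain[0][1] + "".join(f" -> {dest} ({user} @ {ts})" for ts, _, user, dest in chain)


if __name__ == "__main__":
    edges = load_edges(SAMPLE_CSV)
    for chain in pivot_chains(edges, HOST_IPS, "WS01"):
        print(format_chain(chain))
    for e in inbound_before(edges, "DC01", "2024-03-01T12:00:00+00:00"):
        print("reached DC01 from", e["source_ip"], "as", e["user"], "at", e["timestamp"])
```

Starting from WS01, the only chain is WS01 -> FS01 -> DC01: the 09:50 logon from FS01 to WS02 is dropped because it predates the attacker's arrival on FS01. The time ordering is what keeps the graph from turning every pre-existing admin session into a false pivot.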


Acknowledgements

EVTX parser library by @OBenamram
