HistoricProcessTree receives a Security Event Log file (evtx) and visualizes historic process execution evidence (based on 4688 events) in a tree view.
Analyzing processes execution, their time and their ancestors, provides researchers an initial understanding of what happened on an investigated machine.
Additional reading material on the tool, can be found in our blog Visualising Historic Process Execution Events.
- Powershell
- Python Anytree module
- Python jinja2 module
pip install anytree jinja2
Usage: HistoricProcessTree.py [-h] [-s START_TIME] [-e END_TIME] [--hours NUM_OF_HOURS] input_file output_file
positional arguments:
input_file Path to evtx file
output_file Final name of the generated HTML
optional arguments:
-h, --help Show this help message and exit
-s START_TIME Start date filter- Format: "MM/DD/YYYY HH:MM:SS"
-e END_TIME End date filter- Format: "MM/DD/YYYY HH:MM:SS"
--hours HOURS Number of hours to go back since last event
HistoricProcessTree.py c:\work\Security.evtx -s “01/10/2018 15:45:00” -e “01/10/2017 16:00” output_file.html Note: Run this from the tool's working directory
will generate the following HTML page:
- Tom Kahana- @tomkahana1
This project is licensed under the BSD 3-clause license - see the LICENSE file for details
- Illusive Networks Research & Dev team members:
- Tom Sela
- Dolev Ben Shushan
- Hadar Yudovich
- Yair Fried
- Jonathan Miles for JQuery Plugin bootstrap-treeview.js