├── .github
│   └── workflows
│       ├── generate_builds.yml
│       └── lint_python.yml
├── .gitignore
├── Dockerfile
├── Makefile
├── README.md
├── Taskfile.yml
├── bin
│   ├── create_universal_bin_macos.sh
│   ├── evtx_dump_lin
│   ├── evtx_dump_lin_arm
│   ├── evtx_dump_mac
│   ├── evtx_dump_win.exe
│   └── package_evtx_binaries.sh
├── config
│   └── fieldMappings.json
├── docs
│   ├── .nojekyll
│   ├── Advanced.md
│   ├── Internals.md
│   ├── README.md
│   ├── Usage.md
│   ├── Zircolite_manual.pdf
│   ├── _sidebar.md
│   ├── index.html
│   └── pics
│       ├── Zircolite.png
│       └── gui.jpg
├── gui
│   └── zircogui.zip
├── pics
│   ├── Zircolite.gif
│   ├── Zircolite.png
│   ├── Zircolite.svg
│   ├── Zircolite_v2.9.gif
│   ├── gui-matrix.webp
│   ├── gui-timeline.webp
│   ├── gui.jpg
│   ├── gui.webp
│   ├── zircolite_200.png
│   ├── zircolite_400.png
│   ├── zircolite_600.png
│   └── zircolite_800.png
├── requirements.full.txt
├── requirements.txt
├── rules
│   ├── README.md
│   ├── rules_linux.json
│   ├── rules_windows_generic.json
│   ├── rules_windows_generic_full.json
│   ├── rules_windows_generic_high.json
│   ├── rules_windows_generic_medium.json
│   ├── rules_windows_generic_pysigma.json
│   ├── rules_windows_sysmon.json
│   ├── rules_windows_sysmon_full.json
│   ├── rules_windows_sysmon_high.json
│   ├── rules_windows_sysmon_medium.json
│   └── rules_windows_sysmon_pysigma.json
├── templates
│   ├── exportForELK.tmpl
│   ├── exportForSplunk.tmpl
│   ├── exportForSplunkWithRuleID.tmpl
│   ├── exportForTimesketch.tmpl
│   ├── exportForZinc.tmpl
│   └── exportForZircoGui.tmpl
└── zircolite.py

--------------------------------------------------------------------------------
/.github/workflows/generate_builds.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/.github/workflows/generate_builds.yml

--------------------------------------------------------------------------------
/.github/workflows/lint_python.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/.github/workflows/lint_python.yml

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/.gitignore

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/Dockerfile

--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/Makefile

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/README.md

--------------------------------------------------------------------------------
/Taskfile.yml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/Taskfile.yml

--------------------------------------------------------------------------------
/bin/create_universal_bin_macos.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/create_universal_bin_macos.sh

--------------------------------------------------------------------------------
/bin/evtx_dump_lin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/evtx_dump_lin

--------------------------------------------------------------------------------
/bin/evtx_dump_lin_arm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/evtx_dump_lin_arm

--------------------------------------------------------------------------------
/bin/evtx_dump_mac:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/evtx_dump_mac

--------------------------------------------------------------------------------
/bin/evtx_dump_win.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/evtx_dump_win.exe

--------------------------------------------------------------------------------
/bin/package_evtx_binaries.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/bin/package_evtx_binaries.sh

--------------------------------------------------------------------------------
/config/fieldMappings.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/config/fieldMappings.json

--------------------------------------------------------------------------------
/docs/.nojekyll:
--------------------------------------------------------------------------------
(empty file)

--------------------------------------------------------------------------------
/docs/Advanced.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/Advanced.md

--------------------------------------------------------------------------------
/docs/Internals.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/Internals.md

--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/README.md

--------------------------------------------------------------------------------
/docs/Usage.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/Usage.md

--------------------------------------------------------------------------------
/docs/Zircolite_manual.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/Zircolite_manual.pdf

--------------------------------------------------------------------------------
/docs/_sidebar.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/_sidebar.md

--------------------------------------------------------------------------------
/docs/index.html:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/index.html

--------------------------------------------------------------------------------
/docs/pics/Zircolite.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/pics/Zircolite.png

--------------------------------------------------------------------------------
/docs/pics/gui.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/docs/pics/gui.jpg

--------------------------------------------------------------------------------
/gui/zircogui.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/gui/zircogui.zip

--------------------------------------------------------------------------------
/pics/Zircolite.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/Zircolite.gif

--------------------------------------------------------------------------------
/pics/Zircolite.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/Zircolite.png

--------------------------------------------------------------------------------
/pics/Zircolite.svg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/Zircolite.svg

--------------------------------------------------------------------------------
/pics/Zircolite_v2.9.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/Zircolite_v2.9.gif

--------------------------------------------------------------------------------
/pics/gui-matrix.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/gui-matrix.webp

--------------------------------------------------------------------------------
/pics/gui-timeline.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/gui-timeline.webp

--------------------------------------------------------------------------------
/pics/gui.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/gui.jpg

--------------------------------------------------------------------------------
/pics/gui.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/gui.webp

--------------------------------------------------------------------------------
/pics/zircolite_200.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/zircolite_200.png

--------------------------------------------------------------------------------
/pics/zircolite_400.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/zircolite_400.png

--------------------------------------------------------------------------------
/pics/zircolite_600.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/zircolite_600.png

--------------------------------------------------------------------------------
/pics/zircolite_800.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/pics/zircolite_800.png

--------------------------------------------------------------------------------
/requirements.full.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/requirements.full.txt

--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
orjson>=3.9.15
xxhash
colorama>=0.4.4
tqdm>=4.58.0
chardet
RestrictedPython

--------------------------------------------------------------------------------
/rules/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/README.md

--------------------------------------------------------------------------------
/rules/rules_linux.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_linux.json

--------------------------------------------------------------------------------
/rules/rules_windows_generic.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_generic.json

--------------------------------------------------------------------------------
/rules/rules_windows_generic_full.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_generic_full.json

--------------------------------------------------------------------------------
/rules/rules_windows_generic_high.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_generic_high.json

--------------------------------------------------------------------------------
/rules/rules_windows_generic_medium.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_generic_medium.json

--------------------------------------------------------------------------------
/rules/rules_windows_generic_pysigma.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_generic_pysigma.json

--------------------------------------------------------------------------------
/rules/rules_windows_sysmon.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_sysmon.json

--------------------------------------------------------------------------------
/rules/rules_windows_sysmon_full.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_sysmon_full.json

--------------------------------------------------------------------------------
/rules/rules_windows_sysmon_high.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_sysmon_high.json

--------------------------------------------------------------------------------
/rules/rules_windows_sysmon_medium.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_sysmon_medium.json

--------------------------------------------------------------------------------
/rules/rules_windows_sysmon_pysigma.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/rules/rules_windows_sysmon_pysigma.json

--------------------------------------------------------------------------------
/templates/exportForELK.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForELK.tmpl

--------------------------------------------------------------------------------
/templates/exportForSplunk.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForSplunk.tmpl

--------------------------------------------------------------------------------
/templates/exportForSplunkWithRuleID.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForSplunkWithRuleID.tmpl

--------------------------------------------------------------------------------
/templates/exportForTimesketch.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForTimesketch.tmpl

--------------------------------------------------------------------------------
/templates/exportForZinc.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForZinc.tmpl

--------------------------------------------------------------------------------
/templates/exportForZircoGui.tmpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/templates/exportForZircoGui.tmpl

--------------------------------------------------------------------------------
/zircolite.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wagga40/Zircolite/HEAD/zircolite.py
--------------------------------------------------------------------------------