Question 1

How to replay EVTX files from this repo using the included PowerShell script?

Accepted Answer

Use the Winlogbeat-Bulk-Read.ps1 script provided in the repository; it can parse and replay EVTX files by pointing it to a directory with evtx files and a winlogbeat.exe binary, outputting logs to configured destinations like an ELK stack or local JSON files.

Question 2

EVTX-ATTACK-SAMPLES vs Atomic Red Team for detection testing?

Accepted Answer

EVTX-ATTACK-SAMPLES provides pre-generated event logs for specific attacks, ideal for testing log parsers and SIEM rules without executing code. In contrast, Atomic Red Team executes live attack simulations, offering real-time data but requiring safe environments. Choose based on whether you need static logs or active testing.

Question 3

Does this repo cover the latest MITRE ATT&CK techniques?

Accepted Answer

The README shows stats and heatmaps for covered TTPs, but it's a static collection; updates depend on contributor efforts. Check the linked details or GitHub issues for recent additions, as attack techniques evolve over time.

Question 4

How to integrate these samples into Elasticsearch for SIEM testing?

Accepted Answer

Leverage the Winlogbeat script to bulk-read EVTX files and output to Elasticsearch via Winlogbeat configurations. You'll need to set up Winlogbeat with your Elastic Stack instance and adjust the YAML files included in the repo for seamless ingestion.

Question 5

Can I use these samples for red team training without triggering alerts?

Accepted Answer

Yes, the samples help red teams identify noisy techniques, as mentioned in the README. However, since they're simulated logs, running them in production-like environments still requires caution to avoid false positives or compliance issues.

Question 6

What's the best way to contribute new EVTX samples to this project?

Accepted Answer

Contribute by submitting pull requests with new EVTX files mapped to ATT&CK techniques, ensuring they follow the repository's structure. Check the GitHub page for guidelines, and consider including documentation on the attack simulation for clarity.

Windows Events Attack Samples

What is Windows Events Attack Samples?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions