WOLF Commands - H0wl3r/WOLF-VM GitHub Wiki

Import

Windows Logs

Command: WOLF-Import-Windows_logs

To ingest Windows Event Log files (.evtx format) into Elastic for analysis:

  1. Prepare Log Files: Drag and drop .evtx logs into the directory:

    C:\WOLF\Logs\WinLogs

  2. Run the Import Command: Execute the following command to ingest all .evtx logs from the WinLogs directory into Elastic:

    WOLF-Import-Windows_logs
    
  3. Elastic Ingestion: Once processed, the .evtx files will be automatically imported into Elastic, enabling detailed investigation and analysis.

Hayabusa Logs

Command: WOLF-Import-Hayabusa_logs

Automate analysis of Windows .evtx logs with Hayabusa and ingest the results into Elastic:

  1. Prepare Log Files: Place your .evtx log files in the directory:

    C:\WOLF\Logs\WinLogs

  2. Run the Import Command: Execute the following command to process all .evtx files in the directory with Hayabusa:

    WOLF-Import-Hayabusa_logs
    

    This command will:

    • Run Hayabusa analysis on each .evtx file.
    • Save the generated JSONL output file (results.jsonl) to:

    C:\WOLF\Logs\Hayabusa

  3. Elastic Ingestion: Once processed, the results.jsonl file will be automatically imported into Elastic, allowing for detailed forensic investigation and correlation.

PCAP Logs

Command: WOLF-Import-PCAP

To ingest .pcap files into Elastic for analysis:

  1. Prepare PCAP Files: Place your .pcap files in the directory:

    C:\WOLF\Logs\PCAP

  2. Run the Import Command: Execute the following command to have Zeek analyse all .pcap files located in C:\WOLF\Logs\PCAP:

    WOLF-Import-PCAP
    

    This command will:

    • Run Zeek analysis on each .pcap file.
    • Save the generated JSON output files to:

    C:\WOLF\Logs\Zeek

  3. Elastic Ingestion: Once processed, the JSON files will be automatically imported into Elastic, enabling detailed investigation and analysis of network traffic.
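The three import procedures above all follow the same pattern: stage files in a directory, run one command, let Elastic pick up the output. Before handing evidence to that pipeline, a practitioner usually wants two checks: that every staged file is really the format the directory expects (a renamed .txt in WinLogs or a pcapng in PCAP will fail or be silently skipped), and a hash record of what was ingested. The PowerShell below is an added example, not part of WOLF-VM; the directory paths and the WOLF-Import-* command names come from this page, while the manifest path, the helper names and the format checks are assumptions. It covers the Windows Logs, Hayabusa and PCAP steps in one run, since Hayabusa reads the same WinLogs directory.

```powershell
# Added example: pre-flight check of the WOLF import directories before running the
# WOLF-Import-* commands. Not part of WOLF-VM; only the directory paths and command
# names come from the wiki. The manifest path and helper names are assumptions.

# Leading bytes that identify the two evidence formats the import commands expect.
$EvtxMagic = ,[byte[]](0x45,0x6C,0x66,0x46,0x69,0x6C,0x65,0x00)   # "ElfFile\0"
$PcapMagic = @(
    [byte[]](0xD4,0xC3,0xB2,0xA1),   # pcap, little-endian, microsecond timestamps
    [byte[]](0xA1,0xB2,0xC3,0xD4),   # pcap, big-endian, microsecond timestamps
    [byte[]](0x4D,0x3C,0xB2,0xA1),   # pcap, little-endian, nanosecond timestamps
    [byte[]](0xA1,0xB2,0x3C,0x4D),   # pcap, big-endian, nanosecond timestamps
    [byte[]](0x0A,0x0D,0x0D,0x0A)    # pcapng Section Header Block
)

function Test-FileMagic {
    # Returns $true when the file starts with any of the given byte signatures.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][object[]]$Signatures
    )
    $buf = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try     { $n = $fs.Read($buf, 0, $buf.Length) }
    finally { $fs.Dispose() }
    foreach ($sig in $Signatures) {
        if ($n -lt $sig.Length) { continue }
        $same = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($buf[$i] -ne $sig[$i]) { $same = $false; break }
        }
        if ($same) { return $true }
    }
    return $false
}

function Get-WolfEvidenceManifest {
    # Hash every file with the expected extension in a WOLF import directory and
    # record whether its header matches the format that directory is meant for.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Extension,
        [Parameter(Mandatory)][object[]]$Signatures
    )
    foreach ($f in Get-ChildItem -Path $Directory -Filter "*$Extension" -File) {
        [pscustomobject]@{
            File    = $f.FullName
            Bytes   = $f.Length
            SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            MagicOK = Test-FileMagic -Path $f.FullName -Signatures $Signatures
        }
    }
}

$manifest = @(Get-WolfEvidenceManifest -Directory 'C:\WOLF\Logs\WinLogs' -Extension '.evtx' -Signatures $EvtxMagic) +
            @(Get-WolfEvidenceManifest -Directory 'C:\WOLF\Logs\PCAP'    -Extension '.pcap' -Signatures $PcapMagic)

if ($manifest.Count -eq 0) { Write-Warning 'Nothing staged in C:\WOLF\Logs\WinLogs or C:\WOLF\Logs\PCAP'; return }

# Keep a record of exactly what was ingested (this path is an assumption, not a WOLF convention).
$manifest | Export-Csv -Path 'C:\WOLF\Logs\import-manifest.csv' -NoTypeInformation
$manifest | Format-Table -AutoSize

$bad = @($manifest | Where-Object { -not $_.MagicOK })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Error "Header mismatch, not ingesting: $($_.File)" }
    return
}

# Every staged file checked out: run the wiki's import commands in the documented order.
WOLF-Import-Windows_logs
WOLF-Import-Hayabusa_logs
WOLF-Import-PCAP
```

The header check deliberately accepts pcapng alongside classic pcap, because Zeek reads both; if you want the PCAP directory restricted to classic .pcap only, drop the last signature from $PcapMagic. Keep the manifest CSV with the case notes, since the Remove commands below clear Elastic but leave the staged files in place, and the hashes are what tie a later re-import back to the original evidence.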

Remove

Command: WOLF-Remove-All_logs

This command does not delete any log files on disk; it only removes the documents from the Elastic indices.

WOLF-Remove-All_logs

Command: WOLF-Remove-Filebeat_logs

This command will remove all documents within the filebeat-* index only.

WOLF-Remove-Filebeat_logs

Command: WOLF-Remove-Hayabusa_logs

This command will remove all documents within the Hayabusa index only.

WOLF-Remove-Hayabusa_logs

Command: WOLF-Remove-WinLogBeat_logs

This command will remove all documents within the winlogbeat-* index only.

WOLF-Remove-WinLogBeat_logs
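Each Remove command is described as touching exactly one index pattern. A quick way to confirm that scope on your own VM, and to know how much data you are about to discard, is to take document counts from Elastic before and after the command. The following PowerShell is an added example and not part of WOLF-VM; the WOLF-Remove-* command names come from this page, while the Elastic endpoint (http://localhost:9200, unauthenticated), the hayabusa* pattern (the wiki names the index but not its exact name) and the helper names are assumptions.

```powershell
# Added example: confirm what a WOLF-Remove-* command actually touched by taking
# document counts from Elastic before and after it. Not part of WOLF-VM.
# Assumptions: Elastic answers unauthenticated on http://localhost:9200 and the
# Hayabusa data lives in an index matching 'hayabusa*'.

function Get-WolfIndexCounts {
    param(
        [string]$ElasticUrl = 'http://localhost:9200',
        [string[]]$Patterns = @('winlogbeat-*', 'filebeat-*', 'hayabusa*')
    )
    $result = @{}
    foreach ($p in $Patterns) {
        try {
            # _count over a wildcard returns 0 when no index matches, so an empty
            # pattern is reported as 0 rather than as an error.
            $r = Invoke-RestMethod -Uri "$ElasticUrl/$p/_count" -Method Get
            $result[$p] = [int64]$r.count
        } catch {
            $result[$p] = $null   # Elastic unreachable or the request was rejected
        }
    }
    return $result
}

function Compare-WolfIndexCounts {
    # One row per pattern: count before, count after, and whether it changed.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($p in $Before.Keys) {
        [pscustomobject]@{
            Pattern = $p
            Before  = $Before[$p]
            After   = $After[$p]
            Changed = ($Before[$p] -ne $After[$p])
        }
    }
}

$before = Get-WolfIndexCounts
WOLF-Remove-Hayabusa_logs                 # the wiki command whose scope is being checked
$after  = Get-WolfIndexCounts
$delta  = Compare-WolfIndexCounts -Before $before -After $after
$delta | Format-Table -AutoSize

# Only the Hayabusa pattern should have moved; any other change is a scope problem worth raising.
$unexpected = @($delta | Where-Object { $_.Changed -and $_.Pattern -ne 'hayabusa*' })
if ($unexpected.Count -gt 0) {
    Write-Warning "Indices outside the target changed: $($unexpected.Pattern -join ', ')"
}
```

One caveat when reading the After column: _count reflects the last index refresh, so if a Remove command deletes by query the count can still show the old number for about a second. Re-run Get-WolfIndexCounts after a short pause, or issue a POST to /_refresh on the endpoint first, before concluding that the command did nothing. To check a different command, swap WOLF-Remove-Hayabusa_logs for WOLF-Remove-WinLogBeat_logs or WOLF-Remove-Filebeat_logs and adjust the pattern excluded in $unexpected accordingly; for WOLF-Remove-All_logs every pattern is expected to drop to 0.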

Update

Hayabusa Rules

WOLF-Update-Hayabusa_Rules

The above command syncs the local rules folder with the Hayabusa rules GitHub repository, updating the Sigma rules to the latest version.

GeoIP

WOLF-Update-GeoIP

WOLF-VM is integrated with GeoLite2 data created by MaxMind, available from https://www.maxmind.com and subject to the GeoLite2 EULA. The included GeoIP database files can be updated by running the above command, which pulls the latest database files.