ESET Endpoint Security Log Parsing Artifact #931
Conversation
| type: CLIENT | ||
|
|
||
| tools: | ||
| - name: ESETLogCollector |
There was a problem hiding this comment.
Can you add an expected_hash field in?
tools:
- name: ESETLogCollector
url: https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcollector.exe
expected_hash: efade9e0e6d228c118c4c28de2e45c37ae2fa4973283d5f851e6c62c7b72f53b < add the hash here
serve_locally: true
There was a problem hiding this comment.
im also wondering what this tool does - for example: does it decode the logs?
Depending on what it does we might be able to do this natively and bypass the need for EXECVE
There was a problem hiding this comment.
I've added expected_hash. The main purpose of ELC here is that it can convert proprietary format of AV logs into XML. See https://help.eset.com/elc/4.10/en-US/elc_cli.html It's too bad AV can't currently convert logs to XML directly without the need to download this tool.
There was a problem hiding this comment.
no worries - this is defiantly a useful artifact!
I just like to mention native as Ive seen logs simply rc4-ed that were easy to do natively so think about uplifting this if we can figure out what they are. VR can definitely read XML, just what ever the other binary format is. The general idea of minimising EXECVE and third party execution on the endpoint is always a good one. :)
There was a problem hiding this comment.
Agree, I will look into if anything can be done about it. I'm probably best person to do it as I work for ESET.
Artifact that uses ESET Log Collector tool to convert threat logs into XMLs and parse them through Velociraptor. Covers all important log sources that are commonly encountered in enterprise setting. Tested on ESET Endpoint Security.
Examples:
