Vigil — Windows Event Log Forensics & Detection Engineering

Live Demo

A client-side DFIR tool specializing in Living off the Land (LotL) attack detection. Vigil ingests forensic data from Hayabusa, Chainsaw, or raw EVTX exports and runs live Shannon entropy analysis, Sigma rule matching, PowerShell obfuscation decoding, ScriptBlock reassembly (EID 4104), ransomware chain correlation, credential access detection (SAM dump, DCSync, Kerberoasting), and process lineage reconstruction — entirely in the browser.

Built for blue team analysts, detection engineers, and SOC operators who need to rapidly triage Windows event logs and codify findings into deployable detection rules.

---

Screenshots

Screenshots coming soon. Run npm run dev and click "Load demo file" to see:

• Dashboard with ransomware chain detection banner, lateral movement alert, and event histogram
• Log analyser with PowerShell decoded payload and pivot-on-click filtering
• Ransomware chain 5-stage kill chain visualization
• Lateral movement correlation findings (SMB sweep, RDP anomaly, PsExec pattern)
• ATT&CK map with coverage percentage across 8 tactics

---

What it does

Ingest — Drop a Hayabusa JSONL, Chainsaw JSON, or raw EVTX JSON file. Events are auto-detected, normalized into a unified schema, and enriched in real time. EID 4104 ScriptBlock fragments are automatically reassembled before analysis. A bundled 43-event demo file is included for instant testing.

Detect — 31 built-in Sigma rules cover the highest-signal LotL, persistence, ransomware, lateral movement, credential access, and PowerShell threat patterns: Impacket WMIExec, WMI persistence trinity, GhostTask, LSASS dump, DSRM backdoor, LOLBin download cradles, Suborner RID hijacking, PowerShell profile persistence, TelemetryController abuse, mshta/regsvr32/bitsadmin/wmic/cmstp abuse, log clearing anti-forensics, ransomware pre-deployment chain (vssadmin/bcdedit/wbadmin/netsh), Registry Run key persistence, suspicious service installs, COM object hijacking, scheduled task creation, DLL side-loading, PowerShell ScriptBlock offensive tools, AMSI bypass, PowerShell from suspicious directories, LOLBin DLL injection (MavInject/odbcconf), SAM registry hive dump, DCSync directory replication (EID 4662), and Kerberos RC4 ticket requests (EID 4769).

Analyze — Shannon entropy scoring flags obfuscated command lines. PowerShell obfuscation analyzer runs 12 pattern categories (download cradles, dynamic execution, encoded payloads, memory injection, credential access, AMSI bypass, PS v2 downgrade, AD reconnaissance, LOLBin execution, registry persistence, lateral movement tools, multi-layer obfuscation) and auto-decodes -EncodedCommand Base64 payloads inline. EID 4104 ScriptBlock reassembly stitches fragmented PowerShell scripts back together before analysis, so the full payload is analyzed as a unit rather than meaningless fragments. Ransomware chain detector correlates 4 pre-encryption stages per host within a 30-minute window and escalates to CRITICAL. Lateral movement engine detects SMB sweeps (3+ Type 3 logons from same IP), RDP anomalies (external IP or service account), and PsExec patterns (Type 3 logon + suspicious service install). Kerberoasting burst detector groups EID 4769 RC4 ticket requests by account and flags when 5+ distinct service tickets are requested within 5 minutes. Process lineage reconstruction builds parent-child trees from Sysmon ProcessGuids or heuristic PID chaining. Logon summary parses EID 4624/4625 into per-account activity with anomaly detection. Event ID frequency analysis shows the top 10 EIDs by volume.

Hunt — Pivot-on-click turns the Log Analyser into a threat hunting surface. Click any field value (host, user, process, parent) to instantly filter all matching events. Regex search runs across all fields. Three-stage filter pipeline (category, pivot, search) enables rapid drill-down.

Baseline — Upload a known-good baseline (PersistenceSniper CSV or Vigil JSON) and the tool automatically diffs it against ingested events. Baseline matches are suppressed as false positives; only the delta remains for investigation. Export the current scan as a reusable baseline for future comparisons.

Export — Every Sigma rule can be exported to KQL (Sentinel/Defender), SPL (Splunk), EQL (Elastic), or VQL (Velociraptor) with platform-specific field mapping. Enriched event data can be exported as JSON or CSV for handoff.

---

Tabs

Tab	Purpose
Dashboard	File drop zone, event frequency histogram, EID frequency breakdown, severity stats, ransomware chain banner, lateral movement alert, Kerberoasting alert, threat summary, actor profile cards
Log analyser	Searchable event table with regex toggle, pivot-on-click filtering, severity/MITRE tags, entropy scores, PowerShell analysis panel with decoded payloads, and Sigma match details
Correlation engine	Multi-event attack chain reconstruction with kill chain phase mapping
Attack graph	Two-lane SVG timeline showing lateral movement between hosts with tactic phase coloring
Process lineage	Expandable tree view of process ancestry, grouped by host, with command-line inspection
Logon summary	EID 4624/4625 logon timeline, logon type breakdown, per-account activity cards with anomaly flagging
Ransomware chain	5-stage pre-deployment kill chain visualization — shadow copy deletion, recovery disable, backup deletion, firewall tampering, AV stop — with confidence scoring and urgency countdown
Lateral movement	Three-pattern correlation: SMB sweep detection (3+ hosts from same IP), RDP anomaly (external IP / service account), PsExec pattern (Type 3 logon + service install). Structured findings with sequence visualization
Baseline diff	Upload a known-good baseline (PersistenceSniper CSV or JSON) and live-diff against ingested events. Shows only the delta — attacker-implanted persistence not in the baseline. Export current scan as a reusable baseline. Falls back to static demo data when no baseline is loaded
Sigma workshop	Browse, search, and inspect all 31 rules — YAML preview, tag metadata, and live KQL/SPL/EQL/VQL export
ATT&CK map	Technique coverage heatmap aligned to MITRE ATT&CK v15 tactics (8 tactics, 35 techniques) with coverage percentage bar
LOLBin radar	Detection status dashboard for 18 LOLBins from the LOLBAS + PersistenceSniper catalogs (9 actively detected)

---

Architecture

vigil-run/src/
  data/           Static reference data (demo scenario, Sigma rules, MITRE map, LOLBin catalog)
  engine/         Processing pipeline (12 modules)
                    normalizer              — auto-detect format, normalize to VigilEvent schema
                    scriptBlockReassembler  — EID 4104 fragment stitching by ScriptBlockId
                    entropy                 — Shannon entropy + character-type change scoring
                    sigmaMatcher            — client-side Sigma rule evaluation engine
                    sigmaExporter           — rule translation to KQL/SPL/EQL/VQL
                    psAnalyzer              — 12 PowerShell obfuscation categories + Base64 decode
                    ransomwareChain         — multi-stage chain correlation per host
                    lateralMovement         — SMB sweep, RDP anomaly, PsExec pattern detection
                    kerberoasting           — EID 4769 RC4 burst detection per account
                    baselineEngine          — CSV/JSON baseline parsing, diff computation, export
                    lineageBuilder          — process ancestry tree construction
                    exporter                — JSON/CSV browser download
  store/          React Context + useReducer (EventContext — single source of truth)
  components/     UI modules (Shell, Dashboard, LogAnalyzer, RansomwareChain, ProcessTree, ...)

Enrichment pipeline:

File drop  -->  parseFileContent()  -->  detectFormat()  -->  normalizeEvent()
           -->  reassembleScriptBlocks()   (stitch EID 4104 fragments)
           -->  calculateEntropy()  -->  matchEvent()    -->  analyzePowerShell()
           -->  detectRansomwareChain()  -->  detectLateralMovement()
           -->  detectKerberoasting()
           -->  EventContext dispatch  -->  All 12 tabs re-render with enriched events

Supported ingestion formats:

• Hayabusa JSONL — hayabusa json-timeline -d <logs> -o results.jsonl
• Chainsaw JSON — chainsaw hunt <logs> -s sigma/ --json > results.json
• Raw EVTX JSON — evtx_dump or python-evtx JSON output
• Vigil native — re-import of previously exported Vigil JSON

---

Quickstart

cd vigil-run
npm install
npm run dev

Open http://localhost:5173 and click Load demo file on the Dashboard to see the full pipeline in action, or drop your own Hayabusa/Chainsaw output file. The bundled demo file contains 43 Hayabusa-format events simulating a multi-stage LotL intrusion with ransomware pre-deployment, lateral movement, credential access (SAM dump, DCSync, Kerberoasting), and fragmented PowerShell ScriptBlock reassembly.

Generate test data

# Hayabusa (recommended)
hayabusa json-timeline -d /path/to/evtx/ -o results.jsonl

# Chainsaw
chainsaw hunt /path/to/evtx/ -s sigma/ --json > results.json

---

Detection Coverage

31 rules authored in the Sigma open standard, mapping to MITRE ATT&CK v15.

ID	Technique	MITRE	Severity
SIGMA-001	Impacket WMIExec lateral movement	T1047, T1021.002	Critical
SIGMA-002	WMI persistence trinity (Filter + Consumer + Binding)	T1546.003	Critical
SIGMA-003	GhostTask — scheduled task via direct registry write	T1053.005, T1112	Critical
SIGMA-004	LSASS dump via comsvcs.dll MiniDump	T1003.001, T1218.011	Critical
SIGMA-005	DSRM backdoor on domain controller	T1098, T1112	Critical
SIGMA-006	LOLBin chain — certutil download + encoded PowerShell	T1105, T1059.001	High
SIGMA-007	Suborner — hidden admin via RID hijacking	T1136.001, T1098	Critical
SIGMA-008	PowerShell profile persistence	T1546.013	High
SIGMA-009	TelemetryController persistence via AppCompatFlags	T1053.005, T1112	High
SIGMA-010	mshta.exe remote HTA execution	T1218.005	Critical
SIGMA-011	regsvr32.exe Squiblydoo (remote COM scriptlet)	T1218.010	High
SIGMA-012	bitsadmin.exe file download via BITS job	T1105, T1197	High
SIGMA-013	wmic.exe remote process creation	T1047	Critical
SIGMA-014	cmstp.exe UAC bypass via INF	T1218.003	High
SIGMA-015	Security event log cleared (anti-forensics)	T1070.001	Critical
SIGMA-016	vssadmin shadow copy deletion (ransomware)	T1490	Critical
SIGMA-017	bcdedit recovery disabled (ransomware)	T1490	Critical
SIGMA-018	wbadmin backup catalog deleted (ransomware)	T1490	Critical
SIGMA-019	netsh firewall disabled (defense evasion)	T1562.004	High
SIGMA-020	Registry Run key persistence (Sysmon EID 13)	T1547.001	High
SIGMA-021	Suspicious service install — non-standard path (EID 7045)	T1543.003	High
SIGMA-022	COM object hijacking via CLSID registry write	T1546.015	High
SIGMA-023	Scheduled task created — EID 4698	T1053.005	Medium
SIGMA-024	DLL loaded from suspicious path (Sysmon EID 7)	T1574.001	High
SIGMA-025	PowerShell ScriptBlock — offensive tool detected	T1059.001	Critical
SIGMA-026	AMSI bypass attempt via PowerShell	T1562.001	Critical
SIGMA-027	PowerShell execution from suspicious directory	T1059.001	High
SIGMA-028	LOLBin DLL injection via MavInject or odbcconf	T1218	Critical
SIGMA-029	SAM registry hive dump via reg.exe	T1003.002	Critical
SIGMA-030	DCSync — directory replication via EID 4662	T1003.006	Critical
SIGMA-031	Kerberos RC4 service ticket request (Kerberoasting)	T1558.003	High

---

ScriptBlock Reassembly (EID 4104)

Windows PowerShell ScriptBlock Logging (EID 4104) splits large scripts across multiple events sharing the same ScriptBlockId. Each fragment carries a MessageNumber and MessageTotal. Vigil automatically stitches these fragments back together before running any analysis, so the full payload is evaluated as a unit rather than meaningless fragments.

The reassembler runs between normalization and enrichment in the pipeline. After reassembly:

• The full script is injected into the first fragment's cmdline for entropy, Sigma, and PS pattern analysis
• Non-first fragments are marked as such, with a cross-reference to the reassembled event
• The Log Analyser detail pane shows the complete reassembled script in a scrollable code block

---

PowerShell Obfuscation Analysis

The PS analyzer runs 12 pattern categories against every command line and auto-decodes Base64 payloads:

Category	What it detects	MITRE
Download Cradle	DownloadString, WebClient, Invoke-WebRequest, Start-BitsTransfer	T1105
Dynamic Execution	IEX, Invoke-Expression, [ScriptBlock]::Create	T1059.001
Encoded Payload	-EncodedCommand, FromBase64String — auto-decoded (UTF-16LE/UTF-8)	T1027
Memory Injection	Reflection.Assembly.Load, Add-Type -AssemblyName	T1620
Credential Access	sekurlsa, mimikatz, lsass, Get-Credential	T1003.001
AMSI Bypass	amsiInitFailed, AmsiScanBuffer, amsi.dll	T1562.001
PS v2 Downgrade	powershell -version 2 — bypasses modern logging	T1059.001
AD Reconnaissance	Get-DomainUser, PowerView, Invoke-UserHunter, nltest	T1087.002
LOLBin Execution	cscript //E:JScript, mshta .hta, MavInject /INJECTRUNNING	T1218
Registry Persistence	AppInit_DLLs, UserInit hijack, Office COM persistence	T1547.001
Lateral Movement Tool	PsMapExec, Invoke-Mimikatz, secretsdump, DCSync	T1021.002
Multi-Layer Obfuscation	[char] codes, -join, -bxor, format operator tricks	T1027.010

---

Ransomware Chain Detection

Vigil correlates ransomware pre-deployment behaviors per host. When 2+ stages fire within a 30-minute window, the tool escalates to CRITICAL:

Stage	Binary	What it detects	Required
1	vssadmin.exe	Shadow copy deletion	Yes
2	bcdedit.exe	Boot recovery disabled	Yes
3	wbadmin.exe	Backup catalog deleted	No
4	netsh.exe	Firewall disabled	No
5	—	AV/EDR stopped	Future

Confidence scoring: 2 stages = High, 3 = Critical, 4+ = Confirmed.

---

Lateral Movement Detection

Vigil detects three lateral movement patterns:

Pattern	Trigger	MITRE
SMB Sweep	Same source IP performs Type 3 logons to 3+ hosts within 5 min	T1021.002
RDP Anomaly	Type 10 logon from external IP or service account	T1021.001
PsExec Pattern	Type 3 logon followed by suspicious service install (SIGMA-021) on same host within 2 min	T1021.002 + T1543.003

---

Credential Access Detection

Vigil detects three credential access techniques beyond LSASS memory dumping:

Technique	Detection Method	MITRE
SAM Registry Dump	reg save HKLM\SAM / HKLM\SYSTEM / HKLM\SECURITY — single-event Sigma rule (SIGMA-029)	T1003.002
DCSync	EID 4662 with Active Directory replication GUIDs (1131f6ad-..., 1131f6aa-...) from non-DC accounts — Sigma rule (SIGMA-030)	T1003.006
Kerberoasting	EID 4769 with RC4 encryption (0x17) — per-event Sigma rule (SIGMA-031) + burst correlation engine flags 5+ distinct service ticket requests per account within 5 minutes	T1558.003

The Sigma matcher includes a raw event data fallback that checks _raw.Details and _raw.EventData fields for domain-specific attributes (Properties, TicketEncryptionType, ServiceName) not promoted to the flat VigilEvent schema. This enables accurate matching for EID 4662 and 4769 events.

---

Baseline Diffing

Vigil supports live baseline diffing using the PersistenceSniper DiffCSV pattern:

1. Snapshot a clean machine — run a persistence scan and export as CSV or JSON
2. Upload the baseline to the Baseline diff tab
3. Ingest the suspect machine's event logs
4. Review — Vigil computes the diff automatically, suppressing known-good entries and surfacing only attacker-implanted persistence

Supported baseline formats:

• PersistenceSniper CSV — columns: Type, Name, Host, Path, Author
• Vigil baseline JSON — exported from a previous Vigil scan
• Generic CSV/JSON — any file with Type/Name/Host/Path fields

Matching uses composite keys (type+name+host, path+host, eid+process+host) for robust deduplication across scan variations. The "Export scan as baseline" button lets you save the current event set as a reusable baseline for future investigations.

---

Entropy Analysis

Shannon entropy classifies command-line obfuscation into four bands:

Band	H range	Interpretation
Normal	< 3.5	Standard administrative commands
Elevated	3.5 – 4.5	Complex paths, URLs — may be legitimate
Suspicious	4.5 – 5.5	Likely obfuscation
Obfuscated	> 5.5	Base64, XOR, encrypted payloads

Supplemented by character-type change frequency to detect polymorphic AI-generated scripts.

---

Tech Stack

• React 19 + Vite — zero-backend, client-side only
• No runtime dependencies beyond React — entropy, Sigma matching, PS decoding, ransomware chain correlation, lineage building, and query export all run in pure JavaScript
• Design tokens follow a Rams-inspired dark palette (DM Sans + IBM Plex Mono)
• GitHub Pages deployment via GitHub Actions

---

Project Structure

Vigil-WindowsEventLog-DFIR/
  vigil-run/             The application (React + Vite)
    src/components/      16 UI components (11 tabs + atoms + tokens)
    src/engine/          12 processing modules
    src/data/            7 reference data files (31 Sigma rules, 18 LOLBins, MITRE map)
    src/store/           EventContext (central state management)
    public/sample/       Bundled 43-event Hayabusa demo file
  .github/workflows/    GitHub Pages deployment
  research/             LotL research, planning docs, threat analysis
  Moveme-Vigil/         Archived earlier iterations (v1, v2, v3 prototypes)
  README.md             This file
  .gitignore

---

License

MIT