
Zircolite

    ███████╗██╗██████╗  ██████╗ ██████╗ ██╗     ██╗████████╗███████╗
    ╚══███╔╝██║██╔══██╗██╔════╝██╔═══██╗██║     ██║╚══██╔══╝██╔════╝
      ███╔╝ ██║██████╔╝██║     ██║   ██║██║     ██║   ██║   █████╗
     ███╔╝  ██║██╔══██╗██║     ██║   ██║██║     ██║   ██║   ██╔══╝
    ███████╗██║██║  ██║╚██████╗╚██████╔╝███████╗██║   ██║   ███████╗
    ╚══════╝╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝   ╚═╝   ╚══════╝
    -= Standalone SIGMA Detection tool for EVTX/Auditd/Sysmon Linux =-

What it does

Zircolite is an event log analyzer that can process several types of log files (EVTX, Auditd and Sysmon for Linux) to produce a list of potentially malicious events detected in those logs.

These events give a general indication of possible malicious activity on the analysis machine, as recorded in its event logs.

Zircolite uses the Sigma rule format for its rulesets, which it loads as JSON.

How it works with CAPE

  1. Submit the sample, with or without a custom Sigma ruleset (json)
  2. Receive the event logs from the sandbox analysis
  3. Zircolite is run on the event logs to obtain the detected events (processing\ziroclite_use.py)
  4. The number of times each TTP is detected in the event logs is then counted (processing\ziroclite_use.py)
  5. The detected events are then further processed with the MITRE ATT&CK framework: each TTP's ID is mapped to its corresponding name, and the result is saved to a JSON file (processing\ziroclite_use.py)
  6. When the reporting modules run, a heatmap is rendered from that JSON file and can be viewed in the report (reporting\ziroclite_usage.py)
  7. The module's data can be found in the analyses/{task_id} folder, under the heatmap folder: detected.json (JSON data of the Zircolite output), heatmap.html (the rendered heatmap), heatmap.json (the data file used to create the HTML) and output.log (the output of Zircolite). If custom rules were used, there is also a zircolite folder containing the custom ruleset that was used.
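Steps 3 to 5 above, as an added example that is not CAPE's own zircolite_use.py: count how many events each ATT&CK technique accounts for in Zircolite's JSON output and attach technique names for the heatmap. It assumes (not confirmed by this page) that the output is a list of rule hits carrying "title", Sigma-style "tags" such as attack.t1059.001, and a "count"; the ID-to-name map is a constructed stand-in for the pyattck lookup the module performs.

```python
# Added example, not CAPE's own zircolite_use.py: count ATT&CK techniques in
# Zircolite's JSON output and map IDs to names for a heatmap.
# Assumed (not confirmed by the page): the output is a list of rule hits with
# "title", "tags" (Sigma style, e.g. "attack.t1059.001") and "count".
import json
import re
from collections import Counter

# Constructed sample standing in for detected.json.
SAMPLE_DETECTED_JSON = json.dumps([
    {"title": "Suspicious PowerShell Download", "count": 3,
     "tags": ["attack.execution", "attack.t1059.001", "attack.t1105"]},
    {"title": "Rundll32 Execution", "count": 1,
     "tags": ["attack.defense_evasion", "attack.t1218.011"]},
    {"title": "Encoded PowerShell Command Line", "count": 2,
     "tags": ["attack.execution", "attack.t1059.001"]},
])

# Constructed stand-in for the pyattck ID -> name lookup the module performs.
TECHNIQUE_NAMES = {"T1059.001": "PowerShell", "T1105": "Ingress Tool Transfer",
                   "T1218.011": "Rundll32"}

# Technique tags only (T1234 or T1234.001); tactic tags such as attack.execution are skipped.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(tags):
    """ATT&CK technique IDs found in a rule's tags, normalised to upper case."""
    return [m.group(1).upper() for m in map(TECHNIQUE_TAG.match, tags) if m]


def count_ttps(detected_json_text):
    """Events per technique: a rule's count is credited to each technique it is tagged with."""
    counts = Counter()
    for hit in json.loads(detected_json_text):
        for tid in technique_ids(hit.get("tags", [])):
            counts[tid] += int(hit.get("count", 0))
    return dict(counts)


def heatmap_rows(detected_json_text, names=TECHNIQUE_NAMES):
    """(id, name, count) rows, highest count first; unknown IDs keep a placeholder name."""
    rows = [(tid, names.get(tid, "<unknown technique>"), n)
            for tid, n in count_ttps(detected_json_text).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for tid, name, n in heatmap_rows(SAMPLE_DETECTED_JSON):
        print(f"{tid:<10} {name:<22} {n}")
```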

Results

  • The results are displayed as a heatmap generated from the JSON file that was produced
  • The JSON file can also be downloaded from the reports bar in the Overview tab as HeatmapData

Installation/Deployment

  • If the installation fails, you can run the entire bash script /opt/CAPEv2/installer/ziroclite_setup.sh, or run the commands in ziroclite_setup.sh individually
  • Once it is installed, restart CAPE
note

Zircolite should have been installed by default by the ansible scripts.

Troubleshooting

Error: Access denied when trying to access files
Potential issue: The user cape does not have permissions on the file
Fix:
  • Change the permissions of the file so that the user cape can run the program

Error: The processing module fails to run with the error “the evtx folder either doesnt exist or is empty”
Potential issue: The analysis did not return any evtx files, so zircolite_use.py fails to run
Fix:
  • Check that the evtx auxiliary module has been turned on (evtx.py is the program that handles returning the evtx files during analysis)
  • By default, evtx.py returns the Sysmon logs, so also check that the sysmon auxiliary module has been turned on to install Sysmon on the VMs

Error: The processing module fails to run due to a permission denied error at zircolite.log
Potential issue: The user cape does not have permissions on the log file
Fix:
  • Run: sudo chown cape:cape "/opt/Zircolite/zircolite.log"

Error: The processing module fails to run due to a permission denied error at custom_rules.json
Potential issue: The user cape does not have permissions on the json file
Fix:
  • Run: sudo chown cape:cape "/opt/Zircolite/rules/custom_rules.json"

Error: The processing module fails to run due to missing modules/missing dependencies
Fix:
  • Zircolite runs using dependencies that should already be present in the pyproject.toml file for CAPEv2
  • Run: poetry install --only Zircolite

Error: sudo /opt/CAPEv2/installer/ziroclite_setup.sh fails with the error ‘command not found’
Potential issue: The file likely does not have the correct execution permissions
Fix:
  • Quick fix:
    • Run: sudo chmod 777 /opt/CAPEv2/installer/ziroclite_setup.sh
  • If the previous command raises any security issues:
    • Run: sudo chmod 764 /opt/CAPEv2/installer/ziroclite_setup.sh
    • This sets the file permissions to -rwxrw-r--, so that only root or the owner can run it

Error: Missing packages after fully installing Zircolite
Fix:
  • Run poetry update in the Zircolite directory and check whether anything is updated

Error: Zircolite does not seem to be running, without any error messages
Potential issue: pyattck is possibly outdated compared to the version required (>=7.0.0)
Fix:
  • Add log.info(pyattck_version) within the run function in Zircolite_use.py
  • If the version is outdated (<7.0.0), run poetry update/install to update pyattck
  • If there is no change in the version, make sure that the pyattck version under the user cape is updated
info

If there is ever a need to reset Zircolite

  • Delete the /opt/CAPEv2/modules/processing/parsers/Zircolite directory
  • Repeat the installation process using ansible
Tips
  • Custom rulesets must use the same syntax as the rulesets in the Zircolite git repository. If they do not, the ruleset is not rejected at the start; the error only appears during the runtime of the module. In most cases the error message is only shown on the command line (it should be saved) as: [-] Load JSON ruleset failed, are you sure it is a valid JSON file ?
  • If you need to debug an error that may lie inside the subprocess call to Zircolite, remove capture_output=True and text=True from the code and enable journalctl for cape-processor. This lets you see the error output of the subprocess call directly (the options above hide the output and save it to a variable).
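The first tip above, as an added example that is not part of CAPE or Zircolite: a pre-flight check of a custom ruleset before it is submitted, so that a malformed file is reported here instead of surfacing at module runtime as "[-] Load JSON ruleset failed". The rule layout it checks (a JSON list of objects with "title", "level", "tags" and a non-empty "rule" list of query strings) is an assumption, not confirmed by this page; adjust REQUIRED_KEYS to match the rulesets in the Zircolite git repository.

```python
# Added example, not part of CAPE or Zircolite: validate a custom ruleset
# before submission. Assumed rule layout (not confirmed by the page): a JSON
# list of objects with "title", "level", "tags" and a non-empty "rule" list
# of query strings, as in the Zircolite git repository's rulesets.
import json

REQUIRED_KEYS = ("title", "level", "tags", "rule")
LEVELS = {"informational", "low", "medium", "high", "critical"}


def validate_ruleset(text):
    """Return a list of problems; an empty list means the ruleset looks usable."""
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        # This is the case Zircolite reports only at runtime as a failed JSON load.
        return [f"not valid JSON: {exc}"]
    if not isinstance(rules, list):
        return ["top level must be a JSON list of rules"]
    problems = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not a JSON object")
            continue
        where = f"rule {i} ({rule.get('title', '?')})"
        for key in REQUIRED_KEYS:
            if key not in rule:
                problems.append(f"{where}: missing '{key}'")
        # Type checks only for keys that are present; missing keys were reported above.
        if "level" in rule and rule["level"] not in LEVELS:
            problems.append(f"{where}: level must be one of {sorted(LEVELS)}")
        if "tags" in rule and not isinstance(rule["tags"], list):
            problems.append(f"{where}: 'tags' must be a list")
        queries = rule.get("rule")
        if "rule" in rule and not (isinstance(queries, list) and queries
                                   and all(isinstance(q, str) for q in queries)):
            problems.append(f"{where}: 'rule' must be a non-empty list of query strings")
    return problems


# Constructed samples: the second has a trailing comma, which is not valid JSON.
GOOD_RULESET = ('[{"title": "Test rule", "level": "high", "tags": ["attack.t1059.001"], '
                '"rule": ["SELECT * FROM logs WHERE Image LIKE \'%powershell.exe\'"]}]')
BAD_RULESET = '[{"title": "Broken", "level": "high", "tags": [], "rule": [],}]'

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, validate_ruleset(text) or "OK")
```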