Windows event log forensics for the Living off the Land era.
Vigil is a client-side DFIR tool that detects threats in Windows event logs without a backend. It ingests Hayabusa, Chainsaw, or raw EVTX exports and runs live Shannon entropy analysis, Sigma rule matching, PowerShell obfuscation decoding, ScriptBlock reassembly, ransomware chain correlation, credential access detection, and process lineage reconstruction — entirely in the browser.
Named after a vigil — a period of watchful attention. Vigil keeps watch over your logs so attackers can't hide in plain sight.
```bash
git clone https://github.com/fevra-dev/Vigil.git
cd Vigil/vigil-run
npm install
npm run dev
```

Open http://localhost:5173 and click Load demo file on the Dashboard to see the full pipeline in action, or drop your own Hayabusa/Chainsaw output file.
```bash
# Hayabusa (recommended): -L writes one JSON object per line (JSONL)
hayabusa json-timeline -d /path/to/evtx/ -L -o results.jsonl

# Chainsaw: Sigma rules need the field mapping file that ships in the Chainsaw repo
chainsaw hunt /path/to/evtx/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json > results.json
```

| Detection Module | Technique | MITRE ATT&CK |
|---|---|---|
| Sigma Engine | 31 rules covering LotL, persistence, credential access, lateral movement, ransomware | Multiple |
| Ransomware Chain | Multi-stage pre-deployment correlation (vssadmin, bcdedit, wbadmin, netsh) per host | T1490 |
| Lateral Movement | SMB sweep (3+ Type 3 logons), RDP anomaly, PsExec pattern detection | T1021.001, T1021.002 |
| Credential Access | SAM registry dump, DCSync (EID 4662), Kerberoasting burst (EID 4769 RC4) | T1003.002, T1003.006, T1558.003 |
| PowerShell Analysis | 12 obfuscation categories + auto Base64 decode + ScriptBlock reassembly (EID 4104) | T1059.001, T1027 |
| Entropy Scoring | Shannon entropy + character-type change frequency for obfuscation detection | T1027.010 |
| Process Lineage | Parent-child tree reconstruction via Sysmon ProcessGuid or heuristic PID chaining | T1059 |
| Baseline Diffing | PersistenceSniper CSV/JSON diff — suppress known-good, surface attacker-implanted persistence | T1547 |
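The Entropy Scoring row combines two signals: Shannon entropy of the command line and how often the character class (upper, lower, digit, space, symbol) changes between neighbouring characters. The block below is an added example, not Vigil's own scorer, that implements both in plain JavaScript and runs them over constructed command lines; the two thresholds and the `suspicious` verdict are assumptions made for this example, not Vigil's tuning.

```javascript
// Added example, not Vigil's scorer: Shannon entropy and character-class
// change frequency, the two signals the Entropy Scoring row names, over
// constructed command lines. Thresholds and the verdict are assumptions.

// Bits of entropy per character over the string's own symbol distribution
// (ASCII input is assumed, so string length equals character count).
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function charClass(ch) {
  if (ch >= 'A' && ch <= 'Z') return 'upper';
  if (ch >= 'a' && ch <= 'z') return 'lower';
  if (ch >= '0' && ch <= '9') return 'digit';
  if (/\s/.test(ch)) return 'space';
  return 'symbol';
}

// Fraction of adjacent character pairs whose class differs. Quote splicing,
// backtick insertion, case flipping and -f format tricks all raise it.
function classChangeRate(s) {
  if (s.length < 2) return 0;
  let changes = 0;
  for (let i = 1; i < s.length; i++) {
    if (charClass(s[i]) !== charClass(s[i - 1])) changes++;
  }
  return changes / (s.length - 1);
}

// Assumed thresholds; both signals must fire because either one alone is
// noisy on ordinary PowerShell (see the samples below).
const ENTROPY_MIN = 4.2;
const CHANGE_RATE_MIN = 0.4;

function scoreCommandLine(cmd) {
  const entropy = shannonEntropy(cmd);
  const changeRate = classChangeRate(cmd);
  return { entropy, changeRate, suspicious: entropy >= ENTROPY_MIN && changeRate >= CHANGE_RATE_MIN };
}

// Constructed command lines (not taken from real logs).
const SAMPLES = {
  plain: 'net user administrator',
  camel: 'Get-ChildItem C:\\Users -Recurse',
  spliced: "&(\"{1}{0}\"-f'ess','Get-Proc')|%{$_.`N`a`M`e}",
  // base64 of UTF-16LE "whoami", the form -EncodedCommand takes
  encodedBlob: 'dwBoAG8AYQBtAGkA',
};

function scoreSamples() {
  const out = {};
  for (const [name, cmd] of Object.entries(SAMPLES)) out[name] = scoreCommandLine(cmd);
  return out;
}
```

Two caveats the samples make visible: CamelCase cmdlets push the change rate up on their own (the `Get-ChildItem` sample scores exactly 0.5 without any obfuscation), and the base64 of a UTF-16LE encoded command is not especially high-entropy because every second byte is 0x00 (the 16-character `whoami` blob scores 3.25 bits per character). Neither signal is a verdict by itself, which is why the table pairs entropy scoring with the separate Base64 decode and the obfuscation categories.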
| Tab | Purpose |
|---|---|
| Dashboard | File drop zone, event histogram, EID frequency, severity stats, threat summary, actor profiles |
| Log Analyser | Searchable event table with regex, pivot-on-click filtering, entropy scores, PowerShell decode panel |
| Correlation Engine | Multi-event attack chain reconstruction with kill chain phase mapping |
| Attack Graph | Two-lane SVG timeline showing lateral movement between hosts with tactic coloring |
| Process Lineage | Expandable tree view of process ancestry, grouped by host, with command-line inspection |
| Logon Summary | EID 4624/4625 logon timeline, logon type breakdown, per-account anomaly flagging |
| Ransomware Chain | 5-stage pre-deployment kill chain visualization with confidence scoring |
| Lateral Movement | SMB sweep, RDP anomaly, PsExec pattern correlation with sequence visualization |
| Baseline Diff | Live diff against known-good baselines — shows only the delta |
| Sigma Workshop | Browse, search, and inspect all 31 rules with live KQL/SPL/EQL/VQL export |
| ATT&CK Map | Technique coverage heatmap across 8 tactics, 35 techniques |
| LOLBin Radar | Detection status for 18 LOLBins from the LOLBAS + PersistenceSniper catalogs |
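The Ransomware Chain and Lateral Movement tabs both work by correlating several events rather than matching one. The block below is an added example, not Vigil's engine, that implements both detections in plain JavaScript over a constructed event list: a per-host stage correlation for the four tools named in the detection table, with a confidence score equal to the fraction of stages observed, and an SMB sweep detector that flags a source address with Type 3 logons to three or more distinct hosts inside a short window. The event shape, the stage regexes, both time windows and the confidence formula are assumptions of this example.

```javascript
// Added example, not Vigil's engine: per-host ransomware pre-deployment
// correlation and SMB logon sweep detection over constructed events.
// Event shape, stage patterns, windows and confidence formula are assumed.

// Constructed sample events (not real telemetry). EID 4688 carries the
// command line; EID 4624 carries the logon type and source address.
const EVENTS = [
  { ts: '2024-05-01T10:00:05Z', host: 'WS01', eid: 4688, fields: { CommandLine: 'vssadmin.exe delete shadows /all /quiet' } },
  { ts: '2024-05-01T10:00:09Z', host: 'WS01', eid: 4688, fields: { CommandLine: 'bcdedit.exe /set {default} recoveryenabled No' } },
  { ts: '2024-05-01T10:00:14Z', host: 'WS01', eid: 4688, fields: { CommandLine: 'wbadmin.exe delete catalog -quiet' } },
  { ts: '2024-05-01T09:10:00Z', host: 'FS01', eid: 4688, fields: { CommandLine: 'vssadmin.exe list shadows' } },
  { ts: '2024-05-01T09:58:00Z', host: 'WS01', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.5', TargetUserName: 'svc_backup' } },
  { ts: '2024-05-01T09:58:20Z', host: 'WS02', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.5', TargetUserName: 'svc_backup' } },
  { ts: '2024-05-01T09:58:41Z', host: 'FS01', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.5', TargetUserName: 'svc_backup' } },
  { ts: '2024-05-01T09:59:03Z', host: 'DC01', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.5', TargetUserName: 'svc_backup' } },
  { ts: '2024-05-01T09:30:00Z', host: 'WS02', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.9', TargetUserName: 'alice' } },
  { ts: '2024-05-01T09:31:00Z', host: 'FS01', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.9', TargetUserName: 'alice' } },
  { ts: '2024-05-01T09:32:00Z', host: 'FS01', eid: 4624, fields: { LogonType: '3', IpAddress: '10.0.0.9', TargetUserName: 'alice' } },
  { ts: '2024-05-01T09:40:00Z', host: 'WS01', eid: 4624, fields: { LogonType: '10', IpAddress: '10.0.0.9', TargetUserName: 'alice' } },
];

// Assumed stage patterns for the four tools the page names.
const STAGES = [
  { name: 'shadow_copies_deleted', re: /\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b/i },
  { name: 'recovery_disabled', re: /\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b/i },
  { name: 'backup_catalog_deleted', re: /\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b/i },
  { name: 'firewall_disabled', re: /\bnetsh(\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b/i },
];
const CHAIN_WINDOW_MS = 60 * 60 * 1000; // assumed: stages must land within one hour

function detectRansomwareChains(events) {
  const byHost = new Map();
  for (const ev of events) {
    if (ev.eid !== 4688) continue;
    const cmd = ev.fields.CommandLine || '';
    const stage = STAGES.find((s) => s.re.test(cmd));
    if (!stage) continue;
    if (!byHost.has(ev.host)) byHost.set(ev.host, []);
    byHost.get(ev.host).push({ ts: Date.parse(ev.ts), stage: stage.name, cmd });
  }
  const chains = [];
  for (const [host, hits] of byHost) {
    hits.sort((a, b) => a.ts - b.ts);
    // Only hits inside the window that opens at the first stage count.
    const inWindow = hits.filter((h) => h.ts - hits[0].ts <= CHAIN_WINDOW_MS);
    const stages = [...new Set(inWindow.map((h) => h.stage))];
    if (stages.length < 2) continue; // one tool on its own is too noisy to page on
    chains.push({
      host, stages, confidence: stages.length / STAGES.length,
      first: inWindow[0].ts, last: inWindow[inWindow.length - 1].ts,
    });
  }
  return chains;
}

const SWEEP_WINDOW_MS = 5 * 60 * 1000; // assumed: 3+ hosts within five minutes
const SWEEP_MIN_HOSTS = 3;

// Network (Type 3) logons from one source to 3+ distinct hosts in a short
// window: the footprint PsExec-style tooling leaves during an SMB sweep.
function detectSmbSweeps(events) {
  const bySource = new Map();
  for (const ev of events) {
    if (ev.eid !== 4624 || ev.fields.LogonType !== '3') continue;
    const src = ev.fields.IpAddress;
    if (!bySource.has(src)) bySource.set(src, []);
    bySource.get(src).push({ ts: Date.parse(ev.ts), host: ev.host, user: ev.fields.TargetUserName });
  }
  const sweeps = [];
  for (const [source, logons] of bySource) {
    logons.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < logons.length; i++) {
      const hosts = new Set();
      for (let j = i; j < logons.length && logons[j].ts - logons[i].ts <= SWEEP_WINDOW_MS; j++) hosts.add(logons[j].host);
      if (hosts.size >= SWEEP_MIN_HOSTS) {
        sweeps.push({ source, user: logons[i].user, hosts: [...hosts], start: logons[i].ts });
        break; // one finding per source is enough for triage
      }
    }
  }
  return sweeps;
}
```

On the constructed data WS01 reaches three of four stages (confidence 0.75) while FS01's `vssadmin list shadows` matches nothing, and 10.0.0.5 is flagged for touching four hosts in about a minute while 10.0.0.9 is not, because two of its three Type 3 logons hit the same host and the Type 10 logon is RDP rather than SMB.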
```text
File Drop
    │
    ▼
┌────────────────────────────────┐
│ Format Detection               │
│ Hayabusa JSONL · Chainsaw      │
│ Raw EVTX · Vigil JSON          │
└──────────────┬─────────────────┘
               │
               ▼
┌────────────────────────────────┐
│ Normalization + Reassembly     │
│ Unified VigilEvent schema      │
│ EID 4104 ScriptBlock stitch    │
└──────────────┬─────────────────┘
               │
               ▼
┌────────────────────────────────┐
│ Enrichment Pipeline            │
│                                │
│ 12 processing modules          │
│ Entropy · Sigma · PS decode    │
│ Ransomware · LM · Kerberos     │
│ Lineage · Baseline diff        │
└──────────────┬─────────────────┘
               │
               ▼
┌────────────────────────────────┐
│ Output                         │
│ 12 interactive analysis tabs   │
│ KQL/SPL/EQL/VQL rule export    │
│ JSON/CSV event export          │
└────────────────────────────────┘
```
31 Sigma rules written in the open Sigma rule format, each mapped to MITRE ATT&CK v15 techniques.
| ID | Technique | MITRE | Severity |
|---|---|---|---|
| SIGMA-001 | Impacket WMIExec lateral movement | T1047, T1021.002 | Critical |
| SIGMA-002 | WMI persistence trinity (Filter + Consumer + Binding) | T1546.003 | Critical |
| SIGMA-003 | GhostTask — scheduled task via direct registry write | T1053.005, T1112 | Critical |
| SIGMA-004 | LSASS dump via comsvcs.dll MiniDump | T1003.001, T1218.011 | Critical |
| SIGMA-005 | DSRM backdoor on domain controller | T1098, T1112 | Critical |
| SIGMA-006 | LOLBin chain — certutil download + encoded PowerShell | T1105, T1059.001 | High |
| SIGMA-007 | Suborner — hidden admin via RID hijacking | T1136.001, T1098 | Critical |
| SIGMA-008 | PowerShell profile persistence | T1546.013 | High |
| SIGMA-009 | TelemetryController persistence via AppCompatFlags | T1053.005, T1112 | High |
| SIGMA-010 | mshta.exe remote HTA execution | T1218.005 | Critical |
| SIGMA-011 | regsvr32.exe Squiblydoo (remote COM scriptlet) | T1218.010 | High |
| SIGMA-012 | bitsadmin.exe file download via BITS job | T1105, T1197 | High |
| SIGMA-013 | wmic.exe remote process creation | T1047 | Critical |
| SIGMA-014 | cmstp.exe UAC bypass via INF | T1218.003 | High |
| SIGMA-015 | Security event log cleared (anti-forensics) | T1070.001 | Critical |
| SIGMA-016 | vssadmin shadow copy deletion (ransomware) | T1490 | Critical |
| SIGMA-017 | bcdedit recovery disabled (ransomware) | T1490 | Critical |
| SIGMA-018 | wbadmin backup catalog deleted (ransomware) | T1490 | Critical |
| SIGMA-019 | netsh firewall disabled (defense evasion) | T1562.004 | High |
| SIGMA-020 | Registry Run key persistence (Sysmon EID 13) | T1547.001 | High |
| SIGMA-021 | Suspicious service install — non-standard path (EID 7045) | T1543.003 | High |
| SIGMA-022 | COM object hijacking via CLSID registry write | T1546.015 | High |
| SIGMA-023 | Scheduled task created — EID 4698 | T1053.005 | Medium |
| SIGMA-024 | DLL loaded from suspicious path (Sysmon EID 7) | T1574.001 | High |
| SIGMA-025 | PowerShell ScriptBlock — offensive tool detected | T1059.001 | Critical |
| SIGMA-026 | AMSI bypass attempt via PowerShell | T1562.001 | Critical |
| SIGMA-027 | PowerShell execution from suspicious directory | T1059.001 | High |
| SIGMA-028 | LOLBin DLL injection via MavInject or odbcconf | T1218 | Critical |
| SIGMA-029 | SAM registry hive dump via reg.exe | T1003.002 | Critical |
| SIGMA-030 | DCSync — directory replication via EID 4662 | T1003.006 | Critical |
| SIGMA-031 | Kerberos RC4 service ticket request (Kerberoasting) | T1558.003 | High |
```text
Vigil/
├── vigil-run/                The application (React 19 + Vite)
│   ├── src/
│   │   ├── components/       18 UI components (12 tabs + atoms + tokens)
│   │   ├── engine/           12 processing modules
│   │   ├── data/             7 reference data files (31 Sigma rules, 18 LOLBins, MITRE map)
│   │   └── store/            EventContext (central state management)
│   └── public/sample/        Bundled 43-event Hayabusa demo file
├── .github/workflows/        GitHub Pages deployment
├── LICENSE                   MIT
└── README.md
```
- Zero backend — React 19 + Vite, runs entirely client-side. No data leaves the browser.
- No runtime dependencies beyond React — entropy, Sigma matching, PS decoding, chain correlation, lineage building, and query export all run in pure JavaScript.
- Multi-format ingestion — auto-detects Hayabusa JSONL, Chainsaw JSON, raw EVTX JSON, and Vigil native re-import.
- Rule export — every Sigma rule can be exported to KQL (Sentinel/Defender), SPL (Splunk), EQL (Elastic), or VQL (Velociraptor) with platform-specific field mapping.
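Rule export is the translation of a Sigma selection into a target query language with each field renamed for that platform. The block below is an added example, not Vigil's exporter: it renders a rule shaped like SIGMA-016 (vssadmin shadow copy deletion) as KQL against Defender's `DeviceProcessEvents` table and as SPL against a Sysmon process-creation search. The table name, the SPL index, the field mappings and the hypothetical `backupagent.exe` filter are assumptions of this example, and the condition grammar it handles is limited to named selections joined by `and`, optionally negated.

```javascript
// Added example, not Vigil's exporter: render a parsed Sigma rule as KQL and
// SPL with per-platform field mapping. Table, index and field names are
// this example's assumptions.

const DIALECTS = {
  kql: {
    source: 'DeviceProcessEvents',
    and: ' and ', or: ' or ', not: 'not ',
    fields: { Image: 'FolderPath', CommandLine: 'ProcessCommandLine', ParentImage: 'InitiatingProcessFolderPath' },
  },
  spl: {
    source: 'index=windows EventCode=1',
    and: ' AND ', or: ' OR ', not: 'NOT ',
    fields: { Image: 'Image', CommandLine: 'CommandLine', ParentImage: 'ParentImage' },
  },
};

// A rule shaped like SIGMA-016, already parsed from YAML. The filter is a
// hypothetical backup-agent allowlist added to exercise negation.
const VSSADMIN_SHADOW_DELETE = {
  title: 'vssadmin shadow copy deletion',
  tags: ['attack.impact', 'attack.t1490'],
  logsource: { product: 'windows', category: 'process_creation' },
  detection: {
    selection: { 'Image|endswith': '\\vssadmin.exe', 'CommandLine|contains|all': ['delete', 'shadows'] },
    filter: { 'ParentImage|endswith': '\\backupagent.exe' },
    condition: 'selection and not filter',
  },
};

// "Field|modifier|all" -> field, match operator, whether list values are ANDed.
function parseKey(key) {
  const [field, ...mods] = key.split('|');
  return { field, all: mods.includes('all'), op: mods.find((m) => m !== 'all') || 'equals' };
}

// KQL verbatim strings (@"...") keep backslashes literal; quotes are doubled.
function kqlLiteral(v) { return '@"' + String(v).replace(/"/g, '""') + '"'; }
// SPL quoted strings escape backslashes and quotes; * is the wildcard.
function splLiteral(v) { return '"' + String(v).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"'; }

function renderPair(dialect, field, op, value) {
  if (dialect === 'kql') {
    // These KQL operators are case-insensitive, matching Sigma's default.
    const ops = { equals: '=~', contains: 'contains', startswith: 'startswith', endswith: 'endswith' };
    return `${field} ${ops[op]} ${kqlLiteral(value)}`;
  }
  const pattern = { equals: value, contains: `*${value}*`, startswith: `${value}*`, endswith: `*${value}` }[op];
  return `${field}=${splLiteral(pattern)}`;
}

// One named Sigma selection: every key must match; a list value is OR unless |all.
function renderSelection(dialect, selection) {
  const d = DIALECTS[dialect];
  return Object.entries(selection).map(([key, raw]) => {
    const { field, op, all } = parseKey(key);
    const values = Array.isArray(raw) ? raw : [raw];
    const parts = values.map((v) => renderPair(dialect, d.fields[field] || field, op, v));
    return parts.length === 1 ? parts[0] : '(' + parts.join(all ? d.and : d.or) + ')';
  }).join(d.and);
}

function exportRule(rule, dialect) {
  const d = DIALECTS[dialect];
  const terms = rule.detection.condition.split(/\s+and\s+/).map((term) => {
    const negated = term.startsWith('not ');
    const name = negated ? term.slice(4).trim() : term.trim();
    if (!rule.detection[name]) throw new Error(`unknown selection: ${name}`);
    return (negated ? d.not : '') + '(' + renderSelection(dialect, rule.detection[name]) + ')';
  });
  const body = terms.join(d.and);
  return dialect === 'kql' ? `${d.source} | where ${body}` : `${d.source} ${body}`;
}
```

The two outputs differ in more than field names: KQL gets `endswith`/`contains` operators and verbatim strings, while SPL gets wildcard patterns inside escaped quotes and uppercase boolean keywords, which is the platform-specific part an exporter has to own rather than a mechanical rename.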
Fevra — Security Developer
MIT License — see LICENSE for details.
MITRE ATT&CK is a registered trademark of The MITRE Corporation.