countercept / chainsaw Goto Github PK

View Code? Open in Web Editor NEW

2.5K 49.0 225.0 15.94 MB

Rapidly Search and Hunt through Windows Forensic Artefacts

License: GNU General Public License v3.0

Rust 99.65% Nix 0.35%

attack rust security threat-hunting blueteam chainsaw detection dfir forensics logs sigma windows countercept

chainsaw's Introduction

Rapidly Search and Hunt through Windows Forensic Artefacts

Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

Features

🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
🔍 Search and extract forensic artefacts by string matching, and regex patterns
📅 Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data
💡 Analyse the SRUM database and provide insights about it
⬇️ Dump the raw content of forensic artefacts (MFT, registry hives, ESE databases)
⚡ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
🪶 Clean and lightweight execution and output formats without unnecessary bloat
🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
📑 Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format
💻 Can be run on MacOS, Linux and Windows

Features
Why Chainsaw?
Hunting Logic for Windows Event Logs
Quick Start Guide
Examples
Acknowledgements

Extended information can be found in the Wiki for this tool: https://github.com/WithSecureLabs/chainsaw/wiki

Why Chainsaw?

At WithSecure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyse forensic artefacts that hasn’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of forensic artefacts in these circumstances.

Windows Event Logs

Windows event logs provide a rich source of forensic information for threat hunting and incident response investigations. Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations. Chainsaw solves the issue since it allows the rapid search and hunt through Windows event logs.

At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required.

Hunting Logic for Windows Event Logs

Sigma Rule Matching

Using the --sigma and --mapping parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw which fields in the event logs to use for rule matching. By default, Chainsaw supports a wide range of Event Log types, including but not limited to:

Event Type	Event ID
Process Creation (Sysmon)	1
Network Connections (Sysmon)	3
Image Loads (Sysmon)	7
File Creation (Sysmon)	11
Registry Events (Sysmon)	13
Powershell Script Blocks	4104
Process Creation	4688
Scheduled Task Creation	4698
Service Creation	7045

See the mapping file for the full list of fields that are used for rule detection, and feel free to extend it to your needs.

Chainsaw Detection Rules

In addition to supporting sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a rules directory that contains various Chainsaw rules that allows users to:

Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
Detect key event logs being cleared, or the event log service being stopped
Users being created or added to sensitive user groups
Remote Logins (Service, RDP, Network etc.) events. This helps hunters to identify sources of lateral movement
Brute-force of local user accounts

Quick Start Guide

Downloading and Running

With the release of Chainsaw v2, we decided to no longer include the Sigma Rules and EVTX-Attack-Samples repositories as Chainsaw submodules. We recommend that you clone these repositories separately to ensure you have the latest versions.

If you still need an all-in-one package containing the Chainsaw binary, Sigma rules and example Event logs, you can download it from the releases section of this GitHub repo. In this releases section you will also find pre-compiled binary-only versions of Chainsaw for various platforms and architectures.

If you want to compile Chainsaw yourself, you can clone the Chainsaw repo:

git clone https://github.com/WithSecureLabs/chainsaw.git

and compile the code yourself by running: cargo build --release. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

Make sure to build with the --release flag as this will ensure significantly faster execution time.

If you want to quickly see what Chainsaw looks like when it runs, you can clone the Sigma Rules and EVTX-Attack-Samples repositories:

git clone https://github.com/SigmaHQ/sigma
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git

and then run Chainsaw with the parameters below:

./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

EDR and AV Warnings

When downloading and running chainsaw you may find that your local EDR / AntiVirus engine detects Chainsaw as malicious. You can see examples of this in the following GitHub issues: Example1, Example2.

These warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. "mimikatz"). We have also seen instances where the Chainsaw binary has been detected by a small subset of Anti-Virus engines likely due to some form of heuristics detection.

What changed in Chainsaw v2?

In July 2022 we released version 2 of Chainsaw which is a major overhaul of how Chainsaw operates. Chainsaw v2 contains several significant improvements, including the following list of highlights:

An improved approach to mapping Sigma rules which results in a significant increase in the number of supported Chainsaw rules, and Event Log event types.
Improved CLI output which shows a snapshot of all Event Data for event logs containing detections.
Support for loading and parsing Event Logs in both JSON and XML format.
Cleaner and simpler command line arguments for the Hunt and Search features.
Additional optional output information, such as Rule Author, Rule Status, Rule Level etc.
The ability to filter loaded rules by status, kind, and severity level.
Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files
A clean and rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions.

If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the releases section, or you can access the source code in the v1.x.x branch. Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.

A massive thank you to @AlexKornitzer who managed to convert Chainsaw v1's "Christmas Project" codebase into a polished product in v2.

Examples

Searching

  USAGE:
      chainsaw search [FLAGS] [OPTIONS] <pattern> [--] [path]...

  FLAGS:
      -h, --help            Prints help information
      -i, --ignore-case     Ignore the case when searching patterns
          --json            Print the output in json format
          --load-unknown    Allow chainsaw to try and load files it cannot identify
          --local           Output the timestamp using the local machine's timestamp
      -q                    Suppress informational output
          --skip-errors     Continue to search when an error is encountered
      -V, --version         Prints version information

  OPTIONS:
          --extension <extension>...    Only search through files with the provided extension
          --from <from>                 The timestamp to search from. Drops any documents older than the value provided
      -o, --output <output>             The path to output results to
      -e, --regex <pattern>...          A string or regular expression pattern to search for
      -t, --tau <tau>...                Tau expressions to search with. e.g. 'Event.System.EventID: =4104'
          --timestamp <timestamp>       The field that contains the timestamp
          --timezone <timezone>         Output the timestamp using the timezone provided
          --to <to>                     The timestamp to search up to. Drops any documents newer than the value provided

  ARGS:
      <pattern>    A string or regular expression pattern to search for. Not used when -e or -t is specified
      <path>...    The paths containing event logs to load and hunt through

Command Examples

Search all .evtx files for the case-insensitive string "mimikatz"

./chainsaw search mimikatz -i evtx_attack_samples/

*Search all .evtx files for powershell script block events (Event ID 4014)

./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

Search a specific evtx log for logon events, with a matching regex pattern, output in JSON format

./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json

Hunting

  USAGE:
      chainsaw hunt [FLAGS] [OPTIONS] [--] [path]...

  FLAGS:
          --csv             Print the output in csv format
          --full            Print the full values for the tabular output
      -h, --help            Prints help information
          --json            Print the output in json format
          --load-unknown    Allow chainsaw to try and load files it cannot identify
          --local           Output the timestamp using the local machine's timestamp
          --log             Print the output in log like format
          --metadata        Display additional metadata in the tablar output
      -q                    Suppress informational output
          --skip-errors     Continue to hunt when an error is encountered
      -V, --version         Prints version information

  OPTIONS:
          --column-width <column-width>    Set the column width for the tabular output
          --extension <extension>...       Only hunt through files with the provided extension
          --from <from>                    The timestamp to hunt from. Drops any documents older than the value provided
          --kind <kind>...                 Restrict loaded rules to specified kinds
          --level <level>...               Restrict loaded rules to specified levels
      -m, --mapping <mapping>...           A mapping file to tell Chainsaw how to use third-party rules
      -o, --output <output>                A path to output results to
      -r, --rule <rule>...                 A path containing additional rules to hunt with
      -s, --sigma <sigma>...               A path containing Sigma rules to hunt with
          --status <status>...             Restrict loaded rules to specified statuses
          --timezone <timezone>            Output the timestamp using the timezone provided
          --to <to>                        The timestamp to hunt up to. Drops any documents newer than the value provided

  ARGS:
      <rules>      The path to a collection of rules to use for hunting
      <path>...    The paths containing event logs to load and hunt through

Command Examples

Hunt through all evtx files using Sigma rules for detection logic

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results

Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format

 ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json

Output

$ ./chainsaw hunt -r rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical

     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

    [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules
    [+] Loaded 129 detection rules (198 not loaded)
    [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx)
    [+] Loaded 268 EVTX files (37.5 MB)
    [+] Hunting: [========================================] 268/268

    [+] Group: Antivirus
    ┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐
    │      timestamp      │     detections     │ Event ID │ Record ID │  Computer   │          Threat Name           │           Threat Path            │        User        │
    ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤
    │ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116     │ 37        │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. │ file:_C:\AtomicRedTeam\atomic-   │ MSEDGEWIN10\IEUser │
    │                     │                    │          │           │             │ M                              │ red-team-master\atomics\T1056\   │                    │
    │                     │                    │          │           │             │                                │ Get-Keystrokes.ps1               │                    │
    ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤
    │ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117     │ 106       │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A     │ file:_C:\AtomicRedTeam\atomic-   │ MSEDGEWIN10\IEUser │
    │                     │                    │          │           │             │                                │ red-team-master\atomics\T1086\   │                    │
    │                     │                    │          │           │             │                                │ payloads\test.xsl                │                    │
    └─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘

    [+] Group: Log Tampering
    ┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐
    │      timestamp      │          detections           │ Event ID │ Record ID │            Computer            │     User      │
    ├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤
    │ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102     │ 32853     │ WIN-77LTAPHIQ1R.example.corp   │ Administrator │
    └─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘

    [+] Group: Sigma
    ┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐
    │      timestamp      │           detections           │ count │     Event.System.Provider      │ Event ID │ Record ID │         Computer         │            Event Data            │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe         │ 1     │ Microsoft-Windows-Sysmon       │ 18       │ 8046      │ IEWIN7                   │ ---                              │
    │                     │                                │       │                                │          │           │                          │ Image: System                    │
    │                     │                                │       │                                │          │           │                          │ PipeName: "\\46a676ab7f179e511   │
    │                     │                                │       │                                │          │           │                          │ e30dd2dc41bd388"                 │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-D9C4-5CC   │
    │                     │                                │       │                                │          │           │                          │ 7-0000-0010EA030000              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 4                     │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-04-29 20:59:14.   │
    │                     │                                │       │                                │          │           │                          │ 430"                             │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service         │ 1     │ Microsoft-Windows-Sysmon       │ 13       │ 9806      │ IEWIN7                   │ ---                              │
    │                     │ Installations in Registry      │       │                                │          │           │                          │ Details: "%%COMSPEC%% /b /c st   │
    │                     │                                │       │                                │          │           │                          │ art /b /min powershell.exe -no   │
    │                     │                                │       │                                │          │           │                          │ p -w hidden -noni -c \"if([Int   │
    │                     │                                │       │                                │          │           │                          │ Ptr]::Size -eq 4){$b='powershe   │
    │                     │                                │       │                                │          │           │                          │ ll.exe'}else{$b=$env:windir+'\   │
    │                     │                                │       │                                │          │           │                          │ \syswow64\\WindowsPowerShell\\   │
    │                     │                                │       │                                │          │           │                          │ v1.0\\powershell.exe'};$s=New-   │
    │                     │                                │       │                                │          │           │                          │ Object System.Diagnostics.Proc   │
    │                     │                                │       │                                │          │           │                          │ essStartInfo;$s.FileName=$b;$s   │
    │                     │                                │       │                                │          │           │                          │ .Arguments='-noni -nop -w hidd   │
    │                     │                                │       │                                │          │           │                          │ en -c &([scriptblock]::create(   │
    │                     │                                │       │                                │          │           │                          │ (New-Object IO.StreamReader(Ne   │
    │                     │                                │       │                                │          │           │                          │ w-Object IO.Compression.GzipSt   │
    │                     │                                │       │                                │          │           │                          │ ream((New-Object IO.MemoryStre   │
    │                     │                                │       │                                │          │           │                          │ am(,[Convert]::FromBase64Strin   │
    │                     │                                │       │                                │          │           │                          │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ   │
    │                     │                                │       │                                │          │           │                          │ H6P1...                          │
    │                     │                                │       │                                │          │           │                          │ (use --full to show all content) │
    │                     │                                │       │                                │          │           │                          │ EventType: SetValue              │
    │                     │                                │       │                                │          │           │                          │ Image: "C:\\Windows\\system32\   │
    │                     │                                │       │                                │          │           │                          │ \services.exe"                   │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-2586-5CC   │
    │                     │                                │       │                                │          │           │                          │ 9-0000-0010DC530000              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 460                   │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ TargetObject: "HKLM\\System\\C   │
    │                     │                                │       │                                │          │           │                          │ urrentControlSet\\services\\he   │
    │                     │                                │       │                                │          │           │                          │ llo\\ImagePath"                  │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-04-30 20:26:51.   │
    │                     │                                │       │                                │          │           │                          │ 934"                             │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt        │ 1     │ Service Control Manager        │ 7045     │ 10446     │ IEWIN7                   │ ---                              │
    │                     │ Strike Getsystem Service       │       │                                │          │           │                          │ AccountName: LocalSystem         │
    │                     │ Installation                   │       │                                │          │           │                          │ ImagePath: "%COMSPEC% /c ping    │
    │                     │                                │       │                                │          │           │                          │ -n 1 127.0.0.1 >nul && echo 'W   │
    │                     │                                │       │                                │          │           │                          │ inPwnage' > \\\\.\\pipe\\WinPw   │
    │                     │                                │       │                                │          │           │                          │ nagePipe"                        │
    │                     │                                │       │                                │          │           │                          │ ServiceName: WinPwnage           │
    │                     │                                │       │                                │          │           │                          │ ServiceType: user mode service   │
    │                     │                                │       │                                │          │           │                          │ StartType: demand start          │
    ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤
    │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper       │ 1     │ Microsoft-Windows-Sysmon       │ 11       │ 238375    │ alice.insecurebank.local │ ---                              │
    │                     │                                │       │                                │          │           │                          │ CreationUtcTime: "2019-06-21 0   │
    │                     │                                │       │                                │          │           │                          │ 6:53:03.227"                     │
    │                     │                                │       │                                │          │           │                          │ Image: "C:\\Users\\administrat   │
    │                     │                                │       │                                │          │           │                          │ or\\Desktop\\x64\\Outflank-Dum   │
    │                     │                                │       │                                │          │           │                          │ pert.exe"                        │
    │                     │                                │       │                                │          │           │                          │ ProcessGuid: ECAD0485-88C9-5D0   │
    │                     │                                │       │                                │          │           │                          │ C-0000-0010348C1D00              │
    │                     │                                │       │                                │          │           │                          │ ProcessId: 3572                  │
    │                     │                                │       │                                │          │           │                          │ RuleName: ""                     │
    │                     │                                │       │                                │          │           │                          │ TargetFilename: "C:\\Windows\\   │
    │                     │                                │       │                                │          │           │                          │ Temp\\dumpert.dmp"               │
    │                     │                                │       │                                │          │           │                          │ UtcTime: "2019-06-21 07:35:37.   │
    │                     │                                │       │                                │          │           │                          │ 324"                             │
    └─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘

Analysing

Shimcache

COMMAND:
    analyse shimcache                 Create an execution timeline from the shimcache with optional amcache enrichments

USAGE:
    chainsaw analyse shimcache [OPTIONS] <SHIMCACHE>

ARGUMENTS:
    <SHIMCACHE>                       The path to the shimcache artefact (SYSTEM registry file)

OPTIONS:
    -e, --regex <pattern>             A string or regular expression for detecting shimcache entries whose timestamp matches their insertion time
    -r, --regexfile <REGEX_FILE>      The path to a newline delimited file containing regex patterns for detecting shimcache entries whose timestamp matches their insertion time
    -o, --output <OUTPUT>             The path to output the result csv file
    -a, --amcache <AMCACHE>           The path to the amcache artefact (Amcache.hve) for timeline enrichment
    -p, --tspair                      Enable near timestamp pair detection between shimcache and amcache for finding additional insertion timestamps for shimcache entries
    -h, --help                        Print help

Example pattern file for the --regexfile parameter is included in analysis/shimcache_patterns.txt.
Regex patterns are matched on paths in shimcache entries converted to lowercase.

Command Examples

Analyse a shimcache artefact with the provided regex patterns, and use amcache enrichment with timestamp near pair detection enabled. Output to a csv file.

./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt --amcache ./Amcache.hve --tspair --output ./output.csv

Analyse a shimcache artefact with the provided regex patterns (without amcache enrichment). Output to the terminal.

./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt

SRUM (System Resource Usage Monitor)

The SRUM database parser implemented in Chainsaw differs from other parsers because it does not rely on hardcoded values about the tables. The information is extracted directly from the SOFTWARE hive, which is a mandatory argument. The goal is to avoid errors related to unknown tables.

COMMAND:
    analyse srum                             Analyse the SRUM database

USAGE:
    chainsaw analyse srum [OPTIONS] --software <SOFTWARE_HIVE_PATH> <SRUM_PATH>

ARGUMENTS:
    <SRUM_PATH>                              The path to the SRUM database

OPTIONS:
    -s, --software <SOFTWARE_HIVE_PATH>      The path to the SOFTWARE hive
        --stats-only                         Only output details about the SRUM database
    -q                                       Suppress informational output
    -o, --output <OUTPUT>                    Save the output to a file
    -h, --help                               Print help

Command Example

Analyse the SRUM database (the SOFTWARE hive is mandatory)

./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat --output ./output.json

Output

$ ./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat -o ./output.json

     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

    [+] ESE database file loaded from "/home/user/Documents/SRUDB.dat"
    [+] Parsing the ESE database...
    [+] SOFTWARE hive loaded from "/home/user/Documents/SOFTWARE"
    [+] Parsing the SOFTWARE registry hive...
    [+] Analysing the SRUM database...
    [+] Details about the tables related to the SRUM extensions:
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | Table GUID                               | Table Name                                 | DLL Path                             | Timeframe of the data   | Expected Retention Time |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {5C8CF1C7-7257-4F13-B223-970EF5939312}   | App Timeline Provider                      | %SystemRoot%\System32\eeprov.dll     | 2022-03-10 16:34:59 UTC | 7 days                  |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4}   | Tagged Energy Provider                     | %SystemRoot%\System32\eeprov.dll     | No records              | 3 days                  |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}   | WPN SRUM Provider                          | %SystemRoot%\System32\wpnsruprov.dll | 2022-03-10 20:09:00 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:09:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}   | Application Resource Usage Provider        | %SystemRoot%\System32\appsruprov.dll | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}   | Energy Usage Provider                      | %SystemRoot%\System32\energyprov.dll | No records              | 60 days                 |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT | Energy Usage Provider (Long Term)          | %SystemRoot%\System32\energyprov.dll | No records              | 1820 days               |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {973F5D5C-1D90-4944-BE8E-24B94231A174}   | Windows Network Data Usage Monitor         | %SystemRoot%\System32\nduprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}   | vfuprov                                    | %SystemRoot%\System32\vfuprov.dll    | 2022-03-10 20:09:00 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}   | Energy Estimation Provider                 | %SystemRoot%\System32\eeprov.dll     | No records              | 7 days                  |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    | {DD6636C4-8929-4683-974E-22C046A43763}   | Windows Network Connectivity Usage Monitor | %SystemRoot%\System32\ncuprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |
    |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |
    +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+
    [+] SRUM database parsed successfully
    [+] Saving output to "/home/user/Documents/output.json"
    [+] Saved output to "/home/user/Documents/output.json"

Forensic insights

Information about the new forensic insights related to this artefact can be found in the wiki: https://github.com/WithSecureLabs/chainsaw/wiki/SRUM-Analysis.

Dumping

USAGE:
    chainsaw dump [OPTIONS] <PATH>

ARGUMENTS:
    <PATH>                  The path to an artefact to dump

OPTIONS:
    -j, --json              Dump in json format
        --jsonl             Print the output in jsonl format
        --load-unknown      Allow chainsaw to try and load files it cannot identify
    -o, --output <OUTPUT>   A path to output results to
    -q                      Suppress informational output
        --skip-errors       Continue to hunt when an error is encountered
    -h, --help              Print help

Command Example

Dump the SOFTWARE hive

./chainsaw dump ./SOFTWARE.hve --json --output ./output.json

Acknowledgements

EVTX-ATTACK-SAMPLES by @SBousseaden
Sigma detection rules
EVTX parser library by @OBenamram
TAU Engine Library by @AlexKornitzer
Shimcache analysis feature developed as a part of CC-Driver project, funded by the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No. 883543
DFIRArtifactMuseum by Andrew Rathbun (@bunsofwrath12)

chainsaw's People

Contributors

Stargazers

Watchers

Forkers

yosignals blue-infosec ceyhuncamli torstenbeer guillaumecsekoia cybersecops gavz kartikeyap ethancck hasanakgoz zha0 486dx powerpress kevien software-security-course os-security-training jessefmoore cctv0x01 y0d4a me009 raystyle weldingwit run0nceex sschatz1997 drag0s-sc morpheusc m4d3bug owlthreatintel cermmik mlynchcogent romulus968 patroclica jasperh8624 randengshifu forkkit castuloramirez slooppe bigbrobro andrewrathbun jack51706 hackinfinity carmelofdz hell0scp lostar303 miragshin sgnls omenscan j5s rafael-sm17 bnder1 conexioninversa meni0n jesse-culver michaeljgoodman dave360-crypto ctfbuster workcha blackjack0 usama7628674 florianb l1kw1d orinocoz top-team sirwomble ethanflair c002 datbiao 1063122023 colindix finalplus 333c maubertin ashleykellyforensics needafuture ana7z theshiv303 akiyamaliet sinsixx jonz-secops markusloyen superuser5 git4artifact madusec dekoder blueteam0ps emesaitch little4n6fox justinforbes control-risks-dfir hotelzululima tonycrespome fuzzyun1c0rn nejibnbm jxpsx radizzle morph13nd scriptidiot fadymarkram sofectalabs northshade

chainsaw's Issues

Support for more F-Secure alerts / log providers

Request to add support for more event log providers related to F-Secure alerts. The built-in support for F-Secure alerts consumes events from the "F-Secure Ultralight SDK" provider. My limited research shows that alerts are also found in the "F-Secure File scanning" and "FSecure-FSecure-F-Secure DeepGuard" providers. These alerts aren't detected by Chainsaw.

(Let me know if there is any good documentation about event ID:s and log providers used by F-Secure.)

Support for WEF/WEC ForwardedEvents.evtx

Request to add support for WEF/WEC ForwardedEvents.evtx files. Chainsaw seems to process such files, but no results are shown for searches or hunts. See examples below:

--json not outputting correctly with search

The JSON output for "search" puts a [] around the JSON data and introduces other formatting errors.

From Firefox: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data. Even if I remove the []'s, I still get that.

Get-Content -Raw .\output.json | ConvertFrom-Json returns blank data as well.

This is chainsaw version 1.1.5 on Windows 10.

Ability to use the --csv option to output the results to specified directory

Hi,
Great Tool! Would love to see the --csv option to have the ability to output/write the csv files to a specified directory similar to the --json option? With that, it should be pretty easy to integrate with other tools, such as integrating it as a kape module.

Start / end date options to select events to process

Request to include start / end date options, to select events to process. This would optimize processing of large event log files, such as ForwardedEvents.evtx with 10-20 GB max size. Ideally the date filters would be applied as early as possible, to avoid unnecessary processing of irrelevant events. Suggested options:

OPTIONS:
  -sd, --start-date <datetime>
           Start date for including events (UTC). Anything older than this is dropped. Format: yyyy-MM-dd HH:mm:ss

  -ed, --end-date <datetime>
           End date for including events (UTC). Anything newer than this is dropped. Format: yyyy-MM-dd HH:mm:ss

Rules folders not loading correctly

No matter what folder you specify it seems to load the default rules folder

Feature Request - Parsing event log xml file

Wondering if there is a way to parse an XML file of event logs that may have been extracted from memory with volatility or
Willi Ballenthin's evtxtract. Not able to find a method to extract the individual logs from the xml, but if this feature could be added to the tool, that'd be awesome! Thanks!

CSV Encoding

Awesome tool...thx for sharing with the community!

The CSV output should be in UTF8. Please fix this with your next release. Thank you!

I processed EVTX files from a French system and a lot of characters were bogus. JSON output looked fine.

Cheers!

Rule seemingly not matching certain event IDs

Upon attempting to create some test rules, I could not get a simple contains condition to hit on a type 400 powershell event. So I removed everything from the condition but the event ID and tried again, and still got no hits.

Tried removing as much as possible to isolate the problem, changing the log source service and product between the various "powershell", "powershell-classic" etc... used across pre-existing sigma rules.

Whilst I tried a large number of variants, see below the rule I believe should be most likely to work based off of existing rules in the 'sigma_rules' ruleset. this rule does not hit on any of the 400 events within a "Windows PowerShell.evtx" log:

title: test
id: 30a8cb77-8eb3-4cfb-8e79-ad447c5a4592
description: test
status: experimental
author: Michael
date: 2021/11/19
modified: 2021/11/19
tags:
    - attack.execution
    - attack.t1086
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        EventID: 400
    condition: selection
falsepositives:
    - unknown
level: low

--json output not properly formatted?

I saved the results as a json file. I believe there's a format error somewhere. When I paste the contents into a json syntax verifier it fails, and when I import it into PowerShell and convert it, it also fails.

.\chainsaw.exe hunt .\evtx_attack_samples\Execution\exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --lateral-all --json .\results.json

Get-Content -raw .\results.json | ConvertFrom-Json
// Fails

Fix incorrect parsing of Sigma's Rule Collections

At the time I clearly did not read this bit of the spec properly (or at all). So that way we parse sigma into tau for Rule collections is incorrect. This results in issues (#19, #30). Correcting this should not be too difficult.

--lateral-all on large logs

had a 200mb log which shows the 4624 when using "search" however doesn't when using "hunt".

is it an issue with log size?

A single invalid evtx stream halts processing of multiple files

Running on a sample of 178 evtx files and it fails quickly throwing the error "[!] Chainsaw exited: An error occurred while trying to deserialize evtx stream."

However, it does not give any indication of which log file it failed to parse, and with 100+ logs it's time consuming to work out which evtx file(s) it's struggling with.

Additionally it can be tedious to copy the files to a new location and remove just the one invalid file and re-run, so a suggested fix would preferably be one that:

Skips any evtx file it fails to parse
Provides verbose (or logged) indication of the filename when throwing errors

Give it a bit of a clean and add some very much needed tests :P

So IMO the chainsaw code needs a bit of a clean. We also need to add tests so that its easier for contributions and changes. When I find some time I will try and make some headway into this.

Refactor to handle Rust style testing
Clean code as required

EventID in Sigma Rules not matching (String vs Numeric)

Most sigma rules use numeric EventID - i.e.:

detection:
    selection:
        EventID: 7045
        ServiceName:
            - 'srservice'
            - 'ipvpn'
            - 'hkmsvc'
    condition: selection

modules.rs [line 215] however converts the EventID to a String

doc["EventID"] = json!(event_id.to_string());

and the condition (EventID: 7045) is therefore not met. After removing the conversion to String (or rewriting the Sigma Rule to EventID: "7045") the Event is successfully matched:

doc["EventID"] = json!(event_id);

Compliance with DRL 1.1

First of all, great tool 👍

Would it be possible to display the rule author somewhere whenever a rule matches on an eventlog entry to comply with the Detection Rule License?
Maybe in brackets behind the rule title in the column detection_rules?

https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md

I guess this would be the right location:
https://github.com/countercept/chainsaw/blob/0a4b0f22427985a6cd0af1b1fd559933e5adf6f7/src/hunt/modules.rs#L50

JSON Output to Stdout

It would be nice to have an option to output JSON results to stdout for immediate consumptions vs. writing to a file.

Originally discussed here: #2 (comment)

killed by security tools

Symantec category: Malware
Hash: 90A88E340271274B9BFF5502C34E4669CD450FD6286625E827FB66019A9F1B6B

"+" at the start of detection_rules column values

Even when only a single rule matches, testing numerous sets of logs will often come back with "+ Accessing WinAPI in PowerShell" or something similar, where the + character is added to the start of the column value.

I'm unsure if this is because there may be one or more rules in the main sigma ruleset that don't have a title, but even in that case it would be preferable to exclude the empty " +" from the start.

As a small compatibility sidenote, this does then interfere with opening the csv outputs in excel as excel will turn these column values into equations, which is actually quite difficult to get around without some transformation of the file.

Add Sigma Rule Id and description to results

Hello, thanks a lot for this amazing product.

Currently, Chainsaw result includes the name of matched Sigma rule. Can you include Sigma rule ID and description too?

Sigma ID is not a mandatory field according to https://github.com/SigmaHQ/sigma/wiki/Specification, but it could be nice to know more information about the match from the Sigma rule specification.

Thanks!

Trend Micro Antivirus removing chainsaw.exe as malicious file

Trend Micro Antivirus removing chainsaw.exe as a malicious file. Is there any way we could get it reported to trend to allow it?

PowerShell Object Data

It would be extremely useful for this tool to have a switch like --PSObject, that outputs the results to stdout as PowerShell object data. Currently, I have to save the results to a csv file then import it into PowerShell for additional manipulation using "Import-Csv "chainsawfile.csv". Though, this mild inconvenience isn't a show stopper, skipping the step of saving the results and being able to manipulate object data would be super awesome. A simple example is using PowerShell's Out-GridView to view the results natively and then applying filters or just searching. That, and having to clean up the files afterward wouldn't be necessary.

Example of request:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --PSObject | Out-GrdiView -Title 'Chainsaw Results'

Current Non-Preferred Method:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --csv
Import-Csv ".\chainsaw_2021-09-05T11-52-35(external_rule)_-suspicious_process_creation.csv" | Out-GridView -Title "Chainsaw Results"
Remove-Item ".\chainsaw_2021-09-05T11-52-35(external_rule)-_suspicious_process_creation.csv"

Json output missing detections

Yo yo,

It's your boy, Mert.

Was just testing the json output. It looks like built-in detections do not get appended to the json output. Was this by design or a bug?

Json output:

Normal output:

CSV Files not generated correctly

When \r present in columns, the CSV files generate additional lines and not formatted correctly:

system_time,id,detection_rules,computer_name,Event.EventData.TargetFilename,image
2021-10-26 05:58:04,11,"+ Suspicious xxxx
File Created In TMP","""xxxx""",xxxx,xxxx
2021-10-26 06:55:36,11,"+ Suspicious xxxx
File Created In TMP","""xxxx""",xxxx,xxxx

This is normally the case for the column "Detection Rules".
Would it be possible to remove that \r or generate that column in a different way so that the CSVs will be created correctly?

Support for Syslog/CEF output

Request to add support for sending the output as Syslog or CEF stream.

This would give the possibility of performing threat hunting on multiple teams at the same time without the need for forensic acquisitions.

Example:

1-Display chainsaw on a big grouf of computers (Ex: 1000)
2-Execute a chainsaw command on multiple computers. (Example: With psexec.)
3-Receive all the data in a SIEM and query about them.

--json output path not working for hunts

I'm trying to generate a json output file. Unfortuanttly it seems not to work because it's not allowed to add a path after --json like --json C:\TEMP\test.json

Expected behavior:
If I'm running the command:
chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json
I would execpet in the folder C:\xyz\xyz\xyz\chainsaw\ the output.json.

Actual behavior
If I'm running the command:
chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json

I get the following "error" dialog:
error: Found argument 'C:\xyz\xyz\xyz\chainsaw\output.json' which wasn't expected, or isn't valid in this context

If I'm running it without a path like:
chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json

Its working but prints the json in the console which is not what I expect from this paramter.

Could you maybe have a look on it?

Thanks already and many greetings

Evtx files with different extension

I can see that chainsaw only supports files with evtx extension.
https://github.com/countercept/chainsaw/blob/master/src/util.rs#L56

Would it be possible to add a command line argument to check for a different file extension ?

thanks !

Memory Exhaustion Error

When running chainsaw in search mode against a very large set of event logs, if the search parameters are broad enough to capture a lot of results then the memory used by Chainsaw will balloon and may result in the binary being terminated.

This is due to #7 where we now load hits into a Vec before printing in order to output JSON correctly. If there are too many matches then the Vec will bloat out and consume too much memory.

Latest release flagged in VirusTotal

Pulled latest compiled release x64 windows

chainsaw_x86_64-pc-windows-msvc.zip

VirusTotal reports a few issues

Use separate-json-attributes

Curious why not use separate-json-attributes for the EvtxParserSettings?

The issue with not using this settings is that it causes inconsistent json attribute naming standard:

When ever a XML element as an attribute, the JSON field will split into a #text and #attributes. This causes issues on many fronts. Using separate-json-attributes setting for the parser will normalize the fields and an XML element's value will always be the field name and any element attributes will be placed under <ELEMENT_NAME>_attributes. This prevents inconsistent field names in JSON serializations.

Some other references:

If you are open to this I can create a PR

Output Directory option?

Curious as to why there isn't an option for both hunt/search for an output directory?

I use this for multiple concurrent clients and it creates a lot of overhead to either move chainsaw and its libraries needed, or constantly moving the folder created from where chainsaw executes to my current working directory

Search Progress Bar not working since v1.1.0

Since we merged in #23 the progress bar for the search functionality no longer seems to work.
The hunt search bar still works, so I assume this might be to do with how we are printing now?

@alexkornitzer - One for you to take a look at if you have time?

Request for time filters(start and end dates) in local time

It would be great to have the start and end date filters support the local machine time as apart from servers most desktops in an organization would have local time set.

Currently the events returned with date filters set are also in UTC time which means one needs to reconvert back the output to local time.

search -o and -j Parameter not working as intended

`-o` Parameter

Expected behavior as per README.md

Using chainsaw <EVTX-File> -o example.txt lets me save the results to a txt file.

Actual behavior

error: Found argument '-o' which wasn't expected, or isn't valid in this context

`-j/--json` Parameter

Expected behavior as per `.\chainsaw.exe search --help`

.\chainsaw.exe search --help does not show any -o option for chainsaw. It instead shows a -j/--json option. This should store the output to a .JSON file.

Actual behavior

Using this parameter yields basically the same error message:

error: Found argument '-j' which wasn't expected, or isn't valid in this context

Summary

Missmatch between README.md and output of --help
-o not known for search
-j/--json not known for search

Testing Environment

I tested the most current version chainsaw 1.1.5 (chainsaw_x86_64-pc-windows-msvc.zip) using:

Windows 11 Pro N (10.0.22000 Build 22000) cmd.exe
Tested for PowerShell 5.1.22000.282

Is there any installation guide?

I cloned the repository and tried compiling the software but unfortunately I did not find any relevant document to do so. Am I missing anything or looking at wrong place? My OS is Ubuntu-20.04

Path issue leading to merging sample logs

On one of my first run-throughs of using Chainsaw I mistakenly put the logs I wanted to parse in the root of the program folder on a windows machine and then ran some analysis tasks. It seems it will recursively check subfolders under the main folder for additional event files and add them to the capture. This resulted in me thinking I was seeing signs of compromise in the output .csv files that were actually pulled in from the samples and merged with the results from the actual parsing. May want to add a check or a warning to new users to ensure they don't make the same mistake.

Add --sync command for updating Sigma rules from SigmaHQ repo

Hello,

Thanks for all your work on this fantastic tool!

Sigma rules in the SigmaHQ repo seem to change by the hour. It's a very fast moving repo, as I've come to find out. Manually updating these Sigma rules is simply something most people won't do and over time they'll be missing out on new rules for the latest threats. A fair amount of examiners likely won't know any better that these rules should be maintained and updated on a fairly regular basis.

The ask here is to consider adding a --sync command (or similar) that'll mirror the contents of https://github.com/SigmaHQ/sigma/tree/master/rules into the .\Chainsaw\sigma_rules directory, folders and all. If not all folders, then maybe at least the Windows and APT folders, to start?

Thanks for any consideration!

warning: field is never read

Running Ubuntu 20.04 and getting the following errors when launching cargo build

warning: field is never read: category--> src/convert/sigma.rs:22:5 | 22 | pub category: Option<String>, | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | = note:#[warn(dead_code)]` on by default

warning: field is never read: product
--> src/convert/sigma.rs:24:5
|
24 | pub product: Option,
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^

warning: field is never read: service
--> src/convert/sigma.rs:26:5
|
26 | pub service: Option,
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^

warning: field is never read: logsource
--> src/convert/sigma.rs:50:5
|
50 | pub logsource: Option,
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

warning: chainsaw (lib) generated 4 warnings
Finished release [optimized] target(s) in 3m 30s
`

CSV output to Stdout

similar to issue #8 having an option for the csv output to stdout would be great

thread "main" panicked when trying to use custom rules in `hunt` mode

Hello, I downloaded the release version of chainsaw and it's running smoothly using sigma-rules from SigmaHQ, which is great. But once I use custom rules from another repository, it threw an error. I'm not sure where the error come from, but it became an issue when I'm trying to use custom rule.

PS> chainsaw.exe hunt <evtx location> -r <custom rules location> -m ".\mapping_files\sigma-mapping.yml"
██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)

[+] Found 231 EVTX files
[+] Converting detection rules...
thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', library\alloc\src\vec\mod.rs:1385:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Is the mapping incompatibility become an issue?

Incorrect Sigma detections since v1.1.0

Potential bug resulting in incorrect Sigma detections since Chainsaw v1.1.0.

When parsing a System.evtx file with Chainsaw v1.1.0 (from "chainsaw_x86_64-pc-windows-msvc.zip"), several Sigma rules are incorrectly triggered by every 7045 event. See example below:

A similar test using Chainsaw v1.0.2 shows no false positives, see below:

Finally a test with Chainsaw v1.0.2 using the Sigma rule set bundled with v1.1.0. No false positives, see below:

Expand --ignore-errors to include system errors

When running against some triage images that contain unreadable directories, chainsaw will exit even with --ignore-errors set.

Example:
Chainsaw exited: IO error for operation on E:\System Volume Information: Access is denied. (os error 5)

Documentation or guidance on expanding Chainsaw's functionality

Hello,

Would it be possible for some documentation or guidance on how to expand the functionality of Chainsaw using sigma rules and chainsaw's mapping file?

I've spoken with a number of people in the DFIR community who would love to be able to contribute and build on what is already an amazing tool but have struggled to understand how to write new rules and then map it to Chainsaw's output (myself included!)

I'd be more than happy to collate some ideas for detection rules if that would help the process in anyway.

Any help, support or resource you can offer would be greatly appreciated.

Many thanks

Tom

chainsaw_x86_64-pc-windows-msvc.zip

Chainsaw for Windows does not run in Windows 7? Is there a Version that will run in Windows 7?

However it does run in Windows 10.

Kenneth

How to install on Windows 10

Hey, a beginner at this I was wondering if anyone could help me install this on my Windows 10?
I'm really not getting it... Thanks in advance!

Feature Request: Quiet Option

Request to include a -q flag that only prints the JSON output (excludes banner, etc.). This would make it easier to pipe the output of chainsaw to other tools.

can it take json as input ? (question)

I have evtx saved as json. Noticed in your blog that you convert evtx to json, before searching thru them. Is it possible to feed json directly ? Thanks

Output failed file?

We pull event logs out of RAM for forensic analysis. This can lead to both complete and incomplete files, and when you have hundreds of event logs trying to figure out which ones are good and which ones are bad can be tedious. When Chainsaw hits an incomplete/corrupt file it stops the whole search with the message "an error occurred while trying to deserialize evtx stream". If there's 400 evtx logs and only 1 of them is bad, it will stop the whole search.

Is it possible to have it skip files it can't parse in order to complete the search? Or barring that can it at least output which file it hung up on so I can remove it from the directory?

Valid JSON Output

Great work on this! I really appreciate all the work that went into it!

While the individual objects contained within the JSON output are considered valid JSON, it seems like when they are concatenated together in the results file, they are not separated (by comma ,), and/or considered as an array of objects (with open/closing bracket []), so the results can't be picked up by tools that parse JSON without additional work. If needed, I can follow up with a PR as I get time.

Additionally, it would be nice to consider allowing for JSON output to stdout, so a file would not need to be written to disk, but other tools could easily parse the data returned.

Add sigma metadatas in results

It would be really nice to have sigma metadatas (especially level and tags) directly in the json output file.

This would be usefull when indexing results in a SIEM !

Thanks

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.

Jobs

Jooble

countercept / chainsaw Goto Github PK

chainsaw's Introduction

Rapidly Search and Hunt through Windows Forensic Artefacts

Features

Table Of Contents

Why Chainsaw?

Windows Event Logs

Hunting Logic for Windows Event Logs

Sigma Rule Matching

Chainsaw Detection Rules

Quick Start Guide

Downloading and Running

EDR and AV Warnings

What changed in Chainsaw v2?

Examples

Searching

Command Examples

Hunting

Command Examples

Output

Analysing

Shimcache

Command Examples

SRUM (System Resource Usage Monitor)

Command Example

Output

Forensic insights

Dumping

Command Example

Acknowledgements

chainsaw's People

Contributors

Stargazers

Watchers

Forkers

chainsaw's Issues

-o Parameter

Expected behavior as per README.md

Actual behavior

-j/--json Parameter

Expected behavior as per .\chainsaw.exe search --help

Actual behavior

Summary

Testing Environment

Recommend Projects

Recommend Topics

Recommend Org

Jobs

`-o` Parameter

`-j/--json` Parameter

Expected behavior as per `.\chainsaw.exe search --help`