Chainsaw: Hunt, search, and extract event log records
I first spotted Chainsaw courtesy of Florian Roth’s Twitter feed, given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw’s powerful ‘first-response’ capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).
The Chainsaw project documentation is robust. As always, read up on the project before use; it makes use of other great projects as well. James and Alex have provided all you need to get started in short order.
I conducted my first experiment using logs from a DFIR consulting gig I had circa 2014 with an impacted manufacturing firm. The victim user and system names have been changed to protect the innocent.
The environment was a very flat Windows environment with a .local domain that was not administered in keeping with best practices. The organization’s controllers were compromised, both the accountant and the domain ;-), leading to a significant financial loss for the organization. As such, I’ve simply changed the user name to CONTROLLER, and the domain to victimsystems.local. The related logs from this event, for purposes of this experiment, were stored in logs/client. In order to change names as described I simply wrote the results to a text file when running Chainsaw as follows:
chainsaw hunt logs/client/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml > results\results.txt
I also ran Chainsaw this way when I discovered that results written to the console are more comprehensive than those written out to CSV with the --csv --output results option. This run exclusively used Sigma rules, as noted via -s sigma/.
Figure 1: First Chainsaw experiment
The results were revealing, and in keeping with my original investigation eight years ago. The victim system was thoroughly infested with malware, amongst which I’d identified Trojan.Agent.FSAVXGen, also known as Backdoor:Win32/Simda, a backdoor usually dropped by other malware or downloaded by users visiting malicious sites. Chainsaw’s results revealed this malware in the victim system security log with Sigma’s Failed Code Integrity Checks and Remote Service Creation as seen in Figure 2.
Figure 2: Chainsaw reveals Backdoor:Win32/Simda
Note the kernel mode driver, and a service named xina.exe, but the real IOC is the failed code integrity check for l3codeca.acm, a common indicator for this malware.
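To make concrete what a hunt like the one above is doing under the hood, here is a small Sigma-style matcher I added for this write-up. It is not Chainsaw’s code and does not use Chainsaw’s mapping file syntax; it only illustrates the two moving parts the commands above rely on: a mapping that resolves a rule’s field names to paths inside a parsed event record (what --mapping supplies), and a rule selection evaluated against every record (what -s sigma/ supplies). Event IDs 5038 and 6281 (failed code integrity checks) and 4732 (member added to a security-enabled local group) are the real Windows Security event IDs; the sample records, the field-to-path mapping, and the two rules other than the generic code-integrity one are constructed for this example, including the rule keyed on the page’s l3codeca.acm indicator.

```python
"""Minimal Sigma-style rule evaluation over parsed Windows event records.

Added illustration for the Chainsaw write-up; not Chainsaw's code and not
its mapping format. Records are plain dicts shaped like a parsed EVTX
event (Event -> System / EventData), all constructed for this example.
"""
from dataclasses import dataclass

# Constructed mapping: rule field name -> path inside a parsed event record.
# This stands in for what a Chainsaw mapping file does conceptually.
FIELD_MAP = {
    "EventID": ("Event", "System", "EventID"),
    "FileName": ("Event", "EventData", "param1"),  # constructed path for 5038's file name
    "TargetUserName": ("Event", "EventData", "TargetUserName"),
    "MemberName": ("Event", "EventData", "MemberName"),
}


@dataclass
class Rule:
    title: str
    selection: dict  # "Field" or "Field|modifier" -> value or list of values


def lookup(record, path):
    """Walk a nested dict along `path`; return None if any key is missing."""
    cur = record
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def field_matches(value, expected, modifier):
    """Case-insensitive comparison with the Sigma modifiers used here."""
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    v = str(value).lower()
    for cand in candidates:
        c = str(cand).lower()
        if modifier is None and v == c:
            return True
        if modifier == "endswith" and v.endswith(c):
            return True
        if modifier == "contains" and c in v:
            return True
    return False


def rule_matches(rule, record):
    """A Sigma selection is an AND across its fields; a list value is an OR."""
    for spec, expected in rule.selection.items():
        name, _, modifier = spec.partition("|")
        path = FIELD_MAP.get(name)
        if path is None:
            raise KeyError(f"no mapping for rule field {name!r}")
        if not field_matches(lookup(record, path), expected, modifier or None):
            return False
    return True


def hunt(rules, records):
    """Return (rule title, EventRecordID) for every record/rule pair that matches."""
    return [
        (rule.title, rec["Event"]["System"]["EventRecordID"])
        for rec in records
        for rule in rules
        if rule_matches(rule, rec)
    ]


RULES = [
    # Real Sigma logic for the generic check: 5038 or 6281 in the Security log.
    Rule("Failed Code Integrity Checks", {"EventID": [5038, 6281]}),
    # Constructed, narrower rule keyed on the indicator discussed in the post.
    Rule("Code Integrity Failure for ACM Codec (constructed)",
         {"EventID": 5038, "FileName|endswith": ".acm"}),
    # Constructed rule: 4732 records a member added to a local group; for 4732
    # TargetUserName carries the group name.
    Rule("Local Administrators Group Addition (constructed)",
         {"EventID": 4732, "TargetUserName": "Administrators"}),
]

# Constructed sample records; EventRecordIDs and file path are made up.
SAMPLE_RECORDS = [
    {"Event": {"System": {"EventID": 5038, "EventRecordID": 1001},
               "EventData": {"param1": r"C:\Windows\System32\l3codeca.acm"}}},
    {"Event": {"System": {"EventID": 4732, "EventRecordID": 1002},
               "EventData": {"TargetUserName": "Administrators", "MemberName": "user1"}}},
    {"Event": {"System": {"EventID": 4624, "EventRecordID": 1003},
               "EventData": {"TargetUserName": "CONTROLLER", "LogonType": "2"}}},
]

if __name__ == "__main__":
    for title, rec_id in hunt(RULES, SAMPLE_RECORDS):
        print(f"[+] {title} -> EventRecordID {rec_id}")
```

The benign 4624 logon record matches nothing, the 5038 record fires both the generic and the codec-specific rule, and the 4732 record fires the group-addition rule. Swapping FIELD_MAP for a different log shape is the whole point of the mapping layer: the rules stay untouched while the paths change.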
My second experiment included the use of Florian’s APT Simulator on one of my Windows systems. APTSimulator is exactly what it says it is, delivered as a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised (Roth, 2022).
I chose to run every option, which is complete overkill, but fun nonetheless. I then saved the system’s security event log as APTsim.evtx and ran it through Chainsaw as follows:
chainsaw hunt logs/APTsim.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ > results\APTsimResults.txt
Note that this Chainsaw run included -r rules/, which incorporates Chainsaw’s built-in rule set as well. From the APTsim.evtx assessment, Chainsaw rules identified Account Tampering (APT Simulator added an admin to the local administrator’s group), while Sigma rules flagged Generic Password Dumper Activity on LSASS (procdump64.exe), Remote Service Creation (PSEXESVC.EXE), and Rare Schtasks Creations (falshupdate22).
Figure 3: Chainsaw identifies APT Simulator behaviors
This is an extremely useful tool when you need a fast way to hunt in Windows event logs with all the benefits of Sigma and speed. I really enjoyed the opportunity to experiment with Chainsaw, appreciate the project leads for their work, as well as the excellent dependencies Chainsaw takes in Sigma, the EVTX parser, and the TAU Engine. Great stuff all around. In the name of my favorite deathcore band, Whitechapel, “the saw is the law”!
Cheers…until next time.
References:
Countercept. (2022, August). Rapidly Search and Hunt through Windows Event Logs. GitHub. Retrieved September 15, 2022, from https://github.com/WithSecureLabs/chainsaw
Roth, F. (2022, June 20). NextronSystems/APTSimulator: A toolset to make a system look as if it was the victim of an APT attack. GitHub. Retrieved September 18, 2022, from https://github.com/NextronSystems/APTSimulator