I first spotted Chainsaw courtesy of Florian Roth’s Twitter feed, given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw’s powerful ‘first-response’ capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).
The Chainsaw project documentation is robust. As always, read up on the project before use; it makes use of other great projects as well. James and Alex have provided all you need to get started in short order.
I conducted my first experiment using logs from a DFIR consulting gig I had circa 2014 with an impacted manufacturing firm. The victim user and system names have been changed to protect the innocent.
I also ran Chainsaw this way when I discovered that results written to the console are more comprehensive than those written out to CSV with the
Figure 1: First Chainsaw experiment
The results were revealing, and in keeping with my original investigation eight years ago. The victim system was thoroughly infested with malware, amongst which I’d identified Trojan.Agent.FSAVXGen, also known as Backdoor:Win32/Simda, a backdoor usually dropped by other malware or downloaded by users visiting malicious sites. Chainsaw’s results revealed this malware in the victim system security log with Sigma’s Failed Code Integrity Checks and Remote Service Creation as seen in Figure 2.
Figure 2: Chainsaw reveals Backdoor:Win32/Simda
Note the kernel mode driver, and a service named xina.exe, but the real IOC is the failed code integrity check for l3codeca.acm, a common indicator for this malware.
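To show how detections like the two above are evaluated, here is a minimal Sigma-style matcher added as an illustration; it is not Chainsaw's or Sigma's own code. The two rules are simplified stand-ins for the Failed Code Integrity Checks and Remote Service Creation detections, and the events, paths and field values (apart from the l3codeca.acm and xina names above) are constructed samples.

```python
# Added illustration of Sigma-style matching over Windows events; not Chainsaw's or Sigma's own code.
# Rules and events below are constructed samples shaped like real Sigma detections and EVTX fields.
_MODS = {"": lambda a, w: a == w, "contains": lambda a, w: w in a,
         "startswith": lambda a, w: a.startswith(w), "endswith": lambda a, w: a.endswith(w)}

def _field_matches(event, key, expected):
    field, _, mod = key.partition("|")   # Sigma's 'field|modifier' syntax; a list of values means OR
    actual = str(event.get(field, "")).lower()
    wants = expected if isinstance(expected, list) else [expected]
    return any(_MODS[mod](actual, str(w).lower()) for w in wants)

def _selection_matches(event, selection):
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, rule):
    # Supports the two common condition shapes: 'selection' and 'selection and not filter'.
    if rule["logsource"]["service"].lower() != str(event.get("Channel", "")).lower():
        return False
    det = rule["detection"]
    positive, _, negative = det["condition"].partition(" and not ")
    if not _selection_matches(event, det[positive.strip()]):
        return False
    return not (negative and _selection_matches(event, det[negative.strip()]))

def hunt(events, rules):
    return [(r["title"], e["EventID"], e.get("FileName") or e.get("ImagePath"))
            for e in events for r in rules if rule_matches(e, r)]

# Constructed rules: 5038 = Code Integrity found an invalid image hash (Security log);
# 7045 = a new service was installed (System log). Stand-ins, not the published Sigma rules.
RULES = [
    {"title": "Failed Code Integrity Checks", "logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": 5038}, "condition": "selection"}},
    {"title": "Remote Service Creation", "logsource": {"product": "windows", "service": "system"},
     "detection": {"selection": {"EventID": 7045},
                   "filter": {"ImagePath|startswith": "C:\\Program Files\\"},
                   "condition": "selection and not filter"}},
]
# Constructed events; only the l3codeca.acm and xina names come from the investigation above.
EVENTS = [
    {"Channel": "Security", "EventID": 5038, "FileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\l3codeca.acm"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "victim"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "xina", "ImagePath": "C:\\Users\\victim\\AppData\\Local\\Temp\\xina.exe"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "WinDefend", "ImagePath": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for title, event_id, path in hunt(EVENTS, RULES):
        print(f"[{title}] EventID {event_id}: {path}")
```

Only the 5038 event and the service installed from a user-writable path are reported; the logon event and the service under Program Files fall through, which is the filter clause doing its job.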
My second experiment included the use of Florian’s APT Simulator on one of my Windows systems. APTSimulator is exactly what it says it is, delivered as a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised (Roth, 2022).
Note that this Chainsaw run included
Figure 3: Chainsaw identifies APT Simulator behaviors
This is an extremely useful tool when you need a fast way to hunt in Windows event logs with all the benefits of Sigma and speed. I really enjoyed the opportunity to experiment with Chainsaw, appreciate the project leads for their work, as well as the excellent dependencies Chainsaw takes in Sigma, the EVTX parser, and the TAU Engine. Great stuff all around. In the name of my favorite deathcore band, Whitechapel, “the saw is the law”!
Cheers…until next time.
References: Countercept. (2022, August). Rapidly Search and Hunt through Windows Event Logs. GitHub. Retrieved September 15, 2022, from https://github.com/WithSecureLabs/chainsaw
Roth, F. (2022, June 20). NextronSystems/APTSimulator: A toolset to make a system look as if it was the victim of an apt attack. GitHub. Retrieved September 18, 2022, from https://github.com/NextronSystems/APTSimulator
Sep 20th 2022