### Install Chainsaw using Nix Profile Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md This command installs the latest version of Chainsaw from its GitHub repository using Nix profile. This provides a more persistent installation managed by Nix. ```bash nix profile install github:WithSecureLabs/chainsaw ``` -------------------------------- ### Clone Sigma Rules and EVTX Samples Repositories Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md This command clones the Sigma rules and EVTX-Attack-Samples repositories, which are necessary for running Chainsaw with example data and rules. Ensure these are cloned separately to get the latest versions. ```bash git clone https://github.com/SigmaHQ/sigma git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git ``` -------------------------------- ### Install Chainsaw using Nix Shell Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md This command installs and runs Chainsaw temporarily using Nix shell. This is a convenient way to use Chainsaw without a full system installation. ```bash nix-shell -p chainsaw ``` -------------------------------- ### Sigma Mapping Configuration Example (YAML) Source: https://context7.com/withsecurelabs/chainsaw/llms.txt An example of a Sigma mapping configuration file in YAML format for Chainsaw. It defines how Sigma rules are mapped to specific log sources and event IDs, including exclusions and preconditions. ```yaml # Example mapping configuration: mappings/sigma-event-logs-all.yml --- name: Chainsaw's groupless Sigma mappings for Event Logs kind: evtx rules: sigma exclusions: - Defense evasion via process reimaging - Exports Registry Key To an Alternate Data Stream extensions: preconditions: - for: logsource.category: process_creation filter: - Provider: Microsoft-Windows-Sysmon int(EventID): 1 - Provider: Microsoft-Windows-Security-Auditing int(EventID): 4688 - for: logsource.category: network_connection filter: Provider: Microsoft-Windows-Sysmon int(EventID): 3 groups: - name: Sigma timestamp: Event.System.TimeCreated filter: Provider: "*" fields: - from: Provider to: Event.System.Provider - name: Event ID from: EventID to: Event.System.EventID - from: CommandLine to: Event.EventData.CommandLine visible: false - from: Image to: Event.EventData.Image visible: false ``` -------------------------------- ### Chainsaw Search: Case-Insensitive String Search Source: https://github.com/withsecurelabs/chainsaw/wiki/Usage Example of searching all .evtx files for a case-insensitive string. This utilizes the '-i' flag for case-insensitivity and specifies the file extension to target. The output will highlight all occurrences of the specified string within the given directory. ```bash ./chainsaw search mimikatz -i evtx_attack_samples/ ``` -------------------------------- ### Chainsaw Detection Rule Format Example (YAML) Source: https://context7.com/withsecurelabs/chainsaw/llms.txt An example of a custom Chainsaw detection rule written in YAML format. It defines the rule's metadata, fields to extract, and a filter condition using Tau Engine syntax. ```yaml # Example Chainsaw detection rule: rules/evtx/service_installation/suspicious_commands.yml --- title: Suspicious Commands Service Installation group: Service Installation description: Suspicious Commands were found in a Service that Was Installed authors: - reece394 kind: evtx level: medium status: stable timestamp: Event.System.TimeCreated fields: - name: Event ID to: Event.System.EventID - name: Record ID to: Event.System.EventRecordID - name: Computer to: Event.System.Computer - name: Service Name to: Event.EventData.ServiceName - name: Service File Name to: Event.EventData.ImagePath filter: condition: service_control_manager and service_name service_control_manager: Event.System.Provider: Service Control Manager Event.System.EventID: 7045 service_name: Event.EventData.ImagePath: - 'i*cmd /c*' - 'i*cmd.exe /c*' - 'i*%COMSPEC%*' ``` -------------------------------- ### Chainsaw Search: Regex Pattern with JSON Output Source: https://github.com/withsecurelabs/chainsaw/wiki/Usage Example of searching a specific .evtx log for logon events using a regular expression and outputting the results in JSON format. The '-e' flag is used for regex pattern matching, and '--json' formats the output for programmatic processing. ```bash ./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json ``` -------------------------------- ### Shimcache and SRUM Forensic Analysis (Rust) Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Provides examples of using ShimcacheAnalyser for timeline creation with Amcache enrichment and regex filtering, and SrumAnalyser for parsing SRUM database information. These are key for forensic analysis of Windows systems. ```rust use chainsaw::{ShimcacheAnalyser, SrumAnalyser}; use std::path::PathBuf; fn main() -> anyhow::Result<()> { // Shimcache analysis with Amcache enrichment let shimcache_analyser = ShimcacheAnalyser::new( PathBuf::from("./SYSTEM"), Some(PathBuf::from("./Amcache.hve")), ); let regex_patterns = vec![ r".*\\Windows\\Temp\\.*".to_string(), r".*\\AppData\\Local\\Temp\\.*".to_string(), ]; let timeline = shimcache_analyser.amcache_shimcache_timeline( ®ex_patterns, true, // Enable timestamp pair matching )?; for entity in &timeline { if let Some(ref entry) = entity.shimcache_entry { println!("Entry: {:?}", entry); } } // SRUM analysis let srum_analyser = SrumAnalyser::new( PathBuf::from("./SRUDB.dat"), PathBuf::from("./SOFTWARE"), ); let srum_info = srum_analyser.parse_srum_database()?; println!("SRUM Tables:\n{}", srum_info.table_details); Ok(()) } ``` -------------------------------- ### Chainsaw Search: Tau Expression for Event ID Source: https://github.com/withsecurelabs/chainsaw/wiki/Usage Example of searching for specific PowerShell script block events (Event ID 4104) using a Tau expression. The '-t' flag allows for structured querying based on event properties, making it suitable for targeted log analysis. ```bash ./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/ ``` -------------------------------- ### Clone and Build Chainsaw from Source Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md These commands show how to clone the Chainsaw repository and compile it using Cargo. Building with the '--release' flag is recommended for significantly faster execution times. ```bash git clone https://github.com/WithSecureLabs/chainsaw.git cd chainsaw cargo build --release ``` -------------------------------- ### Build Chainsaw using Nix Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md This command builds the Chainsaw binary using Nix from the root directory of the cloned repository. The compiled binary will be located in the './result/bin/chainsaw' directory. ```bash nix build . ``` -------------------------------- ### Build Searcher with Patterns and Options (Rust) Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Demonstrates building a Searcher using the builder pattern to configure search criteria like patterns, case sensitivity, and error handling. It then searches through specified files and prints any matches or errors. ```rust use chainsaw::{Searcher, get_files}; use std::path::PathBuf; fn main() -> anyhow::Result<()> { // Build searcher with patterns and options let searcher = Searcher::builder() .patterns(vec!["mimikatz".to_string(), "sekurlsa".to_string()]) .ignore_case(true) .match_any(true) .load_unknown(false) .skip_errors(true) .build()?; // Search through files let files = get_files(&PathBuf::from("./evtx_samples/"), &None, false)?; for file in &files { let mut hits = searcher.search(file)?; for result in hits.iter() { match result { Ok(hit) => println!("Match found: {:?}", hit), Err(e) => eprintln!("Error: {}", e), } } } Ok(()) } ``` -------------------------------- ### Run Chainsaw with Sigma Rules and Mapping Source: https://github.com/withsecurelabs/chainsaw/blob/master/README.md This command demonstrates how to run Chainsaw's 'hunt' command using cloned Sigma rules and a specified mapping file. It targets the EVTX-Attack-Samples directory for analysis. ```bash ./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml ``` -------------------------------- ### Chainsaw Hunt Command Usage Source: https://github.com/withsecurelabs/chainsaw/wiki/Usage Demonstrates the basic structure for using the chainsaw hunt command. It outlines the required rules argument and optional path arguments for specifying files to hunt within. This command is used to apply detection rules to event logs. ```bash chainsaw hunt [FLAGS] [OPTIONS] [--] [path]... ``` -------------------------------- ### Chainsaw Search Command Usage Source: https://github.com/withsecurelabs/chainsaw/wiki/Usage Demonstrates the basic structure for using the chainsaw search command. It outlines the required pattern argument and optional path arguments for specifying files to search within. This command is used to find specific patterns within event logs. ```bash chainsaw search [FLAGS] [OPTIONS] [--] [path]... ``` -------------------------------- ### Build Hunter with Chainsaw Rust API Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Demonstrates how to use the Chainsaw Rust API to build a custom detection pipeline. It loads rules, applies mappings, and configures the hunter for processing files. ```rust use chainsaw::{Hunter, RuleKind, load as load_rule, get_files}; use std::path::PathBuf; use std::collections::HashSet; fn main() -> anyhow::Result<()> { // Load detection rules let mut rules = vec![]; for file in get_files(&PathBuf::from("./rules/"), &None, false)? { match load_rule(RuleKind::Chainsaw, &file, &None, &None, &None) { Ok(r) => rules.extend(r), Err(_) => continue, } } // Build hunter with configuration let hunter = Hunter::builder() .rules(rules) .mappings(vec![PathBuf::from("mappings/sigma-event-logs-all.yml")]) .load_unknown(false) .skip_errors(true) .preprocess(true) .build()?; // Hunt through files let files = get_files(&PathBuf::from("./evtx_samples/"), &None, false)?; for file in &files { let detections = hunter.hunt(file, &None)?; for detection in detections { println!("Found {} hits", detection.hits.len()); } } Ok(()) } ``` -------------------------------- ### Analyse Shimcache - Execution Timeline Analysis Source: https://context7.com/withsecurelabs/chainsaw/llms.txt The shimcache analysis command creates execution timelines from the Application Compatibility Cache. It supports regex patterns, Amcache enrichment, timestamp pair detection, and inline regex filtering. ```bash ./chainsaw analyse shimcache ./SYSTEM \ --regexfile ./analysis/shimcache_patterns.txt ``` ```bash ./chainsaw analyse shimcache ./SYSTEM \ --regexfile ./analysis/shimcache_patterns.txt \ --amcache ./Amcache.hve \ --tspair \ --output ./shimcache_timeline.csv ``` ```bash ./chainsaw analyse shimcache ./SYSTEM \ -e ".*\\Windows\\Temp\\.*" \ -e ".*\\Users\\.*\\AppData\\Local\\Temp\\.* --output ./timeline.csv ``` -------------------------------- ### Dump Registry Hive with Chainsaw CLI Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Dumps the SOFTWARE registry hive to a JSON file using the Chainsaw CLI. It takes the hive path as input and specifies the output file. ```bash ./chainsaw dump ./SOFTWARE --json --output ./registry_dump.json ``` -------------------------------- ### Hunt Command - Threat Detection with Sigma and Chainsaw Rules Source: https://context7.com/withsecurelabs/chainsaw/llms.txt The hunt command analyzes forensic artifacts using Sigma and Chainsaw detection rules to identify threats. It supports various options for rule sources, output formats (JSON, CSV), filtering by time and severity, and local timezone processing. ```bash ./chainsaw hunt ./evtx_samples/ -s ./sigma/rules/ --mapping mappings/sigma-event-logs-all.yml ``` ```bash ./chainsaw hunt ./evtx_samples/ \ -s ./sigma/rules/ \ --mapping mappings/sigma-event-logs-all.yml \ -r ./rules/ \ --json \ --output ./results.json ``` ```bash ./chainsaw hunt ./evtx_samples/ \ -s ./sigma/rules/ \ --mapping mappings/sigma-event-logs-all.yml \ --from "2024-01-01T00:00:00" \ --to "2024-01-31T23:59:59" \ --level critical \ --level high ``` ```bash ./chainsaw hunt ./evtx_samples/ \ -r ./rules/ \ --csv \ --output ./results/ ``` ```bash ./chainsaw hunt ./evtx_samples/ \ -s ./sigma/rules/ \ --mapping mappings/sigma-event-logs-all.yml \ --local \ --full \ --metadata ``` -------------------------------- ### Search Command - Pattern Matching in Forensic Artifacts Source: https://context7.com/withsecurelabs/chainsaw/llms.txt The search command finds specific strings, regex patterns, or Tau expressions within forensic artifacts without needing detection rules. It supports case-insensitive searches, regex, Tau expressions, multiple patterns, match modes (any/all), and time filtering. ```bash ./chainsaw search mimikatz -i ./evtx_samples/ ``` ```bash ./chainsaw search -e "DC[0-9]+\.insecurebank\.local" ./evtx_samples/ --json ``` ```bash ./chainsaw search -t 'Event.System.EventID: =4104' ./evtx_samples/ ``` ```bash ./chainsaw search \ -e "mimikatz" \ -e "sekurlsa" \ ./evtx_samples/ ``` ```bash ./chainsaw search \ -t 'Event.System.EventID: =4688' \ -t 'Event.System.EventID: =1' \ --match-any \ --from "2024-01-01T00:00:00" \ --timestamp "Event.System.TimeCreated" \ ./evtx_samples/ ``` ```bash ./chainsaw search mimikatz ./evtx_samples/ \ --extension evtx \ --output ./search_results.json \ --json ``` -------------------------------- ### Dump Specific File Types with Chainsaw CLI Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Dumps only files with a specific extension (e.g., .evtx) from a given directory using the Chainsaw CLI. The output is in JSON format. ```bash ./chainsaw dump ./artefacts/ \ --extension evtx \ --json \ --output ./evtx_dump.json ``` -------------------------------- ### Analyse SRUM - System Resource Usage Monitor Analysis Source: https://context7.com/withsecurelabs/chainsaw/llms.txt The SRUM analysis command parses the Windows System Resource Usage Monitor database to extract application and network usage data. It requires the SOFTWARE hive and supports outputting to JSON, or just retrieving statistics. ```bash ./chainsaw analyse srum ./SRUDB.dat \ --software ./SOFTWARE \ --output ./srum_analysis.json ``` ```bash ./chainsaw analyse srum ./SRUDB.dat \ --software ./SOFTWARE \ --stats-only ``` ```bash ./chainsaw analyse srum ./SRUDB.dat \ --software ./SOFTWARE \ -q \ --output ./srum_data.json ``` -------------------------------- ### Validate Sigma Rules with Tau Logic using CLI Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Validates Sigma detection rules using the `chainsaw lint` command with the `--tau` flag to enable Tau logic output. This helps ensure compatibility and correct parsing of Sigma rules. ```bash # Validate Sigma rules with Tau logic output ./chainsaw lint ./sigma/rules/ --kind sigma --tau ``` -------------------------------- ### Dump MFT with Data Stream Decoding using Chainsaw CLI Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Dumps the MFT (Master File Table) and decodes its data streams using the Chainsaw CLI. It specifies a directory to extract the streams into and outputs the result in JSON format. ```bash ./chainsaw dump ./$MFT \ --decode-data-streams \ --data-streams-directory ./extracted_streams \ --json ``` -------------------------------- ### Dump Command - Raw Artefact Extraction Source: https://context7.com/withsecurelabs/chainsaw/llms.txt The dump command extracts and converts raw forensic artifact contents to various formats, including JSON and newline-delimited JSON (JSONL). It is useful for exporting raw data for further processing. ```bash ./chainsaw dump ./evtx_samples/ --json --output ./dump.json ``` ```bash ./chainsaw dump ./evtx_samples/ --jsonl --output ./dump.jsonl ``` -------------------------------- ### Validate Chainsaw Rules with CLI Source: https://context7.com/withsecurelabs/chainsaw/llms.txt Validates Chainsaw detection rules using the `chainsaw lint` command. It can validate a directory of rules or a specific rule file. ```bash # Validate Chainsaw rules ./chainsaw lint ./rules/ --kind chainsaw # Validate a specific rule file ./chainsaw lint ./rules/evtx/service_installation/suspicious_commands.yml --kind chainsaw ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.