Chainsaw helps blue teams and incident responders in the first-response stage of a security engagement by triaging the log entries that are relevant to an investigation.
Windows event logs sit at the base of almost any forensic investigation, as they record details about applications and user logins.
Investigators rely on these records to build an accurate timeline of events; sometimes they constitute the main source of evidence in a case.
The problem is that investigators have to sift through an enormous number of records, all the more so on systems with a high logging level, which makes finding the relevant information a time-consuming task.
James D, the lead threat hunter at F-Secure’s Countercept division, is the author of Chainsaw.
What Is Chainsaw?
Chainsaw is a Rust-based command-line utility that goes through event logs and highlights suspicious entries or strings that may indicate a threat.
Chainsaw uses Sigma rule detection logic to quickly find the event log entries relevant to an investigation. According to its creators, it is specifically tailored for quick analysis of event logs in environments where an endpoint detection and response (EDR) solution was not present at the time of compromise.
Sigma rule support works through the --rules and --mapping parameters: point --rules at a directory containing a subset of Sigma detection rules (or the entire Sigma git repository) and Chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells Chainsaw which event IDs to run the detection rules against and which fields are relevant.
Chainsaw also contains built-in logic for detection use-cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or for specific event IDs.
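To make the mapping mechanism concrete, here is an added Python example (not Chainsaw's own code, which is Rust, and not its real mapping or rule schema). A constructed mapping ties a Sigma logsource category to the event IDs it applies to and to the paths of the relevant fields inside a parsed EVTX record, and a small matcher runs a constructed Sigma-style rule over sample records. The event IDs, field paths, rule and sample records are assumptions chosen for illustration.

```python
import re

# Constructed mapping in the spirit of a Chainsaw --mapping file (a simplified
# stand-in, not Chainsaw's real schema). For a Sigma logsource category it lists
# the Windows event IDs the rules may fire on and how each Sigma field name maps
# onto one or more paths inside the parsed EVTX record.
MAPPING = {
    "process_creation": {
        "event_ids": [4688, 1],   # Security 4688 and Sysmon 1 both describe process creation
        "fields": {
            "Image": ["Event.EventData.NewProcessName", "Event.EventData.Image"],
            "CommandLine": ["Event.EventData.CommandLine"],
            "User": ["Event.EventData.SubjectUserName", "Event.EventData.User"],
        },
    },
}

# Constructed Sigma-style rule. Supported subset: one named selection, the
# modifiers contains / startswith / endswith / re, and a list value meaning OR.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand"],
        },
        "condition": "selection",
    },
}

# Constructed sample records shaped like parsed EVTX JSON (System + EventData).
SAMPLE_EVENTS = [
    {"Event": {"System": {"EventID": 4688},
               "EventData": {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "CommandLine": "powershell.exe -nop -w hidden -enc QQBhAA==",
                             "SubjectUserName": "jdoe"}}},
    {"Event": {"System": {"EventID": 1},
               "EventData": {"Image": r"C:\Windows\System32\notepad.exe",
                             "CommandLine": "notepad.exe report.txt", "User": "CORP\\jdoe"}}},
    {"Event": {"System": {"EventID": 4688},
               "EventData": {"NewProcessName": r"C:\Windows\System32\cmd.exe",
                             "CommandLine": "cmd.exe /c whoami", "SubjectUserName": "jdoe"}}},
    # Same command line on an event ID the mapping does not associate with
    # process creation: the mapping must stop the rule from being evaluated here.
    {"Event": {"System": {"EventID": 4624},
               "EventData": {"CommandLine": "powershell.exe -enc QQBhAA=="}}},
]


def get_path(record, dotted):
    """Walk a dotted path such as Event.System.EventID through nested dicts."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve(record, category, sigma_field):
    """Translate a Sigma field name into the first record path that has a value."""
    for path in MAPPING[category]["fields"].get(sigma_field, []):
        value = get_path(record, path)
        if value is not None:
            return str(value)
    return None


def match_value(value, modifier, expected):
    """Apply one Sigma-style comparison; list values are OR-ed, matching is case-insensitive."""
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    low = value.lower()
    for item in candidates:
        needle = str(item).lower()
        if modifier is None and low == needle:
            return True
        if modifier == "contains" and needle in low:
            return True
        if modifier == "startswith" and low.startswith(needle):
            return True
        if modifier == "endswith" and low.endswith(needle):
            return True
        if modifier == "re" and re.search(str(item), value):
            return True
    return False


def rule_matches(rule, record):
    """Gate on the mapped event IDs first, then evaluate every selection field (AND)."""
    category = rule["logsource"]["category"]
    mapping = MAPPING[category]
    if get_path(record, "Event.System.EventID") not in mapping["event_ids"]:
        return False
    selection = rule["detection"][rule["detection"]["condition"]]
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not match_value(resolve(record, category, field), modifier or None, expected):
            return False
    return True


def hunt(rules, records):
    """Return (record index, rule title) for every rule hit, like a hunt over a log file."""
    return [(i, rule["title"]) for i, rec in enumerate(records) for rule in rules if rule_matches(rule, rec)]


if __name__ == "__main__":
    for idx, title in hunt([RULE], SAMPLE_EVENTS):
        print(f"record {idx}: {title}")
```

The gating on event IDs is the point of the mapping: without it, the fourth record would also match, even though a logon event carries no meaningful command line, which is exactly the kind of false positive the mapping file is meant to prevent.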
Chainsaw allows threat hunters and incident responders to use its search features in order to extract from Windows logs information pertinent to malicious activity.
According to the journalists at BleepingComputer, the tool can be used for:
- Searching through event logs by event ID, keyword, and regex patterns
- Extracting and parsing Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detecting key event logs being cleared or the event log service being stopped
- Detecting users being created or added to sensitive user groups
- Brute-forcing of local user accounts
- RDP logins, network logins, etc.
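The list above mixes stateless checks with detections that need aggregation across many records, which is why a case like local brute-forcing is a poor fit for a single Sigma rule and gets built-in logic instead. The following added Python example (not Chainsaw's code) implements simplified versions of four of those checks over constructed, flattened event records: Security log cleared, membership added to a sensitive group, RDP logons, and a sliding-window count of failed logons per source address. The thresholds, window, group list, field names and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for the illustration.
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Remote Desktop Users"}
BRUTE_THRESHOLD = 5                  # failed logons from one source ...
BRUTE_WINDOW = timedelta(minutes=5)  # ... within this window


def ev(event_id, time_created, **fields):
    """Build a constructed, flattened event (System.EventID + EventData fields)."""
    return {"EventID": event_id, "TimeCreated": time_created, **fields}


# Constructed sample log. Event IDs: 4625 failed logon, 1102 Security log cleared,
# 4732 member added to a local security group, 4624 successful logon
# (LogonType 10 = RemoteInteractive, i.e. RDP; LogonType 3 = network).
SAMPLE_EVENTS = [
    *[ev(4625, f"2024-01-15T09:00:{s:02d}", IpAddress="10.0.0.5", TargetUserName="backup")
      for s in (0, 10, 20, 30, 40, 50)],                     # six failures in 50 seconds
    ev(4625, "2024-01-15T09:00:00", IpAddress="10.0.0.9", TargetUserName="jdoe"),
    ev(4625, "2024-01-15T09:15:00", IpAddress="10.0.0.9", TargetUserName="jdoe"),
    ev(4625, "2024-01-15T09:30:00", IpAddress="10.0.0.9", TargetUserName="jdoe"),  # spread out, benign
    ev(1102, "2024-01-15T09:02:00", SubjectUserName="backup"),
    ev(4732, "2024-01-15T09:03:00", TargetUserName="Administrators", MemberName="CORP\\svc-tmp"),
    ev(4732, "2024-01-15T09:04:00", TargetUserName="Remote Management Users", MemberName="CORP\\jdoe"),
    ev(4624, "2024-01-15T09:05:00", LogonType=10, IpAddress="10.0.0.5", TargetUserName="backup"),
    ev(4624, "2024-01-15T09:06:00", LogonType=3, IpAddress="10.0.0.7", TargetUserName="jdoe"),
]


def detect_log_cleared(events):
    """1102 = Security log cleared, 104 = System log cleared."""
    return [e for e in events if e["EventID"] in (1102, 104)]


def detect_sensitive_group_adds(events):
    """4728/4732/4756 = member added to a global/local/universal security group; group is TargetUserName."""
    return [e for e in events
            if e["EventID"] in (4728, 4732, 4756) and e.get("TargetUserName") in SENSITIVE_GROUPS]


def detect_rdp_logons(events):
    return [e for e in events if e["EventID"] == 4624 and str(e.get("LogonType")) == "10"]


def detect_bruteforce(events, threshold=BRUTE_THRESHOLD, window=BRUTE_WINDOW):
    """Flag a source once it reaches `threshold` failed logons inside any `window`."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e.get("IpAddress", "-")].append(datetime.fromisoformat(e["TimeCreated"]))
    findings = []
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"source": source, "count": end - start + 1,
                                 "first": times[start].isoformat(), "last": times[end].isoformat()})
                break  # one finding per source is enough for triage
    return findings


def run_all(events):
    """Summarise the number of hits per built-in check."""
    return {
        "log_cleared": len(detect_log_cleared(events)),
        "sensitive_group_add": len(detect_sensitive_group_adds(events)),
        "rdp_logon": len(detect_rdp_logons(events)),
        "bruteforce": len(detect_bruteforce(events)),
    }


if __name__ == "__main__":
    print(run_all(SAMPLE_EVENTS))
    for f in detect_bruteforce(SAMPLE_EVENTS):
        print(f)
```

Note how the three failures from 10.0.0.9 never trip the window while the burst from 10.0.0.5 does; a stateless per-event rule cannot express that distinction, which is what the built-in logic adds on top of the Sigma rules.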
Chainsaw is available as an open-source tool. It uses the EVTX parser library and the detection-logic matching provided by F-Secure Countercept's TAU Engine library, and it can output results as an ASCII table, CSV, or JSON.