Chainsaw – the New Tool That Helps Incident Response Teams
The New Tool Can Be Used to Speed Up Searching Through Windows Event Log Records in Order to Identify Threats.
Last updated on January 26, 2022
Chainsaw is designed to help blue teams and incident responders in the first-response stage of a security engagement by triaging the event log entries that are relevant to the investigation.
Windows event logs sit at the base of almost any forensic investigation, as they contain details about applications and user logins.
Investigators rely on these records to build an accurate timeline of events; in some cases they are the main source of evidence.
The issue with these records is that investigators are forced to go through an enormous number of them, especially on systems with a high logging level, which makes sifting through them for relevant information a time-consuming task.
James D, the lead threat hunter at F-Secure’s Countercept division, is the author of Chainsaw.
What Is Chainsaw?
Chainsaw is a Rust-based command-line utility that goes through event logs and highlights suspicious entries or strings that may indicate a threat.
Chainsaw uses Sigma rule detection logic to quickly find the event log entries relevant to an investigation, and according to its creators it is specifically tailored for quick analysis of event logs in environments where no endpoint detection and response (EDR) solution was present at the time of compromise.
Sigma rule support works through the --rules and --mapping parameters: pointing --rules at a directory containing a subset of Sigma detection rules (or simply the entire Sigma git repository) makes Chainsaw automatically load, convert and run those rules against the provided event logs, while the mapping file tells Chainsaw which event IDs to run the detection rules against and which fields are relevant.
Chainsaw also contains built-in logic for detection use cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or specific event ID. Its built-in features include:
- Searching through event logs by event ID, keyword, and regex patterns
- Extracting and parsing Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detecting key event logs being cleared or the event log service being stopped
- Detecting users being created or added to sensitive user groups
- Brute-forcing of local user accounts
- RDP logins, network logins, etc.
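The Sigma-rule-plus-mapping approach described above, reduced to a small Python illustration added here (not Chainsaw's own code, which is Rust): the mapping decides which event IDs the rules run against and which parsed-record field each rule field refers to, and a plain search covers the event ID, keyword and regex cases. The sample records, mapping and rules are constructed for this example and are hypothetical.

```python
import re
# Constructed sample records shaped like parsed EVTX events (not real logs).
EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice", "LogonType": 10},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "alice"},
    {"EventID": 4732, "Computer": "DC01", "TargetUserName": "Administrators",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
]

# Hypothetical mapping: which event IDs the rules run against, and how a
# rule's field names translate to fields of the parsed record.
MAPPING = {"event_ids": {1102, 4728, 4732},
           "fields": {"GroupName": "TargetUserName", "Member": "MemberName"}}

# Hypothetical Sigma-style rules reduced to a flat selection block.
RULES = [
    {"title": "Security log cleared", "selection": {"EventID": 1102}},
    {"title": "User added to privileged group",
     "selection": {"EventID": [4728, 4732], "GroupName|contains": "admin"}},
]

def _field_matches(record, key, expected):
    """Resolve a rule field through the mapping, then apply the Sigma modifier."""
    name, _, modifier = key.partition("|")
    value = record.get(MAPPING["fields"].get(name, name))
    if value is None:
        return False
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    return value in (expected if isinstance(expected, list) else [expected])

def hunt(events, rules=RULES):
    """Run each rule only against events whose ID the mapping lists."""
    hits = []
    for rec in events:
        if rec["EventID"] not in MAPPING["event_ids"]:
            continue
        for rule in rules:
            if all(_field_matches(rec, k, v) for k, v in rule["selection"].items()):
                hits.append((rule["title"], rec["Computer"], rec["EventID"]))
    return hits

def search(events, event_id=None, keyword=None, pattern=None):
    # Plain triage search: event ID, case-insensitive keyword, or regex over all field values.
    def ok(rec):
        text = " ".join(str(v) for v in rec.values())
        return ((event_id is None or rec["EventID"] == event_id)
                and (keyword is None or keyword.lower() in text.lower())
                and (pattern is None or re.search(pattern, text) is not None))
    return [rec for rec in events if ok(rec)]
```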
Chainsaw is available as an open-source tool; it uses the EVTX parser library and the detection-logic matching provided by F-Secure Countercept's TAU Engine library, and can output results as an ASCII table, CSV, or JSON.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.