Chainsaw
Chainsaw rapidly searches and hunts through Windows forensic artefacts like Event Logs and MFT files to identify threats. It supports keyword searches and detection using Sigma and custom Chainsaw rules.
Description
Chainsaw provides a powerful first-response capability for quickly identifying threats within Windows forensic artefacts such as Event Logs and MFT files. It offers a generic and fast method of searching through event logs for keywords and uses built-in support for Sigma detection rules along with custom Chainsaw detection rules.
Use cases include threat hunting in forensic investigations, rapid triage of event logs for indicators of compromise, and validating detection rules. It is particularly useful for security analysts and incident responders dealing with Windows environments.
The tool supports multiple commands for dumping artefacts, hunting threats, linting rules, searching patterns, and performing analyses, making it versatile for forensic workflows.
How It Works
Chainsaw processes Windows forensic artefacts such as EVTX event logs and MFT files using multiple threads (the thread count defaults to the number of CPUs). The search command scans logs for keywords or field patterns; hunt mode applies Sigma rules, translated through a field mapping file, together with custom Chainsaw rules to flag suspicious events. Further commands dump artefacts to formats such as JSON, lint rule files, and run artefact analyses.
Installation
sudo apt install chainsaw
Examples
# Hunt with Sigma rules (via the event-log mapping) plus custom Chainsaw rules
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/

# Same hunt, but emit detections as JSON for further processing
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json

# Case-insensitive keyword search across all logs in the directory
./chainsaw search mimikatz -i evtx_attack_samples/

# Field-based search: only events whose EventID is 4104 (PowerShell script block logging)
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

# Dump parsed artefacts
chainsaw dump evtx_attack_samples/

# Hunt with the built-in rules only
chainsaw hunt evtx_attack_samples/

# Check rule files for syntax and schema errors
chainsaw lint rules/

# Run artefact analyses
chainsaw analyse evtx_attack_samples/
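The `--json` hunt output above is what a responder feeds into a triage step. The script below is an added example, not part of Chainsaw: it assumes the output is a JSON array of detection objects with `name`, `level`, `timestamp` and a `document.data` payload holding the matched event (check this against your Chainsaw version), and uses a constructed sample in that shape to rank detections by severity, rule and host.

```python
"""Triage helper for `chainsaw hunt ... --json` output (added example, not Chainsaw's code).

Assumed detection shape (verify against your Chainsaw version): objects with
`name`, `level`, `timestamp`, `group` and `document.data` holding the event.
"""
import json
from collections import Counter

LEVEL_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the assumed shape of `chainsaw hunt ... --json`.
SAMPLE_JSON = json.dumps([
    {"group": "Sigma", "kind": "evtx", "name": "Suspicious PowerShell Download",
     "level": "high", "timestamp": "2019-06-07T10:21:03Z",
     "document": {"kind": "evtx", "path": "evtx_attack_samples/ps.evtx",
                  "data": {"Event": {"System": {"EventID": 4104, "Computer": "WS01"}}}}},
    {"group": "Sigma", "kind": "evtx", "name": "Mimikatz Command Line",
     "level": "critical", "timestamp": "2019-06-07T10:25:44Z",
     "document": {"kind": "evtx", "path": "evtx_attack_samples/sec.evtx",
                  "data": {"Event": {"System": {"EventID": 4688, "Computer": "WS01"}}}}},
    {"group": "Sigma", "kind": "evtx", "name": "Suspicious PowerShell Download",
     "level": "high", "timestamp": "2019-06-07T11:02:10Z",
     "document": {"kind": "evtx", "path": "evtx_attack_samples/ps.evtx",
                  "data": {"Event": {"System": {"EventID": 4104, "Computer": "DC01"}}}}},
    {"group": "Sigma", "kind": "evtx", "name": "Account Logon Summary",
     "level": "low", "timestamp": "2019-06-07T09:00:00Z",
     "document": {"kind": "evtx", "path": "evtx_attack_samples/sec.evtx",
                  "data": {"Event": {"System": {"EventID": 4624, "Computer": "DC01"}}}}},
])


def load_detections(text):
    """Parse hunt JSON and drop entries lacking the fields triage relies on."""
    return [d for d in json.loads(text) if "name" in d and "level" in d]


def filter_by_level(detections, minimum="high"):
    """Keep detections at or above `minimum` severity; unknown levels are kept."""
    floor = LEVEL_ORDER[minimum]
    return [d for d in detections if LEVEL_ORDER.get(d["level"].lower(), 99) >= floor]


def summarise(detections):
    """Count hits per rule and per host, and note the earliest timestamp."""
    by_rule = Counter(d["name"] for d in detections)
    by_host = Counter(d.get("document", {}).get("data", {}).get("Event", {})
                      .get("System", {}).get("Computer", "?") for d in detections)
    first = min((d["timestamp"] for d in detections), default=None)
    return {"rules": dict(by_rule), "hosts": dict(by_host), "first_seen": first}


if __name__ == "__main__":
    hits = filter_by_level(load_detections(SAMPLE_JSON), "high")
    print(json.dumps(summarise(hits), indent=2))
```

Run it against a real file with `load_detections(open("hunt.json").read())` in place of the sample.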