Chainsaw provides a fast and versatile way to search Windows event logs by keyword and to detect threats using built-in support for Sigma detection rules and custom rules, along with features for searching and analyzing other Windows forensic artifacts.
Installation
You can download a prebuilt binary from the releases page (https://github.com/WithSecureLabs/chainsaw/releases/tag).
Another option is to install it from the Linux package manager: sudo apt install chainsaw
You can also compile the tool yourself (the binary will be located in the target/release folder):
git clone https://github.com/WithSecureLabs/chainsaw.git
cd chainsaw
cargo build --release
For full functionality you should also clone the Sigma rules and EVTX-ATTACK-SAMPLES repositories:
git clone https://github.com/SigmaHQ/sigma
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git
Basic commands
hunt — threat hunting using detection rules.
Hunt through all .evtx files using Sigma rules as the detection logic:
./chainsaw.exe hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml
search — search by keywords or regular expressions.
Search all .evtx files for PowerShell script block logging events (event ID 4104):
./chainsaw.exe search -t 'Event.System.EventID: =4104' evtx_attack_samples/
analyze — analysis of various types of artifacts.
Analyze the shimcache artifact using the supplied regular expression patterns:
./chainsaw.exe analyze shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt
dump — extraction of raw data.
Dump the raw contents of a registry hive:
./chainsaw.exe dump ./SOFTWARE.hve --json --output ./output.json
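As an added example (not code from the Chainsaw project or from this page), a small POSIX shell wrapper that chains the Sigma hunt and the 4104 script block search shown above into one triage step and refuses to run when the rule directory or mapping file is missing, since a silent empty hunt is easy to mistake for "no detections". The chainsaw_triage name and the CHAINSAW override variable are mine, and the --json/-o output flags for search are assumed to match those of hunt; check chainsaw search --help on your build.

```shell
#!/bin/sh
# Added example, not part of Chainsaw itself. Assumes a chainsaw binary on PATH
# (override with CHAINSAW=/path/to/chainsaw) and the sigma/ and mappings/
# layout described on this page.
set -u

# chainsaw_triage <evtx_dir> <sigma_dir> <mapping_file> <out_dir>
# Runs a Sigma hunt plus a PowerShell script block (4104) search over the
# given .evtx directory and writes JSON results into <out_dir>.
# Returns 2 if an input is missing, 1 if chainsaw itself fails, 0 on success.
chainsaw_triage() {
    evtx_dir=$1; sigma_dir=$2; mapping=$3; out_dir=$4
    bin=${CHAINSAW:-chainsaw}   # assumed override hook, not a chainsaw flag

    # Fail early: a missing rule directory or mapping produces an empty hunt,
    # which looks just like a clean system.
    [ -d "$evtx_dir" ]  || { echo "no evtx dir: $evtx_dir" >&2; return 2; }
    [ -d "$sigma_dir" ] || { echo "no sigma dir: $sigma_dir" >&2; return 2; }
    [ -f "$mapping" ]   || { echo "no mapping file: $mapping" >&2; return 2; }
    mkdir -p "$out_dir" || return 2

    # Sigma hunt over every .evtx under evtx_dir; JSON keeps it parseable later.
    "$bin" hunt "$evtx_dir" -s "$sigma_dir" --mapping "$mapping" \
        --json -o "$out_dir/hunt.json" || return 1

    # Tau-expression search for PowerShell script block logging events (4104).
    "$bin" search -t 'Event.System.EventID: =4104' "$evtx_dir" \
        --json -o "$out_dir/scriptblock_4104.json" || return 1
}
```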
