Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats.
The tool is designed to assist in the first-response stage of a security engagement and can help blue teams triage entries relevant to the investigation.
Built for incident responders
Windows event logs are a ledger of the system's activity, including details about applications and user logins. Forensic investigators rely on these records, sometimes as the primary source of evidence, to build a timeline of events of interest.
The difficulty with checking these records is that there are a lot of them, especially on systems with a high logging level; sifting through them for relevant records can be a time-consuming task.
Authored by James D, lead threat hunter at F-Secure's Countercept division, Chainsaw is a Rust-based command-line utility that can go through event logs to highlight suspicious entries or strings that may indicate a threat.
The tool uses Sigma rule detection logic to quickly find event logs relevant to the investigation.
"Chainsaw also contains built-in logic for detection use-cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or for specific event IDs."
F-Secure says that Chainsaw is specifically tailored for rapid analysis of event logs in environments where a detection and response solution (EDR) was not present at the time of compromise.
In such cases, threat hunters and incident responders can use Chainsaw's search features to extract from Windows logs information pertinent to malicious activity.
Users can use the tool to do the following:
- Search through event logs by event ID, keyword, and regex patterns
- Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detect key event logs being cleared or the event log service being stopped
- Detect users being created or added to sensitive user groups
- Detect brute-force attempts against local user accounts
- Detect RDP logins, network logins, and so on
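To make the built-in detection use-cases above concrete, the following added Python example (not Chainsaw's own code, which is written in Rust) runs a small version of that logic over constructed Security log records: event log clearing, account creation, additions to sensitive groups, and repeated failed logons from one source. The event IDs come from Microsoft's Security auditing reference; the record field names, the sensitive-group list and the brute-force threshold are assumptions made for the example.

```python
from collections import Counter

# Windows Security event IDs (Microsoft's security auditing reference).
LOG_TAMPERING = {1102, 1100}     # audit log cleared / event logging service shut down
USER_CREATED = {4720}            # a user account was created
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global/local/universal group
LOGON_FAILED = 4625              # an account failed to log on
# Groups treated as sensitive for this example (the real tool's list may differ).
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}


def triage(records, brute_force_threshold=5):
    """Return (rule_name, detail) hits for the detection use-cases above.

    `records` are dicts with the fields a parsed EVTX record would carry
    (assumed names); brute force is flagged when one source IP fails against
    one account `brute_force_threshold` times or more."""
    hits = []
    failures = Counter()
    for rec in records:
        eid = rec["EventID"]
        if eid in LOG_TAMPERING:
            hits.append(("event_log_tampering", rec))
        elif eid in USER_CREATED:
            hits.append(("user_created", rec))
        elif eid in GROUP_MEMBER_ADDED and rec.get("TargetGroup") in SENSITIVE_GROUPS:
            hits.append(("sensitive_group_add", rec))
        elif eid == LOGON_FAILED:
            failures[(rec.get("IpAddress"), rec.get("TargetUser"))] += 1
    for (ip, user), count in failures.items():
        if count >= brute_force_threshold:
            hits.append(("brute_force", {"IpAddress": ip, "TargetUser": user, "Failures": count}))
    return hits


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"EventID": 4624, "TargetUser": "alice", "IpAddress": "10.0.0.2"},
    {"EventID": 4720, "TargetUser": "svc_backup"},
    {"EventID": 4732, "TargetUser": "svc_backup", "TargetGroup": "Administrators"},
    {"EventID": 4732, "TargetUser": "bob", "TargetGroup": "Print Operators"},
    {"EventID": 1102, "SubjectUser": "svc_backup"},
    {"EventID": 4625, "TargetUser": "alice", "IpAddress": "10.0.0.9"},
] + [{"EventID": 4625, "TargetUser": "admin", "IpAddress": "10.0.0.5"} for _ in range(6)]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_RECORDS):
        print(f"{rule:22} {detail}")
```

Run against the sample it reports four hits: the cleared log, the new account, its addition to Administrators, and six failed logons for one account from one address; the single failed logon and the Print Operators change fall below the rules.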
Apart from this, Sigma rule detection works for numerous Windows event IDs, including the following:

| Event Type | Event ID |
|---|---|
| Process Creation (Sysmon) | 1 |
| Network Connections (Sysmon) | 3 |
| Image Loads (Sysmon) | 7 |
| File Creation (Sysmon) | 11 |
| Registry Events (Sysmon) | 13 |
| PowerShell Script Blocks | 4104 |
| Process Creation | 4688 |
| Scheduled Task Creation | 4698 |

Available as an open-source tool, Chainsaw uses the EVTX parser library and the detection logic matching provided by F-Secure Countercept's TAU Engine library. It can output the results as an ASCII table, CSV, or JSON.