This artifact leverages ChopChopGo to enable usage of Sigma rules to facilitate detection within Linux logs.
From the project's description:
ChopChopGo inspired by Chainsaw utilizes Sigma rules for forensics artifact recovery, enabling rapid and comprehensive analysis of logs and other artifacts to identify potential security incidents and threats on Linux.
name: Linux.LogAnalysis.ChopChopGo
description: |
  This artifact leverages ChopChopGo to enable usage of Sigma rules to facilitate detection within Linux logs.

  From the project's description:

  `ChopChopGo inspired by Chainsaw utilizes Sigma rules for forensics artifact recovery, enabling rapid and comprehensive analysis of logs and other artifacts to identify potential security incidents and threats on Linux.`

reference:
  - https://github.com/M00NLIG7/ChopChopGo

author: Wes Lambert - @therealwlambert, @weslambert@infosec.exchange

tools:
  - name: ChopChopGo
    url: https://github.com/M00NLIG7/ChopChopGo/releases/download/v1.0.0-beta-3/ChopChopGo_v1.0.0-beta-3.zip

precondition: SELECT OS From info() where OS = 'linux'

parameters:
  - name: ExecLength
    description: Size (in bytes) of output that will be returned for a single row for execve(). This value may need to be adjusted depending on the size of your event logs.
    type: int
    default: "100000000"
  - name: Rules
    description: Sigma rules to use for detection
    type: string
    default: /ChopChopGo/rules/linux/builtin/syslog/
  - name: Target
    description: Refers to the type of data you would like to analyze. For example, `journald` or `syslog`.
    type: string
    default: syslog

sources:
  - query: |
      -- Fetch the ChopChopGo release zip and unpack it into a temporary directory.
      LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="ChopChopGo", IsExecutable=FALSE)
      LET TmpDir <= tempdir()
      LET TmpResults <= tempfile()
      LET UnzipIt <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)

      -- Rules is a path relative to the unpacked zip, so it is joined onto TmpDir.
      LET SigmaRules <= TmpDir + Rules

      -- Run ChopChopGo with JSON output; ExecLength caps how much stdout is kept per row.
      LET ExecCCG <= SELECT * FROM execve(argv=[
          TmpDir + '/ChopChopGo/ChopChopGo',
          "-rules", SigmaRules,
          "-target", Target,
          "-out", "json"], length=ExecLength)

      -- Parse the JSON array of matches and project the fields of interest.
      SELECT *
      FROM foreach(
        row=ExecCCG,
        query={
          SELECT
            Timestamp,
            Title,
            Message AS Message,
            Tags,
            Author,
            ID
          FROM parse_json_array(data=Stdout)})
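The last step of the query hands ChopChopGo's stdout to `parse_json_array()` and projects six fields from each match. The `ExecLength` parameter matters here: `execve()` returns at most that many bytes of stdout per row, and if the JSON array is cut off the parse fails and the artifact yields nothing. The Python below is an added example that is not part of the artifact or of ChopChopGo; it mirrors the parse-and-project step and shows the truncation failure mode. The sample stdout is constructed (field names are the ones the artifact's SELECT uses, values are invented), and `simulate_execve_length()` is a stand-in for the `length=` behaviour of `execve()`.

```python
import json

# Constructed sample of ChopChopGo "-out json" output. Not real tool output:
# the field names come from the artifact's SELECT, the values are invented.
SAMPLE_STDOUT = json.dumps([
    {
        "Timestamp": "2024-01-01T10:00:00Z",
        "Title": "Example Sigma rule A",
        "Message": "example syslog line matched by rule A",
        "Tags": ["attack.execution"],
        "Author": "example author",
        "ID": "00000000-0000-0000-0000-000000000001",
    },
    {
        "Timestamp": "2024-01-01T10:05:00Z",
        "Title": "Example Sigma rule A",
        "Message": "another line matched by rule A",
        "Tags": ["attack.execution"],
        "Author": "example author",
        "ID": "00000000-0000-0000-0000-000000000001",
    },
    {
        "Timestamp": "2024-01-01T10:07:00Z",
        "Title": "Example Sigma rule B",
        "Message": "line matched by rule B",
        "Tags": ["attack.persistence"],
        "Author": "example author",
        "ID": "00000000-0000-0000-0000-000000000002",
    },
])

# The columns the artifact's SELECT projects from each match.
FIELDS = ("Timestamp", "Title", "Message", "Tags", "Author", "ID")


def simulate_execve_length(stdout: str, length: int) -> str:
    """Stand-in for execve(length=...): keep at most `length` bytes of stdout."""
    return stdout.encode("utf-8")[:length].decode("utf-8", errors="ignore")


def output_fits(stdout: str, length: int) -> bool:
    """True when the whole JSON array fits inside the ExecLength budget."""
    return len(stdout.encode("utf-8")) <= length


def parse_chopchopgo_output(stdout: str) -> list[dict]:
    """Mirror parse_json_array(data=Stdout) plus the field projection.

    Raises ValueError (json.JSONDecodeError is a subclass) when stdout is
    not a complete JSON array, which is what truncated output looks like.
    """
    matches = json.loads(stdout)
    if not isinstance(matches, list):
        raise ValueError("expected a JSON array of matches")
    return [{field: match.get(field) for field in FIELDS} for match in matches]


def count_by_title(rows: list[dict]) -> dict[str, int]:
    """Number of matches per Sigma rule title, a quick triage view of the rows."""
    counts: dict[str, int] = {}
    for row in rows:
        counts[row["Title"]] = counts.get(row["Title"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_chopchopgo_output(SAMPLE_STDOUT)
    print(count_by_title(rows))
    # Too small an ExecLength cuts the array mid-object and the parse fails.
    short = simulate_execve_length(SAMPLE_STDOUT, 64)
    print("fits:", output_fits(SAMPLE_STDOUT, 64))
    try:
        parse_chopchopgo_output(short)
    except ValueError as exc:
        print("truncated output is unparseable:", type(exc).__name__)
```

If the artifact returns no rows on a host with large logs, compare the size of ChopChopGo's output against `ExecLength` before suspecting the rules; raising the parameter is the fix the artifact's own description points to.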