This artifact leverages Chainsaw to enable usage of Sigma rules (in addition to built-in rules) to facilitate detection within Windows Event Logs.
From the project’s description:
“Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules.”
https://github.com/countercept/chainsaw
name: Windows.EventLogs.Chainsaw
description: |
  This artifact leverages Chainsaw to enable usage of Sigma rules
  (in addition to built-in rules) to facilitate detection within
  Windows Event Logs.

  From the project's description:

  "Chainsaw provides a powerful ‘first-response’ capability to
  quickly identify threats within Windows event logs. It offers a
  generic and fast method of searching through event logs for
  keywords, and by identifying threats using built-in detection
  logic and via support for Sigma detection rules."

  https://github.com/countercept/chainsaw

author: Wes Lambert - @therealwlambert, James Dorgan - @FranticTyping, Alex Kornitzer - @AlexKornitzer

tools:
  - name: Chainsaw
    url: https://github.com/WithSecureLabs/chainsaw/releases/download/v2.9.0/chainsaw_all_platforms+rules+examples.zip
    version: 2.9.0
    expected_hash: 9F809EA14B71E7C53FDE8EBEF7F3A82881F4DCACEC97566B29CC914324667EDA

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: EVTXPath
    default: 'C:\Windows\System32\winevt\Logs'
  - name: ExecLength
    description: Size (in bytes) of output that will be returned for a single row for execve(). This value may need to be adjusted depending on the size of your event logs.
    type: int
    default: "100000000"
  - name: JSONLength
    description: Size (in bytes) of output that will be returned for a single row for parse_json_array(). This value may need to be adjusted depending on the size of your event logs.
    type: int
    default: "100000000"

sources:
  - query: |
      LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Chainsaw", IsExecutable=FALSE)
      LET TmpDir <= tempdir()
      LET TmpResults <= tempfile()
      LET UnzipIt <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
      LET SigmaRules <= TmpDir + '\\chainsaw\\sigma\\rules'
      LET ChainsawRules <= TmpDir + '\\chainsaw\\rules'
      LET SigmaMapping <= TmpDir + '\\chainsaw\\mappings\\sigma-event-logs-all.yml'
      LET ExecCS <= SELECT * FROM execve(argv=[
            TmpDir + '\\chainsaw\\chainsaw_x86_64-pc-windows-msvc.exe',
            'hunt', EVTXPath,
            "-s", SigmaRules,
            "-r", ChainsawRules,
            "--mapping", SigmaMapping,
            "--json",
            "--output", TmpResults], length=ExecLength)
      SELECT get(member="document.data.Event.System.TimeCreated_attributes.SystemTime") AS EventTime,
             get(member="name") AS Detection,
             get(member="level") AS Severity,
             get(member="status") AS Status,
             get(member="group") AS `Rule Group`,
             get(member="document.data.Event.System.Computer") AS Computer,
             get(member="document.data.Event.System.Channel") AS Channel,
             get(member="document.data.Event.System.EventID") AS EventID,
             get(member="document.data.Event.EventData.User") AS _User,
             get(member="document.data.Event.System") AS SystemData,
             get(member="document.data.Event.EventData") AS EventData,
             get(member="authors") AS Authors
      FROM parse_json_array(data=read_file(filename=TmpResults, length=JSONLength))
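The example below is added here and is not code from the Velociraptor artifact or from the Chainsaw project. It serves two passages of the artifact at once: the `tools` section, whose `expected_hash` is the SHA-256 of the downloaded zip, and the final `SELECT`, which flattens Chainsaw's `--json` output with dotted `get(member=...)` paths. It reconstructs that flattening in plain Python, with the nested JSON shape assumed from the member paths the query uses, on a constructed detection (values made up), and it shows the failure mode behind the `JSONLength`/`ExecLength` parameters: if the read cap falls before the closing `]`, the output is no longer valid JSON and the artifact returns no rows rather than a partial set.

```python
"""Added example: mirrors the artifact's handling of Chainsaw JSON output.
Not Velociraptor or Chainsaw code; the JSON layout is assumed from the
member paths in the artifact's SELECT clause."""
import hashlib
import json

# Constructed sample shaped like one element of `chainsaw hunt --json` output.
# All values are made up for this example.
SAMPLE_CHAINSAW_JSON = json.dumps([
    {
        "group": "Sigma",
        "kind": "individual",
        "name": "Suspicious Encoded PowerShell Command Line",
        "level": "high",
        "status": "test",
        "authors": ["example author"],
        "timestamp": "2024-01-02T03:04:05.000000Z",
        "document": {
            "kind": "evtx",
            "path": "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx",
            "data": {"Event": {
                "System": {
                    "TimeCreated_attributes": {"SystemTime": "2024-01-02T03:04:05.000000Z"},
                    "Computer": "WS01.example.local",
                    "Channel": "Security",
                    "EventID": 4688,
                },
                "EventData": {
                    "User": "EXAMPLE\\alice",
                    "CommandLine": "powershell.exe -enc SQBFAFgA",
                },
            }},
        },
    },
])

# Output column -> dotted member path, copied from the artifact's SELECT clause.
COLUMNS = {
    "EventTime": "document.data.Event.System.TimeCreated_attributes.SystemTime",
    "Detection": "name",
    "Severity": "level",
    "Status": "status",
    "Rule Group": "group",
    "Computer": "document.data.Event.System.Computer",
    "Channel": "document.data.Event.System.Channel",
    "EventID": "document.data.Event.System.EventID",
    "_User": "document.data.Event.EventData.User",
    "SystemData": "document.data.Event.System",
    "EventData": "document.data.Event.EventData",
    "Authors": "authors",
}


def get_member(obj, path):
    """Dotted-path lookup in the spirit of VQL get(member=...).
    Returns None when any hop is missing instead of raising."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def flatten_detections(json_text):
    """One flat row per detection, with the artifact's column names."""
    return [{col: get_member(d, p) for col, p in COLUMNS.items()}
            for d in json.loads(json_text)]


def verify_expected_hash(blob, expected_hex):
    """The check the `expected_hash` field implies: SHA-256 of the tool zip,
    compared case-insensitively (the artifact lists it in upper-case hex)."""
    return hashlib.sha256(blob).hexdigest().lower() == expected_hex.lower()


def parse_capped_output(json_text, cap_bytes):
    """Simulates read_file(length=JSONLength): only the first cap_bytes are
    parsed. Returns (rows, truncated). A cap that cuts before the closing ']'
    leaves invalid JSON, so the result is no rows, not a partial list."""
    full = json_text.encode("utf-8")
    data = full[:cap_bytes]
    truncated = len(data) < len(full)
    try:
        return flatten_detections(data.decode("utf-8", errors="ignore")), truncated
    except json.JSONDecodeError:
        return [], True


if __name__ == "__main__":
    for row in flatten_detections(SAMPLE_CHAINSAW_JSON):
        print(row["EventTime"], row["Severity"], row["Detection"], row["_User"])
    print("capped to 50 bytes:", parse_capped_output(SAMPLE_CHAINSAW_JSON, 50))
```

If a hunt over a large log directory returns zero rows but Chainsaw itself reported hits, the first thing to check is whether the output file exceeded `JSONLength`; raise it (and `ExecLength`) rather than assuming the rules matched nothing. The leading underscore on `_User` follows the Velociraptor convention of hiding that column in the GUI by default while keeping it in the collected data.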