{"id":28416809,"url":"https://github.com/withsecurelabs/chainsaw","last_synced_at":"2025-06-25T04:31:18.674Z","repository":{"id":37245424,"uuid":"395658506","full_name":"WithSecureLabs/chainsaw","owner":"WithSecureLabs","description":"Rapidly Search and Hunt through Windows Forensic Artefacts","archived":false,"fork":false,"pushed_at":"2025-04-26T19:46:22.000Z","size":16454,"stargazers_count":3171,"open_issues_count":13,"forks_count":284,"subscribers_count":55,"default_branch":"master","last_synced_at":"2025-06-04T07:28:03.722Z","etag":null,"topics":["attack","blueteam","chainsaw","countercept","detection","dfir","forensics","logs","rust","security","sigma","threat-hunting","windows"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WithSecureLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-13T13:07:24.000Z","updated_at":"2025-06-04T04:38:11.000Z","dependencies_parsed_at":"2023-12-12T18:40:02.758Z","dependency_job_id":"b197c77f-9044-4431-b360-f83b1e3f04ca","html_url":"https://github.com/WithSecureLabs/chainsaw","commit_stats":{"total_commits":290,"total_committers":17,"mean_commits":"17.058823529411764","dds":0.6793103448275862,"last_synced_commit":"bbce68dec707334ed556821b8d759fd52e5798a5"},"previous_names":["countercept/chainsaw"],"tags_count":49,"template":false,"template_full_name":null,"purl":"pkg:github/WithSecureLabs/chainsaw","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fchainsaw","tags_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fchainsaw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fchainsaw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fchainsaw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WithSecureLabs","download_url":"https://codeload.github.com/WithSecureLabs/chainsaw/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fchainsaw/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261805070,"owners_count":23212291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack","blueteam","chainsaw","countercept","detection","dfir","forensics","logs","rust","security","sigma","threat-hunting","windows"],"created_at":"2025-06-04T00:43:52.711Z","updated_at":"2025-06-25T04:31:18.661Z","avatar_url":"https://github.com/WithSecureLabs.png","language":"Rust","readme":"\n\u003cdiv align=\"center\"\u003e\n \u003cp\u003e\n  \u003ch1\u003e\n   Rapidly Search and Hunt through Windows Forensic Artefacts\n  \u003c/h1\u003e\n \u003c/p\u003e\n\u003cimg style=\"padding:0;vertical-align:bottom;\" height=\"76\" width=\"300\" src=\"images/chainsaw.png\"/\u003e\n\u003c/div\u003e\n\n---\nChainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. 
Chainsaw offers a generic and fast method of searching through event logs for keywords, and of identifying threats using built-in support for Sigma detection rules and custom Chainsaw detection rules.\n\n## Features\n\n - :dart: Hunt for threats using [Sigma](https://github.com/SigmaHQ/sigma) detection rules and custom Chainsaw detection rules\n - :mag: Search and extract forensic artefacts by string matching, and regex patterns\n - :date: Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data\n - :bulb: Analyse the SRUM database and provide insights about it\n - :arrow_down: Dump the raw content of forensic artefacts (MFT, registry hives, ESE databases)\n - :zap: Lightning fast, written in Rust, wrapping the [EVTX parser](https://github.com/omerbenamram/evtx) library by [@OBenamram](https://twitter.com/obenamram?lang=en)\n - :feather: Clean and lightweight execution and output formats without unnecessary bloat\n - :fire: Document tagging (detection logic matching) provided by the [TAU Engine](https://github.com/WithSecureLabs/tau-engine) Library\n - :bookmark_tabs: Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format\n - :computer: Can be run on macOS, Linux and Windows\n---\n\n## Table Of Contents\n\n- [Features](#features)\n- [Why Chainsaw?](#why-chainsaw)\n- [Hunting Logic for Windows Event Logs](#hunting-logic-for-windows-event-logs)\n- [Quick Start Guide](#quick-start-guide)\n  - [Downloading and Running](#downloading-and-running)\n  - [Install/Build with Nix](#installbuild-with-nix)\n  - [EDR and AV Warnings](#edr-and-av-warnings)\n  - [What changed in Chainsaw v2](#what-changed-in-chainsaw-v2)\n- [Examples](#examples)\n  - [Searching](#searching)\n  - [Hunting](#hunting)\n  - [Analysis](#analysis)\n    - [Shimcache](#shimcache)\n    - [SRUM (System Resource Usage Monitor)](#srum-system-resource-usage-monitor)\n  - [Dumping](#dumping)\n- 
[Acknowledgements](#acknowledgements)\n\nExtended information can be found in the Wiki for this tool: https://github.com/WithSecureLabs/chainsaw/wiki\n\n## Why Chainsaw?\n\nAt WithSecure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyse forensic artefacts that haven’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of forensic artefacts in these circumstances.\n\n### Windows Event Logs\n\nWindows event logs provide a rich source of forensic information for threat hunting and incident response investigations. Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations. Chainsaw addresses this by allowing rapid searching and hunting through Windows event logs without that surrounding infrastructure.\n\nAt the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. 
In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs, making them unsuitable for scenarios where quick triage is required.\n\n## Hunting Logic for Windows Event Logs\n\n### Sigma Rule Matching\nUsing the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw which fields in the event logs to use for rule matching; rules that the mapping cannot express (for example, a log source or field it does not cover) are skipped, and the hunt banner reports how many rules were not loaded. By default, Chainsaw supports a wide range of Event Log types, including but not limited to:\n\n|Event Type|Event ID  |\n|--|--|\n|Process Creation (Sysmon)| 1 |\n|Network Connections (Sysmon)|3|\n|Image Loads (Sysmon)|7|\n|File Creation (Sysmon)|11|\n|Registry Events (Sysmon)|13|\n|PowerShell Script Blocks|4104|\n|Process Creation|4688|\n|Scheduled Task Creation|4698|\n|Service Creation|7045|\n\nSee the mapping file for the full list of fields that are used for rule detection, and feel free to extend it to your needs.\n\n### Chainsaw Detection Rules\nIn addition to supporting Sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a `rules` directory that contains various Chainsaw rules that allow users to:\n\n 1. Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts\n 2. Detect key event logs being cleared, or the event log service being stopped\n 3. Detect users being created or added to sensitive user groups\n 4. Detect remote login events (Service, RDP, Network, etc.), which helps hunters identify sources of lateral movement\n 5. Detect brute-forcing of local user accounts\n\n\n## Quick Start Guide\n### Downloading and Running\n\nWith the release of Chainsaw v2, we decided to no longer include the Sigma Rules and EVTX-Attack-Samples repositories as Chainsaw submodules. 
We recommend that you clone these repositories separately to ensure you have the latest versions.\n\nIf you still need an all-in-one package containing the Chainsaw binary, Sigma rules and example Event logs, you can download it from the [releases section](https://github.com/WithSecureLabs/chainsaw/releases) of this GitHub repo. In this releases section you will also find pre-compiled binary-only versions of Chainsaw for various platforms and architectures.\n\nIf you want to compile Chainsaw yourself, you can clone the Chainsaw repo:\n\n `git clone https://github.com/WithSecureLabs/chainsaw.git`\n\nand compile the code yourself by running:  `cargo build --release`. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.\n\n**Make sure to build with the `--release` flag as this will ensure significantly faster execution time.**\n\nIf you want to quickly see what Chainsaw looks like when it runs, you can clone the [Sigma Rules](https://github.com/SigmaHQ/sigma) and [EVTX-Attack-Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) repositories:\n\n```\ngit clone https://github.com/SigmaHQ/sigma\ngit clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git\n```\nand then run Chainsaw with the parameters below:\n```\n./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml\n```\n\n### Install/build with Nix\n\n```\n├───devShells\n│   └───x86_64-linux\n│       └───default: development environment 'nix-shell'\n├───formatter\n│   └───x86_64-linux: package 'alejandra-3.1.0'\n└───packages\n    └───x86_64-linux\n        ├───chainsaw: package 'chainsaw-2.10.1'\n        └───default: package 'chainsaw-2.10.1'\n```\n\nChainsaw, as a package, is available via [nixpkgs](https://search.nixos.org/packages?query=chainsaw).\nIf you're using NixOS, just add `chainsaw` to your system configuration file.\n\nHowever, if you're not using NixOS, you can still install Chainsaw via Nix. 
The recommended way is via `nix-shell`, which will temporarily modify your $PATH environment variable.\nTo do so, please run the following:\n```\nnix-shell -p chainsaw\n```\n\nYou can also use the fact that this repo is a flake and run the following:\n```\nnix profile install github:WithSecureLabs/chainsaw\n```\n\nHowever, if you want to build chainsaw yourself using Nix, you can once again use the `flake.nix` provided with this repository. \nTo build the binary, please run the following in the root directory of the cloned repo:\n```\nnix build .#\n```\nThis will create a `./result` directory, with the chainsaw binary located under `./result/bin/chainsaw`. \n\n### EDR and AV Warnings\n\nWhen downloading and running Chainsaw you may find that your local EDR / antivirus engine detects Chainsaw as malicious. You can see examples of this in the following GitHub issues: [Example1](https://github.com/WithSecureLabs/chainsaw/issues/12), [Example2](https://github.com/WithSecureLabs/chainsaw/issues/47).\n\nThese warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. \"mimikatz\"). We have also seen instances where the Chainsaw binary itself has been detected by a small subset of antivirus engines, likely due to some form of heuristic detection.\n\n### What changed in Chainsaw v2?\n\nIn July 2022 we released version 2 of Chainsaw, which is a major overhaul of how Chainsaw operates. 
Chainsaw v2 contains several significant improvements, including the following list of highlights:\n\n - An improved approach to mapping Sigma rules which results in a significant increase in the number of supported Sigma rules and Event Log event types.\n - Improved CLI output which shows a snapshot of all Event Data for event logs containing detections.\n - Support for loading and parsing Event Logs in both JSON and XML format.\n - Cleaner and simpler command line arguments for the Hunt and Search features.\n - Additional optional output information, such as Rule Author, Rule Status, Rule Level etc.\n - The ability to filter loaded rules by status, kind, and severity level.\n - Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files.\n - A clean rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions.\n\nIf you still wish to use version 1 of Chainsaw, you can find compiled binaries in the [releases section](https://github.com/WithSecureLabs/chainsaw/releases), or you can access the source code in the [v1.x.x branch](https://github.com/WithSecureLabs/chainsaw/tree/v1.x.x). 
Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.\n\nA massive thank you to [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en) who managed to convert Chainsaw v1's \"Christmas Project\" codebase into a polished product in v2.\n\n## Examples\n### Searching\n\n      USAGE:\n          chainsaw search [FLAGS] [OPTIONS] \u003cpattern\u003e [--] [path]...\n\n      FLAGS:\n          -h, --help            Prints help information\n          -i, --ignore-case     Ignore the case when searching patterns\n              --json            Print the output in json format\n              --load-unknown    Allow chainsaw to try and load files it cannot identify\n              --local           Output the timestamp using the local machine's timestamp\n          -q                    Suppress informational output\n              --skip-errors     Continue to search when an error is encountered\n          -V, --version         Prints version information\n\n      OPTIONS:\n              --extension \u003cextension\u003e...    Only search through files with the provided extension\n              --from \u003cfrom\u003e                 The timestamp to search from. Drops any documents older than the value provided\n          -o, --output \u003coutput\u003e             The path to output results to\n          -e, --regex \u003cpattern\u003e...          A string or regular expression pattern to search for\n          -t, --tau \u003ctau\u003e...                Tau expressions to search with. e.g. 'Event.System.EventID: =4104'\n              --timestamp \u003ctimestamp\u003e       The field that contains the timestamp\n              --timezone \u003ctimezone\u003e         Output the timestamp using the timezone provided\n              --to \u003cto\u003e                     The timestamp to search up to. 
Drops any documents newer than the value provided\n\n      ARGS:\n          \u003cpattern\u003e    A string or regular expression pattern to search for. Not used when -e or -t is specified\n          \u003cpath\u003e...    The paths containing event logs to load and hunt through\n\n#### Command Examples\n\n   *Search all .evtx files for the case-insensitive string \"mimikatz\"*\n\n    ./chainsaw search mimikatz -i evtx_attack_samples/\n\n   *Search all .evtx files for PowerShell script block events (Event ID 4104)*\n\n    ./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/\n\n   *Search all .evtx files for events matching a regex pattern (here, domain controller hostnames) and output in JSON format*\n\n    ./chainsaw search -e \"DC[0-9].insecurebank.local\" evtx_attack_samples --json\n\n\n### Hunting\n\n      USAGE:\n          chainsaw hunt [FLAGS] [OPTIONS] [--] [path]...\n\n      FLAGS:\n              --csv             Print the output in csv format\n              --full            Print the full values for the tabular output\n          -h, --help            Prints help information\n              --json            Print the output in json format\n              --load-unknown    Allow chainsaw to try and load files it cannot identify\n              --local           Output the timestamp using the local machine's timestamp\n              --log             Print the output in log like format\n              --metadata        Display additional metadata in the tabular output\n          -q                    Suppress informational output\n              --skip-errors     Continue to hunt when an error is encountered\n          -V, --version         Prints version information\n\n      OPTIONS:\n              --column-width \u003ccolumn-width\u003e    Set the column width for the tabular output\n              --extension \u003cextension\u003e...       
Only hunt through files with the provided extension\n              --from \u003cfrom\u003e                    The timestamp to hunt from. Drops any documents older than the value provided\n              --kind \u003ckind\u003e...                 Restrict loaded rules to specified kinds\n              --level \u003clevel\u003e...               Restrict loaded rules to specified levels\n          -m, --mapping \u003cmapping\u003e...           A mapping file to tell Chainsaw how to use third-party rules\n          -o, --output \u003coutput\u003e                A path to output results to\n          -r, --rule \u003crule\u003e...                 A path containing additional rules to hunt with\n          -s, --sigma \u003csigma\u003e...               A path containing Sigma rules to hunt with\n              --status \u003cstatus\u003e...             Restrict loaded rules to specified statuses\n              --timezone \u003ctimezone\u003e            Output the timestamp using the timezone provided\n              --to \u003cto\u003e                        The timestamp to hunt up to. Drops any documents newer than the value provided\n\n      ARGS:\n          \u003crules\u003e      The path to a collection of rules to use for hunting\n          \u003cpath\u003e...    
The paths containing event logs to load and hunt through\n\n#### Command Examples\n\n   *Hunt through all evtx files using Sigma rules for detection logic*\n\n    ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml\n\n   *Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder*\n\n    ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results\n\n   *Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format*\n\n     ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --from \"2019-03-17T19:09:39\" --to \"2019-03-17T19:09:50\" --json\n\n#### Output\n\n    $ ./chainsaw hunt -r rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical\n\n         ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗\n        ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║\n        ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║\n        ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║\n        ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝\n         ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝\n            By WithSecure Countercept (@FranticTyping, @AlexKornitzer)\n\n        [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules\n        [+] Loaded 129 detection rules (198 not loaded)\n        [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx)\n        [+] Loaded 268 EVTX files (37.5 MB)\n        [+] Hunting: [========================================] 268/268\n\n        [+] Group: Antivirus\n        
┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐\n        │      timestamp      │     detections     │ Event ID │ Record ID │  Computer   │          Threat Name           │           Threat Path            │        User        │\n        ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤\n        │ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116     │ 37        │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. │ file:_C:\\AtomicRedTeam\\atomic-   │ MSEDGEWIN10\\IEUser │\n        │                     │                    │          │           │             │ M                              │ red-team-master\\atomics\\T1056\\   │                    │\n        │                     │                    │          │           │             │                                │ Get-Keystrokes.ps1               │                    │\n        ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤\n        │ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117     │ 106       │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A     │ file:_C:\\AtomicRedTeam\\atomic-   │ MSEDGEWIN10\\IEUser │\n        │                     │                    │          │           │             │                                │ red-team-master\\atomics\\T1086\\   │                    │\n        │                     │                    │          │           │             │                                │ payloads\\test.xsl                │                    │\n        └─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘\n\n        [+] 
Group: Log Tampering\n        ┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐\n        │      timestamp      │          detections           │ Event ID │ Record ID │            Computer            │     User      │\n        ├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤\n        │ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102     │ 32853     │ WIN-77LTAPHIQ1R.example.corp   │ Administrator │\n        └─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘\n\n        [+] Group: Sigma\n        ┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐\n        │      timestamp      │           detections           │ count │     Event.System.Provider      │ Event ID │ Record ID │         Computer         │            Event Data            │\n        ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤\n        │ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe         │ 1     │ Microsoft-Windows-Sysmon       │ 18       │ 8046      │ IEWIN7                   │ ---                              │\n        │                     │                                │       │                                │          │           │                          │ Image: System                    │\n        │                     │                                │       │                                │          │           │                          │ PipeName: \"\\\\46a676ab7f179e511   │\n        │                     │                                │       │                                │     
     │           │                          │ e30dd2dc41bd388\"                 │\n        │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-D9C4-5CC   │\n        │                     │                                │       │                                │          │           │                          │ 7-0000-0010EA030000              │\n        │                     │                                │       │                                │          │           │                          │ ProcessId: 4                     │\n        │                     │                                │       │                                │          │           │                          │ RuleName: \"\"                     │\n        │                     │                                │       │                                │          │           │                          │ UtcTime: \"2019-04-29 20:59:14.   
│\n        │                     │                                │       │                                │          │           │                          │ 430\"                             │\n        ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤\n        │ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service         │ 1     │ Microsoft-Windows-Sysmon       │ 13       │ 9806      │ IEWIN7                   │ ---                              │\n        │                     │ Installations in Registry      │       │                                │          │           │                          │ Details: \"%%COMSPEC%% /b /c st   │\n        │                     │                                │       │                                │          │           │                          │ art /b /min powershell.exe -no   │\n        │                     │                                │       │                                │          │           │                          │ p -w hidden -noni -c \\\"if([Int   │\n        │                     │                                │       │                                │          │           │                          │ Ptr]::Size -eq 4){$b='powershe   │\n        │                     │                                │       │                                │          │           │                          │ ll.exe'}else{$b=$env:windir+'\\   │\n        │                     │                                │       │                                │          │           │                          │ \\syswow64\\\\WindowsPowerShell\\\\   │\n        │                     │                                │       │                                │          │           │                          │ v1.0\\\\powershell.exe'};$s=New-   │\n        │                     │                                │ 
      │                                │          │           │                          │ Object System.Diagnostics.Proc   │\n        │                     │                                │       │                                │          │           │                          │ essStartInfo;$s.FileName=$b;$s   │\n        │                     │                                │       │                                │          │           │                          │ .Arguments='-noni -nop -w hidd   │\n        │                     │                                │       │                                │          │           │                          │ en -c \u0026([scriptblock]::create(   │\n        │                     │                                │       │                                │          │           │                          │ (New-Object IO.StreamReader(Ne   │\n        │                     │                                │       │                                │          │           │                          │ w-Object IO.Compression.GzipSt   │\n        │                     │                                │       │                                │          │           │                          │ ream((New-Object IO.MemoryStre   │\n        │                     │                                │       │                                │          │           │                          │ am(,[Convert]::FromBase64Strin   │\n        │                     │                                │       │                                │          │           │                          │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ   │\n        │                     │                                │       │                                │          │           │                          │ H6P1...                          
│\n        │                     │                                │       │                                │          │           │                          │ (use --full to show all content) │\n        │                     │                                │       │                                │          │           │                          │ EventType: SetValue              │\n        │                     │                                │       │                                │          │           │                          │ Image: \"C:\\\\Windows\\\\system32\\   │\n        │                     │                                │       │                                │          │           │                          │ \\services.exe\"                   │\n        │                     │                                │       │                                │          │           │                          │ ProcessGuid: 365ABB72-2586-5CC   │\n        │                     │                                │       │                                │          │           │                          │ 9-0000-0010DC530000              │\n        │                     │                                │       │                                │          │           │                          │ ProcessId: 460                   │\n        │                     │                                │       │                                │          │           │                          │ RuleName: \"\"                     │\n        │                     │                                │       │                                │          │           │                          │ TargetObject: \"HKLM\\\\System\\\\C   │\n        │                     │                                │       │                                │          │           │                          │ urrentControlSet\\\\services\\\\he   │\n        │                     │                           
     │       │                                │          │           │                          │ llo\\\\ImagePath\"                  │\n        │                     │                                │       │                                │          │           │                          │ UtcTime: \"2019-04-30 20:26:51.   │\n        │                     │                                │       │                                │          │           │                          │ 934\"                             │\n        ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤\n        │ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt        │ 1     │ Service Control Manager        │ 7045     │ 10446     │ IEWIN7                   │ ---                              │\n        │                     │ Strike Getsystem Service       │       │                                │          │           │                          │ AccountName: LocalSystem         │\n        │                     │ Installation                   │       │                                │          │           │                          │ ImagePath: \"%COMSPEC% /c ping    │\n        │                     │                                │       │                                │          │           │                          │ -n 1 127.0.0.1 \u003enul \u0026\u0026 echo 'W   │\n        │                     │                                │       │                                │          │           │                          │ inPwnage' \u003e \\\\\\\\.\\\\pipe\\\\WinPw   │\n        │                     │                                │       │                                │          │           │                          │ nagePipe\"                        │\n        │                     │                                │       │                               
 │          │           │                          │ ServiceName: WinPwnage           │\n        │                     │                                │       │                                │          │           │                          │ ServiceType: user mode service   │\n        │                     │                                │       │                                │          │           │                          │ StartType: demand start          │\n        ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤\n        │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper       │ 1     │ Microsoft-Windows-Sysmon       │ 11       │ 238375    │ alice.insecurebank.local │ ---                              │\n        │                     │                                │       │                                │          │           │                          │ CreationUtcTime: \"2019-06-21 0   │\n        │                     │                                │       │                                │          │           │                          │ 6:53:03.227\"                     │\n        │                     │                                │       │                                │          │           │                          │ Image: \"C:\\\\Users\\\\administrat   │\n        │                     │                                │       │                                │          │           │                          │ or\\\\Desktop\\\\x64\\\\Outflank-Dum   │\n        │                     │                                │       │                                │          │           │                          │ pert.exe\"                        │\n        │                     │                                │       │                                │          │           │                          │ ProcessGuid: 
ECAD0485-88C9-5D0   │\n        │                     │                                │       │                                │          │           │                          │ C-0000-0010348C1D00              │\n        │                     │                                │       │                                │          │           │                          │ ProcessId: 3572                  │\n        │                     │                                │       │                                │          │           │                          │ RuleName: \"\"                     │\n        │                     │                                │       │                                │          │           │                          │ TargetFilename: \"C:\\\\Windows\\\\   │\n        │                     │                                │       │                                │          │           │                          │ Temp\\\\dumpert.dmp\"               │\n        │                     │                                │       │                                │          │           │                          │ UtcTime: \"2019-06-21 07:35:37.   
│\n        │                     │                                │       │                                │          │           │                          │ 324\"                             │\n        └─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘\n\n### Analysing\n#### Shimcache\n    COMMAND:\n        analyse shimcache                 Create an execution timeline from the shimcache with optional amcache enrichments\n\n    USAGE:\n        chainsaw analyse shimcache [OPTIONS] \u003cSHIMCACHE\u003e\n\n    ARGUMENTS:\n        \u003cSHIMCACHE\u003e                       The path to the shimcache artefact (SYSTEM registry file)\n\n    OPTIONS:\n        -e, --regex \u003cpattern\u003e             A string or regular expression for detecting shimcache entries whose timestamp matches their insertion time\n        -r, --regexfile \u003cREGEX_FILE\u003e      The path to a newline delimited file containing regex patterns for detecting shimcache entries whose timestamp matches their insertion time\n        -o, --output \u003cOUTPUT\u003e             The path to output the result csv file\n        -a, --amcache \u003cAMCACHE\u003e           The path to the amcache artefact (Amcache.hve) for timeline enrichment\n        -p, --tspair                      Enable near timestamp pair detection between shimcache and amcache for finding additional insertion timestamps for shimcache entries\n        -h, --help                        Print help\n\n- Example pattern file for the  `--regexfile` parameter is included in [analysis/shimcache_patterns.txt](analysis/shimcache_patterns.txt).\n- Regex patterns are matched on paths in shimcache entries **converted to lowercase**.\n\n##### Command Examples\n   *Analyse a shimcache artefact with the provided regex patterns, and use amcache enrichment with timestamp near pair detection enabled. 
Output to a csv file.*\n\n    ./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt --amcache ./Amcache.hve --tspair --output ./output.csv\n\n\n   *Analyse a shimcache artefact with the provided regex patterns (without amcache enrichment). Output to the terminal.*\n\n    ./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt\n\n#### SRUM (System Resource Usage Monitor)\nThe SRUM database parser implemented in Chainsaw differs from other parsers because it does not rely on hardcoded values about the tables. The information is extracted directly from the SOFTWARE hive, which is a mandatory argument. The goal is to avoid errors related to unknown tables.\n\n    COMMAND:\n        analyse srum                             Analyse the SRUM database\n\n    USAGE:\n        chainsaw analyse srum [OPTIONS] --software \u003cSOFTWARE_HIVE_PATH\u003e \u003cSRUM_PATH\u003e\n\n    ARGUMENTS:\n        \u003cSRUM_PATH\u003e                              The path to the SRUM database\n\n    OPTIONS:\n        -s, --software \u003cSOFTWARE_HIVE_PATH\u003e      The path to the SOFTWARE hive\n            --stats-only                         Only output details about the SRUM database\n        -q                                       Suppress informational output\n        -o, --output \u003cOUTPUT\u003e                    Save the output to a file\n        -h, --help                               Print help\n\n##### Command Example\n\n   *Analyse the SRUM database (the SOFTWARE hive is mandatory)*\n\n    ./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat --output ./output.json\n\n##### Output\n\n    $ ./chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat -o ./output.json\n\n         ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗\n        ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║\n        ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║\n        ██║     
██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║\n        ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝\n         ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝\n            By WithSecure Countercept (@FranticTyping, @AlexKornitzer)\n\n        [+] ESE database file loaded from \"/home/user/Documents/SRUDB.dat\"\n        [+] Parsing the ESE database...\n        [+] SOFTWARE hive loaded from \"/home/user/Documents/SOFTWARE\"\n        [+] Parsing the SOFTWARE registry hive...\n        [+] Analysing the SRUM database...\n        [+] Details about the tables related to the SRUM extensions:\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | Table GUID                               | Table Name                                 | DLL Path                             | Timeframe of the data   | Expected Retention Time |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {5C8CF1C7-7257-4F13-B223-970EF5939312}   | App Timeline Provider                      | %SystemRoot%\\System32\\eeprov.dll     | 2022-03-10 16:34:59 UTC | 7 days                  |\n        |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4}   | Tagged Energy Provider                     | %SystemRoot%\\System32\\eeprov.dll     | No records              | 3 days                  |\n        
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}   | WPN SRUM Provider                          | %SystemRoot%\\System32\\wpnsruprov.dll | 2022-03-10 20:09:00 UTC | 60 days                 |\n        |                                          |                                            |                                      | 2022-03-10 21:09:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}   | Application Resource Usage Provider        | %SystemRoot%\\System32\\appsruprov.dll | 2022-03-10 16:34:59 UTC | 60 days                 |\n        |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}   | Energy Usage Provider                      | %SystemRoot%\\System32\\energyprov.dll | No records              | 60 days                 |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT | Energy Usage Provider (Long Term)          | %SystemRoot%\\System32\\energyprov.dll | No records              | 1820 days               |\n        
+------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {973F5D5C-1D90-4944-BE8E-24B94231A174}   | Windows Network Data Usage Monitor         | %SystemRoot%\\System32\\nduprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |\n        |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}   | vfuprov                                    | %SystemRoot%\\System32\\vfuprov.dll    | 2022-03-10 20:09:00 UTC | 60 days                 |\n        |                                          |                                            |                                      | 2022-03-10 21:10:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}   | Energy Estimation Provider                 | %SystemRoot%\\System32\\eeprov.dll     | No records              | 7 days                  |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        | {DD6636C4-8929-4683-974E-22C046A43763}   | Windows Network Connectivity Usage Monitor | %SystemRoot%\\System32\\ncuprov.dll    | 2022-03-10 16:34:59 UTC | 60 days                 |\n        |                                          |                                            |   
                                   | 2022-03-10 21:10:00 UTC |                         |\n        +------------------------------------------+--------------------------------------------+--------------------------------------+-------------------------+-------------------------+\n        [+] SRUM database parsed successfully\n        [+] Saving output to \"/home/user/Documents/output.json\"\n        [+] Saved output to \"/home/user/Documents/output.json\"\n\n##### Forensic insights\nInformation about the new forensic insights related to this artefact can be found in the wiki: https://github.com/WithSecureLabs/chainsaw/wiki/SRUM-Analysis.\n\n\n### Dumping\n\n    USAGE:\n        chainsaw dump [OPTIONS] \u003cPATH\u003e\n\n    ARGUMENTS:\n        \u003cPATH\u003e                  The path to an artefact to dump\n\n    OPTIONS:\n        -j, --json              Dump in json format\n            --jsonl             Print the output in jsonl format\n            --load-unknown      Allow chainsaw to try and load files it cannot identify\n        -o, --output \u003cOUTPUT\u003e   A path to output results to\n        -q                      Suppress informational output\n            --skip-errors       Continue to hunt when an error is encountered\n        -h, --help              Print help\n\n#### Command Example\n\n   *Dump the SOFTWARE hive*\n\n    ./chainsaw dump ./SOFTWARE.hve --json --output ./output.json\n\n\n## Acknowledgements\n - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) by [@SBousseaden](https://twitter.com/SBousseaden)\n - [Sigma](https://github.com/SigmaHQ/sigma) detection rules\n - [EVTX parser](https://github.com/omerbenamram/evtx) library by [@OBenamram](https://twitter.com/obenamram?lang=en)\n - [TAU Engine](https://github.com/WithSecureLabs/tau-engine) Library by [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en)\n - Shimcache analysis feature developed as a part of [CC-Driver](https://www.ccdriver-h2020.com/) project, 
funded by the European Union’s Horizon 2020 Research and Innovation Programme under Grant Agreement No. 883543\n - [DFIRArtifactMuseum](https://github.com/AndrewRathbun/DFIRArtifactMuseum) by Andrew Rathbun ([@bunsofwrath12](https://twitter.com/bunsofwrath12))","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fchainsaw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwithsecurelabs%2Fchainsaw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fchainsaw/lists"}