I first spotted Chainsaw courtesy of Florian Roth’s Twitter feed given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tools that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw’s powerful ‘first-response’ capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).
The Chainsaw project documentation is robust. As always, read up on the project before use, it makes use of other great projects as well. James and Alex have provided all you need to get started in short order.
I conducted my first experiment using logs from a DFIR consulting gig I had circa 2014 with an impacted manufacturing firm. The victim user and system names have been changed to protect the innocent.
The environment was a very flat Windows environment with a .local domain that was not administered in keeping with best practices. The organization’s controllers were compromised, both the accountant and the domain ;-), leading to a significant financial loss for the organization. As such, I’ve simply changed the user name to CONTROLLER, and the domain to victimsystems.local. The related logs from this event, for purposes of this experiment, were stored in
logs/client. In order to change names as described I simply wrote the results to a text file when running Chainsaw as follows:
chainsaw hunt logs/client/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml > resultsresults.txt
I also ran Chainsaw this way when I discovered that results written to the console are more comprehensive than those written out to CSV with the
--csv --output results option. This run exclusively used Sigma rules as noted via
Figure 1: First Chainsaw experiment
The results were revealing, and in keeping with my original investigation eight years ago. The victim system was thoroughly infested with malware, amongst which I’d identified Trojan.Agent.FSAVXGen, also known as Backdoor:Win32/Simda, a backdoor usually dropped by other malware or downloaded users visiting malicious sites. Chainsaw’s results revealed this malware in the victim system security log with Sigma’s Failed Code Integrity Checks and Remote Service Creation as seen in Figure 2.
Figure 2: Chainsaw reveals Backdoor:Win32/Simda
Note the kernel mode driver, and a service named xina.exe, but the real IOC is the failed code integrity check for l3codeca.acm, a common indicator for this malware.
My second experiment included the use of Florian’s APT Simulator on one of my Windows systems. APTSimulator is exactly what it says it is, delivered via is a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised (Roth, 2022).
I chose to run every option, which is complete overkill, but fun nonetheless. I then saved the system’s security event log as APTsim.evtx and ran it through Chainsaw as follows:
chainsaw hunt logs/APTsim.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ > resultsAPTsimResults.txt
Note that this Chainsaw run included
-r rules, which incorporates Chainsaw’s built-in rule set as well. From th APTsim.evtx assessment, Chainsaw rules identified Account Tampering (APT Simulator added an admin to the local administrator’s group), while Sigma rules flagged Generic Password Dumper Activity on LSASS (procdump64.exe), Remote Service Creation (PSEXESVC.EXE), and Rare Schtasks Creations (falshupdate22).
Figure 3: Chainsaw identifies APT Simulator behaviors
This is an extremely useful tool when you need a fast way to hunt in Windows event logs with all the benefits of Sigma and speed. I really enjoyed the opportunity to experiment with Chainsaw, appreciate the project leads for their work, as well as the excellent dependencies Chainsaw takes in Sigma, the EVTX parser, and the TAU Engine. Great stuff all around. In the name of my favorite deathcore band, Whitechapel, “the saw is the law”!
Cheers…until next time.
References: Countercept, (2022, August). Rapidly Search and Hunt through Windows Event Logs. Github. Retrieved September 15, 2022, from https://github.com/WithSecureLabs/chainsaw
Roth, F. (2022, June 20). NextronSystems/APTSimulator: A toolset to make a system look as if it was the victim of an apt attack. GitHub. Retrieved September 18, 2022, from https://github.com/NextronSystems/APTSimulator
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.