Hunt them in Windows

Ashish Bansal, published in System Weakness
5 min read, Jan 29, 2023


What is Windows Event Log?

It is a comprehensive record of events pertaining to the system, security and applications on the Windows operating system. Think of it as an end-to-end audit trail of your system that helps you track and troubleshoot system or application issues.

Every Windows event log entry carries a unique code (the Event ID) that identifies the specific logged event or issue, along with other details such as source, date/time, level and user.

Windows event logs can be located under C:\Windows\System32\winevt\Logs in .evtx format. You can also run eventvwr to open the GUI.

Windows Event Logs

> Not sure if you ever tried, but you can also open that folder in a browser; it looks something like the below.

“C:/Windows/System32/winevt/Logs/” in Chrome

Some important Windows event codes to track:

What is Chainsaw and how does it help?

Chainsaw helps you identify threats within Windows forensic artefacts such as .evtx logs. It lets you perform blazing-fast searches across your .evtx files using keywords or regex patterns.

Additionally, it can use Sigma detection rules or its own custom rule format to identify threats.


I will be using Windows to demonstrate Chainsaw's capabilities with the sample logs that ship with Chainsaw itself.

You can download the latest version of chainsaw here or git clone https://github.com/WithSecureLabs/chainsaw.git

> Run chainsaw.exe from the Windows command prompt:

> You can get usage help for the tool with the -h or --help flag.

chainsaw.exe --help

It gives you four main commands:

So, together with Windows event logs, you would use Chainsaw for hunting the unseen on Windows.

Let's look at the options of the chainsaw.exe search command using -h.

Chainsaw Search Help Mode

My favourite is --regex, alongside a few other options such as saving the output to a file. The tau option comes from a separate project called Tau Engine.

I will be using the sample .evtx log files that ship with Chainsaw, bundled together with Sigma and other rules, as shown below.

Evtx-Attack-Samples

If you go inside the "EVTX-ATTACK-SAMPLES" folder there are plenty of other things you should not ignore. For example, the sample .evtx files are mapped to MITRE ATT&CK tactics, so they can be used to learn Windows event logs, to ingest into a SIEM and to test the required detection rules.
You can also look at the collated evtx-to-.csv export and the data plotting in .html format.

Chainsaw — Mitre Mapping Evtx Logs

The original project for these logs can be found here.
Another good project for MITRE-to-evtx mapping can be found here.
Evtx samples from Yamato Security (makers of Hayabusa) are available here.

Chainsaw demo:

> chainsaw*.exe search -e <pattern> <path>

Using the information above, I ran chainsaw.exe with the search command, the keyword '4624' (successful logon) and the path of the sample .evtx files.

You can use a plain keyword as well, for example: search -e mimikatz

chainsaw_x86_64-pc-windows-msvc.exe search -e 4624 C:\Users\ashis\Downloads\chainsaw_all_platforms+rules+examples\chainsaw\EVTX-ATTACK-SAMPLES
Windows Event Log Search Chainsaw — 4624

Searching for mimikatz using just the keyword "mimi" as the pattern:

searching mimikatz

Tip: You can get more information about a particular Windows event ID on https://www.ultimatewindowssecurity.com; not even MSDN can beat it.

> Save the output to a file using -o <filename>, as below.

chainsaw_x86_64-pc-windows-msvc.exe search -e 4625 C:\Users\XX\Downloads\chainsaw_all_platforms+rules+examples\chainsaw\EVTX-ATTACK-SAMPLES -o 4625.log
chainsaw*.exe search -e 4625 <path> -o <filename>
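Once the 4624/4625 search results are saved, the next step is usually to correlate them. The following is an added example, not code from the post or from the Chainsaw project: it reads records in the nested Event.System / Event.EventData shape that Windows event JSON takes (assumed here to match Chainsaw's JSON search output, including the `TimeCreated_attributes` naming) and flags a successful logon (4624) that follows a burst of failed logons (4625) from the same source IP. The sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the nested Windows event JSON shape; the key names
# (TimeCreated_attributes, EventData) are an assumption about Chainsaw's --json output.
SAMPLE_JSON = json.dumps([
    {"Event": {"System": {"EventID": 4625, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:00:01Z"}},
               "EventData": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 4625, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:00:10Z"}},
               "EventData": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 4625, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:00:20Z"}},
               "EventData": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 4624, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:00:45Z"}},
               "EventData": {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 4625, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:02:00Z"}},
               "EventData": {"TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 3}}},
    {"Event": {"System": {"EventID": 4624, "TimeCreated_attributes": {"SystemTime": "2023-01-29T10:02:05Z"}},
               "EventData": {"TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 3}}},
])


def parse_events(raw):
    """Flatten the nested records into (time, event_id, user, ip) tuples, oldest first."""
    rows = []
    for rec in json.loads(raw):
        system, data = rec["Event"]["System"], rec["Event"].get("EventData", {})
        ts = datetime.strptime(system["TimeCreated_attributes"]["SystemTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, int(system["EventID"]), data.get("TargetUserName", ""), data.get("IpAddress", "")))
    return sorted(rows)


def failed_logons_then_success(raw, min_failures=3, window=timedelta(minutes=5)):
    """Flag each 4624 preceded by at least min_failures 4625s from the same IP within `window`.
    Returns a list of (ip, user, failure_count) tuples, one per flagged success."""
    failures = defaultdict(list)  # ip -> timestamps of 4625s not yet followed by a success
    hits = []
    for ts, event_id, user, ip in parse_events(raw):
        if event_id == 4625:
            failures[ip].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((ip, user, len(recent)))
            failures[ip] = []  # a success closes the burst so it is reported only once
    return hits


if __name__ == "__main__":
    for ip, user, n in failed_logons_then_success(SAMPLE_JSON):
        print(f"{ip}: {n} failed logons followed by a successful logon as {user}")
```

With the constructed sample, only 10.0.0.5 is reported (three 4625s then a 4624 within five minutes); 10.0.0.9 has a single failure and stays below the threshold.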

Some other flags that can be used with search are as follows:

Chainsaw.exe search -Flags

chainsaw hunt: there are predefined rules, either in Chainsaw's custom format or as Sigma rules. Use -r for the Chainsaw rules path and -s for the Sigma rules path.

Refer to the command syntax and the other available flags with:

chainsaw*.exe hunt -h

Just run chainsaw hunt -r <rules> <evtx log location>, and you are done!

chainsaw*.exe hunt -r <rules> <evtx-path>

The hunt command automatically analyses the logs; the rules are used to detect anomalies, which are displayed in the form of a table.

Using Sigma rules is a little tricky:

Error Desc!

Correct Syntax:

Loads Sigma rules: chainsaw*.exe hunt -m <sigma_mapping.yml> -s sigma <log_file>

Sigma Rule

Loads both Chainsaw and Sigma rules: chainsaw*.exe hunt -r rules -m <sigma_mapping.yml> -s sigma <log_file>

Chainsaw and Sigma Rule

Another similar tool that I love and would recommend is "Hayabusa", which is equally powerful with similar functionality. You can also look at another project called WELA, by the makers of Hayabusa.

Refer to the project page: https://github.com/Yamato-Security/hayabusa

Imagine the possibilities of using Chainsaw together with Velociraptor, KAPE and Timeline Explorer.

Please feel free to reach out for any further information or feedback on this.

See my LinkedIn post: www.linkedin.com/posts/ashishsecdev_hunt-them-in-windows-activity-7025418126380974080-ZDP1

~Ashishsecdev
