Hunt them in Windows
What is Windows Event Log?
It is a comprehensive record of events pertaining to the system, security and applications on the Windows operating system. It is like an end-to-end audit trail for your system that helps you track and troubleshoot system or application issues.
Every Windows event log record carries a unique code (the Event ID) that identifies the specific logged event or issue, together with details such as source, date/time, level and user.
Windows event logs can be found under C:\Windows\System32\winevt\Logs in .evtx format. You can also run eventvwr to open the GUI.
> Not sure if you have ever tried it, but you can also open it in a browser; it would look something like below.
Some important Windows event codes to track:
What is Chainsaw and how does it help?
Chainsaw helps you identify threats within Windows forensic artefacts such as .evtx logs. It lets you perform blazing fast searches over your .evtx files using keywords or regex patterns.
Additionally, it can use Sigma detection rules or its own custom detection rules to identify threats.
I will be using Windows to demonstrate the capabilities of Chainsaw with the sample logs that are provided by chainsaw itself.
You can download the latest version of chainsaw here or git clone https://github.com/WithSecureLabs/chainsaw.git
> Run Chainsaw.exe from a Windows CMD prompt:
> You can get help on the usage of the tool with the -h or --help flag.
chainsaw.exe --help
It will give you four main command options:
So, along with Windows event logs, you would use chainsaw for hunting the unseen on Windows.
Let's look at the chainsaw.exe search command options using the -h flag.
There is my favorite, --regex, along with a few other options such as saving the output; the tau option comes from a separate project called Tau Engine.
I will be using the sample .evtx log files that are provided by chainsaw, bundled with the Sigma and other rules, as shown below.
If you go inside the folder "EVTX-ATTACK-SAMPLES", there are tons of other things that you should not ignore. For example, they provide sample .evtx files mapped to MITRE ATT&CK tactics that can be used to learn Windows event logs, ingest them into a SIEM and test the required detection rules.
You can also look at the collated evtx data in .csv format and the data plotting in .html format.
The original project for these logs can be found here.
Another good project to refer to for MITRE-to-evtx mapping can be found here.
There is also an evtx sample set by Yamato Security (makers of Hayabusa), here.
Chainsaw demo:
> chainsaw*.exe search -e <pattern> <path>
Using the information above, I ran chainsaw.exe with the search command, the keyword '4624' (successful logon) and the path to the sample .evtx files.
You can also search by keyword, for example search -e mimikatz
chainsaw_x86_64-pc-windows-msvc.exe search -e 4624 C:\Users\ashis\Downloads\chainsaw_all_platforms+rules+examples\chainsaw\EVTX-ATTACK-SAMPLES
Searching for mimikatz using just the partial keyword mimi:
Tip: You can get more information about a particular Windows event on https://www.ultimatewindowssecurity.com; not even MSDN can beat it.
> Save the output to a file using -o <filename>, as below.
chainsaw_x86_64-pc-windows-msvc.exe search -e 4625 C:\Users\XX\Downloads\chainsaw_all_platforms+rules+examples\chainsaw\EVTX-ATTACK-SAMPLES -o 4625.log
Some other flags to use along with search are as follows:
chainsaw hunt
There are predefined rules, either in Chainsaw's own format or as Sigma rules. Use -r for the path to Chainsaw rules and -s for the path to Sigma rules.
chainsaw*.exe hunt -h
Refer to the command syntax and the other available flags.
Just run chainsaw hunt -r <rules> <evtx log location>, done!
The hunt command automatically analyzes the logs; the rules are used to detect anomalies, which are displayed in the form of a table.
Using Sigma rules is a little tricky:
Correct Syntax:
Loads Sigma Rules: chainsaw*.exe hunt -m <sigma_mapping.yml> -s sigma <log_file>
Loads both Chainsaw and Sigma Rules: chainsaw*.exe hunt -r rules -m <sigma_mapping.yml> -s sigma <log_file>
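To make concrete what the search and hunt commands above actually do, here is an added Python example (not Chainsaw's own code, and not the page author's) that models both steps over a handful of constructed event records shaped like the JSON Chainsaw prints for an .evtx record: a regex search over every field value, and a Sigma-style rule evaluation that resolves Sigma field names through a mapping, which is the job the -m <sigma_mapping.yml> file does for Chainsaw. The sample events, the two rules and the mapping dictionary are all written for this example; the mapping is a simplified stand-in for Chainsaw's real mapping file format, and the rule evaluator only handles the common subset of Sigma (field modifiers contains/startswith/endswith, value lists as OR, conditions of the form "a and not b").

```python
import re

# --- Constructed sample records ------------------------------------------------
# Shaped like the JSON Chainsaw prints for one .evtx record: header fields live
# under Event.System, the payload under Event.EventData. All values are invented
# for this example; they are not taken from the EVTX-ATTACK-SAMPLES set.
def _event(event_id, channel, data, when):
    return {"Event": {"System": {"EventID": event_id, "Channel": channel,
                                 "Computer": "WS01", "TimeCreated": when},
                      "EventData": data}}

SAMPLE_EVENTS = [
    _event(4624, "Security", {"TargetUserName": "alice", "LogonType": 2,
                              "IpAddress": "-"}, "2023-02-01T10:00:00Z"),
    _event(4625, "Security", {"TargetUserName": "administrator", "LogonType": 3,
                              "IpAddress": "10.0.0.5", "Status": "0xc000006d"}, "2023-02-01T10:01:00Z"),
    _event(4625, "Security", {"TargetUserName": "svc_backup", "LogonType": 2,
                              "IpAddress": "-", "Status": "0xc000006a"}, "2023-02-01T10:02:00Z"),
    _event(1, "Microsoft-Windows-Sysmon/Operational",
           {"Image": "C:\\Temp\\mimikatz.exe",
            "CommandLine": 'mimikatz.exe "sekurlsa::logonpasswords"', "User": "WS01\\alice"},
           "2023-02-01T10:03:00Z"),
    _event(1, "Microsoft-Windows-Sysmon/Operational",
           {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
            "User": "WS01\\alice"}, "2023-02-01T10:04:00Z"),
]

def flatten(node, prefix=""):
    """Turn nested event JSON into {"Event.System.EventID": 4624, ...}."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix[:-1]: node}

# --- search: the equivalent of `chainsaw search -e <regex> <path>` ------------
def search(events, pattern, ignore_case=True):
    """Keep every record in which any field value matches the regex."""
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [e for e in events
            if any(regex.search(str(v)) for v in flatten(e).values())]

# --- hunt: the equivalent of `chainsaw hunt -s <sigma> -m <mapping> <path>` ---
# Simplified stand-in for the -m mapping file: Sigma rules name fields as they
# appear in Sigma documentation (EventID, Image, ...), so the engine has to be
# told where each one lives in the raw record. Chainsaw's real file is richer.
SIGMA_MAPPING = {
    "EventID": "Event.System.EventID",
    "Channel": "Event.System.Channel",
}

def resolve_field(flat, name, mapping):
    """Look a Sigma field up via the mapping; unmapped names are assumed to be EventData."""
    return flat.get(mapping.get(name, f"Event.EventData.{name}"))

def _value_matches(actual, expected, modifier):
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()  # Sigma matching is case-insensitive
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e

def selection_matches(selection, flat, mapping):
    """Every key in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        name, _, modifier = key.partition("|")
        actual = resolve_field(flat, name, mapping)
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(actual, c, modifier) for c in candidates):
            return False
    return True

def rule_matches(rule, event, mapping):
    """Evaluate conditions of the form 'a', 'a and b' or 'a and not b'."""
    flat = flatten(event)
    detection = rule["detection"]
    result = True
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = selection_matches(detection[term[4:] if negate else term], flat, mapping)
        result = result and (hit != negate)
    return result

def hunt(events, rules, mapping):
    """Return every (rule title, level, record) pair that fires."""
    return [(r["title"], r["level"], e) for r in rules for e in events
            if rule_matches(r, e, mapping)]

# Two Sigma-style rules written for this example (not copies of SigmaHQ rules).
RULES = [
    {"title": "Mimikatz Execution", "level": "critical",
     "detection": {"selection": {"EventID": 1, "Image|endswith": "\\mimikatz.exe"},
                   "condition": "selection"}},
    {"title": "Failed Network Logon", "level": "medium",
     "detection": {"selection": {"EventID": 4625, "LogonType": 3},
                   "filter": {"IpAddress": ["-", "127.0.0.1", "::1"]},
                   "condition": "selection and not filter"}},
]

if __name__ == "__main__":
    for e in search(SAMPLE_EVENTS, "mimi"):
        print("search hit:", flatten(e)["Event.EventData.CommandLine"])
    for title, level, e in hunt(SAMPLE_EVENTS, RULES, SIGMA_MAPPING):
        print(f"hunt hit: [{level}] {title} at {e['Event']['System']['TimeCreated']}")
```

The point of the mapping layer is exactly why the Sigma syntax on the page needs -m: without it the engine would look for a top-level EventID and never find it under Event.System, so every Sigma rule would silently match nothing. The "not filter" half of the second rule shows why local logons (IpAddress "-") drop out even though they share the 4625 Event ID.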
Another similar tool that I love and would recommend is "Hayabusa", which is equally powerful with similar functionality. You can also look at another project called WELA by the makers of Hayabusa.
Refer to the project page: https://github.com/Yamato-Security/hayabusa
Imagine the incredible possibilities of using chainsaw along with velociraptor, kape and timeline explorer.
Please feel free to reach out in case you need any further information or have feedback on this.
Refer my Linkedin post www.linkedin.com/posts/ashishsecdev_hunt-them-in-windows-activity-7025418126380974080-ZDP1
~Ashishsecdev