chainsaw
Rapidly Search and Hunt through Windows Forensic Artefacts
I appreciate that chainsaw was written to support evtx files, but is there any way to also support Mac logs too? Or has anyone ever run across a tool like...
I would like to have the ability to create rules on registry hives, for example: ```yml --- title: T1547.004 - Winlogon System Shell Changed group: Persistence description: Winlogon\Shell changed from...
Just a proof of concept for detecting some anomalies in event logs even if Sysmon is not deployed across the organization - but the audit policy is configured correctly.
As we experienced in #212, there were several issues discovered with the mft library being used. It turns out a lot of the issues we have been experiencing have already...
As mentioned I have added the DataStreams field to all MFT rules as it might be handy for Zone.Identifiers since #210 has been merged now. Additionally I have worked on...
Thanks @FranticTyping for #210. This will be super useful for creating hunting rules. When testing it with hunt mode I noticed with the SmartScreen ADS it outputs in stream data...
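The DataStreams / Zone.Identifier discussion above is about surfacing Mark-of-the-Web data from MFT records so it can be hunted on. As an added example (not chainsaw's code and not part of either issue thread), the following Python parses the INI-style text of a `Zone.Identifier` alternate data stream and flags files whose recorded origin zone is Internet (3) or Restricted Sites (4). The file paths, URLs and stream contents in `SAMPLE_RECORDS` are constructed sample data, and `find_untrusted_origin` is a hypothetical helper, not a chainsaw rule.

```python
"""Parse Zone.Identifier (Mark-of-the-Web) stream contents and flag untrusted origins.

Added example; not chainsaw's own code. Sample records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# URLMON security zone identifiers as written into the ZoneId= key.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        if self.zone_id is None:
            return "Unknown"
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def from_internet(self) -> bool:
        # Zones 3 and 4 are the origins SmartScreen / Office treat as untrusted.
        return self.zone_id in (3, 4)


def parse_zone_identifier(stream: str) -> Optional[ZoneIdentifier]:
    """Parse a Zone.Identifier stream.

    Returns None when no [ZoneTransfer] section is present, so a caller can
    distinguish "no MotW at all" from "MotW present but with odd values".
    """
    in_zone_transfer = False
    seen_section = False
    values: dict = {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].strip().lower() == "zonetransfer"
            seen_section = seen_section or in_zone_transfer
            continue
        if not in_zone_transfer or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    if not seen_section:
        return None
    zone_id: Optional[int] = None
    if "zoneid" in values:
        try:
            zone_id = int(values["zoneid"])
        except ValueError:
            zone_id = None  # keep the record, but treat the zone as unknown
    return ZoneIdentifier(zone_id, values.get("referrerurl"), values.get("hosturl"))


# Constructed sample records: (file path, Zone.Identifier stream contents).
SAMPLE_RECORDS = [
    ("C:\\Users\\alice\\Downloads\\invoice.iso",
     "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
     "HostUrl=https://cdn.example.test/invoice.iso\r\n"),
    ("C:\\Users\\alice\\Documents\\notes.txt",
     "[ZoneTransfer]\r\nZoneId=1\r\n"),
    ("C:\\Users\\alice\\Downloads\\tool.exe",
     "not a zone transfer stream\r\n"),
]


def find_untrusted_origin(records):
    """Hypothetical hunt helper: return (path, zone name, HostUrl) for Internet/Restricted origins."""
    hits = []
    for path, stream in records:
        zi = parse_zone_identifier(stream)
        if zi is not None and zi.from_internet:
            hits.append((path, zi.zone_name, zi.host_url))
    return hits


if __name__ == "__main__":
    for path, zone, host in find_untrusted_origin(SAMPLE_RECORDS):
        print(f"{path}\t{zone}\t{host}")
```

Running this over real output would mean feeding it the DataStreams content of each `$MFT` record that carries a `Zone.Identifier` stream; only the stream text is parsed, so the same function works on data exported from any tool.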
When running chainsaw over whole triage packages the error handling is mostly correct. I.e. [!] failed to load file 'C:\Triage\C\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20241201-170000-00000000-fffffffeffffffff.bin' - Bad signature: [0, 10, 0, 0], expected one...
This primarily comes from working with registry files, as there is just so much data displayed per key that it makes analyzing a dump or working with hunts painful. I wrote...