
Let’s Welcome CHAINSAW!

Blue teams and incident responders have a new tool on board called Chainsaw.

Chainsaw is a Rust-based command-line utility that can go through event logs and highlight suspicious entries or strings that may indicate a threat.

It uses Sigma rule detection logic to find event log entries relevant to the investigation. According to its creators, it is designed specifically for quick analysis of event logs in environments where an endpoint detection and response (EDR) solution was not present at the time of compromise. Given a directory of Sigma detection rules and a mapping file, Chainsaw loads the rules, converts them, and runs them against the supplied event logs. The mapping file tells Chainsaw which event IDs to run each detection rule against and which fields are necessary and relevant.

Chainsaw users can:

  • Search through event logs by event ID, keyword, and regex pattern.
  • Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts.
  • Detect key event logs being cleared or the event log service being stopped.
  • Detect users being created or added to sensitive user groups.
  • Detect brute-force attempts against local user accounts.
  • Detect RDP logins, network logins, etc.


Chainsaw is an open-source tool built on the EVTX parser library (EVTX being the log file format written by the Windows 7 Event Viewer, containing the list of events recorded by Windows) and the detection-logic matching provided by F-Secure.

Chainsaw helps blue teams and incident responders during the first-response stage of a security engagement by triaging the entries relevant to the investigation. At the base of these investigations are the Windows event logs, which record details about applications and user logins, and which investigators and analysts depend on to build an accurate timeline of events. Doing that by hand is time-consuming because analysts must go through an enormous number of records; Chainsaw helps because it quickly surfaces the relevant event log entries.


Sigma rule detection also covers numerous Windows event IDs, such as Sysmon Event ID 1 (process creation), Sysmon Event ID 3 (network connection), Sysmon Event ID 7 (image load), Sysmon Event ID 11 (file creation), and so on.
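To make the rule-plus-mapping workflow described above concrete (a mapping file deciding which event IDs and fields a Sigma rule applies to, rules being converted and run against records, plus the cleared-log, group-membership and brute-force checks from the capability list and the Sysmon process-creation event ID), here is an added toy implementation in Python. It is not Chainsaw's code and not the real Sigma or Chainsaw mapping format: the `MAPPING` and `RULES` structures, the dotted EVTX field paths, and the `SAMPLE_RECORDS` are all constructed for illustration, and the matcher only supports the basic Sigma `selection` semantics (AND across fields, OR across listed values, `*`/`?` wildcards, case-insensitive).

```python
import re
from collections import Counter

# Constructed mapping, modelled on the idea of Chainsaw's mapping file: a Sigma
# logsource category -> the event IDs it applies to, and how Sigma field names
# map onto paths in the EVTX record. The paths are invented for this example.
MAPPING = {
    "process_creation": {
        "event_ids": {1},  # Sysmon Event ID 1
        "fields": {"Image": "Event.EventData.Image",
                   "CommandLine": "Event.EventData.CommandLine"},
    },
    "security": {
        "event_ids": {1102, 4625, 4732},
        "fields": {"EventID": "Event.System.EventID",
                   "TargetUserName": "Event.EventData.TargetUserName",
                   "MemberName": "Event.EventData.MemberName"},
    },
}

# Constructed, heavily simplified Sigma-style rules (real rules are YAML).
RULES = [
    {"title": "Whoami execution", "category": "process_creation",
     "selection": {"Image": ["*\\whoami.exe"]}},
    {"title": "Security event log cleared", "category": "security",
     "selection": {"EventID": [1102]}},
    {"title": "Member added to local Administrators", "category": "security",
     "selection": {"EventID": [4732], "TargetUserName": ["Administrators"]}},
]


def get_path(record, dotted):
    """Walk a dotted path such as Event.EventData.Image through nested dicts."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def sigma_to_regex(value):
    """Sigma value semantics: '*' is any run of chars, '?' one char, case-insensitive."""
    if isinstance(value, int):
        return re.compile(rf"^{value}$")
    pattern = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def compile_rule(rule, mapping):
    """The 'convert' step: Sigma field names become EVTX paths via the mapping,
    and the rule inherits the event IDs the mapping says it is relevant to."""
    m = mapping[rule["category"]]
    checks = []
    for field, values in rule["selection"].items():
        values = values if isinstance(values, list) else [values]
        checks.append((m["fields"][field], [sigma_to_regex(v) for v in values]))
    return m["event_ids"], checks


def hunt(records, rules=RULES, mapping=MAPPING):
    """Run every rule against every record; return (rule title, record index) hits."""
    compiled = [(r["title"], *compile_rule(r, mapping)) for r in rules]
    hits = []
    for idx, rec in enumerate(records):
        eid = get_path(rec, "Event.System.EventID")
        for title, event_ids, checks in compiled:
            if eid not in event_ids:
                continue  # the mapping says this rule does not apply to this event ID
            if all(any(rx.match(str(get_path(rec, path) or "")) for rx in rxs)
                   for path, rxs in checks):
                hits.append((title, idx))
    return hits


def failed_logon_bursts(records, threshold=5):
    """Brute-force check: count 4625 failures per target account. This is an
    aggregate that a single stateless selection cannot express."""
    counts = Counter(get_path(r, "Event.EventData.TargetUserName")
                     for r in records if get_path(r, "Event.System.EventID") == 4625)
    return {user: n for user, n in counts.items() if n >= threshold}


def evt(event_id, channel, **data):
    """Build a constructed EVTX-style record (shape only loosely mirrors evtx JSON)."""
    return {"Event": {"System": {"EventID": event_id, "Channel": channel},
                      "EventData": data}}


# Constructed sample records: one benign and one suspicious process creation,
# two group additions, one log clear, and a burst of failed logons for "admin".
SAMPLE_RECORDS = [
    evt(1, "Microsoft-Windows-Sysmon/Operational",
        Image="C:\\Windows\\System32\\whoami.exe", CommandLine="whoami /all"),
    evt(1, "Microsoft-Windows-Sysmon/Operational",
        Image="C:\\Windows\\System32\\notepad.exe", CommandLine="notepad.exe"),
    evt(4732, "Security", TargetUserName="Administrators", MemberName="CORP\\svc_backup"),
    evt(4732, "Security", TargetUserName="Remote Desktop Users", MemberName="CORP\\jdoe"),
    evt(1102, "Security", SubjectUserName="jdoe"),
] + [evt(4625, "Security", TargetUserName="admin") for _ in range(6)] \
  + [evt(4625, "Security", TargetUserName="jdoe")]

if __name__ == "__main__":
    for title, idx in hunt(SAMPLE_RECORDS):
        print(f"[{title}] record {idx}")
    print("failed-logon bursts:", failed_logon_bursts(SAMPLE_RECORDS))
```

The point of the `event_ids` gate in `hunt` is the one the page makes about the mapping file: a rule is only evaluated against the event IDs its logsource maps to, so the expensive field matching never runs on irrelevant records. The brute-force check is kept separate because it needs state across records rather than a per-record selection.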


Copyright © Infoprive 2021. All Right Reserved.