<aside> <img src="/icons/home_lightgray.svg" alt="/icons/home_lightgray.svg" width="40px" /> HOME

Forensic Tools

Penetration Tools

Vulnerabilities & CVE

BB & Other

CFT

Blog & Books (KNiggas)

About(CV)

</aside>

<aside> <img src="/icons/list-indent_blue.svg" alt="/icons/list-indent_blue.svg" width="40px" /> Table of Contents

</aside>

Info

Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

Features

• 🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
• 🔍 Search and extract forensic artefacts by string matching, and regex patterns
• 📅 Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data
• 💡 Analyse the SRUM database and provide insights about it
• ⬇️ Dump the raw content of forensic artefacts (MFT, registry hives, ESE databases)
• ⚡ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
• 🪶 Clean and lightweight execution and output formats without unnecessary bloat
• 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
• 📑 Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format
• 💻 Can be run on MacOS, Linux and Windows

Quick Start Guide

Downloading and Running

With the release of Chainsaw v2, we decided to no longer include the Sigma Rules and EVTX-Attack-Samples repositories as Chainsaw submodules. We recommend that you clone these repositories separately to ensure you have the latest versions.

If you still need an all-in-one package containing the Chainsaw binary, Sigma rules and example Event logs, you can download it from the releases section of this GitHub repo. In this releases section you will also find pre-compiled binary-only versions of Chainsaw for various platforms and architectures.

If you want to compile Chainsaw yourself, you can clone the Chainsaw repo: git clone <https://github.com/WithSecureLabs/chainsaw.git>

and compile the code yourself by running: cargo build --release. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

Make sure to build with the --release flag as this will ensure significantly faster execution time.

If you want to quickly see what Chainsaw looks like when it runs, you can clone the Sigma Rules and EVTX-Attack-Samples repositories:

git clone <https://github.com/SigmaHQ/sigma>
git clone <https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git>

chainsaw.zip

and then run Chainsaw with the parameters below:

./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Command Examples

Search all .evtx files for the case-insensitive string "mimikatz"

./chainsaw search mimikatz -i evtx_attack_samples/

• Search all .evtx files for powershell script block events (Event ID 4014)

./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/