Use Chainsaw in PowerShell, the powerful evtx (Windows event log) parsing tool, to improve your threat analysis: a walkthrough (2023)

SyntheticSecurity
May 27, 2023

Chainsaw is an awesome tool to “rapidly search and hunt through Windows forensic artefacts”. Say you have a server that has been taken offline because an admin account was compromised, and the company needs you, as a security analyst, to work out the primary attack vector on the machine and how the threat actor originally acquired access. We pull the past two days’ worth of Windows Security event logs (.evtx files) from the server and can begin our analysis.

If you’ve ever worked with the default Event Viewer app when you needed to search through hundreds of thousands of events, you know as well as I do that it can be glitchy and laggy. That is okay, because with the help of Chainsaw we can get through the same log analysis in a fraction of the time. In this guide I’ll show how to install it and use it to improve your threat hunting.

Setup and Installation (Windows)

The initial install has changed a little since the 2022 updates to the GitHub repository, but just follow along and you’ll be chainsawing away in no time :] You can “install” it (not really installing, more configuring) with the following steps:

  1. To begin, download chainsaw_all_platforms+rules+examples.zip from the GitHub releases page and unzip it. Create a new folder in Downloads, Documents or wherever is easy to navigate to and name it “chainsaw”. Move or copy the entire contents of the unzipped folder C:\Users\User\Downloads\chainsaw_all_platforms+rules+examples\chainsaw into C:\Users\User\Downloads\chainsaw. That folder should now contain the Chainsaw binaries plus the rules, sigma, mappings and EVTX-ATTACK-SAMPLES folders used below.

2. Rename “chainsaw_x86_64-pc-windows-msvc.exe” to chainsaw.exe.

  • What’s great about this zip is that you can play around with some real-life examples of malicious evtx logs; the devs ship a special folder for exactly that, named “EVTX-ATTACK-SAMPLES”. In this guide we rename it to “Logs” to shorten the commands a bit for the demo. NOTE: avoid spaces in the names of any folders being scanned (or quote the path), or the commands as written below will not work.
  • The zip also includes a mappings folder with a mapping file that is used in conjunction with a pre-defined ruleset, the Sigma rules. What are Sigma rules, you may ask? A Sigma rule is a generic, open, YAML-based signature format that lets a security operations team describe relevant log events in a flexible and standardized way: https://syedhasan010.medium.com/defenders-toolkit-102-sigma-rules-4a623acb2036 / https://github.com/SigmaHQ/sigma

*If this were a real server or machine you had exported logs from, you would move the .evtx files into chainsaw\Logs. Usually I place my .evtx files in this folder one at a time, then scan and see what comes up, to avoid confusion.

*In this example I’m going to use three sets of samples, each from a different category (Logs\Credential_Access, Logs\Persistence and Logs\Execution), so you can get the gist:

3. Open PowerShell and cd to C:\Users\User\Downloads\chainsaw
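The setup steps above, scripted in PowerShell as an added example (this is not code from the original post or from the Chainsaw project). It assumes the release zip is in your Downloads folder, that the zip contains a folder named chainsaw as described above, and that you want the working copy in Downloads\chainsaw; adjust the two paths at the top otherwise.

```powershell
# Added example: automate the manual setup steps from this walkthrough.
# Assumptions: the release zip sits in $env:USERPROFILE\Downloads and the
# file/folder names inside it match the ones shown above.
$zip  = Join-Path $env:USERPROFILE 'Downloads\chainsaw_all_platforms+rules+examples.zip'
$dest = Join-Path $env:USERPROFILE 'Downloads\chainsaw'

# Refuse destinations with whitespace: the walkthrough's commands pass paths unquoted.
if ($dest -match '\s') { throw "Destination path '$dest' contains whitespace; pick another location." }
if (-not (Test-Path -LiteralPath $zip)) { throw "Release zip not found: $zip" }

# Unzip to a scratch folder, locate the inner 'chainsaw' folder, copy its contents to $dest.
$scratch = Join-Path $env:TEMP 'chainsaw_unzip'
Expand-Archive -LiteralPath $zip -DestinationPath $scratch -Force
$inner = Get-ChildItem -LiteralPath $scratch -Directory -Recurse -Filter 'chainsaw' | Select-Object -First 1
if (-not $inner) { throw "No 'chainsaw' folder found inside $zip" }
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path (Join-Path $inner.FullName '*') -Destination $dest -Recurse -Force
Remove-Item -LiteralPath $scratch -Recurse -Force

Set-Location -LiteralPath $dest

# Rename the Windows binary to chainsaw.exe so the commands in the post work as written.
if (Test-Path -LiteralPath '.\chainsaw_x86_64-pc-windows-msvc.exe') {
    Rename-Item -LiteralPath '.\chainsaw_x86_64-pc-windows-msvc.exe' -NewName 'chainsaw.exe'
}

# Rename the bundled attack samples to Logs, as the post does (skip if Logs already exists).
if ((Test-Path -LiteralPath '.\EVTX-ATTACK-SAMPLES') -and -not (Test-Path -LiteralPath '.\Logs')) {
    Rename-Item -LiteralPath '.\EVTX-ATTACK-SAMPLES' -NewName 'Logs'
}

# Sanity check: everything the hunt command below needs must be present.
foreach ($p in 'chainsaw.exe', 'rules', 'sigma', 'mappings\sigma-event-logs-all.yml', 'Logs') {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Missing: $p" }
}

.\chainsaw.exe --version
```

The whitespace check at the top is deliberate: a path with a space is the most common reason the unquoted commands later in this post fail.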

Here we have our Credential Access examples: a password change, a password spray attack, and an LSASS dump logged by Sysmon.

2. First we’ll start with a “hunt” command. These are the most rewarding, as they run every rule (Chainsaw’s own rules and the Sigma rules, matched to the logs through the mapping file) against the events:

./chainsaw hunt -r rules/ .\Logs\Credential_Access\ -s sigma/rules --mapping mappings/sigma-event-logs-all.yml

  • This searches through all the Chainsaw rules and the mapped Sigma rules. In the output we can see that the threat actor intentionally cleared the Security event log (event ID 1102, “The audit log was cleared”), which is done to hide traces of activity.
  • From these same logs and this one command we can also see credential dumping via an LSASS process clone, together with the log data that triggered the detection.
  • Let’s move on to another threat classification example: Persistence.

3. Say you want to search for a specific event ID instead of running rules. For that there is the “search” command, which is also great when there is a keyword you want to find in the logs. Here we look for event ID 4662 (“An operation was performed on an object”), as we suspect permission changes have taken place, and then search for the lsass.exe process:

  • ./chainsaw search -t 'Event.System.EventID: =4662' .\Logs\Persistence\
  • This prints every instance of that particular event ID to the terminal.
  • You can run several event ID searches one after another by separating the commands with semicolons: ./chainsaw search -t 'Event.System.EventID: =4625' .\Logs\ ; ./chainsaw search -t 'Event.System.EventID: =104' .\Logs\ ; ./chainsaw search -t 'Event.System.EventID: =1102' .\Logs\ (I’m sure there’s an easier way to do this, if so let me know ;))
  • Now to search for terms or executable names, case-insensitively with -i: ./chainsaw search lsass.exe -i .\Logs\Persistence\ This lists the events referencing lsass.exe for review.
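As an added example (not from the original post), here is a small PowerShell function that wraps the search command so a list of event IDs and keywords can be run in one call, which is the “easier way” the previous bullet asks about. It assumes you are in the chainsaw folder prepared earlier, so that .\chainsaw.exe resolves; the function name and parameter names are my own.

```powershell
# Added example: run one Chainsaw search per event ID and per keyword from a single call.
# Assumption: the current directory is the chainsaw folder set up above.
function Search-ChainsawEvents {
    param(
        [Parameter(Mandatory)] [string] $LogPath,   # folder or single .evtx file to scan
        [int[]]    $EventId = @(),                  # e.g. 4625, 104, 1102
        [string[]] $Keyword = @()                   # free-text terms such as lsass.exe
    )
    if ($LogPath -match '\s') { throw "Path '$LogPath' contains whitespace (see the setup note)." }
    if (-not (Test-Path -LiteralPath $LogPath)) { throw "Log path not found: $LogPath" }

    foreach ($id in $EventId) {
        Write-Host "=== Event ID $id ===" -ForegroundColor Cyan
        # -t takes a tau expression; double quotes expand $id and keep the space after the colon.
        .\chainsaw.exe search -t "Event.System.EventID: =$id" $LogPath
    }
    foreach ($k in $Keyword) {
        Write-Host "=== Keyword '$k' (case-insensitive) ===" -ForegroundColor Cyan
        .\chainsaw.exe search -i $k $LogPath
    }
}

# The three IDs the post chains together with ';' (failed logon, System log cleared,
# Security log cleared) plus the lsass.exe keyword search, in one call.
Search-ChainsawEvents -LogPath .\Logs\ -EventId 4625, 104, 1102 -Keyword 'lsass.exe'
```

Because each ID is a separate Chainsaw invocation, the output is grouped per ID exactly as the semicolon-chained commands produce it, just without retyping the path and expression each time.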

4. Additionally, you can change the output of the commands from the terminal table to a file: the hunt command can write JSON with --json or CSV with --csv, and search can write JSON with --json, with the destination given by -o/--output.

5. The fifth and final example is from the “Execution” category (again, all of these EVTX files can be found in the original zip). This category covers execution of the payload:

./chainsaw hunt -r rules/ .\Logs\Execution\ -s sigma/rules --mapping mappings/sigma-event-logs-all.yml

  • Again we see a Sigma rule hit, “Potential Defense Evasion via Raw Disk Access by Uncommon Tools”, and Chainsaw gives a breakdown of the event data on the right-hand side, next to the endpoint name.
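As an added example (not from the original post or the Chainsaw project), the hunt above run again with JSON output and summarised in PowerShell, which is the form an analyst wants when triaging a real server’s logs rather than a handful of sample files. It assumes you are in the chainsaw folder and that each detection object in Chainsaw’s JSON output carries name, level, timestamp and source fields; those field names are an assumption to check against your own output, and the function name is my own.

```powershell
# Added example: run the hunt with JSON output and summarise the detections.
# Assumptions: current directory is the chainsaw folder; detection objects in the JSON
# output have 'name', 'level', 'timestamp' and 'source' properties (verify against your version).
function Invoke-ChainsawHuntSummary {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [string] $OutFile = '.\hunt.json'
    )
    if ($LogPath -match '\s') { throw "Path '$LogPath' contains whitespace (see the setup note)." }
    if (-not (Test-Path -LiteralPath $LogPath)) { throw "Log path not found: $LogPath" }

    # Same hunt as in the post, but written as JSON to a file instead of the terminal table.
    .\chainsaw.exe hunt $LogPath -r rules/ -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --json -o $OutFile
    if ($LASTEXITCODE -ne 0) { throw "chainsaw hunt failed with exit code $LASTEXITCODE" }

    $hits = Get-Content -LiteralPath $OutFile -Raw | ConvertFrom-Json
    if (-not $hits) { Write-Warning "No detections in $OutFile"; return }

    # Detections per rule, most frequent first: noisy rules stand out immediately.
    Write-Host "=== Hits per rule ===" -ForegroundColor Cyan
    $hits | Group-Object -Property name | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Rule'; e = { $_.Name } } | Format-Table -AutoSize

    # Timeline of high/critical detections: event order is what an analyst needs first.
    Write-Host "=== High/critical hits in time order ===" -ForegroundColor Cyan
    $hits | Where-Object { $_.level -in 'high', 'critical' } |
        Sort-Object timestamp |
        Select-Object timestamp, level, source, name | Format-Table -AutoSize
}

Invoke-ChainsawHuntSummary -LogPath .\Logs\Execution\
```

The JSON file is kept on disk on purpose: it is the artefact to attach to the case, and it can be re-filtered later without re-running the hunt.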

We’ll stop here for now, as I think that gives you a general idea of this tool’s capabilities and the variety of search mechanisms it employs. Keep in mind that this is just skimming the surface of what is contained within Chainsaw. I hope this walkthrough helps you with your efforts.

SyntheticSecurity: threat and malware research, analyst, ramblings on technology and history