
Chainsaw

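# Download latest release from GitHub
# (asset name/version as given on this page; check the release page for the
# current build and compare against the published checksum when one exists)
wget https://github.com/WithSecure/chainsaw/releases/download/v2.1.0/chainsaw-v2.1.0-x86_64-pc-windows-gnu.exe

# Add to PATH or run directly
chainsaw.exe hunt --help

# Install Rust (required before building from source).
# Save the installer to a file first so it can be read before it is executed,
# instead of piping it straight into a shell.
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup-init.sh
sh rustup-init.sh

# Clone repository
git clone https://github.com/WithSecure/chainsaw.git
# Guard the cd: without it a failed clone would run cargo in the wrong directory
cd chainsaw || exit 1

# Build with Cargo
cargo build --release

# Binary location: target/release/chainsaw
./target/release/chainsaw --version

# Build for Linux (explicit target triple)
cargo build --release --target x86_64-unknown-linux-gnu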
  • Binary Windows event log format
  • Located: C:\Windows\System32\winevt\Logs\
  • Common logs: Security, System, Application, PowerShell, Sysmon
  • Chainsaw searches these rapidly for patterns
  • Generic, cross-platform detection rules in YAML
  • Define detection logic without tool-specific syntax
  • Chainsaw applies Sigma rules against EVTX events
  • Rule repositories: SigmaHQ/sigma, community rules
  • Sigma rules: Pre-built detection logic
  • Custom rules: JSON/YAML format for specific threats
  • Keyword search: Simple string matching
  • Regex patterns: Complex pattern matching
  • Event ID filtering: Target specific Windows event types
# Hunt using default Sigma rule directory
# NOTE(review): in Chainsaw v2 `-r/--rule` expects Chainsaw-format rules; Sigma
# rules are loaded with `-s/--sigma <dir>` plus `--mapping <file>` so that Sigma
# field names resolve to EVTX fields. Confirm with `chainsaw hunt --help`.
chainsaw hunt /path/to/evtx/file -r ./rules/

# Hunt specific log file with Sigma rules
chainsaw hunt C:\Windows\System32\winevt\Logs\Security.evtx -r sigma_rules/

# Hunt multiple files (a directory path is also accepted)
chainsaw hunt *.evtx -r ./sigma/

# Specify output format
# NOTE(review): `-o/--output` takes an output *path* in Chainsaw v2; the format
# is chosen with `--json` / `--csv`. As written this creates a file named "json"
# and the redirect receives only the console output.
chainsaw hunt events.evtx -r ./sigma/ -o json > results.json
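# Search for keyword in event logs
# Free-text and regex matching is the `search` subcommand in Chainsaw v2;
# `hunt` only applies rules (-r / -s) and has no keyword flag.
chainsaw search "mimikatz" events.evtx

# Case-insensitive search (-i / --ignore-case)
chainsaw search -i "pass" events.evtx

# Regex pattern matching (-e / --regex). The pattern is a Rust regex, so
# alternation is a plain `|`, not grep-style `\|`.
chainsaw search -e ".*admin.*" events.evtx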
# Search specific event ID (e.g., 4688 - Process Creation)
# NOTE(review): `-e` is the regex flag of `chainsaw search`, not an event-ID
# filter. Event IDs are selected with a tau expression on `search`, e.g.
# `chainsaw search -t 'Event.System.EventID: =4688' events.evtx`; see
# `chainsaw search --help` for how to combine several IDs.
chainsaw hunt events.evtx -e 4688

# Multiple event IDs
chainsaw hunt events.evtx -e 4688,4689,4690
# WMI Activity (Event ID 20, 21, 22)
# NOTE(review): these are not Security-log WMI events. Sysmon logs WMI
# filter/consumer/binding as 19/20/21 (in the Sysmon log) and
# WMI-Activity/Operational uses 5857-5861; confirm which source is meant.
# NOTE(review): `-e` is not an event-ID filter in Chainsaw v2 (it is the regex
# flag of `search`); see `chainsaw search --help` for the `-t` filter.
chainsaw hunt Security.evtx -e 20,21,22 -r ./sigma/

# Network share access (Event ID 5140) - only logged with "Audit File Share" enabled
chainsaw hunt Security.evtx -e 5140

# RDP login attempts (Event ID 4624, 4625)
# NOTE(review): RDP logons are identified by LogonType (commonly 10) in 4624/4625;
# the literal string "RDP" is unlikely to appear in the event, so this keyword
# will probably miss them.
chainsaw hunt Security.evtx -e 4624,4625 -s "RDP"

# NTLM authentication (Event ID 4776) - written on the host that validates the credential (the DC for domain accounts)
chainsaw hunt Security.evtx -e 4776
# Service installation (Event ID 7045, System log)
# NOTE(review): `-e` is not an event-ID filter in Chainsaw v2 (it is the regex
# flag of `search`); see `chainsaw search --help` for the `-t` filter.
chainsaw hunt System.evtx -e 7045

# Scheduled task creation
# NOTE(review): comment and command disagree. 106/129 are
# TaskScheduler/Operational IDs; 4698/4699/4702 (created/deleted/updated) are
# Security-log IDs and need "Audit Other Object Access Events" enabled.
chainsaw hunt Security.evtx -e 4698,4699,4702

# Registry modification (Sysmon Event ID 13)
# NOTE(review): the Run key lives under ...\Microsoft\Windows\CurrentVersion\Run,
# so the substring "Software\Run" will not match it; "CurrentVersion\\Run" would.
chainsaw hunt sysmon.evtx -e 13 -s "HKLM\\Software\\Run"

# WMI event consumer (Sysmon Event ID 19 filter, 20 consumer, 21 consumer-to-filter binding)
chainsaw hunt sysmon.evtx -e 19,20,21
# LSASS process access (Sysmon Event ID 10)
# NOTE(review): `-e` is not an event-ID filter in Chainsaw v2; see
# `chainsaw search --help` for the `-t` filter. Expect legitimate hits from
# AV/EDR and system processes; tune on SourceImage and GrantedAccess.
chainsaw hunt sysmon.evtx -e 10 -s "lsass"

# Credential Manager access (Event ID 5382)
chainsaw hunt Security.evtx -e 5382

# DPAPI key access detection
# Keyword only: matches any event text containing "DPAPI", so expect noise
chainsaw hunt sysmon.evtx -s "DPAPI"
# Process creation logs (Event ID 4688)
# NOTE(review): 4688 only carries the command line when "Include command line
# in process creation events" is enabled; otherwise the keyword can only hit
# the image name.
# NOTE(review): `-e` is not an event-ID filter in Chainsaw v2 (it is the regex
# flag of `search`); see `chainsaw search --help` for the `-t` filter.
chainsaw hunt Security.evtx -e 4688 -s "powershell"

# PowerShell script block execution (Event ID 4104) - requires Script Block Logging to be enabled
chainsaw hunt PowerShell.evtx -e 4104

# Command line arguments containing suspicious keywords
# NOTE(review): `\|` is GNU-grep BRE alternation; Chainsaw's regex search
# (`search -e`) uses Rust regex syntax, where alternation is a plain `|`.
chainsaw hunt Security.evtx -e 4688 -s "wget\|curl\|Invoke-WebRequest"

# Sysmon process creation (Event ID 1)
chainsaw hunt sysmon.evtx -e 1 -s "cmd.exe"
# Dump as table (human-readable)
# NOTE(review): `-o/--output` is an output path in Chainsaw v2 and the table
# view is the default; the format switches are `--json` / `--csv`. These lines
# also pass no rule source (-r / -s), which hunt requires as far as I know.
# Confirm with `chainsaw hunt --help` before relying on the redirects.
chainsaw hunt events.evtx -o table

# Export to JSON
chainsaw hunt events.evtx -o json > events.json

# Export to CSV for spreadsheet analysis
chainsaw hunt events.evtx -o csv > events.csv

# Pretty-print JSON output
chainsaw hunt events.evtx -o json | jq '.'
# Export only Event ID 4688 to JSON
# NOTE(review): `-e` is the regex flag of `chainsaw search`, not an event-ID
# filter, and `-o` is an output path (format via --json); see `--help`.
chainsaw hunt Security.evtx -e 4688 -o json > process_creation.json

# Dump events between timestamps
# NOTE(review): `-s` is a search string, not a start time. Chainsaw's time
# window flags are `--from <timestamp>` and `--to <timestamp>`.
chainsaw hunt events.evtx -s "2024-01-15" --before "2024-01-16"

# Limit result count
# NOTE(review): I cannot find a --limit flag on hunt; `| head -n 100` on the
# output is the safe fallback if it is absent.
chainsaw hunt events.evtx --limit 100
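# Parse MFT from mounted drive
# NOTE(review): I cannot find an `mft` subcommand in Chainsaw's CLI; confirm
# with `chainsaw --help` or use a dedicated MFT parser.
# Quoting fix: unquoted, the shell consumes `\$` as an escape (giving C:$MFT)
# and expands a bare `$MFT` as a normally-empty variable, so the paths never
# reached the tool as written. Single quotes keep them literal.
chainsaw mft parse 'C:\$MFT' -o json > mft.json

# Extract file timestamps and attributes
chainsaw mft 'C:\$MFT' --output csv > mft_timeline.csv

# Identify suspicious file activity
chainsaw mft '/mnt/windows/$MFT' -s "\.exe\|\.dll\|\.ps1"

# Generate body file format for timeline analysis
chainsaw mft parse 'C:\$MFT' --body-file mft.bodyfile

# Create timeline with mactime (-d comma-delimited output, -z output timezone)
mactime -b mft.bodyfile -d -z UTC > timeline.csv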
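# Extract shimcache data (Application Compatibility Cache)
# Shimcache is stored in the SYSTEM registry hive
# (...\Control\Session Manager\AppCompatCache), not in Amcache.hve. Chainsaw
# reads it with `analyse shimcache` and can take the Amcache hive alongside via
# --amcache to enrich entries. Confirm flags with `chainsaw analyse shimcache --help`.
chainsaw analyse shimcache SYSTEM --amcache Amcache.hve --output shimcache.csv

# Search for suspicious executables in shimcache
# Patterns are supplied as a file (one Rust regex per line) via --regexfile;
# the pattern file below is a constructed example.
printf '%s\n' 'mimikatz|psexec|procdump' > shimcache_patterns.txt
chainsaw analyse shimcache SYSTEM --regexfile shimcache_patterns.txt --output shimcache_hits.csv

# Get execution timestamp information
# Shimcache timestamps are the file's last-modified time, not an execution
# time; treat entries as "seen on disk" evidence and corroborate with Amcache/Prefetch.
chainsaw analyse shimcache SYSTEM --output shimcache_timeline.csv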
# Parse Amcache.hve for installed applications
# NOTE(review): I cannot find an `amcache` subcommand in Chainsaw; the Amcache
# hive is consumed as enrichment via `chainsaw analyse shimcache ... --amcache <hive>`.
# Confirm with `chainsaw --help` before relying on these lines.
chainsaw amcache C:\Windows\appcompat\Programs\Amcache.hve -o json

# Identify recently executed programs
chainsaw amcache amcache.hve --recent

# Export full application history
chainsaw amcache amcache.hve -o csv > app_execution_history.csv
# Create custom rule file: detection.json
{
  "name": "Suspicious PowerShell Execution",
  "rules": [
    {
      "event_id": 4688,
      "field": "CommandLine",
      "pattern": ".*Invoke-WebRequest.*",
      "severity": "high"
    }
  ]
}

# Apply custom rule
# NOTE(review): Chainsaw's native rules are YAML (see the repository's rules/
# directory for the schema), not the JSON shape shown above. Validate with
# `chainsaw lint --kind chainsaw <rule>` before hunting with it.
chainsaw hunt Security.evtx -r detection.json
# Minimal Sigma rule: flags Security 4688 process-creation events whose command
# line mentions either tool.
# NOTE(review): 4688 only carries CommandLine when "Include command line in
# process creation events" is enabled in audit policy; without it this rule
# never matches.
title: Suspicious Process Execution
description: Detects execution of known malware tools
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    # Sigma string matching is case-insensitive; list values are OR'ed
    CommandLine|contains:
      - 'psexec.exe'
      - 'procdump.exe'
  condition: selection
# Both tools ship with common admin and support toolkits; tune on user/parent process
falsepositives:
  - Administrative tools usage
level: high

# Use Sigma rule
# NOTE(review): in Chainsaw v2 Sigma rules are loaded with `-s/--sigma sigma_rules/`
# together with `--mapping <file>`; `-r` is for Chainsaw-format rules.
chainsaw hunt Security.evtx -r sigma_rules/
# Quick look at the first matches; the table view is the default output
# (`-o` is an output path in Chainsaw v2, see `chainsaw hunt --help`)
chainsaw hunt events.evtx -o table | head -20

Output: Human-readable columnar format with timestamps, event IDs, descriptions.

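# Write JSON results to a file
# (in Chainsaw v2 the format is selected with --json and -o/--output is the
# destination path; verify with `chainsaw hunt --help`)
chainsaw hunt events.evtx -o json > results.json

# Parse with jq: keep only process-creation records. jq reads files directly,
# so no pipe through cat is needed. The .event_id key is taken from this page;
# check one record with `jq '.[0]' results.json` to confirm the field names
# Chainsaw actually emits.
jq '.[] | select(.event_id == 4688)' results.json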
# CSV export
# NOTE(review): in Chainsaw v2 the CSV switch is `--csv` and `-o` is the
# output path; verify with `chainsaw hunt --help`.
chainsaw hunt events.evtx -o csv > results.csv

# Import into Excel, Power BI, or spreadsheet tools
# NOTE(review): I cannot find an html output mode in Chainsaw; verify before
# relying on this line, or render the JSON/CSV with another tool.
chainsaw hunt events.evtx -o html > report.html
# Clone SigmaHQ repository
git clone https://github.com/SigmaHQ/sigma.git

# Use sigma/rules/windows/ directory
# NOTE(review): pass Sigma rules with `-s/--sigma` and a `--mapping` file in
# Chainsaw v2; `-r` expects Chainsaw-format rules.
chainsaw hunt events.evtx -r sigma/rules/windows/
# Hunt using only credential access rules
# NOTE(review): comment and path disagree -- process_creation/ is the same
# directory as the next example. SigmaHQ organises rules by log source, not by
# ATT&CK tactic, so select credential-access rules by their `tags` rather than by directory.
chainsaw hunt Security.evtx -r ./sigma/rules/windows/process_creation/

# Process creation-specific rules
chainsaw hunt Security.evtx -r ./sigma/rules/windows/process_creation/

# Persistence detection rules
# NOTE(review): registry_set rules target Sysmon event 13 (registry value set),
# which is not in System.evtx; point them at the Sysmon log instead.
chainsaw hunt System.evtx -r ./sigma/rules/windows/registry_set/
rules/
├── persistence/
│   ├── scheduled_task.yml
│   └── service_install.yml
├── execution/
│   ├── powershell.yml
│   └── wmi_execution.yml
└── privilege_escalation/
    └── uac_bypass.yml

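# Hunt all rules (Chainsaw-format rules are passed with -r)
chainsaw hunt events.evtx -r ./rules/

# Chainsaw applies Sigma rules natively
# No conversion needed - Sigma rules work directly

# Validate Sigma rule syntax
# Chainsaw's validator is the `lint` subcommand; --kind selects the rule
# format (sigma or chainsaw) so the right schema is checked.
chainsaw lint --kind sigma rules/my_rule.yml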
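# Copy event logs from system
# On a live host these logs are locked by the Event Log service and $MFT is not
# a regular file, so acquire from a forensic image or a mounted volume and run
# these against that mount. Single quotes keep the backslashes and the literal
# $MFT (unquoted, `\$` is consumed as an escape and $MFT would be expanded).
mkdir -p ./evidence/
cp 'C:\Windows\System32\winevt\Logs\'*.evtx ./evidence/

# Export MFT
cp 'C:\$MFT' ./evidence/

# Export Amcache
cp 'C:\Windows\appcompat\Programs\Amcache.hve' ./evidence/

# Record hashes at acquisition time so later findings can be tied to the originals
sha256sum ./evidence/* > ./evidence.sha256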
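# Hunt across all evidence with Sigma rules
# NOTE(review): in Chainsaw v2 Sigma rules are loaded with `-s/--sigma` plus
# `--mapping`, and `-o/--output` is a path with the format chosen by `--json`;
# confirm against `chainsaw hunt --help` for the installed version.
chainsaw hunt ./evidence/*.evtx -r ./sigma/ -o json > hunt_results.json

# Parallel processing for speed
# NOTE(review): I cannot find a --threads flag on hunt; verify before use.
chainsaw hunt ./evidence/*.evtx -r ./sigma/ --threads 4

# Generate comprehensive timeline
# The field names (.timestamp, .event_id, .data) are assumed from this page;
# inspect one record with `jq '.[0]'` to confirm what Chainsaw emits.
chainsaw hunt ./evidence/Security.evtx -o json | \
  jq -r '.[] | [.timestamp, .event_id, .data] | @csv' > timeline.csv

# MFT timeline
# Single-quote the path: unquoted `$MFT` is expanded by the shell (normally to
# nothing), so the original line pointed at ./evidence/ instead of the MFT file.
# NOTE(review): I cannot find an `mft` subcommand in Chainsaw; confirm with `chainsaw --help`.
chainsaw mft './evidence/$MFT' --body-file mft.bodyfile
mactime -b mft.bodyfile -z UTC > mft_timeline.csv

# Export findings as JSON for analysis
chainsaw hunt ./evidence/ -r ./sigma/ -o json > forensic_findings.json

# Create summary report
chainsaw hunt ./evidence/ -r ./sigma/ -o csv > summary.csv

# HTML report for stakeholders
# NOTE(review): I cannot find an html output mode in Chainsaw; verify before relying on it.
chainsaw hunt ./evidence/ -r ./sigma/ -o html > incident_report.html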
# Use multiple threads for faster processing
# NOTE(review): I cannot find a --threads flag on hunt; verify with `chainsaw hunt --help`.
chainsaw hunt *.evtx -r ./sigma/ --threads 8
# Hunt specific date range first
# NOTE(review): Chainsaw's time window flags are --from/--to (ISO timestamps),
# not --after/--before.
chainsaw hunt events.evtx --after "2024-01-15" --before "2024-01-20" -r ./sigma/

# Target high-value logs
chainsaw hunt Security.evtx PowerShell.evtx -r ./sigma/
# Use minimal rule set for initial triage
chainsaw hunt events.evtx -r ./sigma/rules/windows/process_creation/

# Expand ruleset after confirmation
chainsaw hunt events.evtx -r ./sigma/
# Hunt, export to JSON, parse with external tools
# (.severity / .description are assumed field names; check one record with `jq '.[0]'`)
chainsaw hunt Security.evtx -r ./sigma/ -o json | \
  jq '.[] | select(.severity == "high") | .description'
# Hunt multiple log sources
chainsaw hunt Security.evtx System.evtx PowerShell.evtx Sysmon.evtx \
  -r ./sigma/ -o json > correlated_events.json
# Parse registry hives with Chainsaw
# NOTE(review): I cannot find a generic `registry` subcommand; Chainsaw's hive
# support that I know of is `analyse shimcache` (SYSTEM hive, optional --amcache).
chainsaw registry parse SAM SYSTEM SOFTWARE -o json

# Analyze shimcache timeline
# NOTE(review): shimcache is stored in the SYSTEM hive, not in Amcache.hve;
# see `chainsaw analyse shimcache --help`.
chainsaw shimcache amcache.hve -o json | jq '.[] | .timestamp'
| Technique | Event ID | Command |
|---|---|---|
| Lateral Movement - WMI | 20, 21, 22 | `chainsaw hunt -e 20,21,22 -r ./sigma/` |
| Persistence - Task Scheduler | 4698, 4699 | `chainsaw hunt -e 4698,4699` |
| Privilege Escalation - Token Impersonation | 4672 | `chainsaw hunt -e 4672` |
| Credential Access - LSASS | 10 (Sysmon) | `chainsaw hunt sysmon.evtx -e 10` |
| Execution - PowerShell | 4104 | `chainsaw hunt PowerShell.evtx -e 4104` |
| Discovery - Network Share | 5140 | `chainsaw hunt -e 5140` |
| Defense Evasion - Event Log Clear | 104 | `chainsaw hunt System.evtx -e 104` |
# Chainsaw handles corrupted logs gracefully
# Check file integrity (`file` only inspects the header magic; it will not
# detect a truncated or partially overwritten log)
file events.evtx

# Export readable data from corrupted logs
# `--skip-errors` makes Chainsaw continue past unreadable records/files instead
# of aborting; `-o` is an output path in v2 (format via --json), see --help.
chainsaw hunt corrupted.evtx -o json
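# Verify rule syntax
# `lint` is Chainsaw's rule validator; --kind selects the rule format
# (sigma or chainsaw) so the matching schema is checked.
chainsaw lint --kind sigma my_rule.yml

# Check event ID matches
# `-e` is the regex flag of `search`, not an event-ID filter; event IDs are
# selected with a tau expression (-t) on the search subcommand.
chainsaw search -t 'Event.System.EventID: =4688' events.evtx

# Debug with keyword search (free-text matching is `search`; `hunt` only applies rules)
chainsaw search "keyword" events.evtx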
# Reduce rule complexity
chainsaw hunt events.evtx -r ./sigma/rules/windows/process_creation/

# Increase thread count
# NOTE(review): I cannot find a --threads flag on hunt; verify with `chainsaw hunt --help`.
chainsaw hunt events.evtx -r ./sigma/ --threads 16

# Filter time range
# NOTE(review): the window flags are --from/--to in Chainsaw v2, not --after.
chainsaw hunt events.evtx -r ./sigma/ --after "2024-01-15"