-
Notifications
You must be signed in to change notification settings - Fork 270
Home
Catarina de Faria edited this page Oct 9, 2023
·
3 revisions
Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.
- 🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
- 🔍 Search and extract forensic artefacts by string matching, and regex patterns
- 📅 Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data
- 💡 Analyse the SRUM database and provide insights about it
- ⬇️ Dump the raw content of forensic artefacts (MFT, registry hives, ESE databases)
- ⚡ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
- 🪶 Clean and lightweight execution and output formats without unnecessary bloat
- 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
- 📑 Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format
- 💻 Can be run on MacOS, Linux and Windows
- Why Chainsaw?
- How Does Chainsaw Work?
- Sigma Rule Support
- Supporting Additional Rules