Chainsaw v2 - Pre-Release #77
Replies: 6 comments 10 replies
-
Most of us in incident response live in CSV output so losing CSV is very unfortunate. That also breaks the KAPE Module for Chainsaw, which I know a lot of people use - https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Apps/GitHub/Chainsaw.mkape
-
Hey all, So
-
Alpha 3 is out. Apart from cleaning up the printing output, handling data conflicts and some fixes, we now also have initial support for hunting and searching through JSON and XML files.
-
Hello @alexkornitzer, Could we add arbitrary Sigma rule data to the JSON result output? Example: I checked. I don't know if it is difficult to implement, but can we add these specifications in the mapping file, or as another option from the command line? Or please consider adding at least these Sigma fields into the output. Sigma tags contain information useful for creating an ATT&CK Matrix. Thanks a lot for your effort.
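The request above is to surface Sigma rule tags in the JSON output so that detections can be rolled up into an ATT&CK matrix. As an added example (not Chainsaw's own code, and not from any participant in this thread), the script below shows what that roll-up looks like once tags are present. It assumes a JSON layout of one object per detection with a `tags` list (a constructed sample is embedded; Chainsaw's real output schema may differ) and relies only on the standard Sigma tag convention of `attack.<tactic>` and `attack.t<id>`.

```python
"""Roll Sigma rule tags from a list of JSON detections up into an
ATT&CK tactic/technique matrix.

Added example, not part of the Chainsaw project. The JSON layout
(a list of detections, each carrying its rule's `tags`) is an
assumption about the output format, not Chainsaw's documented schema.
"""
import json
import re
from collections import defaultdict

# Sigma tag convention: `attack.<tactic>` names a tactic and
# `attack.t<id>` (optionally `.<sub-id>`) names a technique.
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
TACTIC_RE = re.compile(r"^attack\.([a-z_]+)$")

# Constructed sample detections in the assumed layout; not real output.
SAMPLE_JSON = json.dumps([
    {"name": "Suspicious PowerShell Download",
     "tags": ["attack.execution", "attack.t1059.001"],
     "timestamp": "2022-07-01T10:00:00Z"},
    {"name": "Process Access to LSASS",
     "tags": ["attack.credential_access", "attack.t1003.001"],
     "timestamp": "2022-07-01T10:02:00Z"},
    {"name": "Encoded PowerShell",
     "tags": ["attack.execution", "attack.defense_evasion",
              "attack.t1059.001", "attack.t1027"],
     "timestamp": "2022-07-01T10:05:00Z"},
    {"name": "Rule Without Tags", "tags": [],
     "timestamp": "2022-07-01T10:09:00Z"},
])


def load_detections(text):
    """Parse the JSON detections document into a list of dicts."""
    return json.loads(text)


def split_tags(tags):
    """Separate a rule's tags into (tactics, techniques).

    Technique IDs are normalised to upper case (T1059.001); tags that
    follow neither convention (e.g. `cve.2021.1234`) are ignored.
    """
    tactics, techniques = [], []
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            techniques.append(m.group(1).upper())
            continue
        m = TACTIC_RE.match(tag)
        if m:
            tactics.append(m.group(1))
    return tactics, techniques


def attack_matrix(detections):
    """Return {tactic: {technique: hit_count}}.

    Sigma tags do not bind a technique to a particular tactic, so a rule
    tagged with two tactics is counted under both. Detections whose rule
    names no tactic or no technique are filed under explicit placeholders
    rather than being dropped silently.
    """
    matrix = defaultdict(lambda: defaultdict(int))
    for det in detections:
        tactics, techniques = split_tags(det.get("tags", []))
        tactics = tactics or ["untagged_tactic"]
        techniques = techniques or ["none"]
        for tactic in tactics:
            for technique in techniques:
                matrix[tactic][technique] += 1
    return {tactic: dict(row) for tactic, row in matrix.items()}


def render(matrix):
    """Plain-text rendering of the matrix, one tactic per block."""
    lines = []
    for tactic in sorted(matrix):
        lines.append(tactic)
        for technique, count in sorted(matrix[tactic].items()):
            lines.append(f"  {technique:<10} {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(attack_matrix(load_detections(SAMPLE_JSON))))
```

The cross-product in `attack_matrix` is deliberate: because a Sigma rule's tags list tactics and techniques side by side with no pairing, a rule tagged with both `attack.execution` and `attack.defense_evasion` contributes its techniques to both tactic rows, which slightly over-counts compared with ATT&CK's own technique-to-tactic mapping. If that matters for reporting, the fix is to join technique IDs against the ATT&CK data set rather than trusting the rule's tactic tags.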
-
The latest alpha (v2.0.0-alpha.6) is now out. This alpha contains:
Example - Improved Progress Messages:
Example - Improved Error Messages:
We're nearly ready for the first beta release of Chainsaw v2 🎉 !
-
Hello everyone! I'm excited to say that we have just released the first beta of Chainsaw v2! 🥳 🎉 Quite a lot has changed since the last Alpha and I think we've made several significant improvements. The key changes to be aware of:
This means that Chainsaw can now apply the detection logic of significantly more Sigma rules on more event log types. You should now see detections for a variety of new event types, e.g. "Process Access" events. Running chainsaw against the same sample of event logs, you can see the difference this makes: Legacy Mapping File:
In Version 1 the mapping file would specify which fields were displayed which meant that users would occasionally miss important information. In Version 2, Chainsaw outputs snippets from all fields in the relevant event log. You can see an example of this by looking at the last column in the table output below. In Chainsaw v1, we would only show a few relevant fields for these detections, whereas now users get snippets of every field. This approach also allows Chainsaw to more generically support new event log types moving forwards, as we no longer have to manually specify each field to display for every log type.
A small final addition is that Chainsaw v2 will auto-adjust the column width of the table view when showing results. This means that you will see more information by default on larger screens, and on smaller screens you have a lower chance of the table output being broken due to over-running lines. You can still use the

I've updated the Readme file to reflect the changes made in Chainsaw v2, but please do let me know if anything is missing or if you think any usage information needs clarifying. We're also looking to add more information to the Wiki of this repo to help drive community support for Chainsaw.

The master branch now contains the v2 codebase and there are compiled releases available in the releases section. You may notice that we no longer submodule the Sigma Rules or the EVTX-Attack-Samples repositories, so you'll need to clone those separately or download the chainsaw_all_platforms+rules+examples.tar.gz archive if you still want them bundled. If you still want to use Chainsaw v1, you can access it in the v1.x.x branch.

We would love to hear your feedback (positive or negative) about your experience with the beta of Chainsaw v2, and we're happy to tweak it as people wish!

Just as one final note, I would like to say a massive thank you to @alexkornitzer for all of his work on this project. He managed to take my "Lockdown Christmas Project" of 2020 and transform the cobbled together codebase into a much more polished product. (Oh, and for being the mastermind behind the TAU engine which makes the detection speed of Chainsaw possible.)
-
Hi All,
So I have finally found time to do the major work for Chainsaw v2. As I am not a responder I would really love feedback from everyone so that we can tweak any assumptions I have incorrectly made. I would also like to add that, due to the new internals, making tweaks and changes is much easier, so discuss away. Keeping this as an alpha allows us to make rapid breaking changes.
Current Alpha:
2.0.0-alpha.0
The changes are as follows:
Added
evtx
extension (Evtx files with different extension #75)
Modified
Removed
TODO
chainsaw
rules that will allow for aggregation, etc (Support for more F-Secure alerts / log providers #26, --lateral-all on large logs #58, Json output missing detections #59)
Notable Changes
Arguments
The arguments now look like so:
Output
Tabular with metadata
JSON
Tau
With the event_id field removed we can now use tau to provide the same functionality.