From 089c5036f5eecc7494d7134d038d58d0dedbeaab Mon Sep 17 00:00:00 2001 From: FranticTyping Date: Mon, 11 Jul 2022 22:34:49 +0100 Subject: [PATCH] docs: update readme for beta release --- README.md | 184 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 121 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index eadefddc..4b1ebe86 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify - :bookmark_tabs: Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format - :computer: Can be run on MacOS, Linux and Windows --- - $ ./chainsaw hunt evtx_attack_samples -s sigma_rules --mapping mappings/sigma-event-logs.yml --level critical + $ ./chainsaw hunt rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical ██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗ ██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║ 
@@ -30,66 +30,104 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ By F-Secure Countercept (@FranticTyping, @AlexKornitzer) - [+] Loading detection rules from: sigma_rules - [+] Loaded 169 detection rules (338 not loaded) - [+] Loading event logs from: evtx_attack_samples (extensions: .evtx) + [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules + [+] Loaded 129 detection rules (198 not loaded) + [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx) [+] Loaded 268 EVTX files (37.5 MB) [+] Hunting: [========================================] 268/268 - [+] Group: Suspicious File Creation - ┌─────────────────────┬───────────────────────────────┬───────┬──────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ - │ timestamp │ detections │ count │ Computer │ Image │ Target File Name │ - ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ alice.insecurebank.local │ C:\Users\administrator\Desktop\x64\Outfl │ C:\Windows\Temp\dumpert.dmp │ - │ │ │ │ │ ank-Dumpert.exe │ │ - ├─────────────────────┼───────────────────────────────┼───────┼──────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2020-08-12 13:04:27 │ ‣ CVE-2021-1675 Print Spooler │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\spoolsv.exe │ C:\Windows\System32\spool\drivers\x64\3\ │ - │ │ Exploitation Filename │ │ │ │ New\STDSCHMX.GDL │ - │ │ Pattern │ │ │ │ │ - └─────────────────────┴───────────────────────────────┴───────┴──────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ - - [+] Group: Suspicious Process Creation - 
┌─────────────────────┬───────────────────────────────┬───────┬─────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────┐ - │ timestamp │ detections │ count │ Computer │ Image │ Command Line │ Parent Command Line │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-04-30 20:26:52 │ ‣ Encoded FromBase64String │ 1 │ IEWIN7 │ C:\Windows\System32\WindowsPowerShell\v1 │ powershell.exe -nop -w hidden -noni -c " │ C:\Windows\system32\cmd.exe /b /c start │ - │ │ │ │ │ .0\powershell.exe │ if([IntPtr]::Size -eq 4){$b='powershell. │ /b /min powershell.exe -nop -w hidden -n │ - │ │ │ │ │ │ exe'}else{$b=$env:windir+'\syswow64\Wind │ oni -c "if([IntPtr]::Size -eq 4){$b='pow │ - │ │ │ │ │ │ owsPowerShell\v1.0\powershell.exe'};$s=N │ ershell.exe'}else{$b=$env:windir+'\syswo │ - │ │ │ │ │ │ ew-Object System.Diagnostics.ProcessStar │ w64\WindowsPowerShell\v1.0\powershell.ex │ - │ │ │ │ │ │ tInfo;$s.FileName=$b;$s.Arguments='-noni │ e'};$s=New-Object System.Diagnostics.Pro │ - │ │ │ │ │ │ -nop -w hidden -c &([scriptblock]::crea │ cessStartInfo;$s.FileName=$b;$s.Argument │ - │ │ │ │ │ │ IO.MemoryStream(,[Convert]::FromBase64St │ ew-Object IO.Compression.GzipStream((New │ - │ │ │ │ │ │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVE │ -Object IO.MemoryStream(,[Convert]::From │ - │ │ │ │ │ │ rZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/ │ Base64String(''H4sIAIuvyFwCA7VW+2/aSBD+O │ - │ │ │ │ │ │ u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2Dx │ ZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0la │ - │ │ │ │ │ │ Crl3Gbhx9ZapgqKf... │ yP6kiEwOpsexgQCk... 
│ - │ │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ (use --full to show all content) │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-08-14 12:17:14 │ ‣ Encoded FromBase64String │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wscript.exe │ "c:\windows\system32\wscript.exe" /E:vbs │ "C:\Windows\system32\rundll32.exe" zipfl │ - │ │ ‣ Encoded IEX │ │ │ │ c:\windows\temp\icon.ico "powershell -e │ dr.dll,RouteTheCall shell:::{769f9427-3c │ - │ │ │ │ │ │ xec bypass -c ""IEX ([System.Text.Encodi │ c6-4b62-be14-2a705115b7ab} │ - │ │ │ │ │ │ ng]::ASCII.GetString([System.Convert]::F │ │ - │ │ │ │ │ │ romBase64String('JFhYPUlFWCgoJ1snICsgW2N │ │ - │ │ │ │ │ │ dOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNic │ │ - │ │ │ │ │ │ gKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDU │ │ - │ │ │ │ │ │ zICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZ │ │ - │ │ │ │ │ │ mICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyB │ │ - │ │ │ │ │ │ 7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1 │ │ - │ │ │ │ │ │ bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHY │ │ - │ │ │ │ │ │ vMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnN │ │ - │ │ │ │ │ │ lKCRkKTtJRVgoWyc... 
│ │ - │ │ │ │ │ │ │ │ - │ │ │ │ │ │ (use --full to show all content) │ │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2019-11-03 13:51:58 │ ‣ Suspicious Shells Spawn │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\cmd.exe │ "C:\Windows\system32\cmd.exe" /c set > c │ "c:\Program Files\Microsoft SQL Server\M │ - │ │ by SQL Server │ │ │ │ :\users\\public\netstat.txt │ SSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.ex │ - │ │ │ │ │ │ │ e" -sSQLEXPRESS │ - ├─────────────────────┼───────────────────────────────┼───────┼─────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────┤ - │ 2020-10-20 22:33:02 │ ‣ Trickbot Malware Activity │ 1 │ MSEDGEWIN10 │ C:\Windows\System32\wermgr.exe │ C:\Windows\system32\wermgr.exe │ rundll32.exe c:\temp\winfire.dll,DllRegi │ - │ │ │ │ │ │ │ sterServer │ - └─────────────────────┴───────────────────────────────┴───────┴─────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────┘ + [+] Group: Antivirus + ┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐ + │ timestamp │ detections │ Event ID │ Record ID │ Computer │ Threat Name │ Threat Path │ User │ + ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤ + │ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116 │ 37 │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. 
│ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │ + │ │ │ │ │ │ M │ red-team-master\atomics\T1056\ │ │ + │ │ │ │ │ │ │ Get-Keystrokes.ps1 │ │ + ├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤ + │ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117 │ 106 │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A │ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │ + │ │ │ │ │ │ │ red-team-master\atomics\T1086\ │ │ + │ │ │ │ │ │ │ payloads\test.xsl │ │ + └─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘ + + [+] Group: Log Tampering + ┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐ + │ timestamp │ detections │ Event ID │ Record ID │ Computer │ User │ + ├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤ + │ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102 │ 32853 │ WIN-77LTAPHIQ1R.example.corp │ Administrator │ + └─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘ + + [+] Group: Sigma + ┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐ + │ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe │ 1 │ Microsoft-Windows-Sysmon │ 18 │ 8046 │ IEWIN7 │ --- │ + │ │ │ │ │ │ │ │ Image: System │ + │ │ │ 
│ │ │ │ │ PipeName: "\\46a676ab7f179e511 │ + │ │ │ │ │ │ │ │ e30dd2dc41bd388" │ + │ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-D9C4-5CC │ + │ │ │ │ │ │ │ │ 7-0000-0010EA030000 │ + │ │ │ │ │ │ │ │ ProcessId: 4 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-04-29 20:59:14. │ + │ │ │ │ │ │ │ │ 430" │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service │ 1 │ Microsoft-Windows-Sysmon │ 13 │ 9806 │ IEWIN7 │ --- │ + │ │ Installations in Registry │ │ │ │ │ │ Details: "%%COMSPEC%% /b /c st │ + │ │ │ │ │ │ │ │ art /b /min powershell.exe -no │ + │ │ │ │ │ │ │ │ p -w hidden -noni -c \"if([Int │ + │ │ │ │ │ │ │ │ Ptr]::Size -eq 4){$b='powershe │ + │ │ │ │ │ │ │ │ ll.exe'}else{$b=$env:windir+'\ │ + │ │ │ │ │ │ │ │ \syswow64\\WindowsPowerShell\\ │ + │ │ │ │ │ │ │ │ v1.0\\powershell.exe'};$s=New- │ + │ │ │ │ │ │ │ │ Object System.Diagnostics.Proc │ + │ │ │ │ │ │ │ │ essStartInfo;$s.FileName=$b;$s │ + │ │ │ │ │ │ │ │ .Arguments='-noni -nop -w hidd │ + │ │ │ │ │ │ │ │ en -c &([scriptblock]::create( │ + │ │ │ │ │ │ │ │ (New-Object IO.StreamReader(Ne │ + │ │ │ │ │ │ │ │ w-Object IO.Compression.GzipSt │ + │ │ │ │ │ │ │ │ ream((New-Object IO.MemoryStre │ + │ │ │ │ │ │ │ │ am(,[Convert]::FromBase64Strin │ + │ │ │ │ │ │ │ │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ │ + │ │ │ │ │ │ │ │ H6P1... 
│ + │ │ │ │ │ │ │ │ (use --full to show all content) │ + │ │ │ │ │ │ │ │ EventType: SetValue │ + │ │ │ │ │ │ │ │ Image: "C:\\Windows\\system32\ │ + │ │ │ │ │ │ │ │ \services.exe" │ + │ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-2586-5CC │ + │ │ │ │ │ │ │ │ 9-0000-0010DC530000 │ + │ │ │ │ │ │ │ │ ProcessId: 460 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ TargetObject: "HKLM\\System\\C │ + │ │ │ │ │ │ │ │ urrentControlSet\\services\\he │ + │ │ │ │ │ │ │ │ llo\\ImagePath" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-04-30 20:26:51. │ + │ │ │ │ │ │ │ │ 934" │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt │ 1 │ Service Control Manager │ 7045 │ 10446 │ IEWIN7 │ --- │ + │ │ Strike Getsystem Service │ │ │ │ │ │ AccountName: LocalSystem │ + │ │ Installation │ │ │ │ │ │ ImagePath: "%COMSPEC% /c ping │ + │ │ │ │ │ │ │ │ -n 1 127.0.0.1 >nul && echo 'W │ + │ │ │ │ │ │ │ │ inPwnage' > \\\\.\\pipe\\WinPw │ + │ │ │ │ │ │ │ │ nagePipe" │ + │ │ │ │ │ │ │ │ ServiceName: WinPwnage │ + │ │ │ │ │ │ │ │ ServiceType: user mode service │ + │ │ │ │ │ │ │ │ StartType: demand start │ + ├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤ + │ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ Microsoft-Windows-Sysmon │ 11 │ 238375 │ alice.insecurebank.local │ --- │ + │ │ │ │ │ │ │ │ CreationUtcTime: "2019-06-21 0 │ + │ │ │ │ │ │ │ │ 6:53:03.227" │ + │ │ │ │ │ │ │ │ Image: "C:\\Users\\administrat │ + │ │ │ │ │ │ │ │ or\\Desktop\\x64\\Outflank-Dum │ + │ │ │ │ │ │ │ │ pert.exe" │ + │ │ │ │ │ │ │ │ ProcessGuid: ECAD0485-88C9-5D0 │ + │ │ │ │ │ │ │ │ C-0000-0010348C1D00 │ + │ │ │ │ │ │ │ │ ProcessId: 3572 │ + │ │ │ │ │ │ │ │ RuleName: "" │ + │ │ │ │ │ │ │ │ TargetFilename: "C:\\Windows\\ │ + 
│ │ │ │ │ │ │ │ Temp\\dumpert.dmp" │ + │ │ │ │ │ │ │ │ UtcTime: "2019-06-21 07:35:37. │ + │ │ │ │ │ │ │ │ 324" │ + └─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘ ## Table Of Contents @@ -98,6 +136,7 @@ Chainsaw provides a powerful ‘first-response’ capability to quickly identify - [Quick Start Guide](#quick-start-guide) - [Downloading and Running](#downloading-and-running) - [EDR and AV Warnings](#edr-and-av-warnings) + - [What Changed In Chainsaw v2](#what-changed-in-chainsaw-v2) - [Examples](#examples) - [Searching](#searching) - [Hunting](#hunting) @@ -116,7 +155,7 @@ At the time of writing, there are very few open-source, standalone tools that pr ## Hunting Logic ### Sigma Rule Matching -Using the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported: +Using the `--sigma` and `--mapping` parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw which fields in the event logs to use for rule matching. By default, Chainsaw supports a wide range of Event Log types, including but not limited to: |Event Type|Event ID | |--|--| 
@@ -130,6 +169,8 @@ Using the `--sigma` and `--mapping` parameters you can specify a directory conta |Scheduled Task Creation|4698| |Service Creation|7045| +See the mapping file for the full list of fields that are used for rule detection, and feel free to extend it to your needs. + ### Chainsaw Detection Rules In addition to supporting sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a `rules` directory that contains various Chainsaw rules that allows users to: @@ -163,7 +204,7 @@ git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git ``` and then run Chainsaw with the parameters below: ``` -./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml +./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml ``` ### EDR and AV Warnings 
@@ -171,6 +212,23 @@ When downloading and running chainsaw you may find that your local EDR / AntiVir These warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. "mimikatz"). We have also seen instances where the Chainsaw binary has been detected by a small subset of Anti-Virus engines likely due to some form of heuristics detection. +### What Changed In Chainsaw v2? + +In July 2022 we released version 2 of Chainsaw which is a major overhaul of how Chainsaw operates. Chainsaw v2 contains a number of significant improvements, including the following list of highlights: + + - An improved approach to mapping Sigma rules which results in a significant increase in the number of supported Chainsaw rules, and Event Log event types. + - Improved CLI output which shows a snapshot of all Event Data for event logs containing detections. + - Support for loading and parsing Event Logs in both JSON and XML format. + - Cleaner and simpler command line arguments for the Hunt and Search features. + - Additional optional output information, such as Rule Author, Rule Status, Rule Level etc. + - The ability to filter loaded rules by status, kind, and severity level. + - Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files + - A clean and rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions. + +If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the [releases section](https://github.com/countercept/chainsaw/releases), or you can access the source code in the [v1.1.7 branch](https://github.com/countercept/chainsaw/tree/v1.1.7). Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2. 
+ +A massive thank you to [@AlexKornitzer](https://twitter.com/AlexKornitzer?lang=en) who managed to convert Chainsaw v1's "Christmas Project" codebase into a polished product in v2. + ## Examples ### Searching @@ -255,15 +313,15 @@ These warnings are typically due to the example event logs and/or Sigma rules wh *Hunt through all evtx files using Sigma rules for detection logic* - ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml *Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder* - ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs.yml -r rules/ --csv --output results + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results *Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format* - ./chainsaw hunt evtx_attack_samples/ -s sigma_rules --mapping mappings/sigma-event-logs.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json + ./chainsaw hunt evtx_attack_samples/ -s sigma_rules --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json ### Acknowledgements - [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) by [@SBousseaden](https://twitter.com/SBousseaden)
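Review bot: the banner command in the `@@ -20,7 +20,7 @@` hunk, `./chainsaw hunt rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical`, passes the Chainsaw rules directory as the first positional argument, while every other command in this patch (the Quick Start hunk and the three Examples hunks) is written as `./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping ... -r rules/`. Pick one form for the README, or state explicitly that both are accepted, so a reader who copies the banner command and then the Quick Start command sees the same behaviour; the Sigma directory name also differs between the two (`sigma/rules` here, `sigma_rules/` elsewhere).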
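Review bot: the captured output in the `@@ -30,66 +30,104 @@` hunk reports `[+] Loading detection rules from: ../../rules/, /tmp/sigma/rules` and `[+] Loading event logs from: ../../evtx_attack_samples`, which are not the paths given by the command directly above it (`rules/`, `sigma/rules`, `evtx_attack_samples`). Re-capture the sample from the directory layout the command assumes, or edit the three `[+] Loading ...` lines to match, so the example is reproducible as shown; the rule counts (`Loaded 129 detection rules (198 not loaded)`) should then come from that same run.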
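Review bot: the TOC entry added in the `@@ -98,6 +136,7 @@` hunk reads `What Changed In Chainsaw v2`, while the heading it links to, added in the `@@ -171,6 +212,23 @@` hunk, is `### What Changed In Chainsaw v2?`. The `#what-changed-in-chainsaw-v2` anchor still resolves on GitHub, since punctuation is dropped when heading slugs are generated, but the entry text should match the heading exactly, as the other TOC entries do.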
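Review bot: the rewritten sentence in the `@@ -116,7 +155,7 @@` hunk now says the mapping file tells Chainsaw "which fields in the event logs to use for rule matching", but the table that immediately follows is still headed `|Event Type|Event ID |`, so it lists event IDs rather than fields, and the new lead-in "including but not limited to" leaves the reader unsure whether the table is the default set or only a sample. Either introduce the table as the event types covered by the default mapping, or move the field explanation to the sentence after the table. Also, "chainsaw" and "Chainsaw" both appear in the same sentence; use the capitalised form throughout.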
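Review bot: the new sentence in the `@@ -130,6 +169,8 @@` hunk, "See the mapping file for the full list of fields that are used for rule detection", does not name the file. Link the path the examples use, `mappings/sigma-event-logs-all.yml`, so readers extending the mapping do not have to infer the location from the command lines elsewhere in the README.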
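Review bot: the Quick Start command in the `@@ -163,7 +204,7 @@` hunk only swaps the mapping file name, so it still hunts with Sigma rules alone; since the v2 section added in this same patch says the inbuilt Chainsaw detection rules have been broken out into dedicated rule files, a first-time user following Quick Start will miss those detections unless `-r rules/` is added, as the second Examples command already does. Suggest `./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml -r rules/`, and, because every example in the patch replaces `sigma-event-logs.yml` with `sigma-event-logs-all.yml`, a one-line note for users upgrading scripts from v1 would help.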
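Review bot: a few wording fixes in the `@@ -171,6 +212,23 @@` hunk: "A clean and rewrite of Chainsaw's code" should read "A clean rewrite of Chainsaw's code"; "use the version 1 of Chainsaw" should drop the article; and the bullet "Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files" is the only item in the list without a trailing full stop. The highlight "Support for loading and parsing Event Logs in both JSON and XML format" is the one new capability not shown anywhere in the Examples section; a single command line demonstrating it would make the claim actionable.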
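Review bot: in the `@@ -255,15 +313,15 @@` hunk the third example passes `-s sigma_rules` without the trailing slash the two examples above it use (`-s sigma_rules/`); harmless, but worth aligning. The first and third descriptions say "using Sigma rules for detection logic" while only the second adds `-r rules/`; wording them as "using Sigma rules only" would make the absence of Chainsaw rules in those runs read as intentional rather than as an omission.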