WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Issue with linux bash execution by multi directories #101

Closed KRUXLEX closed 1 year ago

KRUXLEX commented 1 year ago

Hi, when I want to hunt multiple directories I get some trouble with directory interpretation. Below I will show the problem:

└─$ ~/git/chainsaw/chainsaw hunt -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o ../suspect_logs.log dc-*/Logs                                                            130 ⨯

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: dc-1/Logs, /home/ubuntu/git/chainsaw/rules, /home/ubuntu/git/chainsaw/sigma_rules
[+] Loaded 7064 detection rules (783 not loaded)
[+] Loading event logs from: dc-2/Logs, dc-3/Logs, dc-4/Logs (extensions: .evtx)
[+] Loaded 94 EVTX files (12.2 GB)
[+] Hunting: [----------------------------------------] 0/94 ⠴
^C

Like you see, the first hunted directory is added to detection rules... Why? It isn't after switch -r or -s.

I tried many combinations and the effect is the same:

└─$ ~/git/chainsaw/chainsaw hunt -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o ../suspect_logs.log dc-*/Logs
└─$ ~/git/chainsaw/chainsaw hunt -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o ../suspect_logs.log ./dc-*/Logs
└─$ ~/git/chainsaw/chainsaw hunt ./dc-*/Logs -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o ../suspect_logs.log
└─$ ~/git/chainsaw/chainsaw hunt dc-*/Logs -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o ../suspect_logs.log
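As an added illustration (not part of the original issue and not chainsaw's own code), the script below shows two things a reader reproducing this report may want: how to preview exactly which positional arguments a shell glob such as `dc-*/Logs` expands to before they reach the binary, and a workaround that runs one `chainsaw hunt` per directory so every invocation carries exactly one positional event-log path. It assumes only what the commands above already show (chainsaw accepts a single positional path after its options); `CHAINSAW_BIN`, `RULES_DIR`, `SIGMA_DIR` and `MAPPING` are placeholder environment variables chosen for this example, not chainsaw configuration.

```shell
#!/bin/sh
# Constructed example: inspect glob expansion and hunt each directory
# separately. CHAINSAW_BIN / RULES_DIR / SIGMA_DIR / MAPPING are
# assumed placeholders for this script, not chainsaw's own settings.

# preview_args: print one argument per line so the effect of shell glob
# expansion (e.g. dc-*/Logs -> dc-1/Logs dc-2/Logs ...) is visible.
preview_args() {
    printf '%s\n' "$@"
}

# hunt_each OUT_DIR DIR...: run chainsaw hunt once per directory with a
# single positional path, writing one output file per source directory.
# Prints the number of invocations made so callers can check coverage.
hunt_each() {
    out_dir="$1"; shift
    bin="${CHAINSAW_BIN:-chainsaw}"
    count=0
    for dir in "$@"; do
        # skip anything the glob matched that is not a directory
        [ -d "$dir" ] || continue
        # derive a filesystem-safe output name (dc-1/Logs -> dc-1_Logs)
        name=$(printf '%s' "$dir" | tr '/' '_')
        "$bin" hunt \
            -r "${RULES_DIR:-rules}" \
            -s "${SIGMA_DIR:-sigma_rules}" \
            -m "${MAPPING:-mappings/sigma-event-logs-all.yml}" \
            --full --column-width 320 \
            -o "$out_dir/$name.log" \
            "$dir"
        count=$((count + 1))
    done
    echo "$count"
}

# Example usage (only runs when RUN_HUNT is set, so sourcing the file
# for its functions is side-effect free):
#   RUN_HUNT=1 sh hunt_each.sh
if [ -n "${RUN_HUNT:-}" ]; then
    preview_args dc-*/Logs
    mkdir -p hunt_out
    hunt_each hunt_out dc-*/Logs
fi
```

Running `preview_args dc-*/Logs` first makes it obvious that the pattern becomes several separate positional arguments, which is the situation the report describes; `hunt_each` sidesteps the question of how the binary assigns those positionals by never passing more than one.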