WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Hunt with WEC/WEF #115

Closed Flexxi51 closed 1 year ago

Flexxi51 commented 1 year ago

Hello, I really like this project; I think it can be very useful. However, there is a problem when I try to use it. We centralize our logs via WEC, and once the logs are centralized, the "hunt" option no longer works, making the tool unusable for companies or centralized log solutions.

Here is an example with ForwardedEvents:

./chainsaw hunt ForwardedEventsExport/ForwardedEvents.evtx -s sigma-master/rules/windows/builtin/security --mapping mappings/sigma-event-logs-all.yml

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: sigma-master/rules/windows/builtin/security
[+] Loaded 150 detection rules (1 not loaded)
[+] Loading forensic artefacts from: ForwardedEventsExport/ForwardedEvents.evtx (extensions: .evtx, .evt)
[+] Loaded 1 forensic artefacts (54.6 MB)
[+] Hunting: [========================================] 1/1
[+] 0 Detections found on 0 documents

Thanks a lot

alexkornitzer commented 1 year ago

Hmm, I thought this was fixed upstream in the evtx parsing library but I guess there are still some samples that are not (https://github.com/WithSecureLabs/chainsaw/issues/25).

Without some sample files I can't really fix this. Are you able to provide any so that I can see what is going on?

Flexxi51 commented 1 year ago

I found the solution. My system is not in English, and when the logs are forwarded and parsed to JSON, a lot of key values like EventID become a string type, unlike a local event log, which provides an integer for the EventID value. So we need to edit the Sigma rule to match a string and not an int :)
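The type mismatch described in the comment above, as an added illustration that is not Chainsaw's own code: two constructed JSON event documents (a local one with an integer EventID, a forwarded one with a string EventID) are run through a strict comparison, which reproduces the "0 detections" result, and through a type-tolerant comparison that coerces numeric strings before matching. The rule format is a simplified stand-in for a Sigma selection, and `matches_strict`/`matches_tolerant` are hypothetical names, not Chainsaw's matcher.

```python
import json

# Constructed sample documents: a locally collected event (integer EventID)
# and a WEF-forwarded event whose numeric fields were serialised as strings.
LOCAL_EVENT = json.loads('{"Event": {"System": {"EventID": 4624, "Channel": "Security"}}}')
FORWARDED_EVENT = json.loads('{"Event": {"System": {"EventID": "4624", "Channel": "ForwardedEvents"}}}')

# Simplified stand-in for a Sigma selection: dotted field path -> expected value.
RULE = {"Event.System.EventID": 4624}


def get_field(doc, dotted_path):
    """Walk a dotted path into a nested dict; return None if any step is missing."""
    cur = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_strict(doc, rule):
    """Exact comparison: 4624 != "4624", so the forwarded event never matches."""
    return all(get_field(doc, path) == want for path, want in rule.items())


def normalise(value):
    """Coerce non-negative numeric strings (as seen in forwarded logs) to int."""
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return value


def matches_tolerant(doc, rule):
    """Compare after normalising both sides, so "4624" matches 4624."""
    return all(normalise(get_field(doc, path)) == normalise(want)
               for path, want in rule.items())


def count_detections(docs, rule, matcher):
    """Number of documents in `docs` that the given matcher flags for `rule`."""
    return sum(1 for d in docs if matcher(d, rule))


if __name__ == "__main__":
    docs = [LOCAL_EVENT, FORWARDED_EVENT]
    print("strict:  ", count_detections(docs, RULE, matches_strict))    # 1
    print("tolerant:", count_detections(docs, RULE, matches_tolerant))  # 2
```

Normalising the comparison avoids rewriting every rule to expect a string, which would in turn break matching against locally collected logs where the value is an integer.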