WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Looking for clarity for mft yaml 'filter' issue #148

Open gr3y56 opened 10 months ago

gr3y56 commented 10 months ago

I'm working on a particular issue where the use of chainsaw has been very welcome and essential, but I'm unfamiliar with a great deal in cybersecurity. For the sake of redundancy this particular feature seemed helpful. Is there a particular reason it isn't working, and are there any solutions that I may not be readily aware of?

alexkornitzer commented 10 months ago

Hey @gr3y56, which issue are you referring to? Are you able to explain what is not working? If so then I should be able to assist.

gr3y56 commented 10 months ago

This is the command I'm running:

```
./chainsaw_x86_64-pc-windows-msvc.exe hunt -s sigma/ --mapping mappings/sigma-mft-logs-all.yml C:/Windows/System32/winevt/Logs --from 2023-11-18T17:00:00 --to 2023-11-19T01:45:00 --full
```

This is the output I'm getting in return:

```
[+] Loading detection rules from: sigma/
[!] Loaded 3040 detection rules (339 not loaded)
[x] Provided mapping file is invalid - groups[0]: missing field filter at line 8 column 5
```

I looked into the yml file and I see that there's a comment hinting at the possibility that this is a known issue. I don't necessarily get it? Line 8 column 5 is just after the comment `## TODO: Flesh this out... but sigma does not seem geared for this?`

alexkornitzer commented 10 months ago

Right, okay. So I never did the initial MFT work, but from looking over it, the reason the mapping file is empty is because there is no easy way to map the Sigma rules onto an MFT; they all appear to be very event-log centric. I think what I will do is remove that mapping file as it just causes confusion. That being said, you can still dump or search an MFT with the following commands, or rules could be written to hunt MFTs.

```
chainsaw dump ~/Downloads/mft.bin

# or

chainsaw search -t 'FullPath: *Teams.exe' ~/Downloads/mft.bin
```
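To show what the two filters used in this thread actually do, here is an added example (not chainsaw's own code, and not from either participant) that emulates a `Field: glob` search term like `FullPath: *Teams.exe` together with the `--from`/`--to` time window from the original `hunt` command, over a few constructed MFT-like records. `FullPath` is the field name from the thread; the `LastModified` timestamp field, the record shape and the sample paths are assumptions made for the example.

```python
"""Added example, not chainsaw's own code: emulate a chainsaw-style
'Field: glob' search term and a --from/--to time window over constructed
MFT-like records. FullPath comes from the thread; every other field name
and the sample values are assumptions."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample records shaped like a JSON dump of MFT entries.
# The 'LastModified' field name is an assumption for this example.
SAMPLE_MFT = [
    {"FullPath": r"Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "LastModified": "2023-11-18T18:12:00Z"},
    {"FullPath": r"Users\alice\Downloads\Teams.exe",
     "LastModified": "2023-11-19T03:00:00Z"},
    {"FullPath": r"Windows\System32\cmd.exe",
     "LastModified": "2023-11-18T20:00:00Z"},
]


def parse_search_term(term: str):
    """Split 'Field: pattern' (the shape used with `chainsaw search -t`)
    into (field, pattern). Only the first colon separates the two, so a
    pattern may itself contain a drive-letter colon."""
    field, sep, pattern = term.partition(":")
    if not sep or not field.strip():
        raise ValueError(f"expected 'Field: pattern', got {term!r}")
    return field.strip(), pattern.strip()


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values (as given on the
    --from/--to command line) are assumed to be UTC."""
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def field_matches(record: dict, field: str, pattern: str) -> bool:
    """Case-sensitive shell-style glob match ('*' also spans path separators)."""
    value = record.get(field)
    return isinstance(value, str) and fnmatchcase(value, pattern)


def in_window(record: dict, ts_field: str, start: datetime, end: datetime) -> bool:
    """True when the record's timestamp lies inside [start, end]; records
    without a timestamp are dropped rather than silently kept."""
    raw = record.get(ts_field)
    if raw is None:
        return False
    return start <= parse_ts(raw) <= end


def search(records, term, ts_field="LastModified", start=None, end=None):
    """Return the records whose `term` field matches, optionally restricted
    to a --from/--to style window on `ts_field`."""
    field, pattern = parse_search_term(term)
    hits = []
    for rec in records:
        if not field_matches(rec, field, pattern):
            continue
        if start is not None and end is not None and not in_window(rec, ts_field, start, end):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # Same term as the thread, then narrowed to the hunt command's window.
    for hit in search(SAMPLE_MFT, "FullPath: *Teams.exe"):
        print("match:", hit["FullPath"])
    window = search(SAMPLE_MFT, "FullPath: *Teams.exe",
                    start=parse_ts("2023-11-18T17:00:00"),
                    end=parse_ts("2023-11-19T01:45:00"))
    print("in window:", [h["FullPath"] for h in window])
```

The point of the window check is the one a responder cares about: the copy of `Teams.exe` written outside the incident window drops out when `--from`/`--to` are applied, so widen or remove the window deliberately rather than assuming the search saw every entry.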