WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0
2.77k stars 251 forks

Search feature doesn't parse backslashes #152

Closed b0s0z0ku closed 10 months ago

b0s0z0ku commented 10 months ago

Hi, using the Chainsaw search command on Sysmon\Operational.evtx logs, it seems that special characters are not interpreted. For example, looking for a specific user: chainsaw.exe --no-banner search -i -e 'DOMAIN\Administrator' .\Microsoft-Windows-Sysmon%4Operational.evtx --json

This provides no results despite the fact that there are multiple entries. When removing the domain part ("DOMAIN\"), everything works fine. I've tried with regex or string, -e or not, etc.

Thanks for your help. Regards. Chainsaw version: 2.8.1

alexkornitzer commented 10 months ago

Nice spot. It's using the Regex library, so the -e expression should be -e 'DOMAIN\\Administrator', but due to the hack applied in the searcher to turn everything into a string when no key is provided (by calling JSON on it) it's doubling up the backslashes, which will clearly need fixing. For now the workaround is to double up to match, so -e 'DOMAIN\\\\Administrator' should work.
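The comment above describes two separate escaping layers: the regex engine consumes one backslash, and JSON-serialising the event before searching turns every backslash in the data into two. The following is an added Python model of that behaviour written for this page; it is not Chainsaw's code and does not use its internals. The event record, the two search functions and the ignore_case switch are all constructed for the illustration. It also shows why the original pattern 'DOMAIN\Administrator' can never match: in the regex dialects of both Python and Rust, \A is a start-of-text anchor, not a literal backslash followed by A.

```python
import json
import re

# Constructed sample event, loosely shaped like a Sysmon Operational record.
# Not real log data; only the User field matters for the demonstration.
SAMPLE_EVENT = {
    "Event": {
        "System": {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational"},
        "EventData": {
            "Image": "C:\\Windows\\System32\\cmd.exe",
            "User": "DOMAIN\\Administrator",   # one real backslash in memory
        },
    }
}


def search_json_blob(event, pattern, ignore_case=False):
    """Model of the behaviour described in the issue (not Chainsaw's code):
    with no key given, the whole event is serialised to JSON and the regex is
    run over that text. JSON encoding writes every backslash as two characters,
    so a regex written to match one literal backslash no longer matches."""
    flags = re.IGNORECASE if ignore_case else 0
    blob = json.dumps(event)  # "DOMAIN\\Administrator" becomes DOMAIN\\\\Administrator in the text
    return re.search(pattern, blob, flags) is not None


def search_values(event, pattern, ignore_case=False):
    """Alternative approach (an assumption, not the project's fix): walk the
    parsed event and run the regex against each string leaf as-is, so one
    escaped backslash in the pattern matches one backslash in the data."""
    flags = re.IGNORECASE if ignore_case else 0
    regex = re.compile(pattern, flags)

    def walk(node):
        if isinstance(node, dict):
            return any(walk(v) for v in node.values())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return isinstance(node, str) and regex.search(node) is not None

    return walk(event)


if __name__ == "__main__":
    # What the reporter typed: \A is a start-of-text anchor, so this cannot
    # match "DOMAIN" followed by a backslash in either search mode.
    naive = r"DOMAIN\Administrator"
    # Correct regex for the literal text DOMAIN\Administrator: one escaped backslash.
    single = r"DOMAIN\\Administrator"
    # Workaround from the comment above: escape again to match the JSON-encoded text.
    double = r"DOMAIN\\\\Administrator"

    for label, pat in (("naive", naive), ("single", single), ("double", double)):
        print(f"{label:6} json blob: {search_json_blob(SAMPLE_EVENT, pat)!s:5}  "
              f"field values: {search_values(SAMPLE_EVENT, pat)}")
```

Running it shows the asymmetry the maintainer describes: against the JSON blob only the doubly escaped pattern matches, while against the decoded field values only the singly escaped pattern does, so a user cannot write one expression that works for both until the serialisation step is removed from the search path.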

b0s0z0ku commented 10 months ago

Hi @alexkornitzer, and thanks a lot for taking care of this issue and your quick answer about that! I really appreciate the work and really love Chainsaw; this tool is so awesome! Regards