Microsoft Defender / Antivirus detections removed in new releases
Hey guys,
I have observed that the latest version of Chainsaw no longer seems to report Microsoft Defender/AV detections.
I ran both v2.9.0 and v2.8.0 on the same log set, which I know contains a Microsoft Defender detection for CVE-2021-31207. The default raw output was redirected to a file for testing.
v2.9.0 vs v2.8.0:
As you can see, v2.8.0 indeed showed the Microsoft Defender detection, which is not the case for v2.9.0.
It also seems that with version 2.8.0, if you output your results to a CSV or JSON file, a specific file is created for AV detections, which is not the case with version 2.9.0.
Is there an explanation for this?
Thanks for your work!
Hey @AnthoLaMalice
Thanks for flagging this. I'll take a look next week and get back to you after I've figured out what's going on.
Does undoing this https://github.com/WithSecureLabs/chainsaw/commit/9e04039d571e64d8ef828be284bae2f2127a2860 change to the Chainsaw windows_defender.yml rule fix the behaviour?
It indeed seems like it fixed the issue:
Awesome, okay, that should not break it, but now we know where to look.
I tried to reproduce this using the same rules but only switching the Chainsaw version on Windows between v2.8.1 and v2.9.0, but I was unable to. They produced identical results apart from a few lines changing positions in the CSV, which is expected. 1116 and 1117 events appeared correctly when testing with EVTX Attack Samples.
I noticed in the screenshots you were using Linux so this may be a platform specific bug?
@AnthoLaMalice are you able to provide the event log so that I can try and replicate this behaviour?
@reece394 thank you for doing some further triage.
Yep, not able to replicate on my machine using the example EVTX files.
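The regression check the thread describes (run two Chainsaw versions over the same logs, then look for the Defender detection events 1116/1117 in each output) can be automated so that a missing detection is a reported diff rather than something spotted by eye. The script below is an added example and is not code from the Chainsaw project or from anyone in this thread. It assumes `chainsaw hunt --json` writes a JSON array of hits, each carrying the matched record under `document.data.Event` with `System.Provider.#attributes.Name`, `System.EventID` and `System.TimeCreated.#attributes.SystemTime`; the two sample outputs are constructed inline to mirror the report (v2.8.0 shows a 1116/1117 pair, v2.9.0 does not). If your JSON layout differs, the three accessor functions are the only thing to adjust.

```python
"""Regression check: Defender detections present in one Chainsaw JSON run but
absent from another.  Added example; assumes the hit layout described in the
lead-in (document.data.Event.System.*), which is not guaranteed by the page."""
import json
import sys

DEFENDER_PROVIDER = "Microsoft-Windows-Windows Defender"
# 1116 = malware/PUA detected, 1117 = action taken on that detection
DEFENDER_DETECTION_IDS = {1116, 1117}


def _system(hit):
    """Return the System block of the event carried by a hit, or {} if absent."""
    return hit.get("document", {}).get("data", {}).get("Event", {}).get("System", {})


def event_id(hit):
    """EventID as an int; tolerates both a bare number and the {'#text': n} form."""
    raw = _system(hit).get("EventID")
    if isinstance(raw, dict):
        raw = raw.get("#text")
    return int(raw) if raw is not None else None


def provider(hit):
    """Provider name, read from Provider.#attributes.Name when it is a dict."""
    prov = _system(hit).get("Provider", {})
    if isinstance(prov, dict):
        return prov.get("#attributes", {}).get("Name")
    return prov


def time_created(hit):
    """TimeCreated.#attributes.SystemTime, used to tell otherwise identical events apart."""
    created = _system(hit).get("TimeCreated", {})
    if isinstance(created, dict):
        return created.get("#attributes", {}).get("SystemTime")
    return created


def defender_detections(hits):
    """Set of (event_id, SystemTime) keys for Defender detection events among the hits."""
    keys = set()
    for hit in hits:
        if provider(hit) == DEFENDER_PROVIDER and event_id(hit) in DEFENDER_DETECTION_IDS:
            keys.add((event_id(hit), time_created(hit)))
    return keys


def missing_detections(baseline_json, candidate_json):
    """Detections the baseline run reported that the candidate run does not; empty means no regression."""
    baseline = defender_detections(json.loads(baseline_json))
    candidate = defender_detections(json.loads(candidate_json))
    return sorted(baseline - candidate)


def _hit(provider_name, eid, when):
    """Build one constructed hit in the assumed Chainsaw JSON layout (sample data, not real output)."""
    return {
        "document": {
            "kind": "evtx",
            "path": "Microsoft-Windows-Windows Defender%4Operational.evtx",
            "data": {"Event": {"System": {
                "Provider": {"#attributes": {"Name": provider_name}},
                "EventID": eid,
                "TimeCreated": {"#attributes": {"SystemTime": when}},
            }}},
        }
    }


# Constructed sample outputs mirroring the report: the older run carries the
# 1116/1117 pair plus an unrelated logon event, the newer run only the logon.
V280_OUTPUT = json.dumps([
    _hit(DEFENDER_PROVIDER, 1116, "2021-07-01T10:00:00.000000Z"),
    _hit(DEFENDER_PROVIDER, 1117, "2021-07-01T10:00:01.000000Z"),
    _hit("Microsoft-Windows-Security-Auditing", 4624, "2021-07-01T10:05:00.000000Z"),
])
V290_OUTPUT = json.dumps([
    _hit("Microsoft-Windows-Security-Auditing", 4624, "2021-07-01T10:05:00.000000Z"),
])


if __name__ == "__main__":
    # Usage: python check.py baseline.json candidate.json  (no args: use the samples above)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as old, open(sys.argv[2]) as new:
            baseline_text, candidate_text = old.read(), new.read()
    else:
        baseline_text, candidate_text = V280_OUTPUT, V290_OUTPUT
    for eid, when in missing_detections(baseline_text, candidate_text):
        print(f"MISSING in candidate: Defender event {eid} at {when}")
```

Keying on (EventID, SystemTime) rather than on the hit's rule name keeps the comparison independent of how a given Chainsaw version labels or groups the hit, which is what you want when the suspected change is in the rule file itself; a non-empty result pinpoints exactly which detection records the newer version dropped.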