WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Tau for multiple variables? #170

Closed Sil3ntgh0st closed 2 months ago

Sil3ntgh0st commented 2 months ago

There is a lot of documentation for tau regarding eventID, where would one go to learn how to use tau's structure? For example, I'm trying to use "Event.EventData.TargetUserName" and "Event.System.EventID". Is there a way to do that?

Sil3ntgh0st commented 2 months ago

Things I've tried were:

FranticTyping commented 2 months ago

Hey @Sil3ntgh0st

Thanks for raising this issue, I agree that there is a lack of documentation for how to use inline TAU. We'll try and get some more examples added to the README.

To answer your question, you can supply the '-t' flag multiple times to supply TAU search rules:

./chainsaw search -t 'Event.System.EventID: =4688' -t 'Event.EventData.TargetUserName: 01566S-WIN16-IR$' ~/EVTX-ATTACK-SAMPLES

By default these will have a logical AND applied, e.g. THIS AND THAT. You can change this to a logical OR, e.g. THIS OR THAT, by adding the --match-any flag:

./chainsaw search -t 'Event.System.EventID: =4625' -t 'Event.System.EventID: =4624' --match-any ~/EVTX-ATTACK-SAMPLES

Sil3ntgh0st commented 2 months ago

That worked great! Thank you so much! This made chainsaw an even stronger tool for me.

This is more of a curiosity, but is it possible to do a (THIS OR THAT) AND THAT2?

alexkornitzer commented 2 months ago

Not easily as the -t argument is a reduced syntax of Tau, currently just key/value pairs. We could potentially extend it to support more of Tau but then it would most likely be implemented as single line YAML. If this would be useful we can add it to the todo list.

Sil3ntgh0st commented 2 months ago

It's okay, I don't really have many, if any, use cases for that kind of logic. I was just wondering what the current extent is regarding tau arguments. I really appreciate the quick responses too!

The way chainsaw is now is good for me,

alexkornitzer commented 2 months ago

Ah gotcha, yeah I would probably say writing Chainsaw rules is the best way to do that, as you get the full syntax; just run them via hunt.

Maybe we can extend search with full Tau support at a later date then :)

I'll close this out for now though if that's okay.
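As an added illustration of the "(THIS OR THAT) AND THAT2" question and the suggested answer (write a Chainsaw rule and run it via hunt), here is a worked rule that is not from the thread or the project's rule set. It reuses the event IDs and target account from the search commands above and models the condition `(4624 OR 4625) AND TargetUserName`. The rule layout (`kind`, `fields`, `filter`/`condition` with named key/value groups) follows the Chainsaw rule format as the editor recalls it and should be checked against the rules shipped in the repository; the title, group, author and the assumption that parentheses are accepted inside `condition` are the editor's, and the account name is a constructed sample value.

```yaml
---
# Worked example, not a rule from the chainsaw repository.
# Demonstrates (success OR failure) AND target, which the
# reduced key/value syntax of `search -t` cannot express.
title: Logon Attempts Against A Specific Account
group: Worked Example
description: >
  Matches a successful (4624) or failed (4625) logon whose target
  account is 01566S-WIN16-IR$ (constructed sample value).
authors:
  - editor example

kind: evtx
level: info
status: experimental
timestamp: Event.System.TimeCreated

# Columns shown in the hunt output for each matching event.
fields:
  - name: Event ID
    to: Event.System.EventID
  - name: Record ID
    to: Event.System.EventRecordID
  - name: Computer
    to: Event.System.Computer
  - name: Target User
    to: Event.EventData.TargetUserName
  - name: Logon Type
    to: Event.EventData.LogonType

# Each named block is a set of key/value matches (ANDed within
# the block); `condition` combines the blocks with the full
# boolean syntax. Parentheses assumed to be supported here.
filter:
  condition: (success or failure) and target
  success:
    Event.System.EventID: 4624
  failure:
    Event.System.EventID: 4625
  target:
    Event.EventData.TargetUserName: '01566S-WIN16-IR$'
```

Save it as, for example, logon-for-account.yml and run it with `./chainsaw hunt ~/EVTX-ATTACK-SAMPLES -r logon-for-account.yml`; the `-r` flag points hunt at Chainsaw-format rules (a file or a directory), as opposed to `-s`, which is for Sigma rules. Compared with the two `search -t` commands in the thread, the rule gives the OR between the two event IDs and the AND with the account in a single pass, and the `fields` block controls which columns appear in the output table.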