WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0
2.85k stars 261 forks

Feature Request: Ability to Filter the Output View #187

Open IppSec opened 1 week ago

IppSec commented 1 week ago

This primarily comes from working with registry files, as there is just so much data displayed per key that it makes analysing a dump or working with hunts painful. I wrote the following jq to get the data I like to see from the dump:

cat NTUSER.json | jq '.[] | {
  time: .detail.Light.last_key_written_date_and_time.interpreted, 
  path: .path} 
  + (if .sub_values then (.sub_values[] | {
    type: .data_type, 
    name: .value_name, 
    value: .value
  }) else {} end)'

I could see this being useful with the hunt, as it would be possible to create YML that just has a location like SOFTWARE\Microsoft\Windows\CurrentVersion\Run and be able to easily see all the startup items. Right now, if you tried something like that, there is way too much noise to make sense of any of the data.

alexkornitzer commented 1 week ago

I assume for the above that is you running the Chainsaw dump command to output JSON then piping to JQ?

Just to clarify, is this an extension of or the same as #185? Or are you suggesting something different, like the ability to run global formatting filters across the data output from hunt? Or, to phrase this another way, how do you see this being applied to the hunt command?

IppSec commented 1 week ago

Yes, the jq was against the dump output. I think it's an extension of #185 - I was thinking of an argument that works with dump/hunt/search that takes in a YAML file and filters the output based upon those parameters.

The YAML would have a match var so you can specify hive, evtx, mft, etc., then a filter where you put the variables you want.

That make sense/sound reasonable?
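A small Python version of the projection IppSec's jq performs, extended toward the match/filter view he proposes above. This is an added example, not Chainsaw's code or anything from the thread: the record layout is inferred from the jq, the sample records are constructed, and RUN_KEY_VIEW, apply_view, flatten and dig are hypothetical names standing in for the proposed YAML and its handling.

```python
import json

# Constructed sample shaped like the fields the issue's jq reads from a
# Chainsaw registry dump (the nesting is inferred from that jq, not from a real dump).
SAMPLE_DUMP = json.loads(r'''[
 {"path": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
  "detail": {"Light": {"last_key_written_date_and_time": {"interpreted": "2024-01-02T03:04:05Z"}}},
  "sub_values": [
    {"data_type": "REG_SZ", "value_name": "OneDrive", "value": "C:\\Users\\u\\OneDrive.exe /background"},
    {"data_type": "REG_SZ", "value_name": "Updater", "value": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"}]},
 {"path": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer",
  "detail": {"Light": {"last_key_written_date_and_time": {"interpreted": "2023-12-31T00:00:00Z"}}}}
]''')

# Hypothetical stand-in for the proposed YAML: a match section (artefact kind
# and key path) plus a filter listing the flattened fields to keep.
RUN_KEY_VIEW = {
    "match": {"artefact": "hive", "path_suffix": "CurrentVersion\\Run"},
    "filter": ["time", "path", "name", "value"],
}

def dig(obj, *keys):
    """Walk nested dicts, returning None instead of raising when a key is absent."""
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return None
        obj = obj[k]
    return obj

def flatten(record):
    """Yield one row per registry value, like the jq's '+ (.sub_values[] | {...})'."""
    base = {"time": dig(record, "detail", "Light", "last_key_written_date_and_time", "interpreted"),
            "path": record.get("path")}
    for sv in record.get("sub_values") or [{}]:  # a key with no values still yields one row
        yield {**base, "type": sv.get("data_type"), "name": sv.get("value_name"), "value": sv.get("value")}

def apply_view(records, view, artefact="hive"):
    """Keep rows whose key path ends with the configured suffix, projected to the filter fields."""
    if view["match"]["artefact"] != artefact:
        return []  # the view targets a different artefact kind (e.g. evtx, mft)
    suffix = view["match"]["path_suffix"].lower()
    rows = (row for rec in records for row in flatten(rec))
    return [{k: row.get(k) for k in view["filter"]}
            for row in rows if (row["path"] or "").lower().endswith(suffix)]

if __name__ == "__main__":
    for row in apply_view(SAMPLE_DUMP, RUN_KEY_VIEW):
        print(json.dumps(row))
```

Run against the constructed sample, the Explorer key is dropped and each Run value becomes one row with only the time, path, name and value fields, which is the low-noise startup-item listing the request describes.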

alexkornitzer commented 1 week ago

Okay, so we can do this with the mapping files and the Chainsaw rules already, but obviously it's limited, as noted by the issue above. We can add something a bit more global, I guess, as a sort of data shape mutator, but that will need a bit of thought as to how it's exposed and implemented.