WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

--json output path not working for hunts #60

Closed 0x90v1 closed 2 years ago

0x90v1 commented 2 years ago

I'm trying to generate a JSON output file. Unfortunately it seems not to work, because it's not allowed to add a path after --json, like --json C:\TEMP\test.json

Expected behavior: If I'm running the command: "chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml" --json C:\xyz\xyz\xyz\chainsaw\output.json I would expect output.json in the folder C:\xyz\xyz\xyz\chainsaw\.

Actual behavior: If I'm running the command: "chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml" --json C:\xyz\xyz\xyz\chainsaw\output.json

I get the following "error" dialog: error: Found argument 'C:\xyz\xyz\xyz\chainsaw\output.json' which wasn't expected, or isn't valid in this context

If I'm running it without a path, like: "chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml" --json

It's working, but it prints the JSON to the console, which is not what I expect from this parameter.

Could you maybe have a look at it?

Thanks already and many greetings

fscc-alexkornitzer commented 2 years ago

Hi @0x90v1,

I believe the issue you are having is due to the out-of-date README. With the latest Chainsaw, the saving of JSON output is now done with file redirection, such as ... -j > ./output.json.

0x90v1 commented 2 years ago

Hey Alex, thanks for your response. Unfortunately I'm running into strange problems with my deployment of chainsaw if I have to pipe the output like that. I'm using Velociraptor to deploy chainsaw and collect the logs. Wouldn't it be possible to re-enable the parameter --json as it was before?

alexkornitzer commented 2 years ago

Hmm okay, rather than reverting, I'll see if we can add an --output arg for when piping is not possible. I'll add it to my list.

0x90v1 commented 2 years ago

Cool, thanks a lot already 👍

FranticTyping commented 2 years ago

Hi @0x90v1 ,

I've merged #64 into master and kicked off a new build for v1.1.6.

This should resolve this issue, but if it doesn't please feel free to re-open this issue.

0x90v1 commented 2 years ago

Hey everyone, I just tested the v1.1.6 build and it seems that the error is still the same as soon as I put the --json with an output file in it:

If I'm running the command: "chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml" --json C:\xyz\xyz\xyz\chainsaw\output.json

I get the following "error" dialog: error: Found argument 'C:\xyz\xyz\xyz\chainsaw\output.json' which wasn't expected, or isn't valid in this context

FranticTyping commented 2 years ago

Hi @0x90v1

The --json flag just tells chainsaw to change the output type to JSON. It doesn't take a parameter for where to save the file.

The PR above introduced the --output param which allows you to specify an output file for Chainsaw to save the output into.

Using these two params together should now allow you to achieve what you need:

-> % ./chainsaw hunt /tmp/chainsaw/evtx_attack_samples --rules /tmp/chainsaw/sigma_rules/rules --mapping /tmp/chainsaw/mapping_files/sigma-mapping.yml --json --output foo.json

[+] Found 268 EVTX files
[+] Converting detection rules...
[+] Loaded 1002 detection rules (216 were not loaded)
[+] Hunting: [========================================] 268/268

[+] 520 Detections found

The above will create foo.json which contains the JSON output created by chainsaw. Does this solve the issue you were experiencing?
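The reason `-j > ./output.json` breaks under a deployment tool such as Velociraptor, and `--json --output foo.json` does not, is that redirection is a shell feature: an agent that execs the binary directly hands `>` to chainsaw as a literal argument, which is exactly the "wasn't expected" error quoted above. The following is an added example (not code from the thread, from Chainsaw or from Velociraptor) of a wrapper that invokes the hunt without a shell, using only the `hunt`, `--rules`, `--mapping`, `--json` and `--output` arguments shown in the thread. The helper names, the dry-run switch and the sample JSON it writes are constructed for illustration and assume nothing about Chainsaw's output schema beyond the file being a JSON document.

```python
"""Invoke Chainsaw's hunt from a wrapper without a shell.

Added example; not Chainsaw's or Velociraptor's own code.  The CLI flags
are the ones shown in the issue thread; every function name and the sample
output written by demo() are constructed for illustration.
"""
import json
import subprocess
import tempfile
from pathlib import Path

SHELL_OPERATORS = {">", ">>", "|", "2>", "&>"}


def build_hunt_argv(chainsaw, evtx_dir, rules, mapping, output):
    """Return argv for `chainsaw hunt` as a list: no shell, no redirection.

    Each path is its own element, so spaces and Windows backslashes reach
    chainsaw unchanged and nothing is re-parsed by a shell.  --output is what
    writes the file; --json only selects the format.
    """
    return [
        str(chainsaw), "hunt", str(evtx_dir),
        "--rules", str(rules),
        "--mapping", str(mapping),
        "--json",
        "--output", str(output),
    ]


def has_shell_redirect(argv):
    """True if argv contains a shell operator that would be passed literally.

    Without a shell, '>' is not redirection: chainsaw receives it as an
    argument and rejects it ("Found argument '>' which wasn't expected").
    """
    return any(a in SHELL_OPERATORS for a in argv)


def run_hunt(argv, dry_run=False):
    """Run the argv list (shell=False, the subprocess default) and return the
    exit code.  dry_run skips the exec so this can run without a chainsaw
    binary; the redirect check still applies.
    """
    if has_shell_redirect(argv):
        raise ValueError("shell redirection has no meaning without a shell; use --output")
    if dry_run:
        return 0
    proc = subprocess.run(argv, check=False, capture_output=True, text=True)
    return proc.returncode


def load_output(path):
    """Load the --output file and return the parsed JSON.

    Raises if the file is missing or empty: an absent or zero-byte file means
    the hunt never wrote its results, and the collector should flag it rather
    than ship an empty artefact.
    """
    p = Path(path)
    if not p.exists() or p.stat().st_size == 0:
        raise FileNotFoundError(f"no output written at {p}")
    return json.loads(p.read_text(encoding="utf-8"))


def demo():
    """Build the argv, dry-run it, then stand in for chainsaw by writing a
    constructed JSON file and loading it back.  Returns (argv, parsed)."""
    tmp = Path(tempfile.mkdtemp())
    out = tmp / "output.json"
    argv = build_hunt_argv(
        r"C:\xyz\xyz\xyz\chainsaw\chainsaw.exe",
        r"C:\Windows\System32\winevt\Logs",
        r"C:\xyz\xyz\xyz\chainsaw\sigma_rules",
        r"C:\xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml",
        out,
    )
    rc = run_hunt(argv, dry_run=True)
    # Constructed stand-in for what chainsaw would write with --json --output;
    # the field names are illustrative, not Chainsaw's real schema.
    sample = [{"rule": "constructed-rule-1"}, {"rule": "constructed-rule-2"}]
    out.write_text(json.dumps(sample), encoding="utf-8")
    return argv, load_output(out) if rc == 0 else None


if __name__ == "__main__":
    argv, parsed = demo()
    print(" ".join(argv))
    print(f"{len(parsed)} records loaded")
```

In a Velociraptor artifact the same idea applies: pass the path via --output as its own argument rather than relying on a shell to interpret `>`, then collect the file once the process has exited with code 0.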

0x90v1 commented 2 years ago

indeed that's working :-) Thanks a lot for that change and input. You are doing great!