WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0
2.85k stars 260 forks

Documentation or guidance on expanding Chainsaw's functionality #69

Open tomnewman86 opened 2 years ago

tomnewman86 commented 2 years ago

Hello,

Would it be possible for some documentation or guidance on how to expand the functionality of Chainsaw using sigma rules and chainsaw's mapping file?

I've spoken with a number of people in the DFIR community who would love to be able to contribute and build on what is already an amazing tool but have struggled to understand how to write new rules and then map them to Chainsaw's output (myself included!).

I'd be more than happy to collate some ideas for detection rules if that would help the process in any way.

Any help, support or resource you can offer would be greatly appreciated.

Many thanks

Tom

AndrewRathbun commented 2 years ago

I echo everything above. Potential contributor here but haven't yet been able to grasp how to expand Chainsaw's functionality on my own.

FranticTyping commented 2 years ago

Thanks for raising this issue, this is really valuable feedback.

I'll work on building out some clearer documentation on how chainsaw uses the mapping file to apply the Sigma rule logic.

AndrewRathbun commented 2 years ago

> Thanks for raising this issue, this is really valuable feedback.
>
> I'll work on building out some clearer documentation on how chainsaw uses the mapping file to apply the Sigma rule logic.

Thank you so much. A walkthrough of even an existing mapping with commentary would be very useful. I'd be happy to provide feedback as I attempt to build out further detections.

Thank you 👍

tomnewman86 commented 2 years ago

> Thanks for raising this issue, this is really valuable feedback.
>
> I'll work on building out some clearer documentation on how chainsaw uses the mapping file to apply the Sigma rule logic.

That's brilliant. Thank you.

As Andrew has said above, I'm more than happy to run tests and provide feedback on any/all support you can offer.

bmmojo commented 2 years ago

@FranticTyping Just curious if you have an estimated time of arrival (ETA) of when that documentation would come out? Similar to @tomnewman86 and @AndrewRathbun, I was trying to figure out how to expand the current Sigma rule and mapping file and create custom rules/mapping in Chainsaw. I was sad when Chainsaw didn't alert on ProxyShell threat in these event logs I had.

FranticTyping commented 2 years ago

I took a stab at improving some of the documentation today.

Check out the 'How to add support for more rules' section of the readme (it's at the bottom) in the "documentation_improvements" branch and let me know if that helps at all.

Please let me know if anything is unclear or if you'd like me to expand/add any more information!

tomnewman86 commented 2 years ago

> I took a stab at improving some of the documentation today.
>
> Check out the 'How to add support for more rules' section of the readme (it's at the bottom) in the "documentation_improvements" branch and let me know if that helps at all.
>
> Please let me know if anything is unclear or if you'd like me to expand/add any more information!

This is very much appreciated James. I'll put some time aside to go through it, absorb it and then attempt to build some new rules.

I'll report back as soon as I've had an attempt, with any comments or questions.

Thank you for taking the time to do this.

AndrewRathbun commented 2 years ago

@FranticTyping Definitely a great start! I'll digest this further (as I'm sure others will) as we re-attempt furthering Chainsaw's functionality.

One thing I did want to pass on was when trying to identify which fields may be of relevance, you could provide a link to a repo I've been doing lots of work on. I hate to come off as self-promotional, but the repo was created exactly for use cases like this one. Link here: https://github.com/nasbench/EVTX-ETW-Resources

For example, here's where, in the Security-Auditing provider, all the possible fields for a 4624 event are documented.

This could aid those who are doing research on which events log what for which version of Windows, and help better determine whether it's worth creating a mapping in Chainsaw. Every version of Windows (Consumer) since Windows 7, including Server, is covered here, with more added as time goes on and Microsoft releases new ISOs.

Cheers and thanks again for your assistance with this!
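The two things this thread keeps circling back to are (a) how a mapping file translates the field names a Sigma rule uses into the paths those fields actually live at in an event record, and (b) which fields a given event (such as 4624) even carries. The following is an added illustrative model of that translation step, written for this thread; it is not Chainsaw's mapping format or detection engine, and the mapping table, the rule, and the 4624-style event are all constructed for the demonstration. It shows why a rule that names a field the mapping does not cover can never fire, which is the usual reason a new rule appears to do nothing.

```python
"""Illustrative model of how a field mapping lets a Sigma-style rule match a
Windows event. Added example: mapping, rule and event are constructed and do
not reproduce Chainsaw's own mapping format or engine."""
import copy

# Constructed mapping for one provider: Sigma taxonomy field name (left) ->
# dotted path into the event record (right). A real mapping file carries one
# such table per provider / log source.
SECURITY_MAPPING = {
    "provider": "Microsoft-Windows-Security-Auditing",
    "fields": {
        "EventID": "Event.System.EventID",
        "Computer": "Event.System.Computer",
        "TargetUserName": "Event.EventData.TargetUserName",
        "LogonType": "Event.EventData.LogonType",
        "IpAddress": "Event.EventData.IpAddress",
    },
}

# Constructed Sigma-style rule: all keys in a block must match (a list of
# values is an OR for that one field); the condition may negate a filter.
RULE = {
    "title": "Network logon by a machine or service account (constructed)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4624, "LogonType": 3, "TargetUserName|endswith": "$"},
        "filter": {"IpAddress": ["-", "127.0.0.1", "::1"]},
        "condition": "selection and not filter",
    },
}

# Constructed 4624 record, shaped like the JSON view of an EVTX event.
SAMPLE_EVENT = {
    "Event": {
        "System": {
            "Provider": {"Name": "Microsoft-Windows-Security-Auditing"},
            "EventID": 4624,
            "Computer": "ws01.example.local",
        },
        "EventData": {
            "TargetUserName": "WS02$",
            "LogonType": 3,
            "IpAddress": "10.0.0.25",
            "LogonProcessName": "Kerberos",
        },
    }
}


def get_path(event, dotted):
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(actual, expected, modifier):
    """Compare as strings (so 4624 matches "4624") and honour the Sigma modifier."""
    if actual is None:
        return False
    a, e = str(actual), str(expected)
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier {modifier!r}")


def block_matches(event, block, mapping):
    """AND across the block's fields, OR across list values of one field."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        path = mapping["fields"].get(field)
        if path is None:
            # Unmapped field: the rule can never fire on this log source.
            # Surfacing it loudly beats silently never matching.
            raise KeyError(f"no mapping for Sigma field {field!r}")
        actual = get_path(event, path)
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(actual, c, modifier) for c in candidates):
            return False
    return True


def rule_matches(event, rule, mapping):
    """Gate on the mapping's provider, then evaluate the rule's condition."""
    if get_path(event, "Event.System.Provider.Name") != mapping["provider"]:
        return False
    det = rule["detection"]
    cond = det["condition"].replace(" ", "")
    if cond == "selection":
        return block_matches(event, det["selection"], mapping)
    if cond == "selectionandnotfilter":
        return (block_matches(event, det["selection"], mapping)
                and not block_matches(event, det["filter"], mapping))
    raise ValueError(f"unsupported condition {det['condition']!r}")


def with_field(event, dotted, value):
    """Deep-copy the event with one dotted field replaced (for what-if checks)."""
    ev = copy.deepcopy(event)
    parts = dotted.split(".")
    cur = ev
    for part in parts[:-1]:
        cur = cur[part]
    cur[parts[-1]] = value
    return ev


if __name__ == "__main__":
    print(RULE["title"], "->", rule_matches(SAMPLE_EVENT, RULE, SECURITY_MAPPING))
```

The provider gate and the field table are the two halves of what a mapping gives the rule engine: the first decides which records a rule is even tried against, the second decides whether the rule's field names resolve to anything. Checking a new rule against the second half (does every field it names appear in the mapping for that provider?) is the quickest way to explain a rule that produces no hits, and the per-event field lists in the EVTX-ETW-Resources repository linked above are where the candidate field names come from.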

tomnewman86 commented 2 years ago

> I took a stab at improving some of the documentation today.
>
> Check out the 'How to add support for more rules' section of the readme (it's at the bottom) in the "documentation_improvements" branch and let me know if that helps at all.
>
> Please let me know if anything is unclear or if you'd like me to expand/add any more information!

Hi James,

I wanted to report back to let you know I've run through your documentation and found it most helpful. In fact, I probably hit more obstacles with Sigma than with Chainsaw's mapping, which ended up being quite intuitive once I'd familiarised myself with it.

FYI, whilst working through creating some sample mappings and rules for testing, I created an "on the fly" writeup of the steps I took with screenshots. This is as much a reference point for myself as it is for anyone else who may find it helpful.

https://github.com/tomnewman86/DFIR_documentation/tree/master/documents/Chainsaw

Thanks again for taking the time to do this. I have a few ideas in the works to help expand on Chainsaw's functionality and hope that other people will jump all over this too!

AndrewRathbun commented 2 years ago

@tomnewman86 @bmmojo is there a place we should centralize ideas in a to-do list? There aren't any active Projects/Kanban boards in this repo but maybe we could use a single Issue or the Discussions (if enabled) to collaborate on ideas. Thoughts?

alexkornitzer commented 2 years ago

@AndrewRathbun I'll go through the settings tomorrow and make sure those options are enabled. I'll also gear up the wiki and add some other missing stuff in. Should be able to carve some time when I am in the office.

fscc-alexkornitzer commented 2 years ago

@AndrewRathbun discussions should be enabled now, lemme know if they are not appearing.

AndrewRathbun commented 2 years ago

> @AndrewRathbun discussions should be enabled now, lemme know if they are not appearing.

I see them, thank you!

tomnewman86 commented 2 years ago

Yes, this is a great idea. I've not really used discussions/kanban boards before so this feels like a perfect time to familiarise myself.

AndrewRathbun commented 2 years ago

> Yes, this is a great idea. I've not really used discussions/kanban boards before so this feels like a perfect time to familiarise myself.

I use them all the time. Good example here: https://github.com/EricZimmerman/KapeFiles/projects/1

I basically use them to open source and organize the ideas in my brain 😆