Cyber Security
New Chainsaw tool helps IR teams analyze Windows event logs
Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats.
The tool is designed to assist in the first-response stage of a security engagement and can also help blue teams triage entries relevant for the investigation.
Built for incident responders
Windows event logs are a ledger of the system’s activities, comprising details about applications and user logins. Forensic investigators rely on these records, sometimes as the main source of evidence, to create a timeline of events of interest.
The difficulty with checking these records is that there’s a lot of them, especially on systems with a high logging level; sifting through for relevant information can and can be a time-consuming task.
Authored by James D, lead threat hunter at F-Secure’s Countercept division, Chainsaw is a Rust-based command-line utility that can go through event logs to highlight suspicious entries or strings that may indicate a threat.
The tool uses the Sigma rule detection logic to quickly find event logs relevant to the investigation.
“Chainsaw also contains built-in logic for detection use-cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or for specific event IDs.”
F-Secure says that Chainsaw is specifically tailored for quick analysis of event logs in environments where a detection and response solution (EDR) was not present at the time of compromise.
In such cases, threat hunters and incident responders can use Chainsaw’s search features to extract from Windows logs information pertinent to malicious activity.
Users can use the tool to do the following:
- Search through event logs by event ID, keyword, and regex patterns
- Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detect key event logs being cleared or the event log service being stopped
- Detect users being created or added to sensitive user groups
- Brute-force of local user accounts
- RDP logins, network logins etc.
Apart from this, Sigma rule detection works for numerous Windows event IDs that include the following:
| Event Type | Event ID |
| Process Creation (Sysmon) | 1 |
| Network Connections (Sysmon) | 3 |
| Image Loads (Sysmon) | 7 |
| File Creation (Sysmon) | 11 |
| Registry Events (Sysmon) | 13 |
| Powershell Script Blocks | 4104 |
| Process Creation | 4688 |
| Scheduled Task Creation | 4698 |
| Service Creation | 7045 |
Available as an open-source tool, Chainsaw uses the EVTX parser library and the detection logic matching provided by F-Secure Countercept’s TAU Engine library. It can output the results in ASCII table, CSV, or JSON.