When we're up against the clock, racing to find a needle in a haystack of Windows Event Logs without access to a SIEM, Sigma rules combined with tools like Chainsaw and Zircolite are our best allies.
Both tools allow us to use Sigma rules to scan not just one, but multiple EVTX files concurrently, offering a broader and more comprehensive scan in a very efficient manner.
Scanning Windows Event Logs With Chainsaw
Chainsaw is a freely available tool designed to swiftly pinpoint security threats within Windows Event Logs. This tool enables efficient keyword-based event log searches and is equipped with integrated support for Sigma detection rules as well as custom Chainsaw rules. Therefore, it serves as a valuable asset for validating our Sigma rules by applying them to actual event logs. Let's download the Chainsaw from the official Github repository and run it with some sigma rules:
Let's first run Chainsaw with -h flag to see the help menu.
PS C:\Tools\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe -h
Rapidly work with Forensic Artefacts
Usage: chainsaw_x86_64-pc-windows-msvc.exe [OPTIONS] <COMMAND>
Commands:
dump Dump an artefact into a different format
hunt Hunt through artefacts using detection rules for threat detection
lint Lint provided rules to ensure that they load correctly
search Search through forensic artefacts for keywords
analyse Perform various analyses on artifacts
help Print this message or the help of the given subcommand(s)
Options:
--no-banner Hide Chainsaw's banner
--num-threads <NUM_THREADS> Limit the thread number (default: num of CPUs)
-h, --help Print help
-V, --version Print version
Examples:
Hunt with Sigma and Chainsaw Rules:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
Hunt with Sigma rules and output in JSON:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json
Search for the case-insensitive word 'mimikatz':
./chainsaw search mimikatz -i evtx_attack_samples/
Search for Powershell Script Block Events (EventID 4014):
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
Example 1: Hunting for Multiple Failed Logins From Single Source With Sigma
Using the -s parameter, we can specify a directory containing Sigma detection rules (or one Sigma detection rule) and Chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file (specified through the --mapping parameter) tells Chainsaw which fields in the event logs to use for rule matching.
Example 2: Hunting for Abnormal PowerShell Command Line Size With Sigma (Based on Event ID 4688)
Firstly, let's set the stage by recognizing that PowerShell, being a highly flexible scripting language, is an attractive target for attackers. Its deep integration with Windows APIs and .NET Framework makes it an ideal candidate for a variety of post-exploitation activities.
To conceal their actions, attackers utilize complex encoding layers or misuse cmdlets for purposes they weren't designed for. This leads to abnormally long PowerShell commands that often incorporate Base64 encoding, string merging, and several variables containing fragmented parts of the command.
title:Unusually Long PowerShell CommandLineid:d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6status:testdescription:Detects unusually long PowerShell command lines with a length of 1000 characters or morereferences: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuseauthor:oscd.community, Natalia Shornikova / HTB Academy, Dimitrios Bougioukasdate:2020/10/06modified:2023/04/14tags: - attack.execution - attack.t1059.001 - detection.threat_huntinglogsource:category:process_creationproduct:windowsdetection:selection:EventID:4688NewProcessName|endswith: - '\powershell.exe' - '\pwsh.exe' - '\cmd.exe'selection_powershell:CommandLine|contains: - 'powershell.exe' - 'pwsh.exe'selection_length:CommandLine|re:'.{1000,}'condition:selection and selection_powershell and selection_lengthfalsepositives: - Unknownlevel:low
Sigma Rule Breakdown:
detection: The selection section checks if any Windows events with ID 4688 exist and also checks if the NewProcessName field ends with \powershell.exe, \pwsh.exe, or \cmd.exe. The selection_powershell section checks if the executed command line includes PowerShell-related executables and finally, the selection_length section checks if the CommandLine field of the 4688 event contains 1,000 characters or more. The condition section checks if the selection criteria inside the selection, selection_powershell, and selection_length sections are all met.
Let's put Chainsaw to work by applying the abovementioned Sigma rule, proc_creation_win_powershell_abnormal_commandline_size.yml, to lab_events_3.evtx that contains 4688 events with abnormally long PowerShell commands.
Our Sigma rule successfully uncovered all three abnormally long PowerShell commands that exist inside lab_events_3.evtx
Q & A
1) Use Chainsaw with the "C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.yml" Sigma rule to hunt for suspicious Defender exclusions inside "C:\Events\YARASigma\lab_events_5.evtx". Enter the excluded directory as your answer.
