菜单
Perform rapid Sigma and keyword hunting across Windows event logs with Chainsaw.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Extract DPAPI-protected secrets such as credentials and browser data offline and online.
Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.
Test vector stores for embedding inversion, cross-tenant leakage, and poisoning.
Enumerate Entra ID with ROADrecon and acquire and exchange tokens with roadtx.
Run OAuth 2.0 device-code and illicit-consent phishing against Microsoft Entra ID to steal access and refresh tokens, bypass MFA, and pivot across Microsoft 365 services.
Run Microsoft Entra ID tenant reconnaissance, token acquisition and manipulation, and federation backdoor testing with the AADInternals PowerShell toolkit to validate identity-attack resilience.
| name | hunting-evtx-with-chainsaw |
| description | Perform rapid Sigma and keyword hunting across Windows event logs with Chainsaw. |
| domain | cybersecurity |
| subdomain | threat-hunting |
| tags | ["chainsaw","threat-hunting","evtx","sigma","windows-event-logs","dfir","detection","shimcache"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["DE.AE-02"] |
| mitre_attack | ["T1059.001"] |
Chainsaw is a fast, Rust-based forensic artifact search and hunting tool from WithSecure Labs. It provides first-response capability to rapidly identify threats within Windows Event Logs (.evtx) and other artifacts. Chainsaw can hunt with the full SigmaHQ rule corpus (translating Sigma to its internal Tau engine), run its own built-in detection rules, perform high-speed keyword/regex search across logs, and analyse specialized artifacts such as the AppCompatCache (shimcache), SRUM database, and event-log gaps. Output can be a colorized table, CSV, or JSON for downstream tooling.
Chainsaw's strength is speed and flexibility during initial triage: an analyst can drop a folder of collected EVTX onto the tool and get back a prioritized set of detections in seconds, then pivot with targeted search queries to confirm a hypothesis. Unlike a SIEM, it needs no ingestion pipeline, runs as a single binary, and works fully offline against acquired evidence — ideal for the field or an air-gapped analysis VM. The --mapping file tells Chainsaw how Sigma fields translate to Windows event fields, which is what enables broad Sigma coverage over EVTX.
A common hunt outcome is detecting suspicious PowerShell — MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) — by running Sigma rules against PowerShell operational logs (Event ID 4104 script-block logging) or searching for encoded-command patterns. This skill maps to NIST CSF DE.AE-02 (potentially adverse events are analyzed to better understand associated activities).
.evtx without standing up a SIEM.# Build from source (Rust toolchain required)
git clone https://github.com/WithSecureLabs/chainsaw.git
cd chainsaw && cargo build --release
./target/release/chainsaw --version
# or: nix profile install github:WithSecureLabs/chainsaw
mappings/ (Sigma field mappings) and rules/ (Chainsaw rules).git clone https://github.com/SigmaHQ/sigma.git
.evtx files (and registry hives like SYSTEM/Amcache.hve for shimcache analysis).| Technique ID | Official Name | Why Chainsaw Detects It |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | Sigma rules over EID 4104/4103 and search flag malicious PowerShell |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Process-creation Sigma rules surface suspicious cmd usage |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Sigma rules over registry events flag persistence |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Rules over EID 4698/106 detect task creation |
| T1070.006 | Indicator Removal: Timestomp | analyse gaps and shimcache analysis reveal tampering/time gaps |
| T1204.002 | User Execution: Malicious File | Shimcache analysis shows executed binaries |
Run the SigmaHQ corpus against collected logs using the bundled mapping file. The mapping translates Sigma fields to EVTX fields.
chainsaw hunt ./collected_evtx \
-s ./sigma/rules \
--mapping ./mappings/sigma-event-logs-all.yml
Combine Chainsaw's own rules (-r) with Sigma (-s) for broader coverage.
chainsaw hunt ./collected_evtx \
-r ./rules \
-s ./sigma/rules \
--mapping ./mappings/sigma-event-logs-all.yml
Limit results by Sigma rule level, status, and detection kind.
chainsaw hunt ./collected_evtx -s ./sigma/rules \
--mapping ./mappings/sigma-event-logs-all.yml \
--level high --status stable --kind evtx
Write structured output for reporting and pipelines.
# JSON to stdout/file
chainsaw hunt ./collected_evtx -s ./sigma/rules \
--mapping ./mappings/sigma-event-logs-all.yml --json > detections.json
# CSV into a directory (one file per detection group)
chainsaw hunt ./collected_evtx -s ./sigma/rules \
--mapping ./mappings/sigma-event-logs-all.yml --csv --output ./csv_out
Confirm a hypothesis by searching raw events independent of rules.
# Case-insensitive keyword search
chainsaw search "mimikatz" -i ./collected_evtx
# Regex for base64-encoded PowerShell commands, as JSON
chainsaw search -e "-[Ee]nc(odedCommand)?\s+[A-Za-z0-9+/=]{20,}" ./collected_evtx --json
# Time-bounded search using a Tau expression
chainsaw search ./collected_evtx -t 'Event.System.EventID: =4624' \
--from "2026-06-01T00:00:00" --to "2026-06-20T00:00:00"
Parse the AppCompatCache from the SYSTEM hive, pair it with Amcache timestamps, and pattern-match suspicious entries.
chainsaw analyse shimcache ./SYSTEM \
--regexfile ./shimcache_patterns.txt \
--amcache ./Amcache.hve --tspair \
--output ./shimcache_analysis.csv
Detect program/network usage and identify suspicious logging gaps (possible log clearing or timestomp).
# SRUM database analysis
chainsaw analyse srum --software ./SOFTWARE ./SRUDB.dat -o srum.json
# Event-log gaps that may indicate cleared/tampered logs
chainsaw analyse gaps ./collected_evtx --min-time-gap-minutes 30 --json
Inspect raw artifact content and validate custom rules before a hunt.
chainsaw dump ./SOFTWARE --json --output dump.json
chainsaw lint -r ./rules --kind sigma
| Tool | Purpose | Source |
|---|---|---|
| Chainsaw | Fast EVTX/artifact hunting and search | https://github.com/WithSecureLabs/chainsaw |
| SigmaHQ rules | Community detection rules | https://github.com/SigmaHQ/sigma |
| Chainsaw mappings | Sigma-to-EVTX field mappings | https://github.com/WithSecureLabs/chainsaw/tree/master/mappings |
| Hayabusa | Alternative Sigma EVTX timeline tool | https://github.com/Yamato-Security/hayabusa |
| Timeline Explorer | Review CSV output | https://ericzimmerman.github.io/ |
--version confirmed.