Hunting Evil with Sigma (Chainsaw Edition) | FaresMorcy (2024)

When we're up against the clock, racing to find a needle in a haystack of Windows Event Logs without access to a SIEM, Sigma rules combined with tools like Chainsaw and Zircolite are our best allies.

Both tools allow us to use Sigma rules to scan not just one, but multiple EVTX files concurrently, offering a broader and more comprehensive scan in a very efficient manner.

Scanning Windows Event Logs With Chainsaw

Chainsaw is a freely available tool designed to swiftly pinpoint security threats within Windows Event Logs. It enables efficient keyword-based event log searches and has integrated support for Sigma detection rules as well as custom Chainsaw rules. It therefore serves as a valuable asset for validating our Sigma rules by applying them to actual event logs. Let's download Chainsaw from the official GitHub repository and run it with some Sigma rules.

Let's first run Chainsaw with the -h flag to see the help menu.

PS C:\Tools\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe -h
Rapidly work with Forensic Artefacts

Usage: chainsaw_x86_64-pc-windows-msvc.exe [OPTIONS] <COMMAND>

Commands:
  dump     Dump an artefact into a different format
  hunt     Hunt through artefacts using detection rules for threat detection
  lint     Lint provided rules to ensure that they load correctly
  search   Search through forensic artefacts for keywords
  analyse  Perform various analyses on artifacts
  help     Print this message or the help of the given subcommand(s)

Options:
      --no-banner                  Hide Chainsaw's banner
      --num-threads <NUM_THREADS>  Limit the thread number (default: num of CPUs)
  -h, --help                       Print help
  -V, --version                    Print version

Examples:

    Hunt with Sigma and Chainsaw Rules:
        ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/

    Hunt with Sigma rules and output in JSON:
        ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json

    Search for the case-insensitive word 'mimikatz':
        ./chainsaw search mimikatz -i evtx_attack_samples/

    Search for Powershell Script Block Events (EventID 4014):
        ./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

Example 1: Hunting for Multiple Failed Logins From Single Source With Sigma

.\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_2.evtx -s C:\Rules\sigma\win_security_susp_failed_logons_single_source2.yml --mapping .\mappings\sigma-event-logs-all.yml

Using the -s parameter, we can specify a directory containing Sigma detection rules (or a single Sigma rule file), and Chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file (specified through the --mapping parameter) tells Chainsaw which fields in the event logs correspond to the field names used in the rules, so that rule matching is performed against the right data.

Example 2: Hunting for Abnormal PowerShell Command Line Size With Sigma (Based on Event ID 4688)

Firstly, let's set the stage by recognizing that PowerShell, being a highly flexible scripting language, is an attractive target for attackers. Its deep integration with Windows APIs and .NET Framework makes it an ideal candidate for a variety of post-exploitation activities.

To conceal their actions, attackers utilize complex encoding layers or misuse cmdlets for purposes they weren't designed for. This leads to abnormally long PowerShell commands that often incorporate Base64 encoding, string merging, and several variables containing fragmented parts of the command.

title: Unusually Long PowerShell CommandLine
id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
status: test
description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova / HTB Academy, Dimitrios Bougioukas
date: 2020/10/06
modified: 2023/04/14
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat_hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
    selection_powershell:
        CommandLine|contains:
            - 'powershell.exe'
            - 'pwsh.exe'
    selection_length:
        CommandLine|re: '.{1000,}'
    condition: selection and selection_powershell and selection_length
falsepositives:
    - Unknown
level: low

Sigma Rule Breakdown:

  • detection: The selection section checks if any Windows events with ID 4688 exist and also checks if the NewProcessName field ends with \powershell.exe, \pwsh.exe, or \cmd.exe. The selection_powershell section checks if the executed command line includes PowerShell-related executables and finally, the selection_length section checks if the CommandLine field of the 4688 event contains 1,000 characters or more. The condition section checks if the selection criteria inside the selection, selection_powershell, and selection_length sections are all met.
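To make the breakdown concrete, here is a small Python evaluator, added for this write-up and not part of Chainsaw or the original post, that applies the rule's three selections and its condition to constructed 4688 events. The FIELD_MAP dictionary and the nested event shape are assumptions standing in for Chainsaw's --mapping file and its parsed EVTX documents, which is also why the Sysmon-style event at the end does not match: without a mapping, the rule's EventID and NewProcessName fields are never found.

```python
import re

# Sigma field modifiers implemented for this demo (a subset of the Sigma spec).
MODIFIERS = {
    "contains": lambda value, pattern: pattern.lower() in value.lower(),
    "endswith": lambda value, pattern: value.lower().endswith(pattern.lower()),
    "startswith": lambda value, pattern: value.lower().startswith(pattern.lower()),
    "re": lambda value, pattern: re.search(pattern, value) is not None,
}

# Assumed field mapping (stand-in for Chainsaw's --mapping YAML):
# Sigma field name -> dotted path inside the parsed event.
FIELD_MAP = {
    "EventID": "Event.System.EventID",
    "NewProcessName": "Event.EventData.NewProcessName",
    "CommandLine": "Event.EventData.CommandLine",
}

# The detection block of the rule above, transcribed as Python data.
DETECTION = {
    "selection": {
        "EventID": 4688,
        "NewProcessName|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"],
    },
    "selection_powershell": {"CommandLine|contains": ["powershell.exe", "pwsh.exe"]},
    "selection_length": {"CommandLine|re": ".{1000,}"},
    "condition": "selection and selection_powershell and selection_length",
}


def lookup(event, dotted):
    """Resolve a dotted path such as Event.System.EventID; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' line; list values are ORed."""
    name, _, modifier = key.partition("|")
    value = lookup(event, FIELD_MAP.get(name, name))
    if value is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    if not modifier:
        # Plain equality, compared case-insensitively as strings like Sigma does.
        return any(str(value).lower() == str(c).lower() for c in candidates)
    test = MODIFIERS[modifier]
    return any(test(str(value), str(c)) for c in candidates)


def selection_matches(event, selection):
    """All field lines inside one selection block are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, detection=DETECTION):
    """Only the conjunctive 'a and b and c' condition form is supported here."""
    names = [n.strip() for n in detection["condition"].split(" and ")]
    return all(selection_matches(event, detection[n]) for n in names)


def make_4688(new_process, command_line):
    """Build a constructed Security 4688 event in the assumed parsed shape."""
    return {"Event": {"System": {"EventID": 4688},
                      "EventData": {"NewProcessName": new_process,
                                    "CommandLine": command_line}}}


# Constructed sample input: two long PowerShell launches, one short one,
# one long non-PowerShell launch, and a Sysmon-style event with no mapping.
LONG_CMD = "powershell.exe -nop -w hidden -enc " + "A" * 1100
SAMPLE_EVENTS = [
    make_4688(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", LONG_CMD),
    make_4688(r"C:\Windows\System32\cmd.exe", "cmd.exe /c start powershell.exe " + "B" * 1100),
    make_4688(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
    make_4688(r"C:\Windows\System32\notepad.exe", "notepad.exe " + "C" * 1100),
    {"Event": {"System": {"EventID": 1},
               "EventData": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             "CommandLine": LONG_CMD}}},
]


def hunt(events):
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    print("Detections on events:", hunt(SAMPLE_EVENTS))
```

Running the block reports detections on events 0 and 1 only: the short command fails selection_length, notepad fails both selection and selection_powershell, and the Sysmon-style record has neither a 4688 EventID nor a NewProcessName at the mapped path.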

Let's put Chainsaw to work by applying the above-mentioned Sigma rule, proc_creation_win_powershell_abnormal_commandline_size.yml, to lab_events_3.evtx, which contains 4688 events with abnormally long PowerShell commands.

PS C:\Tools\chainsaw> .\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_3.evtx -s C:\Rules\sigma\proc_creation_win_powershell_abnormal_commandline_size.yml --mapping .\mappings\sigma-event-logs-all-new.yml

    By Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: C:\Rules\sigma\proc_creation_win_powershell_abnormal_commandline_size.yml
[+] Loaded 1 detection rules
[+] Loading forensic artefacts from: C:\Events\YARASigma\lab_events_3.evtx (extensions: .evtx, .evt)
[+] Loaded 1 forensic artefacts (69.6 KB)
[+] Hunting: [========================================] 1/1 -

[+] Group: Sigma

timestamp: 2021-04-22 08:51:04 | detections: + Unusually Long PowerShell CommandLine | count: 1 | Event.System.Provider: Microsoft-Windows-Security-Auditing | Event ID: 4688 | Record ID: 435121 | Computer: fs03vuln.offsec.lan
Event Data:
  CommandLine: powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPg2gWACA7VWbW+bSBD+nEj5D6iy...
  (use --full to show all content)
  NewProcessId: '0x7f0'
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: '0x6e8'
  SubjectDomainName: OFFSEC
  SubjectLogonId: '0x3e7'
  SubjectUserName: FS03VULN$
  SubjectUserSid: S-1-5-18
  TokenElevationType: '%%1936'

timestamp: 2021-04-22 08:51:04 | detections: + Unusually Long PowerShell CommandLine | count: 1 | Event.System.Provider: Microsoft-Windows-Security-Auditing | Event ID: 4688 | Record ID: 435120 | Computer: fs03vuln.offsec.lan
Event Data:
  CommandLine: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::Fro...
  (use --full to show all content)
  NewProcessId: '0x6e8'
  NewProcessName: C:\Windows\System32\cmd.exe
  ProcessId: '0x1d0'
  SubjectDomainName: OFFSEC
  SubjectLogonId: '0x3e7'
  SubjectUserName: FS03VULN$
  SubjectUserSid: S-1-5-18
  TokenElevationType: '%%1936'

timestamp: 2021-04-22 08:51:05 | detections: + Unusually Long PowerShell CommandLine | count: 1 | Event.System.Provider: Microsoft-Windows-Security-Auditing | Event ID: 4688 | Record ID: 435124 | Computer: fs03vuln.offsec.lan
Event Data:
  CommandLine: '"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAPg2gWACA7VWbW+bSBD+nEj5D6iyBKiOIbbbvEiVbgFju4kdbBI7sWud1rCGbRbWgSWO0/a/32CgTa/pXXvSIb/sy8zszDPPzrDKYk9QHku+w91M+nSwv+fgBEeSUouy9fqkLtXSsaPu7cFGjXd7+K30TlLmaL22eIRpvDg7M7MkIbEo5o0uEShNSbRklKSKKn2WpiFJyO...
  (use --full to show all content)
  NewProcessId: '0x8f0'
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: '0x7f0'
  SubjectDomainName: OFFSEC
  SubjectLogonId: '0x3e7'
  SubjectUserName: FS03VULN$
  SubjectUserSid: S-1-5-18
  TokenElevationType: '%%1936'

[+] 3 Detections found on 3 documents

Our Sigma rule successfully uncovered all three abnormally long PowerShell commands that exist inside lab_events_3.evtx.

Q & A

1) Use Chainsaw with the "C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.yml" Sigma rule to hunt for suspicious Defender exclusions inside "C:\Events\YARASigma\lab_events_5.evtx". Enter the excluded directory as your answer.

 .\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Events\YARASigma\lab_events_5.evtx -s C:\Tools\chainsaw\sigma\rules\windows\powershell\powershell_script\posh_ps_win_defender_exclusions_added.yml --mapping .\mappings\sigma-event-logs-all-new.yml

Answer: c:\document\virus\
