F-Secure has open sourced a new tool for incident response teams and other security professionals called Chainsaw — designed as a “first-response” capability to quickly identify threats within Windows event logs.
(The Stack is adding it to our list of free security tools from reputable sources with real utility for enterprise security: Chainsaw joins Bloodhound, Infection Monkey, OpenCTI and others on that list…)
Developed by James D, the lead threat hunter at F-Secure’s managed detection and response unit Countercept, Chainsaw offers a “generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules”. Written in Rust and accessible via the command line, it’s likely to be particularly useful for IR and Blue Teams responding to breaches.
As the F-Secure team noted in a blog: “At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity.”
Most organisations need a SIEM in place to hunt through log data (which can rapidly get expensive). They added: “In our testing, the [free alternative] tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required.”
Chainsaw’s authors describe it as able to:
- 🔍 Search and extract event log records by event IDs, string matching, and regex patterns
- 🎯 Hunt for threats using Sigma detection rules and custom built-in detection logic
- ⚡ Lightning fast, written in Rust, wrapping the EVTX parser library by @OBenamram
- 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
- 📑 Output in an ASCII table format, CSV format, or JSON format
Searching and hunting features for Blue Teams in Chainsaw include:
- Searching through event logs by event ID, keyword, and regex patterns
- Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
- Detection of key event logs being cleared, or the event log service being stopped
- Detection of users being created or added to sensitive user groups
- Detection of brute-forcing of local user accounts
- Detection of RDP logins, network logins etc.
- Sigma rule detection against a wide variety of Windows event IDs
Security folks can get Chainsaw for free here.