• Stars
    star
    2,713
  • Rank 16,807 (Top 0.4 %)
  • Language
    Rust
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Rapidly Search and Hunt through Windows Forensic Artefacts

Rapidly Search and Hunt through Windows Forensic Artefacts


Chainsaw provides a powerful β€˜first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

Features

  • 🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
  • πŸ” Search and extract forensic artefacts by string matching, and regex patterns
  • ⚑ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
  • πŸͺΆ Clean and lightweight execution and output formats without unnecessary bloat
  • πŸ”₯ Document tagging (detection logic matching) provided by the TAU Engine Library
  • πŸ“… Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data
  • πŸ“‘ Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format
  • πŸ’» Can be run on MacOS, Linux and Windows

  $ ./chainsaw hunt -r rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical

   β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•—  β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•—    β–ˆβ–ˆβ•—
  β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘    β–ˆβ–ˆβ•‘
  β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β–ˆβ•— β–ˆβ–ˆβ•‘
  β–ˆβ–ˆβ•‘     β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘β•šβ•β•β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘
  β•šβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ•”β•
   β•šβ•β•β•β•β•β•β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β•β•šβ•β•β•šβ•β•  β•šβ•β•β•β•β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β• β•šβ•β•β•β•šβ•β•β•
      By Countercept (@FranticTyping, @AlexKornitzer)

  [+] Loading detection rules from: ../../rules/, /tmp/sigma/rules
  [+] Loaded 129 detection rules (198 not loaded)
  [+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx)
  [+] Loaded 268 EVTX files (37.5 MB)
  [+] Hunting: [========================================] 268/268

  [+] Group: Antivirus
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚      timestamp      β”‚     detections     β”‚ Event ID β”‚ Record ID β”‚  Computer   β”‚          Threat Name           β”‚           Threat Path            β”‚        User        β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-07-18 20:40:00 β”‚ β€£ Windows Defender β”‚ 1116     β”‚ 37        β”‚ MSEDGEWIN10 β”‚ Trojan:PowerShell/Powersploit. β”‚ file:_C:\AtomicRedTeam\atomic-   β”‚ MSEDGEWIN10\IEUser β”‚
  β”‚                     β”‚                    β”‚          β”‚           β”‚             β”‚ M                              β”‚ red-team-master\atomics\T1056\   β”‚                    β”‚
  β”‚                     β”‚                    β”‚          β”‚           β”‚             β”‚                                β”‚ Get-Keystrokes.ps1               β”‚                    β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-07-18 20:53:31 β”‚ β€£ Windows Defender β”‚ 1117     β”‚ 106       β”‚ MSEDGEWIN10 β”‚ Trojan:XML/Exeselrun.gen!A     β”‚ file:_C:\AtomicRedTeam\atomic-   β”‚ MSEDGEWIN10\IEUser β”‚
  β”‚                     β”‚                    β”‚          β”‚           β”‚             β”‚                                β”‚ red-team-master\atomics\T1086\   β”‚                    β”‚
  β”‚                     β”‚                    β”‚          β”‚           β”‚             β”‚                                β”‚ payloads\test.xsl                β”‚                    β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

  [+] Group: Log Tampering
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚      timestamp      β”‚          detections           β”‚ Event ID β”‚ Record ID β”‚            Computer            β”‚     User      β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-01-20 07:00:50 β”‚ β€£ Security Audit Logs Cleared β”‚ 1102     β”‚ 32853     β”‚ WIN-77LTAPHIQ1R.example.corp   β”‚ Administrator β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

  [+] Group: Sigma
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚      timestamp      β”‚           detections           β”‚ count β”‚     Event.System.Provider      β”‚ Event ID β”‚ Record ID β”‚         Computer         β”‚            Event Data            β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-04-29 20:59:14 β”‚ β€£ Malicious Named Pipe         β”‚ 1     β”‚ Microsoft-Windows-Sysmon       β”‚ 18       β”‚ 8046      β”‚ IEWIN7                   β”‚ ---                              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Image: System                    β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ PipeName: "\\46a676ab7f179e511   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ e30dd2dc41bd388"                 β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessGuid: 365ABB72-D9C4-5CC   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 7-0000-0010EA030000              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessId: 4                     β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ RuleName: ""                     β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ UtcTime: "2019-04-29 20:59:14.   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 430"                             β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-04-30 20:26:51 β”‚ β€£ CobaltStrike Service         β”‚ 1     β”‚ Microsoft-Windows-Sysmon       β”‚ 13       β”‚ 9806      β”‚ IEWIN7                   β”‚ ---                              β”‚
  β”‚                     β”‚ Installations in Registry      β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Details: "%%COMSPEC%% /b /c st   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ art /b /min powershell.exe -no   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ p -w hidden -noni -c \"if([Int   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Ptr]::Size -eq 4){$b='powershe   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ll.exe'}else{$b=$env:windir+'\   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ \syswow64\\WindowsPowerShell\\   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ v1.0\\powershell.exe'};$s=New-   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Object System.Diagnostics.Proc   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ essStartInfo;$s.FileName=$b;$s   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ .Arguments='-noni -nop -w hidd   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ en -c &([scriptblock]::create(   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ (New-Object IO.StreamReader(Ne   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ w-Object IO.Compression.GzipSt   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ream((New-Object IO.MemoryStre   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ am(,[Convert]::FromBase64Strin   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ H6P1...                          β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ (use --full to show all content) β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ EventType: SetValue              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Image: "C:\\Windows\\system32\   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ \services.exe"                   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessGuid: 365ABB72-2586-5CC   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 9-0000-0010DC530000              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessId: 460                   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ RuleName: ""                     β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ TargetObject: "HKLM\\System\\C   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ urrentControlSet\\services\\he   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ llo\\ImagePath"                  β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ UtcTime: "2019-04-30 20:26:51.   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 934"                             β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-05-12 12:52:43 β”‚ β€£ Meterpreter or Cobalt        β”‚ 1     β”‚ Service Control Manager        β”‚ 7045     β”‚ 10446     β”‚ IEWIN7                   β”‚ ---                              β”‚
  β”‚                     β”‚ Strike Getsystem Service       β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ AccountName: LocalSystem         β”‚
  β”‚                     β”‚ Installation                   β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ImagePath: "%COMSPEC% /c ping    β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ -n 1 127.0.0.1 >nul && echo 'W   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ inPwnage' > \\\\.\\pipe\\WinPw   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ nagePipe"                        β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ServiceName: WinPwnage           β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ServiceType: user mode service   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ StartType: demand start          β”‚
  β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
  β”‚ 2019-06-21 07:35:37 β”‚ β€£ Dumpert Process Dumper       β”‚ 1     β”‚ Microsoft-Windows-Sysmon       β”‚ 11       β”‚ 238375    β”‚ alice.insecurebank.local β”‚ ---                              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ CreationUtcTime: "2019-06-21 0   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 6:53:03.227"                     β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Image: "C:\\Users\\administrat   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ or\\Desktop\\x64\\Outflank-Dum   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ pert.exe"                        β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessGuid: ECAD0485-88C9-5D0   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ C-0000-0010348C1D00              β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ ProcessId: 3572                  β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ RuleName: ""                     β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ TargetFilename: "C:\\Windows\\   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ Temp\\dumpert.dmp"               β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ UtcTime: "2019-06-21 07:35:37.   β”‚
  β”‚                     β”‚                                β”‚       β”‚                                β”‚          β”‚           β”‚                          β”‚ 324"                             β”‚
  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Table Of Contents

Extended information can be found in the Wiki for this tool: https://github.com/countercept/chainsaw/wiki

Why Chainsaw?

Windows event logs provide a rich source of forensic information for threat hunting and incident response investigations. Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations.

At WithSecure Countercept, we ingest a wide range of telemetry sources from endpoints via our EDR agent to provide our managed detection and response service. However, there are circumstances where we need to quickly analyze event log data that hasn’t been captured by our EDR, a common example being incident response investigations on an estate where our EDR wasn’t installed at the time of the compromise. Chainsaw was created to provide our threat hunters and incident response consultants with a tool to perform rapid triage of Windows event logs in these circumstances.

At the time of writing, there are very few open-source, standalone tools that provide a simple and fast method of triaging Windows event logs, identifying interesting elements within the logs and applying a detection logic rule format (such as Sigma) to detect signs of malicious activity. In our testing, the tools that did exist struggled to efficiently apply detection logic to large volumes of event logs making them unsuitable for scenarios where quick triage is required.

Hunting Logic

Sigma Rule Matching

Using the --sigma and --mapping parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw which fields in the event logs to use for rule matching. By default, Chainsaw supports a wide range of Event Log types, including but not limited to:

Event Type Event ID
Process Creation (Sysmon) 1
Network Connections (Sysmon) 3
Image Loads (Sysmon) 7
File Creation (Sysmon) 11
Registry Events (Sysmon) 13
Powershell Script Blocks 4104
Process Creation 4688
Scheduled Task Creation 4698
Service Creation 7045

See the mapping file for the full list of fields that are used for rule detection, and feel free to extend it to your needs.

Chainsaw Detection Rules

In addition to supporting sigma rules, Chainsaw also supports a custom rule format. In the repository you will find a rules directory that contains various Chainsaw rules that allows users to:

  1. Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  2. Detect key event logs being cleared, or the event log service being stopped
  3. Users being created or added to sensitive user groups
  4. Remote Logins (Service, RDP, Network etc.) events. This helps hunters to identify sources of lateral movement
  5. Brute-force of local user accounts

Quick Start Guide

Downloading and Running

With the release of Chainsaw v2, we decided to no longer include the Sigma Rules and EVTX-Attack-Samples repositories as Chainsaw submodules. We recommend that you clone these repositories separately to ensure you have the latest versions.

If you still need an all-in-one package containing the Chainsaw binary, Sigma rules and example Event logs, you can download it from the releases section of this Github repo. In this releases section you will also find pre-compiled binary-only versions of Chainsaw for various platforms and architectures.

If you want to compile Chainsaw yourself, you can clone the Chainsaw repo:

git clone https://github.com/countercept/chainsaw.git

and compile the code yourself by running: cargo build --release. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

Make sure to build with the --release flag as this will ensure significantly faster execution time.

If you want to quickly see what Chainsaw looks like when it runs, you can clone the Sigma Rules and EVTX-Attack-Samples repositories:

git clone https://github.com/SigmaHQ/sigma
git clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git

and then run Chainsaw with the parameters below:

./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

EDR and AV Warnings

When downloading and running chainsaw you may find that your local EDR / AntiVirus engine detects Chainsaw as malicious. You can see examples of this in the following Github issues: Example1, Example2.

These warnings are typically due to the example event logs and/or Sigma rules which contain references to malicious strings (e.g. "mimikatz"). We have also seen instances where the Chainsaw binary has been detected by a small subset of Anti-Virus engines likely due to some form of heuristics detection.

What Changed In Chainsaw v2?

In July 2022 we released version 2 of Chainsaw which is a major overhaul of how Chainsaw operates. Chainsaw v2 contains a number of significant improvements, including the following list of highlights:

  • An improved approach to mapping Sigma rules which results in a significant increase in the number of supported Chainsaw rules, and Event Log event types.
  • Improved CLI output which shows a snapshot of all Event Data for event logs containing detections.
  • Support for loading and parsing Event Logs in both JSON and XML format.
  • Cleaner and simpler command line arguments for the Hunt and Search features.
  • Additional optional output information, such as Rule Author, Rule Status, Rule Level etc.
  • The ability to filter loaded rules by status, kind, and severity level.
  • Inbuilt Chainsaw Detection rules have been broken out into dedicated Chainsaw rule files
  • A clean and rewrite of Chainsaw's code to improve readability and to reduce the overhead for community contributions.

If you still wish to use the version 1 of Chainsaw, you can find compiled binaries in the releases section, or you can access the source code in the v1.x.x branch. Please note that Chainsaw v1 is no longer being maintained, and all users should look to move to Chainsaw v2.

A massive thank you to @AlexKornitzer who managed to convert Chainsaw v1's "Christmas Project" codebase into a polished product in v2.

Examples

Searching

  USAGE:
      chainsaw search [FLAGS] [OPTIONS] <pattern> [--] [path]...

  FLAGS:
      -h, --help            Prints help information
      -i, --ignore-case     Ignore the case when searching patterns
          --json            Print the output in json format
          --load-unknown    Allow chainsaw to try and load files it cannot identify
          --local           Output the timestamp using the local machine's timestamp
      -q                    Supress informational output
          --skip-errors     Continue to search when an error is encountered
      -V, --version         Prints version information

  OPTIONS:
          --extension <extension>...    Only search through files with the provided extension
          --from <from>                 The timestamp to search from. Drops any documents older than the value provided
      -o, --output <output>             The path to output results to
      -e, --regex <pattern>...          A string or regular expression pattern to search for
      -t, --tau <tau>...                Tau expressions to search with. e.g. 'Event.System.EventID: =4104'
          --timestamp <timestamp>       The field that contains the timestamp
          --timezone <timezone>         Output the timestamp using the timezone provided
          --to <to>                     The timestamp to search up to. Drops any documents newer than the value provided

  ARGS:
      <pattern>    A string or regular expression pattern to search for. Not used when -e or -t is specified
      <path>...    The paths containing event logs to load and hunt through

Command Examples

Search all .evtx files for the case-insensitive string "mimikatz"

./chainsaw search mimikatz -i evtx_attack_samples/

*Search all .evtx files for powershell script block events (Event ID 4014)

./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

Search a specific evtx log for logon events, with a matching regex pattern, output in JSON format

./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json

Hunting

  USAGE:
      chainsaw hunt [FLAGS] [OPTIONS] [--] [path]...

  FLAGS:
          --csv             Print the output in csv format
          --full            Print the full values for the tabular output
      -h, --help            Prints help information
          --json            Print the output in json format
          --load-unknown    Allow chainsaw to try and load files it cannot identify
          --local           Output the timestamp using the local machine's timestamp
          --log             Print the output in log like format
          --metadata        Display additional metadata in the tablar output
      -q                    Supress informational output
          --skip-errors     Continue to hunt when an error is encountered
      -V, --version         Prints version information

  OPTIONS:
          --column-width <column-width>    Set the column width for the tabular output
          --extension <extension>...       Only hunt through files with the provided extension
          --from <from>                    The timestamp to hunt from. Drops any documents older than the value provided
          --kind <kind>...                 Restrict loaded rules to specified kinds
          --level <level>...               Restrict loaded rules to specified levels
      -m, --mapping <mapping>...           A mapping file to tell Chainsaw how to use third-party rules
      -o, --output <output>                A path to output results to
      -r, --rule <rule>...                 A path containing additional rules to hunt with
      -s, --sigma <sigma>...               A path containing Sigma rules to hunt with
          --status <status>...             Restrict loaded rules to specified statuses
          --timezone <timezone>            Output the timestamp using the timezone provided
          --to <to>                        The timestamp to hunt up to. Drops any documents newer than the value provided

  ARGS:
      <rules>      The path to a collection of rules to use for hunting
      <path>...    The paths containing event logs to load and hunt through

Command Examples

Hunt through all evtx files using Sigma rules for detection logic

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results

Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format

 ./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19:09:39" --to "2019-03-17T19:09:50" --json

Shimcache Analysis

COMMAND:
    analyse shimcache                 Create an execution timeline from the shimcache with optional amcache enrichments

USAGE:
    chainsaw analyse shimcache [OPTIONS] <SHIMCACHE>

ARGUMENTS:
    <SHIMCACHE>                       The path to the shimcache artifact (SYSTEM registry file)

OPTIONS:
    -e, --regex <pattern>             A string or regular expression for detecting shimcache entries whose timestamp matches their insertion time
    -r, --regexfile <REGEX_FILE>      The path to a newline delimited file containing regex patterns for detecting shimcache entries whose timestamp matches their insertion time
    -o, --output <OUTPUT>             The path to output the result csv file
    -a, --amcache <AMCACHE>           The path to the amcache artifact (Amcache.hve) for timeline enrichment
    -p, --tspair                      Enable near timestamp pair detection between shimcache and amcache for finding additional insertion timestamps for shimcache entries
    -h, --help                        Print help
  • Example pattern file for the --regexfile parameter is included in analysis/shimcache_patterns.txt.
  • Regex patterns are matched on paths in shimcache entires converted to lowercase.

Command Examples

Analyse a shimcache artifact with the provided regex patterns, and use amcache enrichment with timestamp near pair detection enabled. Output to a csv file.

./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt --amcache ./Amcache.hve --tspair --output ./output.csv

Analyse a shimcache artifact with the provided regex patterns (without amcache enrichment). Output to the terminal.

./chainsaw analyse shimcache ./SYSTEM --regexfile ./analysis/shimcache_patterns.txt

Acknowledgements

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,894
star
2

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,498
star
3

needle

The iOS Security Testing Framework
Python
1,331
star
4

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
5

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
913
star
6

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
7

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
8

android-keystore-audit

JavaScript
385
star
9

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
10

Jandroid

Python
323
star
11

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
12

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
13

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
14

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
15

snake

snake - a malware storage zoo
Shell
205
star
16

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
17

IAMSpy

Python
169
star
18

damn-vulnerable-llm-agent

Python
169
star
19

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
20

IceKube

Python
161
star
21

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
22

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
23

detectree

Data visualization for blue teams
Svelte
123
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
113
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
102
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
48
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
22
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
12
star
42

volatility-plugins

Python
11
star
43

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
44

snake-core

snake-core - the real snake
Python
11
star
45

jdiesel

jdiesel fuels the drozer
Java
10
star
46

deject

Memory dump and Sample analysis tool
Python
8
star
47

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
48

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
49

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
50

datamate

Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star