Rapidly Search and Hunt through Windows Event Logs

Illustration: Pexel, Skitterphoto
Incident Response Lifecycle
When endpoint protection software flags malicious software on an employee's laptop, the steps in this post are meant to contain the spread immediately. The usual pattern is the employee contacting the security team via Slack to set up a bridge call that runs outside the organization's network. This playbook gives the security team, or the employee acting under its direction, a method for investigating the incident: installing the necessary tooling, exporting logs from the system, and determining impact. It also serves as a supplemental process for anomalous endpoint activity on a device where EDR has not fired an alert, which is quite common.
Options for Incident Response Strategy
- If impact is high, the employee disconnects the laptop from the network (Wi-Fi off, cable out) but keeps it powered on so that volatile artifacts such as memory and running processes are preserved for digital forensics, and brings the laptop on-site if possible.
- If impact is medium to low, security works with IT to ensure that every account the employee has access to is temporarily locked to prevent unauthorized access while the investigation proceeds.
- Set up a remote connection to the laptop via ScreenWise.
Windows Analysis VM Setup
- Download Visual Studio Code
- Download the Developer Command Prompt for VS 2019 (the Rust toolchain on Windows links against the MSVC build tools, so this must be present before rustup runs)
- Download Rust from the Git Bash terminal inside VS Code:
- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
- Close and restart VS Code so that the Rust environment variables (PATH entries for cargo and rustc) are applied
- Download Chainsaw:
- git clone --recurse-submodules https://github.com/countercept/chainsaw.git
- Open the cloned folder within Visual Studio Code
- cargo build --release
Export Windows Logs from Victim
- Remote into the laptop through ScreenWise, Zoom Remote, or LogMeIn
- Log in to an Administrator account (the Security log is not readable by standard users)
- Go to Start Menu > type "Event Viewer"
- Go to Windows Logs > Security > Actions > Save All Events As... > save it to the Documents folder. Keep the default "Event Files (*.evtx)" type; Chainsaw parses the binary .evtx format, not the .txt or .csv exports. Repeat for the Application, Setup, and System logs.
- Create a folder named "evntvwer" > copy the four .evtx files there > right-click the folder > Send to > Compressed (zipped) folder
- Get the checksum of the zipped folder
- A security team member creates a shared Google Drive folder and uploads the files from the victim laptop; the hash is sent over a separate channel (Slack DM, not inside the archive)
- Download the zipped folder from Google Drive and compare the hash to ensure the file has not been corrupted or altered in transit
- certutil -hashfile <filename> SHA256 (certutil also accepts md5, but SHA-256 is the better choice for an integrity value that will be pasted into a ticket)
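The Event Viewer clicks above can be replaced with a short script run from an elevated PowerShell prompt on the victim laptop. This is an added example and not part of the original post: it exports the same four channels with wevtutil, records the hostname and time zone so event timestamps can be interpreted later, zips the folder, and writes a SHA-256 for the analyst to verify. The case name and output paths are placeholders.

```powershell
# Added example (not from the original post). Run as Administrator on the victim.
# Placeholders: $CaseName is whatever your ticketing system assigns.
$CaseName  = "IR-CASE-0001"
$OutRoot   = Join-Path $env:USERPROFILE "Documents"
$ExportDir = Join-Path $OutRoot "evntvwer"
$ZipPath   = Join-Path $OutRoot "$CaseName-evntvwer.zip"
$Channels  = @("Security", "Application", "Setup", "System")

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($ch in $Channels) {
    $dest = Join-Path $ExportDir "$ch.evtx"
    # "wevtutil epl" exports the channel as a native .evtx, which is the format
    # Chainsaw parses. /ow:true overwrites a stale copy from an earlier run.
    & wevtutil.exe epl $ch $dest /ow:true
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $ch failed (exit code $LASTEXITCODE)"
    }
}

# Record host context next to the logs: event timestamps are stored in UTC but
# the employee will describe what happened in local time.
@{
    Hostname  = $env:COMPUTERNAME
    Collected = (Get-Date).ToUniversalTime().ToString("o")
    TimeZone  = (Get-TimeZone).Id
    Channels  = $Channels
} | ConvertTo-Json | Set-Content (Join-Path $ExportDir "collection.json")

# Zip and hash. SHA-256 rather than MD5: certutil can compute either, but MD5
# collisions are cheap and the hash is the only thing proving the archive the
# analyst opens is the one the victim produced.
Compress-Archive -Path (Join-Path $ExportDir "*") -DestinationPath $ZipPath -Force
$hash = (Get-FileHash -Algorithm SHA256 -Path $ZipPath).Hash
"$hash  $(Split-Path $ZipPath -Leaf)" | Set-Content "$ZipPath.sha256"

Write-Output "Upload $ZipPath to the shared Drive folder."
Write-Output "Send this SHA-256 to the security team over a separate channel:"
Write-Output $hash
```

The .sha256 sidecar file is written for convenience on the victim side only; the value the analyst trusts is the one received out of band, since anyone who can tamper with the upload can also replace a hash file sitting next to it.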
Why are we using Chainsaw?
Chainsaw provides a powerful "first-response" capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and it identifies threats both with built-in detection logic and through support for Sigma detection rules. That combination matters here: the keyword search lets an analyst pivot on whatever indicator the EDR or the employee reported, while the built-in and Sigma logic surfaces activity nobody thought to search for.
Hunt Through Logs
Ideally, artifacts are reviewed in a controlled, sandboxed environment such as a dual-homed VM setup. If that is not possible, set up a Windows 10 EC2 instance or a local Windows VM; do not analyse the export on your daily-driver machine.
- Open Visual Studio Code
- File > Open Folder > select the previously downloaded Chainsaw folder
- Press Ctrl+Shift+X to bring up the Extensions view. Search the marketplace and install both the C/C++ and Python extensions
- In the Chainsaw folder, the compiled binary is under target\release
- Run ./chainsaw.exe --help to view all of the tool's subcommands and arguments (the flags for attaching a Sigma rule set changed between Chainsaw releases, so check the help output of the binary you built rather than an older blog post)
- $ ./chainsaw.exe hunt C:\path\to\logs\security.evtx (a directory can be passed instead of a single file, in which case every .evtx inside it is hunted)
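The analyst-side counterpart to the export step, as an added example that is not part of the original post or of the Chainsaw project: verify the archive against the hash received out of band, unpack it into a case directory, run a single hunt over all four channels, and keyword-search for a reported indicator. The zip path, expected hash, Chainsaw binary location, and indicator are placeholders; the `hunt <path>` and `search <term> <path>` forms are the ones documented in the Chainsaw README, and any Sigma-rule flags should be taken from `hunt --help` on your build.

```powershell
# Added example (not from the original post or the Chainsaw project).
# Run inside the analysis VM. All four values below are placeholders.
$ZipPath      = "$env:USERPROFILE\Downloads\IR-CASE-0001-evntvwer.zip"
$ExpectedHash = "PASTE-SHA256-RECEIVED-FROM-VICTIM"   # received via Slack DM, not from Drive
$ChainsawExe  = "C:\tools\chainsaw\target\release\chainsaw.exe"
$WorkDir      = "C:\cases\IR-CASE-0001"
$Ioc          = "mimikatz"   # placeholder indicator reported by EDR or the employee

# Integrity check first. PowerShell string comparison is case-insensitive, so
# upper/lower-case hex from certutil vs Get-FileHash does not matter.
$actual = (Get-FileHash -Algorithm SHA256 -Path $ZipPath).Hash
if ($actual -ne $ExpectedHash) {
    throw "Hash mismatch: expected $ExpectedHash but got $actual. Do not analyse this archive."
}

$LogDir = Join-Path $WorkDir "logs"
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Expand-Archive -Path $ZipPath -DestinationPath $LogDir -Force

# One hunt over the whole directory covers Security, Application, Setup and
# System. Tee the output into the case folder so the result is itself an artifact.
& $ChainsawExe hunt $LogDir |
    Tee-Object -FilePath (Join-Path $WorkDir "chainsaw-hunt.txt")

# Keyword pivot on the reported indicator across the same logs.
& $ChainsawExe search $Ioc $LogDir |
    Tee-Object -FilePath (Join-Path $WorkDir "chainsaw-search-$Ioc.txt")

# A quick sanity check that the export actually contained events: an empty
# Security.evtx usually means the victim was not logged in as Administrator.
Get-ChildItem -Path $LogDir -Filter *.evtx |
    Select-Object Name, @{ Name = "KB"; Expression = { [int]($_.Length / 1KB) } }
```

The throw on hash mismatch is deliberate: a corrupted or substituted archive is a reason to stop and re-collect, not to proceed and hope Chainsaw copes.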


References
D, J., & Kornitzer, A. (2021). countercept/chainsaw: Rapidly Search and Hunt through Windows Event Logs. GitHub. Retrieved June 18, 2022, from https://github.com/countercept/chainsaw
Figueroa, M. (2021, January 4). Building a Custom Malware Analysis Lab Environment – SentinelLabs. SentinelOne. Retrieved June 18, 2022, from https://www.sentinelone.com/labs/building-a-custom-malware-analysis-lab-environment/
13Cubed. (2021, October 25). Event Log Chainsaw Massacre – Powerful Threat Detection. YouTube. Retrieved June 18, 2022, from https://www.youtube.com/watch?v=YN_kffuC6a8