Windows Registry Forensic Analysis using Chainsaw, Wazuh Agent and Sigma Rules

SOCFortress
6 min read · Jun 26, 2022


Introduction

Chainsaw is a Windows-based tool developed by F-Secure (WithSecure).
The tool provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs.
It offers a generic and fast method of searching through event logs for keywords and of identifying threats using built-in detection logic and via support for Sigma detection rules.
In this blog post we detail how Chainsaw can be integrated with the Wazuh agent to “hunt” for past events recorded in the Windows event logs and flagged by Sigma rules. The output of this scan can be appended to the Wazuh agent’s active-responses log file and sent to the Wazuh manager for centralized collection and event classification (alert severity, MITRE enrichment, etc.) using detection rules.

Some use cases

  • After deploying Wazuh in your environment, you can use Chainsaw to collect past artifacts still present in the WinEvtLogs and send Chainsaw’s output to the Wazuh manager for centralized analysis and triage of past events that might still require attention. This centralized collection of artifacts provides valuable insight into past security events that might have been missed because no EDR tool was in place. It can also help to identify persistent footholds.
  • Apply DFIR at any given time. By using Wazuh’s wodle command capability, all artifacts in the WinEvtLogs can be sent to the manager for analysis.

Details on the Chainsaw tool can be found in F-Secure’s GitHub repo.

Sigma Rules

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others.

The integration of Sigma rules and Chainsaw described in this post uses the rules included in the official Sigma GitHub repo, restricted to those with a severity (level) of high or critical.
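The subset of high- and critical-level rules mentioned above has to be produced before Chainsaw runs. The following script is an added example (not part of the post, the Sigma project or Chainsaw) that reads the top-level level key of each rule and copies only the wanted ones into a separate directory. The rule texts in SAMPLE_RULES are constructed; on a real checkout of the Sigma repo, pass its rules directory to select_rule_files.

```python
"""Select Sigma rules by level (high / critical) for a Chainsaw hunt.

Added example, not code from the article, Chainsaw or the Sigma project.
The rule bodies below are constructed samples trimmed to the keys that
matter here; select_rule_files applies the same selection to a real tree.
"""
import os
import re
import shutil

# Sigma rules carry their severity in a top-level "level:" key; the anchor
# at column 0 keeps indented keys (e.g. inside detection:) from matching.
LEVEL_RE = re.compile(r"^level:\s*(\w+)\s*$", re.MULTILINE)
WANTED_LEVELS = {"high", "critical"}  # the severities the integration keeps

SAMPLE_RULES = {  # constructed rule texts keyed by file name
    "proc_creation_win_example_high.yml":
        "title: Example high rule\nstatus: test\nlevel: high\n"
        "logsource:\n  product: windows\n  category: process_creation\n",
    "registry_event_example_critical.yml":
        "title: Example critical rule\nlevel: critical\n"
        "logsource:\n  product: windows\n  category: registry_event\n",
    "net_connection_example_low.yml":
        "title: Example low rule\nlevel: low\n"
        "logsource:\n  product: windows\n  category: network_connection\n",
    "broken_rule_no_level.yml":
        "title: Rule without a level\nlogsource:\n  product: windows\n",
}


def rule_level(text):
    """Return the rule's level in lower case, or None when the key is missing."""
    m = LEVEL_RE.search(text)
    return m.group(1).lower() if m else None


def select_rules(rule_texts, levels=WANTED_LEVELS):
    """Names whose level is in `levels`; rules without a level are dropped."""
    return sorted(name for name, text in rule_texts.items()
                  if rule_level(text) in levels)


def select_rule_files(src_dir, dst_dir, levels=WANTED_LEVELS):
    """Copy matching .yml rules from src_dir (recursively) into dst_dir."""
    rule_texts = {}
    for root, _, files in os.walk(src_dir):
        for f in files:
            if f.endswith(".yml"):
                path = os.path.join(root, f)
                with open(path, encoding="utf-8") as fh:
                    rule_texts[path] = fh.read()
    os.makedirs(dst_dir, exist_ok=True)
    chosen = select_rules(rule_texts, levels)
    for path in chosen:
        shutil.copy(path, dst_dir)
    return chosen


if __name__ == "__main__":
    print(select_rules(SAMPLE_RULES))
```

Rules without a level key are deliberately dropped rather than guessed at, so a malformed rule cannot slip into the high/critical set unnoticed.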

Windows Event IDs

Chainsaw goes through the log events recorded in the WinEvtLog and analyzes the following event types against the Sigma rules:

  • Process Creation (Sysmon) 1
  • Network Connections (Sysmon) 3
  • Image Loads (Sysmon) 7
  • File Creation (Sysmon) 11
  • Registry Events (Sysmon) 13
  • Process Creation 4688
  • Scheduled Task Creation 4698
  • Service Creation 7045

The mapping is done using the file “sigma-event-logs.yml”:

---
name: Chainsaw's Sigma mappings for Event Logs
kind: evtx
rules: sigma

ignore:
  - Defense evasion via process reimaging
  - Exports Registry Key To an Alternate Data Stream
  - NetNTLM Downgrade Attack
  - Non Interactive PowerShell
  - Wuauclt Network Connection

groups:
  - name: Suspicious Process Creation
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 1
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Command Line
        from: CommandLine
        to: Event.EventData.CommandLine
      - name: Original File Name
        from: OriginalFileName
        to: Event.EventData.OriginalFileName
      - name: Parent Image
        from: ParentImage
        to: Event.EventData.ParentImage
      - name: Parent Command Line
        from: ParentCommandLine
        to: Event.EventData.ParentCommandLine

  - name: Suspicious Network Connection
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 3
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: User
        to: Event.EventData.User
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Destination IP
        from: DestinationIp
        to: Event.EventData.DestinationIp
      - name: Destination Port
        from: DestinationPort
        to: Event.EventData.DestinationPort
      - name: Destination Hostname
        from: DestinationHostname
        to: Event.EventData.DestinationHostname
      - name: Destination Is IPv6
        from: DestinationIsIpv6
        to: Event.EventData.DestinationIsIpv6
        visible: false
      - name: Initiated
        from: Initiated
        to: Event.EventData.Initiated
      - name: Source Port
        from: SourcePort
        to: Event.EventData.SourcePort

  - name: Suspicious Image Load
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 7
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Image Loaded
        from: ImageLoaded
        to: Event.EventData.ImageLoaded

  - name: Suspicious File Creation
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 11
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Target File Name
        from: TargetFilename
        to: Event.EventData.TargetFilename

  - name: Suspicious Registry Event
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 13
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Details
        from: Details
        to: Event.EventData.Details
      - name: Target Object
        from: TargetObject
        to: Event.EventData.TargetObject

  - name: Suspicious Service Installed
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 7045
      Provider: Service Control Manager
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Service
        from: ServiceName
        to: Event.EventData.ServiceName
      # TODO: Can someone check if this is a typo...?
      - name: Command Line
        from: CommandLine
        to: Event.EventData.ImagePath

  - name: Suspicious Command Line
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 4688
      Provider: Microsoft-Windows-Security-Auditing
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: UserName
        to: Event.EventData.SubjectUserName
      # TODO: Can someone check if this is a typo...?
      - name: Process
        from: Image
        to: Event.EventData.NewProcessName
      - name: Command Line
        from: CommandLine
        to: Event.EventData.CommandLine

  - name: Suspicious Scheduled Task Created
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 4698
      Provider: Microsoft-Windows-Security-Auditing
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: UserName
        to: Event.EventData.SubjectUserName
      - name: Name
        from: TaskName
        to: Event.EventData.TaskName
      # TODO: Can someone check if this is a typo...?
      - name: Command Line
        from: CommandLine
        to: Event.EventData.TaskContent
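To make the semantics of a mapping group concrete (the filter decides which records a group applies to, each fields entry renames a document path to the name the Sigma rules and the tabular output use, and visible: false keeps a field available for filtering without printing it), here is an added example that re-implements that logic in plain Python. It is not Chainsaw's code. Two assumptions are made: the filter keys are the Sigma-side names resolved through the group's own from/to table (which is why Provider is listed as a hidden field), and int(...) casts the document value before comparing. The group is the "Suspicious Registry Event" entry transcribed from the file above; the events are constructed samples.

```python
"""Apply one Chainsaw mapping group to parsed event documents.

Added example, not Chainsaw's own code. Assumption: filter keys name
Sigma-side fields that are resolved to document paths via the group's
"to" entries, and int(X) compares numerically. Events are constructed.
"""
import json

# "Suspicious Registry Event" (Sysmon Event ID 13), transcribed from the
# sigma-event-logs.yml quoted in the article.
REGISTRY_GROUP = {
    "name": "Suspicious Registry Event",
    "timestamp": "Event.System.TimeCreated",
    "filter": {"int(EventID)": 13, "Provider": "Microsoft-Windows-Sysmon"},
    "fields": [
        {"from": "Provider", "to": "Event.System.Provider", "visible": False},
        {"name": "Event ID", "from": "EventID", "to": "Event.System.EventID"},
        {"name": "Record ID", "from": "EventRecordID", "to": "Event.System.EventRecordID"},
        {"name": "Computer", "from": "Computer", "to": "Event.System.Computer"},
        {"name": "Image", "from": "Image", "to": "Event.EventData.Image"},
        {"name": "Details", "from": "Details", "to": "Event.EventData.Details"},
        {"name": "Target Object", "from": "TargetObject", "to": "Event.EventData.TargetObject"},
    ],
}

# Constructed sample records in the System/EventData shape a parsed EVTX
# record has. EventID is a string in the first one on purpose: it shows
# why the mapping casts it with int(...) instead of comparing text.
SAMPLE_EVENTS = [
    {"Event": {"System": {"Provider": "Microsoft-Windows-Sysmon", "EventID": "13",
                          "EventRecordID": 4711, "Computer": "WS01.example.local",
                          "TimeCreated": "2022-06-20T10:15:30Z"},
               "EventData": {"Image": "C:\\Windows\\regedit.exe",
                             "TargetObject": "HKLM\\SOFTWARE\\Example\\Setting",
                             "Details": "DWORD (0x00000001)"}}},
    {"Event": {"System": {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
                          "EventRecordID": 4712, "Computer": "WS01.example.local",
                          "TimeCreated": "2022-06-20T10:15:31Z"},
               "EventData": {"Image": "C:\\Windows\\System32\\notepad.exe",
                             "CommandLine": "notepad.exe"}}},
    {"Event": {"System": {"Provider": "Service Control Manager", "EventID": 13,
                          "EventRecordID": 4713, "Computer": "WS01.example.local",
                          "TimeCreated": "2022-06-20T10:15:32Z"},
               "EventData": {"ServiceName": "ExampleSvc"}}},
]


def get_path(doc, dotted):
    """Walk a dotted path such as Event.System.EventID; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve(group, sigma_name, event):
    """Look a Sigma-side field name up through the group's from/to table."""
    for field in group["fields"]:
        if field["from"] == sigma_name:
            return get_path(event, field["to"])
    return None


def matches_filter(group, event):
    """True when every filter entry holds; int(X) compares numerically."""
    for key, expected in group["filter"].items():
        if key.startswith("int(") and key.endswith(")"):
            actual = resolve(group, key[4:-1], event)
            try:
                if int(actual) != int(expected):
                    return False
            except (TypeError, ValueError):  # missing or non-numeric value
                return False
        elif resolve(group, key, event) != expected:
            return False
    return True


def project(group, event):
    """Visible columns of a matching event, keyed by their display name."""
    row = {"timestamp": get_path(event, group["timestamp"])}
    for field in group["fields"]:
        if not field.get("visible", True):
            continue  # Provider is needed by the filter but is not shown
        row[field["name"]] = get_path(event, field["to"])
    return row


def hunt(group, events):
    """Run one group over parsed events and return the rows it would print."""
    return [project(group, e) for e in events if matches_filter(group, e)]


if __name__ == "__main__":
    for row in hunt(REGISTRY_GROUP, SAMPLE_EVENTS):
        print(json.dumps(row, indent=2))
```

Only the first sample record survives: the second is a Sysmon event with the wrong ID, and the third has ID 13 but comes from the Service Control Manager, so the Provider check in the filter rejects it even though the numeric check passes.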

Executing Chainsaw

Chainsaw can be downloaded from GitHub; the zip file packages the executable along with the Sigma rules and the YAML file that the tool uses to map event IDs to the rules analyzed:

(The folder “evtx_attack_samples” is included for testing purposes.)

Commands and options available in Chainsaw can be listed with its help command:

Hunt through event logs using detection rules and builtin logic

USAGE:
    chainsaw.exe hunt [FLAGS] [OPTIONS] <rules> [--] [path]...

FLAGS:
        --csv             Print the output in csv format
        --full            Print the full values for the tabular output
    -h, --help            Prints help information
        --json            Print the output in json format
        --load-unknown    Allow chainsaw to try and load files it cannot identify
        --local           Output the timestamp using the local machine's timestamp
        --metadata        Apply addional metadata for the tablar output
    -q                    Supress informational output
        --skip-errors     Continue to hunt when an error is encountered
    -V, --version         Prints version information

OPTIONS:
        --column-width <column-width>    Set the column width for the tabular output
        --extension <extension>          Only hunt through files with the provided extension
        --from <from>                    The timestamp to hunt from. Drops any documents older than the value provided
    -m, --mapping <mapping>...           A mapping file to hunt with
    -o, --output <output>                The file/directory to output to
    -r, --rule <rule>...                 Additional rules to hunt with
        --timezone <timezone>            Output the timestamp using the timezone provided
        --to <to>                        The timestamp to hunt up to. Drops any documents newer than the value provided

ARGS:
    <rules>      The path to a collection of rules
    <path>...    The paths to hunt through

Chainsaw and Wazuh Agent

The execution of Chainsaw can be integrated in Wazuh as a wodle command and run periodically to hunt for events recorded in the Windows registry.

This integration is available in our GitHub repo.
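The post points to the SOCFortress repo for the actual integration; the script below is an added, minimal stand-in (not the SOCFortress code) that shows the same flow end to end: build the hunt command from the flags listed in the help output above, run Chainsaw with --json, and append each detection as one compact JSON line to the agent's active-responses.log so the manager's JSON decoder can pick it up. It assumes hypothetical paths under C:\chainsaw for the executable, the rules and the mapping file, that Chainsaw's --json report is a JSON array of detection objects, and the default Wazuh Windows agent location for active-responses.log; SAMPLE_DETECTIONS are constructed, and the converter passes each object through unchanged so it does not depend on the key names of a particular Chainsaw version.

```python
"""Run Chainsaw from a Wazuh wodle command and forward its findings.

Added example, not the SOCFortress integration. Assumptions: hypothetical
paths under C:\\chainsaw; --json writes a JSON array of detections; the
agent's active-responses.log lives at the default Windows agent path.
"""
import json
import subprocess

CHAINSAW_EXE = r"C:\chainsaw\chainsaw.exe"                    # hypothetical
RULES_DIR = r"C:\chainsaw\sigma_rules"                        # hypothetical
MAPPING = r"C:\chainsaw\mappings\sigma-event-logs.yml"        # hypothetical
OUTPUT_JSON = r"C:\chainsaw\hunt.json"                        # hypothetical
EVTX_DIR = r"C:\Windows\System32\winevt\Logs"                 # live event logs
ACTIVE_RESPONSES_LOG = (r"C:\Program Files (x86)\ossec-agent"
                        r"\active-response\active-responses.log")

SAMPLE_DETECTIONS = [  # constructed stand-ins for objects in the --json report
    {"group": "Suspicious Registry Event", "rule": "Example rule A",
     "level": "high", "timestamp": "2022-06-20T10:15:30Z",
     "Computer": "WS01.example.local"},
    {"group": "Suspicious Service Installed", "rule": "Example rule B",
     "level": "critical", "timestamp": "2022-06-20T10:15:32Z",
     "Computer": "WS01.example.local"},
]


def build_hunt_command(since=None):
    """Assemble the hunt invocation from the flags shown in chainsaw's help."""
    cmd = [CHAINSAW_EXE, "hunt", RULES_DIR, "--mapping", MAPPING,
           "--json", "--output", OUTPUT_JSON, "--skip-errors", "-q"]
    if since:  # --from drops documents older than the last run's timestamp
        cmd += ["--from", since]
    cmd.append(EVTX_DIR)
    return cmd


def to_wazuh_lines(detections, source="chainsaw"):
    """One compact JSON object per detection; no embedded newlines."""
    lines = []
    for det in detections:
        record = {"integration": source, "chainsaw": det}
        lines.append(json.dumps(record, separators=(",", ":")))
    return lines


def append_lines(lines, path=ACTIVE_RESPONSES_LOG):
    """Append the records to the log the agent already forwards."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in lines:
            fh.write(line + "\n")


def run_hunt(since=None):
    """Execute Chainsaw, read its JSON report and forward every detection."""
    subprocess.run(build_hunt_command(since), check=True)
    with open(OUTPUT_JSON, encoding="utf-8") as fh:
        detections = json.load(fh)
    lines = to_wazuh_lines(detections)
    append_lines(lines)
    return len(lines)


if __name__ == "__main__":
    print(f"forwarded {run_hunt()} detections")
```

Scheduling is then a matter of the agent's ossec.conf: a `<wodle name="command">` entry whose `<command>` runs this script and whose `<interval>` sets the cadence. Keeping `--from` at the previous run's timestamp avoids re-sending the same historical hits on every interval, and wrapping each detection under a fixed key ("chainsaw") gives the manager-side rules a stable field to match on.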

Visualizing Events and Alerts

Chainsaw and Sigma Rules — Registry Scan

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).