Windows Registry Forensic Analysis using Chainsaw, Wazuh Agent and Sigma Rules

Introduction.

Some use cases

Sigma Rules

Windows Event IDs

---
name: Chainsaw's Sigma mappings for Event Logs
kind: evtx
rules: sigma
ignore:
  - Defense evasion via process reimaging
  - Exports Registry Key To an Alternate Data Stream
  - NetNTLM Downgrade Attack
  - Non Interactive PowerShell
  - Wuauclt Network Connection
groups:
  - name: Suspicious Process Creation
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 1
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Command Line
        from: CommandLine
        to: Event.EventData.CommandLine
      - name: Original File Name
        from: OriginalFileName
        to: Event.EventData.OriginalFileName
      - name: Parent Image
        from: ParentImage
        to: Event.EventData.ParentImage
      - name: Parent Command Line
        from: ParentCommandLine
        to: Event.EventData.ParentCommandLine
  - name: Suspicious Network Connection
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 3
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: User
        to: Event.EventData.User
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Destination IP
        from: DestinationIp
        to: Event.EventData.DestinationIp
      - name: Destination Port
        from: DestinationPort
        to: Event.EventData.DestinationPort
      - name: Destination Hostname
        from: DestinationHostname
        to: Event.EventData.DestinationHostname
      - name: Destination Is IPv6
        from: DestinationIsIpv6
        to: Event.EventData.DestinationIsIpv6
        visible: false
      - name: Initiated
        from: Initiated
        to: Event.EventData.Initiated
      - name: Source Port
        from: SourcePort
        to: Event.EventData.SourcePort
  - name: Suspicious Image Load
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 7
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Image Loaded
        from: ImageLoaded
        to: Event.EventData.ImageLoaded
  - name: Suspicious File Creation
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 11
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Target File Name
        from: TargetFilename
        to: Event.EventData.TargetFilename
  - name: Suspicious Registry Event
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 13
      Provider: Microsoft-Windows-Sysmon
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Image
        from: Image
        to: Event.EventData.Image
      - name: Details
        from: Details
        to: Event.EventData.Details
      - name: Target Object
        from: TargetObject
        to: Event.EventData.TargetObject
  - name: Suspicious Service Installed
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 7045
      Provider: Service Control Manager
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: Service
        from: ServiceName
        to: Event.EventData.ServiceName
      # TODO: Can someone check if this is a typo...?
      - name: Command Line
        from: CommandLine
        to: Event.EventData.ImagePath
  - name: Suspicious Command Line
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 4688
      Provider: Microsoft-Windows-Security-Auditing
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: UserName
        to: Event.EventData.SubjectUserName
      # TODO: Can someone check if this is a typo...?
      - name: Process
        from: Image
        to: Event.EventData.NewProcessName
      - name: Command Line
        from: CommandLine
        to: Event.EventData.CommandLine
  - name: Suspicious Scheduled Task Created
    timestamp: Event.System.TimeCreated
    filter:
      int(EventID): 4698
      Provider: Microsoft-Windows-Security-Auditing
    fields:
      - from: Provider
        to: Event.System.Provider
        visible: false
      - name: Event ID
        from: EventID
        to: Event.System.EventID
      - name: Record ID
        from: EventRecordID
        to: Event.System.EventRecordID
      - name: Computer
        from: Computer
        to: Event.System.Computer
      - name: User
        from: UserName
        to: Event.EventData.SubjectUserName
      - name: Name
        from: TaskName
        to: Event.EventData.TaskName
      # TODO: Can someone check if this is a typo...?
      - name: Command Line
        from: CommandLine
        to: Event.EventData.TaskContent
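To make the mapping semantics concrete, here is an added Python illustration (not Chainsaw's own code, and not from the original post) that reimplements one group of the mapping above, "Suspicious Registry Event", over JSON-shaped EVTX records. It shows why the hidden `Provider` field is still needed: the `filter` keys are expressed in `from` names and resolved through the field list, `int(EventID)` is cast before comparison, and only `visible` fields become columns in the resulting row. The sample events, the host name and the `sysmon()` helper are constructed for this example.

```python
"""Apply one Chainsaw-style mapping group to JSON-serialised EVTX records.

Added illustration, not Chainsaw's own code. It reimplements the semantics of
the "Suspicious Registry Event" group from the mapping above: a filter key such
as int(EventID) is resolved through the field whose `from` name it references,
cast with the named function and compared; matching records are projected into
the named columns, while `visible: false` fields serve the filter only.
All sample events below are constructed.
"""
import re
from typing import Any, Dict, List, Optional

# Transcribed from the mapping file above (group "Suspicious Registry Event").
REGISTRY_GROUP: Dict[str, Any] = {
    "name": "Suspicious Registry Event",
    "timestamp": "Event.System.TimeCreated",
    "filter": {"int(EventID)": 13, "Provider": "Microsoft-Windows-Sysmon"},
    "fields": [
        {"from": "Provider", "to": "Event.System.Provider", "visible": False},
        {"name": "Event ID", "from": "EventID", "to": "Event.System.EventID"},
        {"name": "Record ID", "from": "EventRecordID", "to": "Event.System.EventRecordID"},
        {"name": "Computer", "from": "Computer", "to": "Event.System.Computer"},
        {"name": "Image", "from": "Image", "to": "Event.EventData.Image"},
        {"name": "Details", "from": "Details", "to": "Event.EventData.Details"},
        {"name": "Target Object", "from": "TargetObject", "to": "Event.EventData.TargetObject"},
    ],
}

# Casts a filter key may wrap around a field name, e.g. int(EventID).
CASTS = {"int": int, "str": str}
FILTER_KEY = re.compile(r"^(?:(?P<cast>\w+)\((?P<inner>\w+)\)|(?P<plain>\w+))$")


def resolve(doc: dict, dotted: str) -> Any:
    """Walk a dotted path such as Event.EventData.TargetObject; None if absent."""
    node: Any = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def field_path(group: dict, from_name: str) -> Optional[str]:
    """Map a `from` name to its `to` path; filters are written in `from` names."""
    for field in group["fields"]:
        if field["from"] == from_name:
            return field["to"]
    return None


def matches(group: dict, doc: dict) -> bool:
    """True when every filter entry equals the (optionally cast) record value."""
    for key, expected in group["filter"].items():
        m = FILTER_KEY.match(key)
        if m is None:
            return False
        path = field_path(group, m.group("inner") or m.group("plain"))
        value = resolve(doc, path) if path else None
        if value is None:
            return False
        if m.group("cast"):
            try:
                value = CASTS[m.group("cast")](value)
            except (KeyError, ValueError, TypeError):
                return False
        if value != expected:
            return False
    return True


def project(group: dict, doc: dict) -> Dict[str, Any]:
    """Build the tabular row: timestamp plus every visible field, by display name."""
    row: Dict[str, Any] = {"timestamp": resolve(doc, group["timestamp"])}
    for field in group["fields"]:
        if field.get("visible", True):
            row[field.get("name", field["from"])] = resolve(doc, field["to"])
    return row


def hunt(group: dict, docs: List[dict]) -> List[Dict[str, Any]]:
    """Return one row for each record that passes the group's filter."""
    return [project(group, d) for d in docs if matches(group, d)]


def sysmon(event_id, record_id, data, provider="Microsoft-Windows-Sysmon"):
    """Constructed helper shaping a record like a JSON view of an EVTX event."""
    return {"Event": {
        "System": {"Provider": provider, "EventID": event_id, "EventRecordID": record_id,
                   "Computer": "WS01.lab.local", "TimeCreated": f"2023-05-01T10:0{record_id}:00Z"},
        "EventData": data}}


# Constructed sample: two registry value-set events (the second with EventID
# as a string), one process-creation event and one EID 13 from another provider.
SAMPLE_EVENTS = [
    sysmon(13, 1, {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                   "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                   "Details": r"C:\Users\alice\AppData\Local\Temp\setup.exe"}),
    sysmon("13", 2, {"Image": r"C:\Windows\System32\svchost.exe",
                     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type",
                     "Details": "NTP"}),
    sysmon(1, 3, {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"}),
    sysmon(13, 4, {"TargetObject": r"HKLM\Other"}, provider="Some-Other-Provider"),
]

if __name__ == "__main__":
    for row in hunt(REGISTRY_GROUP, SAMPLE_EVENTS):
        print(row)
```

Running it prints two rows: the Run-key write and the W32Time write both pass the filter, the process-creation event fails on `int(EventID)`, and the record from the other provider fails on `Provider`. The projection keeps the raw `EventID` value (the cast applies to the filter only), which is the same reason a mapping should declare `int(EventID)` rather than relying on the serialised type.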

Executing Chainsaw

Hunt through event logs using detection rules and builtin logic

USAGE:
    chainsaw.exe hunt [FLAGS] [OPTIONS] <rules> [--] [path]...

FLAGS:
        --csv             Print the output in csv format
        --full            Print the full values for the tabular output
    -h, --help            Prints help information
        --json            Print the output in json format
        --load-unknown    Allow chainsaw to try and load files it cannot identify
        --local           Output the timestamp using the local machine's timestamp
        --metadata        Apply addional metadata for the tablar output
    -q                    Supress informational output
        --skip-errors     Continue to hunt when an error is encountered
    -V, --version         Prints version information

OPTIONS:
        --column-width <column-width>    Set the column width for the tabular output
        --extension <extension>          Only hunt through files with the provided extension
        --from <from>                    The timestamp to hunt from. Drops any documents older than the value provided
    -m, --mapping <mapping>...           A mapping file to hunt with
    -o, --output <output>                The file/directory to output to
    -r, --rule <rule>...                 Additional rules to hunt with
        --timezone <timezone>            Output the timestamp using the timezone provided
        --to <to>                        The timestamp to hunt up to. Drops any documents newer than the value provided

ARGS:
    <rules>      The path to a collection of rules
    <path>...    The paths to hunt through

Chainsaw and Wazuh Agent

Visualizing Events and Alerts

Chainsaw and Sigma Rules — Registry Scan

SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).