Initial commit: chainsaw EVTX hunter

WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary to hayabusa/zircolite (different rule engine + format). - ubuntu:24.04 base, multi-stage (fetcher + runtime). - Pulls latest chainsaw release tarball from GitHub at build time (greps the API JSON because release notes contain control chars that break jq). - Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules). - start.sh: chainsaw hunt /data --csv --output (CSV is mutually exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability). - Output: /output/chainsaw_<ts>/{csv/, hunt.txt}. - test_smoke.sh: fetch Yamato sample-evtx, scan, count detections. - fetch-test-data.sh + .gitignore. Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on DeepBlueCLI subset. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 19:20:32 +02:00
commit 8fe7a4312d
6 changed files with 192 additions and 0 deletions
@@ -0,0 +1,48 @@
+FROM ubuntu:24.04 AS fetcher
+LABEL maintainer="tabledevil"
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+      curl ca-certificates git \
+ && rm -rf /var/lib/apt/lists/*
+
+# Pull the latest chainsaw release (Linux amd64) and the SigmaHQ rules
+# repo at build time. No version pin on the engine — image stays current.
+# (Plain grep instead of jq because release notes contain control chars
+# that break jq's JSON parser.)
+RUN set -eux; \
+    cd /tmp; \
+    url=$(curl -sL https://api.github.com/repos/WithSecureLabs/chainsaw/releases/latest \
+            | grep -oE 'https://[^"]*chainsaw_x86_64-unknown-linux-gnu\.tar\.gz' \
+            | head -1); \
+    echo "downloading $url"; \
+    curl -sL "$url" -o chainsaw.tar.gz; \
+    mkdir -p /opt/chainsaw; \
+    tar -xzf chainsaw.tar.gz -C /opt/chainsaw --strip-components=1; \
+    rm chainsaw.tar.gz; \
+    ls /opt/chainsaw
+
+# WithSecure dropped the bundled sigma rules in v2 — clone fresh from
+# SigmaHQ each build so we have current detections.
+RUN git clone --depth=1 https://github.com/SigmaHQ/sigma /opt/sigma
+
+# Chainsaw also ships its own mapping/rule files in chainsaw/{mappings,rules}
+# inside the tarball — those are already at /opt/chainsaw.
+
+FROM ubuntu:24.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends bash ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=fetcher /opt/chainsaw /opt/chainsaw
+COPY --from=fetcher /opt/sigma /opt/sigma
+
+ENV PATH=/opt/chainsaw:$PATH
+RUN mkdir -p /output && touch /output/notmounted && chmod +x /opt/chainsaw/chainsaw
+
+ADD start.sh /root/start.sh
+RUN chmod +x /root/start.sh
+WORKDIR /data
+CMD ["/bin/bash","/root/start.sh"]