irt/chainsaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: chainsaw EVTX hunter

Browse Source 
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).

- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
  (greps the API JSON because release notes contain control chars
  that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
  exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.

Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
tabledevil
2026-05-07 19:20:32 +02:00
commit 8fe7a4312d
6 changed files with 192 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
start.sh
Executable
+39
View File
@@ -0,0 +1,39 @@
#!/bin/bash
# chainsaw on-demand EVTX hunter. Same /data input + /output output pattern
# as docker_hayabusa.
set -e
if [ ! -d /data ]; then
echo "[!] No folder mounted to /data"
echo "[>] docker run -it --rm --network=none -v /path/to/evtx:/data:ro -v /path/for/report:/output tabledevil/chainsaw"
exit 1
fi
# Pick a writable output target.
if [ ! -f /output/notmounted ] && [ -w /output ]; then
output="/output"
elif [ -w /data ]; then
output="/data"
else
echo "[!] No writable output folder available"
exit 1
fi
ts="$(date +%s)"
out_base="${output}/chainsaw_${ts}"
mkdir -p "${out_base}"
echo "[>] Hunt with built-in chainsaw rules + Sigma core rules"
# Chainsaw v2.x makes --csv, --json and --jsonl mutually exclusive — pick CSV
# (one file per rule, easy to grep). For JSON later, run with --json.
chainsaw hunt /data \
--sigma /opt/sigma/rules \
--mapping /opt/chainsaw/mappings/sigma-event-logs-all.yml \
--rule /opt/chainsaw/rules \
--csv \
--output "${out_base}/csv" \
--skip-errors \
2>&1 | tee "${out_base}/hunt.txt"
echo "[>] Output: ${out_base}/"
ls -lh "${out_base}" 2>/dev/null