8fe7a4312d
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).
- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
(greps the API JSON because release notes contain control chars
that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.
Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
39 lines
996 B
Markdown
# docker_chainsaw

WithSecure Labs' [Chainsaw](https://github.com/WithSecureLabs/chainsaw) — fast Sigma-based EVTX hunter — wrapped in a container.

## Build

```
docker build -t tabledevil/chainsaw .
```

The build always pulls the latest chainsaw release tarball and the current SigmaHQ rule corpus, so every rebuild ships with up-to-date detections. The flip side is that nothing is pinned: two builds run on different days are not guaranteed to contain the same chainsaw binary or the same rules.

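The release lookup the build performs (grep over the GitHub releases API JSON rather than jq, because the release notes have contained raw control characters that jq refuses to parse), as an added POSIX sh example that is not the repository's own fetcher. The API endpoints are the real GitHub ones; the Linux amd64 asset name `chainsaw_x86_64-unknown-linux-gnu.tar.gz` and the `CHAINSAW_SHA256` pinning variable are assumptions, and the JSON response embedded below is constructed, not a real release.

```shell
#!/bin/sh
# Added example, not the repository's own fetcher: resolve a chainsaw release
# tarball URL from the GitHub releases API with grep rather than jq. jq rejects
# raw (unescaped) control characters inside JSON strings, and chainsaw release
# notes have contained them, so the lookup greps the raw response instead.
set -eu

API_BASE="https://api.github.com/repos/WithSecureLabs/chainsaw/releases"
# ASSUMPTION: asset name of the Linux amd64 build; check the release page.
ASSET_RE='chainsaw_x86_64-unknown-linux-gnu\.tar\.gz'

# release_url <ref>: "latest" floats (unpinned, non-reproducible); a tag pins.
release_url() {
  case "$1" in
    latest) printf '%s/latest\n' "$API_BASE" ;;
    *)      printf '%s/tags/%s\n' "$API_BASE" "$1" ;;
  esac
}

# asset_url_from_json <json>: first browser_download_url matching ASSET_RE.
# grep -a keeps scanning past control characters instead of calling the
# input "binary"; head/sed reduce the match to the bare URL.
asset_url_from_json() {
  printf '%s' "$1" \
    | grep -ao "\"browser_download_url\": *\"[^\"]*${ASSET_RE}\"" \
    | head -n 1 \
    | sed 's/.*"\(https[^"]*\)"$/\1/'
}

# fetch_chainsaw <ref> <dest.tar.gz>: the network step, not exercised offline.
# ASSUMPTION: CHAINSAW_SHA256 is an env var the caller sets to pin the digest.
fetch_chainsaw() {
  json=$(curl -fsSL -H 'Accept: application/vnd.github+json' "$(release_url "$1")")
  url=$(asset_url_from_json "$json")
  if [ -z "$url" ]; then
    echo "release $1 has no asset matching $ASSET_RE" >&2
    return 1
  fi
  curl -fsSL -o "$2" "$url"
  if [ -n "${CHAINSAW_SHA256:-}" ]; then
    echo "$CHAINSAW_SHA256  $2" | sha256sum -c - >/dev/null
  fi
}

# Constructed API response (not a real release): the body carries a raw \001
# byte, the kind of control character that makes jq bail on the real feed.
SAMPLE_JSON=$(printf '{"tag_name":"v0.0.0","body":"notes\001here","assets":[{"name":"chainsaw_all_platforms+rules+examples.zip","browser_download_url":"https://github.com/WithSecureLabs/chainsaw/releases/download/v0.0.0/chainsaw_all_platforms+rules+examples.zip"},{"name":"chainsaw_x86_64-unknown-linux-gnu.tar.gz","browser_download_url":"https://github.com/WithSecureLabs/chainsaw/releases/download/v0.0.0/chainsaw_x86_64-unknown-linux-gnu.tar.gz"}]}')

# Offline demo: resolves the tarball URL out of the constructed response.
asset_url_from_json "$SAMPLE_JSON"
```

Passing a tag (`fetch_chainsaw v2.9.0 chainsaw.tar.gz`) instead of `latest`, and setting `CHAINSAW_SHA256` to the digest of a tarball you have already inspected, turns the floating build into a reproducible one without changing the grep-based lookup.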
## Run

```
docker run --rm --network=none \
  -v /path/to/evtx:/data:ro \
  -v /path/for/output:/output \
  tabledevil/chainsaw
```

Output lands in `/output/chainsaw_<timestamp>/`:

- `hunt.txt` — chainsaw stdout summary (counts, table)
- `csv/` — per-rule CSV detections

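Reading the hunt output back out, as an added example rather than anything shipped in this repository: a POSIX sh summariser for `/output/chainsaw_<timestamp>/csv/` that counts detections and ranks rule titles and hosts. The header names `detections` and `Computer` are an assumption about chainsaw's CSV layout (columns are looked up by name, so adjust them to a real hunt's header line), and the two sample CSVs it builds are constructed.

```shell
#!/bin/sh
# Added example, not part of this repository: summarise a chainsaw hunt's
# CSV directory. Column names below are ASSUMED; check a real hunt's header.
set -eu

DETECTION_COL="detections"   # assumed: rule title column
HOST_COL="Computer"          # assumed: source host column

# Minimal CSV parser: honours double-quoted fields with embedded commas and
# "" escapes, strips CRLF, and prints the column whose header equals `col`.
# Limitation: a quoted field spanning several physical lines is not handled.
CSV_AWK='
function parse(line, f,    i, c, q, n, cur) {
  n = 0; cur = ""; q = 0
  for (i = 1; i <= length(line); i++) {
    c = substr(line, i, 1)
    if (q) {
      if (c == "\"") {
        if (substr(line, i + 1, 1) == "\"") { cur = cur "\""; i++ } else q = 0
      } else cur = cur c
    } else if (c == "\"") q = 1
    else if (c == ",") { f[++n] = cur; cur = "" }
    else cur = cur c
  }
  f[++n] = cur
  return n
}
{ sub(/\r$/, "") }
NR == 1 { n = parse($0, hdr); for (i = 1; i <= n; i++) if (hdr[i] == col) idx = i; next }
idx && NF { n = parse($0, f); if (n >= idx) print f[idx] }
END { if (!idx) { print "no column named " col > "/dev/stderr"; exit 2 } }
'

column_values() {            # column_values <csv> <header name>
  awk -v col="$2" "$CSV_AWK" "$1"
}

count_rows() {               # data rows in one CSV (header excluded, blank lines ignored)
  awk 'NR > 1 && NF { n++ } END { print n + 0 }' "$1"
}

count_detections() {         # total data rows across <dir>/*.csv
  total=0
  for f in "$1"/*.csv; do
    if [ -f "$f" ]; then total=$(( total + $(count_rows "$f") )); fi
  done
  echo "$total"
}

top_values() {               # top_values <dir> <header name> <n>: most frequent values
  for f in "$1"/*.csv; do
    if [ -f "$f" ]; then column_values "$f" "$2"; fi
  done | sort | uniq -c | sort -rn | head -n "$3"
}

hunt_summary() {             # hunt_summary </output/chainsaw_TS>
  csv="$1/csv"
  echo "detections: $(count_detections "$csv")"
  echo "--- top rules ---"; top_values "$csv" "$DETECTION_COL" 5
  echo "--- top hosts ---"; top_values "$csv" "$HOST_COL" 5
}

# Constructed sample hunt directory (not real chainsaw output).
make_sample_dir() {
  d=$(mktemp -d); mkdir -p "$d/csv"
  cat > "$d/csv/sigma.csv" <<'EOF'
timestamp,detections,count,Event ID,Record ID,Computer
2024-05-01T10:00:00Z,"Suspicious PowerShell Download, Encoded Command",1,4104,101,WS01
2024-05-01T10:00:05Z,"Suspicious PowerShell Download, Encoded Command",1,4104,102,WS01
2024-05-01T10:01:00Z,"Mimikatz Command Line",1,4688,103,DC01
EOF
  cat > "$d/csv/antivirus.csv" <<'EOF'
timestamp,detections,count,Event ID,Record ID,Computer
2024-05-01T11:00:00Z,"Windows Defender Threat Detected",1,1116,204,WS02
EOF
  echo "$d"
}

# Usage: sh summarise.sh /output/chainsaw_<timestamp>; with no argument, run on the sample.
if [ -d "${1:-}/csv" ]; then hunt_summary "$1"; else hunt_summary "$(make_sample_dir)"; fi
```

The parser is the part worth keeping: rule titles routinely contain commas, so `cut -d,` or a naive `awk -F,` silently shifts columns on exactly the rows you care about, and looking columns up by header name means a different chainsaw mapping (which changes the column set) only needs the two names at the top adjusted.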
## Test

```
./test_smoke.sh                    # DeepBlueCLI subset (~21 EVTX, fast)
SUBSET=YamatoSecurity ./test_smoke.sh
KEEP_DATA=1 ./test_smoke.sh        # keep cloned sample-evtx for re-runs
```

The test script clones [Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx) on demand into `test-data/` (gitignored).