8fe7a4312d
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).
- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
(greps the API JSON because release notes contain control chars
that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.
Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
996 B
docker_chainsaw
WithSecure Labs' Chainsaw — fast Sigma-based EVTX hunter — wrapped in a container.
Build
docker build -t tabledevil/chainsaw .
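The build always pulls the latest chainsaw release tarball and the current SigmaHQ rule corpus, so every rebuild ships with up-to-date detections. Neither is pinned to a version, so images built at different times can differ in both the chainsaw binary and the rule set.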
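The build fetches whatever release is current, and the commit message notes that the release JSON is grepped rather than parsed with jq. As an added example (not the repository's own script), this shell function extracts exactly one asset URL from such a response and refuses URLs outside the expected upstream path. The `WithSecureLabs/chainsaw` path, the asset file names and the sample response are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the repository): choose one release asset URL from
# a GitHub "latest release" API response with grep/sed, no JSON parser.

# Assumption: upstream assets live under this path; anything else is refused.
ALLOWED_PREFIX='https://github.com/WithSecureLabs/chainsaw/releases/download/'

# pick_asset_url REGEX: reads release JSON on stdin, prints exactly one URL.
# Steps: drop NUL bytes, pull every browser_download_url pair as text (-a),
# reduce each pair to its URL value, then keep URLs matching REGEX.
pick_asset_url() {
    urls=$(
        tr -d '\000' |
        grep -a -o '"browser_download_url"[[:space:]]*:[[:space:]]*"[^"]*"' |
        sed 's/.*"\(https[^"]*\)"$/\1/' |
        grep -E -- "$1" || true
    )
    count=$(printf '%s\n' "$urls" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        # Zero or several candidates: fail the build instead of guessing.
        echo "expected exactly one matching asset, found $count" >&2
        return 1
    fi
    case $urls in
        "$ALLOWED_PREFIX"*) printf '%s\n' "$urls" ;;
        *) echo "asset URL outside expected repository: $urls" >&2
           return 1 ;;
    esac
}

# Constructed sample response: tag, asset names and release notes are made up.
# The "body" field carries raw control bytes (0x01, ESC), the kind of content
# that makes a strict JSON parser reject the document.
sample_release() {
    base='https://github.com/WithSecureLabs/chainsaw/releases/download'
    printf '{"tag_name":"v0.0.0-example",'
    printf '"body":"notes \001 with \033[0m control bytes",'
    printf '"assets":[{"browser_download_url":"%s"},' \
        "$base/v0.0.0-example/chainsaw_x86_64-unknown-linux-gnu.tar.gz"
    printf '{"browser_download_url":"%s"}]}\n' \
        "$base/v0.0.0-example/chainsaw_x86_64-pc-windows-msvc.zip"
}

# Usage: sample_release | pick_asset_url 'x86_64.*linux.*\.tar\.gz$'
```

Failing when the match is ambiguous or off-repository keeps a changed release layout from silently putting a different binary into the image.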
Run
docker run --rm --network=none \
    -v /path/to/evtx:/data:ro \
    -v /path/for/output:/output \
    tabledevil/chainsaw
Output lands in /output/chainsaw_<timestamp>/:
- hunt.txt: chainsaw stdout summary (counts, table)
- csv/: per-rule CSV detections
Test
./test_smoke.sh # DeepBlueCLI subset (~21 EVTX, fast)
SUBSET=YamatoSecurity ./test_smoke.sh
KEEP_DATA=1 ./test_smoke.sh # keep cloned sample-evtx for re-runs
The test script clones Yamato-Security/hayabusa-sample-evtx on demand into test-data/ (gitignored).