chainsaw/start.sh
tabledevil 8fe7a4312d Initial commit: chainsaw EVTX hunter
WithSecure Labs' chainsaw — fast Sigma-based EVTX hunter, complementary
to hayabusa/zircolite (different rule engine + format).

- ubuntu:24.04 base, multi-stage (fetcher + runtime).
- Pulls latest chainsaw release tarball from GitHub at build time
  (greps the API JSON because release notes contain control chars
  that break jq).
- Clones SigmaHQ rules at build (chainsaw v2 dropped bundled rules).
- start.sh: chainsaw hunt /data --csv --output (CSV is mutually
  exclusive with --json/--jsonl in v2.x; pick CSV for grep-ability).
- Output: /output/chainsaw_<ts>/{csv/, hunt.txt}.
- test_smoke.sh: fetch Yamato sample-evtx, scan, count detections.
- fetch-test-data.sh + .gitignore.

Validated end-to-end on amd64 Linux: 6/6 PASS, 3970 detections on
DeepBlueCLI subset.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 19:20:32 +02:00
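The grep-based release lookup the commit message describes, written out as an added example (this is not the repository's Dockerfile or any WithSecure Labs code). The API response below is a constructed sample whose `body` field carries a raw control byte, the case the commit says breaks jq; the asset name pattern `x86_64-unknown-linux-gnu` and the `verify_download` digest check are assumptions added here, since "pull latest at build time" with no pin or checksum is the supply-chain weak spot a reviewer would flag.

```shell
#!/usr/bin/env bash
# Added example (not from the tabledevil/chainsaw repo): pull a release asset
# URL out of the GitHub releases API JSON with grep, which tolerates the raw
# control characters in "body" that make jq abort, then verify the download
# against a pinned digest before unpacking it.
set -eu

# Constructed sample of the releases API response. The "body" field carries
# a raw \001 byte, the kind of content that breaks jq. Asset names follow the
# Rust target-triple convention; treat that as an assumption, not a spec.
SAMPLE_JSON="$(printf '{"tag_name": "v2.0.0", "body": "notes\001here", "assets": [{"name": "chainsaw_aarch64-apple-darwin.tar.gz", "browser_download_url": "https://github.com/WithSecureLabs/chainsaw/releases/download/v2.0.0/chainsaw_aarch64-apple-darwin.tar.gz"}, {"name": "chainsaw_x86_64-unknown-linux-gnu.tar.gz", "browser_download_url": "https://github.com/WithSecureLabs/chainsaw/releases/download/v2.0.0/chainsaw_x86_64-unknown-linux-gnu.tar.gz"}]}')"

# release_tag JSON -> value of tag_name (e.g. v2.0.0).
release_tag() {
    printf '%s' "$1" \
        | grep -a -o '"tag_name": *"[^"]*"' \
        | head -n 1 \
        | sed 's/.*: *"\([^"]*\)"/\1/'
}

# asset_url JSON TARGET -> first browser_download_url containing TARGET, or
# empty when no asset matches. grep -a forces text mode so the control byte
# can never turn the output into "Binary file (standard input) matches".
asset_url() {
    printf '%s' "$1" \
        | grep -a -o '"browser_download_url": *"[^"]*"' \
        | grep -a -o 'https://[^"]*' \
        | grep -a -F -- "$2" \
        | head -n 1
}

# sha256_file FILE -> hex digest (coreutils sha256sum, or shasum elsewhere).
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_download FILE EXPECTED_SHA256 -> 0 when the digest matches, 1 otherwise.
verify_download() {
    [ "$(sha256_file "$1")" = "$2" ]
}

# Build-time flow. In a Dockerfile RUN step the JSON would come from
#   curl -fsSL https://api.github.com/repos/WithSecureLabs/chainsaw/releases/latest
# Pinning the tag instead (releases/tags/v2.x.y) and checking the digest of
# the tarball turns "whatever GitHub serves today" into a reproducible input.
tag="$(release_tag "$SAMPLE_JSON")"
url="$(asset_url "$SAMPLE_JSON" x86_64-unknown-linux-gnu)"
[ -n "$url" ] || { echo "[!] no linux/amd64 asset in release $tag" >&2; exit 1; }
echo "[>] release $tag asset: $url"
# Then, with PINNED_SHA256 recorded next to the Dockerfile:
#   curl -fsSL -o chainsaw.tar.gz "$url"
#   verify_download chainsaw.tar.gz "$PINNED_SHA256" || exit 1
```

Because the runtime container is started with `--network=none`, the only moment this image touches the network is the build; that is exactly where the tag pin and digest belong, so a later `docker build` cannot silently pull a different binary than the one the smoke test validated.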

40 lines
1.1 KiB
Bash
Executable File

#!/bin/bash
# chainsaw on-demand EVTX hunter. Same /data input + /output output pattern
# as docker_hayabusa.
# pipefail: the hunt is piped through tee, so without it a chainsaw failure
# would be masked by tee's exit status and never stop the script.
set -eo pipefail

if [ ! -d /data ]; then
    echo "[!] No folder mounted to /data"
    echo "[>] docker run -it --rm --network=none -v /path/to/evtx:/data:ro -v /path/for/report:/output tabledevil/chainsaw"
    exit 1
fi

# Pick a writable output target. If the marker file /output/notmounted is
# still visible, nothing was mounted over /output; fall back to /data when
# it is writable (i.e. not mounted :ro).
if [ ! -f /output/notmounted ] && [ -w /output ]; then
    output="/output"
elif [ -w /data ]; then
    output="/data"
else
    echo "[!] No writable output folder available"
    exit 1
fi

ts="$(date +%s)"
out_base="${output}/chainsaw_${ts}"
mkdir -p "${out_base}"

echo "[>] Hunt with built-in chainsaw rules + Sigma core rules"
# Chainsaw v2.x makes --csv, --json and --jsonl mutually exclusive; pick CSV
# (one file per rule, easy to grep). For JSON later, run with --json.
# --skip-errors keeps the hunt going past unparsable EVTX files; the console
# log captured in hunt.txt records which ones were skipped.
chainsaw hunt /data \
    --sigma /opt/sigma/rules \
    --mapping /opt/chainsaw/mappings/sigma-event-logs-all.yml \
    --rule /opt/chainsaw/rules \
    --csv \
    --output "${out_base}/csv" \
    --skip-errors \
    2>&1 | tee "${out_base}/hunt.txt"

echo "[>] Output: ${out_base}/"
ls -lh "${out_base}" 2>/dev/null