Kali下Chainsaw(电锯)生成windows日志报告

最新推荐文章于 2024-02-23 11:30:00 发布

wlopghost

最新推荐文章于 2024-02-23 11:30:00 发布

阅读量390

点赞数 3

文章标签： windows linux

本文链接：https://blog.csdn.net/wlopghost/article/details/129733338

版权

首先用梯子上github下载chainsaw安装包，国内好像是没有这玩意的

下载的时候要注意，这个放在首页的是个坑，店旁边的v2.5.0进去查看最新版本

这里提供了电锯apple、windows、linux和源码版本的方案，本人全部逝了一遍，全部都是少了一些重要的配置文件（比如基本都缺了sigma这个文件夹，用命令调用的话就会报错）

花了半天时间才发现最上面这个

chainsaw_all_platforms+rules+examples.zip

意思就是全套版本都有

下下来之后可以看见里面配置文件都是齐的

将压缩包移到kali上，在kali上解压

电锯分为search模式和hunt模式

然后再github上查看使用说明或者使用命令chainsaw search -h/chainsaw hubt -h 这是github上电锯的位置 WithSecureLabs/chainsaw: Rapidly Search and Hunt through Windows Forensic Artefacts (github.com)

这里我直接打出来了

search模式

USAGE:

chainsaw search [FLAGS] [OPTIONS] <pattern> [--] [path]...

FLAGS:

-h, --help Prints help information

-i, --ignore-case Ignore the case when searching patterns

--json Print the output in json format

--load-unknown Allow chainsaw to try and load files it cannot identify

--local Output the timestamp using the local machine's timestamp

-q Supress informational output

--skip-errors Continue to search when an error is encountered

-V, --version Prints version information

OPTIONS:

--extension <extension>... Only search through files with the provided extension

--from <from> The timestamp to search from. Drops any documents older than the value provided

-o, --output <output> The path to output results to

-e, --regex <pattern>... A string or regular expression pattern to search for

-t, --tau <tau>... Tau expressions to search with. e.g. 'Event.System.EventID: =4104'

--timestamp <timestamp> The field that contains the timestamp

--timezone <timezone> Output the timestamp using the timezone provided

--to <to> The timestamp to search up to. Drops any documents newer than the value provided

ARGS:

<pattern> A string or regular expression pattern to search for. Not used when -e or -t is specified

<path>... The paths containing event logs to load and hunt through

eg：

Command Examples

Search all .evtx files for the case-insensitive string "mimikatz"

./chainsaw search mimikatz -i evtx_attack_samples/

*Search all .evtx files for powershell script block events (Event ID 4014)

./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/

Search a specific evtx log for logon events, with a matching regex pattern, output in JSON format

./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json

hunt模式

USAGE:

chainsaw hunt [FLAGS] [OPTIONS] [--] [path]...

FLAGS:

--csv Print the output in csv format

--full Print the full values for the tabular output

-h, --help Prints help information

--json Print the output in json format

--load-unknown Allow chainsaw to try and load files it cannot identify

--local Output the timestamp using the local machine's timestamp

--log Print the output in log like format

--metadata Display additional metadata in the tablar output

-q Supress informational output

--skip-errors Continue to hunt when an error is encountered

-V, --version Prints version information

OPTIONS:

--column-width <column-width> Set the column width for the tabular output

--extension <extension>... Only hunt through files with the provided extension

--from <from> The timestamp to hunt from. Drops any documents older than the value provided

--kind <kind>... Restrict loaded rules to specified kinds

--level <level>... Restrict loaded rules to specified levels

-m, --mapping <mapping>... A mapping file to tell Chainsaw how to use third-party rules

-o, --output <output> A path to output results to

-r, --rule <rule>... A path containing additional rules to hunt with

-s, --sigma <sigma>... A path containing Sigma rules to hunt with

--status <status>... Restrict loaded rules to specified statuses

--timezone <timezone> Output the timestamp using the timezone provided

--to <to> The timestamp to hunt up to. Drops any documents newer than the value provided

ARGS:

<rules> The path to a collection of rules to use for hunting

<path>... The paths containing event logs to load and hunt through

eg：

Command Examples

Hunt through all evtx files using Sigma rules for detection logic

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml

Hunt through all evtx files using Sigma rules and Chainsaw rules for detection logic and output in CSV format to the results folder

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --csv --output results

Hunt through all evtx files using Sigma rules for detection logic, only search between specific timestamps, and output the results in JSON format

./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --from "2019-03-17T19

然后github上面演示的效果图是这样的

$ ./chainsaw hunt -r rules/ evtx_attack_samples -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --level critical

██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗

██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║

██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║

██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║

╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝

╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝

By Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: ../../rules/, /tmp/sigma/rules

[+] Loaded 129 detection rules (198 not loaded)

[+] Loading event logs from: ../../evtx_attack_samples (extensions: .evtx)

[+] Loaded 268 EVTX files (37.5 MB)

[+] Hunting: [========================================] 268/268

[+] Group: Antivirus

┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────┬────────────────────────────────┬──────────────────────────────────┬────────────────────┐

│ timestamp │ detections │ Event ID │ Record ID │ Computer │ Threat Name │ Threat Path │ User │

├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────┼────────────────────────────────┼──────────────────────────────────┼────────────────────┤

│ 2019-07-18 20:40:00 │ ‣ Windows Defender │ 1116 │ 37 │ MSEDGEWIN10 │ Trojan:PowerShell/Powersploit. │ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │

│ │ │ │ │ │ M │ red-team-master\atomics\T1056\ │ │

│ │ │ │ │ │ │ Get-Keystrokes.ps1 │ │

│ 2019-07-18 20:53:31 │ ‣ Windows Defender │ 1117 │ 106 │ MSEDGEWIN10 │ Trojan:XML/Exeselrun.gen!A │ file:_C:\AtomicRedTeam\atomic- │ MSEDGEWIN10\IEUser │

│ │ │ │ │ │ │ red-team-master\atomics\T1086\ │ │

│ │ │ │ │ │ │ payloads\test.xsl │ │

└─────────────────────┴────────────────────┴──────────┴───────────┴─────────────┴────────────────────────────────┴──────────────────────────────────┴────────────────────┘

[+] Group: Log Tampering

┌─────────────────────┬───────────────────────────────┬──────────┬───────────┬────────────────────────────────┬───────────────┐

│ timestamp │ detections │ Event ID │ Record ID │ Computer │ User │

├─────────────────────┼───────────────────────────────┼──────────┼───────────┼────────────────────────────────┼───────────────┤

│ 2019-01-20 07:00:50 │ ‣ Security Audit Logs Cleared │ 1102 │ 32853 │ WIN-77LTAPHIQ1R.example.corp │ Administrator │

└─────────────────────┴───────────────────────────────┴──────────┴───────────┴────────────────────────────────┴───────────────┘

[+] Group: Sigma

┌─────────────────────┬────────────────────────────────┬───────┬────────────────────────────────┬──────────┬───────────┬──────────────────────────┬──────────────────────────────────┐

│ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │

├─────────────────────┼────────────────────────────────┼───────┼────────────────────────────────┼──────────┼───────────┼──────────────────────────┼──────────────────────────────────┤

│ 2019-04-29 20:59:14 │ ‣ Malicious Named Pipe │ 1 │ Microsoft-Windows-Sysmon │ 18 │ 8046 │ IEWIN7 │ --- │

│ │ │ │ │ │ │ │ Image: System │

│ │ │ │ │ │ │ │ PipeName: "\\46a676ab7f179e511 │

│ │ │ │ │ │ │ │ e30dd2dc41bd388" │

│ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-D9C4-5CC │

│ │ │ │ │ │ │ │ 7-0000-0010EA030000 │

│ │ │ │ │ │ │ │ ProcessId: 4 │

│ │ │ │ │ │ │ │ RuleName: "" │

│ │ │ │ │ │ │ │ UtcTime: "2019-04-29 20:59:14. │

│ │ │ │ │ │ │ │ 430" │

│ 2019-04-30 20:26:51 │ ‣ CobaltStrike Service │ 1 │ Microsoft-Windows-Sysmon │ 13 │ 9806 │ IEWIN7 │ --- │

│ │ Installations in Registry │ │ │ │ │ │ Details: "%%COMSPEC%% /b /c st │

│ │ │ │ │ │ │ │ art /b /min powershell.exe -no │

│ │ │ │ │ │ │ │ p -w hidden -noni -c \"if([Int │

│ │ │ │ │ │ │ │ Ptr]::Size -eq 4){$b='powershe │

│ │ │ │ │ │ │ │ ll.exe'}else{$b=$env:windir+'\ │

│ │ │ │ │ │ │ │ \syswow64\\WindowsPowerShell\\ │

│ │ │ │ │ │ │ │ v1.0\\powershell.exe'};$s=New- │

│ │ │ │ │ │ │ │ Object System.Diagnostics.Proc │

│ │ │ │ │ │ │ │ essStartInfo;$s.FileName=$b;$s │

│ │ │ │ │ │ │ │ .Arguments='-noni -nop -w hidd │

│ │ │ │ │ │ │ │ en -c &([scriptblock]::create( │

│ │ │ │ │ │ │ │ (New-Object IO.StreamReader(Ne │

│ │ │ │ │ │ │ │ w-Object IO.Compression.GzipSt │

│ │ │ │ │ │ │ │ ream((New-Object IO.MemoryStre │

│ │ │ │ │ │ │ │ am(,[Convert]::FromBase64Strin │

│ │ │ │ │ │ │ │ g(''H4sIAIuvyFwCA7VW+2/aSBD+OZ │

│ │ │ │ │ │ │ │ H6P1... │

│ │ │ │ │ │ │ │ (use --full to show all content) │

│ │ │ │ │ │ │ │ EventType: SetValue │

│ │ │ │ │ │ │ │ Image: "C:\\Windows\\system32\ │

│ │ │ │ │ │ │ │ \services.exe" │

│ │ │ │ │ │ │ │ ProcessGuid: 365ABB72-2586-5CC │

│ │ │ │ │ │ │ │ 9-0000-0010DC530000 │

│ │ │ │ │ │ │ │ ProcessId: 460 │

│ │ │ │ │ │ │ │ RuleName: "" │

│ │ │ │ │ │ │ │ TargetObject: "HKLM\\System\\C │

│ │ │ │ │ │ │ │ urrentControlSet\\services\\he │

│ │ │ │ │ │ │ │ llo\\ImagePath" │

│ │ │ │ │ │ │ │ UtcTime: "2019-04-30 20:26:51. │

│ │ │ │ │ │ │ │ 934" │

│ 2019-05-12 12:52:43 │ ‣ Meterpreter or Cobalt │ 1 │ Service Control Manager │ 7045 │ 10446 │ IEWIN7 │ --- │

│ │ Strike Getsystem Service │ │ │ │ │ │ AccountName: LocalSystem │

│ │ Installation │ │ │ │ │ │ ImagePath: "%COMSPEC% /c ping │

│ │ │ │ │ │ │ │ -n 1 127.0.0.1 >nul && echo 'W │

│ │ │ │ │ │ │ │ inPwnage' > \\\\.\\pipe\\WinPw │

│ │ │ │ │ │ │ │ nagePipe" │

│ │ │ │ │ │ │ │ ServiceName: WinPwnage │

│ │ │ │ │ │ │ │ ServiceType: user mode service │

│ │ │ │ │ │ │ │ StartType: demand start │

│ 2019-06-21 07:35:37 │ ‣ Dumpert Process Dumper │ 1 │ Microsoft-Windows-Sysmon │ 11 │ 238375 │ alice.insecurebank.local │ --- │

│ │ │ │ │ │ │ │ CreationUtcTime: "2019-06-21 0 │

│ │ │ │ │ │ │ │ 6:53:03.227" │

│ │ │ │ │ │ │ │ Image: "C:\\Users\\administrat │

│ │ │ │ │ │ │ │ or\\Desktop\\x64\\Outflank-Dum │

│ │ │ │ │ │ │ │ pert.exe" │

│ │ │ │ │ │ │ │ ProcessGuid: ECAD0485-88C9-5D0 │

│ │ │ │ │ │ │ │ C-0000-0010348C1D00 │

│ │ │ │ │ │ │ │ ProcessId: 3572 │

│ │ │ │ │ │ │ │ RuleName: "" │

│ │ │ │ │ │ │ │ TargetFilename: "C:\\Windows\\ │

│ │ │ │ │ │ │ │ Temp\\dumpert.dmp" │

│ │ │ │ │ │ │ │ UtcTime: "2019-06-21 07:35:37. │

│ │ │ │ │ │ │ │ 324" │

└─────────────────────┴────────────────────────────────┴───────┴────────────────────────────────┴──────────┴───────────┴──────────────────────────┴──────────────────────────────────┘

这个就是分析一个windows日志后产生的报告

然而现实中操作总会有那麽多意外

首先先从简单命令入手

用search模式搜索事件id位4104的事件报告，发现没有这个文件和目录的报错

原因是我们下载的完整版电锯安装包中电锯程序不叫chainsaw，而叫chainsaw_x86_64-unknown-linux-mus

修改后再次输入命令

这次爆出权限不够的命令

右键其属性查看权限发现确实是读写模式

经过一番查阅后发现用命令 chmod 777 +路径

改成读写权限，我也不知道在属性里改和用命令改为什莫会不一样反正本人做的时候在属性里改没用

随后用提到的命令加上自己的路径

这次运行了一会儿，然后报出了这个

翻译一下就是解析块10错误

这个错误比较难懂，本人在github上问了一下有位老哥帮我测试了一下说是文件有损坏，这里摘一下他的原话

This looks like a truncated/corrupt file to me. If I load it in event view on windows I get the same number of events out as I do with the evtx library. So in thise cause you are safe to use --skip-errors

本人自己在做的时候也一直遇到各种number的解析块错误，有10、7、2啥的，也不知道怎末办

这个老外的办法是加上 --skip-errors

在我加完之后确实问题没了，如下

root㉿monesy)-[~/桌面/chainsaw3]

└─# ./chainsaw_x86_64-unknown-linux-mus hunt -r rules/ /root/桌面/System.evtx -s sigma/rules --mapping mappings/sigma-event-logs-all.yml --skip-errors > 3.txt

██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗

██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║

██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║

██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║

╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝

╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝

By Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading detection rules from: rules/, sigma/rules

[+] Loaded 2498 detection rules (207 not loaded)

[+] Loading forensic artefacts from: /root/桌面/System.evtx (extensions: .evtx, .evt)

[+] Loaded 1 forensic artefacts (1.1 MB)

[+] Hunting: [----------------------------------------] 0/1 ⠋ [+] Hunting: [----------------------------------------] 0/1 ⠙ [+] Hunting: [----------------------------------------] 0/1 ⠹ [+] Hunting: [----------------------------------------] 0/1 ⠸ [+] Hunting: [----------------------------------------] 0/1 ⠼ [+] Hunting: [----------------------------------------] 0/1 ⠴ [+] Hunting: [----------------------------------------] 0/1 ⠦ [+] Hunting: [----------------------------------------] 0/1 ⠧ [+] Hunting: [----------------------------------------] 0/1 ⠇ [+] Hunting: [----------------------------------------] 0/1 ⠏ [+] Hunting: [----------------------------------------] 0/1 ⠋ [+] Hunting: [----------------------------------------] 0/1 ⠙ [+] Hunting: [----------------------------------------] 0/1 ⠹ [+] Hunting: [----------------------------------------] 0/1 ⠸ [+] Hunting: [----------------------------------------] 0/1 ⠼ [+] Hunting: [----------------------------------------] 0/1 ⠴ [+] Hunting: [----------------------------------------] 0/1 ⠦ [!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 10

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 11

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 12

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 13

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 14

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 15

[!] failed to parse document '/root/桌面/System.evtx' - Failed to parse chunk number 16

[+] Hunting: [========================================] 1/1 [+] 62 Detections found on 62 documents

其中的[+] Hunting: [----------------------------------------] 0/1不知道是不是意味着没有hunt到的意思，

本人认为用 --skip-errors只是遇到报错就跳过应该会遗失不少事件没有做成report

最后展示一下生成的报告