To perform a basic analysis in Chainsaw, you can start with the commands below:
To do (Search) analysis of logs using keywords:
Use chainsaw.exe search mimikatz -i {Logs Path} to perform a case-insensitive search (the -i flag) for the term "mimikatz" across the logs.
Command: chainsaw.exe search mimikatz -i {Logs Path}
To do (Search) analysis of logs using Event IDs:
Use chainsaw.exe search -t "Event.System.EventID: =4104" {Log Path} to return only the events whose Event ID field equals 4104; the -t option takes a field-based filter expression instead of a free-text keyword.
Command: chainsaw.exe search -t "Event.System.EventID: =4104" {Log Path}
To do (Hunting) analysis of logs using built-in rules:
Use chainsaw.exe hunt -r rules/ {Log Path} to run Chainsaw's built-in detection rules: the hunt subcommand applies the rules found in the "rules/" directory (-r) to the logs.
Command: chainsaw.exe hunt -r rules/ {Log Path}
To do (Hunting) analysis of logs using Sigma rules:
Use chainsaw.exe hunt -s sigma/ --mapping mappings/sigma-event-logs-all.yml to hunt with Sigma rules: -s points at the Sigma rules in the "sigma/" directory, and --mapping supplies a file that tells Chainsaw how to translate the fields used by these third-party rules onto the event log fields it reads.
Command: chainsaw.exe hunt -s sigma/ --mapping mappings/sigma-event-logs-all.yml
Together these commands cover the common log analysis scenarios: targeted keyword and Event ID searches, and rule-driven hunting with either Chainsaw's own rule set or Sigma rules.
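To make concrete what the two search commands above actually match, here is an added Python example (not part of this post and not code from the Chainsaw project) that re-implements a simplified version of both search modes over a handful of constructed events: a keyword search with and without the case-insensitive -i behaviour, as with search mimikatz -i, and a field filter in the style of -t "Event.System.EventID: =4104". The nested Event.System / Event.EventData record layout, the sample events, and the supported operator subset (=, <, >, <=, >=, plus an i prefix for case-insensitive string comparison) are assumptions made for the example; Chainsaw's real filter language is richer than this.

```python
"""Simplified re-implementation of the two Chainsaw search modes shown above.
Illustrative code only, not Chainsaw's source. The event records are constructed
and follow an assumed Event.System / Event.EventData layout."""
import re

# Constructed sample events (assumed layout); not real log data.
EVENTS = [
    {"Event": {"System": {"EventID": 4104, "Computer": "WS01"},
               "EventData": {"ScriptBlockText": "Import-Module .\\Invoke-Mimikatz.ps1"}}},
    {"Event": {"System": {"EventID": 4688, "Computer": "WS01"},
               "EventData": {"CommandLine": "C:\\Windows\\System32\\notepad.exe"}}},
    {"Event": {"System": {"EventID": 4104, "Computer": "WS02"},
               "EventData": {"ScriptBlockText": "Get-Process | Out-File proc.txt"}}},
    {"Event": {"System": {"EventID": 1, "Computer": "WS03"},
               "EventData": {"CommandLine": "mimikatz.exe"}}},
]


def flatten(obj, prefix=""):
    """Yield (dotted.path, value) pairs for a nested dict, e.g.
    ("Event.System.EventID", 4104)."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def term_search(events, term, ignore_case=False):
    """Equivalent of `chainsaw search <term> [-i]`: keep every event in which the
    term occurs anywhere in any field value."""
    needle = term.lower() if ignore_case else term
    hits = []
    for event in events:
        for _, value in flatten(event):
            haystack = str(value).lower() if ignore_case else str(value)
            if needle in haystack:
                hits.append(event)
                break
    return hits


# "<Field.Path>: [i]<op><value>" -- a subset of the syntax used with `-t`.
_FILTER = re.compile(r"^\s*([\w.]+)\s*:\s*(i(?=[=<>]))?(=|>=|<=|>|<)?\s*(.+?)\s*$")


def _compare(actual, op, wanted, case_insensitive):
    """Numeric comparison when both sides parse as numbers, else string comparison."""
    try:
        left, right = float(actual), float(wanted)
    except (TypeError, ValueError):
        left, right = str(actual), str(wanted)
        if case_insensitive:
            left, right = left.lower(), right.lower()
    return {"=": left == right, ">": left > right, "<": left < right,
            ">=": left >= right, "<=": left <= right}[op]


def field_filter(events, expression):
    """Equivalent of `chainsaw search -t "<expression>"`: keep events whose named
    field satisfies the comparison. Events lacking the field never match."""
    match = _FILTER.match(expression)
    if not match:
        raise ValueError(f"unsupported filter expression: {expression!r}")
    field, ci_flag, op, wanted = match.groups()
    op = op or "="
    hits = []
    for event in events:
        fields = dict(flatten(event))
        if field in fields and _compare(fields[field], op, wanted, bool(ci_flag)):
            hits.append(event)
    return hits


if __name__ == "__main__":
    # Mirrors: chainsaw.exe search mimikatz -i {Logs Path}
    for event in term_search(EVENTS, "mimikatz", ignore_case=True):
        print("keyword hit:", dict(flatten(event)))
    # Mirrors: chainsaw.exe search -t "Event.System.EventID: =4104" {Log Path}
    for event in field_filter(EVENTS, "Event.System.EventID: =4104"):
        print("EventID 4104:", dict(flatten(event)))
```

Running the script shows why -i matters in practice: the case-sensitive keyword search only returns the lowercase "mimikatz.exe" event, while the case-insensitive form also catches "Invoke-Mimikatz.ps1"; the field filter returns exactly the two Event ID 4104 records regardless of what text they contain.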
Akash Patel