fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Chainsaw Tool Helps IR Teams Analyze Windows Event Logs

New Chainsaw Tool Helps IR Teams Analyze Windows Event Logs

Incident responders and blue teams have a new tool called Chainsaw that speeds up searching through Windows event log records to identify threats.

The tool is designed to assist in the first-response stage of a security engagement and can also help blue teams triage entries relevant for the investigation.

Built for incident responders

Windows event logs are a ledger of the system’s activities, comprising details about applications and user logins. Forensic investigators rely on these records, sometimes as the main source of evidence, to create a timeline of events of interest.

The difficulty with checking these records is that there’s a lot of them, especially on systems with a high logging level; sifting through for relevant information can and can be a time-consuming task.

Authored by James D, lead threat hunter at F-Secure’s Countercept division, Chainsaw is a Rust-based command-line utility that can go through event logs to highlight suspicious entries or strings that may indicate a threat.

The tool uses the Sigma rule detection logic to quickly find event logs relevant to the investigation.

“Chainsaw also contains built-in logic for detection use-cases that are not suitable for Sigma rules, and provides a simple interface to search through event logs by keyword, regex pattern, or for specific event IDs.”

F-Secure says that Chainsaw is specifically tailored for quick analysis of event logs in environments where a detection and response solution (EDR) was not present at the time of compromise.

In such cases, threat hunters and incident responders can use Chainsaw’s search features to extract from Windows logs information pertinent to malicious activity.

Also Read: What Is Data Sovereignty and How It Applies To Your Business

Users can use the tool to do the following:

  • Search through event logs by event ID, keyword, and regex patterns
  • Extract and parse Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  • Detect key event logs being cleared or the event log service being stopped
  • Detect users being created or added to sensitive user groups
  • Brute-force of local user accounts
  • RDP logins, network logins etc.
Chainsaw hunting and searching for relevant info in Windows event logs
Chainsaw hunting for suspicious events and searching for mimikatz activity

Apart from this, Sigma rule detection works for numerous Windows event IDs that include the following:

Event TypeEvent ID
Process Creation (Sysmon)1
Network Connections (Sysmon)3
Image Loads (Sysmon)7
File Creation (Sysmon)11
Registry Events (Sysmon)13
Powershell Script Blocks4104
Process Creation4688
Scheduled Task Creation4698
Service Creation7045

Also Read: What a Vulnerability Assessment Shows and How It Can Save You Money

Available as an open-source tool, Chainsaw uses the EVTX parser library and the detection logic matching provided by F-Secure Countercept’s TAU Engine library. It can output the results in ASCII table, CSV, or JSON.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us