Good morning, good evening, and good afternoon to those at DevCon. I am Danny Henderson. I go by Bandito or BanditZero. I am part of the forensics team, and we're going to learn how to use Chainsaw to identify malicious activity. Now, what is Chainsaw, you ask? Well, we're going to go over that. The slides are going to be quick because we're going to get right into the action, but to give an overview of Chainsaw: it is an incident response tool that you can use to quickly gather data from the Windows event logs. It is a command-line tool that uses Sigma rule detection logic. You can either search by keyword, regex, or specific event IDs, or you can hunt using its built-in tools or Sigma rules. The useful thing about it is that you can export the data to text files or CSVs to put in a spreadsheet if you want to carve more information out. So let's get right to it.

Sigma rules. Now, this is a generic signature format for SIEMs that is, like I said, targeted at Windows events. So it is to event logs as YARA is to malware. And we have an example here from Intezer, in fact, of how you would generally set up a Sigma rule. Now, without further ado, let's let it rip.

So the first thing we want to do is just pull up Chainsaw itself. You get the nice view of the console with the instructions of how to use it. So let's take a look at the help. Same thing with the version, which is already on the screen, but there we go. And we want to go through each part. There are two things that we're going to use throughout the event. So let me clear this log right quick. Search is going to be our first one. Search and hunt are the ones that we use the most. Now, searching, as I mentioned in the first slide, is where you can search through the event IDs or keywords, or even use regex.
The hunt is where things are a little more automated. So let's go through the search first. We want to look into the search help. So we're doing this step by step. Now, the flags here: you can make the search case-insensitive. Now, this is only usable for string search, because I've attempted this with regex and that's not going to work. Now we can use a flag for either events, regex, or strings, and we may want to make an output of it. So let's begin on that.

Now, for the Obsidian event, we have kill chains one and three. We're going to start with kill chain three for the search aspects. So we've got a host that was part of the compromise. We're going to use that for the example of how regex can help you identify what's going on. So what we're going to do here, we're going to use event ID 4104, which is associated with PowerShell. Let it rip. So let's scroll up for just a bit. Let's scroll up as much as we can, because things happen very fast. And it may actually be better if we just used more. Let's let it go slowly. Now note it searched through 311 logs, and this is part of the output that it found. You have different attributes such as the event data, the paths, and what that text is. And this is a big chunk, so we broke this.

Next, we're going to do the strings. So there's two things that we could do for the strings. We're going to remove the insensitive flag, we're not going to use that one; we will instead just use it as is. You will find in this example that this actually did work. So in this case, you see signs of Kerberoasting. Only one event was found, which is part of the Windows event logs, and this is pulled from the PowerShell operational log 123. So we found that aspect. Now, we're going to do something different: we're going to do a regex. Now this, as I mentioned before, is also able to do regex.
So this time we're going to do another device, which was the domain controller. What was that? Not a reason why. Yeah, give me one moment. Oops, that's why. Now, here we do have this going fast. So first we're going to do two things: we're going to use more, just to go through it slowly. We can see the PsExec service, or the PSEXESVC service, the created keys, Sysmon. We have a service here from Sysmon. Now let's do this, to show you another way of seeing how much we grabbed. So most of this has been part of the service. Oh, and here we actually have PsExec with one of the keys. So that's another example of what we have of a different one. So the regex was used to find the service as well as PsExec, which we found with the RDP key associated. And now we want to save it to an output. So, there we go. On one hand, we do have it as an output on here. On the other hand, it doesn't look the greatest. But hey, you do have a way of putting it on here. And even more. Let's take a look at the downloads.

Okay, now on to the next part. We're going to move on to the other capability of Chainsaw. This is the other aspect, called the hunt. With this we can use the built-in tools of hunt. So we're going to, actually, do some cleanup here. Cleanup done. First we're going to take a look at the help. Now there are various flags. So we can save it as the individual CSV files. We can ask it to not use the built-in tools, or go full, which can be useful for PowerShell because some of it is going to be truncated. We can also leverage lateral-all. Let's do this one first. We're going to check on one of the workstations. This one's going to be with the built-in tools. So we're going to do a hunt. We didn't add anything new to it, but we do have a nice output out of this. Now we also see that it takes everything out. So here we at least have some activity from the built-in logic, such as the security audit log being cleared at 035.
We also have users added to the local group. We have indications of brute forcing. Now let's actually go to workstation two. Then we're going to add lateral-all to see if there are indications of lateral movement. Now here you have potential activity related to lateral movement, such as the user added into the local group, as well as the system log being cleared and the 4624 successful connections. We have a lot of connections onto workstation two, whereas on others you see a system associated with it.

Now what we want to do next is use the Sigma rules. This one's handled differently: in order to use the Sigma rules you have to add multiple flags to it, so we're going to put rules, Sigma rules, and then mapping. Let's use more just to not have it take everything at once, so it doesn't all scroll off the screen. Now this one is going through 835 detection rules over the 311 event logs; of those detection rules we see 90 of them were not loaded. So here we see activity that was not associated with the built-in logic, so PowerShell indications. Now, when I mentioned full, this part here is where it says to use the full flag to show all content. So we're going to do that on the next go. Come off here. And this time we're going to go through this fully, and scroll up and see the other events that happen at once. It'd be easier that way. So we're letting Chainsaw rip through once more. The nice thing about this is that it can go through the logs very quickly. Now we see indications of the user being added, and as I mentioned before, more suspicious activity. Now sometimes these may be noise itself, the suspicious file creation. These may be more noise, but what this allows you to do is it gives you an opportunity to analyze it. So despite the automation behind it, you still have to have the analyst behind it to decipher what's going on.
As I mentioned earlier, we're going to add the CSV flag. Now you see that here it created multiple CSV files, one set off of the external rules and then also the built-in logic. So it separates them. So let's open this back up and take a look at the CSV itself. Let's open up this folder, and we're going to open up the external rule here. So it'll use the system time of the activity, as well as the event ID associated, the detection rules, and the data. And let's take a look at the suspicious file loading. So you see indications of suspicious modules that are worth investigating to rule out whether this was malicious or not. But the thing about the tool is that it gives you a faster way to analyze the data; treat it as a collector, a triage collector. That's the important thing about this. And we're just going to open it with pluma just to see the actual CSV itself, and that is actually the way of Chainsaw.

Now, if you want to use Chainsaw for your own investigations, you can grab it at GitHub. Just remember on the installation side to tag the submodules to recurse, because if you don't, you will not have access to the attack samples or the Sigma rules to work with. I'll leave you all with one final note. This has been a great tool, which has helped us with the investigation for the Obsidian project. We recommend, and I personally recommend, everyone having this in their library when they're doing their own incident investigation. Thank you for the questions. I will see you all later.
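The Sigma-rule matching that hunt mode automates, shown as an added example that is not code from the talk or from the Chainsaw project: a small Python evaluator for a subset of Sigma's detection grammar (a selection map whose keys may carry `contains`, `startswith`, `endswith` or `re` modifiers, list values meaning OR, and conditions of the form `selection` or `selection and not filter`), run over constructed event records. The three rules, the flattened field names (`TimeCreated`, `EventID`, `ScriptBlockText`, `SubjectUserName`) and every sample event are constructed for the illustration and are assumptions; event IDs 1102 (audit log cleared), 4104 (PowerShell script block) and 4732 (member added to a local security group) are the standard Windows ones.

```python
"""Minimal Sigma-style rule evaluation over Windows event records.

Added illustration, not Chainsaw's code. Supports a subset of Sigma:
selection maps with |contains, |startswith, |endswith and |re modifiers,
list values as OR, and conditions "selection" / "selection and not filter".
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed rules in the dict layout a Sigma YAML file loads into.
RULES = [
    {
        "title": "PowerShell script block referencing Kerberoasting tooling",
        "logsource": {"product": "windows", "service": "powershell"},
        "detection": {
            "selection": {"EventID": 4104,
                          "ScriptBlockText|contains": ["Kerberoast", "Invoke-Kerberoast"]},
            "condition": "selection",
        },
        "level": "high",
    },
    {
        "title": "Security audit log cleared",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {"selection": {"EventID": 1102}, "condition": "selection"},
        "level": "high",
    },
    {
        "title": "Member added to local security group",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4732},
            # Machine accounts (names ending in $) are routine noise for this event.
            "filter": {"SubjectUserName|endswith": "$"},
            "condition": "selection and not filter",
        },
        "level": "medium",
    },
]

# Constructed events: flattened EVTX records using the (assumed) field names above.
EVENTS = [
    {"TimeCreated": "2023-03-01T03:05:00Z", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"TimeCreated": "2023-03-01T03:06:10Z", "EventID": 4104,
     "ScriptBlockText": "Import-Module .\\tools.ps1; Invoke-Kerberoast"},
    {"TimeCreated": "2023-03-01T03:07:00Z", "EventID": 4732, "SubjectUserName": "jdoe"},
    {"TimeCreated": "2023-03-01T03:08:00Z", "EventID": 4732, "SubjectUserName": "WS02$"},
    {"TimeCreated": "2023-03-01T03:09:00Z", "EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
]


def _match_value(actual, modifier: str | None, expected) -> bool:
    """Compare one event field with one expected value under a Sigma modifier."""
    if actual is None:
        return False
    a, e = str(actual), str(expected)
    if modifier == "re":
        return re.search(e, a) is not None
    a, e = a.lower(), e.lower()  # Sigma string matching is case-insensitive
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event: dict, selection: dict) -> bool:
    """Every key must match (AND); a list of values for one key is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier or None, v) for v in values):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition; only the two supported shapes are accepted."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"].strip())
    if m is None:
        raise ValueError(f"unsupported condition: {det['condition']}")
    hit = _match_selection(event, det[m.group(1)])
    if hit and m.group(2):
        hit = not _match_selection(event, det[m.group(2)])
    return hit


def hunt(events: list[dict], rules: list[dict] = RULES) -> list[dict]:
    """One detection record per (event, rule) pair that fires, in time order."""
    detections = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        for rule in rules:
            if rule_matches(rule, ev):
                detections.append({"timestamp": ev["TimeCreated"], "EventID": ev["EventID"],
                                   "rule": rule["title"], "level": rule["level"]})
    return detections


def summarize(detections: list[dict]) -> dict[str, int]:
    """Hits per rule title, the first figure an analyst triages."""
    return dict(Counter(d["rule"] for d in detections))


if __name__ == "__main__":
    hits = hunt(EVENTS)
    for d in hits:
        print(f"{d['timestamp']}  {d['EventID']}  [{d['level']}]  {d['rule']}")
    print(summarize(hits))
```

Run as a script it prints three detections: the cleared audit log, the Kerberoasting keyword in a 4104 script block, and the 4732 group change by `jdoe`; the 4732 event from the machine account `WS02$` is suppressed by the rule's filter, and the harmless script block matches nothing. The mapping file the talk mentions plays the role of the hard-coded field names here: it tells Chainsaw which EVTX fields a Sigma rule's `EventID` or `ScriptBlockText` refer to, which is why the Sigma-rules and mapping options have to be given together.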