Comments (3)
This is the command I'm running:
./chainsaw_x86_64-pc-windows-msvc.exe hunt -s sigma/ --mapping mappings/sigma-mft-logs-all.yml C:/Windows/System32/winevt/Logs --from 2023-11-18T17:00:00 --to 2023-11-19T01:45:00 --full
This is the output I'm getting in return:
[+] Loading detection rules from: sigma/
[!] Loaded 3040 detection rules (339 not loaded)
[x] Provided mapping file is invalid - groups[0]: missing field filter
at line 8 column 5
I looked into the yml file and I see that there's a comment hinting at the possibility that this is a known issue. I don't necessarily get it? Line 8 column 5 is just after the comment "## TODO: Flesh this out... but sigma does not seem geared for this?"
Hey @gr3y56, which issue are you referring to? Are you able to explain what is not working? If so, then I should be able to assist.
Right, okay, so I never did the initial MFT work, but from looking over it, the reason the mapping file is empty is that there is no easy way to map the Sigma rules onto an MFT. They all appear to be very event-log-centric. I think what I will do is remove that mapping file, as it just causes confusion. That being said, you can still dump or search an MFT with the following commands, or rules could be written to hunt MFTs.
chainsaw dump ~/Downloads/mft.bin
# or
chainsaw search -t 'FullPath: *Teams.exe' ~/Downloads/mft.bin
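The loader error in the thread ("groups[0]: missing field filter") is a structural problem with the mapping file, not with the event logs or the Sigma rules, and it only surfaces after all 3000-odd rules have been loaded. A cheap pre-flight check avoids that round trip. The following is an added example, not code from the chainsaw project: it validates the shape of a mapping before a hunt is started and reports problems in the same `groups[N]: missing field X` form the thread shows. The set of required keys (`name`, `kind`, `rules` at the top level; `name`, `timestamp`, `filter`, `fields` per group) is an assumption drawn from the error message and from the shape of the stock event-log mappings, so compare it against the mapping files shipped with your chainsaw release. Both sample mappings below are constructed for the example; in practice, a hunt over `winevt/Logs` should use the event-log mapping (`mappings/sigma-event-logs-all.yml`) rather than the MFT one.

```python
"""Pre-flight check for a Chainsaw mapping file (added example, not project code).

The required keys are an ASSUMPTION based on the thread's error message and on
the structure of chainsaw's stock evtx mapping; verify against your release.
"""
from typing import Any

try:
    import yaml  # PyYAML; optional, only needed for validate_mapping_text()
except ImportError:  # pragma: no cover
    yaml = None

REQUIRED_TOP = ("name", "kind", "rules", "groups")          # assumed schema
REQUIRED_GROUP = ("name", "timestamp", "filter", "fields")  # assumed schema


def validate_mapping(mapping: Any) -> list[str]:
    """Return a list of problems; an empty list means the mapping looks usable."""
    problems: list[str] = []
    if not isinstance(mapping, dict):
        return ["mapping: expected a YAML mapping at the top level"]
    for key in REQUIRED_TOP:
        if key not in mapping:
            problems.append(f"mapping: missing field {key}")
    groups = mapping.get("groups")
    if groups is None:
        return problems
    if not isinstance(groups, list) or not groups:
        problems.append("groups: expected a non-empty list")
        return problems
    for i, group in enumerate(groups):
        if not isinstance(group, dict):
            problems.append(f"groups[{i}]: expected a mapping")
            continue
        # Same wording as the loader error in the thread, so the output is
        # recognisable when the real hunt would have failed.
        for key in REQUIRED_GROUP:
            if key not in group:
                problems.append(f"groups[{i}]: missing field {key}")
        if "fields" in group and not isinstance(group["fields"], list):
            problems.append(f"groups[{i}].fields: expected a list")
    return problems


def validate_mapping_text(text: str) -> list[str]:
    """Parse YAML text (e.g. the contents of mappings/*.yml) and validate it."""
    if yaml is None:
        raise RuntimeError("PyYAML is not installed; pass a parsed dict to validate_mapping()")
    return validate_mapping(yaml.safe_load(text))


# Constructed stand-in for the empty MFT mapping from the thread: a group with
# only a name and a timestamp, and no filter or fields.
BROKEN_MFT_MAPPING = {
    "name": "Sigma mappings for MFT (constructed)",
    "kind": "mft",
    "rules": "sigma",
    "groups": [
        {
            "name": "Sigma",
            "timestamp": "FileNameLastModified",
        }
    ],
}

# Constructed minimal event-log mapping in the same shape, carrying a filter
# and one field translation, which is enough for the check to pass.
MINIMAL_EVTX_MAPPING = {
    "name": "Minimal evtx mapping (constructed)",
    "kind": "evtx",
    "rules": "sigma",
    "groups": [
        {
            "name": "Sigma",
            "timestamp": "Event.System.TimeCreated",
            "filter": {"Provider": "*"},
            "fields": [{"from": "EventID", "to": "Event.System.EventID"}],
        }
    ],
}

if __name__ == "__main__":
    for label, m in (("mft", BROKEN_MFT_MAPPING), ("evtx", MINIMAL_EVTX_MAPPING)):
        issues = validate_mapping(m)
        print(label, "OK" if not issues else "; ".join(issues))
```

Run it against the mapping you intend to pass to `--mapping` before a long `hunt`; the broken MFT stand-in reports `groups[0]: missing field filter` (and `fields`), while the event-log shape passes.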