mirror of
https://github.com/socfortress/Wazuh-Rules.git
synced 2025-10-23 08:12:16 +00:00
Update chainsaw.ps1
This commit is contained in:
taylor_socfortress
committed by
GitHub
GitHub
parent
6d154097da
commit
4f6aba5139
@@ -1,37 +1,83 @@
|
||||
################################
|
||||
### Script to execute F-Secure/Chainsaw - Identify Malicious activitie recorded in WinEvtLogs using Sigma Rules
|
||||
### Script to execute F-Secure/Chainsaw - Identify Malicious activity recorded in WinEvtLogs using Sigma Rules
|
||||
################################
|
||||
|
||||
##########
|
||||
# Chainsaw will be run against all event logs found in the default location
|
||||
# Output converted to JSON and appended to active-responses.log
|
||||
##########
|
||||
|
||||
##########
|
||||
# Chainsaw Version: v2.0-alpha
|
||||
##########
|
||||
|
||||
$ErrorActionPreference = "SilentlyContinue"
|
||||
#Create Chainsaw Output Folder if doesn't exist
|
||||
|
||||
# Clone or pull Sigma repo
|
||||
$repo_path = "C:\Program Files\socfortress\chainsaw\sigma"
|
||||
if (!(test-path $repo_path)) {
|
||||
New-Item -ItemType Directory -Force -Path $repo_path
|
||||
$env:PATH += ";C:\Program Files\Git\bin"
|
||||
git clone https://github.com/SigmaHQ/sigma.git $repo_path
|
||||
} else {
|
||||
$env:PATH += ";C:\Program Files\Git\bin"
|
||||
git -C $repo_path pull
|
||||
}
|
||||
|
||||
# Analyse events recorded in last 1 Minutes. Convert Start Date to Timestamp
|
||||
$start_date = (Get-Date).AddMinutes(-1)
|
||||
$from = Get-Date -Date $start_date -UFormat '+%Y-%m-%dT%H:%M:%S'
|
||||
|
||||
# Create Chainsaw Output Folder if it doesn't exist
|
||||
$chainsaw_output = "$env:TMP\chainsaw_output"
|
||||
If(!(test-path $chainsaw_output))
|
||||
{
|
||||
New-Item -ItemType Directory -Force -Path $chainsaw_output
|
||||
If(!(test-path $chainsaw_output)) {
|
||||
New-Item -ItemType Directory -Force -Path $chainsaw_output
|
||||
}
|
||||
#Analyse events recorded in last 24 Hours. Convert Start Date to Timestamp
|
||||
$start_date=(Get-Date).AddHours(-24)
|
||||
$from=Get-Date -Date $start_date -UFormat '+%Y-%m-%dT%H:%M:%S'
|
||||
# RUN CHAINSAW AND STORE CSVs in TMP folder
|
||||
c:\"Program Files"\socfortress\chainsaw\chainsaw.exe hunt c:\"Program Files"\socfortress\chainsaw\sigma-rules --mapping 'C:\Program Files\socfortress\chainsaw\mappings\sigma-event-logs.yml' --from $from C:\Windows\System32\winevt --output $env:TMP\chainsaw_output --csv
|
||||
Get-ChildItem $env:TMP\chainsaw_output -Filter *.csv |
|
||||
Foreach-Object {
|
||||
$count = 0
|
||||
$Chainsaw_Array = Get-Content $_.FullName | ConvertFrom-Csv
|
||||
Foreach ($item in $Chainsaw_Array) {
|
||||
echo $item | ConvertTo-Json -Compress | Out-File -width 5000 C:\"Program Files (x86)"\ossec-agent\active-response\active-responses.log -Append -Encoding ascii
|
||||
# Sleep 1 seconds every 5 runs - Avoid Queue Flooding.
|
||||
if(++$count % 5 -eq 0)
|
||||
{
|
||||
Start-Sleep -Seconds 1
|
||||
}
|
||||
}
|
||||
|
||||
# Windows Sigma Path
|
||||
$windows_path = "C:\Program Files\socfortress\chainsaw\sigma\rules\windows"
|
||||
|
||||
# Run Chainsaw and store JSONs in TMP folder
|
||||
& 'C:\Program Files\socfortress\chainsaw\chainsaw.exe' hunt C:\Windows\System32\winevt -s $windows_path --mapping 'C:\Program Files\socfortress\chainsaw\mappings\sigma-event-logs-all.yml' --from $from --output $env:TMP\chainsaw_output\results.json --json --level high
|
||||
|
||||
# Convert JSON to new line entry for every 'group'
|
||||
function Convert-JsonToNewLine($json) {
|
||||
foreach($document in $json) {
|
||||
$document.document | ConvertTo-Json -Compress -Depth 99 | foreach-object {
|
||||
[pscustomobject]@{
|
||||
group = $document.group
|
||||
kind = $document.kind
|
||||
document = $_
|
||||
name = $document.name
|
||||
timestamp = $document.timestamp
|
||||
authors = $document.authors
|
||||
level = $document.level
|
||||
source = $document.source
|
||||
status = $document.status
|
||||
falsepositives = $document.falsepositives
|
||||
id = $document.id
|
||||
logsource = $document.logsource
|
||||
references = $document.references
|
||||
tags = $document.tags
|
||||
} | ConvertTo-Json -Compress
|
||||
}
|
||||
}
|
||||
}
|
||||
#Remove TMP CSV Folder
|
||||
|
||||
# Convert JSONs to new line entry and append to active-responses.log
|
||||
Get-ChildItem $env:TMP\chainsaw_output -Filter *.json | Foreach-Object {
|
||||
$Chainsaw_Array = Get-Content $_.FullName | ConvertFrom-Json
|
||||
Convert-JsonToNewLine $Chainsaw_Array | Out-File -Append -Encoding ascii 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'
|
||||
}
|
||||
|
||||
# Remove TMP JSON Folder
|
||||
rm -r $chainsaw_output
|
||||
|
||||
# Output status if Sigma rules were updated
|
||||
if ($LASTEXITCODE -eq 0) {
|
||||
$status_payload = @{
|
||||
group = 'sigma'
|
||||
sigma_rules = 'updated'
|
||||
} | ConvertTo-Json
|
||||
Write-Output $status_payload
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user