├── .github ├── CODEOWNERS └── workflows │ ├── v1.yml │ └── v2.yml ├── .gitignore ├── .gitmodules ├── Cargo.lock ├── Cargo.toml ├── LICENCE ├── README.md ├── analysis └── shimcache_patterns.txt ├── flake.lock ├── flake.nix ├── images └── chainsaw.png ├── mappings ├── sigma-event-logs-all.yml └── sigma-event-logs-legacy.yml ├── rules ├── evtx │ ├── account_tampering │ │ ├── new_user_created.yml │ │ ├── user_added_to_global_group.yml │ │ ├── user_added_to_local_group.yml │ │ └── user_added_to_universal_group.yml │ ├── antivirus │ │ ├── f-secure.yml │ │ ├── f-secure_legacy.yml │ │ ├── kaspersky.yml │ │ ├── mcafee.yml │ │ ├── sophos.yml │ │ ├── symantec.yml │ │ ├── windows_defender.yml │ │ └── windows_security_essentials.yml │ ├── applocker │ │ ├── eid_8002_applocker_lolbins_allowed_to_run.yml │ │ ├── eid_8002_applocker_reconnaissance_allowed.yml │ │ ├── eid_8002_lolbin_lateral_mouvement.yml │ │ ├── eid_8002_privilege_escalation.yml │ │ ├── eid_8004_applocker_exe-dll_blocked.yml │ │ └── eid_8007_applocker_msi-script_blocked.yml │ ├── credential_access │ │ ├── kerberoasting_administrator.yml │ │ └── weak_kerberos_ticket.yml │ ├── defense_evasion │ │ ├── T1562.001 - Sysmon Service set to Manual.yml │ │ └── T1562.001 - Sysmon Service was Disabled.yml │ ├── indicator_removal │ │ └── T1070.009 - Scheduled Task was Deleted.yml │ ├── lateral_movement │ │ ├── T1021.004 - Lateral Movement via SSH.yml │ │ ├── batch_logon.yml │ │ ├── interactive_logon.yml │ │ ├── network_logon.yml │ │ ├── rdp_logon.yml │ │ ├── service_logon.yml │ │ └── unlock_logon.yml │ ├── log_tampering │ │ ├── security_audit_log_was_cleared.yml │ │ └── system_log_was_cleared.yml │ ├── login_attacks │ │ └── account_brute_force.yml │ ├── microsoft_rasvpn_events │ │ ├── eid_20220_20227_rasvpn_client_connection_error.yml │ │ ├── eid_20221_to_20225_rasvpn_client_connection_establishment.yml │ │ ├── eid_20226_rasvpn_client_connection_termination.yml │ │ ├── eid_20250_20274_rasvpn_server_logon.yml │ │ ├── eid_20253_20255_connection_error.yml │ │ ├── eid_20271_rasvpn_server_authentication_error.yml │ │ └── eid_20272_20275_rasvpn_server_logoff.yml │ ├── microsoft_rds_events │ │ ├── rd_connection_broker │ │ │ ├── eid_1307_rdcb_successful_client_redirection.yml │ │ │ ├── eid_800_rdcb_connection_request_received.yml │ │ │ └── eid_801_rdcb_connection_request_successfully_processed.yml │ │ ├── rd_gateway │ │ │ ├── eid_200_rdgw_rd_cap_requirements_met.yml │ │ │ ├── eid_300_rdgw_rd_rap_requirements_met.yml │ │ │ ├── eid_302_rdgw_user_connected_to_resource.yml │ │ │ └── eid_303_rdgw_user_disconnected_from_resource.yml │ │ ├── rd_web_access │ │ │ └── eid_4624_rdwa_logon.yml │ │ └── user_profile_disk │ │ │ └── eid_5_user_profile_service_registry_file_loaded.yml │ ├── persistence │ │ ├── T1053.005 - Scheduled Task was Created.yml │ │ └── T1547.004 - Winlogon System Shell Changed.yml │ ├── powershell │ │ ├── eid_400_powershell_engine_state_available.yml │ │ ├── eid_403_powershell_engine_state_stopped.yml │ │ └── eid_4104_powershell_script_executed.yml │ ├── rdp_attacks │ │ ├── eid_21_rdp_session_logon_succeeded.yml │ │ ├── eid_22_file_explorer_shell_appeared_in_rdp_session.yml │ │ ├── eid_23_rdp_session_logoff.yml │ │ ├── eid_39_rdp_session_disconnected.yml │ │ ├── event_id_1149.yaml │ │ ├── event_id_24.yaml │ │ ├── event_id_25.yaml │ │ └── event_id_4624_logontype_10.yaml │ ├── service_installation │ │ ├── credential_dumping_tools.yml │ │ ├── csexec.yml │ │ ├── krbrelayup.yml │ │ ├── meterpreter_cobalt_strike_getsystem.yml │ │ ├── powershell.yml │ │ ├── processhacker.yml │ │ ├── remote_access_tools.yml │ │ ├── smbexec.yml │ │ ├── suspicious_commands.yml │ │ ├── suspicious_paths.yml │ │ ├── sysinternals_psexec.yml │ │ └── tap0901.yml │ └── service_tampering │ │ ├── event_log.yml │ │ ├── mssql_sus_behavior.yml │ │ ├── remote_registry_usage.yml │ │ └── xp_cmdshell_enabled.yml └── mft │ ├── adamntds_dit_mft.yml │ ├── advanced_ip_scanner_mft.yml │ ├── advanced_port_scanner_mft.yml │ ├── angry_ip_scanner_mft.yml │ ├── anydesk_mft.yml │ ├── browserscan_mft.yml │ ├── filezilla_mft.yml │ ├── lsass_dmp_mft.yml │ ├── megasync_mft.yml │ ├── mimikatz_mft.yml │ ├── netscan_mft.yml │ ├── nirsoft_mft.yml │ ├── ntds_dit_mft.yml │ ├── processhacker_mft.yml │ ├── psexec_mft.yml │ ├── pstools_mft.yml │ ├── rclone_mft.yml │ ├── rubeus_mft.yml │ ├── shadow_dumper_mft.yml │ ├── sup_script_exec_intel_mft.yml │ ├── sup_script_exec_perflogs_mft.yml │ ├── sup_script_exec_program_files_root_mft.yml │ ├── sup_script_exec_programdata_mft.yml │ ├── sup_script_exec_public_mft.yml │ ├── sup_script_exec_recyclebin_mft.yml │ ├── sup_script_exec_recyclebin_nonstand_mft.yml │ ├── sup_script_exec_root_mft.yml │ ├── sup_script_exec_root_nonstand_fold_mft.yml │ ├── sup_script_exec_root_temp_mft.yml │ ├── sup_script_exec_rtlo_mft.yml │ ├── sup_script_exec_user_desktop_mft.yml │ ├── sup_script_exec_user_downloads_mft.yml │ ├── sup_script_exec_user_mft.yml │ ├── sup_script_exec_windows_root_mft.yml │ ├── sup_script_exec_windows_temp_mft.yml │ ├── systeminformer_mft.yml │ ├── winscp_mft.yml │ └── xenallpasswordpro_mft.yml ├── src ├── analyse │ ├── mod.rs │ ├── shimcache.rs │ └── srum.rs ├── cli.rs ├── ext │ ├── mod.rs │ └── tau.rs ├── file │ ├── esedb │ │ ├── mod.rs │ │ └── srum.rs │ ├── evtx.rs │ ├── hve │ │ ├── amcache.rs │ │ ├── mod.rs │ │ ├── shimcache.rs │ │ └── srum.rs │ ├── json.rs │ ├── mft.rs │ ├── mod.rs │ └── xml.rs ├── hunt.rs ├── lib.rs ├── main.rs ├── rule │ ├── chainsaw.rs │ ├── mod.rs │ └── sigma.rs ├── search.rs ├── value.rs └── write.rs └── tests ├── clo.rs ├── common.rs ├── convert.rs ├── convert ├── sigma_collection.yml ├── sigma_collection_output.yml ├── sigma_simple.yml └── sigma_simple_output.yml ├── evtx ├── clo_hunt_r_any_logon.txt ├── clo_search_q_jsonl_simple_string.txt ├── clo_search_q_simple_string.txt ├── clo_search_qj_simple_string.txt ├── rule-any-logon.yml └── security_sample.evtx └── srum ├── SOFTWARE ├── SRUDB.dat ├── analysis_srum_database_json.txt └── analysis_srum_database_table_details.txt /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Set default reviewers 2 | * @alexkornitzer 3 | -------------------------------------------------------------------------------- /.github/workflows/v1.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/.github/workflows/v1.yml -------------------------------------------------------------------------------- /.github/workflows/v2.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/.github/workflows/v2.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/.gitignore -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/.gitmodules -------------------------------------------------------------------------------- /Cargo.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/Cargo.lock -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/Cargo.toml -------------------------------------------------------------------------------- /LICENCE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/LICENCE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/README.md -------------------------------------------------------------------------------- /analysis/shimcache_patterns.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/analysis/shimcache_patterns.txt -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/flake.lock -------------------------------------------------------------------------------- /flake.nix: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/flake.nix -------------------------------------------------------------------------------- /images/chainsaw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/images/chainsaw.png -------------------------------------------------------------------------------- /mappings/sigma-event-logs-all.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/mappings/sigma-event-logs-all.yml -------------------------------------------------------------------------------- /mappings/sigma-event-logs-legacy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/mappings/sigma-event-logs-legacy.yml -------------------------------------------------------------------------------- /rules/evtx/account_tampering/new_user_created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/account_tampering/new_user_created.yml -------------------------------------------------------------------------------- /rules/evtx/account_tampering/user_added_to_global_group.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/account_tampering/user_added_to_global_group.yml -------------------------------------------------------------------------------- /rules/evtx/account_tampering/user_added_to_local_group.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/account_tampering/user_added_to_local_group.yml -------------------------------------------------------------------------------- /rules/evtx/account_tampering/user_added_to_universal_group.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/account_tampering/user_added_to_universal_group.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/f-secure.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/f-secure.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/f-secure_legacy.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/f-secure_legacy.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/kaspersky.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/kaspersky.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/mcafee.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/mcafee.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/sophos.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/sophos.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/symantec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/symantec.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/windows_defender.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/windows_defender.yml -------------------------------------------------------------------------------- /rules/evtx/antivirus/windows_security_essentials.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/antivirus/windows_security_essentials.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8002_applocker_lolbins_allowed_to_run.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8002_applocker_lolbins_allowed_to_run.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8002_applocker_reconnaissance_allowed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8002_applocker_reconnaissance_allowed.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8002_lolbin_lateral_mouvement.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8002_lolbin_lateral_mouvement.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8002_privilege_escalation.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8002_privilege_escalation.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8004_applocker_exe-dll_blocked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8004_applocker_exe-dll_blocked.yml -------------------------------------------------------------------------------- /rules/evtx/applocker/eid_8007_applocker_msi-script_blocked.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/applocker/eid_8007_applocker_msi-script_blocked.yml -------------------------------------------------------------------------------- /rules/evtx/credential_access/kerberoasting_administrator.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/credential_access/kerberoasting_administrator.yml -------------------------------------------------------------------------------- /rules/evtx/credential_access/weak_kerberos_ticket.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/credential_access/weak_kerberos_ticket.yml -------------------------------------------------------------------------------- /rules/evtx/defense_evasion/T1562.001 - Sysmon Service set to Manual.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/defense_evasion/T1562.001 - Sysmon Service set to Manual.yml -------------------------------------------------------------------------------- /rules/evtx/defense_evasion/T1562.001 - Sysmon Service was Disabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/defense_evasion/T1562.001 - Sysmon Service was Disabled.yml -------------------------------------------------------------------------------- /rules/evtx/indicator_removal/T1070.009 - Scheduled Task was Deleted.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/indicator_removal/T1070.009 - Scheduled Task was Deleted.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/T1021.004 - Lateral Movement via SSH.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/T1021.004 - Lateral Movement via SSH.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/batch_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/batch_logon.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/interactive_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/interactive_logon.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/network_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/network_logon.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/rdp_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/rdp_logon.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/service_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/service_logon.yml -------------------------------------------------------------------------------- /rules/evtx/lateral_movement/unlock_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/lateral_movement/unlock_logon.yml -------------------------------------------------------------------------------- /rules/evtx/log_tampering/security_audit_log_was_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/log_tampering/security_audit_log_was_cleared.yml -------------------------------------------------------------------------------- /rules/evtx/log_tampering/system_log_was_cleared.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/log_tampering/system_log_was_cleared.yml -------------------------------------------------------------------------------- /rules/evtx/login_attacks/account_brute_force.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/login_attacks/account_brute_force.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20220_20227_rasvpn_client_connection_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20220_20227_rasvpn_client_connection_error.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20221_to_20225_rasvpn_client_connection_establishment.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20221_to_20225_rasvpn_client_connection_establishment.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20226_rasvpn_client_connection_termination.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20226_rasvpn_client_connection_termination.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20250_20274_rasvpn_server_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20250_20274_rasvpn_server_logon.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20253_20255_connection_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20253_20255_connection_error.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20271_rasvpn_server_authentication_error.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20271_rasvpn_server_authentication_error.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rasvpn_events/eid_20272_20275_rasvpn_server_logoff.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rasvpn_events/eid_20272_20275_rasvpn_server_logoff.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_connection_broker/eid_1307_rdcb_successful_client_redirection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_connection_broker/eid_1307_rdcb_successful_client_redirection.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_connection_broker/eid_800_rdcb_connection_request_received.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_connection_broker/eid_800_rdcb_connection_request_received.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_connection_broker/eid_801_rdcb_connection_request_successfully_processed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_connection_broker/eid_801_rdcb_connection_request_successfully_processed.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_gateway/eid_200_rdgw_rd_cap_requirements_met.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_gateway/eid_200_rdgw_rd_cap_requirements_met.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_gateway/eid_300_rdgw_rd_rap_requirements_met.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_gateway/eid_300_rdgw_rd_rap_requirements_met.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_gateway/eid_302_rdgw_user_connected_to_resource.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_gateway/eid_302_rdgw_user_connected_to_resource.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_gateway/eid_303_rdgw_user_disconnected_from_resource.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_gateway/eid_303_rdgw_user_disconnected_from_resource.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/rd_web_access/eid_4624_rdwa_logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/rd_web_access/eid_4624_rdwa_logon.yml -------------------------------------------------------------------------------- /rules/evtx/microsoft_rds_events/user_profile_disk/eid_5_user_profile_service_registry_file_loaded.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/microsoft_rds_events/user_profile_disk/eid_5_user_profile_service_registry_file_loaded.yml -------------------------------------------------------------------------------- /rules/evtx/persistence/T1053.005 - Scheduled Task was Created.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/persistence/T1053.005 - Scheduled Task was Created.yml -------------------------------------------------------------------------------- /rules/evtx/persistence/T1547.004 - Winlogon System Shell Changed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/persistence/T1547.004 - Winlogon System Shell Changed.yml -------------------------------------------------------------------------------- /rules/evtx/powershell/eid_400_powershell_engine_state_available.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/powershell/eid_400_powershell_engine_state_available.yml -------------------------------------------------------------------------------- /rules/evtx/powershell/eid_403_powershell_engine_state_stopped.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/powershell/eid_403_powershell_engine_state_stopped.yml -------------------------------------------------------------------------------- /rules/evtx/powershell/eid_4104_powershell_script_executed.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/powershell/eid_4104_powershell_script_executed.yml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/eid_21_rdp_session_logon_succeeded.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/eid_21_rdp_session_logon_succeeded.yml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/eid_22_file_explorer_shell_appeared_in_rdp_session.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/eid_22_file_explorer_shell_appeared_in_rdp_session.yml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/eid_23_rdp_session_logoff.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/eid_23_rdp_session_logoff.yml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/eid_39_rdp_session_disconnected.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/eid_39_rdp_session_disconnected.yml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/event_id_1149.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/event_id_1149.yaml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/event_id_24.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/event_id_24.yaml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/event_id_25.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/event_id_25.yaml -------------------------------------------------------------------------------- /rules/evtx/rdp_attacks/event_id_4624_logontype_10.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/rdp_attacks/event_id_4624_logontype_10.yaml -------------------------------------------------------------------------------- /rules/evtx/service_installation/credential_dumping_tools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/credential_dumping_tools.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/csexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/csexec.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/krbrelayup.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/krbrelayup.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/meterpreter_cobalt_strike_getsystem.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/meterpreter_cobalt_strike_getsystem.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/powershell.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/powershell.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/processhacker.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/processhacker.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/remote_access_tools.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/remote_access_tools.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/smbexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/smbexec.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/suspicious_commands.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/suspicious_commands.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/suspicious_paths.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/suspicious_paths.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/sysinternals_psexec.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/sysinternals_psexec.yml -------------------------------------------------------------------------------- /rules/evtx/service_installation/tap0901.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_installation/tap0901.yml -------------------------------------------------------------------------------- /rules/evtx/service_tampering/event_log.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_tampering/event_log.yml -------------------------------------------------------------------------------- /rules/evtx/service_tampering/mssql_sus_behavior.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_tampering/mssql_sus_behavior.yml -------------------------------------------------------------------------------- /rules/evtx/service_tampering/remote_registry_usage.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_tampering/remote_registry_usage.yml -------------------------------------------------------------------------------- /rules/evtx/service_tampering/xp_cmdshell_enabled.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/evtx/service_tampering/xp_cmdshell_enabled.yml -------------------------------------------------------------------------------- /rules/mft/adamntds_dit_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/adamntds_dit_mft.yml -------------------------------------------------------------------------------- /rules/mft/advanced_ip_scanner_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/advanced_ip_scanner_mft.yml -------------------------------------------------------------------------------- /rules/mft/advanced_port_scanner_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/advanced_port_scanner_mft.yml -------------------------------------------------------------------------------- /rules/mft/angry_ip_scanner_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/angry_ip_scanner_mft.yml -------------------------------------------------------------------------------- /rules/mft/anydesk_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/anydesk_mft.yml -------------------------------------------------------------------------------- /rules/mft/browserscan_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/browserscan_mft.yml -------------------------------------------------------------------------------- /rules/mft/filezilla_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/filezilla_mft.yml -------------------------------------------------------------------------------- /rules/mft/lsass_dmp_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/lsass_dmp_mft.yml -------------------------------------------------------------------------------- /rules/mft/megasync_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/megasync_mft.yml -------------------------------------------------------------------------------- /rules/mft/mimikatz_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/mimikatz_mft.yml -------------------------------------------------------------------------------- /rules/mft/netscan_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/netscan_mft.yml -------------------------------------------------------------------------------- /rules/mft/nirsoft_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/nirsoft_mft.yml -------------------------------------------------------------------------------- /rules/mft/ntds_dit_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/ntds_dit_mft.yml -------------------------------------------------------------------------------- /rules/mft/processhacker_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/processhacker_mft.yml -------------------------------------------------------------------------------- /rules/mft/psexec_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/psexec_mft.yml -------------------------------------------------------------------------------- /rules/mft/pstools_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/pstools_mft.yml -------------------------------------------------------------------------------- /rules/mft/rclone_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/rclone_mft.yml -------------------------------------------------------------------------------- /rules/mft/rubeus_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/rubeus_mft.yml -------------------------------------------------------------------------------- /rules/mft/shadow_dumper_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/shadow_dumper_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_intel_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_intel_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_perflogs_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_perflogs_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_program_files_root_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_program_files_root_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_programdata_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_programdata_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_public_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_public_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_recyclebin_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_recyclebin_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_root_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_root_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_root_nonstand_fold_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_root_temp_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_root_temp_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_rtlo_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_rtlo_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_user_desktop_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_user_desktop_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_user_downloads_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_user_downloads_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_user_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_user_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_windows_root_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_windows_root_mft.yml -------------------------------------------------------------------------------- /rules/mft/sup_script_exec_windows_temp_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/sup_script_exec_windows_temp_mft.yml -------------------------------------------------------------------------------- /rules/mft/systeminformer_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/systeminformer_mft.yml -------------------------------------------------------------------------------- /rules/mft/winscp_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/winscp_mft.yml -------------------------------------------------------------------------------- /rules/mft/xenallpasswordpro_mft.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/rules/mft/xenallpasswordpro_mft.yml -------------------------------------------------------------------------------- /src/analyse/mod.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/analyse/mod.rs -------------------------------------------------------------------------------- /src/analyse/shimcache.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/analyse/shimcache.rs -------------------------------------------------------------------------------- /src/analyse/srum.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/analyse/srum.rs -------------------------------------------------------------------------------- /src/cli.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/cli.rs -------------------------------------------------------------------------------- /src/ext/mod.rs: -------------------------------------------------------------------------------- 1 | pub mod tau; 2 | -------------------------------------------------------------------------------- /src/ext/tau.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/ext/tau.rs -------------------------------------------------------------------------------- /src/file/esedb/mod.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/esedb/mod.rs -------------------------------------------------------------------------------- /src/file/esedb/srum.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/esedb/srum.rs -------------------------------------------------------------------------------- /src/file/evtx.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/evtx.rs -------------------------------------------------------------------------------- /src/file/hve/amcache.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/hve/amcache.rs -------------------------------------------------------------------------------- /src/file/hve/mod.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/hve/mod.rs -------------------------------------------------------------------------------- /src/file/hve/shimcache.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/hve/shimcache.rs -------------------------------------------------------------------------------- /src/file/hve/srum.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/hve/srum.rs -------------------------------------------------------------------------------- /src/file/json.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/json.rs -------------------------------------------------------------------------------- /src/file/mft.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/mft.rs -------------------------------------------------------------------------------- /src/file/mod.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/mod.rs -------------------------------------------------------------------------------- /src/file/xml.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/file/xml.rs -------------------------------------------------------------------------------- /src/hunt.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/hunt.rs -------------------------------------------------------------------------------- /src/lib.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/lib.rs -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/main.rs -------------------------------------------------------------------------------- /src/rule/chainsaw.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/rule/chainsaw.rs -------------------------------------------------------------------------------- /src/rule/mod.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/rule/mod.rs -------------------------------------------------------------------------------- /src/rule/sigma.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/rule/sigma.rs -------------------------------------------------------------------------------- /src/search.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/search.rs -------------------------------------------------------------------------------- /src/value.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/value.rs -------------------------------------------------------------------------------- /src/write.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/src/write.rs -------------------------------------------------------------------------------- /tests/clo.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/clo.rs -------------------------------------------------------------------------------- /tests/common.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/common.rs -------------------------------------------------------------------------------- /tests/convert.rs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/convert.rs -------------------------------------------------------------------------------- /tests/convert/sigma_collection.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/convert/sigma_collection.yml -------------------------------------------------------------------------------- /tests/convert/sigma_collection_output.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/convert/sigma_collection_output.yml -------------------------------------------------------------------------------- /tests/convert/sigma_simple.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/convert/sigma_simple.yml -------------------------------------------------------------------------------- /tests/convert/sigma_simple_output.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/convert/sigma_simple_output.yml -------------------------------------------------------------------------------- /tests/evtx/clo_hunt_r_any_logon.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/clo_hunt_r_any_logon.txt -------------------------------------------------------------------------------- /tests/evtx/clo_search_q_jsonl_simple_string.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/clo_search_q_jsonl_simple_string.txt -------------------------------------------------------------------------------- /tests/evtx/clo_search_q_simple_string.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/clo_search_q_simple_string.txt -------------------------------------------------------------------------------- /tests/evtx/clo_search_qj_simple_string.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/clo_search_qj_simple_string.txt -------------------------------------------------------------------------------- /tests/evtx/rule-any-logon.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/rule-any-logon.yml -------------------------------------------------------------------------------- /tests/evtx/security_sample.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/evtx/security_sample.evtx -------------------------------------------------------------------------------- /tests/srum/SOFTWARE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/srum/SOFTWARE -------------------------------------------------------------------------------- /tests/srum/SRUDB.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/srum/SRUDB.dat -------------------------------------------------------------------------------- /tests/srum/analysis_srum_database_json.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/srum/analysis_srum_database_json.txt -------------------------------------------------------------------------------- /tests/srum/analysis_srum_database_table_details.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WithSecureLabs/chainsaw/HEAD/tests/srum/analysis_srum_database_table_details.txt --------------------------------------------------------------------------------