chainsaw v2.8 releases: Rapidly Search and Hunt through Windows Event Logs

chainsaw –  Rapidly Search and Hunt through Windows Event Logs

Chainsaw provides a powerful “first-response” capability to quickly identify threats within Windows event logs. It offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in detection logic and via support for Sigma detection rules.


  • 🔍 Search and extract event log records by event IDs, string matching, and regex patterns
  • 🎯 Hunt for threats using Sigma detection rules and custom built-in detection logic
  • ⚡ Lightning fast, written in rust, wrapping the EVTX parser library by @OBenamram
  • 🔥 Document tagging (detection logic matching) provided by the TAU Engine Library
  • 📑 Output in an ASCII table format, CSV format, or JSON format

Hunting logic

Sigma Rule Matching

Using the –rules and –mapping parameters you can specify a directory containing a subset of SIGMA detection rules (or just the entire SIGMA git repo) and chainsaw will automatically load, convert and run these rules against the provided event logs. The mapping file tells chainsaw what event IDs to run the detection rules against, and what fields are relevant. By default the following event IDs are supported:

Event Type Event ID
Process Creation (Sysmon) 1
Network Connections (Sysmon) 3
Image Loads (Sysmon) 7
File Creation (Sysmon) 11
Registry Events (Sysmon) 13
Powershell Script Blocks 4104
Process Creation 4688
Scheduled Task Creation 4698
Service Creation 7045

Built-In Logic

  1. Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
  2. Detection of key event logs being cleared, or the event log service being stopped
  3. Users being created or added to sensitive user groups
  4. Brute-force of local user accounts
  5. RDP Logins

You can specify the –lateral-all flag to a chainsaw to also parse and extract additional 4624 logon types (network logons, service, batch, etc.) relating to a potential lateral movement that may be interesting for investigations.

Changelog v2.8

This release contains the following changes of note:

  • Support for parsing ESE databases and analysing SRUM databases
  • New Chainsaw rules
  • Full output support for aggregations

Install & Use

Copyright (C) 2021 countercept