Tag: Sigma
-
Hunting on custom log files with Chainsaw
The previous posts looked at how we could hunt on forged EVTX files. However, in the course of an incident response or advanced threat hunting, not all logs lie in properly formatted EVTX files. For example, some firewalls export their logs in JSON format, and some applications output XML. On Windows servers, these might eventually reach an event log, but on Linux they will most likely remain as they are. As I don’t like wasting my time, I want to leverage Sigma rules on JSON and XML files. Today, I focus my post on JSON files.
-
Creating EVTX for malicious activity
The previous post explained my process for developing Sigma rules to detect suspicious activity. A key element in developing such rules is the log file itself. While incident response will provide you with plenty of (large) event logs containing malicious activity, it might be time-consuming to read hundreds of thousands of log lines to find the one you are interested in detecting. Or you might not even have the possibility to get such event logs. For example, a new version of Sysmon is released and you would like to test the new capabilities.