From b5d2a2a3b7638aaa1a34d6c773b1e046a9565f73 Mon Sep 17 00:00:00 2001
From: reece394 <31659691+reece394@users.noreply.github.com>
Date: Thu, 14 Nov 2024 18:36:06 +0000
Subject: [PATCH 1/2] Update Chainsaw module to link to latest build and add a module to Dump MFT files using Chainsaw
---
 Modules/Apps/GitHub/Chainsaw.mkape | 4 ++--
 Modules/Apps/GitHub/Chainsaw_mft_dump.mkape | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 Modules/Apps/GitHub/Chainsaw_mft_dump.mkape
diff --git a/Modules/Apps/GitHub/Chainsaw.mkape b/Modules/Apps/GitHub/Chainsaw.mkape
index f86c9af0d..7dfe376a9 100644
--- a/Modules/Apps/GitHub/Chainsaw.mkape
+++ b/Modules/Apps/GitHub/Chainsaw.mkape
@@ -1,9 +1,9 @@
 Description: Chainsaw - Rapidly Search and Hunt through Windows Event Logs
 Category: EventLogs
 Author: Andrew Rathbun
-Version: 2.0
+Version: 2.1
 Id: e5912d52-6b31-4480-9255-8c5433326d85
-BinaryUrl: https://github.com/WithSecureLabs/chainsaw/releases/download/v2.3.1/chainsaw_all_platforms+rules+examples.zip
+BinaryUrl: https://github.com/WithSecureLabs/chainsaw/releases/latest/download/chainsaw_all_platforms+rules+examples.zip
 ExportFormat: csv
 Processors:
 -
diff --git a/Modules/Apps/GitHub/Chainsaw_mft_dump.mkape b/Modules/Apps/GitHub/Chainsaw_mft_dump.mkape
new file mode 100644
index 000000000..1c4ce8a87
--- /dev/null
+++ b/Modules/Apps/GitHub/Chainsaw_mft_dump.mkape
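Review bot: The new `+BinaryUrl:` line points at `releases/latest`, replacing a URL pinned to the v2.3.1 release, so the module no longer fixes which Chainsaw build it downloads and executes, and nothing in the file records a version or checksum for what was actually fetched. Whatever the upstream repository publishes next is what runs under this module, and two examiners processing the same evidence on different days may get different parser behaviour and output. If floating to latest is intended, state the trade-off next to the field, e.g. `# NOTE: releases/latest is unpinned - note the Chainsaw version actually downloaded in case documentation`, and consider re-pinning to a tagged release once the required build is published.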
@@ -0,0 +1,21 @@
+Description: 'Chainsaw: Dump $MFT files'
+Category: FileSystem
+Author: Reece394
+Version: 1.0
+Id: 47e20c2d-eef3-4902-a80d-48aca1329fec
+BinaryUrl: https://github.com/WithSecureLabs/chainsaw/releases/latest/download/chainsaw_all_platforms+rules+examples.zip
+ExportFormat: json
+FileMask: $MFT|*.mft|mft.bin
+Processors:
+ -
+ Executable: Chainsaw\Chainsaw.exe
+ CommandLine: dump %sourceFile% --json --output %destinationDirectory%\%d%_MFT_Output.json
+ ExportFormat: json
+
+# Documentation
+# https://github.com/WithSecureLabs/chainsaw
+# Versions of Chainsaw 2.0 and above have changed rule directories
+# The Chainsaw executable should reside in .\KAPE\Modules\bin\chainsaw\Chainsaw.exe
+# PLEASE NOTE: You may have to rename the Windows executable to Chainsaw.exe manually
+# As of posting 11/14/2024 you have to build Chainsaw from source to get $MFT filename support. This will change after v2.10.1.
+# Prior versions only support MFT files named with .mft or .bin file extensions.
From 9bdd302462d67f471d4b4c93163f757101026e6e Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Thu, 14 Nov 2024 13:52:06 -0500
Subject: [PATCH 2/2] Update and rename Chainsaw_mft_dump.mkape to Chainsaw_MFT_Dump.mkape
---
 .../GitHub/{Chainsaw_mft_dump.mkape => Chainsaw_MFT_Dump.mkape} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Modules/Apps/GitHub/{Chainsaw_mft_dump.mkape => Chainsaw_MFT_Dump.mkape} (100%)
diff --git a/Modules/Apps/GitHub/Chainsaw_mft_dump.mkape b/Modules/Apps/GitHub/Chainsaw_MFT_Dump.mkape
similarity index 100%
rename from Modules/Apps/GitHub/Chainsaw_mft_dump.mkape
rename to Modules/Apps/GitHub/Chainsaw_MFT_Dump.mkape
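Review bot: The `+FileMask:` line admits bare `$MFT` files, but the module's own trailing note says `$MFT` filename support is not in any published release as of posting and requires a source build, while the `+BinaryUrl:` line fetches `releases/latest`; taken together, a user who relies on the bundled download will have `$MFT` matches handed to a build that, per that note, cannot parse them. The documentation should say this plainly rather than leaving the reader to connect the two, e.g. `# WARNING: with the BinaryUrl above, $MFT inputs will fail until a release after v2.10.1 ships; build from source or use only *.mft / mft.bin inputs until then`. Once such a release exists, the note and the 'As of posting' line should be revised together so they do not go stale independently.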