
Log Analysis

00. Tools

00.1 Windows

## ------------------| Install chainsaw (with the Sigma rule set)
sudo apt install cargo
git clone https://github.com/WithSecureLabs/chainsaw.git && cd chainsaw
git clone https://github.com/SigmaHQ/sigma
cargo build --release
mv target/release/chainsaw .

## ------------------| Install hayabusa
## Or download a prebuilt release from https://github.com/Yamato-Security/hayabusa/releases/latest
./hayabusa update

## ------------------| Compiling From Source 
sudo apt install cargo rustup
git clone https://github.com/Yamato-Security/hayabusa && cd hayabusa
rustup update stable
cargo update
cargo build --release
mv target/release/hayabusa .
./hayabusa update

01. Windows

01.1 Windows XML Event Log (.EVTX)

  • Chainsaw

## ------------------| Hunt with Sigma and Chainsaw Rules
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/

## ------------------| Output in JSON
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --json

## ------------------| Search for the case-insensitive word 'mimikatz'
./chainsaw search mimikatz -i *.evtx

## ------------------| Search for PowerShell Script Block Logging events (EventID 4104)
./chainsaw search -t 'Event.System.EventID: =4104' *.evtx

## ------------------| Search by EventID
./chainsaw search -t 'Event.System.EventID: =<ID>' *.evtx

## ------------------| Search by PID
./chainsaw search <PID> *.evtx 

## ------------------| Dump data
./chainsaw dump *.evtx --jsonl > events.json
### List of logs we have
cat events.json | jq '.Event | .System.Channel' | sort | uniq
### Grep from logs
cat events.json | jq '.Event' -c | grep -i "<word>"
### Get all System event logs
cat events.json | jq '.Event | select(.System.Channel == "System")'
cat events.json | jq '.Event | select(.System.Channel == "System") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n 
### Get all Security event logs
cat events.json | jq '.Event | select(.System.Channel == "Security")'
cat events.json | jq '.Event | select(.System.Channel == "Security") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Get all NTFS Operational event logs
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational")'
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Search by EventID
cat events.json | jq '.Event | select(.System.EventID ==<ID>)'
### Get EventID's name
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | .EventData.param1' | sort -u
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | select(.EventData.param1 == "<EventName>")' 
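The jq pipelines above (list channels, grep the records, count EventIDs per channel, pull `param1` for a given EventID) as one offline script, added here as an example rather than code from the page or from the chainsaw project. The sample records are constructed in the shape `chainsaw dump --jsonl` emits (one object per line with the record under `Event`); the host name, paths and user name in them are made up. It also handles one edge case the jq one-liners do not: an `EventID` that was parsed as an attributed element (`{"#text": 7036, "Qualifiers": ...}`) instead of a bare integer.

```python
import json
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample records (not a real dump) in chainsaw's JSONL layout.
SAMPLE_RECORDS = [
    {"Event": {"System": {"Channel": "Security", "EventID": 4688, "Computer": "ws01"},
               "EventData": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"Event": {"System": {"Channel": "Security", "EventID": 4688, "Computer": "ws01"},
               "EventData": {"NewProcessName": "C:\\Windows\\System32\\whoami.exe"}}},
    {"Event": {"System": {"Channel": "Security", "EventID": 1102, "Computer": "ws01"},
               "EventData": {"SubjectUserName": "alice"}}},
    # EventID as an attributed element: the jq filter `.System.EventID == 7036` misses this form.
    {"Event": {"System": {"Channel": "System", "EventID": {"#text": 7036, "Qualifiers": 16384}},
               "EventData": {"param1": "Print Spooler", "param2": "running"}}},
    {"Event": {"System": {"Channel": "System", "EventID": 7036},
               "EventData": {"param1": "Windows Defender Antivirus Service", "param2": "stopped"}}},
    {"Event": {"System": {"Channel": "System", "EventID": 6005}, "EventData": {}}},
    {"Event": {"System": {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1},
               "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe"}}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def load_events(jsonl_text: str) -> List[Dict[str, Any]]:
    """Parse JSONL (one record per line) into the list of `Event` objects, skipping blank lines."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line)["Event"])
    return events


def event_id(event: Dict[str, Any]) -> int:
    """Return the numeric EventID, whether stored as an int or as {"#text": n, ...}."""
    raw = event["System"]["EventID"]
    if isinstance(raw, dict):
        raw = raw["#text"]
    return int(raw)


def channels(events: List[Dict[str, Any]]) -> List[str]:
    """Equivalent of `jq '.Event | .System.Channel' | sort | uniq`."""
    return sorted({e["System"]["Channel"] for e in events})


def select_events(events, channel: Optional[str] = None, eid: Optional[int] = None):
    """Filter by channel and/or EventID (either may be omitted)."""
    return [e for e in events
            if (channel is None or e["System"]["Channel"] == channel)
            and (eid is None or event_id(e) == eid)]


def event_id_counts(events, channel: str) -> Dict[int, int]:
    """EventID -> count for one channel, sorted by EventID (the `uniq -c | awk | sort -n` step)."""
    return dict(sorted(Counter(event_id(e) for e in select_events(events, channel)).items()))


def param1_values(events, eid: int) -> List[str]:
    """Unique EventData.param1 values for an EventID, e.g. service names for System 7036."""
    values = {e.get("EventData", {}).get("param1") for e in select_events(events, eid=eid)}
    return sorted(v for v in values if v is not None)


def grep_events(events, word: str):
    """Case-insensitive substring match over the serialised record (`jq -c | grep -i`)."""
    needle = word.lower()
    return [e for e in events if needle in json.dumps(e).lower()]


if __name__ == "__main__":
    evs = load_events(SAMPLE_JSONL)
    print("channels:", channels(evs))
    for ch in channels(evs):
        print(ch, event_id_counts(evs, ch))
    print("7036 services:", param1_values(evs, 7036))
    print("records mentioning cmd.exe:", len(grep_events(evs, "cmd.exe")))
```

To run it against a real dump, replace `SAMPLE_JSONL` with the contents of `events.json` produced by `./chainsaw dump *.evtx --jsonl`; the functions only assume the `Event.System.Channel` and `Event.System.EventID` keys that the jq filters on this page already rely on.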
  • Hayabusa

## ------------------| Hunt 
./hayabusa csv-timeline -d <directory>

01.2 NTFS Master File Table ($MFT)

## ------------------| Dump data using chainsaw
./chainsaw dump mft.bin
./chainsaw dump mft.bin --jsonl > mft.json

01.3 General Events

## ------------------| System Events
1 - The logon process has completed.  
3 - A network link is established.  
6 - The event log service has started.  
12 - System Information (System events).  
14 - The system has entered sleep mode.  
15 - A system-wide resource has been initialized.  
16 - The system is resuming from sleep.  
18 - The network adapter has connected.  
20 - A logon attempt was made.  
24 - A user account was successfully logged on.  
25 - A disk volume has been successfully mounted.  
27 - The system event notification service was triggered.  
32 - The system time zone information has been updated.  
41 - The system has rebooted without a clean shutdown.  
55 - Windows Update has completed successfully.  
98 - A Windows Update operation has completed.  
129 - A Volume Shadow Copy was created successfully.  
139 - A Kerberos authentication request was made.  
143 - The Kerberos authentication process failed.  
153 - Hardware event occurred on the system.  
162 - Group Policy settings have been applied.  
172 - A Windows Update installation has started.  
238 - Setup has completed successfully.  
1001 - A bug check (stop error) occurred.  
1014 - The DNS client encountered an error.  
6005 - The Event Log service was started.  
6008 - The previous system shutdown was unexpected.  
6009 - The system has started.  
6013 - The system has shut down.  
7001 - A service has been installed on the system.  
7026 - A service failed to start during the system boot process.  
7036 - The service has entered the running state.  
7040 - A service was stopped unexpectedly.  
10016 - The DCOM permissions have been modified.  
10148 - Windows Defender has updated its definitions.  
10154 - Windows Defender found an issue.  
14531 - The Windows Server Essentials service started.  
14533 - The Windows Server Essentials service stopped.  
16962 - Windows Defender detected a potential threat.  
16977 - Windows Defender completed a scan.  
16983 - Windows Defender quarantined an item.  
50036 - Windows Defender detected a suspicious item.  
50103 - Windows Defender found malware.  
51046 - Windows Defender performed a full scan.  

## ------------------| Security Events
521  - The security log has been cleared.
1101 - The audit log was cleared.
4616 - The system time was changed.
4662 - An attempt was made to query the existence of a named pipe.
4688 - A new process has been created.
4696 - A trusted domain was added to the domain.
4698 - A scheduled task was created.
4699 - A scheduled task was deleted.
4700 - A scheduled task was enabled.
4701 - A scheduled task was disabled.
4702 - A scheduled task was updated.
4742 - A computer account was changed.
4768 - A Kerberos authentication ticket (TGT) was requested.
4769 - A service ticket was requested.
4799 - A user right was assigned.
4826 - A certificate request was completed.
5140 - A network share object was accessed.
5142 - A network share object was modified.
5379 - The Windows Defender Antivirus protection was turned on.

## ------------------| Microsoft-Windows-Sysmon/Operational
1    - ProcessCreate
2    - FileCreationTimeChanged
3    - NetworkConnection
4    - SysmonServiceStateChanged
5    - ProcessTerminated
6    - DriverLoaded
7    - ImageLoaded
8    - CreateRemoteThread
9    - RawAccessRead
10   - ProcessAccess
11   - FileCreated
12   - RegistryObjectAddedorDeleted
13   - RegistryValueSet
14   - RegistryKeyandValueRename
15   - FileStreamCreated
16   - SysmonConfigurationChanged
17   - PipeCreated
18   - PipeConnected
19   - WMIFilterCreated
20   - WMIConsumerCreated
21   - WMIConsumerFilterLinked
22   - DNSEvent(DNSQuery)
23   - FileDeleted
24   - ClipboardChange
25   - ProcessTampering
255  - Error

## ------------------| Microsoft-Windows-Ntfs/Operational Events
4   - The system is shutting down.
9   - A security package has been successfully loaded.
10  - The system is starting up.
142 - The system is in the process of shutting down.
158 - The operating system is starting up.
159 - The operating system has finished starting up.
300 - A user logon attempt has occurred.
301 - A user logoff attempt has occurred.
302 - A successful logon was made to the system.
303 - A failed logon attempt was made to the system.
500 - A security audit failure occurred.

02. Linux

02.1 WTMP

## ------------------| utmpdump
utmpdump <file>

## ------------------| last
sudo apt install wtmpdb
TZ=utc last -f <file> -F

02.2 Auth.log

## ------------------| View all the programs 
awk '{print $5}' auth.log | sed 's/[\[\:].*//g'| sort | uniq -c | sort -n

## ------------------| Check new user added
grep 'useradd\|usermod' auth.log

## ------------------| Check for brute-force SSH logins (source IPs by count)
grep ssh auth.log | grep -v pam_unix | grep -oP ' [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n

## ------------------| Check successful SSH logins
grep ssh auth.log | grep -v pam_unix | grep 'Accepted password'
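The four auth.log one-liners above, reimplemented as a single offline script so each result is a value you can inspect rather than a pipeline you have to re-type. This is an added example, not code from the page; the log lines are constructed in the traditional syslog layout (`Mon DD HH:MM:SS host program[pid]: message`), and the host name, user names and IP addresses in them are made up. The program name is taken from the fifth whitespace-separated field with the `[pid]` and trailing colon stripped, exactly as the `awk '{print $5}' | sed` pipeline does, and the SSH source count excludes `pam_unix` lines like the page's `grep -v pam_unix`. It goes one step further than the page by separating plain source counting from counting only `Failed password` lines, which is the number you would actually threshold on.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample auth.log (not from a real system).
SAMPLE_AUTH_LOG = "\n".join([
    "Mar  3 10:01:12 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    "Mar  3 10:01:13 web01 sshd[1201]: Connection closed by invalid user admin 203.0.113.10 port 51234 [preauth]",
    "Mar  3 10:01:15 web01 sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2",
    "Mar  3 10:01:16 web01 sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root",
    "Mar  3 10:02:40 web01 sshd[1210]: Accepted password for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:02:40 web01 sshd[1210]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "Mar  3 10:05:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m backup",
    "Mar  3 10:05:02 web01 useradd[1250]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash",
    "Mar  3 10:05:30 web01 CRON[1260]: pam_unix(cron:session): session opened for user root by (uid=0)",
])

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog-style line into host, program and message; None if it is too short."""
    fields = line.split(maxsplit=5)
    if len(fields) < 6:
        return None
    # "sshd[1201]:" -> "sshd", "sudo:" -> "sudo" (same as sed 's/[\[\:].*//')
    program = re.split(r"[\[:]", fields[4], maxsplit=1)[0]
    return {"host": fields[3], "program": program, "message": fields[5]}


def program_counts(log_text: str) -> Counter:
    """How many lines each program wrote (the `awk | sed | sort | uniq -c` pipeline)."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return Counter(p["program"] for p in parsed if p)


def user_management_events(log_text: str) -> List[str]:
    """Lines mentioning useradd or usermod, including sudo invocations of them."""
    return [l for l in log_text.splitlines() if "useradd" in l or "usermod" in l]


def ssh_sources(log_text: str) -> Counter:
    """Source IPs seen in sshd lines, excluding pam_unix lines, as in the page's grep pipeline."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        p = parse_line(line)
        if not p or p["program"] != "sshd" or "pam_unix" in line:
            continue
        counts.update(IPV4.findall(p["message"]))
    return counts


def failed_password_sources(log_text: str, threshold: int = 1) -> Dict[str, int]:
    """IPs with at least `threshold` 'Failed password' lines: the brute-force candidates."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        p = parse_line(line)
        if p and p["program"] == "sshd" and "Failed password" in p["message"]:
            counts.update(IPV4.findall(p["message"]))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def accepted_logins(log_text: str) -> List[Tuple[str, str, str]]:
    """(user, source IP, auth method) for every successful sshd login."""
    out = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            out.append((user, ip, method))
    return out


if __name__ == "__main__":
    print("programs:", program_counts(SAMPLE_AUTH_LOG).most_common())
    print("user management:", user_management_events(SAMPLE_AUTH_LOG))
    print("ssh sources:", ssh_sources(SAMPLE_AUTH_LOG).most_common())
    print("failed-password sources (>=2):", failed_password_sources(SAMPLE_AUTH_LOG, 2))
    print("accepted:", accepted_logins(SAMPLE_AUTH_LOG))
```

Replace `SAMPLE_AUTH_LOG` with `open("auth.log").read()` to run it on a real file. Note that `ssh_sources` counts every IP in non-pam_unix sshd lines, so a successful login's source appears there too; `failed_password_sources` is the one to use when deciding which addresses to look at first.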


