chainsaw
by WithSecureLabs
Chainsaw is a fast, Rust-based tool for rapidly searching and hunting through Windows forensic artefacts using Sigma and custom detection rules.
Rapidly Search and Hunt through Windows Forensic Artefacts
Primary Use Case
Chainsaw is designed for incident responders and threat hunters who need to quickly triage and analyse Windows forensic artefacts such as event logs (EVTX), the MFT, registry hives and ESE databases (for example SRUM), especially in environments that lack EDR telemetry. It enables rapid threat identification and forensic data extraction from a single binary, without first standing up infrastructure such as an ELK stack or Splunk.
- Hunt for threats using Sigma detection rules and custom Chainsaw detection rules
- Search and extract forensic artefacts by string matching and regex patterns
- Create execution timelines by analyzing Shimcache artefacts enriched with Amcache data
- Analyze the SRUM database and provide insights
- Dump raw content of forensic artefacts including MFT, registry hives, and ESE databases
- Lightning fast performance, written in Rust, leveraging the EVTX parser library
- Clean, lightweight execution and output formats without unnecessary bloat
- Document tagging via the TAU Engine library
Installation
- Download the latest release binary from the GitHub repository
- Alternatively, build from source using Rust toolchain (cargo build --release)
- Install or build with Nix package manager if preferred
- Run the executable directly on macOS, Linux, or Windows
Usage
>_ chainsaw hunt <evtx_path> -s <sigma_rules_dir> --mapping <mapping.yml>
   Hunt for threats in Windows event logs using Sigma detection rules. Sigma rules always need a mapping file that translates Sigma field names into EVTX fields; Chainsaw ships these under mappings/ in the repository.
>_ chainsaw hunt <evtx_path> -r <chainsaw_rules_dir>
   Hunt with Chainsaw's own detection rules (the rules/ directory in the repository). -s and -r can be combined in one run.
>_ chainsaw search <keyword> <evtx_path>
   Search event logs for a string; add -i for case-insensitive matching
>_ chainsaw search -e <regex> <evtx_path>
   Search event logs with a regular expression
>_ chainsaw analyse shimcache <SYSTEM_hive> --regexfile <patterns.txt> --amcache <Amcache.hve>
   Create an execution timeline from Shimcache entries, enriched with Amcache data (note the British spelling of the analyse subcommand)
>_ chainsaw analyse srum <SRUDB.dat> --software <SOFTWARE_hive>
   Analyse the SRUM database and extract usage insights; the SOFTWARE hive is needed to resolve application identifiers. Confirm the exact option names for your version with chainsaw analyse srum --help.
>_ chainsaw dump <artefact_file> --json
   Dump the raw content of an artefact (MFT, registry hive, ESE database, EVTX) as JSON
>_ chainsaw hunt <evtx_path> -s <sigma_rules_dir> --mapping <mapping.yml> --json -o <results.json>
   Write hunt results as JSON to a file for further processing (search accepts the same --json and -o options)
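To make the mapping requirement concrete, here is an added example (not Chainsaw's code, and not a description of its internals) that reproduces in miniature what a Sigma hunt does: a Sigma rule names fields generically (EventID, NewProcessName, CommandLine), a parsed EVTX record is a nested document (Event.System.EventID, Event.EventData.CommandLine), and a mapping joins the two. The rule, the mapping and the four Security-log records are constructed for illustration, the record shape is an assumption modelled on how EVTX-to-JSON parsers nest System and EventData, and the evaluator only covers the Sigma subset these use (exact match, the contains and endswith modifiers, and paren-free and/or/not conditions).

```python
"""Added example, not part of Chainsaw: a minimal Sigma rule evaluator showing
why `chainsaw hunt -s <sigma>` needs `--mapping <mapping.yml>`."""

# Constructed rule, written as a dict so the script needs no YAML library.
# Equivalent Sigma YAML for the detection block:
#   selection:
#     EventID: 4688
#     NewProcessName|endswith: '\powershell.exe'
#     CommandLine|contains: ' -enc'
#   filter:
#     ParentProcessName|endswith: '\explorer.exe'
#   condition: selection and not filter
RULE = {
    "title": "Encoded PowerShell command line (constructed example rule)",
    "level": "high",
    "detection": {
        "selection": {
            "EventID": 4688,
            "NewProcessName|endswith": r"\powershell.exe",
            "CommandLine|contains": " -enc",
        },
        "filter": {"ParentProcessName|endswith": r"\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed mapping: Sigma field name -> dotted path in the parsed EVTX document
# (same idea as the files under Chainsaw's mappings/, not copied from them).
MAPPING = {
    "EventID": "Event.System.EventID",
    "NewProcessName": "Event.EventData.NewProcessName",
    "CommandLine": "Event.EventData.CommandLine",
    "ParentProcessName": "Event.EventData.ParentProcessName",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def proc_event(new_proc, cmdline, parent, event_id=4688):
    """Constructed 4688 record in the nested shape EVTX parsers emit (assumed shape)."""
    return {"Event": {
        "System": {"EventID": event_id, "Channel": "Security"},
        "EventData": {"NewProcessName": new_proc, "CommandLine": cmdline,
                      "ParentProcessName": parent},
    }}


EVENTS = [  # all constructed
    proc_event(PS, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi",
               r"C:\Windows\System32\cmd.exe"),                     # should fire
    proc_event(PS, r"powershell.exe -File C:\scripts\backup.ps1",
               r"C:\Windows\explorer.exe"),                         # no -enc: no match
    proc_event(PS, "powershell.exe -enc SQBFAFgA", r"C:\Windows\explorer.exe"),  # removed by filter
    proc_event(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
               r"C:\Windows\System32\services.exe"),                # wrong image
]


def get_path(doc, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(value, pattern, modifier):
    """Sigma string matching is case-insensitive; EventID is compared as text."""
    if value is None:
        return False
    v, p = str(value).casefold(), str(pattern).casefold()
    if modifier == "":
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection, doc, mapping):
    """Map-style selection: every field must match; a list of values is OR-ed."""
    for key, pattern in selection.items():
        name, _, modifier = key.partition("|")
        path = mapping.get(name)
        if path is None:      # unmapped field: the rule cannot apply to this log source
            return False
        value = get_path(doc, path)
        candidates = pattern if isinstance(pattern, list) else [pattern]
        if not any(value_matches(value, c, modifier) for c in candidates):
            return False
    return True


def eval_condition(condition, results):
    """Paren-free Sigma condition with the usual precedence: not > and > or."""
    def term(t):
        negate = t.startswith("not ")
        name = t[4:].strip() if negate else t.strip()
        if name not in results:
            raise ValueError(f"condition references unknown selection {name!r}")
        return results[name] != negate
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def rule_matches(rule, doc, mapping):
    detection = rule["detection"]
    results = {name: selection_matches(sel, doc, mapping)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def hunt(rule, docs, mapping):
    """Indices of the documents the rule fires on."""
    return [i for i, doc in enumerate(docs) if rule_matches(rule, doc, mapping)]


if __name__ == "__main__":
    print(f"{RULE['title']} [{RULE['level']}] fired on events {hunt(RULE, EVENTS, MAPPING)}")
    print("with an empty mapping the same rule fires on", hunt(RULE, EVENTS, {}))
```

Run as a script it reports that the rule fires only on the first event, and that with an empty mapping it fires on nothing at all, which is exactly the failure mode you hit when a Sigma rule set is pointed at a log source whose fields are not mapped.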
- Integrate Chainsaw into automated incident response playbooks to accelerate triage of Windows forensic artefacts.
- Use Chainsaw to supplement EDR telemetry gaps during purple team exercises to validate detection coverage.
- Leverage Chainsaw’s Sigma rule support to rapidly prototype and test custom detection logic in hunting campaigns.
- Deploy Chainsaw in environments without heavy SIEM infrastructure to enable lightweight forensic investigations.
- Combine Chainsaw output with timeline analysis tools to enhance root cause analysis and attacker behavior reconstruction.
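As an added example of the playbook and timeline integration described above (this is not Chainsaw's own code or documentation), the script below builds the hunt command with JSON output, then reduces the detections to a severity summary and a chronological timeline that a triage runbook or timeline tool can consume. The only Chainsaw options it relies on are hunt's -s, --mapping, --json and -o; the mapping path is the one shipped in the repository. The field names inside the hunt JSON (name, level, timestamp) and the sample detections are assumptions constructed for this example, so check one real output file before depending on them, and the evidence paths are placeholders.

```python
"""Added example, not Chainsaw's code: run a Sigma hunt with JSON output and turn
the detections into a severity summary and a timeline for a triage playbook."""
import json
import shutil
import subprocess
from collections import Counter
from pathlib import Path


def build_hunt_command(evtx_path, sigma_dir, mapping_file, out_file):
    """argv for a Sigma hunt whose results are written as JSON to out_file."""
    return ["chainsaw", "hunt", str(evtx_path), "-s", str(sigma_dir),
            "--mapping", str(mapping_file), "--json", "-o", str(out_file)]


# Constructed detections in the ASSUMED shape of a hunt JSON array
# (field names are an assumption, not taken from Chainsaw's documentation).
SAMPLE_DETECTIONS = [
    {"name": "Suspicious Encoded PowerShell Command Line", "level": "high",
     "timestamp": "2024-03-04T10:15:02.000000Z"},
    {"name": "Whoami Execution", "level": "medium",
     "timestamp": "2024-03-04T10:14:41.000000Z"},
    {"name": "Suspicious Encoded PowerShell Command Line", "level": "high",
     "timestamp": "2024-03-04T10:16:20.000000Z"},
    {"name": "Windows Defender Exclusions Added", "level": "critical",
     "timestamp": "2024-03-04T10:17:09.000000Z"},
]

SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]


def severity_rank(level):
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else len(SEVERITY_ORDER)


def summarise(detections):
    """Counts per Sigma level, plus the rules that fired ordered by severity then count."""
    by_level = Counter(d.get("level", "unknown") for d in detections)
    by_rule = Counter((d.get("level", "unknown"), d["name"]) for d in detections)
    ordered = sorted(by_rule.items(), key=lambda kv: (severity_rank(kv[0][0]), -kv[1]))
    return {"by_level": dict(by_level),
            "rules": [{"level": lvl, "name": name, "count": n} for (lvl, name), n in ordered]}


def timeline(detections):
    """(timestamp, level, rule) tuples in chronological order for a timeline tool."""
    return sorted((d["timestamp"], d.get("level", "unknown"), d["name"]) for d in detections)


def run_triage(evtx_path, sigma_dir, mapping_file, out_file="hunt.json"):
    """Run the hunt when chainsaw is on PATH; otherwise use the constructed sample."""
    if shutil.which("chainsaw"):
        subprocess.run(build_hunt_command(evtx_path, sigma_dir, mapping_file, out_file),
                       check=True)
        detections = json.loads(Path(out_file).read_text())
    else:
        detections = SAMPLE_DETECTIONS
    return summarise(detections), timeline(detections)


if __name__ == "__main__":
    # Placeholder evidence path; the mapping is the one in Chainsaw's repository.
    summary, events = run_triage("C:/evidence/Logs", "sigma/",
                                 "mappings/sigma-event-logs-all.yml")
    print(json.dumps(summary, indent=2))
    for ts, level, name in events:
        print(f"{ts}  {level:<8} {name}")
```

The summary is what a playbook gates on (for example, escalate when anything at critical or high fired), while the timeline output is the piece to merge with Shimcache or SRUM timelines when reconstructing attacker activity.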