Looking for clarity for mft yaml 'filter' issue #148
Comments
Hey @gr3y56, which issue are you referring to? Are you able to explain what is not working? If so then I should be able to assist.

This is the command I'm running:

./chainsaw_x86_64-pc-windows-msvc.exe hunt -s sigma/ --mapping mappings/sigma-mft-logs-all.yml C:/Windows/System32/winevt/Logs --from 2023-11-18T17:00:00 --to 2023-11-19T01:45:00 --full

This is the output I'm getting in return:

[+] Loading detection rules from: sigma/

I looked into the yml file and I see that there's a comment hinting at the possibility that this is a known issue. I don't necessarily get it? Line 8 column 5 is just after the comment "## TODO: Flesh this out... but sigma does not seem geared for this?"
Right okay, so I never did the initial MFT work, but from looking over it, the reason the mapping file is empty is that there is no easy way to map the Sigma rules onto an MFT. They all appear to be very event-log centric. I think what I will do is remove that mapping file as it just causes confusion. That being said, you can still dump or search an MFT with the following commands, or rules could be written to hunt MFTs.
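The reason given above, that Sigma rules select on event-log fields an MFT record does not carry, can be checked mechanically rule by rule. The Python below is an added example and not chainsaw's code or its mapping format: the MFT field list and the Sigma-to-MFT field map are assumptions for illustration, and the rules and MFT rows are constructed. It collects the fields a rule's detection block uses, reports the ones with no MFT counterpart, and evaluates a path-only rule directly against MFT rows.

```python
"""Which Sigma rules can be coerced onto MFT records? (added illustration,
not chainsaw's own code or mapping logic)"""

# Fields a parsed MFT record offers. Assumed for this example, modelled on the
# $STANDARD_INFORMATION and $FILE_NAME attributes. Nothing here resembles
# EventID, Image or CommandLine, which is why event-log rules do not map.
MFT_FIELDS = {"FullPath", "Created", "Modified", "Accessed", "Size", "IsDirectory"}

# Hypothetical Sigma-field -> MFT-field map. Only the path-like selector has a
# counterpart; every other Sigma field is deliberately left unmapped.
SIGMA_TO_MFT = {"TargetFilename": "FullPath"}
assert set(SIGMA_TO_MFT.values()) <= MFT_FIELDS  # mapping targets must exist


def detection_fields(rule: dict) -> set:
    """Bare field names (|modifiers stripped) used anywhere in the rule's
    detection block; `condition` is a boolean expression, not a selector."""
    fields = set()

    def walk(node):
        if isinstance(node, dict):          # field -> value(s) map
            for key in node:
                fields.add(key.split("|", 1)[0])
        elif isinstance(node, list):        # OR-list of maps or keyword strings
            for item in node:
                walk(item)
        # plain strings are keyword searches: nothing to map

    for name, body in rule["detection"].items():
        if name != "condition":
            walk(body)
    return fields


def unmapped_fields(rule: dict, mapping: dict = SIGMA_TO_MFT) -> set:
    """Sigma fields the rule needs that have no MFT counterpart."""
    return {f for f in detection_fields(rule) if f not in mapping}


def _value_matches(modifier: str, actual, expected) -> bool:
    """Case-insensitive subset of Sigma value modifiers."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e


def _selection_matches(selection: dict, record: dict, mapping: dict) -> bool:
    """Every key of a selection map must match (AND); list values are OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = record.get(mapping[field])
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(modifier, actual, v) for v in values):
            return False
    return True


def hunt_mft(rule: dict, records: list, mapping: dict = SIGMA_TO_MFT) -> list:
    """Run a `condition: selection` rule over MFT rows and return matching
    paths. Refuses rules that need fields an MFT record cannot supply."""
    missing = unmapped_fields(rule, mapping)
    if missing:
        raise ValueError(f"{rule['title']}: no MFT counterpart for {sorted(missing)}")
    if rule["detection"].get("condition") != "selection":
        raise NotImplementedError("only `condition: selection` is handled here")
    selection = rule["detection"]["selection"]
    return [r["FullPath"] for r in records if _selection_matches(selection, r, mapping)]


# Constructed rules in Sigma's detection shape (not real Sigma rules).
RULES = [
    {"title": "Encoded PowerShell (constructed)",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                 "CommandLine|contains": "-enc"},
                   "condition": "selection"}},
    {"title": "Shortcut written by Word (constructed)",
     "logsource": {"category": "file_event", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\winword.exe",
                                 "TargetFilename|endswith": ".lnk"},
                   "condition": "selection"}},
    {"title": "Executable in user Temp (constructed)",
     "logsource": {"category": "file_event", "product": "windows"},
     "detection": {"selection": {"TargetFilename|contains": "\\AppData\\Local\\Temp\\",
                                 "TargetFilename|endswith": [".exe", ".dll"]},
                   "condition": "selection"}},
]

# Constructed MFT rows, shaped like a parsed $MFT dump.
MFT_RECORDS = [
    {"FullPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "Created": "2023-11-18T17:12:03", "Size": 48128, "IsDirectory": False},
    {"FullPath": "C:\\Windows\\System32\\notepad.exe",
     "Created": "2021-06-05T12:00:00", "Size": 201216, "IsDirectory": False},
    {"FullPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.docx",
     "Created": "2023-11-18T18:40:11", "Size": 15360, "IsDirectory": False},
]

if __name__ == "__main__":
    for rule in RULES:
        missing = sorted(unmapped_fields(rule))
        print(f"{rule['title']}: {'mappable' if not missing else 'unmapped ' + str(missing)}")
    print(hunt_mft(RULES[2], MFT_RECORDS))
```

Running it shows that a process-creation rule needs Image and CommandLine, which no MFT record can supply, while a rule that only constrains TargetFilename can be answered from the MFT alone; that is the gap a mapping file would have to bridge, and it cannot for the bulk of the Sigma rule set.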
There is no reasonable way to currently coerce Sigma rules onto an MFT, so rather than providing a broken mapping file let's remove it. Issue #148

I'm working on a particular issue where the use of chainsaw has been very welcome and essential, but I'm unfamiliar with a great deal in cybersecurity. For the sake of redundancy, this particular feature seemed helpful. Is there a particular reason it isn't working, and are there any solutions that I may not be readily aware of?