countercept / chainsaw

Rapidly Search and Hunt through Windows Event Logs


Repository from Github https://github.com/countercept/chainsaw

Latest release flagged in VirusTotal

curtisk opened this issue · 2 comments

Pulled latest compiled release x64 windows

chainsaw_x86_64-pc-windows-msvc.zip

VirusTotal reports a few issues

Hey @curtisk

This is likely due to the event logs in the "evtx_attack_samples" directory. These are event logs (cloned from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) that contain examples of real attacks, and the AVs that are triggering above are likely just looking for simple string matches for 'known bad' strings. E.g. if you search the event logs for the string "mimikatz" you're going to find matches.

If I upload the chainsaw.exe separately to VirusTotal (https://www.virustotal.com/gui/file/90a88e340271274b9bff5502c34e4669cd450fd6286625e827fb66019a9f1b6b) you can see that it's only detected by one AV engine (cynet). I can only assume they're doing some kind of heuristics which is falsely triggering on chainsaw in this case.

I don't think this is an issue that I can do anything about. As such I'm going to close this issue.

Thanks,
James
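A way to check the explanation above against a downloaded release archive, as an added example that is not part of this thread or of the chainsaw project: it hashes the binary inside the zip so the value can be compared with the VirusTotal report, and lists which archive members contain a marker string such as "mimikatz" (the archive contents, member paths and the marker list are constructed stand-ins, not the real release).

```python
import hashlib
import io
import zipfile

# Strings a signature-based engine might match on inside sample data.
# "mimikatz" is the example given in the thread; extend as needed (assumption).
MARKERS = ["mimikatz"]


def entry_sha256(zf: zipfile.ZipFile, name: str) -> str:
    """SHA-256 of one archive member, for comparison with a VirusTotal file page."""
    return hashlib.sha256(zf.read(name)).hexdigest()


def marker_hits(zf: zipfile.ZipFile, markers=MARKERS) -> dict:
    """Map each archive member to the marker strings found in its bytes.

    .evtx records store strings as UTF-16LE, so each marker is checked in
    both UTF-8 and UTF-16LE form; bytes.lower() makes the match case-insensitive
    for ASCII letters in either encoding.
    """
    hits = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        data = zf.read(info.filename).lower()
        found = [m for m in markers
                 if m.encode("utf-8") in data or m.encode("utf-16-le") in data]
        if found:
            hits[info.filename] = found
    return hits


def triage(zip_bytes: bytes, binary_name: str, markers=MARKERS) -> dict:
    """Separate the binary's hash from the members that carry marker strings."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {"binary_sha256": entry_sha256(zf, binary_name),
                "hits": marker_hits(zf, markers)}


def build_sample_release() -> bytes:
    """Constructed stand-in for a release zip: a placeholder binary plus two
    fake .evtx members, one of which mentions mimikatz in UTF-16LE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chainsaw/chainsaw.exe", b"MZ\x90\x00 placeholder binary")
        zf.writestr("chainsaw/evtx_attack_samples/cred_dump.evtx",
                    b"ElfFile\x00" + "CommandLine: Mimikatz.exe".encode("utf-16-le"))
        zf.writestr("chainsaw/evtx_attack_samples/benign_logon.evtx",
                    b"ElfFile\x00" + "LogonType 2".encode("utf-16-le"))
    return buf.getvalue()
```

Run `triage(build_sample_release(), "chainsaw/chainsaw.exe")` to see the binary's hash reported on its own while only the sample log containing the marker is listed under `hits`.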

@fscc-jamesd Thanks for the follow-up. I do see those samples are triggering the majority of it, and it makes sense.