countercept / chainsaw

Rapidly Search and Hunt through Windows Event Logs

PowerShell Object Data

high101bro opened this issue · comments

It would be extremely useful for this tool to have a switch like --PSObject that outputs the results to stdout as PowerShell object data. Currently, I have to save the results to a CSV file and then import it into PowerShell for additional manipulation using Import-Csv "chainsawfile.csv". Though this mild inconvenience isn't a showstopper, skipping the step of saving the results and being able to manipulate object data directly would be super awesome. A simple example is using PowerShell's Out-GridView to view the results natively and then applying filters or just searching. That, and having to clean up the files afterward wouldn't be necessary.

Example of request:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --PSObject | Out-GridView -Title 'Chainsaw Results'

Current non-preferred method:
chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --csv
Import-Csv ".\chainsaw_2021-09-05T11-52-35(external_rule)_-suspicious_process_creation.csv" | Out-GridView -Title "Chainsaw Results"
Remove-Item ".\chainsaw_2021-09-05T11-52-35(external_rule)_-suspicious_process_creation.csv"

Whoops, nevermind, this is already asked about here: https://github.com/countercept/chainsaw/issues/8#issue-987895661

I'm wondering if it would make more sense to allow outputting the JSON to stdout and then leave the user to handle it as they need. For PowerShell you would then pipe it to, say, ConvertFrom-Json to get the custom PSObject.

What I'm not certain about is whether this method would want the records to be in separate JSON entries. Looking at the JSON output file, they are currently sent as an array of JSON records.

I am in favour of using ConvertFrom-Json, which will be possible with the changes sitting in #23.

This has been done in #23. A new build will be pushed out in the next couple of days.
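The pipeline discussed in this thread, as an added example that is not part of the issue, the maintainers' replies or chainsaw's own code. It assumes chainsaw prints JSON to stdout when `--json` is given without an output path (an assumption about the flag, not something the thread confirms), and it handles both record layouts raised above: a single JSON array (chainsaw's file format at the time) and newline-delimited records. The sample data embedded below is constructed and only loosely mimics chainsaw's record shape. The flattening step exists because Out-GridView displays nested objects as type names rather than their contents.

```powershell
# Added example (not chainsaw's own code). Assumption: `--json` with no output
# path prints the records to stdout; adjust the flag for your build.

function ConvertFrom-ChainsawJson {
    # Turn chainsaw's JSON text into PSCustomObjects, one per hit.
    # Accepts either a JSON array or newline-delimited JSON records.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] [string[]]$InputObject)
    begin   { $lines = [System.Collections.Generic.List[string]]::new() }
    process { foreach ($l in $InputObject) { $lines.Add($l) } }
    end {
        # Native commands hand PowerShell one line at a time; a pretty-printed
        # array must be re-joined before parsing or ConvertFrom-Json fails on
        # Windows PowerShell 5.1.
        $text = ($lines -join "`n").Trim()
        if (-not $text) { return }
        if ($text.StartsWith('[')) {
            # Array of records: parse once, then emit each element. PS 5.1
            # returns the whole array as one object, so enumerate explicitly;
            # PS 7 already enumerates, and @() keeps both cases uniform.
            foreach ($rec in @($text | ConvertFrom-Json)) { $rec }
        } else {
            # Newline-delimited records: one JSON document per non-empty line.
            foreach ($line in $lines) {
                if ($line.Trim()) { $line.Trim() | ConvertFrom-Json }
            }
        }
    }
}

function ConvertTo-FlatObject {
    # Flatten nested properties into dotted names (document.data.EventID)
    # so every value is visible and filterable in Out-GridView.
    param(
        [Parameter(ValueFromPipeline)] $InputObject,
        [string]$Prefix = ''
    )
    process {
        $flat = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $name = if ($Prefix) { "$Prefix.$($p.Name)" } else { $p.Name }
            if ($p.Value -is [System.Management.Automation.PSCustomObject]) {
                $inner = ConvertTo-FlatObject -InputObject $p.Value -Prefix $name
                foreach ($ip in $inner.PSObject.Properties) { $flat[$ip.Name] = $ip.Value }
            } elseif ($p.Value -is [array]) {
                # Arrays of scalars (e.g. tags) become one cell; arrays of
                # objects would need their own handling.
                $flat[$name] = ($p.Value -join ', ')
            } else {
                $flat[$name] = $p.Value
            }
        }
        [pscustomobject]$flat
    }
}

# Constructed sample (not real chainsaw output), in array form.
$sampleArray = @'
[
  {"name": "Suspicious Process Creation", "timestamp": "2021-09-05T11:52:35Z",
   "document": {"path": "Security.evtx",
                "data": {"EventID": 4688, "Image": "C:\\Windows\\Temp\\x.exe"}}},
  {"name": "Suspicious Process Creation", "timestamp": "2021-09-05T11:53:01Z",
   "document": {"path": "Security.evtx",
                "data": {"EventID": 4688, "Image": "C:\\Tools\\m.exe"}}}
]
'@

# Same two hits as newline-delimited records, to show the other branch.
$sampleNdjson = @'
{"name":"Suspicious Process Creation","timestamp":"2021-09-05T11:52:35Z","document":{"path":"Security.evtx","data":{"EventID":4688,"Image":"C:\\Windows\\Temp\\x.exe"}}}
{"name":"Suspicious Process Creation","timestamp":"2021-09-05T11:53:01Z","document":{"path":"Security.evtx","data":{"EventID":4688,"Image":"C:\\Tools\\m.exe"}}}
'@

# Feed the samples line by line, as stdout from chainsaw.exe would arrive.
$fromArray  = $sampleArray  -split "`n" | ConvertFrom-ChainsawJson | ConvertTo-FlatObject
$fromNdjson = $sampleNdjson -split "`n" | ConvertFrom-ChainsawJson | ConvertTo-FlatObject
$fromArray  | Format-Table -AutoSize   # two rows, columns like document.data.Image
$fromNdjson | Format-Table -AutoSize   # identical rows from the other layout

# Real pipeline against saved logs (flag assumed, see above); Out-GridView
# needs an interactive Windows session, so use Format-Table when headless:
# chainsaw.exe hunt $SavedEventLogs --rules .\sigma_rules\ --mapping .\mapping_files\sigma-mapping.yml --json |
#     ConvertFrom-ChainsawJson | ConvertTo-FlatObject | Out-GridView -Title 'Chainsaw Results'
```

Because the function buffers all input before deciding which layout it has, it works the same on Windows PowerShell 5.1 (which parses each pipeline line separately) and PowerShell 7 (which already collects pipeline input in ConvertFrom-Json); the cost is that hits only appear once chainsaw has finished, which is the same as the file-based workflow above. Where-Object filtering on the flattened properties, for example `Where-Object 'document.data.EventID' -eq 4688`, works once the records are objects.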
