ISC StormCast for Wednesday, September 21st, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 21 September 2022
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello and welcome to the Wednesday, September 21st, 2022 edition of the SANS Internet Storm Center's |
| 0:07.5 | Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
| 0:14.9 | One of the questions I'm getting a lot when talking about incident response and forensics is where |
| 0:20.4 | to start if you are confronted |
| 0:22.7 | with an incident, and of course doing so relatively quickly. Sometimes it's pretty straightforward. |
| 0:29.1 | You have a specific system and a specific piece of malware to deal with. Ransomware is always |
| 0:34.1 | pretty straightforward, of course, to pin down because you usually have this warning screen telling you what it's all about. |
| 0:40.8 | But it can be difficult to analyze all the different logs |
| 0:44.2 | that you may have access to. |
| 0:46.1 | And again, speed often matters. |
| 0:48.6 | So Russ today wrote about a nice tool to assist with this task: Chainsaw. Chainsaw is a simple command line tool |
| 0:58.1 | that can read logs and extract relevant logs. That's really the key here. You always have a ton of |
| 1:04.7 | logs, but it's hard to find the couple of lines that really matter. Chainsaw uses the common Sigma rule format, so you'll likely find some nice rule sets ready to use in addition to its own built-in rules. To demonstrate the capabilities of Chainsaw, Russ first used data from an older incident he worked on, and it did a great job identifying some of the |
| 1:30.9 | relevant pieces of software involved in the incident. In addition, Russ then used data from |
| 1:37.2 | APT simulator, a tool that simulates activity that's sort of consistent with what's commonly known |
| 1:43.9 | as APT attacks. |
| 1:45.9 | This time, Russ used Chainsaw's built-in rules as well as some Sigma rules. |
| 1:52.4 | And again, Chainsaw's own rules found that an administrator account was added. |
| 1:58.4 | That's, of course, always nice to know. |
| 2:00.5 | And Sigma rules then identified password dumping activity and other relevant artifacts. |
| 2:10.8 | More about this in Russ's diary post. So in short, a very useful tool to at least get a decent first cut of what is odd and interesting, |
... |

