TAU rules usage #113
-
Hello, it's not clear to me how exactly to use the TAU rules. I can't find any documentation on it. Can you give me an example and later update the readme / documentation? I'm trying to combine two conditions with AND: the event ID being 4672 and the SubjectUserName being paul.
Can you help me? That would be awesome! Awesome tool! Cheers
Replies: 3 comments 1 reply
-
Yep, so I probably need to create a Wiki page for what bits of Tau can be used where in Chainsaw, plus some cheatsheets etc. But to achieve what you want you should be able to do:
Basically
-
Thanks for your quick reply. A Tau wiki with a few examples would be great. I checked out your WithSecureLabs/tau-engine repo and tried to understand how conditions work. Can you also do logical
Your proposed example does not work for me:
❯ .\chainsaw.exe search "c:\evtx\" --from "2022-10-27T00:00:00" --to "2022-11-04T00:00:00" -t 'Event.System.EventID: =4634' -t 'Event.EventData.SubjectUserName: =Paul'
██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗
██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║
██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝
╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝
By Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading forensic artefacts from: C:\evtx\
[+] Loaded 22 forensic files (82.9 MB)
[x] an invalid identifier was encountered during parsing: invalid digit found in string
Thanks a lot! Best regards,
-
Ah, apologies, I missed that there was a = on the paul one; it should be:
You are correct in that the full expressional logic should be added to Chainsaw, but this has not been done yet as the parsing is a bit complex vs what is provided in Tau. I will see if I can add that to my todo list.
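As an added illustration (not Chainsaw's or tau-engine's code), the Python below mimics the behaviour this thread describes: repeated -t filters are ANDed, and a value prefixed with = is parsed as a number, which is why =Paul produced the "invalid digit found in string" error above while a bare paul is a string match. The operator set, the nested Event.System / Event.EventData shape and the sample records are assumptions made for the example.

```python
# Added example, not Chainsaw or tau-engine code. It mimics the tau semantics the
# thread implies: a bare value is a string match; a value led by =, >, <, >=, <= is
# a numeric comparison (so '=Paul' cannot parse); every -t filter must hold (AND).
import operator
import re

NUM_OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt,
           ">=": operator.ge, "<=": operator.le}

EVENTS = [  # constructed records, not real EVTX data, in Chainsaw's JSON shape
    {"Event": {"System": {"EventID": 4672}, "EventData": {"SubjectUserName": "paul"}}},
    {"Event": {"System": {"EventID": 4672}, "EventData": {"SubjectUserName": "admin"}}},
    {"Event": {"System": {"EventID": 4634}, "EventData": {"SubjectUserName": "paul"}}},
]

class InvalidIdentifier(ValueError):
    """Stands in for the '[x] an invalid identifier ...' error shown in the thread."""

def parse_filter(expr):
    """Turn 'Event.System.EventID: =4672' into (path, op, typed value)."""
    path, _, value = expr.partition(":")
    m = re.fullmatch(r"(>=|<=|=|>|<)(.*)", value.strip())
    if m is None:
        return path.strip(), None, value.strip()  # plain string match
    op, number = m.groups()
    try:
        return path.strip(), op, int(number)  # '=Paul' raises ValueError here
    except ValueError:
        raise InvalidIdentifier("an invalid identifier was encountered during "
                                "parsing: invalid digit found in string") from None

def lookup(doc, path):
    for key in path.split("."):  # walk the dotted path into the nested event
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches(doc, filters):
    """All filters must match, like repeated -t flags on one chainsaw search."""
    for path, op, want in filters:
        got = lookup(doc, path)
        if op is None and got != want:
            return False
        if op is not None and (not isinstance(got, int) or not NUM_OPS[op](got, want)):
            return False
    return True

def search(events, exprs):
    filters = [parse_filter(e) for e in exprs]
    return [e for e in events if matches(e, filters)]
```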