ForenSynth run summary, KPIs, and simulator — DFIR Journey

Lab Setup & Telemetry Guide — Sysmon + Chainsaw + Sigma

Goal: A reproducible DFIR lab pipeline: Sysmon emits clean telemetry → Chainsaw hunts EVTX with Sigma → JSON detections flow into ForenSynth AI.

1) Lab Topology (Minimal Viable Setup)
Host: Your workstation (analysis + Git operations)
Windows 10/11 VM (Target): Generates events, runs Sysmon
(Optional) Kali/Ubuntu VM: Auxiliary analysis tools
Network: Host-only or NAT. Keep the Windows VM reachable via shared folders for exporting EVTX.

2) Sysmon Installation (SwiftOnSecurity config)
Copy Sysmon64.exe and the SwiftOnSecurity config (e.g., sysmonconfig-export.xml) to the Windows VM.
Install: Sysmon64.exe -accepteula -i sysmonconfig-export.xml
Verify service: Get-Service Sysmon64
Confirm logs are flowing: Windows Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
You should see Event IDs like 1 (Process Creation), 3 (Network), 7 (Image Load), 10 (Process Access), 11 (File Create).
Tip: Keep a copy of the exact Sysmon XML you used in your repo for reproducibility. ...

October 16, 2025 · 3 min · Luis Camacho Jr.

Random DFIR Noise Simulator — Building Realistic Detection Data

Purpose
During DFIR analysis, it’s easy to rely on static data. To train and validate detections, I built a PowerShell-based Random DFIR Noise Simulator that produces realistic but safe Windows event activity for hunting and Sigma rule tuning.

Evolution of the Simulator
During early DFIR lab builds, I wrote a sequence of PowerShell scripts to simulate benign Windows activity and inject lightweight IOC noise into Sysmon and Security logs for Chainsaw and Sigma testing. ...

October 15, 2025 · 3 min · Luis Camacho Jr.

ForenSynth AI Evolution — From Chainsaw to Visual DFIR Reports

Automation shouldn’t replace judgment; it should buy you time to use it.

Problem
DFIR analysts burn hours turning raw detections into readable narratives. EVTX hunts surface signals, but write-ups lag behind, delaying remediation and weakening portfolio proof. We need a repeatable way to go from logs → findings → human-ready report without sacrificing accuracy or analyst judgment.

Approach
Small pipeline: Chainsaw (Sigma EVTX hunting) → SwiftOnSecurity Sysmon config (clean telemetry) → PowerShell simulator (lab noise) → Python LLM summarizer (structured narrative + IOC table). Human stays in the loop for validation and context, not rote drafting. ...

October 14, 2025 · 3 min · Luis Camacho Jr.