TAU rules usage #113

PhilippRieth · 2022-11-06T22:39:03Z

PhilippRieth
Nov 6, 2022

Hello,

It's not clear to me how to exactly use the TAU rules. I can't find any documentation on it. Can you give me an example and later update the readme / documentation?

I'm trying to combine to conditions with AND: The event ID being 4672 and the SubjectUserName being paul

--tau 'Event.System.EventID: =4672 and Event.EventData.SubjectUserName: =paul'

Can you help me?

That would be awesome! Awesome tool!

Cheers
Philipp

Answered by alexkornitzer

Nov 7, 2022

Ah apologies I missed that there was = on the paul one it shoud be:

--tau 'Event.System.EventID: =4672' --tau 'Event.EventData.SubjectUserName: paul'

You are correct in that the full expressional logic should be added to Chainsaw but this has not been done yet as the parsing is a bit complex vs what is provided in Tau. I will see if I can add that to my todo list.

View full answer

alexkornitzer · 2022-11-07T15:52:47Z

alexkornitzer
Nov 7, 2022
Maintainer

Yep, so I need to probably create a Wiki page for what bits of Tau can be used where in Chainsaw and some cheatsheets etc. But to achieve what you want you should be able to do:

--tau 'Event.System.EventID: =4672' --tau 'Event.EventData.SubjectUserName: =paul'

Basically --tau does not support the condition block only key/value pairs.

0 replies

PhilippRieth · 2022-11-07T20:53:54Z

PhilippRieth
Nov 7, 2022
Author

Thanks for your quick reply. A Tau wiki with few examples would be great.

I checked out your WithSecureLabs/tau-engine repo and tried to understand how conditions work. Can you also do logical OR or AND queries? Something like "(EventID=4634 OR EventID =4673) AND SubjectUserName = PAUL"?

Your proposed example does not work for me:

 ❯ .\chainsaw.exe search "c:\evtx\"   --from "2022-10-27T00:00:00" --to "2022-11-04T00:00:00" -t 'Event.System.EventID: =4634' -t 'Event.EventData.SubjectUserName: =Paul'

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By Countercept (@FranticTyping, @AlexKornitzer)

[+] Loading forensic artefacts from: C:\evtx\
[+] Loaded 22 forensic files (82.9 MB)
[x] an invalid identifier was encountered during parsing: invalid digit found in string

Thanks a lot!

Best regards,
Philipp

0 replies

alexkornitzer · 2022-11-07T21:27:15Z

alexkornitzer
Nov 7, 2022
Maintainer

Ah apologies I missed that there was = on the paul one it shoud be:

--tau 'Event.System.EventID: =4672' --tau 'Event.EventData.SubjectUserName: paul'

You are correct in that the full expressional logic should be added to Chainsaw but this has not been done yet as the parsing is a bit complex vs what is provided in Tau. I will see if I can add that to my todo list.

1 reply

PhilippRieth Nov 8, 2022
Author

Awesome thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TAU rules usage #113

{{title}}

Replies: 3 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

TAU rules usage #113

PhilippRieth Nov 6, 2022

Replies: 3 comments · 1 reply

alexkornitzer Nov 7, 2022 Maintainer

PhilippRieth Nov 7, 2022 Author

alexkornitzer Nov 7, 2022 Maintainer

PhilippRieth Nov 8, 2022 Author

PhilippRieth
Nov 6, 2022

Replies: 3 comments 1 reply

alexkornitzer
Nov 7, 2022
Maintainer

PhilippRieth
Nov 7, 2022
Author

alexkornitzer
Nov 7, 2022
Maintainer

PhilippRieth Nov 8, 2022
Author