I cannot figure this one out. What should have been simple became a real pain. The following code works. It's just that I need to start it in the background and inside a function.
The code:
$EvidenceDirectory = "C:\Evidence"
$Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
$Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
$Sigmarules = "C:\Tools\chainsaw\sigma_rules"
Set-Alias Chainsaw $Chainsawpath
$run = Chainsaw hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
From inside a function:
function Chainsaw
{
    Start-Job {
        $EvidenceDirectory = "C:\Evidence"
        $Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
        $Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
        $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
        & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
    }
    if ($LASTEXITCODE -ne 0)
    {
        Write-Host "$LASTEXITCODE"
        return
    }
    else
    {
        Write-Host "$Time Chainsaw analysis completed successfully"
    }
    Start-Sleep -s 2
}
You can run a variable with the call operator.
$run = & $Chainsawpath hunt $EvidenceDirectory\EVTX --rules $Sigmarules --mapping $Sigmamappings --csv $EvidenceDirectory\Chainsaw
As a job:
Start-Job {
    $EvidenceDirectory = "C:\Evidence"
    $Chainsawpath = "C:\Tools\chainsaw\chainsaw.exe"
    $Sigmamappings = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
    $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
    & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
}
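The job runs in its own runspace, so the `$LASTEXITCODE` check in the question's function fires before Chainsaw has finished and never sees the job's exit code. An added example (not code from either post; the function names Start-ChainsawHunt and Complete-ChainsawHunt are assumptions, the paths are the ones from the question) that starts the hunt in the background from a function, passes the paths in with -ArgumentList, and reads the exit code back through the job's output:

```powershell
# Added example, not code from the original post. Starts Chainsaw as a
# background job inside a function and reports its exit code afterwards.
# $LASTEXITCODE is only set inside the job's own runspace, so the scriptblock
# emits it as its final output value and the caller reads it with Receive-Job.
function Start-ChainsawHunt {
    param(
        [string]$EvidenceDirectory = "C:\Evidence",
        [string]$ChainsawPath      = "C:\Tools\chainsaw\chainsaw.exe",
        [string]$SigmaMappings     = "C:\Tools\chainsaw\mapping_files\sigma-mapping.yml",
        [string]$SigmaRules        = "C:\Tools\chainsaw\sigma_rules"
    )
    # Pass the paths in explicitly: the caller's variables are not visible
    # inside the job's scriptblock.
    Start-Job -Name "ChainsawHunt" -ArgumentList $ChainsawPath, $EvidenceDirectory, $SigmaRules, $SigmaMappings -ScriptBlock {
        param($exe, $evidence, $rules, $mappings)
        & $exe hunt "$evidence\EVTX" --rules $rules --mapping $mappings --csv "$evidence\Chainsaw"
        # Emit the exit code last; -1 means the executable never ran (e.g. path not found).
        if ($LASTEXITCODE -is [int]) { $LASTEXITCODE } else { -1 }
    }
}

function Complete-ChainsawHunt {
    param([Parameter(Mandatory)]$Job)
    Wait-Job -Job $Job | Out-Null
    $output = @(Receive-Job -Job $Job)   # @() keeps a single value indexable
    Remove-Job -Job $Job
    # The last output element is the exit code emitted by the scriptblock;
    # an empty output means the job died before reaching that line.
    $exitCode = if ($output.Count -gt 0) { [int]$output[-1] } else { -1 }
    $time = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    if ($exitCode -ne 0) {
        Write-Host "$time Chainsaw failed with exit code $exitCode"
        $output | Select-Object -SkipLast 1 | Write-Host   # tool output, for troubleshooting
    } else {
        Write-Host "$time Chainsaw analysis completed successfully"
    }
    return $exitCode
}

# Usage: start the hunt, carry on with other collection, then check the result.
$job = Start-ChainsawHunt
# ... other evidence collection can run here while Chainsaw works ...
$result = Complete-ChainsawHunt -Job $job
```

Because the exit code travels through the job's output stream, Complete-ChainsawHunt can be called much later than Start-ChainsawHunt, which is what makes the background run useful inside a larger collection script.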