33 Updates the Sigma Rules for use with Chainsaw!
44
55 . DESCRIPTION
6- This script was made for the purpose of use with KAPE. It's meant to be placed into .\KAPE\Modules\bin and called upon using the associated KAPE Module. However, one could use this simply by ensuring your Chainsaw folder is at the root of where the script is executed. There are no parameters with this script currently.
6+ This script was originally made for the purpose of use with KAPE. However, this version can be easily used outside of KAPE. Simply place it in the same folder as where your Chainsaw binary is!
77
88 .CHANGELOG
99 2022-08-23 - Updated for Chainsaw V2 where Sigma rules folder moved to .\chainsaw\sigma
10+ 2024-09-25 - Created a version of this made for using outside of KAPE
1011
1112 . NOTES
1213 ===========================================================================
1314 Created with: SAPIEN Technologies, Inc., PowerShell Studio 2022 v5.8.201
14- Created on: 2022-02-23 16:17
15+ Created on: 2024-09-25 16:17
1516 Created by: Andrew Rathbun
1617 ===========================================================================
1718#>
@@ -20,7 +21,7 @@ Set-ExecutionPolicy Bypass -Scope Process
2021
2122$PSScriptRoot = Split-Path - Parent $MyInvocation.MyCommand.Definition
2223$sigmaRulesGitHubDestination = Join-Path $PSScriptRoot " sigma"
23- $oldSigmaRulesPath = Join-Path $PSScriptRoot " sigma" # More descriptive name
24+ $oldSigmaRulesPath = Join-Path $PSScriptRoot " sigma"
2425$sigmaRulesGitHubUrl = " https://github.com/SigmaHQ/sigma/archive/refs/heads/master.zip"
2526$sigmaRulesGitHubZip = Join-Path $PSScriptRoot " sigma-master.zip"
2627$sigmaRulesGitHubTargetFolder = Join-Path $PSScriptRoot " sigma-master\rules"
@@ -46,7 +47,6 @@ function Get-SigmaRules
4647 [CmdletBinding ()]
4748 param ()
4849
49- $timestamp = Get-Date - Format " yyyy-MM-dd HH:mm:ss"
5050 Write-Log " Downloading Sigma Rules from $sigmaRulesGitHubUrl to $sigmaRulesGitHubZip "
5151 Invoke-WebRequest - Uri $sigmaRulesGitHubUrl - OutFile $sigmaRulesGitHubZip - ErrorAction Stop
5252}
@@ -60,7 +60,6 @@ function Expand-SigmaRules
6060 [CmdletBinding ()]
6161 param ()
6262
63- $timestamp = Get-Date - Format " yyyy-MM-dd HH:mm:ss"
6463 Write-Log " Extracting $sigmaRulesGitHubZip to $PSScriptRoot "
6564 Expand-Archive - Path $sigmaRulesGitHubZip - DestinationPath $PSScriptRoot - Force - ErrorAction Stop
6665}
@@ -74,7 +73,6 @@ function Remove-OldSigmaRules
7473 [CmdletBinding ()]
7574 param ()
7675
77- $timestamp = Get-Date - Format " yyyy-MM-dd HH:mm:ss"
7876 Write-Log " Removing preexisting Sigma Rules from $oldSigmaRulesPath "
7977 Remove-Item - Path $oldSigmaRulesPath - Recurse - Force - ErrorAction Stop
8078}
@@ -87,7 +85,6 @@ function Move-SigmaRules
8785{
8886 [CmdletBinding ()]
8987 param ()
90- $timestamp = Get-Date - Format " yyyy-MM-dd HH:mm:ss"
9188 Write-Log " Moving $sigmaRulesGitHubTargetFolder to $sigmaRulesGitHubDestination "
9289 Move-Item - Path $sigmaRulesGitHubTargetFolder - Destination $sigmaRulesGitHubDestination - Force - ErrorAction Stop
9390}
@@ -101,23 +98,22 @@ function Remove-SigmaRulesDownload
10198 [CmdletBinding ()]
10299 param ()
103100
104- $timestamp = Get-Date - Format " yyyy-MM-dd HH:mm:ss"
105101 Write-Log " Removing instances of files downloaded from $PSScriptRoot "
106102 Remove-Item - Path $sigmaRulesGitHubZip - Force - ErrorAction Stop
107103 Remove-Item - Path (Join-Path $PSScriptRoot " sigma-master" - Recurse - Force - ErrorAction Stop
108104}
109105
110- & Get-SigmaRules
111- & Expand-SigmaRules
112- & Remove-OldSigmaRules
113- & Move-SigmaRules
114- & Remove-SigmaRulesDownload
106+ Get-SigmaRules
107+ Expand-SigmaRules
108+ Remove-OldSigmaRules
109+ Move-SigmaRules
110+ Remove-SigmaRulesDownload
115111
116112# SIG # Begin signature block
117113# MIIvngYJKoZIhvcNAQcCoIIvjzCCL4sCAQExDzANBglghkgBZQMEAgEFADB5Bgor
118114# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
119- # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAMZ5nEJ+br74Dz
120- # njuK8PopFrZvJwhSuYQkNzyepXhfQ6CCKKMwggQyMIIDGqADAgECAgEBMA0GCSqG
115+ # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBYmPwDxiA2p4pr
116+ # 3WKbNMC91v6hsdo2+3GbSBrcoP3OCqCCKKMwggQyMIIDGqADAgECAgEBMA0GCSqG
121117# SIb3DQEBBQUAMHsxCzAJBgNVBAYTAkdCMRswGQYDVQQIDBJHcmVhdGVyIE1hbmNo
122118# ZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoMEUNvbW9kbyBDQSBMaW1p
123119# dGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2VydmljZXMwHhcNMDQwMTAx
@@ -337,36 +333,36 @@ function Remove-SigmaRulesDownload
337333# 9lAXRaV/0x/qHtrv6DGCBlEwggZNAgEBMGgwVDELMAkGA1UEBhMCR0IxGDAWBgNV
338334# BAoTD1NlY3RpZ28gTGltaXRlZDErMCkGA1UEAxMiU2VjdGlnbyBQdWJsaWMgQ29k
339335# ZSBTaWduaW5nIENBIFIzNgIQNZ6LJbr/UQt8TtHttsJpJDANBglghkgBZQMEAgEF
340- # AKBMMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMC8GCSqGSIb3DQEJBDEiBCDg
341- # VuUr9NZADdkg5iPTu0ol8GjJvYrx3OcdUJagV06Q7DANBgkqhkiG9w0BAQEFAASC
342- # AgAzDiJbF0hjmWBKcBzDKlM2+Jlc7aEpKv8lyoUq+pI0XsRlkvkgqUj6KEj9QLSD
343- # zrBh1s1wxP3dhr/Xf5FCPsY37GkWhosMrTcUEr0ozc2g3Y1MUUp+sKPZNO3CgLzw
344- # LZ6oAMydXvHb+8PFjXYNxxyQQDzWETtZnsJLldCvAtRXKXZZMdfLuZKR8e4t1QIS
345- # u6jzHotkUxjtKWHU+lzoP8z9SoOqd2uBsXEKupDmrnA7R+XJo1tPjJz6FkJfEtdu
346- # 4gObFOZb/WvOVk7MLlMnv6u5iJ8KsN1H6n7ThNBVe77QeQ+y7ED04u0Q/eVGimog
347- # VEJhWNTh2uLf919VfZxsJfNNML0SI7DiNj3b/yrcnx+0NOJ7qVWxvbi/slObyG1M
348- # h42zLHAh1QyfKckFjFfvC02x9rmw93vfcryMu40Ftq0XNDtJQyk4C+sux8OS1Abm
349- # Ps3ipA1euhkdyNDXpAWGNBeiNeku9WfesctpRDKaz6YQvSOIXxbr6kyCwfdOlngD
350- # wRn8UEhn2RFhTPWXmZMyOrZhZxY8ISd4UBtToOH0g4LrAsLJTaDdT1Ye124bYgP7
351- # QwuJ8YPPgAkvO+7ii4iph33L/fk3iOVvehZ9pSFSTa5YPnUMG4nmu5BWsm3Zp3/d
352- # O/BvGxVurIKOJVDgT+wbtE8+YCQdwAevZ8JvBGUELqbIa6GCA2wwggNoBgkqhkiG
336+ # AKBMMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMC8GCSqGSIb3DQEJBDEiBCD4
337+ # 5M+tUQtgvQTLWwAge15E1NyQmDL0JCC5jcv4bUZBpTANBgkqhkiG9w0BAQEFAASC
338+ # AgCLffR2FnrsfHhVQE0L89fTlhAkJDlAMqmhqrDZ3QCSF4zpDEkXhaZXOuSMvtYJ
339+ # M3eZx1oYFEKceLB2f/9BhXe1YgwZ+BwqKseeuszqUXWNYiuQkvtK2c1wQaWi7bnv
340+ # +toUQT3ltWWPJDbbLBWM7fBaPrIlydrtaAgYawP9kix4xMQ4nn5x7Gl8eV5+SywK
341+ # uhuRef9WMNT/pCu7lV6L3lG85zFauVo0AS/gh2mbjHGanu5qggV1qKSMjGx4ct5L
342+ # PR87eFOFFYGz0eXfO4A39ue9fnhyEhpcsVSpj36PzfHuvhBXp9iDlH5MzNmyTL2r
343+ # p6cpd9WJyXRZOZp92kQUulmlZacTOdUESPugHzUxj5nAwjQ55tXoXrE/YTvthYEM
344+ # 3jrlLfx5VWfvfgxUjLBl2UCIduMh0VXr5/SrlEtPbaOa7jJA5Jhm2TCu/G4vagLf
345+ # 9J0ujTUI5Nv8rIYOfVpiBIeMTmtyyLhP1t3hnZekPknKntZiyMbdYiD/eLtbjVo3
346+ # +N1U1TKlO/YGBw6CC4VqC/pQ/4OdBnJZ/KAfeE+m4iyh9IAJK45DYR+BkHpj1Rqw
347+ # 7badIh1186LFAnuJKgr/hmZ12eq8by51gJoRcTcFUDQM5L92KqbzeEIk6BahusrT
348+ # ZSejQFMdvQhDlRz2uWx4iLyWtogsE+GpPOQsOO6RWfbZtqGCA2wwggNoBgkqhkiG
353349# 9w0BCQYxggNZMIIDVQIBATBvMFsxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
354350# YWxTaWduIG52LXNhMTEwLwYDVQQDEyhHbG9iYWxTaWduIFRpbWVzdGFtcGluZyBD
355351# QSAtIFNIQTM4NCAtIEc0AhABB2SbCLCn/n3WVKjy9Cn2MAsGCWCGSAFlAwQCAaCC
356352# AT0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjQw
357- # OTI2MDExODIyWjArBgkqhkiG9w0BCTQxHjAcMAsGCWCGSAFlAwQCAaENBgkqhkiG
358- # 9w0BAQsFADAvBgkqhkiG9w0BCQQxIgQgdsXiocg/nxnxheIOjcMcB7r5yasDzBWE
359- # T+oN5T14w+4wgaQGCyqGSIb3DQEJEAIMMYGUMIGRMIGOMIGLBBRE05OczRuIf4Z6
353+ # OTI2MDEzMjU2WjArBgkqhkiG9w0BCTQxHjAcMAsGCWCGSAFlAwQCAaENBgkqhkiG
354+ # 9w0BAQsFADAvBgkqhkiG9w0BCQQxIgQg3UVm5uFDd8Ejz0D1OVI+wVUJ1UIZAmuf
355+ # +icv3otwXpUwgaQGCyqGSIb3DQEJEAIMMYGUMIGRMIGOMIGLBBRE05OczRuIf4Z6
360356# zNqB7K8PZfzSWTBzMF+kXTBbMQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFs
361357# U2lnbiBudi1zYTExMC8GA1UEAxMoR2xvYmFsU2lnbiBUaW1lc3RhbXBpbmcgQ0Eg
362358# LSBTSEEzODQgLSBHNAIQAQdkmwiwp/591lSo8vQp9jANBgkqhkiG9w0BAQsFAASC
363- # AYAjmIGJEUMV5g/NMN0AF3tWGEqBHikj5RrlKPnTrZVJOlD3NvxufO/5DWnGd5Zf
364- # uZZ3zZHMuUlpnLgf+TCfqzVfcyvj2AydtFFgS/HZZ1oWhPmDU2bvhptAcSBF1Hkx
365- # gGAMQQPMzmvS/hNhNb1Mf0mcuYs3Qn3BRrHrrS6jnRDuJwo/QDGsiaayLOlgwrP8
366- # 3u7DABreJS5hYFXCcXtvXrUGoqcK1p03hdOWTxTJL1NwewznJbU6ubTge9uLNepQ
367- # iEoLIX0KbeZO7CoeomhCBRja2OiKrsL/ed7CUPxBinRPgBsaQkm/lZCA6ewZW1L4
368- # HjSjueb6xSer3j9jKBgtLPgg/eRSqjr1KB83KluNjbH4P7DNHWhiCHFSEKWg3xpa
369- # 6TZgKeRuQxljeFAzSFBXO3viyQXuE0NDxwOpWz2+4FVAnTVP0MGX/0mErwXWKUQX
370- # cHejdB/zN5z8EXktL3FuVN5GWwy0l5a9NyIOTui22wirnsbaK04FUB/szkV1ZJhL
371- # 98A =
359+ # AYAvOafbMfBpAHhLFNBw0PcOjPNyZc0C+miVyYrrAsCVOSOd3NGTqVDQJImrM3Od
360+ # eGEgBq0zIG/gTk5F+zcv2jSeBjCfBg6Dw0FR3011lNEsA/x9YRdjzX3Oa2OpSpTf
361+ # 0m4Pf8luR/9ot4ZvTAEd97OiMhvz1Vwe9Tem9EtlKeyGt7ICkNwh1gVFkdxXVFlF
362+ # AlKrCJzdoSRsppXAelHJfOZrXLFoUIP+A1TFCJ2Ugt2hgRs+dvzmlkTKtQhYmu8y
363+ # S2dxtNZx/XDzOZ7L6leJry6YIQHRbQQRFEvfaSkyDliBO2PLBufYfeL3X5pdcGVW
364+ # aOarihx44e4o0iSGybUjFddl7usr1lnE7ktZ76OVc1uSOItpTDWPPxqrrKi5/4lr
365+ # zYcCSdPTt8YJzMF0T+G9uD7ykyZAw+5t5OY9ZUfHljhHCz+gE0LM35jIJ81yAzYl
366+ # sJqLRz8YJAlyaVZorCo8SCYvUBKzb2KEGsW0a3T8sYD5CokTt4fJDtFAW9X6HF3x
367+ # YdQ =
372368# SIG # End signature block
0 commit comments