README
ΒΆ
Rapidly Search and Hunt through Linux Forensics Artifacts
ChopChopGo inspired by Chainsaw utilizes Sigma rules for forensics artifact recovery, enabling rapid and comprehensive analysis of logs and other artifacts to identify potential security incidents and threats on Linux.
Features
- π― Hunt for threats using Sigma detection rules and custom ChopChopGo detection rules
- β‘ Lightning fast, written in go
- πͺΆ Clean and lightweight execution and output formats without unnecessary bloat
- π» Runs on Linux
$ ./ChopChopGo -target syslog -rules ./rules/linux/builtin/syslog/
ββββββ βββ ββ ββββββ ββββββ ββββββ βββ ββ ββββββ ββββββ βββββ ββββββ
ββββ ββ ββββ βββββββ βββββββ βββ ββββ ββ ββββ βββββββ βββββββ βββ βββ βββββββ βββ
βββ β ββββββββββββ βββββββ ββββ βββ β ββββββββββββ βββββββ ββββ ββββββββββββ βββ
ββββ βββββββ βββ βββ ββββββββββ β ββββ βββββββ βββ βββ ββββββββββ β βββ ββββββ βββ
β βββββ ββββββββββ βββββββββββ β β β βββββ ββββββββββ βββββββββββ β β βββββββββ βββββββ
β ββ β β β ββββββ ββββββ ββββ β β β ββ β β β ββββββ ββββββ ββββ β β ββ β β ββββββ
β β β βββ β β β ββ ββ β β β β βββ β β β ββ ββ β β β β β ββ
β β ββ ββ β β β ββ β β ββ ββ β β β ββ β β β β β β β
β β β β β β β β β β β β β β β β β
β β
By Keyboard Cowboys (M00NL1G7)
Using syslog file: /var/log/messages
100% |ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ| (67504/67504, 27840 it/s)
+-----------------+--------------------------------+-----------------------------------------+
| TIMESTAMP | MESSAGE | TAGS |
+-----------------+--------------------------------+-----------------------------------------+
| Mar 2 20:04:38 | fedora systemd[1]: | attack.defense_evasion-attack.t1562.004 |
| | iptables.service: Deactivated | |
| | successfully. | |
| Mar 4 10:19:03 | DESKTOP-RNL1DBO systemd[1]: | attack.defense_evasion-attack.t1562.004 |
| | iptables.service: Deactivated | |
| | successfully. | |
+-----------------+--------------------------------+-----------------------------------------+
Processed 67504 syslog events
Quick Start Guide
Downloading and Running
For an all-in-one zip container the ChopChopGo binary, and the official sigma rules to go with it, check out the releases section In this releases section you will also find pre-compiled binary-only versions of ChopChopGo.
If you want to compile ChopChopGo yourself, you can clone the ChopChopGo repo:
git clone https://github.com/M00NLIG7/ChopChopGo.git
and compile the code yourself by running: go build.
Command Examples
./ChopChopGo # Defaults to searching through auditd
./ChopChopGo -target syslog -rules ./rules/linux/builtin/syslog/ # This searches through syslog with the official sigma rules
./ChopChopGo -target journald -rules ./rules/linux/builtin/ # This searches through journald with specified rules
Documentation
ΒΆ
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.