Automic VaultAutomic Vault

brew

Install chainsaw with Homebrew, Nix, zypper

Rapidly Search and Hunt through Windows Forensic Artefacts. Version 2.16.0 via Homebrew; verified 2026-05-09.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install chainsaw

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#chainsaw

nixpkgs package indexes · pkgs/by-name/ch/chainsaw/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install apache-chainsaw

openSUSE Tumbleweed package metadata · apache-chainsaw · source: download.opensuse.org

overview

Package summary

Rapidly Search and Hunt through Windows Forensic Artefacts

Commands and aliases

  • chainsaw

history

Project history and usage

Chainsaw is a WithSecure Labs command-line tool for rapid Windows forensic triage. It searches event logs and other Windows artefacts, applies Sigma and custom detection rules, and emits investigator-friendly output formats.

Project history

WithSecure Countercept created Chainsaw for incident-response cases where endpoint telemetry or a SIEM was not available, so analysts needed fast standalone processing of Windows artefacts. The public GitHub repository was created in August 2021 and v1.0.0 was released later that month.

The project evolved from an all-in-one threat-hunting bundle toward a tool that expects users to keep Sigma rules and sample event logs separately. The README notes that Chainsaw v2 stopped including Sigma Rules and EVTX-Attack-Samples as submodules so users could track those projects independently.

Adoption history

Chainsaw is distributed through GitHub releases, Nix, and the Homebrew formula named chainsaw. That packaging path matters because the tool is useful as a portable first-response binary on analyst workstations and ephemeral response systems.

GitHub release metadata shows active maintenance from v1.0.0 in 2021 through v2 releases in 2026.

How it is used

Typical use is to run chainsaw against Windows event-log collections, optionally supplying a Sigma rules directory and a mapping file such as mappings/sigma-event-logs-all.yml. The README documents output formats including table, CSV, and JSON, plus timeline generation from Shimcache enriched with Amcache data.

Why package nerds care

Chainsaw is notable in package-manager culture because it packages modern Rust DFIR tooling for a workflow that often used heavier SIEM stacks such as Splunk or ELK. It also shows the Sigma ecosystem becoming something local CLIs can consume directly.

Timeline

  • 2021: GitHub repository created by WithSecureLabs.
  • 2021: v1.0.0 published on GitHub releases.
  • 2023: v2 line documented removal of bundled Sigma and EVTX sample submodules.
  • 2026: v2.16.0 published on GitHub releases.

Related projects

  • SigmaHQ/sigma provides the Sigma detection rules Chainsaw can run.
  • omerbenamram/evtx is the Rust EVTX parser wrapped by Chainsaw.
  • sbousseaden/EVTX-ATTACK-SAMPLES is used in the README example dataset workflow.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for chainsaw. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
chainsawcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.16.0
manager updated2026-05-09
local dataok
upstreamcurrent
latest detectedv2.16.0

https://github.com/WithSecureLabs/chainsaw

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:chainsaw
Version2.16.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/chainsaw
Homepagehttps://github.com/WithSecureLabs/chainsaw
Repositoryhttps://github.com/WithSecureLabs/chainsaw
Upstream docshttps://github.com/WithSecureLabs/chainsaw#readme
LicenseGPL-3.0-only
Source archivehttps://github.com/WithSecureLabs/chainsaw/archive/refs/tags/v2.16.0.tar.gz
Last updated2026-05-09T11:59:50Z
Pulseupdated
Build dependenciesrust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namechainsaw
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

chainsaw

nix profile install nixpkgs#chainsaw
  • normalized package name match
  • Matched by: Chainsaw
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ch/chainsaw/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
zypper95%

apache-chainsaw 2.1.0-5.8

Apache Chainsaw

https://logging.apache.org/chainsaw

sudo zypper install apache-chainsaw
  • License: Apache-2.0
  • Category: Development/Libraries/Java
  • Architecture: noarch
  • Source Package: apache-chainsaw
  • 15 dependencies
  • 4 provides
  • normalized package name match
  • Matched by: Chainsaw
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: apache-chainsaw from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment