Chainsaw-style DFIR hunting for IIS W3C logs

A command-line DFIR and threat-hunting tool that parses Microsoft IIS W3C access logs, normalizes them into a stable schema, and applies Sigma-inspired YAML detection rules to surface web shells, exploitation attempts, scanning, and brute force. Inspired by the offline hunting workflow of tools like Chainsaw — but instead of Windows EVTX, it hunts IIS web access logs.

Looking to hunt Windows event logs? W3CSaw is for IIS web access logs, not EVTX. If you need to hunt Windows Event Logs, check out Chainsaw — the two are complementary: run Chainsaw on the EVTX and W3CSaw on the IIS logs from the same server, then correlate the timelines.

Features

  • Streaming W3C parser that respects #Fields: headers and tolerates changing field order across files
  • Detection engine (contains/startswith/endswith/regex/numeric operators) plus an aggregation engine for threshold, sequence, and rarity rules
  • 72 bundled rules across webshell, RCE, traversal, scanning, auth, and upload — mapped to MITRE ATT&CK
  • Outputs: JSONL, CSV, Markdown DFIR report, and a chronological timeline
  • Rich terminal mode with severity-aware grouped tables, plus an interactive prompt-driven mode
  • Python 3.9+, streaming and memory-efficient, unit-tested
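As an added illustration (not W3CSaw's own code), a minimal Python sketch of the first two features above: a streaming W3C parser that re-reads each #Fields: line so column order may change mid-stream, and a per-line rule plus a 404-flood threshold rule run over a constructed log fragment. The rule dictionary shape is hypothetical, not W3CSaw's real YAML format.

```python
import re
from collections import Counter

LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-05 10:00:01 10.0.0.5 GET /index.aspx - 203.0.113.7 200
2024-01-05 10:00:02 10.0.0.5 POST /uploads/cmd.aspx cmd=whoami 203.0.113.7 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-05 10:00:03 203.0.113.9 GET /admin 404
2024-01-05 10:00:04 203.0.113.9 GET /backup 404
2024-01-05 10:00:05 203.0.113.9 GET /.env 404
"""  # constructed sample; the column order changes at the second #Fields:

def parse_w3c(text):
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # every #Fields: line resets the column map
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) carry no entries
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skipping beats mis-aligned columns
        yield {f: ("" if v == "-" else v) for f, v in zip(fields, values)}
# Hypothetical rule shape (not W3CSaw's real format): one field, one operator.
RULES = [{"title": "Web shell command parameter", "field": "cs-uri-query",
          "op": "regex", "value": r"(^|&)cmd="}]

def match(rule, entry):
    val = entry.get(rule["field"], "")
    if rule["op"] == "contains":
        return rule["value"] in val
    return re.search(rule["value"], val) is not None

def hunt(text, flood_threshold=3):
    # Per-line rules first, then a threshold rule over 404s per client address.
    hits, not_found = [], Counter()
    for e in parse_w3c(text):
        for r in RULES:
            if match(r, e):
                hits.append((r["title"], e["c-ip"], e["cs-uri-stem"]))
        if e.get("sc-status") == "404":
            not_found[e["c-ip"]] += 1
    for ip, n in not_found.items():
        if n >= flood_threshold:
            hits.append(("404 flood", ip, f"{n} x 404"))
    return hits
```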

Usage

# Guided interactive session (loads bundled rules automatically)
w3csaw

# Hunt a directory of logs and write findings
w3csaw scan -i "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -o findings.jsonl

# Analyst-friendly terminal review
w3csaw scan -i logs/ --cli

What it detects

Web shell command execution, suspicious uploads, path traversal, SQLi/XSS/LDAP injection, Log4Shell, Struts OGNL, SSRF to cloud metadata, scanner activity, 404 floods, and brute-force-then-success sequences.

View on GitHub — MIT License