diff --git a/.gitignore b/.gitignore index 882e7f8e..d7c5ba26 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ .DS_Store test_* .env +/logs \ No newline at end of file diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index a9063724..e278da1e 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -15,6 +15,10 @@ - XXX +## v1.3.2 [2022/06/13] + +- evtxクレートを0.7.2から0.7.3に更新し、パッケージを全部更新した。 (@YamatoSecurity) + ## v1.3.1 [2022/06/13] **新機能:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ab8cb9a..a3eaef58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,12 @@ - XXX +## v1.3.2 [2022/06/13] + +**Enhancements:** + +- Changed the evtx Rust crate from 0.7.2 to 0.7.3 with updated packages. (@YamatoSecurity) + ## v1.3.1 [2022/06/13] **New Features:** diff --git a/Cargo.lock b/Cargo.lock index 16ad8730..8fdb0739 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -113,12 +113,6 @@ dependencies = [ "serde", ] -[[package]] -name = "build_const" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4ae4235e6dac0694637c763029ecea1a2ec9e4e06ec2729bd21ba4d9c863eb7" - [[package]] name = "bumpalo" version = "3.10.0" @@ -263,21 +257,6 @@ dependencies = [ "os_str_bytes", ] -[[package]] -name = "console" -version = "0.14.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3993e6445baa160675931ec041a5e03ca84b9c6e32a056150d3aa2bdda0a1f45" -dependencies = [ - "encode_unicode", - "lazy_static", - "libc", - "regex", - "terminal_size", - "unicode-width", - "winapi", -] - [[package]] name = "console" version = "0.15.0" @@ -287,7 +266,9 @@ dependencies = [ "encode_unicode", "libc", "once_cell", + "regex", "terminal_size", + "unicode-width", "winapi", ] 
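Review bot: The added `+/logs` entry leaves `.gitignore` without a terminating newline (`\ No newline at end of file`), so the next entry appended to the file will show up in the diff as a change to this line as well; end the file with a newline after `/logs`. Ignoring the output directory is otherwise sound, since it keeps scan results containing event-log data out of version control.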
@@ -303,15 +284,6 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc" -[[package]] -name = "crc" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d663548de7f5cca343f1e0a48d14dcfb0e9eb4e079ec58883b7251539fa10aeb" -dependencies = [ - "build_const", -] - [[package]] name = "crc32fast" version = "1.3.2" @@ -390,11 +362,11 @@ dependencies = [ [[package]] name = "dialoguer" -version = "0.8.0" +version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9dd058f8b65922819fabb4a41e7d1964e56344042c26efbccd465202c23fa0c" +checksum = "61579ada4ec0c6031cfac3f86fdba0d195a7ebeb5e36693bd53cb5999a25beeb" dependencies = [ - "console 0.14.1", + "console", "lazy_static", "tempfile", "zeroize", @@ -523,21 +495,21 @@ dependencies = [ [[package]] name = "evtx" -version = "0.7.2" -source = "git+https://github.com/omerbenamram/evtx.git?rev=95a8ca6#95a8ca63be304e11849ee5f450921f257a3cdd83" +version = "0.7.3" +source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git?rev=158d496#158d496e6f40a036fa30b35e245683c3f7981df6" dependencies = [ "anyhow", "bitflags", "byteorder", "chrono", "clap 2.34.0", - "crc", + "crc32fast", "dialoguer", "encoding", "indoc", "jemallocator", "log", - "quick-xml 0.22.0", + "quick-xml", "rayon", "rpmalloc", "serde", @@ -707,7 +679,7 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.3.1" +version = "1.3.2" dependencies = [ "base64", "bytesize", @@ -732,7 +704,7 @@ dependencies = [ "openssl", "pbr", "prettytable-rs", - "quick-xml 0.23.0", + "quick-xml", "regex", "serde", "serde_derive", 
@@ -867,7 +839,7 @@ version = "0.16.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2d207dc617c7a380ab07ff572a6e52fa202a2a8f355860ac9c38e23f8196be1b" dependencies = [ - "console 0.15.0", + "console", "lazy_static", "number_prefix", "regex", @@ -911,9 +883,9 @@ checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" [[package]] name = "jemalloc-sys" -version = "0.3.2" +version = "0.5.0+5.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0d3b9f3f5c9b31aa0f5ed3260385ac205db665baa41d49bb8338008ae94ede45" +checksum = "f655c3ecfa6b0d03634595b4b54551d4bd5ac208b9e0124873949a7ab168f70b" dependencies = [ "cc", "fs_extra", @@ -922,9 +894,9 @@ dependencies = [ [[package]] name = "jemallocator" -version = "0.3.2" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "43ae63fcfc45e99ab3d1b29a46782ad679e98436c3169d15a167a1108a724b69" +checksum = "16c2514137880c52b0b4822b563fadd38257c1f380858addb74a400889696ea6" dependencies = [ "jemalloc-sys", "libc", @@ -1336,15 +1308,6 @@ version = "1.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" -[[package]] -name = "quick-xml" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8533f14c8382aaad0d592c812ac3b826162128b65662331e1127b45c3d18536b" -dependencies = [ - "memchr", -] - [[package]] name = "quick-xml" version = "0.23.0" @@ -1589,9 +1552,9 @@ dependencies = [ [[package]] name = "simplelog" -version = "0.9.0" +version = "0.10.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4bc0ffd69814a9b251d43afcabf96dad1b29f5028378056257be9e3fecc9f720" +checksum = "85d04ae642154220ef00ee82c36fb07853c10a4f2a0ca6719f9991211d2eb959" dependencies = [ "chrono", "log", diff --git a/Cargo.toml b/Cargo.toml index 3bccb648..73b81263 100644 --- a/Cargo.toml 
+++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.3.1" +version = "1.3.2" authors = ["Yamato Security @SecurityYamato"] edition = "2021" @@ -8,7 +8,7 @@ edition = "2021" [dependencies] clap = { version = "3.*", features = ["derive", "cargo"]} -evtx = { git = "https://github.com/omerbenamram/evtx.git" , rev = "95a8ca6" , features = ["fast-alloc"]} +evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , rev = "158d496" , features = ["fast-alloc"]} quick-xml = {version = "0.23.0", features = ["serialize"] } serde = { version = "1.0.*", features = ["derive"] } serde_json = { version = "1.0"} diff --git a/README-Japanese.md b/README-Japanese.md index 8dc1beb5..562662dd 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -185,7 +185,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.3.0-win-x64.exe -u +hayabusa-1.3.2-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -267,20 +267,20 @@ Hayabusa実行する際や、`.yml`ルールのダウンロードや実行時に ## Windows コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.3.0-windows-x64.exe` +例: `hayabusa-1.3.2-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.3.0-linux-x64-gnu +chmod +x ./hayabusa-1.3.2-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.3.0-linux-x64-gnu +./hayabusa-1.3.2-linux-x64-gnu ``` ## macOS @@ -288,13 +288,13 @@ chmod +x ./hayabusa-1.3.0-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.3.0-mac-intel +chmod +x ./hayabusa-1.3.2-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.3.0-mac-intel +./hayabusa-1.3.2-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: 
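Review bot: The new `evtx` line moves the dependency from upstream `omerbenamram/evtx` to the `Yamato-Security/hayabusa-evtx` fork with only a 7-character `rev`, and nothing in Cargo.toml records why the fork is used or what it changes relative to upstream, so the next person bumping the rev cannot tell whether the divergence is still needed. The build stays reproducible only because Cargo.lock pins the full commit (`158d496e6f40a036fa30b35e245683c3f7981df6` in the evtx package entry), so the short rev is acceptable, but the two must always be bumped together. I would add a comment above the line, e.g. `# Yamato-Security fork of omerbenamram/evtx (<reason for fork>); update rev and Cargo.lock together.`, and normalize the inline-table spacing to `evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git", rev = "158d496", features = ["fast-alloc"] }`. The CHANGELOG entries in this commit mention only the 0.7.2 → 0.7.3 bump and not the change of source repository, which is the part a consumer auditing the supply chain would want to see.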
@@ -308,7 +308,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.3.0-mac-intel +./hayabusa-1.3.2-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 
@@ -434,79 +434,79 @@ OPTIONS: * 1つのWindowsイベントログファイルに対してHayabusaを実行します: ```bash -hayabusa-1.3.0-win-x64.exe -f eventlog.evtx +hayabusa-1.3.2-win-x64.exe -f eventlog.evtx ``` * 複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Hayabusaルールのみを実行します(デフォルトでは `-r .\rules` にあるすべてのルールが利用されます): ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行します: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行します: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します: ```bash -hayabusa-1.3.0-win-x64.exe 
-d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知します: ```bash -hayabusa-1.3.0-win-x64.exe -l -m low +hayabusa-1.3.2-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成します(結果は結果毎に`keywords-Ip Address.txt`や`keyworss-Users.txt`等に出力されます): ```bash -hayabusa-1.3.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.3.2-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を取得します: ```bash -hayabusa-1.3.0-win-x64.exe -f Security.evtx -s +hayabusa-1.3.2-win-x64.exe -f Security.evtx -s ``` * 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -727,7 +727,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.3.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.3.2-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: diff --git a/README.md b/README.md index 92c9914b..22c74b4c 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.3.0-win-x64.exe -u +hayabusa-1.3.2-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. 
@@ -265,20 +265,20 @@ If you are worried about malware or supply chain attacks, please check the hayab ## Windows In Command Prompt or Windows Terminal, just run the 32-bit or 64-bit Windows binary from the hayabusa root directory. -Example: `hayabusa-1.3.0-windows-x64.exe` +Example: `hayabusa-1.3.2-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.3.0-linux-x64-gnu +chmod +x ./hayabusa-1.3.2-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.3.0-linux-x64-gnu +./hayabusa-1.3.2-linux-x64-gnu ``` ## macOS @@ -286,13 +286,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.3.0-mac-intel +chmod +x ./hayabusa-1.3.2-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.3.0-mac-intel +./hayabusa-1.3.2-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -306,7 +306,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.3.0-mac-intel +./hayabusa-1.3.2-mac-intel ``` The following warning will pop up, so please click "Open". 
@@ -433,79 +433,79 @@ OPTIONS: * Run hayabusa against one Windows event log file: ```bash -hayabusa-1.3.0-win-x64.exe -f eventlog.evtx +hayabusa-1.3.2-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv 
+hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.3.0-win-x64.exe -l -m low +hayabusa-1.3.2-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.3.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.3.2-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID statistics: ```bash -hayabusa-1.3.0-win-x64.exe -f Security.evtx -s +hayabusa-1.3.2-win-x64.exe -f Security.evtx -s ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.3.2-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: 
@@ -726,7 +726,7 @@ You can also add a rule ID to `rules/config/noisy_rules.txt` in order to ignore Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.3.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.3.2-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: diff --git a/rules b/rules index 3b48e177..deb6026f 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 3b48e177202fa97ebc044ef348e7ebc61f47ce38 +Subproject commit deb6026fcf452600829c52852f6283d2c808bc69 diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 84838495..5771637f 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -298,6 +298,7 @@ OPTIONS: } } } + #[derive(Debug, Clone)] pub struct TargetEventIds { ids: HashSet,