From 781117f206118d36065d502391175923f44b6031 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Wed, 8 Jun 2022 18:50:30 +0900
Subject: [PATCH 01/12] added three time option #574

---
 Cargo.lock | 52 +++++++++++++++++++++++++++++++++++++++
 src/afterfact.rs | 13 +++++++---
 src/detections/configs.rs | 5 +++-
 3 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 42cf7f6b..4f102742 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -568,6 +568,21 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.0.1"
@@ -699,6 +714,7 @@ dependencies = [
  "linked-hash-map",
  "lock_api",
  "num_cpus",
+ "openssl",
  "pbr",
  "prettytable-rs",
  "quick-xml 0.23.0",
@@ -1103,12 +1119,47 @@ version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7709cef83f0c1f58f666e746a08b21e0085f7440fa6a29cc194d68aac97a4225"
 
+[[package]]
+name = "openssl"
+version = "0.10.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fb81a6430ac911acb25fe5ac8f1d2af1b4ea8a4fdfda0f1ee4292af2e2d8eb0e"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "openssl-probe"
 version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 
+[[package]]
+name = "openssl-src"
+version = "111.20.0+1.1.1o"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "92892c4f87d56e376e469ace79f1128fdaded07646ddf73aa0be4706ff712dec"
+dependencies = [
+ "cc",
+]
+
 [[package]]
 name = "openssl-sys"
 version = "0.9.74"
@@ -1118,6 +1169,7 @@ dependencies = [
  "autocfg",
  "cc",
  "libc",
+ "openssl-src",
  "pkg-config",
  "vcpkg",
 ]
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 32c40b35..d3c68c22 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -592,10 +592,17 @@ fn format_rfc(time: &DateTime) -> String
 where
     Tz::Offset: std::fmt::Display,
 {
-    if configs::CONFIG.read().unwrap().args.is_present("rfc-2822") {
+    let time_args = &configs::CONFIG.read().unwrap().args;
+    if time_args.is_present("rfc-2822") {
         time.to_rfc2822()
-    } else if configs::CONFIG.read().unwrap().args.is_present("rfc-3339") {
-        time.to_rfc3339()
+    } else if time_args.is_present("rfc-3339") {
+        time.format("%Y-%m-%d %H:%M:%S%.6f%:z").to_string()
+    } else if time_args.is_present("US-time") {
+        time.format("%m-%d-%Y %I:%M:%S%.3f %p %:z").to_string()
+    } else if time_args.is_present("US-military-time") {
+        time.format("%m-%d-%Y %H:%M:%S%.3f %:z").to_string()
+    } else if time_args.is_present("European-time") {
+        time.format("%d-%m-%Y %H:%M:%S%.3f %:z").to_string()
     } else {
         time.format("%Y-%m-%d %H:%M:%S%.3f %:z").to_string()
     }
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index e886a566..7cf0be71 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
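Review bot: The `rfc-3339` branch no longer emits what the flag name and help text promise: `time.format("%Y-%m-%d %H:%M:%S%.6f%:z")` replaces `to_rfc3339()` and drops the `T` separator, which RFC 3339 only tolerates as a readability variant (the note in its section 5.6), so any downstream parser that consumed the previous `--rfc-3339` output should be checked before v1.3.1 ships. If the space-separated form is intended, the help line in configs.rs should say so, e.g. `Output timestamp in RFC 3339 format (date and time separated by a space)`. The chain also silently prefers `rfc-2822` over the other four flags when several are passed; see the configs.rs hunk of this patch for making them mutually exclusive. Separately, this patch's diffstat adds `openssl`, `openssl-src 111.20.0+1.1.1o` and friends to `Cargo.lock` with no `Cargo.toml` change, so manifest and lockfile may be out of sync; confirm the vendored OpenSSL is intended, as it becomes a second copy of a TLS stack whose advisories must be tracked.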
@@ -87,7 +87,10 @@ fn build_app<'a>() -> ArgMatches<'a> { --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: \"2018-11-28 12:00:00 +09:00\")' --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: \"2021-11-28 12:00:00 +09:00\")' --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)' + --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07 12:34:56.485214-06:00)' + --US-time 'Output date time in US time format. (Example: 08-07-2006 00:34:56.485 PM -6:00)' + --US-military-time 'Output date time in US military time format. (Example: 08-07-2006 12:34:56.485 -6:00)' + --European-time 'Output date time in European time format. (Example: 07-08-2006 12:34:56.485 +2:00)' -U, --utc 'Output time in UTC format. (Default: local time)' --no-color 'Disable color output.' -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)' From 863d443b5c8aeab067e1371e6923cdf97af48372 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 18:57:51 +0900 Subject: [PATCH 02/12] added three new time format option in readme #574 --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 1cae6011..7fe2d903 100644 --- a/README.md +++ b/README.md 
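Review bot: The five timestamp flags added to `usages` (`--rfc-2822`, `--rfc-3339`, `--US-time`, `--US-military-time`, `--European-time`) are independent booleans, so `--US-time --European-time` is accepted and `format_rfc` in afterfact.rs silently takes whichever comes first in its `if` chain. Assuming clap 2.x, which the `Arg::from_usage` and `AppSettings::VersionlessSubcommands` calls in later hunks suggest, one group on the `App` turns that into a parse-time error: `.group(ArgGroup::with_name("time-format").args(&["rfc-2822", "rfc-3339", "US-time", "US-military-time", "European-time"]))`. `build_app` continues on both sides of this hunk.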
@@ -339,6 +339,9 @@ USAGE: --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: "2021-11-28 12:00:00 +09:00")' --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)' + --US-time 'Output date time in US time format. (Example: 08-07-2006 00:34:56.485 PM -6:00)' + --US-military-time 'Output date time in US military time format. (Example: 08-07-2006 12:34:56.485 -6:00)' + --European-time 'Output date time in European time format. (Example: 07-08-2006 12:34:56.485 +2:00)' -U, --utc 'Output time in UTC format. (Default: local time)' --no-color 'Disable color output.' -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)' From 2e45fa9fb80977fd67b9635ae0ef82497660136d Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 18:58:38 +0900 Subject: [PATCH 03/12] fixed rfc-3339 output format #574 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7fe2d903..d53f82d7 100644 --- a/README.md +++ b/README.md 
@@ -338,7 +338,7 @@ USAGE: --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: "2018-11-28 12:00:00 +09:00")' --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: "2021-11-28 12:00:00 +09:00")' --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)' + --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07 12:34:56.485214-06:00)' --US-time 'Output date time in US time format. (Example: 08-07-2006 00:34:56.485 PM -6:00)' --US-military-time 'Output date time in US military time format. (Example: 08-07-2006 12:34:56.485 -6:00)' --European-time 'Output date time in European time format. (Example: 07-08-2006 12:34:56.485 +2:00)' From 22cd39b2760fa4aa81fe77b47a8fbd91dc5019e6 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 19:00:34 +0900 Subject: [PATCH 04/12] fixed rfc3339 option output format in readme jp #574 --- README-Japanese.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-Japanese.md b/README-Japanese.md index 6395da26..2fb877f9 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -340,7 +340,7 @@ USAGE: --start-timeline [START_TIMELINE] '解析対象とするイベントログの開始時刻。(例: "2018-11-28 12:00:00 +09:00")' --end-timeline [END_TIMELINE] '解析対象とするイベントログの終了時刻。(例: "2021-11-28 12:00:00 +09:00")' --rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07T12:34:56.485214 -06:00)' + --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07 12:34:56.485214-06:00)' -U, --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)' --no-color 'カラー出力を無効にする。' -t, --thread-number [NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)' From a9204e1c7de5b95771e889725fe8b0760bfd5e7e Mon Sep 17 00:00:00 2001 
From: DustInDark Date: Wed, 8 Jun 2022 19:05:08 +0900 Subject: [PATCH 05/12] added three new time format option in readme jp #574 --- README-Japanese.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README-Japanese.md b/README-Japanese.md index 2fb877f9..e82228a5 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -341,6 +341,9 @@ USAGE: --end-timeline [END_TIMELINE] '解析対象とするイベントログの終了時刻。(例: "2021-11-28 12:00:00 +09:00")' --rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Mon, 07 Aug 2006 12:34:56 -0600)' --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07 12:34:56.485214-06:00)' + --US-time 'アメリカ形式で日付と時刻を出力する。 (Example: 08-07-2006 00:34:56.485 PM -6:00)' + --US-military-time '24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する。 (Example: 08-07-2006 12:34:56.485 -6:00)' + --European-time 'ヨーロッパ形式で日付と時刻を出力する。 (Example: 07-08-2006 12:34:56.485 +2:00)' -U, --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)' --no-color 'カラー出力を無効にする。' -t, --thread-number [NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)' From 77b063639b1b7c27589927a965e723cce846d725 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 19:13:29 +0900 Subject: [PATCH 06/12] updated changelog #574 --- CHANGELOG-Japanese.md | 10 ++++++++++ CHANGELOG.md | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 88617cce..a601924a 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -2,9 +2,19 @@ ## v1.3.1 [2022/xx/xx] +**新機能:** + +- xxx + **改善:** - LinuxとmacOSのバイナリサイズをより小さくするために、デバッグシンボルをストリップします。(#568) (@YamatoSecurity) +- 新たな時刻表示のオプションとして`--US-time`、`--US-military-time`、`--European-time`の3つを追加した (#574) (@hitenkoku) +- `--rfc-3339` オプションの時刻表示形式を変更した。 (#574) (@hitenkoku) + +**バグ修正:** + +- xxx ## v1.3.0 [2022/06/06] diff --git a/CHANGELOG.md b/CHANGELOG.md index 82736a6e..8c939b18 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,9 +2,19 @@ ## v1.3.1 [2022/xx/xx] +**New Features:** + +- xxx + **Enhancements:** - Strip debug symbols by default for smaller Linux and macOS binaries. (#568) (@YamatoSecurity) +- Added new output time format option (`--US-time`, `--US-military-time`, `--European-time`) (#574) (@hitenkoku) +- Changed output time format when `--rfc-3339` option is enabled. (#574) (@hitenkoku) + +**Bug Fixes:** + +- xxx ## v1.3.0 [2022/06/06] From 7e5ebc0216a40a3cef859b9601838280a5c7dcc8 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 19:13:50 +0900 Subject: [PATCH 07/12] fixed lack of parenthesis in v1.3.0 changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c939b18..911e92ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,7 +39,7 @@ **Bug Fixes:** -- Fixed the `--start-timeline` and `--end-timeline` options as they were not working. (#546) @hitenkoku) +- Fixed the `--start-timeline` and `--end-timeline` options as they were not working. (#546) (@hitenkoku) - Fixed crash bug when level in rule is not valid. (#560) (@hitenkoku) ## v1.2.2 [2022/05/20] From aafb085747403cfcd4680ac287cd4ead90716b97 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Wed, 8 Jun 2022 19:26:45 +0900 Subject: [PATCH 08/12] updated rules #575 --- rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules b/rules index e8e335e5..3b48e177 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit e8e335e58d561e1622b5337bfecec62ae3b74750 +Subproject commit 3b48e177202fa97ebc044ef348e7ebc61f47ce38 From 35f4a92f2109dff0f88c1dcccf00712dc902434b Mon Sep 17 00:00:00 2001 
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 9 Jun 2022 09:20:49 +0900 Subject: [PATCH 09/12] updated readme and usage examples --- CHANGELOG.md | 2 +- README-Japanese.md | 24 ++++++++++++------------ README.md | 24 ++++++++++++------------ src/detections/configs.rs | 25 +++++++++++++------------ 4 files changed, 38 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 911e92ff..c04c92af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ **Enhancements:** - Strip debug symbols by default for smaller Linux and macOS binaries. (#568) (@YamatoSecurity) -- Added new output time format option (`--US-time`, `--US-military-time`, `--European-time`) (#574) (@hitenkoku) +- Added new output time format options. (`--US-time`, `--US-military-time`, `--European-time`) (#574) (@hitenkoku) - Changed output time format when `--rfc-3339` option is enabled. (#574) (@hitenkoku) **Bug Fixes:** diff --git a/README-Japanese.md b/README-Japanese.md index e82228a5..e2070efb 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -325,11 +325,11 @@ USAGE: -d, --directory [DIRECTORY] '.evtxファイルを持つディレクトリのパス。' -f, --filepath [FILE_PATH] '1つの.evtxファイルのパス。' -F, --full-data '全てのフィールド情報を出力する。' - -r, --rules [RULE_DIRECTORY/RULE_FILE] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: ./rules)' - -C, --config [RULE_CONFIG_DIRECTORY] 'ルールフォルダのコンフィグディレクトリ(デフォルト: ./rules/config)' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: .\rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'ルールフォルダのコンフィグディレクトリ(デフォルト: .\rules\config)' -o, --output [CSV_TIMELINE] 'タイムラインをCSV形式で保存する。(例: results.csv)' --all-tags '出力したCSVファイルにルール内のタグ情報を全て出力する。' - -R, --display-record-id 'EventRecordIDを出力する。' + -R, --display-record-id 'イベントレコードIDを出力する。' -v, --verbose '詳細な情報を出力する。' -V, --visualize-timeline 'イベント頻度タイムラインを出力する。' -D, --enable-deprecated-rules 'Deprecatedルールを有効にする。' 
@@ -337,21 +337,21 @@ USAGE: -u, --update-rules 'rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する。' -m, --min-level [LEVEL] '結果出力をするルールの最低レベル。(デフォルト: informational)' -l, --live-analysis 'ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する。(Windowsのみ。管理者権限が必要。)' - --start-timeline [START_TIMELINE] '解析対象とするイベントログの開始時刻。(例: "2018-11-28 12:00:00 +09:00")' - --end-timeline [END_TIMELINE] '解析対象とするイベントログの終了時刻。(例: "2021-11-28 12:00:00 +09:00")' - --rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07 12:34:56.485214-06:00)' - --US-time 'アメリカ形式で日付と時刻を出力する。 (Example: 08-07-2006 00:34:56.485 PM -6:00)' - --US-military-time '24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する。 (Example: 08-07-2006 12:34:56.485 -6:00)' - --European-time 'ヨーロッパ形式で日付と時刻を出力する。 (Example: 07-08-2006 12:34:56.485 +2:00)' + --start-timeline [START_TIMELINE] '解析対象とするイベントログの開始時刻。(例: "2020-02-22 00:00:00 +09:00")' + --end-timeline [END_TIMELINE] '解析対象とするイベントログの終了時刻。(例: "2022-02-22 23:59:59 +09:00")' + --rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Fri, 22 Feb 2022 22:00:00 -0600)' + --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2022-02-22 22:00:00.123456-06:00)' + --US-time 'アメリカ形式で日付と時刻を出力する。 (例: 02-22-2022 10:00:00.123 PM -06:00)' + --US-military-time '24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する。 (例: 02-22-2022 22:00:00.123 -06:00)' + --European-time 'ヨーロッパ形式で日付と時刻を出力する。 (例: 22-02-2022 22:00:00.123 +02:00)' -U, --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)' --no-color 'カラー出力を無効にする。' -t, --thread-number [NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)' - -s, --statistics 'イベント ID の統計情報を表示する。' + -s, --statistics 'イベントIDの統計情報を表示する。' -L, --logon-summary '成功と失敗したログオン情報の要約を出力する。' -q, --quiet 'Quietモード。起動バナーを表示しない。' -Q, --quiet-errors 'Quiet errorsモード。エラーログを保存しない。' - --level-tuning [LEVEL_TUNING_FILE] 'ルールlevelのチューニング (default: ./rules/config/level_tuning.txt)' + --level-tuning [LEVEL_TUNING_FILE] 'ルールlevelのチューニング (デフォルト: .\rules\config\level_tuning.txt)' -p, --pivot-keywords-list 'ピボットキーワードの一覧作成。' 
--contributors 'コントリビュータの一覧表示。' ``` diff --git a/README.md b/README.md index d53f82d7..d87b0ffd 100644 --- a/README.md +++ b/README.md @@ -323,11 +323,11 @@ USAGE: -d, --directory [DIRECTORY] 'Directory of multiple .evtx files.' -f, --filepath [FILE_PATH] 'File path to one .evtx file.' -F, --full-data 'Print all field information.' - -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule file or directory (default: ./rules)' - -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: ./rules/config)' - -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule file or directory (Default: .\rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: .\rules\config)' + -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Ex: results.csv)' --all-tags 'Output all tags when saving to a CSV file.' - -R, --display-record-id 'Display EventRecordID.' + -R, --display-record-id 'Display event record ID.' -v, --verbose 'Output verbose information.' -V, --visualize-timeline 'Output event frequency timeline.' -D, --enable-deprecated-rules 'Enable rules marked as deprecated.' 
@@ -335,13 +335,13 @@ USAGE: -u, --update-rules 'Update to the latest rules in the hayabusa-rules github repository.' -m, --min-level [LEVEL] 'Minimum level for rules. (Default: informational)' -l, --live-analysis 'Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.)' - --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: "2018-11-28 12:00:00 +09:00")' - --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: "2021-11-28 12:00:00 +09:00")' - --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07 12:34:56.485214-06:00)' - --US-time 'Output date time in US time format. (Example: 08-07-2006 00:34:56.485 PM -6:00)' - --US-military-time 'Output date time in US military time format. (Example: 08-07-2006 12:34:56.485 -6:00)' - --European-time 'Output date time in European time format. (Example: 07-08-2006 12:34:56.485 +2:00)' + --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00")' + --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00")' + --rfc-2822 'Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)' + --rfc-3339 'Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)' + --US-time 'Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)' + --US-military-time 'Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)' + --European-time 'Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)' -U, --utc 'Output time in UTC format. (Default: local time)' --no-color 'Disable color output.' -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)' 
@@ -349,7 +349,7 @@ USAGE: -L, --logon-summary 'Successful and failed logons summary.' -q, --quiet 'Quiet mode. Do not display the launch banner.' -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.' - --level-tuning [LEVEL_TUNING_FILE] 'Adjust rule level.(default: ./rules/config/level_tuning.txt) ' + --level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\rules\config\level_tuning.txt)' -p, --pivot-keywords-list 'Create a list of pivot keywords.' --contributors 'Prints the list of contributors.' ``` diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 7cf0be71..0ab396a5 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -72,11 +72,11 @@ fn build_app<'a>() -> ArgMatches<'a> { let usages = "-d, --directory [DIRECTORY] 'Directory of multiple .evtx files.' -f, --filepath [FILE_PATH] 'File path to one .evtx file.' -F, --full-data 'Print all field information.' - -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule directory or file (default: ./rules)' - -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: ./rules/config)' - -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule directory or file (Default: .\rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: .\rules\config)' + -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Ex: results.csv)' --all-tags 'Output all tags when saving to a CSV file.' - -R, --display-record-id 'Display EventRecordID.' + -R, --display-record-id 'Display event record ID.' -v, --verbose 'Output verbose information.' -V, --visualize-timeline 'Output event frequency timeline.' -D, --enable-deprecated-rules 'Enable rules marked as deprecated.' 
@@ -84,13 +84,13 @@ fn build_app<'a>() -> ArgMatches<'a> { -u, --update-rules 'Update to the latest rules in the hayabusa-rules github repository.' -m, --min-level [LEVEL] 'Minimum level for rules. (Default: informational)' -l, --live-analysis 'Analyze the local C:\\Windows\\System32\\winevt\\Logs folder (Windows Only. Administrator privileges required.)' - --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: \"2018-11-28 12:00:00 +09:00\")' - --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: \"2021-11-28 12:00:00 +09:00\")' - --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' - --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07 12:34:56.485214-06:00)' - --US-time 'Output date time in US time format. (Example: 08-07-2006 00:34:56.485 PM -6:00)' - --US-military-time 'Output date time in US military time format. (Example: 08-07-2006 12:34:56.485 -6:00)' - --European-time 'Output date time in European time format. (Example: 07-08-2006 12:34:56.485 +2:00)' + --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Ex: \"2020-02-22 00:00:00 +09:00\")' + --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Ex: \"2022-02-22 23:59:59 +09:00\")' + --rfc-2822 'Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)' + --rfc-3339 'Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)' + --US-time 'Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)' + --US-military-time 'Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)' + --European-time 'Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)' -U, --utc 'Output time in UTC format. (Default: local time)' --no-color 'Disable color output.' -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)' 
@@ -98,11 +98,12 @@ fn build_app<'a>() -> ArgMatches<'a> { -L, --logon-summary 'Successful and failed logons summary.' -q, --quiet 'Quiet mode. Do not display the launch banner.' -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.' + --level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\rules\config\level_tuning.txt)' -p, --pivot-keywords-list 'Create a list of pivot keywords.' --contributors 'Prints the list of contributors.'"; App::new(&program) .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!") - .version("1.3.0") + .version("1.3.1-dev") .author("Yamato Security (https://github.com/Yamato-Security/hayabusa) @SecurityYamato") .setting(AppSettings::VersionlessSubcommands) .arg( From 620fa7b634b6e469ebc750930b00dcb6db69a8e4 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 9 Jun 2022 09:28:05 +0900 Subject: [PATCH 10/12] fix \ escape --- src/detections/configs.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 0ab396a5..a7a6d1dd 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -72,8 +72,8 @@ fn build_app<'a>() -> ArgMatches<'a> { let usages = "-d, --directory [DIRECTORY] 'Directory of multiple .evtx files.' -f, --filepath [FILE_PATH] 'File path to one .evtx file.' -F, --full-data 'Print all field information.' - -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule directory or file (Default: .\rules)' - -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: .\rules\config)' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule directory or file (Default: .\\rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: .\\rules\\config)' -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Ex: results.csv)' --all-tags 'Output all tags when saving to a CSV file.' -R, --display-record-id 'Display event record ID.' 
@@ -98,7 +98,7 @@ fn build_app<'a>() -> ArgMatches<'a> { -L, --logon-summary 'Successful and failed logons summary.' -q, --quiet 'Quiet mode. Do not display the launch banner.' -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.' - --level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\rules\config\level_tuning.txt)' + --level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\\rules\\config\\level_tuning.txt)' -p, --pivot-keywords-list 'Create a list of pivot keywords.' --contributors 'Prints the list of contributors.'"; App::new(&program) From bcc9133ac7599f203bc1ab481feb2bfc0b489cfa Mon Sep 17 00:00:00 2001 From: DustInDark Date: Fri, 10 Jun 2022 12:47:20 +0900 Subject: [PATCH 11/12] fixed usage bug --- src/detections/configs.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index a7a6d1dd..2b42bb8b 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -98,7 +98,6 @@ fn build_app<'a>() -> ArgMatches<'a> { -L, --logon-summary 'Successful and failed logons summary.' -q, --quiet 'Quiet mode. Do not display the launch banner.' -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.' - --level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\\rules\\config\\level_tuning.txt)' -p, --pivot-keywords-list 'Create a list of pivot keywords.' --contributors 'Prints the list of contributors.'"; App::new(&program) @@ -108,7 +107,7 @@ fn build_app<'a>() -> ArgMatches<'a> { .setting(AppSettings::VersionlessSubcommands) .arg( // TODO: When update claps to 3.x, these can write in usage texts... - Arg::from_usage("--level-tuning=[LEVEL_TUNING_FILE] 'Adjust rule level.'") + Arg::from_usage("--level-tuning [LEVEL_TUNING_FILE] 'Tune alert levels. (Default: .\\rules\\config\\level_tuning.txt)'") .default_value("./rules/config/level_tuning.txt"), ) .usage(usages) From f9a0606c9774e8a1fdf6f4260a82b8d5573db280 Mon Sep 17 00:00:00 2001 
From: DustInDark
Date: Fri, 10 Jun 2022 13:24:20 +0900
Subject: [PATCH 12/12] fixed date output format each format option #574

---
 src/afterfact.rs | 46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index 760adf80..bce27093 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -237,7 +237,7 @@ fn emit_csv(
         if level == "informational" {
             level = "info".to_string();
         }
-        let time_str = format_time(time);
+        let time_str = format_time(time, false);
         if displayflag {
             let record_id = detect_info
                 .record_id
@@ -301,7 +301,7 @@ fn emit_csv(
         let level_suffix = *configs::LEVELMAP
             .get(&detect_info.level.to_uppercase())
             .unwrap_or(&0) as usize;
-        let time_str_date = &time_str[0..10];
+        let time_str_date = format_time(time, true);
         let mut detect_counts_by_date = detect_counts_by_date_and_level
             .get(&detect_info.level.to_lowercase())
             .unwrap_or_else(|| detect_counts_by_date_and_level.get("undefined").unwrap())
@@ -585,11 +585,11 @@ fn _print_detection_summary_by_computer(
     buf_wtr.print(&wtr).ok();
 }
 
-fn format_time(time: &DateTime) -> String {
+fn format_time(time: &DateTime, date_only: bool) -> String {
     if configs::CONFIG.read().unwrap().args.is_present("utc") {
-        format_rfc(time)
+        format_rfc(time, date_only)
     } else {
-        format_rfc(&time.with_timezone(&Local))
+        format_rfc(&time.with_timezone(&Local), date_only)
     }
 }
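Review bot: `time_str_date` now comes from `format_time(time, true)`, so the key fed into `detect_counts_by_date` is a locale-shaped string (`%m-%d-%Y`, `%d-%m-%Y`, `%a, %e %b %Y`) instead of the ISO prefix it used to be; if the by-date summary orders its keys as strings (the consumer is outside the hunk), the US, European and RFC 2822 variants will no longer sort chronologically, and `%e` also pads single-digit days with a space. Keying on a canonical date (chrono's `NaiveDate`, or the `%Y-%m-%d` string) and applying the user's format only when printing avoids both problems. Also, if this code runs in the per-record loop as its indentation suggests, every record now takes the `CONFIG` read lock and scans the flag set twice (`format_time(time, false)` in the first hunk and `format_time(time, true)` here); resolving the format once before the loop would remove that. `emit_csv` starts and ends outside these hunks.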
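Review bot: `format_time` gains a second parameter but still has no doc comment, and a bare `bool` at the call sites (`format_time(time, false)`) does not say what is being switched. I would add a line above it stating that it formats `time` for output, converting to local time unless `--utc` is set, and that `date_only` drops the time-of-day part; a two-variant enum in place of the `bool` would make the call sites self-describing, though that is a matter of taste.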
@@ -604,21 +604,43 @@ fn _get_timestamp(time: &DateTime) -> i64 {
 }
 
 /// return rfc time format string by option
-fn format_rfc(time: &DateTime) -> String
+fn format_rfc(time: &DateTime, date_only: bool) -> String
 where
     Tz::Offset: std::fmt::Display,
 {
     let time_args = &configs::CONFIG.read().unwrap().args;
     if time_args.is_present("rfc-2822") {
-        time.to_rfc2822()
+        if date_only {
+            time.format("%a, %e %b %Y").to_string()
+        } else {
+            time.format("%a, %e %b %Y %H:%M:%S %:z").to_string()
+        }
     } else if time_args.is_present("rfc-3339") {
-        time.format("%Y-%m-%d %H:%M:%S%.6f%:z").to_string()
+        if date_only {
+            time.format("%Y-%m-%d").to_string()
+        } else {
+            time.format("%Y-%m-%d %H:%M:%S%.6f%:z").to_string()
+        }
     } else if time_args.is_present("US-time") {
-        time.format("%m-%d-%Y %I:%M:%S%.3f %p %:z").to_string()
+        if date_only {
+            time.format("%m-%d-%Y").to_string()
+        } else {
+            time.format("%m-%d-%Y %I:%M:%S%.3f %p %:z").to_string()
+        }
     } else if time_args.is_present("US-military-time") {
-        time.format("%m-%d-%Y %H:%M:%S%.3f %:z").to_string()
+        if date_only {
+            time.format("%m-%d-%Y").to_string()
+        } else {
+            time.format("%m-%d-%Y %H:%M:%S%.3f %:z").to_string()
+        }
     } else if time_args.is_present("European-time") {
-        time.format("%d-%m-%Y %H:%M:%S%.3f %:z").to_string()
+        if date_only {
+            time.format("%d-%m-%Y").to_string()
+        } else {
+            time.format("%d-%m-%Y %H:%M:%S%.3f %:z").to_string()
+        }
+    } else if date_only {
+        time.format("%Y-%m-%d").to_string()
     } else {
         time.format("%Y-%m-%d %H:%M:%S%.3f %:z").to_string()
     }
@@ -784,7 +806,7 @@ mod tests {
         assert_eq!(_get_serialized_disp_output(None,), expect_header);
         assert_eq!(
             _get_serialized_disp_output(Some(DisplayFormat {
-                timestamp: &format_time(&test_timestamp),
+                timestamp: &format_time(&test_timestamp, false),
                 level: test_level,
                 computer: test_computername,
                 event_i_d: test_eventid,
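Review bot: The new `format_rfc` body repeats the `if date_only { … } else { … }` pair five times with only the two pattern strings differing, and the doc line `/// return rfc time format string by option` is now wrong for four of the six branches. Choosing the (date-only, full) pattern pair first and formatting once yields byte-identical output for every flag combination and shows the precedence — first flag in the chain wins — in one place; sketch below. I would also replace the doc line with one stating that the function formats `time` according to the selected output flag, listing the five flags and the default `%Y-%m-%d %H:%M:%S%.3f %:z` pattern, and that `date_only` restricts the output to the calendar date. The function's closing brace and the `tests` module lie outside this hunk.
```rust
// … unchanged: signature and where clause …
    let time_args = &configs::CONFIG.read().unwrap().args;
    // (date-only pattern, full pattern); the first flag present in this chain wins.
    let (date_fmt, full_fmt) = if time_args.is_present("rfc-2822") {
        ("%a, %e %b %Y", "%a, %e %b %Y %H:%M:%S %:z")
    } else if time_args.is_present("rfc-3339") {
        ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S%.6f%:z")
    } else if time_args.is_present("US-time") {
        ("%m-%d-%Y", "%m-%d-%Y %I:%M:%S%.3f %p %:z")
    } else if time_args.is_present("US-military-time") {
        ("%m-%d-%Y", "%m-%d-%Y %H:%M:%S%.3f %:z")
    } else if time_args.is_present("European-time") {
        ("%d-%m-%Y", "%d-%m-%Y %H:%M:%S%.3f %:z")
    } else {
        ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S%.3f %:z")
    };
    time.format(if date_only { date_fmt } else { full_fmt }).to_string()
```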