diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 2138ab8e..121f514c 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -15,6 +15,8 @@ jobs:
steps:
- uses: actions/checkout@v2
+ with:
+ submodules: recursive
- uses: actions-rs/toolchain@v1
with:
toolchain: nightly
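Review bot: `submodules: recursive` at line 9 clones not only the pinned `rules` gitlink but every repository referenced by gitlinks nested inside it, so `submodules: true` is the tighter choice unless the rules repository is known to carry nested submodules the tests need. The checkout step itself is referenced by the floating tag `actions/checkout@v2` rather than a commit SHA, so what runs in CI is not fully reproducible from this file even though the `rules` content now is; pinning the action to a SHA with the tag in a trailing comment is the usual mitigation.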
diff --git a/README-Japanese.md b/README-Japanese.md
index 2358d790..d3745188 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -290,7 +290,7 @@ OPTIONS:
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
-* 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\config\noisy-rules.txt`にルールIDが書かれているルール)を有効にします:
+* 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv
@@ -413,9 +413,9 @@ Sigmaルールは、最初にHayabusaルール形式に変換する必要があ
ファイアウォールやIDSと同様に、シグネチャベースのツールは、環境に合わせて調整が必要になるため、特定のルールを永続的または一時的に除外する必要がある場合があります。
-ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `config/exclude-rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
+ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `rules\config\exclude_rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
-ルールIDを `config/noisy-rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
+ルールIDを `rules\config\noisy_rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
## イベントIDフィルタリング
diff --git a/README.md b/README.md
index 20d77918..5916a51e 100644
--- a/README.md
+++ b/README.md
@@ -286,7 +286,7 @@ OPTIONS:
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
-* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\config\noisy-rules.txt`):
+* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv
@@ -407,13 +407,13 @@ Sigma rules need to first be converted to hayabusa rule format explained [here](
Like firewalls and IDSes, any signature-based tool will require some tuning to fit your environment so you may need to permanently or temporarily exclude certain rules.
-You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `config/exclude-rules.txt` in order to ignore any rule that you do not need or cannot be used.
+You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `rules\config\exclude_rules.txt` in order to ignore any rule that you do not need or cannot be used.
-You can also add a rule ID to `config/noisy-rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
+You can also add a rule ID to `rules\config\noisy_rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
## Event ID filtering
-You can filter on event IDs by placing event ID numbers in `config/target_eventids.txt`.
+You can filter on event IDs by placing event ID numbers in `config\target_eventids.txt`.
This will increase performance so it is recommended if you only need to search for certain IDs.
We have provided a sample ID filter list at [`config/target_eventids_sample.txt`](https://github.com/Yamato-Security/hayabusa/blob/main/config/target_eventids_sample.txt) created from the `EventID` fields in all of the rules as well as IDs seen in actual results.
diff --git a/config/eventkey_alias.txt b/config/eventkey_alias.txt
deleted file mode 100644
index 68b4e57b..00000000
--- a/config/eventkey_alias.txt
+++ /dev/null
@@ -1,190 +0,0 @@
-AccessList,Event.EventData.AccessList
-AccessMask,Event.EventData.AccessMask
-Accesses,Event.EventData.Accesses
-AccountName,Event.EventData.AccountName
-Account_Name,Event.EventData.Account_Name
-AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
-AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
-AttributeValue,Event.EventData.AttributeValue
-AuditPolicyChanges,Event.EventData.AuditPolicyChanges
-AuditSourceName,Event.EventData.AuditSourceName
-AuthenticationPackageName,Event.EventData.AuthenticationPackageName
-CallTrace,Event.EventData.CallTrace
-CallerProcessName,Event.EventData.CallerProcessName
-Caller_Process_Name,Event.EventData.Caller_Process_Name
-CallingProcessName,Event.EventData.CallingProcessName
-CategoryName,Event.EventData.Category Name
-CertThumbprint,Event.EventData.CertThumbprint
-Channel,Event.System.Channel
-ClassName,Event.EventData.ClassName
-Client_Address,Event.EventData.Client_Address
-CommandLine,Event.EventData.CommandLine
-Company,Event.EventData.Company
-Computer,Event.System.Computer
-ComputerName,Event.System.Computer
-ContextInfo,Event.EventData.ContextInfo
-CurrentDirectory,Event.EventData.CurrentDirectory
-Description,Event.EventData.Description
-DestAddress,Event.EventData.DestAddress
-DestPort,Event.EventData.DestPort
-Destination,Event.EventData.Destination
-DestinationAddress,Event.EventData.DestinationAddress
-DestinationHostname,Event.EventData.DestinationHostname
-DestinationIp,Event.EventData.DestinationIp
-DestinationIsIpv6,Event.EventData.DestinationIsIpv6
-DestinationPort,Event.EventData.DestinationPort
-Details,Event.EventData.Details
-DetectionSource,Event.EventData.DetectionSource
-DetectionUser,Event.EventData.Detection User
-Device,Event.EventData.Device
-DeviceClassName,Event.EventData.DeviceClassName
-DeviceDescription,Event.EventData.DeviceDescription
-DeviceName,Event.EventData.DeviceName
-DomainName,Event.EventData.SubjectDomainName
-EngineVersion,Event.EventData.EngineVersion
-ErrorCode,Event.EventData.ErrorCode
-EventID,Event.System.EventID
-EventType,Event.EventData.EventType
-FailureCode,Event.EventData.FailureCode
-FilePath,Event.EventData.FilePath
-FileVersion,Event.EventData.FileVersion
-Filename,Event.EventData.Filename
-GrantedAccess,Event.EventData.GrantedAccess
-GroupName,Event.EventData.GroupName
-GroupSid,Event.EventData.GroupSid
-Hashes,Event.EventData.Hashes
-HiveName,Event.EventData.HiveName
-HostApplication,Event.EventData.HostApplication
-HostName,Event.EventData.HostName
-HostVersion,Event.EventData.HostVersion
-Image,Event.EventData.Image
-ImageLoaded,Event.EventData.ImageLoaded
-ImagePath,Event.EventData.ImagePath
-Imphash,Event.EventData.Hashes
-Initiated,Event.EventData.Initiated
-InstanceID,Event.UserData.UMDFHostDeviceArrivalBegin.InstanceId
-IntegrityLevel,Event.EventData.IntegrityLevel
-IpAddress,Event.EventData.IpAddress
-IpPort,Event.EventData.IpPort
-JobTitle,Event.EventData.name
-KeyLength,Event.EventData.KeyLength
-Keywords,Event.System.Keywords
-LDAPDisplayName,Event.EventData.LDAPDisplayName
-LayerRTID,Event.EventData.LayerRTID
-Level,Event.System.Level
-LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
-LogonId,Event.EventData.LogonId
-LogonProcessName,Event.EventData.LogonProcessName
-LogonType,Event.EventData.LogonType
-Logon_Account,Event.EventData.Logon_Account
-MachineName,Event.EventData.MachineName
-MemberName,Event.EventData.MemberName
-MemberSid,Event.EventData.MemberSid
-Message,Event.EventData
-NewName,Event.EventData.NewName
-NewTemplateContent, Event.EventData.NewTemplateContent
-NewUacValue,Event.EventData.NewUacValue
-NewValue,Event.EventData.NewValue
-New_Value,Event.EventData.New Value
-NewProcessName,Event.EventData.NewProcessName
-NewProcessId,Event.EventData.NewProcessId
-ObjectClass,Event.EventData.ObjectClass
-ObjectName,Event.EventData.ObjectName
-ObjectServer,Event.EventData.ObjectServer
-ObjectType,Event.EventData.ObjectType
-ObjectValueName,Event.EventData.ObjectValueName
-OldUacValue,Event.EventData.OldUacValue
-Origin,Event.EventData.Origin
-OriginalFileName,Event.EventData.OriginalFileName
-param1,Event.EventData.param1
-param2,Event.EventData.param2
-param3,Event.EventData.param3
-param4,Event.EventData.param4
-param5,Event.EventData.param5
-ParentCommandLine,Event.EventData.ParentCommandLine
-ParentImage,Event.EventData.ParentImage
-ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
-ParentProcessName,Event.EventData.ParentProcessName
-ParentUser,Event.EventData.ParentUser
-PasswordLastSet,Event.EventData.PasswordLastSet
-Path,Event.EventData.Path
-Payload,Event.EventData.Payload
-PipeName,Event.EventData.PipeName
-PreAuthType,Event.EventData.PreAuthType
-PrivilegeList,Event.EventData.PrivilegeList
-ProcessCommandLine,Event.EventData.ProcessCommandLine
-ProcessId,Event.EventData.ProcessId
-ProcessName,Event.EventData.ProcessName
-Product,Event.EventData.Product
-Properties,Event.EventData.Properties
-ProviderName,Event.System.Provider_Name
-Provider_Name,Event.System.Provider_Name
-QNAME,Event.EventData.QNAME
-QueryName,Event.EventData.QueryName
-QueryResults,Event.EventData.QueryResults
-QueryStatus,Event.EventData.QueryStatus
-RelativeTargetName,Event.EventData.RelativeTargetName
-RuleName,Event.EventData.RuleName
-SAMAccountName,Event.EventData.SamAccountName
-ScriptBlockText,Event.EventData.ScriptBlockText
-SearchFilter,Event.System.SearchFilter
-ServerName,Event.System.ServerName
-Service,Event.EventData.Service
-ServiceFileName,Event.EventData.ServiceFileName
-ServiceName,Event.EventData.ServiceName
-ServicePrincipalNames,Event.EventData.ServicePrincipalNames
-ServiceStartType,Event.EventData.ServiceStartType
-ServiceType,Event.EventData.ServiceType
-SeverityName,Event.EventData.Severity Name
-ShareLocalPath,Event.EventData.ShareLocalPath
-ShareName,Event.EventData.ShareName
-SidHistory,Event.EventData.SidHistory
-Signature,Event.EventData.Signature
-Signed,Event.EventData.Signed
-Source,Event.System.Provider_Name
-SourceAddress,Event.EventData.SourceAddress
-SourceImage,Event.EventData.SourceImage
-SourceNetworkAddress,Event.EventData.SourceNetworkAddress
-SourcePort,Event.EventData.SourcePort
-Source_Name,Event.EventData.Source Name
-Source_Network_Address,Event.EventData.Source_Network_Address
-Source_WorkStation,Event.EventData.Source_WorkStation
-StartAddress,Event.EventData.StartAddress
-StartFunction,Event.EventData.StartFunction
-StartModule,Event.EventData.StartModule
-StartType,Event.EventData.StartType
-State,Event.EventData.State
-Status,Event.EventData.Status
-SubStatus,Event.EventData.SubStatus
-SubjectDomainName,Event.EventData.SubjectDomainName
-SubjectLogonId,Event.EventData.SubjectLogonId
-SubjectUserName,Event.EventData.SubjectUserName
-SubjectUserSid,Event.EventData.SubjectUserSid
-TargetDomainName,Event.EventData.TargetDomainName
-TargetFilename,Event.EventData.TargetFilename
-TargetInfo,Event.EventData.TargetInfo
-TargetImage,Event.EventData.TargetImage
-TargetLogonId,Event.EventData.TargetLogonId
-TargetName,Event.EventData.TargetServerName
-TargetObject,Event.EventData.TargetObject
-TargetProcessAddress,Event.EventData.TargetProcessAddress
-TargetServerName,Event.EventData.TargetServerName
-TargetSid,Event.EventData.TargetSid
-TargetUserName,Event.EventData.TargetUserName
-TaskName,Event.EventData.TaskName
-TemplateContent,Event.EventData.TemplateContent
-ThreatName,Event.EventData.Threat Name
-TicketEncryptionType,Event.EventData.TicketEncryptionType
-TicketOptions,Event.EventData.TicketOptions
-Url,Event.EventData.url
-User,Event.EventData.User
-UserName,Event.EventData.UserName
-Value, Event.EventData.Value
-WindowsDefenderProcessName,Event.EventData.Process Name
-Workstation,Event.EventData.Workstation
-WorkstationName,Event.EventData.WorkstationName
-param1,Event.EventData.param1
-param2,Event.EventData.param2
-provider_Name,Event.EventData.Provider_Name
-service,Event.EventData.Service
-sha1,Event.EventData.Hashes_sha1
diff --git a/config/exclude-rules.txt b/config/exclude-rules.txt
deleted file mode 100644
index ed1d33a9..00000000
--- a/config/exclude-rules.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-# Cannot parse rule or generates errors:
-4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # "MSExchange Transport Agent Installation"
-b20f6158-9438-41be-83da-a5a16ac90c2b # "Rare Scheduled Task Creations"
-c92f1896-d1d2-43c3-92d5-7a5b35c217bb # "Possible Exploitation of Exchange RCE CVE-2021-42321"
-9f7aa113-9da6-4a8d-907c-5f1a4b908299 # "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
-
-# Replaced by Hayabusa rules
-c265cf08-3f99-46c1-8d59-328247057d57 # "User Added to Local Administrators"
-66b6be3d-55d0-4f47-9855-d69df21740ea # "Local User Creation"
-7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # "Hidden Local User Creation".
-
-# Disabled due to too many false positives:
-71158e3f-df67-472b-930e-7d287acaa3e1 # "Execution Of Not Existing File"
-c09dad97-1c78-4f71-b127-7edb2b8e491a # "Execution Of Other File Type Than .exe". Replaced with Hayabusa rule: 8d1487f1-7664-4bda-83b5-cb2f79491b6a
-1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 # "USB Device Plugged" False positives due to not filtering on provider properly.
-db809f10-56ce-4420-8c86-d6a7d793c79c # "Raw Disk Access Using Illegitimate Tools" Need to test if false positives lower when filtering on just sysmon logs.
-57b649ef-ff42-4fb0-8bf6-62da243a1708 # "Windows Defender Threat Detected" Replaced by Hayabusa rule.
-0eb2107b-a596-422e-b123-b389d5594ed7 # "Hurricane Panda Activity"
\ No newline at end of file
diff --git a/config/noisy-rules.txt b/config/noisy-rules.txt
deleted file mode 100644
index 1282e165..00000000
--- a/config/noisy-rules.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
-b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
-66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
-e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
-6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
-61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
-add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
-196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
-72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml
-dae8171c-5ec6-4396-b210-8466585b53e9 # "SCM Database Privileged Operation" Detects unprivelidged users attempting priv'd things. Can possible detect things like psexec but may have false positives and should probably be medium alert instead of critical.
\ No newline at end of file
diff --git a/config/regex/LOLBAS_commands.txt b/config/regex/LOLBAS_commands.txt
deleted file mode 100644
index 4a6c3d4a..00000000
--- a/config/regex/LOLBAS_commands.txt
+++ /dev/null
@@ -1,116 +0,0 @@
-.*(?i)AppInstaller.*
-.*(?i)Aspnet_Compiler.*
-.*(?i)At.*
-.*(?i)AtBroker.*
-.*(?i)Bash.*
-.*(?i)BitsAdmin.*
-.*(?i)CertOC.*
-.*(?i)CertReq.*
-.*(?i)CertUtil.*
-.*(?i)Cmd.*
-.*(?i)Cmdkey.*
-.*(?i)cmdl32.*
-.*(?i)Cmstp.*
-.*(?i)ConfigSecurityPolicy.*
-.*(?i)Control.*
-.*(?i)Csc.*
-.*(?i)Cscript.*
-.*(?i)DataSvcUtil.*
-.*(?i)DesktopImgDownldr.*
-.*(?i)DfSvc.*
-.*(?i)Diantz.*
-.*(?i)DiskShadow.*
-.*(?i)dllhost.*
-.*(?i)DnsCmd.*
-.*(?i)EsentUtl.*
-.*(?i)EventVwr.*
-.*(?i)Expand.*
-.*(?i)ExtExport.*
-.*(?i)Extrac32.*
-.*(?i)FindStr.*
-.*(?i)Finger.*
-.*(?i)FltMC.*
-.*(?i)ForFiles.*
-.*(?i)FTP.*
-.*(?i)GfxDownloadWrapper.*
-.*(?i)GpScript.*
-.*(?i)HH.*
-.*(?i)IMEWDBLD.*
-.*(?i)Ie4uInit.*
-.*(?i)IeExec.*
-.*(?i)ILASM.*
-.*(?i)InfDefaultInstall.*
-.*(?i)InstallUtil.*
-.*(?i)Jsc.*
-.*(?i)MakeCab.*
-.*(?i)MavInject.*
-.*(?i)Microsoft.Workflow.Compiler.*
-.*(?i)Mmc.*
-.*(?i)MpCmdRun.*
-.*(?i)Msbuild.*
-.*(?i)MsConfig.*
-.*(?i)Msdt.*
-.*(?i)Mshta.*
-.*(?i)MsiExec.*
-.*(?i)NetSh.*
-.*(?i)OdbcConf.*
-.*(?i)OfflineScannerShell.*
-.*(?i)OneDriveStandaloneUpdater.*
-.*(?i)Pcalua.*
-.*(?i)PcwRun.*
-.*(?i)PktMon.*
-.*(?i)PnpUtil.*
-.*(?i)PresentationHost.*
-.*(?i)Print.*
-.*(?i)PrintBrm.*
-.*(?i)Psr.*
-.*(?i)Rasautou.*
-.*(?i)Reg.*
-.*(?i)Regasm.*
-.*(?i)RegEdit.*
-.*(?i)RegIni.*
-.*(?i)Register-CimProvider.*
-.*(?i)RegSvcs.*
-.*(?i)RegSvr32.*
-.*(?i)Replace.*
-.*(?i)RpcPing.*
-.*(?i)RunDll32.*
-.*(?i)RunOnce.*
-.*(?i)RunScriptHelper.*
-.*(?i)Sc.*
-.*(?i)SchTasks.*
-.*(?i)ScriptRunner.*
-.*(?i)SettingSyncHost.*
-.*(?i)StorDiag.*
-.*(?i)SyncAppvPublishingServer.*
-.*(?i)TtdInject.*
-.*(?i)TtTracer.*
-.*(?i)VBC.*
-.*(?i)Verclsid.*
-.*(?i)ping.*
-.*(?i)ipconfig.*
-.*(?i)Wab.*
-.*(?i)Wmic.*
-.*(?i)WorkFolders.*
-.*(?i)Wscript.*
-.*(?i)WsReset.*
-.*(?i)Wuauclt.*
-.*(?i)Xwizard.*
-.*(?i)ADPlus.*
-.*(?i)AgentExecutor.*
-.*(?i)Appvlp.*
-.*(?i)Bginfo.*
-.*(?i)Cdb.*
-.*(?i)CoreGen.*
-.*(?i)CSI.*
-.*(?i)DefaultPack.*
-.*(?i)DevtoolsLauncher.*
-.*(?i)DNX.*
-.*(?i)Dotnet.*
-.*(?i)Dxcap.*
-.*(?i)NTDSUtil.*
-.*(?i)procdump.*
-.*(?i)psexec.*
-.*(?i)SqlDumper.*
-.*(?i)winrm.vbs.*
-.*(?i)powershell.*
\ No newline at end of file
diff --git a/config/regex/LOLBAS_paths.txt b/config/regex/LOLBAS_paths.txt
deleted file mode 100644
index bf641bf6..00000000
--- a/config/regex/LOLBAS_paths.txt
+++ /dev/null
@@ -1,118 +0,0 @@
-.*(?i)AppInstaller.exe$
-.*(?i)Aspnet_Compiler.exe$
-.*(?i)At.exe$
-.*(?i)AtBroker.exe$
-.*(?i)Bash.exe$
-.*(?i)BitsAdmin.exe$
-.*(?i)CertOC.exe$
-.*(?i)CertReq.exe$
-.*(?i)CertUtil.exe$
-.*(?i)Cmd.exe$
-.*(?i)Cmdkey.exe$
-.*(?i)cmdl32.exe$
-.*(?i)Cmstp.exe$
-.*(?i)ConfigSecurityPolicy.exe$
-.*(?i)Control.exe$
-.*(?i)Csc.exe$
-.*(?i)Cscript.exe$
-.*(?i)DataSvcUtil.exe$
-.*(?i)DesktopImgDownldr.exe$
-.*(?i)DfSvc.exe$
-.*(?i)Diantz.exe$
-.*(?i)DiskShadow.exe$
-.*(?i)dllhost.exe$
-.*(?i)DnsCmd.exe$
-.*(?i)EsentUtl.exe$
-.*(?i)EventVwr.exe$
-.*(?i)Expand.exe$
-.*(?i)ExtExport.exe$
-.*(?i)Extrac32.exe$
-.*(?i)FindStr.exe$
-.*(?i)Finger.exe$
-.*(?i)FltMC.exe$
-.*(?i)ForFiles.exe$
-.*(?i)FTP.exe$
-.*(?i)GfxDownloadWrapper.exe$
-.*(?i)GpScript.exe$
-.*(?i)HH.exe$
-.*(?i)IMEWDBLD.exe$
-.*(?i)Ie4uInit.exe$
-.*(?i)IeExec.exe$
-.*(?i)ILASM.exe$
-.*(?i)InfDefaultInstall.exe$
-.*(?i)InstallUtil.exe$
-.*(?i)Jsc.exe$
-.*(?i)MakeCab.exe$
-.*(?i)MavInject.exe$
-.*(?i)Microsoft.Workflow.Compiler.exe$
-.*(?i)Mmc.exe$
-.*(?i)MpCmdRun.exe$
-.*(?i)Msbuild.exe$
-.*(?i)MsConfig.exe$
-.*(?i)Msdt.exe$
-.*(?i)Mshta.exe$
-.*(?i)MsiExec.exe$
-.*(?i)NetSh.exe$
-.*(?i)OdbcConf.exe$
-.*(?i)OfflineScannerShell.exe$
-.*(?i)OneDriveStandaloneUpdater.exe$
-.*(?i)Pcalua.exe$
-.*(?i)PcwRun.exe$
-.*(?i)PktMon.exe$
-.*(?i)PnpUtil.exe$
-.*(?i)PresentationHost.exe$
-.*(?i)Print.exe$
-.*(?i)PrintBrm.exe$
-.*(?i)Psr.exe$
-.*(?i)Rasautou.exe$
-.*(?i)Reg.exe$
-.*(?i)Regasm.exe$
-.*(?i)RegEdit.exe$
-.*(?i)RegIni.exe$
-.*(?i)Register-CimProvider.exe$
-.*(?i)RegSvcs.exe$
-.*(?i)RegSvr32.exe$
-.*(?i)Replace.exe$
-.*(?i)RpcPing.exe$
-.*(?i)RunDll32.exe$
-.*(?i)RunOnce.exe$
-.*(?i)RunScriptHelper.exe$
-.*(?i)Sc.exe$
-.*(?i)SchTasks.exe$
-.*(?i)ScriptRunner.exe$
-.*(?i)SettingSyncHost.exe$
-.*(?i)StorDiag.exe$
-.*(?i)SyncAppvPublishingServer.exe$
-.*(?i)TtdInject.exe$
-.*(?i)TtTracer.exe$
-.*(?i)VBC.exe$
-.*(?i)Verclsid.exe$
-.*(?i)ping.exe$
-.*(?i)ipconfig.exe$
-.*(?i)Wab.exe$
-.*(?i)Wmic.exe$
-.*(?i)WorkFolders.exe$
-.*(?i)Wscript.exe$
-.*(?i)WsReset.exe$
-.*(?i)Wuauclt.exe$
-.*(?i)Xwizard.exe$
-.*(?i)ADPlus.exe$
-.*(?i)AgentExecutor.exe$
-.*(?i)Appvlp.exe$
-.*(?i)Bginfo.exe$
-.*(?i)Cdb.exe$
-.*(?i)CoreGen.exe$
-.*(?i)CSI.exe$
-.*(?i)DefaultPack.exe$
-.*(?i)DevtoolsLauncher.exe$
-.*(?i)DNX.exe$
-.*(?i)Dotnet.exe$
-.*(?i)Dxcap.exe$
-.*(?i)NTDSUtil.exe$
-.*(?i)procdump.exe$
-.*(?i)psexec.exe$
-.*(?i)SqlDumper.exe$
-.*(?i)winrm.vbs.exe$
-.*(?i)powershell.exe$
-.*(?i)xcopy.exe$
-.*(?i)RoboCopy.exe$
\ No newline at end of file
diff --git a/config/regex/allowlist_legitimate_services.txt b/config/regex/allowlist_legitimate_services.txt
deleted file mode 100644
index 4a160ef0..00000000
--- a/config/regex/allowlist_legitimate_services.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
-^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
diff --git a/config/regex/detectlist_suspicous_services.txt b/config/regex/detectlist_suspicous_services.txt
deleted file mode 100644
index 1d8f1570..00000000
--- a/config/regex/detectlist_suspicous_services.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
-powershell.*FromBase64String.*IO.Compression.GzipStream
-DownloadString\(.http
-.*(?i)mimikatz.*
-.*(?i)mimidvr.*
-Invoke-Mimikatz.ps
-PowerSploit.*ps1
-[a-zA-Z0-9/+=]{500}
-.*(?i)powershell.*
-.*(?i)cmd.*
-\\csc\.exe
-\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
-\\cvtres\.exe.*
-\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
-^[a-zA-Z]{22}$
-^[a-zA-Z]{16}$
\ No newline at end of file
diff --git a/config/regex/record_data_filter.txt b/config/regex/record_data_filter.txt
deleted file mode 100644
index 59584654..00000000
--- a/config/regex/record_data_filter.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-keyname,regex,replaced_str
-AccessMask,"[\r\n\t]+",
-Accesses,"[\r\n\t]+",
-AuditPolicyChanges,"[\r\n\t]+",
-SidHistory,"[\r\n\t]+",
-AccessList,"[\r\n\t]+",
-Properties,"[\r\n\t]+",
-ScriptBlockText,"[\r\n\t]+",
-Payload,"[\r\n\t]+",
\ No newline at end of file
diff --git a/doc/AboutRuleCreation-English.md b/doc/AboutRuleCreation-English.md
index 1561347b..1bc64963 100644
--- a/doc/AboutRuleCreation-English.md
+++ b/doc/AboutRuleCreation-English.md
@@ -52,7 +52,7 @@ ruletype: Hayabusa
> ## Alert section
* **title [required]**: Rule file title. This will also be the name of the alert that gets displayed so the briefer the better. (Should not be longer than 85 characters.)
* **title_jp** [optional]: The title in Japanese.
-* details [optional]: The details of the alert that gets displayed. Please output any fields in the Windows event log that are useful for analysis. Fields are seperated by `" : "` (two spaces on both sides). Field placeholders are enclosed with a `%` (Example: `%MemberName%`) and need to be defined in `config\eventkey_alias.txt`. (Explained below.)
+* details [optional]: The details of the alert that gets displayed. Please output any fields in the Windows event log that are useful for analysis. Fields are seperated by `" : "` (two spaces on both sides). Field placeholders are enclosed with a `%` (Example: `%MemberName%`) and need to be defined in `rules\config\eventkey_alias.txt`. (Explained below.)
* **details_jp** [optional]: The details message in Japanese.
* **description** [optional]: A description of the rule. This does not get displayed so you can make this long and detailed.
* **description_jp** [optional]: The description in Japanese.
@@ -153,7 +153,7 @@ The following is an excerpt of a Windows event log, formatted in the original XM
```
#### Eventkey Aliases
-Long eventkeys with many `.` seperations are common, so hayabusa will use aliases to make them easier to work with. Aliases are defined in the `config\eventkey_alias.txt` file. This file is a CSV file made up of `alias` and `event_key` mappings. You can rewrite the rule above as shown below with aliases making the rule easier to read.
+Long eventkeys with many `.` seperations are common, so hayabusa will use aliases to make them easier to work with. Aliases are defined in the `rules\config\eventkey_alias.txt` file. This file is a CSV file made up of `alias` and `event_key` mappings. You can rewrite the rule above as shown below with aliases making the rule easier to read.
```yaml
detection:
@@ -164,7 +164,7 @@ detection:
```
#### Caution: Undefined Eventkey Aliases
-Not all eventkey aliases are defined in `config\eventkey_alias.txt`. If you are not getting the correct data in the `details`(Alert details) message, and instead are getting results like `%EventID%` or if the selection in your detection logic is not working properly, then you need to update `config\eventkey_alias.txt` with a new alias.
+Not all eventkey aliases are defined in `rules\config\eventkey_alias.txt`. If you are not getting the correct data in the `details`(Alert details) message, and instead are getting results like `%EventID%` or if the selection in your detection logic is not working properly, then you need to update `rules\config\eventkey_alias.txt` with a new alias.
### How to use XML attributes in conditions
XML elements may have attributes set by adding a space to the element. For example, `Name` in `Provider Name` below is an XML attribute of the `Provider` element.
@@ -313,7 +313,7 @@ About escaping wildcards:
## Nesting keywords inside eventkeys
Eventkeys can be nested with specific keywords.
In the example below, the rule will match if the following are true:
-* `ServiceName` is called `malicious-service` or contains a regular expression in `./config/regex/detectlist_suspicous_services.txt`.
+* `ServiceName` is called `malicious-service` or contains a regular expression in `./rules/config/regex/detectlist_suspicous_services.txt`.
* `ImagePath` has a minimum of 1000 characters.
* `ImagePath` does not have any matches in the `allowlist`.
@@ -324,10 +324,10 @@ detection:
EventID: 7045
ServiceName:
- value: malicious-service
- - regexes: ./config/regex/detectlist_suspicous_services.txt
+ - regexes: ./rules/config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
- allowlist: ./config/regex/allowlist_legitimate_services.txt
+ allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
condition: selection
```
@@ -339,13 +339,13 @@ Currently, the following keywords can be specified:
### regexes and allowlist keywords
Hayabusa has two built-in regular expression files used for the `.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml` file:
-* `./config/regex/detectlist_suspicous_services.txt`: to detect suspicious service names
-* `./config/regex/allowlist_legitimate_services.txt`: to allow legitimate services
+* `./rules/config/regex/detectlist_suspicous_services.txt`: to detect suspicious service names
+* `./rules/config/regex/allowlist_legitimate_services.txt`: to allow legitimate services
Files defined in `regexes` and `allowlist` can be edited to change the behavior of all rules that reference them without having to change any rule file itself.
You can also use different detectlist and allowlist textfiles that you create.
-Please refer to the built-in `./config/regex/detectlist_suspicous_services.txt` and `./config/regex/allowlist_legitimate_services.txt` when creating your own.
+Please refer to the built-in `./rules/config/regex/detectlist_suspicous_services.txt` and `./rules/config/regex/allowlist_legitimate_services.txt` when creating your own.
## condition
With the notation we explained above, you can express `AND` and `OR` logic but it will be confusing if you are trying to define complex logic.
diff --git a/doc/AboutRuleCreation-Japanese.md b/doc/AboutRuleCreation-Japanese.md
index aabc47f3..6bdc4019 100644
--- a/doc/AboutRuleCreation-Japanese.md
+++ b/doc/AboutRuleCreation-Japanese.md
@@ -51,7 +51,7 @@ ruletype: Hayabusa
> ## アラートセクション
* **title [必須]**: ルールファイルのタイトル。これは表示されるアラートの名前にもなるので、簡潔であるほどよいです。(85文字以下でなければなりません。)
* **title_jp** [オプション]: 日本語のタイトルです。
-* **details** [オプション]: 表示されるアラートの詳細です。Windowsイベントログの中で解析に有効なフィールドがあれば出力してください。フィールドは `" : "` で区切られます(両側ともスペース2つ)。フィールドのプレースホルダは `%` で囲まれ (例: `%MemberName%`) 、`config_eventkey_alias.txt` で定義する必要があります。(以下で説明します)
+* **details** [オプション]: 表示されるアラートの詳細です。Windowsイベントログの中で解析に有効なフィールドがあれば出力してください。フィールドは `" : "` で区切られます(両側ともスペース2つ)。フィールドのプレースホルダは `%` で囲まれ (例: `%MemberName%`) 、`rules\config\eventkey_alias.txt` で定義する必要があります。(以下で説明します)
* **details_jp** [オプション]: 日本語の出力メッセージ。
* **description** [オプション]: ルールの説明。これは表示されないので、長く詳細に記述することができます。
* **description_jp** [オプション]: 日本語の説明文です。
@@ -157,7 +157,7 @@ WindowsイベントログをXML形式で出力すると下記のようになり
`System`
#### イベントキーエイリアス
-`.`の区切りが多くて長いイベントキーが一般的であるため、Hayabusaはエイリアスを使って簡単に扱えるようにします。エイリアスは `config\eventkey_alias.txt`ファイルで定義されています。このファイルは `alias` と `event_key` のマッピングで構成されるCSVファイルです。以下に示すように、エイリアスを使用して上記のルールを書き直し、ルールを読みやすくすることができます。
+`.`の区切りが多くて長いイベントキーが一般的であるため、Hayabusaはエイリアスを使って簡単に扱えるようにします。エイリアスは `rules\config\eventkey_alias.txt`ファイルで定義されています。このファイルは `alias` と `event_key` のマッピングで構成されるCSVファイルです。以下に示すように、エイリアスを使用して上記のルールを書き直し、ルールを読みやすくすることができます。
```yaml
detection:
@@ -168,7 +168,7 @@ detection:
```
#### 注意: 未定義のイベントキーエイリアスについて
-すべてのイベントキーエイリアスが `config\eventkey_alias.txt`に定義されているわけではありません。検知するはずのルールが検知しない場合や、`details`(アラートの詳細)メッセージに`%EventID%`のようなプレースホルダーが表示されている場合、`config\eventkey_alias.txt`の設定を確認してください。
+すべてのイベントキーエイリアスが `rules\config\eventkey_alias.txt`に定義されているわけではありません。検知するはずのルールが検知しない場合や、`details`(アラートの詳細)メッセージに`%EventID%`のようなプレースホルダーが表示されている場合、`rules\config\eventkey_alias.txt`の設定を確認してください。
### XML属性を条件に使用する方法
XMLのタグにはタグ名とは別に属性を設定できます。例えば、以下の `Provider Name` の `Name` は `Provider` タグの属性です。
@@ -325,10 +325,10 @@ detection:
EventID: 7045
ServiceName:
- value: malicious-service
- - regexes: ./config/regex/detectlist_suspicous_services.txt
+ - regexes: ./rules/config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
- allowlist: ./config/regex/allowlist_legitimate_services.txt
+ allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
condition: selection
```
@@ -340,13 +340,13 @@ detection:
### regexesとallowlistキーワード
Hayabusaに`.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml`のルールのために使う2つの正規表現ファイルが用意されています。
-* `./config/regex/detectlist_suspicous_services.txt`: 怪しいサービス名を検知するためのものです。
-* `./config/regex/allowlist_legitimate_services.txt`: 正規のサービスを許可するためのものです。
+* `./rules/config/regex/detectlist_suspicous_services.txt`: 怪しいサービス名を検知するためのものです。
+* `./rules/config/regex/allowlist_legitimate_services.txt`: 正規のサービスを許可するためのものです。
`regexes` と `allowlist` で定義されたファイルの正規表現を変更すると、それらを参照するすべてのルールの動作を一度に変更できます。
また、`regexes` と `allowlist` にはユーザーが独自で作成したファイルを指定することも可能です。
-デフォルトの `./config/detectlist_suspicous_services.txt` と `./config/allowlist_legitimate_services.txt` を参考にして、独自のファイルを作成してください。
+デフォルトの `./rules/config/detectlist_suspicous_services.txt` と `./rules/config/allowlist_legitimate_services.txt` を参考にして、独自のファイルを作成してください。
## condition (条件)
これまで説明した記法では簡単な`AND`や`OR`であれば表現可能ですが、複雑な条件は定義できません。そのような場合、`condition` キーワードを使用します。
diff --git a/rules b/rules
index 6b65c0ad..6d9781e3 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit 6b65c0ad777155659f49bde660e685662d05e2aa
+Subproject commit 6d9781e349ef3a9f8210a758b52f0c59d6e7e37b
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 7d2ba00c..59e76bb7 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -19,7 +19,7 @@ lazy_static! {
return levelmap;
};
pub static ref EVENTKEY_ALIAS: EventKeyAliasConfig =
- load_eventkey_alias("config/eventkey_alias.txt");
+ load_eventkey_alias("./rules/config/eventkey_alias.txt");
}
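Review bot: The `./rules/config` prefix written at line 714 is also hard-coded separately in filter.rs (the `record_data_filter.txt`, `noisy_rules.txt` and `exclude_rules.txt` literals), so the next relocation of the submodule's config directory means touching every site again. A single `pub const RULES_CONFIG_DIR: &str = "./rules/config";` next to these statics, with the call sites built via `format!("{}/eventkey_alias.txt", RULES_CONFIG_DIR)` or `Path::join`, keeps them in step. The path is resolved against the process working directory rather than the executable location, so running hayabusa from another directory, or from a clone where `git submodule update --init` was not run, fails on first use of `EVENTKEY_ALIAS`; how `load_eventkey_alias` reacts to a missing file is not visible in this hunk. The `lazy_static!` block starts before the hunk.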
#[derive(Clone)]
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index 4a72914c..7a3af9f8 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -504,8 +504,8 @@ mod tests {
- ホスト アプリケーション
ImagePath:
min_length: 1234321
- regexes: ./config/regex/detectlist_suspicous_services.txt
- allowlist: ./config/regex/allowlist_legitimate_services.txt
+ regexes: ./rules/config/regex/detectlist_suspicous_services.txt
+ allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
falsepositives:
- unknown
level: medium
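Review bot: The fixture paths at lines 727–728 now read regex files out of the `rules` submodule, so this test (and the ones at the 1092, 1126 and 1160 hunks, plus `test_check_regex` and `test_check_allowlist` in utils.rs) fails with a file-not-found error on a clone whose submodule was not initialised, and its outcome changes whenever the submodule commit is bumped and the upstream lists are edited. Copying the two regex files into an in-repo test fixture directory (e.g. `<FIXTURE_DIR>/detectlist_suspicous_services.txt`, a placeholder for whatever test-data directory the project uses) and pointing the YAML at that keeps the tests self-contained and deterministic. The enclosing test function starts before the hunk.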
@@ -1092,7 +1092,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- - allowlist: ./config/regex/allowlist_legitimate_services.txt
+ - allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1126,7 +1126,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- - allowlist: ./config/regex/allowlist_legitimate_services.txt
+ - allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
@@ -1160,7 +1160,7 @@ mod tests {
selection:
EventID: 4103
Channel:
- - allowlist: ./config/regex/allowlist_legitimate_services.txt
+ - allowlist: ./rules/config/regex/allowlist_legitimate_services.txt
details: 'command=%CommandLine%'
"#;
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 3cd173dd..225b673d 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -267,7 +267,7 @@ mod tests {
#[test]
fn test_check_regex() {
- let regexes = utils::read_txt("./config/regex/detectlist_suspicous_services.txt")
+ let regexes = utils::read_txt("./rules/config/regex/detectlist_suspicous_services.txt")
.unwrap()
.into_iter()
.map(|regex_str| Regex::new(®ex_str).unwrap())
@@ -282,7 +282,7 @@ mod tests {
#[test]
fn test_check_allowlist() {
let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
- let allowlist = utils::read_txt("./config/regex/allowlist_legitimate_services.txt")
+ let allowlist = utils::read_txt("./rules/config/regex/allowlist_legitimate_services.txt")
.unwrap()
.into_iter()
.map(|allow_str| Regex::new(&allow_str).unwrap())
diff --git a/src/filter.rs b/src/filter.rs
index 6649cd4a..50839fde 100644
--- a/src/filter.rs
+++ b/src/filter.rs
@@ -24,7 +24,7 @@ pub struct DataFilterRule {
}
fn load_record_filters() -> HashMap {
- let file_path = "config/regex/record_data_filter.txt";
+ let file_path = "./rules/config/regex/record_data_filter.txt";
let read_result = utils::read_csv(file_path);
let mut ret = HashMap::new();
if read_result.is_err() {
@@ -104,10 +104,10 @@ pub fn exclude_ids() -> RuleExclude {
.args
.is_present("enable-noisy-rules")
{
- exclude_ids.insert_ids("config/noisy-rules.txt");
+ exclude_ids.insert_ids("./rules/config/noisy_rules.txt");
};
- exclude_ids.insert_ids("config/exclude-rules.txt");
+ exclude_ids.insert_ids("./rules/config/exclude_rules.txt");
return exclude_ids;
}
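Review bot: The exclusion lists read at lines 794 and 797 now live inside the `rules` submodule, yet the README in this same commit still tells users to add their own rule IDs to `rules\config\exclude_rules.txt` and `rules\config\noisy_rules.txt` for per-environment tuning; edits inside a submodule are lost or leave the submodule dirty on the next `git submodule update`, and the customisations in the `config/exclude-rules.txt` deleted here are not migrated. Consider a user-owned override file outside the submodule (for example `config/exclude_rules.txt`, a constructed name, merged after the submodule's list) or at least documenting that such edits belong in the rules repository. What `insert_ids` does when the file is absent is not visible here; if it only logs, an uninitialised submodule silently re-enables every rule the upstream exclusion list suppresses.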
diff --git a/src/yaml.rs b/src/yaml.rs
index 5e4bc087..2458df6a 100644
--- a/src/yaml.rs
+++ b/src/yaml.rs
@@ -67,6 +67,7 @@ impl ParseYaml {
.unwrap()
.push(format!("[ERROR] {}", errmsg));
}
+ return io::Result::Ok(String::default());
}
let mut yaml_docs = vec![];
if metadata.unwrap().file_type().is_file() {
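Review bot: The `return io::Result::Ok(String::default());` added at line 808 turns a failed `metadata` lookup (typically a rules path that does not exist, such as an uninitialised `rules` submodule) into a successful, empty result, so the caller cannot tell "no rules found" from "the rules directory could not be read" and a scan may run with zero detection rules while only an `[ERROR]` line sits in the message list. If `metadata` is an `io::Result`, returning its error (`return Err(metadata.unwrap_err());`) after logging lets the caller decide whether an unreadable rules directory is fatal; if an `Ok` return is the intended contract, the shorter `return Ok(String::new());` reads better and deserves a comment stating that the error is reported only via the message list. The enclosing method starts before the hunk, and the `metadata.unwrap()` on line 811 is what the early return guards.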