diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 3e472a16..16ef0337 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,6 +1,6 @@ # 変更点 -## v1.4.2 [2022/07/XX] +## v1.4.2 [2022/07/24] **改善:** @@ -10,7 +10,7 @@ **バグ修正:** -- cargo runコマンドでhayabusaを実行するとconfigフォルダの読み込みエラーが発生する問題を修正した。 (#618) (@hitenkoku) +- `cargo run`コマンドでhayabusaを実行するとconfigフォルダの読み込みエラーが発生する問題を修正した。 (#618) (@hitenkoku) ## v1.4.1 [2022/06/30] diff --git a/CHANGELOG.md b/CHANGELOG.md index 8853df37..9f822bf4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,12 @@ # Changes -## v1.4.2 [2022/07/XX] +## v1.4.2 [2022/07/24] **Enhancements:** - You can now update rules to a custom directory by combining the `--update-rules` and `--rules` options. (#615) (@hitenkoku) - Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn) -- The `.yml` rule path (changed from RulePath to RuleFile) saved with `-o` now outputs to decrease memory usage and file size. (#623) (@hitenkoku) +- When saving files with `-o`, the `.yml` detection rule path column changed from `RulePath` to `RuleFile` and only the rule file name will be saved in order to decrease file size. (#623) (@hitenkoku) **Bug Fixes:** diff --git a/Cargo.lock b/Cargo.lock index 22da4f7d..0122299a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -220,9 +220,9 @@ dependencies = [ [[package]] name = "clap" -version = "3.2.12" +version = "3.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab8b79fe3946ceb4a0b1c080b4018992b8d27e9ff363644c1c9b6387c854614d" +checksum = "54635806b078b7925d6e36810b1755f2a4b5b4d57560432c1ecf60bcbe10602b" dependencies = [ "atty", "bitflags", @@ -295,9 +295,9 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.5" +version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c02a4d71819009c192cf4872265391563fd6a84c81ff2c0f2a7026ca4c1d85c" +checksum = "c2dd04ddaf88237dc3b8d8f9a3c1004b506b54b3313403944054d23c0870c521" dependencies = [ "cfg-if", "crossbeam-utils", @@ -305,9 +305,9 @@ dependencies = [ [[package]] name = "crossbeam-deque" -version = "0.8.1" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6455c0ca19f0d2fbf751b908d5c55c1f5cbc65e03c4225427254b46890bdde1e" +checksum = "715e8152b692bba2d374b53d4875445368fdf21a94751410af607a5ac677d1fc" dependencies = [ "cfg-if", "crossbeam-epoch", @@ -316,9 +316,9 @@ dependencies = [ [[package]] name = "crossbeam-epoch" -version = "0.9.9" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07db9d94cbd326813772c968ccd25999e5f8ae22f4f8d1b11effa37ef6ce281d" +checksum = "045ebe27666471bb549370b4b0b3e51b07f56325befa4284db65fc89c02511b1" dependencies = [ "autocfg", "cfg-if", @@ -330,9 +330,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.10" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d82ee10ce34d7bc12c2122495e7593a9c41347ecdd64185af4ecf72cb1a7f83" +checksum = "51887d4adc7b564537b15adcfb307936f8075dfcd5f00dde9a9f1d29383682bc" dependencies = [ "cfg-if", "once_cell", @@ -529,7 +529,7 @@ dependencies = [ [[package]] name = "evtx" version = "0.7.3" -source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#8c3a7927d88972424574d1473ada5b76c8e98269" +source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#1f873e3a7042185c0079b4b52d9eb34540dcf5f1" dependencies = [ "anyhow", "bitflags", @@ -706,12 +706,12 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.4.2-dev" +version = "1.4.2" dependencies = [ "base64", "bytesize", "chrono", - "clap 3.2.12", + "clap 3.2.14", "crossbeam-utils", "csv", "dashmap", @@ -964,7 +964,7 @@ dependencies = [ "anyhow", "atty", "chrono", - "clap 3.2.12", + "clap 3.2.14", "file-chunker", "indicatif", "memmap2", @@ -1241,7 +1241,7 @@ checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.2.13", + "redox_syscall 0.2.15", "smallvec", "windows-sys", ] @@ -1409,9 +1409,9 @@ checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" [[package]] name = "redox_syscall" -version = "0.2.13" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42" +checksum = "534cfe58d6a18cc17120fbf4635d53d14691c1fe4d951064df9bd326178d7d5a" dependencies = [ "bitflags", ] @@ -1561,18 +1561,18 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" [[package]] name = "serde" -version = "1.0.139" +version = "1.0.140" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0171ebb889e45aa68b44aee0859b3eede84c6f5f5c228e6f140c0b2a0a46cad6" +checksum = "fc855a42c7967b7c369eb5860f7164ef1f6f81c20c7cc1141f2a604e18723b03" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.139" +version = "1.0.140" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc1d3230c1de7932af58ad8ffbe1d784bd55efd5a9d84ac24f69c72d83543dfb" +checksum = "6f2122636b9fe3b81f1cb25099fcf2d3f542cdb1d45940d56c713158884a05da" dependencies = [ "proc-macro2", "quote", @@ -1752,7 +1752,7 @@ dependencies = [ "cfg-if", "fastrand", "libc", - "redox_syscall 0.2.13", + "redox_syscall 0.2.15", "remove_dir_all", "winapi", ] @@ -2222,6 +2222,6 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.5.6" +version = "1.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "20b578acffd8516a6c3f2a1bdefc1ec37e547bb4e0fb8b6b01a4cafc886b4442" +checksum = "c394b5bd0c6f669e7275d9c20aa90ae064cb22e75a1cad54e1b34088034b149f" diff --git a/Cargo.toml b/Cargo.toml index 9be76e07..82aca364 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.4.2-dev" +version = "1.4.2" authors = ["Yamato Security @SecurityYamato"] edition = "2021" diff --git a/README-1.4.1-Japanese.pdf b/README-1.4.2-Japanese.pdf similarity index 94% rename from README-1.4.1-Japanese.pdf rename to README-1.4.2-Japanese.pdf index e13ba510..cc564cd0 100644 Binary files a/README-1.4.1-Japanese.pdf and b/README-1.4.2-Japanese.pdf differ diff --git a/README-1.4.1.pdf b/README-1.4.2.pdf similarity index 94% rename from README-1.4.1.pdf rename to README-1.4.2.pdf index a5d4c8a7..2fea35e2 100644 Binary files a/README-1.4.1.pdf and b/README-1.4.2.pdf differ diff --git a/README-Japanese.md b/README-Japanese.md index b0ea5a95..ca8be3eb 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -182,7 +182,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.4.1-win-x64.exe -u +hayabusa-1.4.2-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -267,20 +267,20 @@ Windows PC起動後の初回実行時に時間がかかる場合があります コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.4.1-windows-x64.exe` +例: `hayabusa-1.4.2-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.4.1-linux-x64-gnu +chmod +x ./hayabusa-1.4.2-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.4.1-linux-x64-gnu +./hayabusa-1.4.2-linux-x64-gnu ``` ## macOS @@ -288,13 +288,13 @@ chmod +x ./hayabusa-1.4.1-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.4.1-mac-intel +chmod +x ./hayabusa-1.4.2-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.4.1-mac-intel +./hayabusa-1.4.2-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -308,7 +308,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.4.1-mac-intel +./hayabusa-1.4.2-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 @@ -370,79 +370,79 @@ OPTIONS: * 1つのWindowsイベントログファイルに対してHayabusaを実行します: ```bash -hayabusa-1.4.1-win-x64.exe -f eventlog.evtx +hayabusa-1.4.2-win-x64.exe -f eventlog.evtx ``` * 複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます(注意: `-F`を有効にすると、出力するファイルのサイズがとても大きくなります!): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Hayabusaルールのみを実行します(デフォルトでは `-r .\rules` にあるすべてのルールが利用されます): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行します: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行します: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知します: ```bash -hayabusa-1.4.1-win-x64.exe -l -m low +hayabusa-1.4.2-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成します(結果は結果毎に`keywords-Ip Address.txt`や`keywords-Users.txt`等に出力されます): ```bash -hayabusa-1.4.1-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.4.2-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を取得します: ```bash -hayabusa-1.4.1-win-x64.exe -f Security.evtx -s +hayabusa-1.4.2-win-x64.exe -f Security.evtx -s ``` * 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -661,7 +661,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.4.1-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.4.2-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: @@ -674,7 +674,7 @@ id,new_level ## イベントIDフィルタリング -バージョン1.4.1以降では、デフォルトでパフォーマンスを上げるために、検知ルールでイベントIDが定義されていないイベントを無視しています。 +バージョン1.4.2以降では、デフォルトでパフォーマンスを上げるために、検知ルールでイベントIDが定義されていないイベントを無視しています。 デフォルトでは`./rules/config/target_event_IDs.txt`で定義されたIDがスキャンされます。 If you want to scan all events, please use the `-D, --deep-scan` option. すべてのイベントをスキャンしたい場合は、`-D, --deep-scan`オプションを使用してください。 diff --git a/README.md b/README.md index 44b9753c..1d0cf412 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.4.1-win-x64.exe -u +hayabusa-1.4.2-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -263,20 +263,20 @@ You may experience slow runtime especially on the first run after a reboot due t In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary. -Example: `hayabusa-1.4.1-windows-x64.exe` +Example: `hayabusa-1.4.2-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.4.1-linux-x64-gnu +chmod +x ./hayabusa-1.4.2-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.4.1-linux-x64-gnu +./hayabusa-1.4.2-linux-x64-gnu ``` ## macOS @@ -284,13 +284,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.4.1-mac-intel +chmod +x ./hayabusa-1.4.2-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.4.1-mac-intel +./hayabusa-1.4.2-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -304,7 +304,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.4.1-mac-intel +./hayabusa-1.4.2-mac-intel ``` The following warning will pop up, so please click "Open". @@ -366,79 +366,79 @@ OPTIONS: * Run hayabusa against one Windows event log file: ```bash -hayabusa-1.4.1-win-x64.exe -f eventlog.evtx +hayabusa-1.4.2-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information (Warning: your file output size will become much larger with `-F` enabled!): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.4.1-win-x64.exe -l -m low +hayabusa-1.4.2-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.4.1-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.4.2-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID statistics: ```bash -hayabusa-1.4.1-win-x64.exe -f Security.evtx -s +hayabusa-1.4.2-win-x64.exe -f Security.evtx -s ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.4.1-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: @@ -657,7 +657,7 @@ You can also add a rule ID to `./rules/config/noisy_rules.txt` in order to ignor Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.4.1-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.4.2-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: @@ -671,7 +671,7 @@ In this case, the risk level of the rule with an `id` of `00000000-0000-0000-000 ## Event ID Filtering -As of version 1.4.1, by default, events are filtered by ID to improve performance by ignorning events that have no detection rules. +As of version 1.4.2, by default, events are filtered by ID to improve performance by ignorning events that have no detection rules. The IDs defined in `./rules/config/target_event_IDs.txt` will be scanned by default. If you want to scan all events, please use the `-D, --deep-scan` option. diff --git a/rules b/rules index cf1ea8fd..7be684d2 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit cf1ea8fd0dd1ed3d09ac2961980350635911e53c +Subproject commit 7be684d206203683fa190f23158a78079f310925