Merge branch 'main' into 651-organize-menu

This commit is contained in:
DastInDark
2022-08-10 02:42:50 +09:00
8 changed files with 56 additions and 11 deletions

3
.gitignore vendored

@@ -5,4 +5,5 @@
.DS_Store
test_*
.env
/logs
/logs
*.csv


@@ -10,6 +10,7 @@
- ルールのアップデート機能のルールパスの出力から./を削除した。 (#642) (@hitenkoku)
- MITRE ATT&CK関連のタグとその他タグを出力するための出力用のエイリアスを追加した。 (#637) (@hitenkoku)
- 結果概要の数値をカンマをつけて見やすくした。 (#649) (@hitenkoku)
- メニューを使いやすいようにグループ化した。 (#651) (@YamatoSecurity and @hitenkoku)
**バグ修正:**


@@ -10,6 +10,7 @@
- Removed ./ from rule path when updating. (#642) (@hitenkoku)
- Added new output alias for MITRE ATT&CK tags and other tags. (#637) (@hitenkoku)
- Changed output summary numbers from without commas to with commas. (#649) (@hitenkoku)
- Organized menu (#651) (@YamatoSecurity and @hitenkoku)
**Bug Fixes:**

28
Cargo.lock generated

@@ -49,6 +49,15 @@ version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544"
[[package]]
name = "arrayvec"
version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cd9fd44efafa8690358b7408d253adf110036b88f55672a933f01d616ad9b1b9"
dependencies = [
"nodrop",
]
[[package]]
name = "arrayvec"
version = "0.5.2"
@@ -97,7 +106,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "afa748e348ad3be8263be728124b24a24f268266f6f5d58af9d75f6a40b5c587"
dependencies = [
"arrayref",
"arrayvec",
"arrayvec 0.5.2",
"constant_time_eq",
]
@@ -728,6 +737,7 @@ dependencies = [
"lazy_static",
"linked-hash-map",
"lock_api",
"num-format",
"num_cpus",
"openssl",
"pbr",
@@ -1109,6 +1119,12 @@ dependencies = [
"windows-sys",
]
[[package]]
name = "nodrop"
version = "0.1.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72ef4a56884ca558e5ddb05a1d1e7e1bfd9a68d9ed024c21704cc98872dae1bb"
[[package]]
name = "num-derive"
version = "0.3.3"
@@ -1120,6 +1136,16 @@ dependencies = [
"syn",
]
[[package]]
name = "num-format"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bafe4179722c2894288ee77a9f044f02811c86af699344c498b0840c698a2465"
dependencies = [
"arrayvec 0.4.12",
"itoa 0.4.8",
]
[[package]]
name = "num-integer"
version = "0.1.45"


@@ -37,6 +37,7 @@ bytesize = "1.*"
hyper = "0.14.*"
lock_api = "0.4.*"
crossbeam-utils = "0.8.*"
num-format = "*"
[build-dependencies]
static_vcruntime = "2.*"
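Review bot: `num-format = "*"` on the added line is the only unbounded version requirement in this block; the neighbouring entries (`hyper = "0.14.*"`, `lock_api = "0.4.*"`, `crossbeam-utils = "0.8.*"`, `static_vcruntime = "2.*"`) all cap the major version. A wildcard lets a routine `cargo update` resolve a future breaking release of the crate without anyone reviewing it, and `cargo publish` refuses manifests with a `*` dependency. Pinning to the minor that the lockfile actually resolved, `num-format = "0.4.*"` (Cargo.lock in this commit records 0.4.0), keeps today's build identical while bounding what can be pulled in. The lockfile also shows this crate bringing a second `arrayvec` (0.4.12 alongside the existing 0.5.2) plus `nodrop`; it may be worth checking whether a later 0.4.x release of num-format avoids that duplicate before the dependency settles in.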


@@ -90,7 +90,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)
### スレット(脅威)ハンティングと企業向けの広範囲なDFIR
Hayabusaには現在、2300以上のSigmaルールと130以上のHayabusa検知ルールがあり、定期的にルールが追加されています。
[Velociraptor](https://docs.velociraptor.app/)の[Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/)を用いることで企業向けの広範囲なスレットハンティングだけでなくDFIR(デジタルフォレンジックとインシデントレスポンス)にも無料で利用することが可能です。この2つのオープンソースを組み合わせることで、SIEMが設定されていない環境でも実質的に遡及してSIEMを再現することができます。具体的な方法は[Eric Cupuano](https://twitter.com/eric_capuano)の[こちら](https://www.youtube.com/watch?v=Q1IoGX--814)の動画で学ぶことができます。
[Velociraptor](https://docs.velociraptor.app/)の[Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/)を用いることで企業向けの広範囲なスレットハンティングだけでなくDFIR(デジタルフォレンジックとインシデントレスポンス)にも無料で利用することが可能です。この2つのオープンソースを組み合わせることで、SIEMが設定されていない環境でも実質的に遡及してSIEMを再現することができます。具体的な方法は[Eric Capuano](https://twitter.com/eric_capuano)の[こちら](https://www.youtube.com/watch?v=Q1IoGX--814)の動画で学ぶことができます。
最終的な目標はインシデントレスポンスや定期的なスレットハンティングのために、HayabusaエージェントをすべてのWindows端末にインストールして、中央サーバーにアラートを返す仕組みを作ることです。
### フォレンジックタイムラインの高速生成


@@ -88,7 +88,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre
### Threat Hunting and Enterprise-wide DFIR
Hayabusa currently has over 2400 Sigma rules and over 130 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with [Velociraptor](https://docs.velociraptor.app/)'s [Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/). By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching [Eric Cupuano](https://twitter.com/eric_capuano)'s Velociraptor walkthrough [here](https://www.youtube.com/watch?v=Q1IoGX--814).
Hayabusa currently has over 2400 Sigma rules and over 130 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with [Velociraptor](https://docs.velociraptor.app/)'s [Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/). By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching [Eric Capuano](https://twitter.com/eric_capuano)'s Velociraptor walkthrough [here](https://www.youtube.com/watch?v=Q1IoGX--814).
### Fast Forensics Timeline Generation
@@ -799,4 +799,4 @@ Hayabusa is released under [GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html)
# Twitter
You can recieve the latest news about Hayabusa, rule updates, other Yamato Security tools, etc... by following us on Twitter at [@SecurityYamato](https://twitter.com/SecurityYamato).
You can recieve the latest news about Hayabusa, rule updates, other Yamato Security tools, etc... by following us on Twitter at [@SecurityYamato](https://twitter.com/SecurityYamato).


@@ -14,6 +14,7 @@ use lazy_static::lazy_static;
use linked_hash_map::LinkedHashMap;
use hashbrown::{HashMap, HashSet};
use num_format::{Locale, ToFormattedString};
use std::cmp::min;
use std::error::Error;
@@ -334,7 +335,10 @@ fn emit_csv<W: std::io::Write>(
write_color_buffer(
&disp_wtr,
get_writable_color(None),
&format!("Total events: {}", all_record_cnt),
&format!(
"Total events: {}",
all_record_cnt.to_formatted_string(&Locale::en)
),
true,
)
.ok();
@@ -343,7 +347,8 @@ fn emit_csv<W: std::io::Write>(
get_writable_color(None),
&format!(
"Data reduction: {} events ({:.2}%)",
reducted_record_cnt, reducted_percent
reducted_record_cnt.to_formatted_string(&Locale::en),
reducted_percent
),
true,
)
@@ -440,7 +445,10 @@ fn _print_unique_results(
"{} {}: {}",
head_word,
tail_word,
counts_by_level.iter().sum::<u128>(),
counts_by_level
.iter()
.sum::<u128>()
.to_formatted_string(&Locale::en),
),
true,
)
@@ -452,7 +460,10 @@ fn _print_unique_results(
}
let output_raw_str = format!(
"{} {} {}: {}",
head_word, level_name, tail_word, counts_by_level[i]
head_word,
level_name,
tail_word,
counts_by_level[i].to_formatted_string(&Locale::en)
);
write_color_buffer(
&BufferWriter::stdout(ColorChoice::Always),
@@ -482,7 +493,7 @@ fn _print_detection_summary_by_date(
for (date, cnt) in detections_by_day {
if cnt > &tmp_cnt {
exist_max_data = true;
max_detect_str = format!("{} ({})", date, cnt);
max_detect_str = format!("{} ({})", date, cnt.to_formatted_string(&Locale::en));
tmp_cnt = *cnt;
}
}
@@ -527,7 +538,11 @@ fn _print_detection_summary_by_computer(
sorted_detections.sort_by(|a, b| (-a.1).cmp(&(-b.1)));
for x in sorted_detections.iter().take(5) {
result_vec.push(format!("{} ({})", x.0, x.1));
result_vec.push(format!(
"{} ({})",
x.0,
x.1.to_formatted_string(&Locale::en)
));
}
let result_str = if result_vec.is_empty() {
"n/a".to_string()
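Review bot: `&Locale::en` is written out at six separate call sites across these hunks (the Total events and Data reduction lines in `emit_csv`, both counters in `_print_unique_results`, the by-date and the by-computer summaries), so the thousands-separator policy now lives in six places instead of one. A small private helper next to the new import would keep it in one place, e.g. `fn fmt_count<T: ToFormattedString>(n: &T) -> String { n.to_formatted_string(&Locale::en) }`, with the call sites becoming `fmt_count(&all_record_cnt)`, `fmt_count(cnt)`, `fmt_count(&x.1)` and so on. The helper deserves a one-line comment that the locale is deliberately fixed to `en` so summary output is byte-identical regardless of the user's system locale, which appears to be the intent of #649 per the changelog. The enclosing functions (`emit_csv`, `_print_unique_results`, `_print_detection_summary_by_date`, `_print_detection_summary_by_computer`) all start outside the hunks shown here.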