diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 70a36b54..4b4d1180 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,6 +1,6 @@ # 変更点 -## 1.7.1 [2022/xx/xx] +## 1.7.1 [2022/10/10] **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c24eb1c..c15a1612 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,13 @@ # Changes -## 1.7.1 [2022/xx/xx] +## 1.7.1 [2022/10/10] **Enhancements:** - Hayabusa now checks Channel and EID information based on `rules/config/channel_eid_info.txt` to provide more accurate results. (#463) (@garigariganzy) - Do not display a message about loading detection rules when using the `-M` or `-L` options. (#730) (@hitenkoku) - Added a table of rule authors to standard output. (#724) (@hitenkoku) -- Ignore event records when the channel name is `null` (ETW events) when scanning and performing metrics. (#727) (@hitenkoku) +- Ignore event records when the channel name is `null` (ETW events) when scanning and showing EID metrics. (#727) (@hitenkoku) **Bug Fixes:** diff --git a/Cargo.lock b/Cargo.lock index d770bfea..66db9d41 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -230,6 +230,16 @@ dependencies = [ "os_str_bytes", ] +[[package]] +name = "codespan-reporting" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e" +dependencies = [ + "termcolor", + "unicode-width", +] + [[package]] name = "comfy-table" version = "6.1.0" 
@@ -377,6 +387,50 @@ dependencies = [ "memchr", ] +[[package]] +name = "cxx" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19f39818dcfc97d45b03953c1292efc4e80954e1583c4aa770bac1383e2310a4" +dependencies = [ + "cc", + "cxxbridge-flags", + "cxxbridge-macro", + "link-cplusplus", +] + +[[package]] +name = "cxx-build" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3e580d70777c116df50c390d1211993f62d40302881e54d4b79727acb83d0199" +dependencies = [ + "cc", + "codespan-reporting", + "once_cell", + "proc-macro2", + "quote", + "scratch", + "syn", +] + +[[package]] +name = "cxxbridge-flags" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56a46460b88d1cec95112c8c363f0e2c39afdb237f60583b0b36343bf627ea9c" + +[[package]] +name = "cxxbridge-macro" +version = "1.0.78" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "747b608fecf06b0d72d440f27acc99288207324b793be2c17991839f3d4995ea" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "dashmap" version = "5.4.0" @@ -543,8 +597,8 @@ dependencies = [ [[package]] name = "evtx" -version = "0.8.2" -source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git?rev=95b1c6a#95b1c6a1eebe6e2dc7be896974e92e912ddb6780" +version = "0.8.3" +source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git?rev=5b0884d#5b0884dbc05a9dfd68d78063f9401eac14eea076" dependencies = [ "anyhow", "bitflags", @@ -558,7 +612,7 @@ dependencies = [ "indoc", "jemallocator", "log", - "quick-xml", + "quick-xml 0.25.0", "rayon", "rpmalloc", "serde", @@ -744,7 +798,7 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.7.1-dev" +version = "1.7.1" dependencies = [ "base64", "bytesize", @@ -774,7 +828,7 @@ dependencies = [ "openssl", "pbr", "pulldown-cmark", - "quick-xml", + "quick-xml 0.23.1", "rand", "regex", "reqwest", 
@@ -833,7 +887,7 @@ checksum = "75f43d41e26995c17e71ee126451dd3941010b0514a81a9d11f3b341debc2399" dependencies = [ "bytes", "fnv", - "itoa 1.0.3", + "itoa 1.0.4", ] [[package]] @@ -883,7 +937,7 @@ dependencies = [ "http-body", "httparse", "httpdate", - "itoa 1.0.3", + "itoa 1.0.4", "pin-project-lite", "socket2", "tokio", @@ -907,17 +961,28 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.50" +version = "0.1.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd911b35d940d2bd0bea0f9100068e5b97b51a1cbe13d13382f132e0365257a0" +checksum = "f5a6ef98976b22b3b7f2f3a806f858cb862044cfa66805aa3ad84cb3d3b785ed" dependencies = [ "android_system_properties", "core-foundation-sys", + "iana-time-zone-haiku", "js-sys", "wasm-bindgen", "winapi", ] +[[package]] +name = "iana-time-zone-haiku" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fde6edd6cef363e9359ed3c98ba64590ba9eecba2293eb5a723ab32aee8926aa" +dependencies = [ + "cxx", + "cxx-build", +] + [[package]] name = "idna" version = "0.3.0" @@ -991,9 +1056,9 @@ checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4" [[package]] name = "itoa" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c8af84674fe1f223a982c933a0ee1086ac4d4052aa0fb8060c12c6ad838e754" +checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc" [[package]] name = "jemalloc-sys" @@ -1105,6 +1170,15 @@ dependencies = [ "vcpkg", ] +[[package]] +name = "link-cplusplus" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9272ab7b96c9046fbc5bc56c06c117cb639fe2d509df0c421cad82d2915cf369" +dependencies = [ + "cc", +] + [[package]] name = "linked-hash-map" version = "0.5.6" 
@@ -1468,6 +1542,15 @@ dependencies = [ "serde", ] +[[package]] +name = "quick-xml" +version = "0.25.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "58e21a144a0ffb5fad7b464babcdab934a325ad69b7c0373bcfef5cbd9799ca9" +dependencies = [ + "memchr", +] + [[package]] name = "quote" version = "1.0.21" @@ -1689,6 +1772,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "scratch" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c8132065adcfd6e02db789d9285a0deb2f3fcb04002865ab67d5fb103533898" + [[package]] name = "security-framework" version = "2.7.0" @@ -1762,7 +1851,7 @@ version = "1.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e55a28e3aaef9d5ce0506d0a14dbba8054ddc7e499ef522dd8b26859ec9d4a44" dependencies = [ - "itoa 1.0.3", + "itoa 1.0.4", "ryu", "serde", ] @@ -1774,7 +1863,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" dependencies = [ "form_urlencoded", - "itoa 1.0.3", + "itoa 1.0.4", "ryu", "serde", ] @@ -1966,9 +2055,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.101" +version = "1.0.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e90cde112c4b9690b8cbe810cba9ddd8bc1d7472e2cae317b69e9438c1cba7d2" +checksum = "3fcd952facd492f9be3ef0d0b7032a6e442ee9b361d4acc2b1d0c4aaa5f613a1" dependencies = [ "proc-macro2", "quote", @@ -2076,7 +2165,7 @@ version = "0.3.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d634a985c4d4238ec39cacaed2e7ae552fbd3c476b552c1deac3021b7d7eaf0c" dependencies = [ - "itoa 1.0.3", + "itoa 1.0.4", "libc", "num_threads", "time-macros 0.2.4", 
@@ -2189,9 +2278,9 @@ checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" [[package]] name = "tracing" -version = "0.1.36" +version = "0.1.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2fce9567bd60a67d08a16488756721ba392f24f29006402881e43b19aac64307" +checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8" dependencies = [ "cfg-if", "pin-project-lite",
@@ -2200,9 +2289,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.29" +version = "0.1.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5aeea4303076558a00714b823f9ad67d58a3bbda1df83d8827d21193156e22f7" +checksum = "24eb03ba0eab1fd845050058ce5e616558e8f8d8fca633e6b163fe25c797213a" dependencies = [ "once_cell", ]
@@ -2230,9 +2319,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992" [[package]] name = "unicode-ident" -version = "1.0.4" +version = "1.0.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dcc811dc4066ac62f84f11307873c4850cb653bfa9b1719cee2bd2204a4bc5dd" +checksum = "6ceab39d59e4c9499d4e5a8ee0e2735b891bb7308ac83dfb4e80cad195c9f6f3" [[package]] name = "unicode-normalization"
diff --git a/Cargo.toml b/Cargo.toml
index 94088995..f4b1a09a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hayabusa"
-version = "1.7.1-dev"
+version = "1.7.1"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
@@ -8,7 +8,7 @@ edition = "2021"
 itertools = "*"
 dashmap = "*"
 clap = { version = "3.*", features = ["derive", "cargo"]}
-evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , features = ["fast-alloc"] , rev = "95b1c6a" }
+evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , features = ["fast-alloc"] , rev = "5b0884d" } #0.8.3
 quick-xml = {version = "0.23.*", features = ["serialize"] }
 serde = { version = "1.*", features = ["derive"] }
 serde_json = { version = "1.0"}
diff --git a/README-1.7.0-Japanese.pdf b/README-1.7.1-Japanese.pdf
similarity index 62%
rename from README-1.7.0-Japanese.pdf
rename to README-1.7.1-Japanese.pdf
index 97e6f7f3..3ca0cf71 100644
Binary files a/README-1.7.0-Japanese.pdf and b/README-1.7.1-Japanese.pdf differ
diff --git a/README-1.7.0.pdf b/README-1.7.1.pdf
similarity index 58%
rename from README-1.7.0.pdf
rename to README-1.7.1.pdf
index 30397b8f..fa86a149 100644
Binary files a/README-1.7.0.pdf and b/README-1.7.1.pdf differ
diff --git a/README-Japanese.md b/README-Japanese.md
index 8d0b67c5..06d576a4 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -215,7 +215,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます:
 ```bash
-hayabusa-1.7.0-win-x64.exe -u
+hayabusa-1.7.1-win-x64.exe -u
 ```
 アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。
@@ -320,20 +320,20 @@ Windows PC起動後の初回実行時に時間がかかる場合があります コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。
-例: `hayabusa-1.7.0-windows-x64.exe`
+例: `hayabusa-1.7.1-windows-x64.exe`
 ## Linux
 まず、バイナリに実行権限を与える必要があります。
 ```bash
-chmod +x ./hayabusa-1.7.0-linux-x64-gnu
+chmod +x ./hayabusa-1.7.1-linux-x64-gnu
 ```
 次に、Hayabusaのルートディレクトリから実行します:
 ```bash
-./hayabusa-1.7.0-linux-x64-gnu
+./hayabusa-1.7.1-linux-x64-gnu
 ```
 ## macOS
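Review bot: The bumped `evtx` git dependency is still pinned only by the abbreviated `rev = "5b0884d"`, with the upstream version relegated to a trailing `#0.8.3` comment; a 7-hex-digit prefix can become ambiguous as the forked repository grows, and the Cargo.lock hunk in this same diff already records the full id, so I would pin that in the manifest too, e.g. `evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git", features = ["fast-alloc"], rev = "5b0884dbc05a9dfd68d78063f9401eac14eea076" } # evtx 0.8.3`. The rewritten line also keeps the ` , ` spacing (space before each comma) that the neighbouring `clap` and `serde` entries do not use; a `taplo fmt` pass would normalise it. A related point just outside this line: the Cargo.lock hunk shows the new evtx pulling `quick-xml 0.25.0` while hayabusa itself keeps `quick-xml = "0.23.*"`, so two versions of the XML parser are now compiled in, which is worth aligning at the next quick-xml bump. The enclosing `[dependencies]` table starts above the hunk, and its `"*"` requirements on `itertools` and `dashmap` mean a build without `--locked` resolves to whatever is newest, which undercuts the reproducibility the exact `rev` is meant to give — not introduced here, but visible in the context lines.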
@@ -341,13 +341,13 @@ chmod +x ./hayabusa-1.7.0-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.7.0-mac-intel +chmod +x ./hayabusa-1.7.1-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.7.0-mac-intel +./hayabusa-1.7.1-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -361,7 +361,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.7.0-mac-intel +./hayabusa-1.7.1-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 
@@ -446,91 +446,91 @@ TIME-FORMAT: * 1つのWindowsイベントログファイルに対してHayabusaを実行する: ```bash -hayabusa-1.7.0-win-x64.exe -f eventlog.evtx +hayabusa-1.7.1-win-x64.exe -f eventlog.evtx ``` * `verbose`プロファイルで複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができる(注意: `verbose-details-and-all-field-info`プロファイルを使すると、出力するファイルのサイズがとても大きくなる!): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info ``` * タイムラインをJSON形式で保存する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j ``` * Hayabusaルールのみを実行する(デフォルトでは`-r .\rules`にあるすべてのルールが利用される): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 
廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にする: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力する: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知する: ```bash -hayabusa-1.7.0-win-x64.exe -l -m low +hayabusa-1.7.1-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成する(結果は結果毎に`keywords-Ip Address.txt`や`keywords-Users.txt`等に出力される): ```bash -hayabusa-1.7.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.7.1-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を出力する: ```bash -hayabusa-1.7.0-win-x64.exe -f Security.evtx -M +hayabusa-1.7.1-win-x64.exe -f Security.evtx -M ``` * ログオンサマリを出力する: ```bash -hayabusa-1.7.0-win-x64.exe -L -f Security.evtx -M +hayabusa-1.7.1-win-x64.exe -L -f Security.evtx -M ``` * 詳細なメッセージを出力する(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -551,7 +551,7 @@ Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_ * 結果を[Timesketch](https://timesketch.org/)にインポートできるCSV形式に保存する: ```bash -hayabusa-1.7.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U +hayabusa-1.7.1-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U ``` * エラーログの出力をさせないようにする: 
@@ -857,7 +857,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.7.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.7.1-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: diff --git a/README.md b/README.md index 01d34c1c..b5bc7406 100644 --- a/README.md +++ b/README.md @@ -207,7 +207,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.7.0-win-x64.exe -u +hayabusa-1.7.1-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -312,20 +312,20 @@ You may experience slow runtime especially on the first run after a reboot due t In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary. -Example: `hayabusa-1.7.0-windows-x64.exe` +Example: `hayabusa-1.7.1-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.7.0-linux-x64-gnu +chmod +x ./hayabusa-1.7.1-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.7.0-linux-x64-gnu +./hayabusa-1.7.1-linux-x64-gnu ``` ## macOS @@ -333,13 +333,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.7.0-mac-intel +chmod +x ./hayabusa-1.7.1-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.7.0-mac-intel +./hayabusa-1.7.1-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: 
@@ -353,7 +353,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.7.0-mac-intel +./hayabusa-1.7.1-mac-intel ``` The following warning will pop up, so please click "Open". 
@@ -437,91 +437,91 @@ TIME-FORMAT: * Run hayabusa against one Windows event log file with default standard profile: ```bash -hayabusa-1.7.0-win-x64.exe -f eventlog.evtx +hayabusa-1.7.1-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files with the verbose profile: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information (Warning: your file output size will become much larger with the `verbose-details-and-all-field-info` profile!): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info ``` * Save the timline in JSON format: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash 
-hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.7.0-win-x64.exe -l -m low +hayabusa-1.7.1-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.7.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.7.1-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID metrics: ```bash -hayabusa-1.7.0-win-x64.exe -f Security.evtx -M +hayabusa-1.7.1-win-x64.exe -f Security.evtx -M ``` * Print logon summary: ```bash -hayabusa-1.7.0-win-x64.exe -L -f Security.evtx -M +hayabusa-1.7.1-win-x64.exe -L -f Security.evtx -M ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.7.1-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: 
@@ -542,7 +542,7 @@ Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_ * Output to a CSV format compatible to import into [Timesketch](https://timesketch.org/): ```bash -hayabusa-1.7.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U +hayabusa-1.7.1-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U ``` * Quiet error mode: @@ -848,7 +848,7 @@ You can also add a rule ID to `./rules/config/noisy_rules.txt` in order to ignor Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.7.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.7.1-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: diff --git a/rules b/rules index 45262b36..b3f4d858 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 45262b36120ea76cec441fb2fa13cae248b75dfb +Subproject commit b3f4d8589d7b6aae3d84511827222fd17cba160c