From fdb7056f62a310cc56b02e72b539e115a9b1224f Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 15 Jun 2022 07:10:07 +0900 Subject: [PATCH] update cargo and usage text --- Cargo.lock | 52 ++++++++-------- Cargo.toml | 2 +- src/detections/configs.rs | 126 +++++++++++++++++++------------------- 3 files changed, 91 insertions(+), 89 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8fdb0739..e307c6f4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -14,7 +14,7 @@ version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47" dependencies = [ - "getrandom 0.2.6", + "getrandom 0.2.7", "once_cell", "version_check", ] @@ -220,16 +220,16 @@ dependencies = [ [[package]] name = "clap" -version = "3.1.18" +version = "3.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2dbdf4bdacb33466e854ce889eee8dfd5729abf7ccd7664d0a2d60cd384440b" +checksum = "6d20de3739b4fb45a17837824f40aa1769cc7655d7a83e68739a77fe7b30c87a" dependencies = [ "atty", "bitflags", "clap_derive", "clap_lex", "indexmap", - "lazy_static", + "once_cell", "strsim 0.10.0", "termcolor", "textwrap 0.15.0", @@ -237,9 +237,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "3.1.18" +version = "3.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25320346e922cffe59c0bbc5410c8d8784509efb321488971081313cb1e1a33c" +checksum = "026baf08b89ffbd332836002ec9378ef0e69648cbfadd68af7cd398ca5bf98f7" dependencies = [ "heck", "proc-macro-error", @@ -250,9 +250,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.2.0" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a37c35f1112dad5e6e0b1adaff798507497a18fceeb30cceb3bae7d1427b9213" +checksum = "5538cd660450ebeb4234cfecf8f2284b844ffc4c50531e66d584ad5b91293613" dependencies = [ "os_str_bytes", ] 
@@ -632,13 +632,13 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" +checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6" dependencies = [ "cfg-if", "libc", - "wasi 0.10.0+wasi-snapshot-preview1", + "wasi 0.11.0+wasi-snapshot-preview1", ] [[package]] @@ -679,12 +679,12 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.3.2" +version = "1.4.0" dependencies = [ "base64", "bytesize", "chrono", - "clap 3.1.18", + "clap 3.2.4", "crossbeam-utils", "csv", "downcast-rs", @@ -920,7 +920,7 @@ dependencies = [ "anyhow", "atty", "chrono", - "clap 3.1.18", + "clap 3.2.4", "file-chunker", "indicatif", "memmap2", @@ -1902,9 +1902,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992" [[package]] name = "unicode-ident" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee" +checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" [[package]] name = "unicode-normalization" @@ -1992,9 +1992,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.80" +version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27370197c907c55e3f1a9fbe26f44e937fe6451368324e009cba39e139dc08ad" +checksum = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994" dependencies = [ "cfg-if", "wasm-bindgen-macro", 
@@ -2002,9 +2002,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.80" +version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "53e04185bfa3a779273da532f5025e33398409573f348985af9a1cbf3774d3f4" +checksum = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a" dependencies = [ "bumpalo", "lazy_static", @@ -2017,9 +2017,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.80" +version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17cae7ff784d7e83a2fe7611cfe766ecf034111b49deb850a3dc7699c08251f5" +checksum = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -2027,9 +2027,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.80" +version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99ec0dc7a4756fffc231aab1b9f2f578d23cd391390ab27f952ae0c9b3ece20b" +checksum = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048" dependencies = [ "proc-macro2", "quote", @@ -2040,9 +2040,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.80" +version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d554b7f530dee5964d9a9468d95c1f8b8acae4f282807e7d27d4b03099a46744" +checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" [[package]] name = "winapi" diff --git a/Cargo.toml b/Cargo.toml index 73b81263..fdb4dcd4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.3.2" +version = "1.4.0" authors = ["Yamato Security @SecurityYamato"] edition = "2021" diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 2098ac7a..beb005df 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -201,88 +201,90 @@ struct Config { impl ConfigReader { pub fn new() -> Self { - let app_str = "hayabusa 1.3.1"; + let app_str = "Hayabusa 1.4"; let custom_usage_and_opt = r#" + USAGE: - hayabusa.exe -f file.evtx [OPTIONS] - hayabusa.exe -d evtx-directory [OPTIONS] + hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS] OPTIONS: --European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) --US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) --US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) - --all-tags Output all tags when saving to a CSV file - -C, --config Rule config folder [default: .\rules\config] - --contributors Prints the list of contributors - -d, --directory Directory of multiple .evtx files - -D, --enable-deprecated-rules Enable rules marked as deprecated + --all-tags Output all tags when saving to a CSV file. + -C, --config Specify rule config folder. (Default: .\rules\config) + --contributors Prints the list of contributors. + -d, --directory Directory of multiple .evtx files. + -D, --enable-deprecated-rules Enable rules marked as deprecated. --end-timeline End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") - -f, --filepath File path to one .evtx file - -F, --full-data Print all field information - -h, --help Print help information - -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.) - -L, --logon-summary Successful and failed logons summary - --level-tuning Tune alert levels [default: .\rules\config\level_tuning.txt] - -m, --min-level Minimum level for rules [default: informational] - -n, --enable-noisy-rules Enable rules marked as noisy - --no_color Disable color output + -f, --filepath File path to one .evtx file. + -F, --full-data Print all field information. + -h, --help Print help information. 
+ -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder. (Windows Only. Administrator privileges required.) + -L, --logon-summary Successful and failed logons summary. + --level-tuning Tune alert levels. (Default: .\rules\config\level_tuning.txt) + -m, --min-level Minimum level for rules. (Default: informational) + -n, --enable-noisy-rules Enable rules marked as noisy. + --no_color Disable color output. -o, --output Save the timeline in CSV format. (Ex: results.csv) - -p, --pivot-keywords-list Create a list of pivot keywords - -q, --quiet Quiet mode. Do not display the launch banner - -Q, --quiet-errors Quiet errors mode. Do not save error logs - -r, --rules Rule directory or file [default: .\rules] - -R, --hide-record-id Do not display EventRecordID number + -p, --pivot-keywords-list Create a list of pivot keywords. + -q, --quiet Quiet mode. Do not display the launch banner. + -Q, --quiet-errors Quiet errors mode. Do not save error logs. + -r, --rules Specify rule directory or file. (Default: .\rules) + -R, --hide-record-id Do not display EventRecordID numbers. --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) - -s, --statistics Prints statistics of event IDs + -s, --statistics Prints statistics of event IDs. --start-timeline Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") - -t, --thread-number Thread number. [default: Optimal number for performance.] - -u, --update-rules Update to the latest rules in the hayabusa-rules github repository - -U, --utc Output time in UTC format. [default: local time] - -v, --verbose Output verbose information - -V, --visualize-timeline Output event frequency timeline - --version Print version information"#; - let build_cmd = Config::command().override_help(r#"hayabusa 1.3.1 + -t, --thread-number Thread number. (Default: Optimal number for performance.) 
+ -u, --update-rules Update to the latest rules in the hayabusa-rules github repository. + -U, --utc Output time in UTC format. (Default: local time) + -v, --verbose Output verbose information. + -V, --visualize-timeline Output event frequency timeline. + --version Print version information."#; + let build_cmd = Config::command().override_help(r#"Hayabusa 1.4 Help Menu: + +Hayabusa: A sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Yamato Security (https://github.com/Yamato-Security/hayabusa) @SecurityYamato) -Hayabusa: Aiming to be the world's greatest Windows event log analysis tool! + USAGE: - hayabusa.exe -f file.evtx [OPTIONS] - hayabusa.exe -d evtx-directory [OPTIONS] + hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS] + OPTIONS: --European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) --US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) --US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) - --all-tags Output all tags when saving to a CSV file - -C, --config Rule config folder [default: .\rules\config] - --contributors Prints the list of contributors - -d, --directory Directory of multiple .evtx files - -D, --enable-deprecated-rules Enable rules marked as deprecated + --all-tags Output all tags when saving to a CSV file. + -C, --config Specify rule config folder. (Default: .\rules\config) + --contributors Prints the list of contributors. + -d, --directory Directory of multiple .evtx files. + -D, --enable-deprecated-rules Enable rules marked as deprecated. --end-timeline End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") - -f, --filepath File path to one .evtx file - -F, --full-data Print all field information - -h, --help Print help information - -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. 
Administrator privileges required.) - -L, --logon-summary Successful and failed logons summary - --level-tuning Tune alert levels [default: .\rules\config\level_tuning.txt] - -m, --min-level Minimum level for rules [default: informational] - -n, --enable-noisy-rules Enable rules marked as noisy - --no_color Disable color output + -f, --filepath File path to one .evtx file. + -F, --full-data Print all field information. + -h, --help Print help information. + -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder. (Windows Only. Administrator privileges required.) + -L, --logon-summary Successful and failed logons summary. + --level-tuning Tune alert levels. (Default: .\rules\config\level_tuning.txt) + -m, --min-level Minimum level for rules. (Default: informational) + -n, --enable-noisy-rules Enable rules marked as noisy. + --no_color Disable color output. -o, --output Save the timeline in CSV format. (Ex: results.csv) - -p, --pivot-keywords-list Create a list of pivot keywords - -q, --quiet Quiet mode. Do not display the launch banner - -Q, --quiet-errors Quiet errors mode. Do not save error logs - -r, --rules Rule directory or file [default: .\rules] - -R, --hide-record-id Do not display EventRecordID number - --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) - --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) - -s, --statistics Prints statistics of event IDs - --start-timeline Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") - -t, --thread-number Thread number. [default: Optimal number for performance.] - -u, --update-rules Update to the latest rules in the hayabusa-rules github repository - -U, --utc Output time in UTC format. [default: local time] - -v, --verbose Output verbose information - -V, --visualize-timeline Output event frequency timeline - --version Print version information + -p, --pivot-keywords-list Create a list of pivot keywords. 
+ -q, --quiet Quiet mode. Do not display the launch banner. + -Q, --quiet-errors Quiet errors mode. Do not save error logs. + -r, --rules Specify rule directory or file. (Default: .\rules) + -R, --hide-record-id Do not display EventRecordID numbers. + --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) + --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) + -s, --statistics Prints statistics of event IDs. + --start-timeline Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") + -t, --thread-number Thread number. (Default: Optimal number for performance.) + -u, --update-rules Update to the latest rules in the hayabusa-rules github repository. + -U, --utc Output time in UTC format. (Default: local time) + -v, --verbose Output verbose information. + -V, --visualize-timeline Output event frequency timeline. + --version Print version information. "#); let arg = build_cmd.clone().get_matches(); let headless_help = format!("{}{}", app_str, custom_usage_and_opt);
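Review bot: The version is still hard-coded twice in this hunk, as `"Hayabusa 1.4"` in `app_str` and again at the head of the `override_help` raw string, while Cargo.toml in the same commit moves to 1.4.0; the old lines show this had already drifted once (`app_str` said 1.3.1 while Cargo.toml was at 1.3.2). Taking it from package metadata, `let app_str = format!("Hayabusa {}", env!("CARGO_PKG_VERSION"));`, keeps the banner in step with the crate version with no other change, since `format!("{}{}", app_str, custom_usage_and_opt)` accepts a String. The override_help header should be derived from the same value; if `override_help` still takes a `&'help str` in clap 3.2 the formatted text would need to be stored in a `OnceLock` or leaked, which is worth a short comment either way. The whole OPTIONS block is also pasted verbatim into both raw strings, so a single constant composed into the two help texts would stop them diverging the way the version did. `ConfigReader::new` continues past the end of the hunk.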