Merge branch 'clap_update_v3' of github.com:Yamato-Security/hayabusa into clap_update_v3

This commit is contained in:
DustInDark
2022-06-15 10:02:32 +09:00
3 changed files with 91 additions and 89 deletions

Cargo.lock generated

@@ -14,7 +14,7 @@ version = "0.7.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47" checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47"
dependencies = [ dependencies = [
"getrandom 0.2.6", "getrandom 0.2.7",
"once_cell", "once_cell",
"version_check", "version_check",
] ]
@@ -220,16 +220,16 @@ dependencies = [
[[package]] [[package]]
name = "clap" name = "clap"
version = "3.1.18" version = "3.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d2dbdf4bdacb33466e854ce889eee8dfd5729abf7ccd7664d0a2d60cd384440b" checksum = "6d20de3739b4fb45a17837824f40aa1769cc7655d7a83e68739a77fe7b30c87a"
dependencies = [ dependencies = [
"atty", "atty",
"bitflags", "bitflags",
"clap_derive", "clap_derive",
"clap_lex", "clap_lex",
"indexmap", "indexmap",
"lazy_static", "once_cell",
"strsim 0.10.0", "strsim 0.10.0",
"termcolor", "termcolor",
"textwrap 0.15.0", "textwrap 0.15.0",
@@ -237,9 +237,9 @@ dependencies = [
[[package]] [[package]]
name = "clap_derive" name = "clap_derive"
version = "3.1.18" version = "3.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "25320346e922cffe59c0bbc5410c8d8784509efb321488971081313cb1e1a33c" checksum = "026baf08b89ffbd332836002ec9378ef0e69648cbfadd68af7cd398ca5bf98f7"
dependencies = [ dependencies = [
"heck", "heck",
"proc-macro-error", "proc-macro-error",
@@ -250,9 +250,9 @@ dependencies = [
[[package]] [[package]]
name = "clap_lex" name = "clap_lex"
version = "0.2.0" version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a37c35f1112dad5e6e0b1adaff798507497a18fceeb30cceb3bae7d1427b9213" checksum = "5538cd660450ebeb4234cfecf8f2284b844ffc4c50531e66d584ad5b91293613"
dependencies = [ dependencies = [
"os_str_bytes", "os_str_bytes",
] ]
@@ -632,13 +632,13 @@ dependencies = [
[[package]] [[package]]
name = "getrandom" name = "getrandom"
version = "0.2.6" version = "0.2.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" checksum = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"libc", "libc",
"wasi 0.10.0+wasi-snapshot-preview1", "wasi 0.11.0+wasi-snapshot-preview1",
] ]
[[package]] [[package]]
@@ -679,12 +679,12 @@ dependencies = [
[[package]] [[package]]
name = "hayabusa" name = "hayabusa"
version = "1.3.2" version = "1.4.0"
dependencies = [ dependencies = [
"base64", "base64",
"bytesize", "bytesize",
"chrono", "chrono",
"clap 3.1.18", "clap 3.2.4",
"crossbeam-utils", "crossbeam-utils",
"csv", "csv",
"downcast-rs", "downcast-rs",
@@ -920,7 +920,7 @@ dependencies = [
"anyhow", "anyhow",
"atty", "atty",
"chrono", "chrono",
"clap 3.1.18", "clap 3.2.4",
"file-chunker", "file-chunker",
"indicatif", "indicatif",
"memmap2", "memmap2",
@@ -1902,9 +1902,9 @@ checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
[[package]] [[package]]
name = "unicode-ident" name = "unicode-ident"
version = "1.0.0" version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d22af068fba1eb5edcb4aea19d382b2a3deb4c8f9d475c589b6ada9e0fd493ee" checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c"
[[package]] [[package]]
name = "unicode-normalization" name = "unicode-normalization"
@@ -1992,9 +1992,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
[[package]] [[package]]
name = "wasm-bindgen" name = "wasm-bindgen"
version = "0.2.80" version = "0.2.81"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27370197c907c55e3f1a9fbe26f44e937fe6451368324e009cba39e139dc08ad" checksum = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"wasm-bindgen-macro", "wasm-bindgen-macro",
@@ -2002,9 +2002,9 @@ dependencies = [
[[package]] [[package]]
name = "wasm-bindgen-backend" name = "wasm-bindgen-backend"
version = "0.2.80" version = "0.2.81"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53e04185bfa3a779273da532f5025e33398409573f348985af9a1cbf3774d3f4" checksum = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a"
dependencies = [ dependencies = [
"bumpalo", "bumpalo",
"lazy_static", "lazy_static",
@@ -2017,9 +2017,9 @@ dependencies = [
[[package]] [[package]]
name = "wasm-bindgen-macro" name = "wasm-bindgen-macro"
version = "0.2.80" version = "0.2.81"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17cae7ff784d7e83a2fe7611cfe766ecf034111b49deb850a3dc7699c08251f5" checksum = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa"
dependencies = [ dependencies = [
"quote", "quote",
"wasm-bindgen-macro-support", "wasm-bindgen-macro-support",
@@ -2027,9 +2027,9 @@ dependencies = [
[[package]] [[package]]
name = "wasm-bindgen-macro-support" name = "wasm-bindgen-macro-support"
version = "0.2.80" version = "0.2.81"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99ec0dc7a4756fffc231aab1b9f2f578d23cd391390ab27f952ae0c9b3ece20b" checksum = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@@ -2040,9 +2040,9 @@ dependencies = [
[[package]] [[package]]
name = "wasm-bindgen-shared" name = "wasm-bindgen-shared"
version = "0.2.80" version = "0.2.81"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d554b7f530dee5964d9a9468d95c1f8b8acae4f282807e7d27d4b03099a46744" checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
[[package]] [[package]]
name = "winapi" name = "winapi"


@@ -1,6 +1,6 @@
[package] [package]
name = "hayabusa" name = "hayabusa"
version = "1.3.2" version = "1.4.0"
authors = ["Yamato Security @SecurityYamato"] authors = ["Yamato Security @SecurityYamato"]
edition = "2021" edition = "2021"


@@ -201,88 +201,90 @@ struct Config {
impl ConfigReader { impl ConfigReader {
pub fn new() -> Self { pub fn new() -> Self {
let app_str = "hayabusa 1.3.1"; let app_str = "Hayabusa 1.4";
let custom_usage_and_opt = r#" let custom_usage_and_opt = r#"
USAGE: USAGE:
hayabusa.exe -f file.evtx [OPTIONS] hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS]
hayabusa.exe -d evtx-directory [OPTIONS]
OPTIONS: OPTIONS:
--European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) --European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)
--US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) --US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) --US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)
--all-tags Output all tags when saving to a CSV file --all-tags Output all tags when saving to a CSV file.
-C, --config <RULE_CONFIG_DIRECTORY> Rule config folder [default: .\rules\config] -C, --config <RULE_CONFIG_DIRECTORY> Specify rule config folder. (Default: .\rules\config)
--contributors Prints the list of contributors --contributors Prints the list of contributors.
-d, --directory <DIRECTORY> Directory of multiple .evtx files -d, --directory <DIRECTORY> Directory of multiple .evtx files.
-D, --enable-deprecated-rules Enable rules marked as deprecated -D, --enable-deprecated-rules Enable rules marked as deprecated.
--end-timeline <END_TIMELINE> End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") --end-timeline <END_TIMELINE> End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00")
-f, --filepath <FILE_PATH> File path to one .evtx file -f, --filepath <FILE_PATH> File path to one .evtx file.
-F, --full-data Print all field information -F, --full-data Print all field information.
-h, --help Print help information -h, --help Print help information.
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.) -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder. (Windows Only. Administrator privileges required.)
-L, --logon-summary Successful and failed logons summary -L, --logon-summary Successful and failed logons summary.
--level-tuning <LEVEL_TUNING_FILE> Tune alert levels [default: .\rules\config\level_tuning.txt] --level-tuning <LEVEL_TUNING_FILE> Tune alert levels. (Default: .\rules\config\level_tuning.txt)
-m, --min-level <LEVEL> Minimum level for rules [default: informational] -m, --min-level <LEVEL> Minimum level for rules. (Default: informational)
-n, --enable-noisy-rules Enable rules marked as noisy -n, --enable-noisy-rules Enable rules marked as noisy.
--no_color Disable color output --no_color Disable color output.
-o, --output <CSV_TIMELINE> Save the timeline in CSV format. (Ex: results.csv) -o, --output <CSV_TIMELINE> Save the timeline in CSV format. (Ex: results.csv)
-p, --pivot-keywords-list Create a list of pivot keywords -p, --pivot-keywords-list Create a list of pivot keywords.
-q, --quiet Quiet mode. Do not display the launch banner -q, --quiet Quiet mode. Do not display the launch banner.
-Q, --quiet-errors Quiet errors mode. Do not save error logs -Q, --quiet-errors Quiet errors mode. Do not save error logs.
-r, --rules <RULE_DIRECTORY/RULE_FILE> Rule directory or file [default: .\rules] -r, --rules <RULE_DIRECTORY/RULE_FILE> Specify rule directory or file. (Default: .\rules)
-R, --hide-record-id Do not display EventRecordID number -R, --hide-record-id Do not display EventRecordID numbers.
--rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)
--rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)
-s, --statistics Prints statistics of event IDs -s, --statistics Prints statistics of event IDs.
--start-timeline <START_TIMELINE> Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") --start-timeline <START_TIMELINE> Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> Thread number. [default: Optimal number for performance.] -t, --thread-number <NUMBER> Thread number. (Default: Optimal number for performance.)
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository -u, --update-rules Update to the latest rules in the hayabusa-rules github repository.
-U, --utc Output time in UTC format. [default: local time] -U, --utc Output time in UTC format. (Default: local time)
-v, --verbose Output verbose information -v, --verbose Output verbose information.
-V, --visualize-timeline Output event frequency timeline -V, --visualize-timeline Output event frequency timeline.
--version Print version information"#; --version Print version information."#;
let build_cmd = Config::command().override_help(r#"hayabusa 1.3.1 let build_cmd = Config::command().override_help(r#"Hayabusa 1.4 Help Menu:
Hayabusa: A sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Yamato Security (https://github.com/Yamato-Security/hayabusa) @SecurityYamato) Yamato Security (https://github.com/Yamato-Security/hayabusa) @SecurityYamato)
Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!
USAGE: USAGE:
hayabusa.exe -f file.evtx [OPTIONS] hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS]
hayabusa.exe -d evtx-directory [OPTIONS]
OPTIONS: OPTIONS:
--European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00) --European-time Output timestamp in European time format. (Ex: 22-02-2022 22:00:00.123 +02:00)
--US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00) --US-military-time Output timestamp in US military time format. (Ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00) --US-time Output timestamp in US time format. (Ex: 02-22-2022 10:00:00.123 PM -06:00)
--all-tags Output all tags when saving to a CSV file --all-tags Output all tags when saving to a CSV file.
-C, --config <RULE_CONFIG_DIRECTORY> Rule config folder [default: .\rules\config] -C, --config <RULE_CONFIG_DIRECTORY> Specify rule config folder. (Default: .\rules\config)
--contributors Prints the list of contributors --contributors Prints the list of contributors.
-d, --directory <DIRECTORY> Directory of multiple .evtx files -d, --directory <DIRECTORY> Directory of multiple .evtx files.
-D, --enable-deprecated-rules Enable rules marked as deprecated -D, --enable-deprecated-rules Enable rules marked as deprecated.
--end-timeline <END_TIMELINE> End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00") --end-timeline <END_TIMELINE> End time of the event logs to load. (Ex: "2022-02-22 23:59:59 +09:00")
-f, --filepath <FILE_PATH> File path to one .evtx file -f, --filepath <FILE_PATH> File path to one .evtx file.
-F, --full-data Print all field information -F, --full-data Print all field information.
-h, --help Print help information -h, --help Print help information.
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.) -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder. (Windows Only. Administrator privileges required.)
-L, --logon-summary Successful and failed logons summary -L, --logon-summary Successful and failed logons summary.
--level-tuning <LEVEL_TUNING_FILE> Tune alert levels [default: .\rules\config\level_tuning.txt] --level-tuning <LEVEL_TUNING_FILE> Tune alert levels. (Default: .\rules\config\level_tuning.txt)
-m, --min-level <LEVEL> Minimum level for rules [default: informational] -m, --min-level <LEVEL> Minimum level for rules. (Default: informational)
-n, --enable-noisy-rules Enable rules marked as noisy -n, --enable-noisy-rules Enable rules marked as noisy.
--no_color Disable color output --no_color Disable color output.
-o, --output <CSV_TIMELINE> Save the timeline in CSV format. (Ex: results.csv) -o, --output <CSV_TIMELINE> Save the timeline in CSV format. (Ex: results.csv)
-p, --pivot-keywords-list Create a list of pivot keywords -p, --pivot-keywords-list Create a list of pivot keywords.
-q, --quiet Quiet mode. Do not display the launch banner -q, --quiet Quiet mode. Do not display the launch banner.
-Q, --quiet-errors Quiet errors mode. Do not save error logs -Q, --quiet-errors Quiet errors mode. Do not save error logs.
-r, --rules <RULE_DIRECTORY/RULE_FILE> Rule directory or file [default: .\rules] -r, --rules <RULE_DIRECTORY/RULE_FILE> Specify rule directory or file. (Default: .\rules)
-R, --hide-record-id Do not display EventRecordID number -R, --hide-record-id Do not display EventRecordID numbers.
--rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600) --rfc-2822 Output timestamp in RFC 2822 format. (Ex: Fri, 22 Feb 2022 22:00:00 -0600)
--rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00) --rfc-3339 Output timestamp in RFC 3339 format. (Ex: 2022-02-22 22:00:00.123456-06:00)
-s, --statistics Prints statistics of event IDs -s, --statistics Prints statistics of event IDs.
--start-timeline <START_TIMELINE> Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00") --start-timeline <START_TIMELINE> Start time of the event logs to load. (Ex: "2020-02-22 00:00:00 +09:00")
-t, --thread-number <NUMBER> Thread number. [default: Optimal number for performance.] -t, --thread-number <NUMBER> Thread number. (Default: Optimal number for performance.)
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository -u, --update-rules Update to the latest rules in the hayabusa-rules github repository.
-U, --utc Output time in UTC format. [default: local time] -U, --utc Output time in UTC format. (Default: local time)
-v, --verbose Output verbose information -v, --verbose Output verbose information.
-V, --visualize-timeline Output event frequency timeline -V, --visualize-timeline Output event frequency timeline.
--version Print version information --version Print version information.
"#); "#);
let arg = build_cmd.clone().get_matches(); let arg = build_cmd.clone().get_matches();
let headless_help = format!("{}{}", app_str, custom_usage_and_opt); let headless_help = format!("{}{}", app_str, custom_usage_and_opt);