From 6b5283b28bab914dfdb185ea2bc122a2b8ce4235 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 23 Dec 2021 11:33:10 +0900
Subject: [PATCH 1/5] added no detection when statistics option enabled. #341
---
 src/detections/print.rs | 5 +++++
 src/main.rs | 17 ++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 380c2858..6c9ef6b8 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -47,6 +47,11 @@ lazy_static! {
 .args
 .is_present("quiet-errors");
 pub static ref ERROR_LOG_STACK: Mutex> = Mutex::new(Vec::new());
+ pub static ref STATISTICS_FLAG: bool = configs::CONFIG
+ .read()
+ .unwrap()
+ .args
+ .is_present("statistics");
 }
 impl Message {
diff --git a/src/main.rs b/src/main.rs
index 2910353a..9b741ca3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,6 +9,7 @@ use hayabusa::detections::print::AlertMessage;
 use hayabusa::detections::print::ERROR_LOG_PATH;
 use hayabusa::detections::print::ERROR_LOG_STACK;
 use hayabusa::detections::print::QUIET_ERRORS_FLAG;
+use hayabusa::detections::print::STATISTICS_FLAG;
 use hayabusa::detections::rule::{get_detection_keys, RuleNode};
 use hayabusa::filter;
 use hayabusa::omikuji::Omikuji;
@@ -205,7 +206,9 @@ impl App {
 pb.inc();
 }
 detection.add_aggcondition_msges(&self.rt);
- after_fact();
+ if !*STATISTICS_FLAG {
+ after_fact();
+ }
 }
 // Windowsイベントログファイルを1ファイル分解析する。
@@ -223,7 +226,9 @@ impl App {
 let mut tl = Timeline::new();
 let mut parser = parser.unwrap();
 let mut records = parser.records_json_value();
-
+ if !*STATISTICS_FLAG {
+ println!("Generating Event ID Statistics");
+ }
 loop {
 let mut records_per_detect = vec![];
 while records_per_detect.len() < MAX_DETECT_RECORDS {
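Review bot: `STATISTICS_FLAG` is added to the `lazy_static!` block without a doc comment, and since it now drives control flow in two places in main.rs a one-liner would help the next reader; suggest `/// Set when the "statistics" option is given: rule detection and after_fact() are skipped and only Event ID statistics are produced.` above the `pub static ref`. The `.read().unwrap()` on `configs::CONFIG` will panic if the lock is poisoned, but it mirrors the existing QUIET_ERRORS_FLAG initialiser, so keeping it consistent is acceptable here. The enclosing `lazy_static!` block starts outside the hunk.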
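Review bot: In the `@@ -205` hunk `detection.add_aggcondition_msges(&self.rt)` still runs when the statistics flag is set, although the `@@ -273` hunk later in this patch skips `detection.start` in that mode, so aggregation messages are generated from a Detection that never saw any records. If that is a no-op on an untouched Detection it is harmless, but it is clearer to put both calls under one guard: `if !*STATISTICS_FLAG {` / `    detection.add_aggcondition_msges(&self.rt);` / `    after_fact();` / `}`. More generally, statistics mode is now implemented as four scattered `!*STATISTICS_FLAG` checks (here, `@@ -223`, `@@ -273`); a single branch at the top of the per-file analysis would be easier to keep consistent. The enclosing method starts outside the hunk.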
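Review bot: The condition in the `@@ -223` hunk is inverted: `if !*STATISTICS_FLAG { println!("Generating Event ID Statistics"); }` prints the statistics banner only when the option is *not* given. PATCH 3/5 flips it to `if *STATISTICS_FLAG {` and PATCH 4/5 moves it out of the per-file function, so the end state of the series is correct, but the three commits together are one logical change and would read better squashed. The enclosing method continues past the hunk.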
@@ -273,11 +278,13 @@ impl App {
 self.rule_keys.clone(),
 ));
- // // timeline機能の実行
+ // timeline機能の実行
 tl.start(&records_per_detect);
- // // ruleファイルの検知
- detection = detection.start(&self.rt, records_per_detect);
+ if !*STATISTICS_FLAG {
+ // ruleファイルの検知
+ detection = detection.start(&self.rt, records_per_detect);
+ }
 }
 tl.tm_stats_dsp_msg();
From 09782f02a9f68cb0dadad08f2c5291affa2c3294 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 23 Dec 2021 11:35:34 +0900
Subject: [PATCH 2/5] added newline
---
 src/main.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main.rs b/src/main.rs
index 9b741ca3..1730adfb 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -117,6 +117,7 @@ impl App {
 }
 let analysis_end_time: DateTime = Local::now();
 let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time);
+ println!("");
 println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx());
 println!("");
From 9b382df001185ea6f8b36a53d081fd262d9e0e59 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 23 Dec 2021 11:39:52 +0900
Subject: [PATCH 3/5] fixed output flag process #341
---
 src/main.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main.rs b/src/main.rs
index 1730adfb..f0feeb1a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -227,7 +227,7 @@ impl App {
 let mut tl = Timeline::new();
 let mut parser = parser.unwrap();
 let mut records = parser.records_json_value();
- if !*STATISTICS_FLAG {
+ if *STATISTICS_FLAG {
 println!("Generating Event ID Statistics");
 }
 loop {
From 7813fd6ac6e6b9d80a5aed2048b4b99a38de2d28 Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Thu, 23 Dec 2021 11:42:58 +0900
Subject: [PATCH 4/5] reduced statistics start output each file #341
---
 src/main.rs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index f0feeb1a..6bb33feb 100644
--- a/src/main.rs
+++ b/src/main.rs
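Review bot: The added `println!("");` in the PATCH 2/5 hunk (`@@ -117`) is the form clippy's `println_empty_string` lint warns about; `println!();` prints the same newline. The existing `println!("");` two lines below has the same issue, so if the file is meant to pass `cargo clippy -- -D warnings` both should be changed together.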
@@ -85,6 +85,9 @@ impl App {
 return;
 }
 }
+ if *STATISTICS_FLAG {
+ println!("Generating Event ID Statistics");
+ }
 if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") {
 if !filepath.ends_with(".evtx") {
 AlertMessage::alert(
@@ -227,9 +230,7 @@ impl App {
 let mut tl = Timeline::new();
 let mut parser = parser.unwrap();
 let mut records = parser.records_json_value();
- if *STATISTICS_FLAG {
- println!("Generating Event ID Statistics");
- }
+
 loop {
 let mut records_per_detect = vec![];
 while records_per_detect.len() < MAX_DETECT_RECORDS {
From b85ccd5af349961719e00a43f07395c3680344a2 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 23 Dec 2021 12:31:04 +0900
Subject: [PATCH 5/5] timeline event info update
---
 config/timeline_event_info.txt | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/config/timeline_event_info.txt b/config/timeline_event_info.txt
index d1e1e642..74fe361c 100644
--- a/config/timeline_event_info.txt
+++ b/config/timeline_event_info.txt
@@ -1,8 +1,11 @@
 eventid,event_title,detect_flg,comment
+1,Sysmon process creation,Yes,
+59,Bits Job Creation,Yes,
 1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
 1101,Audit Events Have Been Dropped By The Transport,,
 1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
 1107,Event processing error,,
+4103,Powershell execution pipeline,Yes,
 4608,Windows started up,,
 4610,An authentication package has been loaded by the Local Security Authority,,
 4611,A trusted logon process has been registered with the Local Security Authority,,
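Review bot: The "Generating Event ID Statistics" banner in the `@@ -85` hunk is printed before the `filepath` value is validated, so a run that is about to be rejected by the `.evtx` check and `AlertMessage::alert(` still announces that statistics are being generated. Moving the three-line `if *STATISTICS_FLAG { … }` block below the filepath validation (or to the point where analysis actually starts) keeps the output truthful on the error path. The enclosing method starts and ends outside the hunk.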
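Review bot: The new row `1,Sysmon process creation,Yes,` in the `@@ -1` hunk labels event ID 1 by its Sysmon meaning, but the table's header (`eventid,event_title,detect_flg,comment`) has no provider or channel column, so if the statistics output keys on the numeric ID alone, an ID-1 event from any other provider will be reported under this title; the same applies to `59,Bits Job Creation,Yes,`. If the lookup really is ID-only, naming the source in the title (`1,Process creation (Sysmon only),Yes,`) or in the comment column would avoid mislabelling. This is inferred from the header; confirm against the code that reads this file.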
@@ -19,6 +22,8 @@ eventid,event_title,detect_flg,comment
 4696,Primary token assigned to process,,
 4692,Backup of data protection master key was attempted,,
 4697,Service installed,,
+4768,Kerberos TGT request,Yes,
+4769,Kerberos service ticket request,Yes,
 4717,System security access was granted to an account,,
 4719,System audit policy was changed,,
 4720,User account created,Yes,
@@ -34,7 +39,7 @@ eventid,event_title,detect_flg,comment
 4727,Security global group was changed,,
 4738,User accounts properties changed,,
 4739,Domain policy changed,,
-4776,NTLM logon to local user,,
+4776,NTLM logon to local user,Yes,
 4778,RDP session reconnected or user switched back through Fast User Switching,,
 4779,RDP session disconnected or user switched away through Fast User Switching,,
 4797,Attempt to query the account for a blank password,,
@@ -61,13 +66,15 @@ eventid,event_title,detect_flg,comment
 5058,Key file operation,,
 5059,Key migration operation,,
 5061,Cryptographic operation,,
-5140,Network share object was accessed,,
+5140,Network share access,Yes,
 5142,A network share object was added,,
 5144,A network share object was deleted,,
+5145,Network shared file access,Yes,
 5379,Credential Manager credentials were read,,
 5381,Vault credentials were read,,
 5382,Vault credentials were read,,
 5478,IPsec Services started,,
 5889,An object was deleted to the COM+ Catalog,,
 5890,An object was added to the COM+ Catalog,,
+8001,Wireless access point connect,Yes,
 unregistered_event_id,Unknown,,
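Review bot: In the `@@ -19` hunk `4768,Kerberos TGT request,Yes,` and `4769,Kerberos service ticket request,Yes,` are inserted between 4697 and 4717, while the rows around them run in ascending ID order; the natural position is after `4739,Domain policy changed,,` and before `4776,NTLM logon to local user,Yes,` in the `@@ -34` hunk. The file is not strictly sorted everywhere (4696 precedes 4692 just above), so this is a readability point rather than a functional one, assuming the reader does a keyed lookup.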