updated usage options #651
This commit is contained in:
DastInDark
@@ -323,42 +323,58 @@ USAGE:
|
||||
hayabusa.exe -f file.evtx [OPTIONS] / hayabusa.exe -d evtx-directory [OPTIONS]
|
||||
|
||||
OPTIONS:
|
||||
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
|
||||
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
|
||||
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
|
||||
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
|
||||
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
|
||||
-c, --rules-config <RULE_CONFIG_DIRECTORY> Specify custom rule config folder (default: ./rules/config)
|
||||
--contributors Print the list of contributors
|
||||
-d, --directory <DIRECTORY> Directory of multiple .evtx files
|
||||
-D, --deep-scan Disable event ID filter to scan all events
|
||||
--enable-deprecated-rules Enable rules marked as deprecated
|
||||
--end-timeline <END_TIMELINE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
|
||||
--exclude-status <EXCLUDE_STATUS>... Ignore rules according to status (ex: experimental) (ex: stable test)
|
||||
-f, --filepath <FILE_PATH> File path to one .evtx file
|
||||
-h, --help Print help information
|
||||
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
|
||||
-L, --logon-summary Print a summary of successful and failed logons
|
||||
--level-tuning [<LEVEL_TUNING_FILE>] Tune alert levels (default: ./rules/config/level_tuning.txt)
|
||||
-m, --min-level <LEVEL> Minimum level for rules (default: informational)
|
||||
-n, --enable-noisy-rules Enable rules marked as noisy
|
||||
--no-color Disable color output
|
||||
-o, --output <CSV_TIMELINE> Save the timeline in CSV format (ex: results.csv)
|
||||
-p, --pivot-keywords-list Create a list of pivot keywords
|
||||
-P, --profile <PROFILE> Specify output profile
|
||||
-q, --quiet Quiet mode: do not display the launch banner
|
||||
-Q, --quiet-errors Quiet errors mode: do not save error logs
|
||||
-r, --rules <RULE_DIRECTORY/RULE_FILE> Specify a rule directory or file (default: ./rules)
|
||||
-s, --statistics Print statistics of event IDs
|
||||
--set-default-profile <SET_DEFAULT_PROFILE> Set default output profile
|
||||
--start-timeline <START_TIMELINE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
|
||||
-t, --thread-number <NUMBER> Thread number (default: optimal number for performance)
|
||||
--target-file-ext <EVTX_FILE_EXT>... Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
|
||||
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository
|
||||
-U, --UTC Output time in UTC format (default: local time)
|
||||
-v, --verbose Output verbose information
|
||||
-V, --visualize-timeline Output event frequency timeline
|
||||
--version Print version information
|
||||
-h, --help Print help information
|
||||
--version Print version information
|
||||
|
||||
INPUT:
|
||||
-d, --directory <DIRECTORY> Directory of multiple .evtx files
|
||||
-f, --file <FILE> File path to one .evtx file
|
||||
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
|
||||
|
||||
ADVANCED:
|
||||
-c, --rules-config <DIRECTORY> Specify custom rule config directory (default: ./rules/config)
|
||||
--level-tuning [<FILE>] Tune alert levels (default: ./rules/config/level_tuning.txt)
|
||||
-Q, --quiet-errors Quiet errors mode: do not save error logs
|
||||
-r, --rules <DIRECTORY/FILE> Specify a custom rule directory or file (default: ./rules)
|
||||
-t, --thread-number <NUMBER> Thread number (default: optimal number for performance)
|
||||
--target-file-ext <EVTX_FILE_EXT>... Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
|
||||
|
||||
OUTPUT:
|
||||
-o, --output <FILE> Save the timeline in CSV format (ex: results.csv)
|
||||
|
||||
DISPLAY-SETTINGS:
|
||||
--no-color Disable color output
|
||||
-q, --quiet Quiet mode: do not display the launch banner
|
||||
-v, --verbose Output verbose information
|
||||
-V, --visualize-timeline Output event frequency timeline
|
||||
|
||||
FILTERING:
|
||||
-D, --deep-scan Disable event ID filter to scan all events
|
||||
--enable-deprecated-rules Enable rules marked as deprecated
|
||||
--exclude-status <STATUS>... Ignore rules according to status (ex: experimental) (ex: stable test)
|
||||
-m, --min-level <LEVEL> Minimum level for rules (default: informational)
|
||||
-n, --enable-noisy-rules Enable rules marked as noisy
|
||||
--timeline-end <DATE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
|
||||
--timeline-start <DATE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
|
||||
|
||||
OTHER-ACTIONS:
|
||||
--contributors Print the list of contributors
|
||||
-L, --logon-summary Print a summary of successful and failed logons
|
||||
-p, --pivot-keywords-list Create a list of pivot keywords
|
||||
-s, --statistics Print statistics of event IDs
|
||||
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository
|
||||
|
||||
TIME-FORMAT:
|
||||
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
|
||||
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
|
||||
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
|
||||
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
|
||||
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
|
||||
-U, --UTC Output time in UTC format (default: local time)
|
||||
|
||||
OUTPUT-SETTINGS:
|
||||
-P, --profile <PROFILE> Specify output profile
|
||||
--set-default-profile <PROFILE> Set default output profile
|
||||
```
|
||||
|
||||
## Usage Examples
|
||||
|
||||
Reference in New Issue
Block a user