diff --git a/Cargo.lock b/Cargo.lock index 6cf865b2..90f15bf7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -163,15 +163,15 @@ checksum = "b4ae4235e6dac0694637c763029ecea1a2ec9e4e06ec2729bd21ba4d9c863eb7" [[package]] name = "bumpalo" -version = "3.9.1" +version = "3.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4a45a46ab1f2412e53d3a0ade76ffad2025804294569aae387231a0cd6e0899" +checksum = "37ccbd214614c6783386c1af30caf03192f17891059cecc394b4fb119e363de3" [[package]] name = "bytecount" -version = "0.6.2" +version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72feb31ffc86498dacdbd0fcebb56138e7177a8cc5cea4516031d15ae85a742e" +checksum = "2c676a478f63e9fa2dd5368a42f28bba0d6c560b775f38583c8bbaa7fcd67c9c" [[package]] name = "byteorder" @@ -766,13 +766,11 @@ dependencies = [ [[package]] name = "flate2" -version = "1.0.23" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b39522e96686d38f4bc984b9198e3a0613264abaebaff2c5c918bfa6b6da09af" +checksum = "f82b0f4c27ad9f8bfd1f3208d882da2b09c301bc1c828fd3a00d0216d2fbbff6" dependencies = [ - "cfg-if 1.0.0", "crc32fast", - "libc", "miniz_oxide", ] @@ -937,7 +935,7 @@ dependencies = [ name = "hayabusa" version = "1.3.0" dependencies = [ - "base64 0.10.1", + "base64 0.13.0", "bytesize", "chrono", "clap 2.34.0", @@ -1107,9 +1105,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "1.8.1" +version = "1.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f647032dfaa1f8b6dc29bd3edb7bbef4861b8b8007ebb118d6db284fd59f6ee" +checksum = "e6012d540c5baa3589337a98ce73408de9b5a25ec9fc2c6fd6be8f0d39e0ca5a" dependencies = [ "autocfg 1.1.0", "hashbrown 0.11.2", 
@@ -1275,9 +1273,9 @@ dependencies = [ [[package]] name = "libz-sys" -version = "1.1.6" +version = "1.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92e7e15d7610cce1d9752e137625f14e61a28cd45929b6e12e47b50fe154ee2e" +checksum = "9702761c3935f8cc2f101793272e202c72b99da8f4224a19ddcf1279a6450bbf" dependencies = [ "cc", "libc", @@ -1382,9 +1380,9 @@ dependencies = [ [[package]] name = "miniz_oxide" -version = "0.5.1" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2b29bd4bc3f33391105ebee3589c19197c4271e3e5a9ec9bfe8127eeff8f082" +checksum = "6f5c75688da582b8ffc1f1799e9db273f32133c49e048f614d22ec3256773ccc" dependencies = [ "adler", ] @@ -1565,9 +1563,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.73" +version = "0.9.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d5fd19fb3e0a8191c1e34935718976a3e70c112ab9a24af6d7cadccd9d90bc0" +checksum = "835363342df5fba8354c5b453325b110ffd54044e588c539cf2f20a8014e4cb1" dependencies = [ "autocfg 1.1.0", "cc", @@ -1596,9 +1594,9 @@ dependencies = [ [[package]] name = "parking_lot" -version = "0.12.0" +version = "0.12.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87f5ec2493a61ac0506c0f4199f99070cbe83857b0337006a30f3e6719b8ef58" +checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" dependencies = [ "lock_api 0.4.7", "parking_lot_core 0.9.3", @@ -2332,9 +2330,9 @@ checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" [[package]] name = "syn" -version = "1.0.95" +version = "1.0.96" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbaf6116ab8924f39d52792136fb74fd60a80194cf1b1c6ffa6453eef1c3f942" +checksum = "0748dd251e24453cb8717f0354206b91557e4ec8703673a4b30208f2abaf1ebf" dependencies = [ "proc-macro2", "quote", 
@@ -2527,7 +2525,7 @@ dependencies = [ "mio 0.8.3", "num_cpus", "once_cell", - "parking_lot 0.12.0", + "parking_lot 0.12.1", "pin-project-lite", "signal-hook-registry", "socket2", diff --git a/README-Japanese.md b/README-Japanese.md index bcef2b8c..6ff4b3bd 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -184,7 +184,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.2.2-win-x64.exe -u +hayabusa-1.3.0-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -266,20 +266,20 @@ Hayabusa実行する際や、`.yml`ルールのダウンロードや実行時に ## Windows コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.2.2-windows-x64.exe` +例: `hayabusa-1.3.0-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.2.2-linux-x64-gnu +chmod +x ./hayabusa-1.3.0-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.2.2-linux-x64-gnu +./hayabusa-1.3.0-linux-x64-gnu ``` ## macOS @@ -287,13 +287,13 @@ chmod +x ./hayabusa-1.2.2-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.2.2-mac-intel +chmod +x ./hayabusa-1.3.0-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.2.2-mac-intel +./hayabusa-1.3.0-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -307,7 +307,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.2.2-mac-intel +./hayabusa-1.3.0-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 
@@ -322,33 +322,33 @@ macOSの環境設定から「セキュリティとプライバシー」を開き ```bash USAGE: - -d --directory=[DIRECTORY] '.evtxファイルを持つディレクトリのパス。' - -f --filepath=[FILEPATH] '1つの.evtxファイルのパス。' - -F --full-data '全てのフィールド情報を出力する。' - -r --rules=[RULEFILE/RULEDIRECTORY] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: ./rules)' - -C --config=[RULECONFIGDIRECTORY] 'ルールフォルダのコンフィグディレクトリ(デフォルト: ./rules/config)' - -o --output=[CSV_TIMELINE] 'タイムラインをCSV形式で保存する。(例: results.csv)' + -d, --directory [DIRECTORY] '.evtxファイルを持つディレクトリのパス。' + -f, --filepath [FILE_PATH] '1つの.evtxファイルのパス。' + -F, --full-data '全てのフィールド情報を出力する。' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: ./rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'ルールフォルダのコンフィグディレクトリ(デフォルト: ./rules/config)' + -o, --output [CSV_TIMELINE] 'タイムラインをCSV形式で保存する。(例: results.csv)' --all-tags '出力したCSVファイルにルール内のタグ情報を全て出力する。' - -R --display-record-id 'EventRecordIDを出力する。' - -v --verbose '詳細な情報を出力する。' - -D --enable-deprecated-rules 'Deprecatedルールを有効にする。' - -n --enable-noisy-rules 'Noisyルールを有効にする。' - -u --update-rules 'rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する。' - -m --min-level=[LEVEL] '結果出力をするルールの最低レベル。(デフォルト: informational)' - -l --live-analysis 'ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する。(Windowsのみ。管理者権限が必要。)' - --start-timeline=[STARTTIMELINE] '解析対象とするイベントログの開始時刻。(例: "2018-11-28 12:00:00 +09:00")' - --end-timeline=[ENDTIMELINE] '解析対象とするイベントログの終了時刻。(例: "2021-11-28 12:00:00 +09:00")' + -R, --display-record-id 'EventRecordIDを出力する。' + -v, --verbose '詳細な情報を出力する。' + -D, --enable-deprecated-rules 'Deprecatedルールを有効にする。' + -n, --enable-noisy-rules 'Noisyルールを有効にする。' + -u, --update-rules 'rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する。' + -m, --min-level [LEVEL] '結果出力をするルールの最低レベル。(デフォルト: informational)' + -l, --live-analysis 'ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する。(Windowsのみ。管理者権限が必要。)' + --start-timeline [START_TIMELINE] '解析対象とするイベントログの開始時刻。(例: "2018-11-28 12:00:00 +09:00")' + --end-timeline [END_TIMELINE] '解析対象とするイベントログの終了時刻。(例: 
"2021-11-28 12:00:00 +09:00")' --rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Mon, 07 Aug 2006 12:34:56 -0600)' --rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07T12:34:56.485214 -06:00)' - -U --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)' + -U, --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)' --no-color 'カラー出力を無効にする。' - -t --thread-number=[NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)' - -s --statistics 'イベント ID の統計情報を表示する。' - -L --logon-summary '成功と失敗したログオン情報の要約を出力する。' - -q --quiet 'Quietモード。起動バナーを表示しない。' - -Q --quiet-errors 'Quiet errorsモード。エラーログを保存しない。' - --level-tuning=[LEVEL_TUNING_FILE] 'ルールlevelのチューニング (default: ./rules/config/level_tuning.txt)' - -p --pivot-keywords-list 'ピボットキーワードの一覧作成。' + -t, --thread-number [NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)' + -s, --statistics 'イベント ID の統計情報を表示する。' + -L, --logon-summary '成功と失敗したログオン情報の要約を出力する。' + -q, --quiet 'Quietモード。起動バナーを表示しない。' + -Q, --quiet-errors 'Quiet errorsモード。エラーログを保存しない。' + --level-tuning [LEVEL_TUNING_FILE] 'ルールlevelのチューニング (default: ./rules/config/level_tuning.txt)' + -p, --pivot-keywords-list 'ピボットキーワードの一覧作成。' --contributors 'コントリビュータの一覧表示。' ``` 
@@ -357,79 +357,79 @@ USAGE: * 1つのWindowsイベントログファイルに対してHayabusaを実行します: ```bash -hayabusa-1.2.2-win-x64.exe -f eventlog.evtx +hayabusa-1.3.0-win-x64.exe -f eventlog.evtx ``` * 複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Hayabusaルールのみを実行します(デフォルトでは `-r .\rules` にあるすべてのルールが利用されます): ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行します: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行します: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します: ```bash -hayabusa-1.2.2-win-x64.exe 
-d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知します: ```bash -hayabusa-1.2.2-win-x64.exe -l -m low +hayabusa-1.3.0-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成します(結果は結果毎に`keywords-Ip Address.txt`や`keyworss-Users.txt`等に出力されます): ```bash -hayabusa-1.2.2-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.3.0-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を取得します: ```bash -hayabusa-1.2.2-win-x64.exe -f Security.evtx -s +hayabusa-1.3.0-win-x64.exe -f Security.evtx -s ``` * 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -640,7 +640,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.2.2-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.3.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: diff --git a/README.md b/README.md index 9148bd4e..636c923c 100644 --- a/README.md +++ b/README.md 
@@ -87,7 +87,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre ### Threat Hunting -Hayabusa currently has over 2200 sigma rules and around 125 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server. +Hayabusa currently has over 2300 sigma rules and over 130 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server. ### Fast Forensics Timeline Generation @@ -179,7 +179,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.2.2-win-x64.exe -u +hayabusa-1.3.0-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -264,20 +264,20 @@ If you are worried about malware or supply chain attacks, please check the hayab ## Windows In Command Prompt or Windows Terminal, just run the 32-bit or 64-bit Windows binary from the hayabusa root directory. -Example: `hayabusa-1.2.2-windows-x64.exe` +Example: `hayabusa-1.3.0-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.2.2-linux-x64-gnu +chmod +x ./hayabusa-1.3.0-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.2.2-linux-x64-gnu +./hayabusa-1.3.0-linux-x64-gnu ``` ## macOS 
@@ -285,13 +285,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.2.2-mac-intel +chmod +x ./hayabusa-1.3.0-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.2.2-mac-intel +./hayabusa-1.3.0-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -305,7 +305,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.2.2-mac-intel +./hayabusa-1.3.0-mac-intel ``` The following warning will pop up, so please click "Open". 
@@ -320,33 +320,33 @@ You should now be able to run hayabusa. ```bash USAGE: - -d --directory=[DIRECTORY] 'Directory of multiple .evtx files.' - -f --filepath=[FILEPATH] 'File path to one .evtx file.' - -F --full-data 'Print all field information.' - -r --rules=[RULEDIRECTORY/RULEFILE] 'Rule file or directory (default: ./rules)' - -C --config=[RULECONFIGDIRECTORY] 'Rule config folder. (Default: ./rules/config)' - -o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)' + -d, --directory [DIRECTORY] 'Directory of multiple .evtx files.' + -f, --filepath [FILE_PATH] 'File path to one .evtx file.' + -F, --full-data 'Print all field information.' + -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule file or directory (default: ./rules)' + -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: ./rules/config)' + -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)' --all-tags 'Output all tags when saving to a CSV file.' - -R --display-record-id 'Display EventRecordID.' - -v --verbose 'Output verbose information.' - -D --enable-deprecated-rules 'Enable rules marked as deprecated.' - -n --enable-noisy-rules 'Enable rules marked as noisy.' - -u --update-rules 'Update to the latest rules in the hayabusa-rules github repository.' - -m --min-level=[LEVEL] 'Minimum level for rules. (Default: informational)' - -l --live-analysis 'Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.)' - --start-timeline=[STARTTIMELINE] 'Start time of the event logs to load. (Example: "2018-11-28 12:00:00 +09:00")' - --end-timeline=[ENDTIMELINE] 'End time of the event logs to load. (Example: "2021-11-28 12:00:00 +09:00")' + -R, --display-record-id 'Display EventRecordID.' + -v, --verbose 'Output verbose information.' + -D, --enable-deprecated-rules 'Enable rules marked as deprecated.' + -n, --enable-noisy-rules 'Enable rules marked as noisy.' 
+ -u, --update-rules 'Update to the latest rules in the hayabusa-rules github repository.' + -m, --min-level [LEVEL] 'Minimum level for rules. (Default: informational)' + -l, --live-analysis 'Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.)' + --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: "2018-11-28 12:00:00 +09:00")' + --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: "2021-11-28 12:00:00 +09:00")' --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)' --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)' - -U --utc 'Output time in UTC format. (Default: local time)' + -U, --utc 'Output time in UTC format. (Default: local time)' --no-color 'Disable color output.' - -t --thread-number=[NUMBER] 'Thread number. (Default: Optimal number for performance.)' - -s --statistics 'Prints statistics of event IDs.' - -L --logon-summary 'Successful and failed logons summary.' - -q --quiet 'Quiet mode. Do not display the launch banner.' - -Q --quiet-errors 'Quiet errors mode. Do not save error logs.' - --level-tuning=[LEVEL_TUNING_FILE] 'Adjust rule level.(default: ./rules/config/level_tuning.txt) ' - -p --pivot-keywords-list 'Create a list of pivot keywords.' + -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)' + -s, --statistics 'Prints statistics of event IDs.' + -L, --logon-summary 'Successful and failed logons summary.' + -q, --quiet 'Quiet mode. Do not display the launch banner.' + -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.' + --level-tuning [LEVEL_TUNING_FILE] 'Adjust rule level.(default: ./rules/config/level_tuning.txt) ' + -p, --pivot-keywords-list 'Create a list of pivot keywords.' --contributors 'Prints the list of contributors.' ``` 
@@ -355,79 +355,79 @@ USAGE: * Run hayabusa against one Windows event log file: ```bash -hayabusa-1.2.2-win-x64.exe -f eventlog.evtx +hayabusa-1.3.0-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.3.0-win-x64.exe 
-d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.2.2-win-x64.exe -l -m low +hayabusa-1.3.0-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.2.2-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.3.0-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID statistics: ```bash -hayabusa-1.2.2-win-x64.exe -f Security.evtx -s +hayabusa-1.3.0-win-x64.exe -f Security.evtx -s ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.2.2-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.3.0-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: 
@@ -638,7 +638,7 @@ You can also add a rule ID to `rules/config/noisy_rules.txt` in order to ignore Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.2.2-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.3.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 6e686841..9c2ac8e0 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs 
@@ -69,32 +69,32 @@ fn build_app<'a>() -> ArgMatches<'a> {
 return ArgMatches::default();
 }
 
- let usages = "-d --directory=[DIRECTORY] 'Directory of multiple .evtx files.'
- -f --filepath=[FILEPATH] 'File path to one .evtx file.'
- -F --full-data 'Print all field information.'
- -r --rules=[RULEDIRECTORY/RULEFILE] 'Rule file or directory (default: ./rules)'
- -C --config=[RULECONFIGDIRECTORY] 'Rule config folder. (Default: ./rules/config)'
- -o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)'
+ let usages = "-d, --directory [DIRECTORY] 'Directory of multiple .evtx files.'
+ -f, --filepath [FILE_PATH] 'File path to one .evtx file.'
+ -F, --full-data 'Print all field information.'
+ -r, --rules [RULE_DIRECTORY/RULE_FILE] 'Rule directory or file (default: ./rules)'
+ -C, --config [RULE_CONFIG_DIRECTORY] 'Rule config folder. (Default: ./rules/config)'
+ -o, --output [CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)'
 --all-tags 'Output all tags when saving to a CSV file.'
- -R --display-record-id 'Display EventRecordID.'
- -v --verbose 'Output verbose information.'
- -D --enable-deprecated-rules 'Enable rules marked as deprecated.'
- -n --enable-noisy-rules 'Enable rules marked as noisy.'
- -u --update-rules 'Update to the latest rules in the hayabusa-rules github repository.'
- -m --min-level=[LEVEL] 'Minimum level for rules. (Default: informational)'
- -l --live-analysis 'Analyze the local C:\\Windows\\System32\\winevt\\Logs folder (Windows Only. Administrator privileges required.)'
- --start-timeline=[STARTTIMELINE] 'Start time of the event logs to load. (Example: \"2018-11-28 12:00:00 +09:00\")'
- --end-timeline=[ENDTIMELINE] 'End time of the event logs to load. (Example: \"2021-11-28 12:00:00 +09:00\")'
+ -R, --display-record-id 'Display EventRecordID.'
+ -v, --verbose 'Output verbose information.'
+ -D, --enable-deprecated-rules 'Enable rules marked as deprecated.'
+ -n, --enable-noisy-rules 'Enable rules marked as noisy.'
+ -u, --update-rules 'Update to the latest rules in the hayabusa-rules github repository.'
+ -m, --min-level [LEVEL] 'Minimum level for rules. (Default: informational)'
+ -l, --live-analysis 'Analyze the local C:\\Windows\\System32\\winevt\\Logs folder (Windows Only. Administrator privileges required.)'
+ --start-timeline [START_TIMELINE] 'Start time of the event logs to load. (Example: \"2018-11-28 12:00:00 +09:00\")'
+ --end-timeline [END_TIMELINE] 'End time of the event logs to load. (Example: \"2021-11-28 12:00:00 +09:00\")'
 --rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)'
 --rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)'
- -U --utc 'Output time in UTC format. (Default: local time)'
+ -U, --utc 'Output time in UTC format. (Default: local time)'
 --no-color 'Disable color output.'
- -t --thread-number=[NUMBER] 'Thread number. (Default: Optimal number for performance.)'
- -s --statistics 'Prints statistics of event IDs.'
- -L --logon-summary 'Successful and failed logons summary.'
- -q --quiet 'Quiet mode. Do not display the launch banner.'
- -Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
- -p --pivot-keywords-list 'Create a list of pivot keywords.'
+ -t, --thread-number [NUMBER] 'Thread number. (Default: Optimal number for performance.)'
+ -s, --statistics 'Prints statistics of event IDs.'
+ -L, --logon-summary 'Successful and failed logons summary.'
+ -q, --quiet 'Quiet mode. Do not display the launch banner.'
+ -Q, --quiet-errors 'Quiet errors mode. Do not save error logs.'
+ -p, --pivot-keywords-list 'Create a list of pivot keywords.'
 --contributors 'Prints the list of contributors.'";
 App::new(&program)
 .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")
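Review bot: The new `-r` line in `usages` reads `'Rule directory or file (default: ./rules)'`, while the README hunks in this same commit show the `--help` block as `'Rule file or directory (default: ./rules)'`, so the documented help output no longer matches what the binary prints; pick one wording and use it in both places. The README usage block also lists `--level-tuning [LEVEL_TUNING_FILE]`, which is absent from `usages` on both sides of this hunk — if that option is registered with a separate `.arg()` further down in `build_app` that is fine, otherwise it is advertised in the docs but never parsed. Because clap only interprets this string at startup, a typo in an option name or a mismatch like the two above is invisible at compile time; a small test that builds the `App` from `usages` and asserts the options the README documents are present would catch this drift on the next version bump. `build_app` starts before this hunk (its signature is only the hunk's context line) and continues after the `.about(...)` line.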