diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index d293e853..6ac70fe0 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,6 +1,13 @@
 # 変更点
 
-## v1.5.0 [2022/XX/XX]
+## v1.5.1 [2022/08/19]
+
+**Bug Fixes:**
+
+- Critical, medium、lowレベルのアラートはカラーで出力されていなかった。 (#663) (@fukusuket)
+- `-f`で存在しないevtxファイルが指定された場合は、Hayabusaがクラッシュしていた。 (#664) (@fukusuket)
+
+## v1.5.0 [2022/08/18]
 
 **新機能:**
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 290d118a..7675819c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changes
 
+## v1.5.1 [2022/08/19]
+
+**Bug Fixes:**
+
+- Critical, medium and low level alerts were not being displayed in color. (#663) (@fukusuket)
+- Hayabusa would crash when an evtx file specified with `-f` did not exist. (#664) (@fukusuket)
+
 ## v1.5.0 [2022/08/18]
 
 **New Features:**
diff --git a/Cargo.lock b/Cargo.lock
index 36dce0d5..e1facd6d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -707,7 +707,7 @@ dependencies = [
 
 [[package]]
 name = "hayabusa"
-version = "1.5.0"
+version = "1.5.1"
 dependencies = [
  "base64",
  "bytesize",
@@ -846,9 +846,9 @@ dependencies = [
 
 [[package]]
 name = "iana-time-zone"
-version = "0.1.45"
+version = "0.1.46"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef5528d9c2817db4e10cc78f8d4c8228906e5854f389ff6b076cee3572a09d35"
+checksum = "ad2bfd338099682614d3ee3fe0cd72e0b6a41ca6a87f6a74a3bd593c91650501"
 dependencies = [
  "android_system_properties",
  "core-foundation-sys",
diff --git a/Cargo.toml b/Cargo.toml
index 619d7e2b..e19cda31 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hayabusa"
-version = "1.5.0"
+version = "1.5.1"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
 
diff --git a/README-1.5.0-Japanese.pdf b/README-1.5.1-Japanese.pdf
similarity index 100%
rename from README-1.5.0-Japanese.pdf
rename to README-1.5.1-Japanese.pdf
diff --git a/README-1.5.0.pdf b/README-1.5.1.pdf similarity index 100% rename from README-1.5.0.pdf rename to README-1.5.1.pdf diff --git a/README-Japanese.md b/README-Japanese.md index aa0353bc..f6b39973 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -194,7 +194,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.5.0-win-x64.exe -u +hayabusa-1.5.1-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -299,20 +299,20 @@ Windows PC起動後の初回実行時に時間がかかる場合があります コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.5.0-windows-x64.exe` +例: `hayabusa-1.5.1-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.5.0-linux-x64-gnu +chmod +x ./hayabusa-1.5.1-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.5.0-linux-x64-gnu +./hayabusa-1.5.1-linux-x64-gnu ``` ## macOS @@ -320,13 +320,13 @@ chmod +x ./hayabusa-1.5.0-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.5.0-mac-intel +chmod +x ./hayabusa-1.5.1-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.5.0-mac-intel +./hayabusa-1.5.1-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -340,7 +340,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.5.0-mac-intel +./hayabusa-1.5.1-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 
@@ -420,84 +420,84 @@ TIME-FORMAT: * 1つのWindowsイベントログファイルに対してHayabusaを実行します: ```bash -hayabusa-1.5.0-win-x64.exe -f eventlog.evtx +hayabusa-1.5.1-win-x64.exe -f eventlog.evtx ``` * `verbose`プロファイルで複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます(注意: `verbose-details-and-all-field-info`プロファイルを使すると、出力するファイルのサイズがとても大きくなります!): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P `verbose-details-and-all-field-info` +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P `verbose-details-and-all-field-info` ``` * Hayabusaルールのみを実行します(デフォルトでは`-r .\rules`にあるすべてのルールが利用されます): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行します: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行します: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv 
+hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知します: ```bash -hayabusa-1.5.0-win-x64.exe -l -m low +hayabusa-1.5.1-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成します(結果は結果毎に`keywords-Ip Address.txt`や`keywords-Users.txt`等に出力されます): ```bash -hayabusa-1.5.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.5.1-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を出力します: ```bash -hayabusa-1.5.0-win-x64.exe -f Security.evtx -s +hayabusa-1.5.1-win-x64.exe -f Security.evtx -s ``` * ログオンサマリを出力します: ```bash -hayabusa-1.5.0-win-x64.exe -L -f Security.evtx -s +hayabusa-1.5.1-win-x64.exe -L -f Security.evtx -s ``` * 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -769,7 +769,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.5.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.5.1-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: diff --git a/README.md b/README.md index 5a8db360..9b7228e9 100644 --- a/README.md +++ b/README.md 
@@ -186,7 +186,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.5.0-win-x64.exe -u +hayabusa-1.5.1-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -291,20 +291,20 @@ You may experience slow runtime especially on the first run after a reboot due t In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary. -Example: `hayabusa-1.5.0-windows-x64.exe` +Example: `hayabusa-1.5.1-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.5.0-linux-x64-gnu +chmod +x ./hayabusa-1.5.1-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.5.0-linux-x64-gnu +./hayabusa-1.5.1-linux-x64-gnu ``` ## macOS @@ -312,13 +312,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.5.0-mac-intel +chmod +x ./hayabusa-1.5.1-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.5.0-mac-intel +./hayabusa-1.5.1-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -332,7 +332,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.5.0-mac-intel +./hayabusa-1.5.1-mac-intel ``` The following warning will pop up, so please click "Open". 
@@ -412,85 +412,85 @@ TIME-FORMAT: * Run hayabusa against one Windows event log file with default standard profile: ```bash -hayabusa-1.5.0-win-x64.exe -f eventlog.evtx +hayabusa-1.5.1-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files with the verbose profile: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information (Warning: your file output size will become much larger with the `verbose-details-and-all-field-info` profile!): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is 
listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.5.0-win-x64.exe -l -m low +hayabusa-1.5.1-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.5.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.5.1-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID statistics: ```bash -hayabusa-1.5.0-win-x64.exe -f Security.evtx -s +hayabusa-1.5.1-win-x64.exe -f Security.evtx -s ``` * Print logon summary: ```bash -hayabusa-1.5.0-win-x64.exe -L -f Security.evtx -s +hayabusa-1.5.1-win-x64.exe -L -f Security.evtx -s ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.5.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: 
@@ -762,7 +762,7 @@ You can also add a rule ID to `./rules/config/noisy_rules.txt` in order to ignor Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.5.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.5.1-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: diff --git a/contributors.txt b/contributors.txt index c83015c7..dd3e8a57 100644 --- a/contributors.txt +++ b/contributors.txt @@ -1,7 +1,7 @@ Hayabusa was possible thanks to the following people (in alphabetical order): Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc... -Fukusuke Takahashi (fukuseket): Static compiling for Windows, race condition bug fix. +Fukusuke Takahashi (fukuseket): Static compiling for Windows, race condition and other bug fixes. Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc... ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc... James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc…