Merge pull request #425 from Yamato-Security/develop

v1.1.0 Release
This commit is contained in:
Yamato Security
2022-03-03 09:09:48 +09:00
committed by GitHub
1240 changed files with 2163 additions and 48721 deletions


@@ -15,6 +15,8 @@ jobs:
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
- uses: actions-rs/toolchain@v1
with:
toolchain: nightly
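Review bot: `toolchain: nightly` on the actions-rs/toolchain step is unpinned, so each CI run builds with whatever nightly is current that day and a breakage will be hard to reproduce; pin a dated nightly (rustup accepts the form `nightly-YYYY-MM-DD`) or use `stable` if the crate builds on it. The `submodules: recursive` checkout is required now that `rules` is a git submodule (see the `.gitmodules` change in this commit), but it fetches hayabusa-rules at the commit the submodule pointer records, so CI will not see newer rules until that pointer is bumped.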

3
.gitmodules vendored

@@ -0,0 +1,3 @@
[submodule "rules"]
path = rules
url = https://github.com/Yamato-Security/hayabusa-rules.git
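Review bot: `https://` for the submodule URL is the right choice for a public rules repository (clones and CI need no SSH key), but `.gitmodules` alone does not record which hayabusa-rules commit is pinned; that lives in the superproject tree. Since `-u / --update-rules` (CHANGELOG) later moves the working copy away from the pinned commit, the release notes or README should state which rules revision v1.1.0 ships with so users can tell a fresh clone from an updated one.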

29
CHANGELOG-Japanese.md Normal file

@@ -0,0 +1,29 @@
# 変更点
##v1.1.0 [2022/03/03]
**新機能:**
- `-r / --rules`オプションで一つのルール指定が可能。(ルールをテストする際に便利!) (@kazuminn)
- ルール更新オプション (`-u / --update-rules`): [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules)レポジトリにある最新のルールに更新できる。 (@hitenkoku)
- ライブ調査オプション (`-l / --live-analysis`): Windowsイベントログディレクトリを指定しないで、楽にWindows端末でライブ調査ができる。(@hitenkoku)
**改善:**
- ドキュメンテーションの更新。 (@kazuminn@itiB@hitenkoku@YamatoSecurity)
- ルールの更新。(Hayabusaルール: 20個以上、Sigmaルール: 200個以上) (@YamatoSecurity)
- Windowsバイナリは静的でコンパイルしているので、Visual C++ 再頒布可能パッケージをインストールする必要はない。(@hitenkoku)
- カラー出力 (`-c / --color`) True Colorに対応しているターミナル(Windows Terminal、iTerm2等々)ではカラーで出力できる。(@hitenkoku)
- MITRE ATT&CK戦略が出力される。(@hitenkoku)
- パフォーマンスの改善。(@hitenkoku)
- exclude_rules.txtとnoisy_rules.txtの設定ファイルのコメント対応。(@kazuminn)
- より速いメモリアロケータの利用。 (Windowsの場合はrpmalloc、macOS/Linuxの場合は、jemalloc) (@kazuminn)
- Cargo crateの更新。 (@YamatoSecurity)
**バグ修正:**
- `cargo update`がより安定するために、clapのバージョンを固定した。(@hitenkoku)
- フィールドのタブや改行がある場合に、ルールが検知しなかったので、修正した。(@hitenkoku)
## v1.0.0-Release 2 [2022/01/27]
- アンチウィルスに誤検知されたExcelの結果ファイルの削除。(@YamatoSecurity)
- Rustのevtxライブラリを0.7.2に更新。 (@YamatoSecurity)
## v1.0.0 [2021/12/25]
- 最初のリリース
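Review bot: `##v1.1.0 [2022/03/03]` is missing the space after `##`, so Markdown renders it as literal text rather than a heading (the `## v1.0.0-Release 2` line further down shows the intended form). The credit on the documentation line, `(@kazuminn@itiB@hitenkoku@YamatoSecurity)`, runs the handles together without separators and includes @itiB, whereas the English CHANGELOG credits `@kazuminn , @hitenkoku , @YamatoSecurity` for the same item; settle on one list and separate the handles with commas in both files.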

29
CHANGELOG.md Normal file

@@ -0,0 +1,29 @@
# Changes
##v1.1.0 [2022/03/03]
**New Features:**
- Can specify a single rule with the `-r / --rules` option. (Great for testing rules!) (@kazuminn)
- Rule update option (`-u / --update-rules`): Update to the latest rules in the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) repository. (@hitenkoku)
- Live analysis option (`-l / --live-analysis`): Can easily perform live analysis on Windows machines without specifying the Windows event log directory. (@hitenkoku)
**Enhancements:**
- Updated documentation. (@kazuminn , @hitenkoku , @YamatoSecurity)
- Updated rules. (20+ Hayabusa rules, 200+ Sigma rules) (@YamatoSecurity)
- Windows binaries are now statically compiled so installing Visual C++ Redistributable is not required. (@hitenkoku)
- Color output (`-c / --color`) for terminals that support True Color (Windows Terminal, iTerm2, etc...). (@hitenkoku)
- MITRE ATT&CK tactics are included in the saved CSV output. (@hitenkoku)
- Performance improvement. (@hitenkoku)
- Comments added to exclusion and noisy config files. (@kazuminn)
- Using faster memory allocators (rpmalloc for Windows, jemalloc for macOS and Linux.) (@kazuminn)
- Updated cargo crates. (@YamatoSecurity)
**Bug Fixes:**
- Made the clap library version static to make `cargo update` more stable. (@hitenkoku)
- Some rules were not alerting if there were tabs or carriage returns in the fields. (@hitenkoku)
## v1.0.0-Release 2 [2022/01/27]
- Removed Excel result sample files as they were being flagged by anti-virus. (@YamatoSecurity)
- Updated the Rust evtx library to 0.7.2 (@YamatoSecurity)
## v1.0.0 [2021/12/25]
- Initial release.
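Review bot: same heading defect as the Japanese file: `##v1.1.0 [2022/03/03]` needs a space after `##` to render as a heading. Also, the new rule update option is listed as `-u / --update-rules`, but the 341-line README removed in this commit documented `-u --utc 'Output time in UTC format'` and used `-u` in its logon-analysis example; if the short flag has been reassigned, the changelog should flag that as a breaking change for existing scripts, and if it has not, this entry is wrong.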

900
Cargo.lock generated

File diff suppressed because it is too large


@@ -1,40 +1,41 @@
[package]
name = "hayabusa"
version = "1.0.0"
authors = ["Yamato Security @yamatosecurity"]
version = "1.1.0"
authors = ["Yamato Security @SecurityYamato"]
edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
evtx = { git = "https://github.com/omerbenamram/evtx.git" }
quick-xml = {version = "0.17", features = ["serialize"] }
serde = { version = "1.0", features = ["derive"] }
evtx = { git = "https://github.com/omerbenamram/evtx.git" , rev = "95a8ca6" , features = ["fast-alloc"]}
quick-xml = {version = "0.22.0", features = ["serialize"] }
serde = { version = "1.0.*", features = ["derive"] }
serde_json = { version = "1.0"}
serde_derive = "1.0"
serde_derive = "1.0.*"
clap = "2.*"
regex = "1.5.4"
csv = "1.1"
regex = "1.5.*"
csv = "1.1.*"
base64 = "*"
flate2 = "1.0"
flate2 = "1.0.*"
lazy_static = "1.4.0"
chrono = "0.4.19"
yaml-rust = "0.4"
linked-hash-map = "0.5.3"
yaml-rust = "0.4.*"
linked-hash-map = "0.5.*"
tokio = { version = "1", features = ["full"] }
num_cpus = "1.13.0"
mopa = "0.2.2"
num_cpus = "1.13.*"
mopa = "0.2.*"
slack-hook = "0.8"
dotenv = "0.15.0"
dotenv = "0.15.*"
hhmmss = "*"
pbr = "*"
hashbrown = "0.11.2"
hashbrown = "0.12.*"
colored = "2.*"
hex = "0.4.*"
git2="0.13"
[target.x86_64-pc-windows-gnu]
linker = "x86_64-w64-mingw32-gcc"
[target.i686-pc-windows-gnu]
linker = "i686-w64-mingw32-gcc"
[target.'cfg(windows)'.dependencies]
is_elevated = "0.1.2"
static_vcruntime = "1.5.*"
[profile.release]
lto = true
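Review bot: `base64 = "*"`, `hhmmss = "*"` and `pbr = "*"` accept any version, including a future major release with breaking API changes, so the `cargo update` that the README explicitly invites users to run can pull in an incompatible crate; constrain them to a major version in the `1.0.*` style used for the other entries. Pinning `evtx` to `rev = "95a8ca6"` is good for reproducibility. The new `git2 = "0.13"` dependency (presumably backing `--update-rules`) links libgit2 and, on macOS/Linux, OpenSSL, which is what the new README sections about `openssl` build errors work around; saying so in the README would tell readers why `libssl-dev` / `openssl-devel` is suddenly needed.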


@@ -1,341 +0,0 @@
<div align="center">
<p>
![Hayabusa Logo](hayabusa-logo.png)
</p>
</div>
# About Hayabusa
Hayabusa is a **Windows event log fast forensics timeline generator** and **threat hunting tool** created by the [Yamato Security](https://yamatosecurity.connpass.com/) group in Japan. Hayabusa means ["peregrine falcon"](https://en.wikipedia.org/wiki/Peregrine_falcon") in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in [Rust](https://www.rust-lang.org/) and supports multi-threading in order to be as fast as possible. We have provided a [tool](https://github.com/Yamato-Security/hayabusa/tree/main/tools/sigmac) to convert [sigma](https://github.com/SigmaHQ/sigma) rules into hayabusa rule format. The hayabusa detection rules, like sigma, are also written in YML in order to be as easily customizable and extensible as possible. It can be run either on running systems for live analysis or by gathering logs from multiple systems for offline analysis. (At the moment, it does not support real-time alerting or periodic scans.) The output will be consolidated into a single CSV timeline for easy analysis in Excel or [Timeline Explorer](https://ericzimmerman.github.io/#!index.md).
## Main goals
### Threat hunting
Hayabusa currently has over 1000 sigma rules and around 50 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server.
### Fast forensics timeline generation
Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) the majority of data is noise and not useful for investigations. Hayabusa's main goal is to extract out only useful data and present it in an easy-to-read format that is usable not only by professionally trained analysts but also by any Windows system administrator.
Hayabusa is not intended to be a replacement for tools like [Evtx Explorer](https://ericzimmerman.github.io/#!index.md) or [Event Log Explorer](https://eventlogxp.com/) for more deep-dive analysis but is intended for letting analysts get 80% of their work done in 20% of the time.
# About the development
First inspired by the [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) Windows event log analyzer, we started in 2020 porting it over to Rust for the [RustyBlue](https://github.com/Yamato-Security/RustyBlue) project, then created sigma-like flexible detection signatures written in YML, and then added a backend to sigma to support converting sigma rules into our hayabusa rule format.
# Screenshots
## Startup:
![Hayabusa Startup](/screenshots/Hayabusa-Startup.png)
## Terminal output:
![Hayabusa terminal output](/screenshots/Hayabusa-Results.png)
## Results summary:
![Hayabusa results summary](/screenshots/HayabusaResultsSummary.png)
## Analysis in Excel:
![Hayabusa analysis in Excel](/screenshots/ExcelScreenshot.png)
## Analysis in Timeline Explorer:
![Hayabusa analysis in Timeline Explorer](screenshots/TimelineExplorer-ColoredTimeline.png)
## Critical alert filtering and computer grouping in Timeline Explorer:
![Critical alert filtering and computer grouping in Timeline Explorer](screenshots/TimelineExplorer-CriticalAlerts-ComputerGrouping.png)
# Sample timeline results
You can check out sample CSV and manually edited XLSX timeline results [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results).
You can learn how to analyze CSV timelines in Excel and Timeline Explorer [here](doc/CSV-AnalysisWithExcelAndTimelineExplorer-English.pdf).
# Features
* Cross-platform support: Windows, Linux, macOS
* Developed in Rust to be memory safe and faster than a hayabusa falcon!
* Multi-thread support delivering up to a 5x speed improvement!
* Creates a single easy-to-analyze CSV timeline for forensic investigations and incident response
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules
* Sigma rule support to convert sigma rules to hayabusa rules
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules
* Event log statistics (Useful for getting a picture of what types of events there are and for tuning your log settings)
* Rule tuning configuration by excluding bad rules or noisy rules
# Planned Features
* Enterprise-wide hunting on all endpoints
* Japanese language support
* MITRE ATT&CK mapping
* MITRE ATT&CK heatmap generation
* User logon and failed logon summary
* Input from JSON logs
* JSON support for sending alerts to Elastic Stack/Splunk, etc...
# Downloads
You can download the latest Hayabusa version from the [Releases](https://github.com/Yamato-Security/hayabusa/releases) page.
You can also `git clone` the repository with the following command and compile binary from source code.:
```bash
git clone https://github.com/Yamato-Security/hayabusa.git
```
# Compiling from source (Optional)
If you have rust installed, you can compile from source with the following command:
```bash
cargo clean
cargo build --release
```
## Advanced: Updating Rust packages
You can update to the latest rust crates before compiling to get the latest libraries:
```bash
cargo update
```
Please let us know if anything breaks after you update.
## Testing hayabusa out on sample evtx files
We have provided some sample evtx files for you to test hayabusa and/or create new rules at [https://github.com/Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx)
You can download the sample evtx files to a new `hayabusa-sample-evtx` sub-directory with the following command:
```bash
git clone https://github.com/Yamato-Security/hayabusa-sample-evtx.git
```
> Note: You need to run the binary from the Hayabusa root directory.
# Usage
> Note: You need to run the Hayabusa binary from the Hayabusa root directory. Example: `.\hayabusa.exe`
## Command line options
```bash
USAGE:
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-f --filepath=[FILEPATH] 'File path to one .evtx file'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. Example: results.csv'
-v --verbose 'Output verbose information'
-D --enable-deprecated-rules 'Enable sigma rules marked as deprecated'
-n --enable-noisy-rules 'Enable rules marked as noisy'
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
--start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
-u --utc 'Output time in UTC format (default: local time)'
-t --thread-number=[NUMBER] 'Thread number (default: optimal number for performance)'
-s --statistics 'Prints statistics of event IDs'
-q --quiet 'Quiet mode. Do not display the launch banner'
-Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
--contributors 'Prints the list of contributors'
```
## Usage examples
* Run hayabusa against one Windows event log file:
```bash
.\hayabusa.exe -f eventlog.evtx
```
* Run hayabusa against the sample-evtx directory with multiple Windows event log files:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx
```
* Export to a single CSV file for further analysis with excel or timeline explorer:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv
```
* Only run hayabusa rules (the default is to run all the rules in `-r .\rules`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv
```
* Only run hayabusa rules for logs that are enabled by default on Windows:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv
```
* Only run hayabusa rules for sysmon logs:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv
```
* Only run sigma rules:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\config\noisy-rules.txt`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv
```
* Only run rules to analyze logons and output in the UTC timezone:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -u -o results.csv
```
* Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior):
```bash
.\hayabusa.exe -d C:\Windows\System32\winevt\Logs -m low
```
* Get event ID statistics:
```bash
.\hayabusa.exe -f Security.evtx -s
```
* Print verbose information (useful for determining which files take long to process, parsing errors, etc...):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -v
```
* Verbose output example:
```bash
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information\u{a0}Compile After Delivery/sysmon.evtx"
1 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.20 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx"
2 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.39 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets\u{a0}Kerberoasting/Security.evtx"
3 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.59 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx"
4 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.79 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution\u{a0}InstallUtil/sysmon.evtx"
5 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.98 % 1s
```
* Quiet error mode:
By default, hayabusa will save error messages to error log files.
If you do not want to save error messages, please add `-Q`.
# Hayabusa output
When Hayabusa output is being displayed to the screen (the default), it will display the following information:
* `Timestamp`: Default is `YYYY-MM-DD HH:mm:ss.sss +hh:mm` format. This comes from the `<Event><System><TimeCreated SystemTime>` field in the event log. The default timezone will be the local timezone but you can change the timezone to UTC with the `--utc` option.
* `Computer`: This comes from the `<Event><System><Computer>` field in the event log.
* `Event ID`: This comes from the `<Event><System><EventID>` field in the event log.
* `Level`: This comes from the `level` field in the YML detection rule. (`informational`, `low`, `medium`, `high`, `critical`) By default, all level alerts will be displayed but you can set the minimum level with `-m`. For example, you can set `-m high`) in order to only scan for and display high and critical alerts.
* `Title`: This comes from the `title` field in the YML detection rule.
* `Details`: This comes from the `details` field in the YML detection rule, however, only Hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `<Event><System><EventData>` portion of the log. For example, usernames, command line information, process information, etc...
When saving to a CSV file an additional two fields will be added:
* `Rule Path`: The path to the detection rule that generated the alert or event.
* `File Path`: The path to the evtx file that caused the alert or event.
## Progress bar
The progress bar will only work with multiple evtx files.
It will display in real time the number and percent of evtx files that it has analyzed.
# Hayabusa rules
Hayabusa detection rules are written in a sigma-like YML format and are located in the `rules` folder. In the future, we plan to host the rules at [https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) so please send any issues and pull requests for rules there instead of the main hayabusa repository.
Please read [AboutRuleCreation-English.md](./doc/AboutRuleCreation-English.md) to understand about the rule format how to create rules.
All of the rules from the hayabusa-rules repository should be placed in the `rules` folder.
`informational` level rules are considered `events`, while anything with a `level` of `low` and higher are considered `alerts`.
The hayabusa rule directory structure is separated into 3 directories:
* `default`: logs that are turned on in Windows by default.
* `non-default`: logs that need to be turned on through group policy, security baselines, etc...
* `sysmon`: logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
* `testing`: a temporary directory to put rules that you are currently testing
Rules are further seperated into directories by log type (Example: Security, System, etc...) and are named in the following format:
* Alert format: `<EventID>_<MITRE ATT&CK Name>_<Description>.yml`
* Alert example: `1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml`
* Event format: `<EventID>_<Description>.yml`
* Event example: `4776_NTLM-LogonToLocalAccount.yml`
Please check out the current rules to use as a template in creating new ones or for checking the detection logic.
## Hayabusa v.s. converted Sigma rules
Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa/blob/main/tools/sigmac/README-English.md). Hayabusa rules are designed solely for Windows event log analysis and have the following benefits:
1. An extra `details` field to display additional information taken from only the useful fields in the log.
2. They are all tested against sample logs and are known to work.
> Some sigma rules may not work as intended due to bugs in the conversion process, unsupported features, or differences in implementation (such as in regular expressions).
**Limitations**: To our knowledge, hayabusa provides the greatest support for sigma rules out of any open source Windows event log analysis tool, however, there are still rules that are not supported:
1. Rules that use regular expressions that do not work with the [Rust regex crate](https://docs.rs/regex/1.5.4/regex/)
2. Aggregation expressions besides `count` in the [sigma rule specification](https://github.com/SigmaHQ/sigma/wiki/Specification).
> Note: the limitation is in the sigma rule converter and not in hayabusa itself.
## Detection rule tuning
Like firewalls and IDSes, any signature-based tool will require some tuning to fit your environment so you may need to permanently or temporarily exclude certain rules.
You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `config/exclude-rules.txt` in order to ignore any rule that you do not need or cannot be used.
You can also add a rule ID to `config/noisy-rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
## Event ID filtering
You can filter on event IDs by placing event ID numbers in `config/target_eventids.txt`.
This will increase performance so it is recommended if you only need to search for certain IDs.
We have provided a sample ID filter list at [`config/target_eventids_sample.txt`](https://github.com/Yamato-Security/hayabusa/blob/main/config/target_eventids_sample.txt) created from the `EventID` fields in all of the rules as well as IDs seen in actual results.
Please use this list if you want the best performance but be aware that there is a slight possibility for missing events (false negatives).
# Other Windows event log analyzers and related projects
There is no "one tool to rule them all" and we have found that each has its own merits so we recommend checking out these other great tools and projects and seeing which ones you like.
- [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - Attack detection tool written in Python.
- [Chainsaw](https://github.com/countercept/chainsaw) - A similar sigma-based attack detection tool written in Rust.
- [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - Attack detection tool written in Powershell by [Eric Conrad](https://twitter.com/eric_conrad).
- [EventList](https://github.com/miriamxyra/EventList/) - Map security baseline event IDs to MITRE ATT&CK by [Miriam Wiesner](https://github.com/miriamxyra)
- [EVTXtract](https://github.com/williballenthin/EVTXtract) - Recover EVTX log files from unallocated space and memory images.
- [EvtxToElk](https://www.dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/) - Python tool to send Evtx data to Elastic Stack.
- [EVTX ATTACK Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - EVTX attack sample event log files by [SBousseaden](https://twitter.com/SBousseaden).
- [EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - Another great repository of EVTX attack sample logs mapped to ATT&CK.
- [EVTX parser](https://github.com/omerbenamram/evtx) - the Rust library we used written by [@OBenamram](https://twitter.com/obenamram).
- [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - A graphical interface to visualize logons to detect lateral movement by [JPCERTCC](https://twitter.com/jpcert_en).
- [RustyBlue](https://github.com/Yamato-Security/RustyBlue) - Rust port of DeepBlueCLI by Yamato Security.
- [Sigma](https://github.com/SigmaHQ/sigma) - Community based generic SIEM rules.
- [so-import-evtx](https://docs.securityonion.net/en/2.3/so-import-evtx.html) - Import evtx files into Security Onion.
- [Timeline Explorer](https://ericzimmerman.github.io/#!index.md) - The best CSV timeline analyzer by [Eric Zimmerman](https://twitter.com/ericrzimmerman).
- [Windows Event Log Analysis - Analyst Reference](https://www.forwarddefense.com/media/attachments/2021/05/15/windows-event-log-analyst-reference.pdf) - by Forward Defense's Steve Anson.
- [WELA (Windows Event Log Analyzer)](https://github.com/Yamato-Security/WELA) - The swiff-army knife for Windows event logs by [Yamato Security](https://github.com/Yamato-Security/)
- [Zircolite](https://github.com/wagga40/Zircolite) - Sigma-based attack detection tool written in Python.
## Comparison to other similar tools that support sigma
Please understand that it is not possible to do a perfect comparison as results will differ based on the target sample data, command-line options, rule tuning, etc...
In our tests, we have found hayabusa to support the largest number of sigma rules out of all the tools while still maintaining very fast speeds and does not require a great amount of memory.
The following benchmarks were taken on a Lenovo P51 based on approximately 500 evtx files (130MB) from our [sample-evtx repository](https://github.com/Yamato-Security/hayabusa-sample-evtx) at 2021/12/23 with Hayabusa version 1.0.0.
| | Elapsed Time | Memory Usage | Unique Sigma Rules With Detections |
| :---: | :---: | :---: | :---: |
| Chainsaw | 7.5 seconds | 75 MB | 170 |
| Hayabusa | 7.8 seconds | 340 MB | 267 |
| Zircolite | 34 seconds | 380 MB (normally requires 3 times the size of the log files) | 237 |
* With hayabusa rules enabled, it will detect around 300 unique alerts and events.
* When tested on many event logs files totaling 7.5 GB, it finished in under 7 minutes and used around 1 GB of memory. The amount of memory consumed is based on the size of the results, not on the size of the target evtx files.
* It is the only tool that provides a consolidated single CSV timeline to analysis in tools like [Timeline Explorer](https://ericzimmerman.github.io/#!index.md).
# Community Documentation
## English
- 2022/01/24 [Graphing Hayabusa results in neo4j](https://www.youtube.com/watch?v=7sQqz2ek-ko) by Matthew Seyer ([@forensic_matt](https://twitter.com/forensic_matt))
## Japanese
- 2022/01/22 [Visualizing Hayabusa results in Elastic Stack](https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749) by [@kzzzzo2](https://qiita.com/kzzzzo2)
- 2021/12/31 [Intro to Hayabusa](https://itib.hatenablog.com/entry/2021/12/31/222946) by itiB ([@itiB_S144](https://twitter.com/itiB_S144))
- 2021/12/27 [Hayabusa internals](https://kazuminkun.hatenablog.com/entry/2021/12/27/190535) by Kazuminn ([@k47_um1n](https://twitter.com/k47_um1n))
# Contribution
We would love any form of contribution. Pull requests, rule creation and sample evtx logs are the best but feature requests, notifying us of bugs, etc... are also very welcome.
At the least, if you like our tool then please give us a star on Github and show your support!
# License
Hayabusa is released under [GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html) and all rules are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md).
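Review bot: this deletes the whole English README, including the only copy of the command-line reference, and the commit does not show where that content now lives; the Japanese README in the same commit links to `README.md` as the English version, so a matching English file is expected. Two items in the removed text need carrying over with corrections rather than as-is: the option table and the logon example `-r .\rules\hayabusa\default\events\Security\Logons -u` use `-u` for UTC, which conflicts with the new `-u / --update-rules`, and the live-analysis example `-d C:\Windows\System32\winevt\Logs -m low` should be replaced by the new `-l / --live-analysis` option, which the changelog says exists precisely so the log directory need not be specified.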


@@ -1,20 +1,75 @@
<div align="center">
<p>
![Hayabusa Logo](hayabusa-logo.png)
<img alt="Hayabusa Logo" src="hayabusa-logo.png" width="50%">
</p>
[<a href="README.md">English</a>] | [<b>日本語</b>]
</div>
---
[tag-1]: https://img.shields.io/github/downloads/Yamato-Security/hayabusa/total?style=plastic&label=GitHub%F0%9F%A6%85DownLoads
[tag-2]: https://img.shields.io/github/stars/Yamato-Security/hayabusa?style=plastic&label=GitHub%F0%9F%A6%85Stars
[tag-3]: https://img.shields.io/github/v/release/Yamato-Security/hayabusa?display_name=tag&label=latest-version&style=plastic
![tag-1] ![tag-2] ![tag-3]
# Hayabusa について
Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/)グループによって作られた**Windowsイベントログのファストフォレンジックタイムライン生成**および**スレットハンティングツール**です。 Hayabusaは日本語で[「ハヤブサ」](https://en.wikipedia.org/wiki/Peregrine_falcon)を意味し、ハヤブサが世界で最も速く、狩猟(hunting)に優れ、とても訓練しやすい動物であることから選ばれました。[Rust](https://www.rust-lang.org/) で開発され、マルチスレッドに対応し、可能な限り高速に動作するよう配慮されています。[Sigma](https://github.com/SigmaHQ/Sigma)ルールをHayabusaルール形式に変換する[ツール](https://github.com/Yamato-Security/hayabusa/tree/main/tools/Sigmac)も提供しています。Hayabusaの検知ルールもSigmaと同様にYML形式であり、カスタマイズ性や拡張性に優れます。稼働中のシステムで実行してライブ調査することも、複数のシステムからログを収集してオフライン調査することも可能です。(※現時点では、リアルタイムアラートや定期的なスキャンには対応していません。) 出力は一つのCSVタイムラインにまとめられ、Excelや[Timeline Explorer](https://ericzimmerman.github.io/#!index.md)で簡単に分析できるようになります。
## 目次
- [Hayabusa について](#hayabusa-について)
- [目次](#目次)
- [主な目的](#主な目的)
- [スレット(脅威)ハンティング](#スレット脅威ハンティング)
- [フォレンジックタイムラインの高速生成](#フォレンジックタイムラインの高速生成)
- [開発について](#開発について)
- [スクリーンショット](#スクリーンショット)
- [起動画面:](#起動画面)
- [ターミナル出力画面:](#ターミナル出力画面)
- [結果サマリ画面:](#結果サマリ画面)
- [Excelでの解析:](#excelでの解析)
- [Timeline Explorerでの解析:](#timeline-explorerでの解析)
- [Criticalアラートのフィルタリングとコンピュータごとのグルーピング:](#criticalアラートのフィルタリングとコンピュータごとのグルーピング)
- [タイムラインのサンプル結果](#タイムラインのサンプル結果)
- [特徴](#特徴)
- [予定されている機能](#予定されている機能)
- [ダウンロード](#ダウンロード)
- [ソースコードからのコンパイル(任意)](#ソースコードからのコンパイル任意)
- [32ビットWindowsバイナリのクロスコンパイル](#32ビットwindowsバイナリのクロスコンパイル)
- [macOSでのコンパイルの注意点](#macosでのコンパイルの注意点)
- [Linuxでのコンパイルの注意点](#linuxでのコンパイルの注意点)
- [アドバンス: Rustパッケージの更新](#アドバンス-rustパッケージの更新)
- [サンプルevtxファイルでHayabusaをテストする](#サンプルevtxファイルでhayabusaをテストする)
- [使用方法](#使用方法)
- [Windows Terminalで利用する際の注意事項](#windows-terminalで利用する際の注意事項)
- [コマンドラインオプション](#コマンドラインオプション)
- [使用例](#使用例)
- [Hayabusaの出力](#hayabusaの出力)
- [プログレスバー](#プログレスバー)
- [標準出力へのカラー設定](#標準出力へのカラー設定)
- [Hayabusa ルール](#hayabusa-ルール)
- [Hayabusa v.s. 変換されたSigmaルール](#hayabusa-vs-変換されたsigmaルール)
- [検知ルールのチューニング](#検知ルールのチューニング)
- [イベントIDフィルタリング](#イベントidフィルタリング)
- [その他のWindowsイベントログ解析ツールおよび関連プロジェクト](#その他のwindowsイベントログ解析ツールおよび関連プロジェクト)
- [Sigmaをサポートする他の類似ツールとの比較](#sigmaをサポートする他の類似ツールとの比較)
- [コミュニティによるドキュメンテーション](#コミュニティによるドキュメンテーション)
- [英語](#英語)
- [日本語](#日本語)
- [貢献](#貢献)
- [バグの報告](#バグの報告)
- [ライセンス](#ライセンス)
## 主な目的
### スレット(脅威)ハンティング
Hayabusa には現在、1000以上のSigmaルールと約50のHayabusa検知ルールがあり、定期的にルールが追加されています。 最終的な目標はインシデントレスポンスや定期的なスレットハンティングのために、HayabusaエージェントをすべてのWindows端末にインストールして、中央サーバーにアラートを返す仕組みを作ることです。
### フォレンジックタイムラインの高速生成
Windowsのイベントログは、
1解析が困難なデータ形式であること
2データの大半がイズであり調査に有用でないこと
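Review bot: the two enumerated items closing this hunk, `1解析が困難なデータ形式であること` and `2データの大半がイズであり調査に有用でないこと`, have the number fused to the text, and `イズ` looks like a typo for `ノイズ` (noise); rendering them as a Markdown list (`1. ...`, `2. ...`) would fix both the spacing and readability. The new table of contents relies on GitHub's heading-slug rules for non-ASCII text, e.g. `#criticalアラートのフィルタリングとコンピュータごとのグルーピング` pointing at a heading that ends in a colon (`## 起動画面:` style); please verify the anchors resolve in the rendered page before release.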
@@ -22,9 +77,11 @@ Windowsのイベントログは、
[Evtx Explorer](https://ericzimmerman.github.io/#!index.md)や[Event Log Explorer](https://eventlogxp.com/)のような深掘り分析を行うツールの代替ではなく、分析者が20%の時間で80%の作業を行えるようにすることを目的としています。
# 開発について
[DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI)というWindowsイベントログ解析ツールに触発されて、2020年に[RustyBlue](https://github.com/Yamato-Security/RustyBlue)プロジェクト用にRustに移植することから始めました。その後、YMLで書かれたSigmaのような柔軟な検知シグネチャを作り、SigmaルールをHayabusaルール形式へ変換するツールも作成しました。
# スクリーンショット
## 起動画面:
![Hayabusa 起動画面](/screenshots/Hayabusa-Startup.png)
@@ -50,11 +107,13 @@ Windowsのイベントログは、
![Timeline ExplorerでCriticalアラートのフィルタリングとコンピュータグルーピング](screenshots/TimelineExplorer-CriticalAlerts-ComputerGrouping.png)
# タイムラインのサンプル結果
CSVと手動で編集したXLSXのタイムライン結果のサンプルは[こちら](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results)で確認できます。
CSVのタイムラインをExcelやTimeline Explorerで分析する方法は[こちら](doc/CSV-AnalysisWithExcelAndTimelineExplorer-Japanese.pdf)で紹介しています。
# 特徴
* クロスプラットフォーム対応: Windows, Linux, macOS
* Rustで開発され、メモリセーフでハヤブサよりも高速です
* マルチスレッド対応により、最大5倍のスピードアップを実現!
@@ -64,34 +123,88 @@ CSVのタイムラインをExcelやTimeline Explorerで分析する方法は[こ
* 現在、他の類似ツールに比べ最も多くのSigmaルールをサポートしており、カウントルールにも対応しています。
* イベントログの統計(どのような種類のイベントがあるのかを把握し、ログ設定のチューニングに有効です。)
* 不良ルールやノイズの多いルールを除外するルールチューニング設定が可能です。
* MITRE ATT&CKとのマッピング
# 予定されている機能
* すべてのエンドポイントでの企業全体のスレットハンティング
* 日本語対応
* MITRE ATT&CK とのマッピング
* MITRE ATT&CK ヒートマップ生成機能
* MITRE ATT&CKのヒートマップ生成機能
* ユーザーログオンと失敗したログオンのサマリー
* JSONログからの入力
* JSONへの出力→Elastic Stack/Splunkへのインポート
# ダウンロード
Hayabusaの[Releases](https://github.com/Yamato-Security/hayabusa/releases)から最新版をダウンロードできます。
または、以下の`git clone`コマンドでレポジトリをダウンロードし、ソースコードからコンパイルして使用することも可能です。
```bash
git clone https://github.com/Yamato-Security/hayabusa.git
git clone https://github.com/Yamato-Security/hayabusa.git --recursive
```
--recursive をつけ忘れた場合、サブモジュールとして管理されている rules/ 内のファイルが取得できません。
Hayabusaでは検知ルールを`rules/`フォルダの取得はコンパイル後に以下のコマンドでルールの最新版を取得することができます。
rulesフォルダ配下でファイルを削除や更新をしていた場合は更新されないのでその場合はrulesフォルダを他の名前にリネームしたうえで以下のコマンドを打ってください。
```bash
.\hayabusa.exe -u
```
# ソースコードからのコンパイル(任意)
rustがインストールされている場合、以下のコマンドでソースコードからコンパイルすることができます:
Rustがインストールされている場合、以下のコマンドでソースコードからコンパイルすることができます:
```bash
cargo clean
cargo build --release
```
以下のコマンドで定期的にRustをアップデートしてください
```bash
rustup update
```
コンパイルされたバイナリは`target/release`フォルダ配下で作成されます。
## 32ビットWindowsバイナリのクロスコンパイル
以下のコマンドで64ビットのWindows端末で32ビットのバイナリをクロスコンパイルできます:
```bash
rustup install stable-i686-pc-windows-msvc
rustup target add i686-pc-windows-msvc
rustup run stable-i686-pc-windows-msvc cargo build --release
```
## macOSでのコンパイルの注意点
opensslについてのコンパイルエラーが表示される場合は、[Homebrew](https://brew.sh/)をインストールしてから、以下のパッケージをインストールする必要があります:
```bash
brew install pkg-config
brew install openssl
```
## Linuxでのコンパイルの注意点
opensslについてのコンパイルエラーが表示される場合は、以下のパッケージをインストールする必要があります。
Ubuntu系のディストロ:
```bash
sudo apt install libssl-dev
```
Fedora系のディストロ:
```bash
sudo yum install openssl-devel
```
## アドバンス: Rustパッケージの更新
コンパイル前に最新のRust crateにアップデートすることで、最新のライブラリを利用することができます:
```bash
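Review bot: the sentence explaining the rules download in the Downloads section is ungrammatical (「Hayabusaでは検知ルールを`rules/`フォルダの取得はコンパイル後に…」 runs two clauses together) and should state plainly that the detection rules live in `rules/` and can be refreshed after compiling with `-u`, for example 「検知ルールは`rules/`フォルダにあり、コンパイル後に以下のコマンドで最新版に更新できます。」. The following sentence says `-u` will not update a `rules` folder whose files were edited or deleted and tells the reader to rename the folder first; that is a reasonable workaround, but for a clone made without `--recursive` the simpler fix is `git submodule update --init`, which is worth mentioning alongside it. Finally, this section is cross-platform (the feature list above says Windows, Linux, macOS) but the update example only shows `.\hayabusa.exe -u`; add the `./hayabusa -u` form or say the Windows path is an example.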
@@ -101,9 +214,11 @@ cargo update
※ アップデート後、何か不具合がありましたらお知らせください。
## サンプルevtxファイルでHayabusaをテストする
Hayabusaをテストしたり、新しいルールを作成したりするためのサンプルevtxファイルをいくつか提供しています: [https://github.com/Yamato-Security/Hayabusa-sample-evtx](https://github.com/Yamato-Security/Hayabusa-sample-evtx)
以下のコマンドで、サンプルのevtxファイルを新しいサブディレクトリ `hayabusa-sample-evtx` にダウンロードすることができます:
```bash
git clone https://github.com/Yamato-Security/hayabusa-sample-evtx.git
```
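Review bot: the sample-evtx repository is referred to with two capitalisations in this hunk: the link text and URL use `Hayabusa-sample-evtx` while the `git clone` command uses `hayabusa-sample-evtx.git`, and the usage examples later pass `.\hayabusa-sample-evtx`. GitHub resolves both, but the cloned directory name that the examples depend on comes from the lowercase URL, so use the lowercase form in the link as well.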
@@ -111,93 +226,117 @@ git clone https://github.com/Yamato-Security/hayabusa-sample-evtx.git
> ※ 以下の例でHayabusaを試したい方は、上記コマンドをhayabusaのルートフォルダから実行してください。
# 使用方法
> 注意: Hayabusaのルートディレクトリから、バイナリを実行する必要があります。例`.\hayabusa.exe`
## Windows Terminalで利用する際の注意事項
2021/02/01現在、Windows Terminalから標準出力でhayabusaを使ったときに、コントロールコード(0x9D等)が検知結果に入っていると出力が止まることが確認されています。
Windows Terminalからhayabusaを標準出力で解析させたい場合は、 `-c` (カラー出力)のオプションをつければ出力が止まることを回避できます。
## コマンドラインオプション
```bash
USAGE:
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files'
-f --filepath=[FILEPATH] 'File path to one .evtx file'
-r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)'
-o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. Example: results.csv'
-v --verbose 'Output verbose information'
-D --enable-deprecated-rules 'Enable sigma rules marked as deprecated'
-n --enable-noisy-rules 'Enable rules marked as noisy'
-m --min-level=[LEVEL] 'Minimum level for rules (default: informational)'
--start-timeline=[STARTTIMELINE] 'Start time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--end-timeline=[ENDTIMELINE] 'End time of the event to load from event file. Example: '2018/11/28 12:00:00 +09:00''
--rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600'
--rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00'
-u --utc 'Output time in UTC format (default: local time)'
-t --thread-number=[NUMBER] 'Thread number (default: optimal number for performance)'
-s --statistics 'Prints statistics of event IDs'
-q --quiet 'Quiet mode. Do not display the launch banner'
-Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
--contributors 'Prints the list of contributors'
-d --directory=[DIRECTORY] '.evtxファイルを持つディレクトリのパス。'
-f --filepath=[FILEPATH] '1つの.evtxファイルのパス。'
-r --rules=[RULEFILE/RULEDIRECTORY] 'ルールファイルまたはルールファイルを持つディレクトリ。(デフォルト: ./rules)'
-c --color 'カラーで出力する。 (ターミナルはTrue Colorに対応する必要がある。)'
-o --output=[CSV_TIMELINE] 'タイムラインをCSV形式で保存する。(例: results.csv)'
-v --verbose '詳細な情報を出力する。'
-D --enable-deprecated-rules 'Deprecatedルールを有効にする。'
-n --enable-noisy-rules 'Noisyルールを有効にする。'
-u --update-rules 'rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する。'
-m --min-level=[LEVEL] '結果出力をするルールの最低レベル。(デフォルト: informational)'
-l --live-analysis 'ローカル端末のC:\Windows\System32\winevt\Logsフォルダを解析する。(Windowsのみ。管理者権限が必要。)'
--start-timeline=[STARTTIMELINE] '解析対象とするイベントログの開始時刻。(例: '2018/11/28 12:00:00 +09:00')'
--end-timeline=[ENDTIMELINE] '解析対象とするイベントログの終了時刻。(例: '2018/11/28 12:00:00 +09:00')'
--rfc-2822 'RFC 2822形式で日付と時刻を出力する。(例: Mon, 07 Aug 2006 12:34:56 -0600)'
--rfc-3339 'RFC 3339形式で日付と時刻を出力する。 (例: 2006-08-07T12:34:56.485214 -06:00)'
-U --utc 'UTC形式で日付と時刻を出力する。(デフォルト: 現地時間)'
-t --thread-number=[NUMBER] 'スレッド数。(デフォルト: パフォーマンスに最適な数値)'
-s --statistics 'イベント ID の統計情報を表示する。'
-q --quiet 'Quietモード。起動バナーを表示しない。'
-Q --quiet-errors 'Quiet errorsモード。エラーログを保存しない。'
--contributors 'コントリビュータの一覧表示。'
```
## 使用例
* 1 つのWindowsイベントログファイルに対してHayabusaを実行します:
* つのWindowsイベントログファイルに対してHayabusaを実行します:
```bash
.\hayabusa.exe -f eventlog.evtx
```
* 複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx
```
* 1 つのCSVファイルにエクスポートして、EXCELやTimeline Explorerでさらに分析することができます:
* つのCSVファイルにエクスポートして、EXCELやTimeline Explorerでさらに分析することができます:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv
```
* Hayabusaルールのみを実行しますデフォルトでは `-r .\rules` にあるすべてのルールが利用されます):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv
```
* Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv
```
* Sysmonログに対してのみHayabusaルールを実行します:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv
```
* Sigmaルールのみを実行します:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
* 廃棄(deprecated)されたルール(`status``deprecated`になっているルール)とノイジールール(`.\config\noisy-rules.txt`にルールIDが書かれているルール)を有効にします:
* 廃棄(deprecated)されたルール(`status``deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv
```
* ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r ./rules/Hayabusa/default/events/Security/Logons -u -o results.csv
.\hayabusa.exe -d .\hayabusa-sample-evtx -r ./rules/Hayabusa/default/events/Security/Logons -U -o results.csv
```
* 起動中のWindows端末上で実行しAdministrator権限が必要、アラート悪意のある可能性のある動作のみを検知します:
```bash
.\hayabusa.exe -d C:\Windows\System32\winevt\Logs -m low
.\hayabusa.exe -l -m low
```
* イベントIDの統計情報を取得します:
```bash
.\hayabusa.exe -f Security.evtx -s
```
* 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -v
```
* Verbose出力の例:
```bash
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information\u{a0}Compile After Delivery/sysmon.evtx"
1 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.20 % 1s
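Review bot: two of the rewritten usage-example bullets lost their numeral: 「つのWindowsイベントログファイルに対して」 and 「つのCSVファイルにエクスポートして」 should read 「1つの…」 (the old lines had 「1 つの」; dropping the space is fine, dropping the 1 is not). Second, the short flag `-u` is repurposed in this hunk from `--utc` to `--update-rules` and UTC output moves to `-U`; since `-u` now fetches rules from GitHub and replaces the `rules` folder, an existing script that passed `-u` for UTC will silently do something quite different, so call this out as a breaking change in the changelog and in this section, not only in the option table. Third, the Windows Terminal caution says 「2021/02/01現在」 while the English README in this same change says "As of Feb 1, 2022"; one of the two dates is wrong. Finally, the logon-rules example uses `./rules/Hayabusa/default/events/Security/Logons` (forward slashes, capital H) while every other example uses `.\rules\hayabusa\...`; on a case-sensitive filesystem the capitalised path will not match the `rules/hayabusa` directory the other examples rely on, so align it with the English README's `.\rules\hayabusa\default\events\Security\Logons`.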
@@ -216,6 +355,7 @@ Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_
エラーメッセージを保存したくない場合は、`-Q`を追加してください。
# Hayabusaの出力
Hayabusaの結果を標準出力に表示しているときデフォルトは、以下の情報を表示します:
* `Timestamp`: デフォルトでは`YYYY-MM-DD HH:mm:ss.sss +hh:mm`形式になっています。イベントログの`<Event><System><TimeCreated SystemTime>`フィールドから来ています。デフォルトのタイムゾーンはローカルのタイムゾーンになりますが、`--utc` オプションで UTC に変更することができます。
@@ -226,56 +366,74 @@ Hayabusaの結果を標準出力に表示しているときデフォルト
* `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの`<Event><System><EventData>`部分から有用なデータを抽出することができます。
CSVファイルとして保存する場合、以下の2つのフィールドが追加されます:
* `Rule Path`: アラートまたはイベントを生成した検知ルールへのパス。
* `File Path`: アラートまたはイベントを起こしたevtxファイルへのパス。
## プログレスバー
プログレス・バーは、複数のevtxファイルに対してのみ機能します。
解析したevtxファイルの数と割合をリアルタイムで表示します。
## 標準出力へのカラー設定
`-c`または`--color`を指定することで、Hayabusaの結果は`level`毎に文字色を変えることができます。
`./config/level_color.txt`の値を変更することで文字色を変えることができます。
形式は`level名,(6桁のRGBのカラーhex)`です。
注意: True Colorに対応しているターミナルが必要です。
例: [Windows Terminal](https://docs.microsoft.com/en-us/windows/terminal/install) またはmacOSの[iTerm2](https://iterm2.com/)。
# Hayabusa ルール
Hayabusa検知ルールはSigmaのようなYML形式で記述されています。`rules`ディレクトリに入っていますが、将来的には[https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules)のレポジトリで管理する予定なので、ルールのissueとpull requestはhayabusaのレポジトリではなく、ルールレポジトリへお願いします。
ルールの作成方法については、[AboutRuleCreation-Japanese.md](./doc/AboutRuleCreation-Japanese.md) をお読みください。
ルールの作成方法については、[hayabusa-rulesレポジトリのREADME](https://github.com/Yamato-Security/hayabusa-rules/blob/main/README-Japanese.md) をお読みください。
[hayabusa-rulesレポジトリ](https://github.com/Yamato-Security/hayabusa-rules)にあるすべてのルールは、`rules`フォルダに配置する必要があります。
`level`がinformationのルールは `events` とみなされ、`low` 以上は `alerts` とみなされます。
Hayabusaルールのディレクトリ構造は、3つのディレクトリに分かれています。
* `default`: Windows OSでデフォルトで記録されるログ
* `non-default`: グループポリシーやセキュリティベースラインの適用でオンにする必要があるログ
* `sysmon`: [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)によって生成されるログ
* `testing`: 現在テストしているルールを配置するための一時ディレクトリ
* `default`: Windows OSでデフォルトで記録されるログ
* `non-default`: グループポリシーやセキュリティベースラインの適用でオンにする必要があるログ
* `sysmon`: [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)によって生成されるログ。
* `testing`: 現在テストしているルールを配置するための一時ディレクトリ
ルールはさらにログタイプSecurity、Systemなどによってディレクトリに分けられ、次の形式で名前が付けられます。
* アラート形式: `<イベントID>_<MITRE ATT&CKの攻撃手法名>_<詳細>.yml`
* アラート: `1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml`
* イベント形式: `<イベントID>_<詳細>.yml`
* イベント: `4776_NTLM-LogonToLocalAccount.yml`
* アラート形式: `<イベントID>_<MITRE ATT&CKの攻撃手法名>_<詳細>.yml`
* アラート例: `1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml`
* イベント形式: `<イベントID>_<詳細>.yml`
* イベント例: `4776_NTLM-LogonToLocalAccount.yml`
現在のルールをご確認いただき、新規作成時のテンプレートとして、また検知ロジックの確認用としてご利用ください。
## Hayabusa v.s. 変換されたSigmaルール
Sigmaルールは、最初にHayabusaルール形式に変換する必要があります。変換のやり方は[ここ](https://github.com/Yamato-Security/Hayabusa/blob/main/tools/Sigmac/README-Japanese.md)で説明されています。Hayabusaルールは、Windowsのイベントログ解析専用に設計されており、以下のような利点があります:
1. ログの有用なフィールドのみから抽出された追加情報を表示するための `details`フィールドを追加しています。
2. Hayabusaルールはすべてサンプルログに対してテストされ、検知することが確認されています。
> 変換処理のバグ、サポートされていない機能、実装の違い(正規表現など)により、一部のSigmaルールは意図したとおりに動作しない可能性があります。
**制限事項**: 私たちの知る限り、Hayabusa はオープンソースの Windows イベントログ解析ツールの中でSigmaルールを最も多くサポートしていますが、まだサポートされていないルールもあります。
1. [Rust正規表現クレート](https://docs.rs/regex/1.5.4/regex/)では機能しない正規表現を使用するルール。
2. [Sigmaルール仕様](https://github.com/SigmaHQ/Sigma/wiki/Specification)の`count`以外の集計式。
> 注意この制限はSigmaルールの変換ツールにあり、Hayabusa自身にあるわけではありません。
## 検知ルールのチューニング
ファイアウォールやIDSと同様に、シグネチャベースのツールは、環境に合わせて調整が必要になるため、特定のルールを永続的または一時的に除外する必要がある場合があります。
ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `config/exclude-rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
ルールID(例: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) を `rules/config/exclude_rules.txt`に追加すると、不要なルールや利用できないルールを無視することができます。
ルールIDを `config/noisy-rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
ルールIDを `rules/config/noisy_rules.txt`に追加して、デフォルトでルールを無視することもできますが、` -n`または `--enable-noisy-rules`オプションを指定してルールを使用することもできます。
## イベントIDフィルタリング
`config/target_eventids.txt`にイベントID番号を追加することで、イベントIDでフィルタリングすることができます。
これはパフォーマンスを向上させるので、特定のIDだけを検索したい場合に推奨されます。
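Review bot: the opening paragraph of the Hayabusa rules section still says the rules 「将来的には…hayabusa-rulesのレポジトリで管理する予定」 (will be managed in the hayabusa-rules repository in the future), but this change already makes `rules/` a submodule of that repository, adds `-u` to update from it, and moves the exclude and noisy lists to `rules/config/exclude_rules.txt` and `rules/config/noisy_rules.txt`; rewrite that sentence in the present tense. Related: the event ID filter still points at `config/target_eventids.txt` and the colour section at `./config/level_color.txt`, so please confirm whether those files stayed in this repository or also moved under `rules/config/`, and update the paths if they moved. Two smaller points: 「`level`がinformationのルール」 should use the level name the option table uses (`informational`), and the noisy-rules sentence renders the flag with a leading space inside the code span (「` -n`」) in both the old and the new line; drop the space.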
@@ -284,36 +442,41 @@ Sigmaルールは、最初にHayabusaルール形式に変換する必要があ
最高のパフォーマンスを得たい場合はこのリストを使用してください。ただし、検出漏れの可能性が若干あることにご注意ください。
# その他のWindowsイベントログ解析ツールおよび関連プロジェクト
「すべてを統治する1つのツール」というものはなく、それぞれにメリットがあるため、これらの他の優れたツールやプロジェクトをチェックして、どれが気に入ったかを確認することをお勧めします。
- [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - Pythonで開発された攻撃検知ツール。
- [Chainsaw](https://github.com/countercept/chainsaw) - Rustで開発された同様のSigmaベースの攻撃検知ツール
- [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - [Eric Conrad](https://twitter.com/eric_conrad) によってPowershellで開発された攻撃検知ツール。
- [EventList](https://github.com/miriamxyra/EventList/) - [Miriam Wiesner](https://github.com/miriamxyra)によるセキュリティベースラインの有効なイベントIDをMITRE ATT&CKにマッピングするPowerShellツール。
- [EvtxToElk](https://www.dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/) - Elastic StackにEvtxデータを送信するPythonツール。
- [EVTX ATTACK Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - [SBousseaden](https://twitter.com/SBousseaden) によるEVTX攻撃サンプルイベントログファイル
- [EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - ATT&CKにマッピングされたEVTX攻撃サンプルログのもう一つの素晴らしいレポジトリ
- [EVTX parser](https://github.com/omerbenamram/evtx) - [@OBenamram](https://twitter.com/obenamram) によって書かれた、私たちが使用したRustライブラリ
- [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - [JPCERTCC](https://twitter.com/jpcert) による、横方向の動きを検知するためにログオンを視覚化するグラフィカルなインターフェース
- [RustyBlue](https://github.com/Yamato-Security/RustyBlue) - 大和セキュリティによるDeepBlueCLIのRust版
- [Sigma](https://github.com/SigmaHQ/Sigma) - コミュニティベースの汎用SIEMルール
- [so-import-evtx](https://docs.securityonion.net/en/2.3/so-import-evtx.html) - evtxファイルをSecurityOnionにインポートするツール
- [Timeline Explorer](https://ericzimmerman.github.io/#!index.md) - [Eric Zimmerman](https://twitter.com/ericrzimmerman) による最高のCSVタイムラインアナライザ
- [Windows Event Log Analysis - Analyst Reference](https://www.forwarddefense.com/media/attachments/2021/05/15/windows-event-log-analyst-reference.pdf) - Forward DefenseのSteve AnsonによるWindowsイベントログ解析の参考資料
- [WELA (Windows Event Log Analyzer)](https://github.com/Yamato-Security/WELA/) - [Yamato Security](https://github.com/Yamato-Security/)によるWindowsイベントログ解析のマルチツール。
- [Zircolite](https://github.com/wagga40/Zircolite) - Pythonで書かれたSigmaベースの攻撃検知ツール
* [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - Pythonで開発された攻撃検知ツール。
* [Awesome Event IDs](https://github.com/stuhli/awesome-event-ids) - フォレンジック調査とインシデント対応に役立つイベントIDのリソース
* [Chainsaw](https://github.com/countercept/chainsaw) - Rustで開発された同様のSigmaベースの攻撃検知ツール。
* [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - [Eric Conrad](https://twitter.com/eric_conrad) によってPowershellで開発された攻撃検知ツール。
* [EventList](https://github.com/miriamxyra/EventList/) - [Miriam Wiesner](https://github.com/miriamxyra)によるセキュリティベースラインの有効なイベントIDをMITRE ATT&CKにマッピングするPowerShellツール。
* [EvtxECmd](https://github.com/EricZimmerman/evtx) - [Eric Zimmerman](https://twitter.com/ericrzimmerman)によるEvtxパーサー
* [EVTXtract](https://github.com/williballenthin/EVTXtract) - 未使用領域やメモリダンプからEVTXファイルを復元するツール
* [EvtxToElk](https://www.dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/) - Elastic StackにEvtxデータを送信するPythonツール
* [EVTX ATTACK Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - [SBousseaden](https://twitter.com/SBousseaden) によるEVTX攻撃サンプルイベントログファイル
* [EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - ATT&CKにマッピングされたEVTX攻撃サンプルログのもう一つの素晴らしいレポジトリ
* [EVTX parser](https://github.com/omerbenamram/evtx) - [@OBenamram](https://twitter.com/obenamram) によって書かれた、私たちが使用したRustライブラリ
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - [JPCERTCC](https://twitter.com/jpcert) による、横方向の動きを検知するためにログオンを視覚化するグラフィカルなインターフェース
* [RustyBlue](https://github.com/Yamato-Security/RustyBlue) - 大和セキュリティによるDeepBlueCLIのRust版
* [Sigma](https://github.com/SigmaHQ/Sigma) - コミュニティベースの汎用SIEMルール
* [so-import-evtx](https://docs.securityonion.net/en/2.3/so-import-evtx.html) - evtxファイルをSecurityOnionにインポートするツール。
* [Timeline Explorer](https://ericzimmerman.github.io/#!index.md) - [Eric Zimmerman](https://twitter.com/ericrzimmerman) による最高のCSVタイムラインアナライザ
* [Windows Event Log Analysis - Analyst Reference](https://www.forwarddefense.com/media/attachments/2021/05/15/windows-event-log-analyst-reference.pdf) - Forward DefenseのSteve AnsonによるWindowsイベントログ解析の参考資料。
* [WELA (Windows Event Log Analyzer)](https://github.com/Yamato-Security/WELA/) - [Yamato Security](https://github.com/Yamato-Security/)によるWindowsイベントログ解析のマルチツール。
* [Zircolite](https://github.com/wagga40/Zircolite) - Pythonで書かれたSigmaベースの攻撃検知ツール。
## Sigmaをサポートする他の類似ツールとの比較
対象となるサンプルデータ、コマンドラインオプション、ルールのチューニング等によって結果が異なるため、完全な比較はできませんが、ご了承ください。
我々のテストでは、Hayabusaはすべてのツールの中で最も多くのSigmaルールをサポートしながらも、非常に高速な速度を維持し、大量のメモリを必要としないことが分かっています。
以下のベンチマークは、2021/12/23に [sample-evtx repository](https://github.com/Yamato-Security/Hayabusa-sample-evtx) から約500個のevtxファイル130MBを基に、Lenovo P51で計測したものです。Hayabusa 1.0.0を使いました。
| | 経過時間 | メモリ使用量 | 利用可能のSigmaルール数 |
| :---: | :---: | :---: | :---: |
| Chainsaw | 7.5 seconds | 70 MB | 170 |
| Hayabusa | 7.8 seconds | 340 MB | 267 |
| Zircolite | 34 seconds | 380 MB (通常、ログファイルの3倍のサイズが必要) | 237 |
| | 経過時間 | メモリ使用量 | 利用可能のSigmaルール数 |
| :-------: | :---------: | :--------------------------------------------: | :---------------------: |
| Chainsaw | 7.5 seconds | 70 MB | 170 |
| Hayabusa | 7.8 seconds | 340 MB | 267 |
| Zircolite | 34 seconds | 380 MB (通常、ログファイルの3倍のサイズが必要) | 237 |
* Hayabusaルールも有効にすると、約300のユニークなアラートとイベントを検知します。
* 合計7.5GBの多数のイベントログファイルでテストしたところ、7分以内に終了し、1GB以上のメモリを使用しませんでした。消費されるメモリ量は、ターゲットのevtxファイルのサイズではなく、結果のサイズによって増えます。
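Review bot: the benchmark paragraph still says the figures were measured on 2021/12/23 with Hayabusa 1.0.0, and the table is only re-aligned, not re-measured; since this change adds and renames command line options and splits the rules out as a submodule, either rerun the comparison or state explicitly that the numbers predate this change. Also, the rewritten related-projects list ends some entries with 「。」 (APT-Hunter, Chainsaw, DeepBlueCLI, EventList, so-import-evtx, Windows Event Log Analysis, WELA, Zircolite) and the rest without (Awesome Event IDs, EvtxECmd, EVTXtract, EvtxToElk, EVTX ATTACK Samples, EVTX-to-MITRE-Attack, EVTX parser, LogonTracer, RustyBlue, Sigma, Timeline Explorer); pick one convention.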
@@ -323,13 +486,13 @@ Sigmaルールは、最初にHayabusaルール形式に変換する必要があ
## 英語
- 2022/01/24 [Hayabusa結果をneo4jで可視化する方法](https://www.youtube.com/watch?v=7sQqz2ek-ko) by Matthew Seyer ([@forensic_matt](https://twitter.com/forensic_matt))
* 2022/01/24 [Hayabusa結果をneo4jで可視化する方法](https://www.youtube.com/watch?v=7sQqz2ek-ko) by Matthew Seyer ([@forensic_matt](https://twitter.com/forensic_matt))
## 日本語
- 2022/01/22 [Hayabusa結果をElastic Stackで可視化する方法](https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749) by [@kzzzzo2](https://qiita.com/kzzzzo2)
- 2021/12/31 [Windowsイベントログ解析ツール「Hayabusa」を使ってみる](https://itib.hatenablog.com/entry/2021/12/31/222946) by itiB ([@itiB_S144](https://twitter.com/itiB_S144))
- 2021/12/27 [Hayabusaの中身](https://kazuminkun.hatenablog.com/entry/2021/12/27/190535) by Kazuminn ([@k47_um1n](https://twitter.com/k47_um1n))
* 2022/01/22 [Hayabusa結果をElastic Stackで可視化する方法](https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749) by [@kzzzzo2](https://qiita.com/kzzzzo2)
* 2021/12/31 [Windowsイベントログ解析ツール「Hayabusa」を使ってみる](https://itib.hatenablog.com/entry/2021/12/31/222946) by itiB ([@itiB_S144](https://twitter.com/itiB_S144))
* 2021/12/27 [Hayabusaの中身](https://kazuminkun.hatenablog.com/entry/2021/12/27/190535) by Kazuminn ([@k47_um1n](https://twitter.com/k47_um1n))
# 貢献
@@ -337,6 +500,10 @@ Sigmaルールは、最初にHayabusaルール形式に変換する必要があ
少なくとも、私たちのツールを気に入っていただけたなら、Githubで星を付けて、あなたのサポートを表明してください。
# バグの報告
見つけたバグを[こちら](https://github.com/Yamato-Security/hayabusa/issues/new?assignees=&labels=bug&template=bug_report.md&title=%5Bbug%5D)でご連絡ください。報告されたバグを喜んで修正します!
# ライセンス
Hayabusaは[GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html)で公開され、すべてのルールは[Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)で公開されています。
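Review bot: 「Githubで星を付けて」 should spell the service name GitHub; the same lower-case form (「githubリポジトリ」) appears in the new `-u --update-rules` description in the option table, so fix both for consistency.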

507
README.md
@@ -1,5 +1,506 @@
Hayabusa Readme:
<div align="center">
<p>
<img alt="Hayabusa Logo" src="hayabusa-logo.png" width="50%">
</p>
[ <b>English</b> ] | [<a href="README-Japanese.md">日本語</a>]
</div>
[English](README-English.md)
---
[Japanese](README-Japanese.md)
[tag-1]: https://img.shields.io/github/downloads/Yamato-Security/hayabusa/total?style=plastic&label=GitHub%F0%9F%A6%85DownLoads
[tag-2]: https://img.shields.io/github/stars/Yamato-Security/hayabusa?style=plastic&label=GitHub%F0%9F%A6%85Stars
[tag-3]: https://img.shields.io/github/v/release/Yamato-Security/hayabusa?display_name=tag&label=latest-version&style=plastic
![tag-1] ![tag-2] ![tag-3]
# About Hayabusa
Hayabusa is a **Windows event log fast forensics timeline generator** and **threat hunting tool** created by the [Yamato Security](https://yamatosecurity.connpass.com/) group in Japan. Hayabusa means ["peregrine falcon"](https://en.wikipedia.org/wiki/Peregrine_falcon") in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in [Rust](https://www.rust-lang.org/) and supports multi-threading in order to be as fast as possible. We have provided a [tool](https://github.com/Yamato-Security/hayabusa/tree/main/tools/sigmac) to convert [sigma](https://github.com/SigmaHQ/sigma) rules into hayabusa rule format. The hayabusa detection rules, like sigma, are also written in YML in order to be as easily customizable and extensible as possible. It can be run either on running systems for live analysis or by gathering logs from multiple systems for offline analysis. (At the moment, it does not support real-time alerting or periodic scans.) The output will be consolidated into a single CSV timeline for easy analysis in Excel or [Timeline Explorer](https://ericzimmerman.github.io/#!index.md).
## Table of Contents
- [About Hayabusa](#about-hayabusa)
- [Table of Contents](#table-of-contents)
- [Main goals](#main-goals)
- [Threat hunting](#threat-hunting)
- [Fast forensics timeline generation](#fast-forensics-timeline-generation)
- [About the development](#about-the-development)
- [Screenshots](#screenshots)
- [Startup](#startup)
- [Terminal output](#terminal-output)
- [Results summary](#results-summary)
- [Analysis in Excel](#analysis-in-excel)
- [Analysis in Timeline Explorer](#analysis-in-timeline-explorer)
- [Critical alert filtering and computer grouping in Timeline Explorer](#critical-alert-filtering-and-computer-grouping-in-timeline-explorer)
- [Sample timeline results](#sample-timeline-results)
- [Features](#features)
- [Planned Features](#planned-features)
- [Downloads](#downloads)
- [Compiling from source (Optional)](#compiling-from-source-optional)
- [Cross-compiling 32-bit Windows binaries](#cross-compiling-32-bit-windows-binaries)
- [Notes on compiling on macOS](#notes-on-compiling-on-macos)
- [Notes on compiling on Linux](#notes-on-compiling-on-linux)
- [Advanced: Updating Rust packages](#advanced-updating-rust-packages)
- [Testing hayabusa out on sample evtx files](#testing-hayabusa-out-on-sample-evtx-files)
- [Usage](#usage)
- [Caution: Output printed to screen may stop in Windows Terminal](#caution-output-printed-to-screen-may-stop-in-windows-terminal)
- [Command line options](#command-line-options)
- [Usage examples](#usage-examples)
- [Hayabusa output](#hayabusa-output)
- [Progress bar](#progress-bar)
- [Color Output](#color-output)
- [Hayabusa rules](#hayabusa-rules)
- [Hayabusa v.s. converted Sigma rules](#hayabusa-vs-converted-sigma-rules)
- [Detection rule tuning](#detection-rule-tuning)
- [Event ID filtering](#event-id-filtering)
- [Other Windows event log analyzers and related projects](#other-windows-event-log-analyzers-and-related-projects)
- [Comparison to other similar tools that support sigma](#comparison-to-other-similar-tools-that-support-sigma)
- [Community Documentation](#community-documentation)
- [English](#english)
- [Japanese](#japanese)
- [Contribution](#contribution)
- [Bug Submission](#bug-submission)
- [License](#license)
## Main goals
### Threat hunting
Hayabusa currently has over 1000 sigma rules and around 50 hayabusa rules with more rules being added regularly. The ultimate goal is to be able to push out hayabusa agents to all Windows endpoints after an incident or for periodic threat hunting and have them alert back to a central server.
### Fast forensics timeline generation
Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) the majority of data is noise and not useful for investigations. Hayabusa's main goal is to extract out only useful data and present it in an easy-to-read format that is usable not only by professionally trained analysts but any Windows system administrator.
Hayabusa is not intended to be a replacement for tools like [Evtx Explorer](https://ericzimmerman.github.io/#!index.md) or [Event Log Explorer](https://eventlogxp.com/) for more deep-dive analysis but is intended for letting analysts get 80% of their work done in 20% of the time.
# About the development
First inspired by the [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) Windows event log analyzer, we started in 2020 porting it over to Rust for the [RustyBlue](https://github.com/Yamato-Security/RustyBlue) project, then created sigma-like flexible detection signatures written in YML, and then added a backend to sigma to support converting sigma rules into our hayabusa rule format.
# Screenshots
## Startup
![Hayabusa Startup](/screenshots/Hayabusa-Startup.png)
## Terminal output
![Hayabusa terminal output](/screenshots/Hayabusa-Results.png)
## Results summary
![Hayabusa results summary](/screenshots/HayabusaResultsSummary.png)
## Analysis in Excel
![Hayabusa analysis in Excel](/screenshots/ExcelScreenshot.png)
## Analysis in Timeline Explorer
![Hayabusa analysis in Timeline Explorer](screenshots/TimelineExplorer-ColoredTimeline.png)
## Critical alert filtering and computer grouping in Timeline Explorer
![Critical alert filtering and computer grouping in Timeline Explorer](screenshots/TimelineExplorer-CriticalAlerts-ComputerGrouping.png)
# Sample timeline results
You can check out sample CSV and manually edited XLSX timeline results [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results).
You can learn how to analyze CSV timelines in Excel and Timeline Explorer [here](doc/CSV-AnalysisWithExcelAndTimelineExplorer-English.pdf).
# Features
* Cross-platform support: Windows, Linux, macOS
* Developed in Rust to be memory safe and faster than a hayabusa falcon!
* Multi-thread support delivering up to a 5x speed improvement!
* Creates a single easy-to-analyze CSV timeline for forensic investigations and incident response
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules
* Sigma rule support to convert sigma rules to hayabusa rules
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules
* Event log statistics (Useful for getting a picture of what types of events there are and for tuning your log settings)
* Rule tuning configuration by excluding unneeded or noisy rules
* MITRE ATT&CK mapping
# Planned Features
* Enterprise-wide hunting on all endpoints
* Japanese language support
* MITRE ATT&CK heatmap generation
* User logon and failed logon summary
* Input from JSON logs
* JSON support for sending alerts to Elastic Stack/Splunk, etc...
# Downloads
You can download the latest Hayabusa version from the [Releases](https://github.com/Yamato-Security/hayabusa/releases) page.
You can also `git clone` the repository with the following command and compile binary from source code.:
```bash
git clone https://github.com/Yamato-Security/hayabusa.git --recursive
```
If you forget to use --recursive option, rules/ files which managed in submodule did not cloned.
You can get latest Hayabusa rules with the execute following command.
When you modified or erased in rules/ , update is failed.
In this case, you can get latest Hayabusa if you renamed rules folder and execute following command.
```bash
.\hayabusa.exe -u
```
# Compiling from source (Optional)
If you have Rust installed, you can compile from source with the following command:
```bash
cargo clean
cargo build --release
```
Be sure to periodically update Rust with:
```bash
rustup update
```
The compiled binary will be outputted in the `target/release` folder.
## Cross-compiling 32-bit Windows binaries
You can create 32-bit binaries on 64-bit Windows systems with the following:
```bash
rustup install stable-i686-pc-windows-msvc
rustup target add i686-pc-windows-msvc
rustup run stable-i686-pc-windows-msvc cargo build --release
```
## Notes on compiling on macOS
If you receive compile errors about openssl, you will need to install [Homebrew](https://brew.sh/) and then install the following packages:
```bash
brew install pkg-config
brew install openssl
```
## Notes on compiling on Linux
If you receive compile errors about openssl, you will need to install the following package.
Ubuntu-based distros:
```bash
sudo apt install libssl-dev
```
Fedora-based distros:
```bash
sudo yum install openssl-devel
```
## Advanced: Updating Rust packages
You can update to the latest Rust crates before compiling to get the latest libraries:
```bash
cargo update
```
Please let us know if anything breaks after you update.
## Testing hayabusa out on sample evtx files
We have provided some sample evtx files for you to test hayabusa and/or create new rules at [https://github.com/Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx)
You can download the sample evtx files to a new `hayabusa-sample-evtx` sub-directory with the following command:
```bash
git clone https://github.com/Yamato-Security/hayabusa-sample-evtx.git
```
> Note: You need to run the binary from the Hayabusa root directory.
# Usage
> Note: You need to run the Hayabusa binary from the Hayabusa root directory. Example: `.\hayabusa.exe`
## Caution: Output printed to screen may stop in Windows Terminal
As of Feb 1, 2022, Windows Terminal will freeze midway when displaying results to the screen when run against the sample evtx files.
This is because there is a control code (0x9D) in the output.
This is known Windows Terminal bug which will eventually be fixed but for the meantime, you can avoid this bug by adding the `-c` (colored output) option when you run hayabusa.
## Command line options
```bash
USAGE:
-d --directory=[DIRECTORY] 'Directory of multiple .evtx files.'
-f --filepath=[FILEPATH] 'File path to one .evtx file.'
-r --rules=[RULEFILE/RULEDIRECTORY] 'Rule file or directory. (Default: ./rules)'
-c --color 'Output with color. (Terminal needs to support True Color.)'
-o --output=[CSV_TIMELINE] 'Save the timeline in CSV format. (Example: results.csv)'
-v --verbose 'Output verbose information.'
-D --enable-deprecated-rules 'Enable rules marked as deprecated.'
-n --enable-noisy-rules 'Enable rules marked as noisy.'
-u --update-rules 'Update to the latest rules in the hayabusa-rules github repository.'
-m --min-level=[LEVEL] 'Minimum level for rules. (Default: informational)'
-l --live-analysis 'Analyze the local C:\Windows\System32\winevt\Logs folder (Windows Only. Administrator privileges required.)'
--start-timeline=[STARTTIMELINE] 'Start time of the event logs to load. (Example: '2018/11/28 12:00:00 +09:00')'
--end-timeline=[ENDTIMELINE] 'End time of the event logs to load. (Example: '2018/11/28 12:00:00 +09:00')'
--rfc-2822 'Output date and time in RFC 2822 format. (Example: Mon, 07 Aug 2006 12:34:56 -0600)'
--rfc-3339 'Output date and time in RFC 3339 format. (Example: 2006-08-07T12:34:56.485214 -06:00)'
-U --utc 'Output time in UTC format. (Default: local time)'
-t --thread-number=[NUMBER] 'Thread number. (Default: Optimal number for performance.)'
-s --statistics 'Prints statistics of event IDs.'
-q --quiet 'Quiet mode. Do not display the launch banner.'
-Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
--contributors 'Prints the list of contributors.'
```
## Usage examples
* Run hayabusa against one Windows event log file:
```bash
.\hayabusa.exe -f eventlog.evtx
```
* Run hayabusa against the sample-evtx directory with multiple Windows event log files:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx
```
* Export to a single CSV file for further analysis with excel or timeline explorer:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv
```
* Only run hayabusa rules (the default is to run all the rules in `-r .\rules`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv
```
* Only run hayabusa rules for logs that are enabled by default on Windows:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv
```
* Only run hayabusa rules for sysmon logs:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv
```
* Only run sigma rules:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
```
* Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv
```
* Only run rules to analyze logons and output in the UTC timezone:
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv
```
* Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior):
```bash
.\hayabusa.exe -l -m low
```
* Get event ID statistics:
```bash
.\hayabusa.exe -f Security.evtx -s
```
* Print verbose information (useful for determining which files take long to process, parsing errors, etc...):
```bash
.\hayabusa.exe -d .\hayabusa-sample-evtx -v
```
* Verbose output example:
```bash
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information\u{a0}Compile After Delivery/sysmon.evtx"
1 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.20 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx"
2 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.39 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets\u{a0}Kerberoasting/Security.evtx"
3 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.59 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx"
4 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.79 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution\u{a0}InstallUtil/sysmon.evtx"
5 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.98 % 1s
```
* Quiet error mode:
By default, hayabusa will save error messages to error log files.
If you do not want to save error messages, please add `-Q`.
# Hayabusa output
When Hayabusa output is being displayed to the screen (the default), it will display the following information:
* `Timestamp`: Default is `YYYY-MM-DD HH:mm:ss.sss +hh:mm` format. This comes from the `<Event><System><TimeCreated SystemTime>` field in the event log. The default timezone will be the local timezone but you can change the timezone to UTC with the `--utc` option.
* `Computer`: This comes from the `<Event><System><Computer>` field in the event log.
* `Event ID`: This comes from the `<Event><System><EventID>` field in the event log.
* `Level`: This comes from the `level` field in the YML detection rule. (`informational`, `low`, `medium`, `high`, `critical`) By default, alerts of all levels will be displayed, but you can set the minimum level with `-m`. For example, you can set `-m high` in order to only scan for and display high and critical alerts.
* `Title`: This comes from the `title` field in the YML detection rule.
* `Details`: This comes from the `details` field in the YML detection rule, however, only Hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `<Event><System><EventData>` portion of the log. For example, usernames, command line information, process information, etc...
When saving to a CSV file an additional two fields will be added:
* `Rule Path`: The path to the detection rule that generated the alert or event.
* `File Path`: The path to the evtx file that caused the alert or event.
## Progress bar
The progress bar will only work with multiple evtx files.
It will display in real time the number and percent of evtx files that it has finished analyzing.
## Color Output
You can output the alerts in color based on the alert `level` by specifying `-c` or `--color`.
You can change the default colors in the config file at `./config/level_color.txt` in the format of `level,(RGB 6-digit ColorHex)`.
Note: Color can only be displayed in terminals that support [True Color](https://en.wikipedia.org/wiki/Color_depth#True_color_(24-bit)).
Example: [Windows Terminal](https://docs.microsoft.com/en-us/windows/terminal/install) or [iTerm2](https://iterm2.com/) for macOS.
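The following is an added example, not code from the Hayabusa project: a small Python reader for the CSV fields described above. It applies a minimum level the way `-m` does, separates `events` (informational) from `alerts` (low and above), and colours the level with a 24-bit ANSI escape built from a `level,<6 hex digits>` mapping in the `level_color.txt` format. The column names follow the README and the colour mapping is the one shipped in this release; the sample rows, hostnames, rule paths and every function name below are constructed for illustration.

```python
"""
Added example (not Hayabusa's own code): read a Hayabusa-style results CSV,
apply a minimum level like `-m`, and colour levels from a level_color.txt
mapping. Sample rows and paths are constructed.
"""
import csv
import io
import re
from collections import Counter

# Severity order as listed in the README (lowest to highest).
LEVEL_ORDER = ["informational", "low", "medium", "high", "critical"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVEL_ORDER)}

# Constructed sample results (same column set the README describes for CSV output).
SAMPLE_RESULTS_CSV = """\
Timestamp,Computer,Event ID,Level,Title,Details,Rule Path,File Path
2022-03-01 10:15:02.123 +09:00,WS01,4776,informational,NTLM logon to local account,Workstation: WS01 : User: alice,rules/hayabusa/default/events/Security/4776_NTLM-LogonToLocalAccount.yml,sample/Security.evtx
2022-03-01 10:16:40.001 +09:00,WS01,1102,high,Security log cleared,User: bob : LogonID: 0x3e7,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,sample/Security.evtx
2022-03-01 10:17:05.555 +09:00,WS02,4732,medium,User added to local Administrators group,User: carol : Group: Administrators,rules/hayabusa/default/alerts/Security/4732_UserAddedToLocalAdministrators.yml,sample/Security.evtx
"""

# The level_color.txt content added in this release (header line, then one level per line).
SAMPLE_LEVEL_COLORS = """\
level,colorcode
critical,ff0000
high,ffff00
medium,00ffff
low,00ff00
"""

HEX6 = re.compile(r"^[0-9a-fA-F]{6}$")


def parse_level_colors(text):
    """Parse `level,RRGGBB` lines into {level: (r, g, b)}; header, blank and '#' lines are skipped."""
    colors = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower().startswith("level,"):
            continue
        level, _, code = line.partition(",")
        level, code = level.strip().lower(), code.strip()
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown level in color config: {level!r}")
        if not HEX6.match(code):
            raise ValueError(f"color for {level} must be 6 hex digits, got {code!r}")
        colors[level] = tuple(int(code[i:i + 2], 16) for i in (0, 2, 4))
    return colors


def ansi_true_color(rgb):
    """24-bit foreground escape; only True Color terminals render it correctly."""
    r, g, b = rgb
    return f"\x1b[38;2;{r};{g};{b}m"


def read_results(csv_text):
    """Parse the results CSV into dicts and fail early on a row with an unknown level."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        if row["Level"].lower() not in LEVEL_RANK:
            raise ValueError(f"unknown level {row['Level']!r} in row {row}")
    return rows


def filter_min_level(rows, min_level):
    """Keep rows whose level is at least `min_level`, like `-m <level>`."""
    threshold = LEVEL_RANK[min_level.lower()]
    return [row for row in rows if LEVEL_RANK[row["Level"].lower()] >= threshold]


def is_alert(row):
    """README convention: informational rows are events, everything above is an alert."""
    return LEVEL_RANK[row["Level"].lower()] > LEVEL_RANK["informational"]


def count_by_level(rows):
    """Per-level totals, a quick sanity check before opening the CSV elsewhere."""
    return dict(Counter(row["Level"].lower() for row in rows))


def render_line(row, colors):
    """One screen line; left uncoloured when the level has no entry (informational in the sample config)."""
    level = row["Level"].lower()
    text = f"{row['Timestamp']} | {row['Computer']} | {row['Event ID']} | {level} | {row['Title']} | {row['Details']}"
    if level in colors:
        return ansi_true_color(colors[level]) + text + "\x1b[0m"
    return text


if __name__ == "__main__":
    palette = parse_level_colors(SAMPLE_LEVEL_COLORS)
    for r in filter_min_level(read_results(SAMPLE_RESULTS_CSV), "low"):
        print(render_line(r, palette))
```

Note that the shipped colour file has no `informational` entry, so `render_line` deliberately falls back to plain text for that level instead of failing; a colour file with a malformed code is rejected up front so a typo does not silently print the wrong colour.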
# Hayabusa rules
Hayabusa detection rules are written in a sigma-like YML format and are located in the `rules` folder. In the future, we plan to host the rules at [https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) so please send any issues and pull requests for rules there instead of the main hayabusa repository.
Please read [the hayabusa-rules repository README](https://github.com/Yamato-Security/hayabusa-rules/blob/main/README.md) to understand about the rule format and how to create rules.
All of the rules from the hayabusa-rules repository should be placed in the `rules` folder.
`informational` level rules are considered `events`, while any rule with a `level` of `low` or higher is considered an `alert`.
The hayabusa rule directory structure is separated into 3 directories:
* `default`: logs that are turned on in Windows by default.
* `non-default`: logs that need to be turned on through group policy, security baselines, etc...
* `sysmon`: logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
* `testing`: a temporary directory to put rules that you are currently testing
Rules are further separated into directories by log type (Example: Security, System, etc...) and are named in the following format:
* Alert format: `<EventID>_<MITRE ATT&CK Name>_<Description>.yml`
* Alert example: `1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml`
* Event format: `<EventID>_<Description>.yml`
* Event example: `4776_NTLM-LogonToLocalAccount.yml`
Please check out the current rules to use as a template in creating new ones or for checking the detection logic.
## Hayabusa vs. converted Sigma rules
Sigma rules need to first be converted to hayabusa rule format explained [here](https://github.com/Yamato-Security/hayabusa/blob/main/tools/sigmac/README-English.md). Hayabusa rules are designed solely for Windows event log analysis and have the following benefits:
1. An extra `details` field to display additional information taken from only the useful fields in the log.
2. They are all tested against sample logs and are known to work.
> Some sigma rules may not work as intended due to bugs in the conversion process, unsupported features, or differences in implementation (such as in regular expressions).
**Limitations**: To our knowledge, hayabusa provides the greatest support for sigma rules out of any open source Windows event log analysis tool, however, there are still rules that are not supported:
1. Rules that use regular expressions that do not work with the [Rust regex crate](https://docs.rs/regex/1.5.4/regex/)
2. Aggregation expressions besides `count` in the [sigma rule specification](https://github.com/SigmaHQ/sigma/wiki/Specification).
> Note: the limitation is in the sigma rule converter and not in hayabusa itself.
## Detection rule tuning
Like firewalls and IDSes, any signature-based tool will require some tuning to fit your environment so you may need to permanently or temporarily exclude certain rules.
You can add a rule ID (Example: `4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6`) to `rules/config/exclude_rules.txt` in order to ignore any rule that you do not need or cannot be used.
You can also add a rule ID to `rules/config/noisy_rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--enable-noisy-rules` option.
## Event ID filtering
You can filter on event IDs by placing event ID numbers in `config/target_eventids.txt`.
This will increase performance so it is recommended if you only need to search for certain IDs.
We have provided a sample ID filter list at [`config/target_eventids_sample.txt`](https://github.com/Yamato-Security/hayabusa/blob/main/config/target_eventids_sample.txt) created from the `EventID` fields in all of the rules as well as IDs seen in actual results.
Please use this list if you want the best performance but be aware that there is a slight possibility for missing events (false negatives).
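The following is an added example, not the project's own code: the rule-selection steps the README describes (the exclusion list, the noisy list behind `-n / --enable-noisy-rules`, `deprecated` status behind `--enable-deprecated-rules`, the rule filename convention, and the optional event ID filter from `config/target_eventids.txt`), written out in Python over constructed rule metadata. The list-file format, one rule ID per line with an optional `# comment`, matches the config files in this repository and the IDs in the sample lists are taken from those files; the `Rule` class, the function names, the constructed rule paths and the `00000000-...` placeholder IDs are assumptions made for this example.

```python
"""
Added example (not Hayabusa's own code): rule selection from exclude/noisy
lists and status flags, filename convention checks, and an event ID filter.
Rule metadata and placeholder IDs are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """The subset of rule metadata the selection logic needs (constructed type)."""
    id: str
    path: str
    status: str  # stable / testing / deprecated


def parse_id_list(text):
    """Read exclude_rules.txt / noisy_rules.txt: one rule ID per line, '#' starts a comment."""
    ids = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            ids.add(entry.lower())
    return ids


def load_target_eventids(text):
    """Read target_eventids.txt; returns a set of IDs, or None when the list is empty (no filtering)."""
    ids = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            if not entry.isdigit():
                raise ValueError(f"event ID filter entries must be integers, got {entry!r}")
            ids.add(int(entry))
    return ids or None


def event_passes_filter(event_id, targets):
    """True when no filter is configured or the event ID is on the list."""
    return targets is None or event_id in targets


# README naming convention: alerts are <EventID>_<MITRE ATT&CK Name>_<Description>.yml,
# events are <EventID>_<Description>.yml. Name parts use letters, digits and hyphens only.
ALERT_NAME = re.compile(r"^(\d+)_([A-Za-z0-9-]+)_([A-Za-z0-9-]+)\.yml$")
EVENT_NAME = re.compile(r"^(\d+)_([A-Za-z0-9-]+)\.yml$")


def classify_filename(filename):
    """Return ('alert', event_id) or ('event', event_id), or None if the name does not follow the convention."""
    m = ALERT_NAME.match(filename)
    if m:
        return "alert", int(m.group(1))
    m = EVENT_NAME.match(filename)
    if m:
        return "event", int(m.group(1))
    return None


def select_rules(rules, exclude_text, noisy_text, enable_noisy=False, enable_deprecated=False):
    """Return (selected_rules, skipped) where skipped maps rule path -> reason it was not loaded."""
    excluded = parse_id_list(exclude_text)
    noisy = parse_id_list(noisy_text)
    selected, skipped = [], {}
    for rule in rules:
        rid = rule.id.lower()
        if rid in excluded:
            skipped[rule.path] = "excluded"      # never loaded; no flag re-enables it
        elif rid in noisy and not enable_noisy:
            skipped[rule.path] = "noisy"         # needs -n / --enable-noisy-rules
        elif rule.status == "deprecated" and not enable_deprecated:
            skipped[rule.path] = "deprecated"    # needs --enable-deprecated-rules
        else:
            selected.append(rule)
    return selected, skipped


# Entries copied from this repository's exclude/noisy config files.
EXCLUDE_TXT = """\
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
# Replaced by hayabusa rules
c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
"""
NOISY_TXT = """\
0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
"""

# Constructed rule set; the 00000000-... IDs and the deprecated rule path are placeholders.
SAMPLE_RULES = [
    Rule("4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "rules/sigma/other/msexchange/win_exchange_transportagent.yml", "stable"),
    Rule("0f06a3a5-6a09-413f-8743-e6cf35561297", "rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml", "stable"),
    Rule("00000000-0000-4000-8000-000000000001", "rules/sigma/deprecated/example_deprecated_rule.yml", "deprecated"),
    Rule("00000000-0000-4000-8000-000000000002",
         "rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml", "stable"),
    Rule("00000000-0000-4000-8000-000000000003",
         "rules/hayabusa/default/events/Security/4776_NTLM-LogonToLocalAccount.yml", "testing"),
]

if __name__ == "__main__":
    loaded, dropped = select_rules(SAMPLE_RULES, EXCLUDE_TXT, NOISY_TXT)
    for r in loaded:
        print("load", r.path, classify_filename(r.path.rsplit("/", 1)[-1]))
    for path, why in dropped.items():
        print("skip", why, path)
```

The order of the checks matters: an excluded ID stays excluded even when `--enable-noisy-rules` is given, which is the distinction the README draws between `exclude_rules.txt` and `noisy_rules.txt`. An empty `target_eventids.txt` is treated as "no filter" rather than "match nothing", so a blank file cannot silently suppress every event.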
# Other Windows event log analyzers and related projects
There is no "one tool to rule them all" and we have found that each has its own merits so we recommend checking out these other great tools and projects and seeing which ones you like.
* [APT-Hunter](https://github.com/ahmedkhlief/APT-Hunter) - Attack detection tool written in Python.
* [Awesome Event IDs](https://github.com/stuhli/awesome-event-ids) - Collection of Event ID resources useful for Digital Forensics and Incident Response
* [Chainsaw](https://github.com/countercept/chainsaw) - A similar sigma-based attack detection tool written in Rust.
* [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - Attack detection tool written in Powershell by [Eric Conrad](https://twitter.com/eric_conrad).
* [EventList](https://github.com/miriamxyra/EventList/) - Map security baseline event IDs to MITRE ATT&CK by [Miriam Wiesner](https://github.com/miriamxyra).
* [EvtxECmd](https://github.com/EricZimmerman/evtx) - Evtx parser by [Eric Zimmerman](https://twitter.com/ericrzimmerman).
* [EVTXtract](https://github.com/williballenthin/EVTXtract) - Recover EVTX log files from unallocated space and memory images.
* [EvtxToElk](https://www.dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/) - Python tool to send Evtx data to Elastic Stack.
* [EVTX ATTACK Samples](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) - EVTX attack sample event log files by [SBousseaden](https://twitter.com/SBousseaden).
* [EVTX-to-MITRE-Attack](https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack) - Another great repository of EVTX attack sample logs mapped to ATT&CK.
* [EVTX parser](https://github.com/omerbenamram/evtx) - the Rust library we used written by [@OBenamram](https://twitter.com/obenamram).
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - A graphical interface to visualize logons to detect lateral movement by [JPCERTCC](https://twitter.com/jpcert_en).
* [RustyBlue](https://github.com/Yamato-Security/RustyBlue) - Rust port of DeepBlueCLI by Yamato Security.
* [Sigma](https://github.com/SigmaHQ/sigma) - Community based generic SIEM rules.
* [so-import-evtx](https://docs.securityonion.net/en/2.3/so-import-evtx.html) - Import evtx files into Security Onion.
* [Timeline Explorer](https://ericzimmerman.github.io/#!index.md) - The best CSV timeline analyzer by [Eric Zimmerman](https://twitter.com/ericrzimmerman).
* [Windows Event Log Analysis - Analyst Reference](https://www.forwarddefense.com/media/attachments/2021/05/15/windows-event-log-analyst-reference.pdf) - by Forward Defense's Steve Anson.
* [WELA (Windows Event Log Analyzer)](https://github.com/Yamato-Security/WELA) - The Swiss-army knife for Windows event logs by [Yamato Security](https://github.com/Yamato-Security/)
* [Zircolite](https://github.com/wagga40/Zircolite) - Sigma-based attack detection tool written in Python.
## Comparison to other similar tools that support sigma
Please understand that it is not possible to do a perfect comparison as results will differ based on the target sample data, command-line options, rule tuning, etc...
In our tests, we have found hayabusa to support the largest number of sigma rules out of all the tools while still maintaining very fast speeds and not requiring a great amount of memory.
The following benchmarks were taken on a Lenovo P51 based on approximately 500 evtx files (130MB) from our [sample-evtx repository](https://github.com/Yamato-Security/hayabusa-sample-evtx) at 2021/12/23 with Hayabusa version 1.0.0.
| | Elapsed Time | Memory Usage | Unique Sigma Rules With Detections |
| :-------: | :----------: | :----------------------------------------------------------: | :--------------------------------: |
| Chainsaw | 7.5 seconds | 75 MB | 170 |
| Hayabusa | 7.8 seconds | 340 MB | 267 |
| Zircolite | 34 seconds | 380 MB (normally requires 3 times the size of the log files) | 237 |
* With hayabusa rules enabled, it will detect around 300 unique alerts and events.
* When tested on many event logs files totaling 7.5 GB, it finished in under 7 minutes and used around 1 GB of memory. The amount of memory consumed is based on the size of the results, not on the size of the target evtx files.
* It is the only tool that provides a consolidated single CSV timeline for analysis in tools like [Timeline Explorer](https://ericzimmerman.github.io/#!index.md).
# Community Documentation
## English
* 2022/01/24 [Graphing Hayabusa results in neo4j](https://www.youtube.com/watch?v=7sQqz2ek-ko) by Matthew Seyer ([@forensic_matt](https://twitter.com/forensic_matt))
## Japanese
* 2022/01/22 [Visualizing Hayabusa results in Elastic Stack](https://qiita.com/kzzzzo2/items/ead8ccc77b7609143749) by [@kzzzzo2](https://qiita.com/kzzzzo2)
* 2021/12/31 [Intro to Hayabusa](https://itib.hatenablog.com/entry/2021/12/31/222946) by itiB ([@itiB_S144](https://twitter.com/itiB_S144))
* 2021/12/27 [Hayabusa internals](https://kazuminkun.hatenablog.com/entry/2021/12/27/190535) by Kazuminn ([@k47_um1n](https://twitter.com/k47_um1n))
# Contribution
We would love any form of contribution. Pull requests, rule creation and sample evtx logs are the best but feature requests, notifying us of bugs, etc... are also very welcome.
At the least, if you like our tool then please give us a star on Github and show your support!
# Bug Submission
Please submit any bugs you find [here.](https://github.com/Yamato-Security/hayabusa/issues/new?assignees=&labels=bug&template=bug_report.md&title=%5Bbug%5D)
This project is currently actively maintained and we are happy to fix any bugs reported.
# License
Hayabusa is released under [GPLv3](https://www.gnu.org/licenses/gpl-3.0.en.html) and all rules are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md).


@@ -1,181 +0,0 @@
AccessList,Event.EventData.AccessList
AccessMask,Event.EventData.AccessMask
Accesses,Event.EventData.Accesses
AccountName,Event.EventData.AccountName
Account_Name,Event.EventData.Account_Name
AllowedToDelegateTo,Event.EventData.AllowedToDelegateTo
AttributeLDAPDisplayName,Event.EventData.AttributeLDAPDisplayName
AttributeValue,Event.EventData.AttributeValue
AuditPolicyChanges,Event.EventData.AuditPolicyChanges
AuditSourceName,Event.EventData.AuditSourceName
AuthenticationPackageName,Event.EventData.AuthenticationPackageName
CallTrace,Event.EventData.CallTrace
CallerProcessName,Event.EventData.CallerProcessName
Caller_Process_Name,Event.EventData.Caller_Process_Name
CallingProcessName,Event.EventData.CallingProcessName
CategoryName,Event.EventData.Category Name
CertThumbprint,Event.EventData.CertThumbprint
Channel,Event.System.Channel
ClassName,Event.EventData.ClassName
Client_Address,Event.EventData.Client_Address
CommandLine,Event.EventData.CommandLine
Company,Event.EventData.Company
Computer,Event.System.Computer
ComputerName,Event.System.Computer
ContextInfo,Event.EventData.ContextInfo
CurrentDirectory,Event.EventData.CurrentDirectory
Description,Event.EventData.Description
DestAddress,Event.EventData.DestAddress
DestPort,Event.EventData.DestPort
Destination,Event.EventData.Destination
DestinationAddress,Event.EventData.DestinationAddress
DestinationHostname,Event.EventData.DestinationHostname
DestinationIp,Event.EventData.DestinationIp
DestinationIsIpv6,Event.EventData.DestinationIsIpv6
DestinationPort,Event.EventData.DestinationPort
Details,Event.EventData.Details
DetectionSource,Event.EventData.DetectionSource
DetectionUser,Event.EventData.Detection User
Device,Event.EventData.Device
DeviceClassName,Event.EventData.DeviceClassName
DeviceDescription,Event.EventData.DeviceDescription
DeviceName,Event.EventData.DeviceName
DomainName,Event.EventData.SubjectDomainName
EngineVersion,Event.EventData.EngineVersion
ErrorCode,Event.EventData.ErrorCode
EventID,Event.System.EventID
EventType,Event.EventData.EventType
FailureCode,Event.EventData.FailureCode
FilePath,Event.EventData.FilePath
FileVersion,Event.EventData.FileVersion
Filename,Event.EventData.Filename
GrantedAccess,Event.EventData.GrantedAccess
GroupName,Event.EventData.GroupName
GroupSid,Event.EventData.GroupSid
Hashes,Event.EventData.Hashes
HiveName,Event.EventData.HiveName
HostApplication,Event.EventData.HostApplication
HostName,Event.EventData.HostName
HostVersion,Event.EventData.HostVersion
Image,Event.EventData.Image
ImageLoaded,Event.EventData.ImageLoaded
ImagePath,Event.EventData.ImagePath
Imphash,Event.EventData.Hashes
Initiated,Event.EventData.Initiated
IntegrityLevel,Event.EventData.IntegrityLevel
IpAddress,Event.EventData.IpAddress
IpPort,Event.EventData.IpPort
JobTitle,Event.EventData.name
KeyLength,Event.EventData.KeyLength
Keywords,Event.System.Keywords
LDAPDisplayName,Event.EventData.LDAPDisplayName
LayerRTID,Event.EventData.LayerRTID
Level,Event.System.Level
LogFileClearedSubjectUserName,Event.UserData.LogFileCleared.SubjectUserName
LogonId,Event.EventData.LogonId
LogonProcessName,Event.EventData.LogonProcessName
LogonType,Event.EventData.LogonType
Logon_Account,Event.EventData.Logon_Account
MachineName,Event.EventData.MachineName
MemberName,Event.EventData.MemberName
MemberSid,Event.EventData.MemberSid
Message,Event.EventData
NewName,Event.EventData.NewName
NewTemplateContent, Event.EventData.NewTemplateContent
NewUacValue,Event.EventData.NewUacValue
NewValue,Event.EventData.NewValue
New_Value,Event.EventData.New Value
ObjectClass,Event.EventData.ObjectClass
ObjectName,Event.EventData.ObjectName
ObjectServer,Event.EventData.ObjectServer
ObjectType,Event.EventData.ObjectType
ObjectValueName,Event.EventData.ObjectValueName
OldUacValue,Event.EventData.OldUacValue
Origin,Event.EventData.Origin
OriginalFilename,Event.EventData.OriginalFileName
ParentCommandLine,Event.EventData.ParentCommandLine
ParentImage,Event.EventData.ParentImage
ParentIntegrityLevel,Event.EventData.ParentIntegrityLevel
ParentProcessName,Event.EventData.ParentProcessName
ParentUser,Event.EventData.ParentUser
PasswordLastSet,Event.EventData.PasswordLastSet
Path,Event.EventData.Path
Payload,Event.EventData.Payload
PipeName,Event.EventData.PipeName
PreAuthType,Event.EventData.PreAuthType
PrivilegeList,Event.EventData.PrivilegeList
ProcessCommandLine,Event.EventData.ProcessCommandLine
ProcessId,Event.EventData.ProcessId
ProcessName,Event.EventData.ProcessName
Product,Event.EventData.Product
Properties,Event.EventData.Properties
ProviderName,Event.System.Provider_Name
Provider_Name,Event.System.Provider_Name
QNAME,Event.EventData.QNAME
QueryName,Event.EventData.QueryName
QueryResults,Event.EventData.QueryResults
QueryStatus,Event.EventData.QueryStatus
RelativeTargetName,Event.EventData.RelativeTargetName
RuleName,Event.EventData.RuleName
SAMAccountName,Event.EventData.SamAccountName
ScriptBlockText,Event.EventData.ScriptBlockText
SearchFilter,Event.System.SearchFilter
ServerName,Event.System.ServerName
Service,Event.EventData.Service
ServiceFileName,Event.EventData.ServiceFileName
ServiceName,Event.EventData.ServiceName
ServicePrincipalNames,Event.EventData.ServicePrincipalNames
ServiceStartType,Event.EventData.ServiceStartType
ServiceType,Event.EventData.ServiceType
SeverityName,Event.EventData.Severity Name
ShareLocalPath,Event.EventData.ShareLocalPath
ShareName,Event.EventData.ShareName
SidHistory,Event.EventData.SidHistory
Signature,Event.EventData.Signature
Signed,Event.EventData.Signed
Source,Event.System.Provider_Name
SourceAddress,Event.EventData.SourceAddress
SourceImage,Event.EventData.SourceImage
SourceNetworkAddress,Event.EventData.SourceNetworkAddress
SourcePort,Event.EventData.SourcePort
Source_Name,Event.EventData.Source Name
Source_Network_Address,Event.EventData.Source_Network_Address
Source_WorkStation,Event.EventData.Source_WorkStation
StartAddress,Event.EventData.StartAddress
StartFunction,Event.EventData.StartFunction
StartModule,Event.EventData.StartModule
State,Event.EventData.State
Status,Event.EventData.Status
SubStatus,Event.EventData.SubStatus
SubjectDomainName,Event.EventData.SubjectDomainName
SubjectLogonId,Event.EventData.SubjectLogonId
SubjectUserName,Event.EventData.SubjectUserName
SubjectUserSid,Event.EventData.SubjectUserSid
TargetDomainName,Event.EventData.TargetDomainName
TargetFilename,Event.EventData.TargetFilename
TargetInfo,Event.EventData.TargetInfo
TargetImage,Event.EventData.TargetImage
TargetLogonId,Event.EventData.TargetLogonId
TargetName,Event.EventData.TargetServerName
TargetObject,Event.EventData.TargetObject
TargetProcessAddress,Event.EventData.TargetProcessAddress
TargetServerName,Event.EventData.TargetServerName
TargetSid,Event.EventData.TargetSid
TargetUserName,Event.EventData.TargetUserName
TaskName,Event.EventData.TaskName
TemplateContent,Event.EventData.TemplateContent
ThreatName,Event.EventData.Threat Name
TicketEncryptionType,Event.EventData.TicketEncryptionType
TicketOptions,Event.EventData.TicketOptions
Url,Event.EventData.url
User,Event.EventData.User
UserName,Event.EventData.UserName
Value, Event.EventData.Value
WindowsDefenderProcessName,Event.EventData.Process Name
Workstation,Event.EventData.Workstation
WorkstationName,Event.EventData.WorkstationName
param1,Event.EventData.param1
param2,Event.EventData.param2
provider_Name,Event.EventData.Provider_Name
service,Event.EventData.Service
sha1,Event.EventData.Hashes_sha1
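Review bot: two entries in the removed mapping carry a space after the comma (`NewTemplateContent, Event.EventData.NewTemplateContent` and `Value, Event.EventData.Value`), which a strict CSV loader stores as ` Event.EventData.Value` unless it trims fields; whatever file replaces this one should drop the stray whitespace, and since the README in this PR still sends users to `config\eventkey_alias.txt` when a `%...%` placeholder is not resolved, confirm that path is provided by the new `rules` submodule rather than simply gone. Before the list is carried over, also check the entries that do not map to a same-named field: `provider_Name` maps to `Event.EventData.Provider_Name` while `ProviderName`, `Provider_Name` and `Source` map to `Event.System.Provider_Name`, `DomainName` maps to `Event.EventData.SubjectDomainName`, `Imphash` maps to `Event.EventData.Hashes`, and `Message` maps to the whole `Event.EventData` element rather than a field.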

View File

@@ -1,9 +0,0 @@
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 # ./rules/sigma/other/msexchange/win_exchange_transportagent.yml
c92f1896-d1d2-43c3-92d5-7a5b35c217bb # ./rules/sigma/other/msexchange/win_exchange_cve_2021_42321.yml
9f7aa113-9da6-4a8d-907c-5f1a4b908299 # ./rules/sigma/deprecated/powershell_syncappvpublishingserver_exe.yml
# Replaced by hayabusa rules
c265cf08-3f99-46c1-8d59-328247057d57 # ./rules/sigma/builtin/security/win_user_added_to_local_administrators.yml
66b6be3d-55d0-4f47-9855-d69df21740ea # ./rules/sigma/builtin/security/win_user_creation.yml
7b449a5e-1db5-4dd0-a2dc-4e3a67282538 # ./rules/sigma/builtin/security/win_hidden_user_creation.yml
b20f6158-9438-41be-83da-a5a16ac90c2b # ./rules/sigma/other/taskscheduler/win_rare_schtask_creation.yml
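Review bot: this removes the exclusion list outright while the README in the same PR tells users to add IDs to `rules/config/exclude_rules.txt`; confirm that the path resolves through the `rules` submodule, otherwise a checkout that does not initialize the submodule has no exclusion file and loads every rule. The comment line `# Replaced by hayabusa rules` sits between IDs, so any loader of the replacement file must treat a line starting with `#` (and text after an ID) as a comment rather than as a malformed rule ID.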

View File

@@ -1,7 +0,0 @@
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
c92f1896-d1d2-43c3-92d5-7a5b35c217bb
7b449a5e-1db5-4dd0-a2dc-4e3a67282538
c265cf08-3f99-46c1-8d59-328247057d57
66b6be3d-55d0-4f47-9855-d69df21740ea
9f7aa113-9da6-4a8d-907c-5f1a4b908299
b20f6158-9438-41be-83da-a5a16ac90c2b
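Review bot: these are the same seven IDs as the commented list in the previous hunk, without the comments and in a different order; dropping both copies at once is fine, but check that no code path still expects an uncommented variant, since a loader written for this bare format would reject the `# ...` lines in the other file.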

config/level_color.txt Normal file

@@ -0,0 +1,6 @@
level,colorcode
critical,ff0000
high,ffff00
medium,00ffff
low,00ff00
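Review bot: the hunk header advertises six lines but the file shows five (`level,colorcode` plus `critical`, `high`, `medium`, `low`), so `informational` has no colour entry; either add an `informational,...` line or state in the README's Color Output section that levels missing from the file print uncoloured. The reader for this file must also skip the `level,colorcode` header line rather than parse it as a level, and should reject a code that is not exactly six hex digits.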


@@ -1,9 +0,0 @@
0f06a3a5-6a09-413f-8743-e6cf35561297 # ./rules/sigma/wmi_event/sysmon_wmi_event_subscription.yml
b0d77106-7bb0-41fe-bd94-d1752164d066 # ./rules/sigma/builtin/security/win_rare_schtasks_creations.yml
66bfef30-22a5-4fcd-ad44-8d81e60922ae # ./rules/sigma/builtin/system/win_rare_service_installs.yml
e98374a6-e2d9-4076-9b5c-11bdb2569995 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source.yml
6309ffc4-8fa2-47cf-96b8-a2f72e58e538 # ./rules/sigma/builtin/security/win_susp_failed_logons_single_source2.yml
61ab5496-748e-4818-a92f-de78e20fe7f1 # ./rules/sigma/process_creation/win_multiple_suspicious_cli.yml
add2ef8d-dc91-4002-9e7e-f2702369f53a # ./rules/sigma/builtin/security/win_susp_failed_remote_logons_single_source.yml
196a29c2-e378-48d8-ba07-8a9e61f7fab9 # ./rules/sigma/builtin/security/win_susp_failed_logons_explicit_credentials.yml
72124974-a68b-4366-b990-d30e0b2a190d # ./rules/sigma/builtin/security/win_metasploit_authentication.yml


@@ -1,9 +0,0 @@
0f06a3a5-6a09-413f-8743-e6cf35561297
b0d77106-7bb0-41fe-bd94-d1752164d066
66bfef30-22a5-4fcd-ad44-8d81e60922ae
e98374a6-e2d9-4076-9b5c-11bdb2569995
6309ffc4-8fa2-47cf-96b8-a2f72e58e538
61ab5496-748e-4818-a92f-de78e20fe7f1
add2ef8d-dc91-4002-9e7e-f2702369f53a
196a29c2-e378-48d8-ba07-8a9e61f7fab9
72124974-a68b-4366-b990-d30e0b2a190d


@@ -1,2 +0,0 @@
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"


@@ -1,17 +0,0 @@
^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$
powershell.*FromBase64String.*IO.Compression.GzipStream
DownloadString\(.http
mimikatz
Invoke-Mimikatz.ps
PowerSploit.*ps1
User-Agent
[a-zA-Z0-9/+=]{500}
powershell.exe.*Hidden.*Enc
\\csc\.exe
\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
# Generic cvtres.exe alert
\\cvtres\.exe.*
\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
^[a-zA-Z]{22}$
^[a-zA-Z]{16}$
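Review bot: this list mixes a comment line (`# Generic cvtres.exe alert`) with patterns, so any loader must strip `#` lines before compiling them or it silently compiles a regex that matches literal text beginning with `# Generic`. Two nits if the list lives on elsewhere: `\\cvtres\.exe.*` already matches everything that the more specific `\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp` line matches, so each such event is flagged twice, and the unescaped `.` in `^cmd.exe /c echo` matches any character rather than a literal dot.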


@@ -1,10 +1,11 @@
Hayabusa was possible thanks to the following people (in alphabetical order):
Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc...
DustInDark (@hitenkoku): Core developer (too many contributions to list up)
Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc...
ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc...
James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc…
Kazuminn (@k47_um1n): Developer
Kazuminn (@k47_um1n): Core Developer
Tsubokku (@ytsuboi0322): Translations
Yusuke Matsui (@apt773): AD hacking working group leader, rule testing, documentation, research, support, etc...
Zach Mathis (@yamatosecurity, Yamato Security Founder): Project leader, tool and concept design, rule creation and tuning, etc…
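Review bot: Kazuminn (@k47_um1n) now appears twice (`Developer` and `Core Developer`), and the header says the file grows from 10 to 11 lines, so the old entry looks to have been kept rather than replaced; drop the `Developer` line if the intent was to update the title. Minor: `ItiB (@itiB_S144) :` has a space before the colon, and the list mixes `etc...` with `etc…`.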


@@ -1,594 +0,0 @@
## About rule files
Hayabusa detection rules are written in [YAML](https://en.wikipedia.org/wiki/YAML) format.
They are a subset of sigma rules with some additions. We are trying to make them as close to sigma rules as possible so that it is easy to convert Hayabusa rules back to sigma to give back to the community.
Hayabusa rules can express complex detection rules by combining not only simple string matching but also regular expressions, `AND`, `OR`, and other conditions.
In this section, we will explain how to write Hayabusa detection rules.
# Rule file format
Example:
```yaml
#Author section
author: Eric Conrad, Zach Mathis
date: 2020/11/08
modified: 2021/11/26
#Alert section
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
#Rule section
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
logsource: default
ruletype: Hayabusa
```
> ## Author section
* **author [required]**: Name of the author(s).
* **contributor** [optional]: Name of any contributor(s) (anyone who made any minor corrections).
* **date [required]**: Date the rule was made.
* **modified** [optional]: Date the rule was updated.
> ## Alert section
* **title [required]**: Rule file title. This will also be the name of the alert that gets displayed so the briefer the better. (Should not be longer than 85 characters.)
* **title_jp** [optional]: The title in Japanese.
* details [optional]: The details of the alert that gets displayed. Please output any fields in the Windows event log that are useful for analysis. Fields are seperated by `" : "` (two spaces on both sides). Field placeholders are enclosed with a `%` (Example: `%MemberName%`) and need to be defined in `config\eventkey_alias.txt`. (Explained below.)
* **details_jp** [optional]: The details message in Japanese.
* **description** [optional]: A description of the rule. This does not get displayed so you can make this long and detailed.
* **description_jp** [optional]: The description in Japanese.
> ## Rule section
* **id [required]**: A randomly generated version 4 UUID used to uniquely identify the rule. You can generate one [here](https://www.uuidgenerator.net/version4).
* **level [required]**: Severity level based on [sigma's definition](https://github.com/SigmaHQ/sigma/wiki/Specification). Please write one of the following: `informational`,`low`,`medium`,`high`,`critical`
* **status[required]**: `stable` for tested rules and `testing` for rules that need to be tested.
* **detection [required]**: The detection logic goes here. (Explained below.)
* **falsepositives [required]**: The possibilities for false positives. For example: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`, `none`. If it is unknown, please write `unknown`.
* **tags** [optional]: If the technique is a [LOLBINS/LOLBAS](https://lolbas-project.github.io/) technique, please add the `lolbas` tag. If the alert can be mapped to a technique in the [MITRE ATT&CK](https://attack.mitre.org/) framework, please add the tactic ID (Example: `attack.t1098`) and any applicable tactics below:
* `attack.impact` -> Impact
* `attack.initial_access` -> Initial Access
* `attack.execution` -> Execution
* `attack.lateral_movement` -> Lateral Movement
* `attack.persistence` -> Persistence
* `attack.privilege_escalation` -> Privilege Escalation
* `attack.reconnaissance` -> Reconnaissance
* `attack.collection` -> Collection
* `attack.command_and_control` -> Command and Control
* `attack.credential_access` -> Credential Access
* `attack.defense_evasion` -> Defense Evasion
* `attack.discovery` -> Discovery
* `attack.exfiltration` -> Exfiltration
* `attack.resource_development` -> Resource Development
* **references** [optional]: Any links to references.
* **sample-evtx [required]**: File path or URL to an event log file that this rule will detect.
* **logsource [required]**: The source of where the log comes from. Please specify one of the following:
* `default`: For logs that are turned on in Windows by default.
* `non-default`: For logs that need to be turned on through group policy, security baselines, etc...
* `sysmon`: Logs that require sysmon to be installed.
* **non-default-setting** [optional]: Explanation of how to turn on the log setting for `non-default` log sources.
* **ruletype [required]**: `Hayabusa` for hayabusa rules. Rules automatically converted from sigma Windows rules will be `Sigma`.
# Detection field
## Selection fundamentals
First, the fundamentals of how to create a selection rule will be explained.
### How to write AND and OR logic
To write AND logic, we use nested dictionaries.
The detection rule below defines that **both conditions** have to be true in order for the rule to match.
* EventID has to exactly be `7040`.
* **AND**
* Channel has to exactly be `System`.
```yaml
detection:
selection:
Event.System.EventID: 7040
Event.System.Channel: System
condition: selection
```
To write OR logic, we use lists (Dictionaries that start with `- `).
In the detection rule below, **either one** of the conditions will result in the rule being triggered.
* EventID has to exactly be `7040`.
* **OR**
* Channel has to exactly be `System`.
```yaml
detection:
selection:
- Event.System.EventID: 7040
- Event.System.Channel: System
condition: selection
```
We can also combine `AND` and `OR` logic as shown below.
In this case, the rule matches when the following two conditions are both true.
* EventID is either exactly `7040` **OR** `7041`.
* **AND**
* Channel is exactly `System`.
```yaml
detection:
selection:
Event.System.EventID:
- 7040
- 7041
Event.System.Channel: System
condition: selection
```
### Eventkeys
The following is an excerpt of a Windows event log, formatted in the original XML. The `Event.System.Channel` field in the rule file example above refers to the original XML tag: `<Event><System><Channel>System<Channel><System></Event>`. Nested XML tags are replaced by tag names seperated by dots (`.`). In hayabusa rules, these field strings connected together with dots are refered to as `eventkeys`.
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>7040</EventID>
<Channel>System</Channel>
</System>
<EventData>
<Data Name='param1'>Background Intelligent Transfer Service</Data>
<Data Name='param2'>auto start</Data>
</EventData>
</Event>
```
#### Eventkey Aliases
Long eventkeys with many `.` seperations are common, so hayabusa will use aliases to make them easier to work with. Aliases are defined in the `config\eventkey_alias.txt` file. This file is a CSV file made up of `alias` and `event_key` mappings. You can rewrite the rule above as shown below with aliases making the rule easier to read.
```yaml
detection:
selection:
Channel: System
EventID: 7040
condition: selection
```
#### Caution: Undefined Eventkey Aliases
Not all eventkey aliases are defined in `config\eventkey_alias.txt`. If you are not getting the correct data in the `details`(Alert details) message, and instead are getting results like `%EventID%` or if the selection in your detection logic is not working properly, then you need to update `config\eventkey_alias.txt` with a new alias.
### How to use XML attributes in conditions
XML elements may have attributes set by adding a space to the element. For example, `Name` in `Provider Name` below is an XML attribute of the `Provider` element.
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
<EventID>4672</EventID>
<EventRecordID>607469</EventRecordID>
<Channel>Security</Channel>
<Security />
</System>
</Event>
```
To specify XML attributes in an eventkey, use the format `{eventkey}_attributes.{attribute_name}`. For example, to specify the `Name` attribute of the `Provider` element in a rule file, it would look like this:
```yaml
detection:
selection:
Channel: Security
EventID: 4672
Event.System.Provider_attributes.Name: 'Microsoft-Windows-Security-Auditing'
condition: selection
```
### grep search
Hayabusa can perform grep searches in Windows event log files by not specifying any eventkeys.
To do a grep search, specify the detection as shown below. In this case, if the strings `mimikatz` or `metasploit` are included in the Windows Event log, it will match. It is also possible to specify wildcards.
```yaml
detection:
selection:
- mimikatz
- metasploit
```
> Note: Hayabusa internally converts Windows event log data to JSON format before processing the data so it is not possible to match on XML tags.
### EventData
Windows event logs are divided into two parts: the `System` part where the fundamental data (Event ID, Timestamp, Record ID, Log name (Channel)) is written, and the `EventData` part where arbitrary data is written depending on the Event ID. The problem is that the names of the tags nested in EventData are all called `Data` so the eventkeys described so far cannot distinguish between `SubjectUserSid` and `SubjectUserName`.
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>5379</EventID>
<TimeCreated SystemTime='2021-10-20T10:16:18.7782563Z' />
<EventRecordID>607469</EventRecordID>
<Channel>Security</Channel>
<Security />
</System>
<EventData>
<Data Name='SubjectUserSid'>S-1-1-11-1111111111-111111111-1111111111-1111</Data>
<Data Name='SubjectUserName'>hayabusa</Data>
<Data Name='SubjectDomainName'>DESKTOP-HAYABUSA</Data>
<Data Name='SubjectLogonId'>0x11111111</Data>
</EventData>
</Event>
```
To deal with this problem, you can specify the value assigned in `Data Name`. For example, if you want to use `SubjectUserName` and `SubjectDomainName` in the EventData as a condition of a rule, you can describe it as follows:
```yaml
detection:
selection:
Channel: System
EventID: 7040
Event.EventData.SubjectUserName: hayabusa
Event.EventData.SubjectDomainName: DESKTOP-HAYBUSA
condition: selection
```
### Abnormal patterns in EventData
Some of the tags nested in `EventData` do not have a `Name` attribute.
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>5379</EventID>
<Channel>Security</Channel>
<Security />
</System>
<EventData>
<Data>Available</Data>
<Data>None</Data>
<Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=9 HostName=ConsoleHost HostVersion=2.0 HostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c EngineVersion=2.0 RunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
```
To detect an event log like the one above, you can specify an eventkey named `EventData`. In this case, the condition will match as long as any one of the nested tags without a `Name` attribute matches.
```yaml
detection:
selection:
Channel: Security
EventID: 5379
EventData: None
condition: selection
```
## Pipes
A pipe can be used with eventkeys as shown below for matching strings. All of the conditions we have described so far use exact matches, but by using pipes, you can describe more flexible detection rules. In the following example, if the value of `EventData` matches the regular expression `[\s\S]*EngineVersion=2\.0[\s\S]*`, it will match the condition.
```yaml
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
condition: selection
```
This is a list of what you can specify after the pipe. At the moment, hayabusa does not support chaining multiple pipes together.
* startswith: Checks the string from the beginning
* endswith: Checks the end of the string
* contains: Checks if a word is contained in the data
* re: Use regular expressions. (We are using the regex crate so please out the documentation at https://docs.rs/regex/1.5.4/regex/ to know how to write correct regular expressions.)
> Caution: Some sigma rules that use regular expressions may fail to detect due to differences in how rust uses regular expressions.
## Wildcards
Wildcards can be used in eventkeys. In the example below, if `ProcessCommandLine` starts with the string "malware", the rule will match.
The specification is fundamentally the same as sigma rule wildcards.
```yaml
detection:
selection:
Channel: Security
EventID: 4688
ProcessCommandLine: malware*
condition: selection
```
The following two wildcards can be used.
* `*`: Matches any string of zero or more characters. (Internally it is converted to the regular expression `.*`)
* `?`: Matches any single character. (Internally converted to the regular expression `.`)
About escaping wildcards:
* Wildcards (`*` and `?`) can be escaped by using a backslash: `\*`, `\?`.
* If you want to use a backslash right before a wildcard then write `\\*` or `\\?`.
* Escaping is not required if you are using backslashes by themselves.
## Nesting keywords inside eventkeys
Eventkeys can be nested with specific keywords.
In the example below, the rule will match if the following are true:
* `ServiceName` is called `malicious-service` or contains a regular expression in `./config/regex/detectlist_suspicous_services.txt`.
* `ImagePath` has a minimum of 1000 characters.
* `ImagePath` does not have any matches in the `allowlist`.
```yaml
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
- value: malicious-service
- regexes: ./config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
condition: selection
```
Currently, the following keywords can be specified:
* `value`: matches by string (wildcards and pipes can also be specified).
* `min_length`: matches when the number of characters is greater than or equal to the specified number.
* `regexes`: matches if one of the regular expressions in the file that you specify in this field matches.
* `allowlist`: rule will be skipped if there is any match found in the list of regular expressions in the file that you specify in this field.
### regexes and allowlist keywords
Hayabusa has two built-in regular expression files used for the `.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml` file:
* `./config/regex/detectlist_suspicous_services.txt`: to detect suspicious service names
* `./config/regex/allowlist_legitimate_services.txt`: to allow legitimate services
Files defined in `regexes` and `allowlist` can be edited to change the behavior of all rules that reference them without having to change any rule file itself.
You can also use different detectlist and allowlist textfiles that you create.
Please refer to the built-in `./config/regex/detectlist_suspicous_services.txt` and `./config/regex/allowlist_legitimate_services.txt` when creating your own.
## condition
With the notation we explained above, you can express `AND` and `OR` logic but it will be confusing if you are trying to define complex logic.
When you want to make more complex rules, you should use the `condition` keyword as shown below.
```yaml
detection:
SELECTION_1:
EventID: 3
SELECTION_2:
Initiated: 'true'
SELECTION_3:
DestinationPort:
- '4444'
- '666'
SELECTION_4:
Image: '*\Program Files*'
SELECTION_5:
DestinationIp:
- 10.*
- 192.168.*
- 172.16.*
- 127.*
SELECTION_6:
DestinationIsIpv6: 'false'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 or (SELECTION_5 and SELECTION_6))))
```
The following expressions can be used for `condition`.
* `{expression1} and {expression2}`: Require both {expression1} AND {expression2}
* `{expression1} or {expression2}`: Require either {expression1} OR {expression2}
* `not {expression}`: Reverse the logic of {expression}
* `( {expression} )`: Set precedance of {expression}. It follows the same precedance logic as in mathematics.
In the above example, selection names such as `SELECTION_1`, `SELECTION_2`, etc... are used but they can be named anything as long as they only contain the following characters: `a-z A-Z 0-9 _`
> However, please use the standard convention of `selection_1`, `selection_2`, `filter_1`, `filter_2`, etc... to make things easy to read whenever possible.
## not logic
Many rules will result in false positives so it is very common to have a selection for signatures to search for but also a filter selection to not alert on false positives.
For example:
```yaml
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
```
## Aggregation conditions (Count rules)
### Basics
The `condition` keyword described above implements not only `AND` and `OR` logic, but is also able to count or "aggregate" events.
This function is called the "aggregation condition" and is specified by connecting a condition with a pipe.
In this password spray detection example below, a conditional expression is used to determine if there are 5 or more `TargetUserName` values from one source `IpAddress` within a timeframe of 5 minutes.
```yaml
detection:
selection:
Channel: Security
EventID: 4648
condition: selection | count(TargetUserName) by IpAddress > 5
timeframe: 5m
```
Aggregation conditions can be defined in the following format:
* `count() {operator} {number}`: For log events that match the first condition before the pipe, the condition will match if the number of matched logs satisfies the condition expression specified by `{operator}` and `{number}`.
`{operator}` can be one of the following:
* `==`: If the value is equal to the specified value, it is treated as matching the condition.
* `>=`: If the value is greater than or equal to the specified value, the condition is considered to have been met.
* `>`: If the value is greater than the specified value, the condition is considered to have been met.
* `<=`: If the value is less than or equal to the specified value, the condition is considered to have been met.
* `<`: If the value is less than the specified value, it will be treated as if the condition is met.
`{number}` must be a number.
`timeframe` can be defined in the following:
* `15s`: 15 seconds
* `30m`: 30 minutes
* `12h`: 12 hours
* `7d`: 7 days
* `3M`: 3 months
### Four patterns for aggregation conditions:
1. No count argument or `by` keyword. Example: `selection | count() > 10`
> If `selection` matches more than 10 times within the timeframe, the condition will match.
2. No count argument but there is a `by` keyword. Example: `selection | count() by IpAddress > 10`
> `selection` will have to be true more than 10 times for the **same** `IpAddress`.
3. There is a count argument but no `by` keyword. Example: `selection | count(TargetUserName) > 10`
> If `selection` matches and `TargetUserName` is **different** more than 10 times within the timeframe, the condition will match.
4. There is both a count argument and `by` keyword. Example: `selection | count(Users) by IpAddress > 10`
> For the **same** `IpAddress`, there will need to be more than 10 **different** `TargetUserName` in order for the condition to match.
### Pattern 1 example:
This is the most basic pattern: `count() {operator} {number}`. The rule below will match if `selection` happens 3 or more times.
![](CountRulePattern-1-EN.png)
### Pattern 2 example:
`count() by {eventkey} {operator} {number}`: Log events that match the `condition` before the pipe are grouped by the **same** `{eventkey}`. If the number of matched events for each grouping satisfies the condition specified by `{operator}` and `{number}`, then the condition will match.
![](CountRulePattern-2-EN.png)
### Pattern 3 example:
`count({eventkey}) {operator} {number}`: Counts how many **different** values of `{eventkey}` exist in the log event that match the condition before the condition pipe. If the number satisfies the conditional expression specified in `{operator}` and `{number}`, the condition is considered to have been met.
![](CountRulePattern-3-EN.png)
### Pattern 4 example:
`count({eventkey_1}) by {eventkey_2} {operator} {number}`: The logs that match the condition before the condition pipe are grouped by the **same** `{eventkey_2}`, and the number of **different** values of `{eventkey_1}` in each group is counted. If the values counted for each grouping satisfy the conditional expression specified by `{operator}` and `{number}`, the condition will match.
![](CountRulePattern-4-EN.png)
### Count rule output:
The details output for count rules is fixed and will print the original count condition in `[condition]` followed by the recorded eventkeys in `[result]`.
In the example below, a list of `TargetUserName` usernames that were being bruteforced followed by the source `IpAddress`:
```
[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:jorchilles/jlake/cspizor/lpesce/bgalbraith/jkulikowski/baker/eskoudis/dpendolino/sarmstrong/lschifano/drook/rbowes/ebooth/melliott/econrad/sanson/dmashburn/bking/mdouglas/cragoso/psmith/bhostetler/zmathis/thessman/kperryman/cmoody/cdavis/cfleener/gsalinas/wstrzelec/jwright/edygert/ssims/jleytevidal/celgee/Administrator/mtoussain/smisenar/tbennett/bgreenwood IpAddress:10.10.2.22 timeframe:5m
```
The timestamp of the alert will be the time from the first event detected.
# Rule creation advice
1. **When possible, always specify `Channel` and `EventID` name.** In the future, we may filter on channel names and event IDs so your rule may be ignored if this is not set.
2. **Please do not use multiple `selection` or `filter` fields and excessive grouping when it is not needed.** For example:
### Instead of:
```yaml
detection:
SELECTION_1:
Channnel: Security
SELECTION_2:
EventID: 4625
SELECTION_3:
LogonType: 3
FILTER_1:
SubStatus: "0xc0000064" #Non-existent user
FILTER_2:
SubStatus: "0xc000006a" #Wrong password
condition: SELECTION_1 and SELECTION_2 and SELECTION_3 and not (FILTER_1 or FILTER_2)
```
### Please do this:
```yaml
detection:
selection:
Channel: Security
EventID: 4625
LogonType: 3
filter:
- SubStatus: "0xc0000064" #Non-existent user
- SubStatus: "0xc000006a" #Wrong password
condition: selection and not filter
```
3. **When you need multiple sections, please name the first section with channel and event ID information in the `section_basic_info` section and other selections with meaningful names after `section_` and `filter_`, or use the notation `section_1`, `filter_1`, etc... Also, please write comments to explain anything difficult to understand.**
### Instead of:
```yaml
detection:
Takoyaki:
Channel: Security
EventID: 4648
Naruto:
TargetUserName|endswith: "$"
IpAddress: "-"
Sushi:
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
Godzilla:
SubjectUserName|endswith: "$"
Ninja:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$"
IpAddress: "-"
Daisuki:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
condition: Takoyaki and Daisuki and not (Naruto and not Godzilla) and not Ninja and not Sushi
```
### Please do this:
```yaml
detection:
selection_1:
Channel: Security
EventID: 4648
selection_2:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_1: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_2:
SubjectUserName|endswith: "$"
filter_3:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
selection_4:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
condition: selection_1 and selection_4 and not (selection_2 and not filter_2) and not filter_3 and not filter_1
```
### Or ideally something like this:
```yaml
detection:
selection_BasicInfo:
Channel: Security
EventID: 4648
selection_TargetUserIsComputerAccount:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_SubjectUserIsComputerAccount:
SubjectUserName|endswith: "$"
filter_SystemAccounts:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
selection_SuspiciousProcess:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
condition: selection_basic and selection_SuspiciousProcess and not (selection_TargetUserIsComputerAccount
and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts and not filter_UsersAndTargetServerAreComputerAccounts
```
# Converting sigma rules to hayabusa format
We have created a backend for sigmac to convert rules from sigma to hayabusa format [here](https://github.com/Yamato-Security/hayabusa/blob/main/tools/sigmac/).
The documentation for how to use it is [here](https://github.com/Yamato-Security/hayabusa/blob/main/tools/sigmac/README-English.md).
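Review bot: the "Or ideally something like this" example at the end of the rule-creation advice has a `condition` that references a selection that is not defined: the section is named `selection_BasicInfo`, but the condition reads `condition: selection_basic and selection_SuspiciousProcess and not (...)`, so a rule copied from this example would reference an undefined selection; change it to `selection_BasicInfo`. In the same hunk, the EventData example rule (`Event.EventData.SubjectUserName: hayabusa`) specifies `Channel: System` / `EventID: 7040` and `DESKTOP-HAYBUSA`, while the XML it is meant to match is EventID 5379 on the Security channel with `DESKTOP-HAYABUSA`, so the rule as written would not match the sample event it illustrates. Smaller points: pattern 4 of the aggregation conditions gives `count(Users) by IpAddress` but the explanation talks about `TargetUserName`; the not-logic filter lists `C:\Windows\System32\net.exe` twice; the "Instead of" example has `Channnel`; and advice item 3 says `section_basic_info` / `section_` where the examples use `selection_`.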
@@ -1,592 +0,0 @@
# ルールファイルについて
Hayabusaの検知ルールは[YAML](https://en.wikipedia.org/wiki/YAML) 形式で記述されています。
単純な文字列のマッチングだけでなく、正規表現や`AND``OR`などの条件を組み合わせて複雑な検知ルールを表現することができます。
本節ではHayabusaの検知ルールの書き方について説明します。
## ルールファイル形式
記述例:
```yaml
#Author section
author: Eric Conrad, Zach Mathis
date: 2020/11/08
modified: 2021/11/26
#Alert section
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
#Rule section
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
logsource: default
ruletype: Hayabusa
```
> ## 著者名欄
* **author [必須]**: 著者名(複数可)。
* **contributor** [オプション]: 寄稿者の名前(細かい修正をした人)。
* **date [必須]**: ルールが作成された日付。
* **modified** [オプション]: ルールが更新された日付。
> ## アラートセクション
* **title [必須]**: ルールファイルのタイトル。これは表示されるアラートの名前にもなるので、簡潔であるほどよいです。(85文字以下でなければなりません。)
* **title_jp** [オプション]: 日本語のタイトルです。
* **details** [オプション]: 表示されるアラートの詳細です。Windowsイベントログの中で解析に有効なフィールドがあれば出力してください。フィールドは `" : "` で区切られます両側ともスペース2つ。フィールドのプレースホルダは `%` で囲まれ (例: `%MemberName%`) 、`config_eventkey_alias.txt` で定義する必要があります。(以下で説明します)
* **details_jp** [オプション]: 日本語の出力メッセージ。
* **description** [オプション]: ルールの説明。これは表示されないので、長く詳細に記述することができます。
* **description_jp** [オプション]: 日本語の説明文です。
> ## ルールセクション
* **id [必須]**: ルールを一意に識別するために使用される、ランダムに生成されたバージョン4のUUIDです。 [ここ](https://www.uuidgenerator.net/version4) で生成することができます。
* **level [必須]**: [sigmaルールの定義](https://github.com/SigmaHQ/sigma/wiki/Specification)に基づく重要度レベル。 以下のいずれかを記述してください。 `informational`,`low`,`medium`,`high`,`critical`
* **status[必須]**: テスト済みのルールには `stable` を、テストが必要なルールには `testing` を指定します。
* **detection [必須]**: 検知ロジックはここに入ります。(以下で説明します。)
* **falsepositives [必須]**: 誤検知の可能性について記載を行います。例: `system administrator`, `normal user usage`, `normal system usage`, `legacy application`, `security team`, `none`。 不明な場合は `unknown` と記述してください。
* **tags** [オプション]: [LOLBINS/LOLBAS](https://lolbas-project.github.io/)という手法を利用している場合、`lolbas` タグを追加してください。アラートを[MITRE ATT&CK](https://attack.mitre.org/) フレームワークにマッピングできる場合は、以下のリストから該当するものを追加してください。戦術ID`attack.t1098`)を指定することも可能です。
* `attack.impact` -> Impact
* `attack.initial_access` -> Initial Access
* `attack.execution` -> Execution
* `attack.lateral_movement` -> Lateral Movement
* `attack.persistence` -> Persistence
* `attack.privilege_escalation` -> Privilege Escalation
* `attack.reconnaissance` -> Reconnaissance
* `attack.collection` -> Collection
* `attack.command_and_control` -> Command and Control
* `attack.credential_access` -> Credential Access
* `attack.defense_evasion` -> Defense Evasion
* `attack.discovery` -> Discovery
* `attack.exfiltration` -> Exfiltration
* `attack.resource_development` -> Resource Development
* **references** [オプション]: 参考文献への任意のリンク。
* **sample-evtx [必須]**: このルールが検知するイベントログファイルへのファイルパスまたはURL。
* **logsource [必須]**: ログの出所。以下のいずれかを指定してください。
* `default`: Windowsでデフォルトで有効になっているログの場合等
* `non-default`: グループポリシーやセキュリティベースラインなどで有効にする必要があるログ用。
* `sysmon`: sysmonのインストールが必要なログ。
* **non-default-setting** [オプション]: `non-default` のログソースのログ設定をオンにする方法の説明です。
* **ruletype [必須]**: Hayabusaルールには `Hayabusa` を指定します。SigmaのWindowsルールから自動変換されたルールは `Sigma` になります。
# detectionフィールド
## selectionの基礎知識
まず、selectionの作り方の基本を説明します。
### 論理積(AND)と論理和(OR)の書き方
ANDを表現するには辞書YAMLでは辞書を`:`で表します)を使用します。
このルールでログが検知されるには、**両方の条件**が真である必要があります。
* イベントIDが `7040` であること。
* チャンネルが `System` であること。
```yaml
detection:
selection:
Event.System.EventID: 7040
Event.System.Channel: System
condition: selection
```
ORを表現するには、配列YAMLでは配列を`- `で表します)を使用します。
このルールでログが検知されるには、**片方の条件**が真である必要があります。
* イベントIDが `7040` であること。
* チャンネルが `System` であること。
```yaml
detection:
selection:
- Event.System.EventID: 7040
- Event.System.Channel: System
condition: selection
```
また、以下のように「AND」と「OR」を組み合わせることも可能です。
この場合、以下の2つの条件が両方成立したときに、このルールでログが検知されます。
* イベントIDが `7040` **または** `7041` のどちらかであること。
* チャンネルが `System` であること。
```yaml
detection:
selection:
Event.System.EventID:
- 7040
- 7041
Event.System.Channel: System
condition: selection
```
### イベントキー
WindowsイベントログをXML形式で出力すると下記のようになります。
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>7040</EventID>
<Channel>System</Channel>
</System>
<EventData>
<Data Name='param1'>Background Intelligent Transfer Service</Data>
<Data Name='param2'>auto start</Data>
</EventData>
</Event>
```
論理和の例で示したルールの `Event.System.Channel` フィールドは、下記のXMLタグで囲まれた値を参照しています。 ネストされたXMLタグはドット(`.`)で区切られたタグ名で置き換えられます。Hayabusaのルールでは、このドットでつながれた文字列のことをイベントキーと呼んでいます。
`<Event><System><Channel>System<Channel><System></Event>`
#### イベントキーエイリアス
`.`の区切りが多くて長いイベントキーが一般的であるため、Hayabusaはエイリアスを使って簡単に扱えるようにします。エイリアスは `config\eventkey_alias.txt`ファイルで定義されています。このファイルは `alias``event_key` のマッピングで構成されるCSVファイルです。以下に示すように、エイリアスを使用して上記のルールを書き直し、ルールを読みやすくすることができます。
```yaml
detection:
selection:
Channel: System
EventID: 7040
condition: selection
```
#### 注意: 未定義のイベントキーエイリアスについて
すべてのイベントキーエイリアスが `config\eventkey_alias.txt`に定義されているわけではありません。検知するはずのルールが検知しない場合や、`details`(アラートの詳細)メッセージに`%EventID%`のようなプレースホルダーが表示されている場合、`config\eventkey_alias.txt`の設定を確認してください。
### XML属性を条件に使用する方法
XMLのタグにはタグ名とは別に属性を設定できます。例えば、以下の `Provider Name``Name``Provider` タグの属性です。
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
<EventID>4672</EventID>
<EventRecordID>607469</EventRecordID>
<Channel>Security</Channel>
<Security />
</System>
</Event>
```
イベントキーでXMLの属性を指定するには、`{eventkey}_attributes.{attribute_name}`という形式で記述します。例えば、ルールファイルの `Provider` 要素の `Name` 属性を指定する場合は、以下のようになります。
```yaml
detection:
selection:
Channel: Security
EventID: 4672
Event.System.Provider_attributes.Name: 'Microsoft-Windows-Security-Auditing'
condition: selection
```
### grep検索
Hayabusaではeventkeyを指定せず、WindowsEventログに含まれる文字列にマッチするかどうかを判定する機能も用意されています。この機能をHayabusaではgrep検索と呼んでいます。
grep検索をするには下記のようにdetectionを指定します。この場合、`mimikatz`または`metasploit`という文字列がWindowsEventログに含まれる場合に、ルールが検知されます。また、grep検索にはワイルドカードを指定することも可能です。
```yaml
detection:
selection:
- `mimikatz`
- `metasploit`
```
> ※ Hayabusaでは内部的にWindowsEventログをJSON形式に変換しています。そのため、grep検索ではXMLのタグをマッチさせることはできません。
### EventData
Windowsのイベントログは、基本データイベントID、タイムスタンプ、レコードID、ログ名チャンネルが書き込まれる`System`タグと、イベントIDに応じて任意のデータが書き込まれる`EventData`タグの2つに分けられます。その内、`EventData`タグ はネストされたタグの名前がすべて `Data` であり、これまで説明したイベントキーでは `SubjectUserSid``SubjectUserName` を区別できません。
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>5379</EventID>
<TimeCreated SystemTime='2021-10-20T10:16:18.7782563Z' />
<EventRecordID>607469</EventRecordID>
<Channel>Security</Channel>
<Security />
</System>
<EventData>
<Data Name='SubjectUserSid'>S-1-1-11-1111111111-111111111-1111111111-1111</Data>
<Data Name='SubjectUserName'>Hayabusa</Data>
<Data Name='SubjectDomainName'>DESKTOP-Hayabusa</Data>
<Data Name='SubjectLogonId'>0x11111111</Data>
</EventData>
</Event>
```
この問題に対処するため、`Data`タグの`Name`属性に指定された値をイベントキーとして利用できます。例えば、EventData の `SubjectUserName``SubjectDomainName` を条件として利用する場合、以下のように記述することが可能です。
```yaml
detection:
selection:
Channel: System
EventID: 7040
Event.EventData.SubjectUserName: Hayabusa
Event.EventData.SubjectDomainName: DESKTOP-HAYBUSA
condition: selection
```
### EventDataの例外的なパターン
`EventData` タグにネストされたいくつかのタグは `Name` 属性を持ちません。
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<EventID>5379</EventID>
<Channel>Security</Channel>
<Security />
</System>
<EventData>
<Data>Available</Data>
<Data>None</Data>
<Data>NewEngineState=Available PreviousEngineState=None SequenceNumber=9 HostName=ConsoleHost HostVersion=2.0 HostId=5cbb33bf-acf7-47cc-9242-141cd0ba9f0c EngineVersion=2.0 RunspaceId=c6e94dca-0daf-418c-860a-f751a9f2cbe1 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
```
上記のようなイベントログを検知するには、`EventData`というイベントキーを指定します。この場合、`EventData`にネストされたタグの内、値がNoneになるタグが1つ以上存在すれば、条件にマッチすることになります。
```yaml
detection:
selection:
Channel: Security
EventID: 5379
EventData: None
condition: selection
```
## パイプ
イベントキーにはパイプを指定することができます。ここまで説明した書き方では完全一致しか表現できませんでしたが、パイプを使うことでより柔軟な検知ルールを記載できるようになります。以下の例では、`EventData`の値が正規表現 `[\s\S]*EngineVersion=2.0[\s\S]*` に当てはまる場合、条件にマッチすることになります。
```yaml
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
condition: selection
```
パイプには以下のキーワードを指定できます。v1の時点で複数のパイプを連結することはできません。
* startswith: 指定された文字列で始まることをチェックします。
* endswith: 指定された文字列で終わることをチェックします。
* contains: 指定された文字列が含まれることをチェックします。
* re: 正規表現を使用します。(正規表現の書き方については https://docs.rs/regex/1.5.4/regex/ を参照してください)。
> 注意: SigmaルールとHayabusaルールは正規表現の記法に一部差異があります。そのため、HayabusaではSigmaルールを正しく検知できない場合があります。
## ワイルドカード
Hayabusaルールではワイルドカードを使用することができます。以下の例では、`ProcessCommandLine` が "malware" という文字列で始まる場合、このルールでログが検知されます。この仕様はSigmaルールのワイルドカードと同じです。
```yaml
detection:
selection:
Channel: Security
EventID: 4688
ProcessCommandLine: malware*
condition: selection
```
以下の2つのワイルドカードを使用することができます。
* `*`: 0文字以上の任意の文字列にマッチします。(内部的には`.*`という正規表現に変換されます)。
* `?`: 任意の1文字にマッチします。(内部的には`.`という正規表現に変換されます)。
ワイルドカードのエスケープについて
* ワイルドカード(`*`と`?`)はバックスラッシュでエスケープできます: `\*` と `\?`.
* ワイルドカードの直前にバックスラッシュを使用する場合、 `\\*` または `\\?` と記述してください。
* バックスラッシュを単独で使用する場合、エスケープは不要です。
## イベントキー内のキーワードのネスト
イベントキーには特定のキーワードをネストすることができます。
```yaml
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
- value: malicious-service
- regexes: ./config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
condition: selection
```
現在、指定できるキーワードは以下の通りです。
* `value`: 文字列によるマッチング (ワイルドカードやパイプも指定可能)。
* `min_length`: 指定された文字数以上の場合にマッチします。
* `regexes`: 指定されたファイルに定義された正規表現に1つ以上に一致する場合、**条件にマッチした**ものとして扱われます。
* `allowlist`: 指定されたファイルに定義された正規表現に1つ以上に一致する場合、**条件にマッチしてない**ものとして扱われます。
### regexesとallowlistキーワード
Hayabusaに`.\rules\hayabusa\default\alerts\System\7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml`のルールのために使う2つの正規表現ファイルが用意されています。
* `./config/regex/detectlist_suspicous_services.txt`: 怪しいサービス名を検知するためのものです。
* `./config/regex/allowlist_legitimate_services.txt`: 正規のサービスを許可するためのものです。
`regexes` と `allowlist` で定義されたファイルの正規表現を変更すると、それらを参照するすべてのルールの動作を一度に変更できます。
また、`regexes` と `allowlist` にはユーザーが独自で作成したファイルを指定することも可能です。
デフォルトの `./config/detectlist_suspicous_services.txt` と `./config/allowlist_legitimate_services.txt` を参考にして、独自のファイルを作成してください。
## condition

The notation described so far can express simple `AND` and `OR` logic but cannot define complex conditions. In those cases, use the `condition` keyword.

```yaml
detection:
    SELECTION_1:
        EventID: 3
    SELECTION_2:
        Initiated: 'true'
    SELECTION_3:
        DestinationPort:
            - '4444'
            - '666'
    SELECTION_4:
        Image: '*\Program Files*'
    SELECTION_5:
        DestinationIp:
            - 10.*
            - 192.168.*
            - 172.16.*
            - 127.*
    SELECTION_6:
        DestinationIsIpv6: 'false'
    condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 or (SELECTION_5 and SELECTION_6))))
```

The following expressions can be used in `condition`:
* `{expression1} and {expression2}`: matches when both {expression1} and {expression2} are true.
* `{expression1} or {expression2}`: matches when either {expression1} or {expression2} is true.
* `not {expression}`: inverts the result of {expression}.
* `( {expression} )`: evaluates the {expression} inside the parentheses first. Precedence follows the same rules as in mathematics (`not` binds tighter than `and`, which binds tighter than `or`).

The example above uses names such as `SELECTION_1` and `SELECTION_2`; names may contain the characters `a-z A-Z 0-9 _`. We recommend following the standard convention of `selection_1`, `selection_2`, `filter_1`, `filter_2`, and so on.
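An added example, not part of Hayabusa, of how a `condition` string can be parsed and evaluated with the precedence described above: a small tokenizer and recursive-descent parser, plus a deliberately simple section matcher (case-insensitive, `*`/`?` wildcards via `fnmatch`, without the escape rules) so that the page's own six-section condition can be run over constructed Sysmon network-connection events. The function names and the sample records are this example's own.

```python
import fnmatch
import re

TOKEN_RE = re.compile(r"\s*(\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z0-9_]+)")


def tokenize(condition):
    """Split a condition into '(', ')', 'and', 'or', 'not' and section names."""
    tokens, pos, text = [], 0, condition.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent; `not` binds tightest, then `and`, then `or`."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of condition")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == "(":                      # parenthesised group is evaluated first
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in ("and", "or", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return ("ref", tok)                 # reference to a named section


def parse(condition):
    parser = _Parser(tokenize(condition))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.peek()!r}")
    return node


def evaluate(node, results):
    """`results` maps each section name to whether that section matched the event."""
    kind = node[0]
    if kind == "ref":
        return results[node[1]]             # KeyError: condition names an unknown section
    if kind == "not":
        return not evaluate(node[1], results)
    if kind == "and":
        return evaluate(node[1], results) and evaluate(node[2], results)
    return evaluate(node[1], results) or evaluate(node[2], results)


def section_matches(section, event):
    """Every field must match; a list of values means any of them. Strings are compared
    case-insensitively with `*`/`?` wildcards (escape handling omitted in this example)."""
    for field, pattern in section.items():
        wanted = pattern if isinstance(pattern, list) else [pattern]
        if field not in event or not any(
                fnmatch.fnmatchcase(str(event[field]).lower(), str(p).lower()) for p in wanted):
            return False
    return True


def rule_matches(detection, event):
    """`detection` mirrors the YAML block: named sections plus the `condition` string."""
    results = {name: section_matches(sec, event)
               for name, sec in detection.items() if name != "condition"}
    return evaluate(parse(detection["condition"]), results)


# The condition example from this page, as a Python dict.
DETECTION = {
    "SELECTION_1": {"EventID": 3},
    "SELECTION_2": {"Initiated": "true"},
    "SELECTION_3": {"DestinationPort": ["4444", "666"]},
    "SELECTION_4": {"Image": "*\\Program Files*"},
    "SELECTION_5": {"DestinationIp": ["10.*", "192.168.*", "172.16.*", "127.*"]},
    "SELECTION_6": {"DestinationIsIpv6": "false"},
    "condition": "(SELECTION_1 and (SELECTION_2 and SELECTION_3) and not ((SELECTION_4 or (SELECTION_5 and SELECTION_6))))",
}

# Constructed Sysmon event ID 3 records (not real log data).
SAMPLE_SYSMON = [
    {"id": "ev1", "EventID": 3, "Initiated": "true", "DestinationPort": 4444,
     "Image": "C:\\Users\\bob\\a.exe", "DestinationIp": "203.0.113.5", "DestinationIsIpv6": "false"},
    {"id": "ev2", "EventID": 3, "Initiated": "true", "DestinationPort": 4444,
     "Image": "C:\\Users\\bob\\a.exe", "DestinationIp": "10.1.2.3", "DestinationIsIpv6": "false"},
    {"id": "ev3", "EventID": 3, "Initiated": "true", "DestinationPort": 666,
     "Image": "C:\\Program Files\\x\\y.exe", "DestinationIp": "203.0.113.5", "DestinationIsIpv6": "false"},
    {"id": "ev4", "EventID": 3, "Initiated": "true", "DestinationPort": 443,
     "Image": "C:\\Users\\bob\\a.exe", "DestinationIp": "203.0.113.5", "DestinationIsIpv6": "false"},
]


def matching_ids(events, detection=DETECTION):
    return [e["id"] for e in events if rule_matches(detection, e)]
```

Only `ev1` matches: `ev2` goes to a private address and is removed by the `not (... or (SELECTION_5 and SELECTION_6))` filter, `ev3` is filtered by the `Program Files` image path, and `ev4` fails `SELECTION_3`.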
## not logic

When writing rules, you will often add a filter to reduce false positives. An example:

```yaml
detection:
    selection:
        Channel: Security
        EventID: 4673
    filter:
        - ProcessName: C:\Windows\System32\net.exe
        - ProcessName: C:\Windows\System32\lsass.exe
        - ProcessName: C:\Windows\System32\audiodg.exe
        - ProcessName: C:\Windows\System32\svchost.exe
        - ProcessName: C:\Windows\System32\mmc.exe
        - ProcessName: C:\Windows\explorer.exe
        - ProcessName: C:\Windows\System32\SettingSyncHost.exe
        - ProcessName: C:\Windows\System32\sdiagnhost.exe
        - ProcessName|startswith: C:\Program Files
        - SubjectUserName: LOCAL SERVICE
    condition: selection and not filter
```
## aggregation condition

### Basics

The `condition` keyword described above can do more than `AND` and `OR`: it can also aggregate the matched events. To use this, append an `aggregation condition` to the condition with a pipe.
The password spray example below checks whether, within 5 minutes, more than 5 distinct `TargetUserName` values were seen from the same source `IpAddress`:

```yaml
detection:
    selection:
        Channel: Security
        EventID: 4648
    condition: selection | count(TargetUserName) by IpAddress > 5
    timeframe: 5m
```

An `aggregation condition` has the following form:
* `count() {operator} {number}`: for the log events that match the condition before the pipe, the rule matches when the number of matched logs satisfies the comparison given by `{operator}` and `{number}`.

`{operator}` is one of:
* `==`: matches when the count equals the specified value.
* `>=`: matches when the count is greater than or equal to the specified value.
* `>`: matches when the count is greater than the specified value.
* `<=`: matches when the count is less than or equal to the specified value.
* `<`: matches when the count is less than the specified value.

`{number}` must be a number.

`timeframe` is written as follows:
* `15s`: 15 seconds
* `30m`: 30 minutes
* `12h`: 12 hours
* `7d`: 7 days
* `3M`: 3 months

### The four count patterns

1. No argument to count and no `by` keyword. Example: `selection | count() > 10`
> The rule fires when more than 10 logs match `selection`.
2. No argument to count, but a `by` keyword. Example: `selection | count() by date > 10`
> Checks, for each date, whether more than 10 logs match `selection`.
3. An argument to count, but no `by` keyword. Example: `selection | count(TargetUserName) > 10`
> The rule fires when more than 10 distinct `TargetUserName` values appear in the logs matching `selection`.
4. Both an argument to count and a `by` keyword. Example: `selection | count(TargetUserName) by date > 10`
> Checks, for each date, whether more than 10 distinct `TargetUserName` values appear in the logs matching `selection`.
### Pattern 1 example

This is the most basic pattern: `count() {operator} {number}`. The rule below fires when three or more logs match `selection`.
![](CountRulePattern-1-JP.png)

### Pattern 2 example

`count() by {eventkey} {operator} {number}`: the logs matching `selection` are **grouped by identical `{eventkey}` value**. The rule fires for each group in which the number of matched events satisfies the comparison given by `{operator}` and `{number}`.
![](CountRulePattern-2-JP.png)

### Pattern 3 example

`count({eventkey}) {operator} {number}`: counts the number of **distinct** `{eventkey}` values among the logs matching `selection`. The rule fires when that count satisfies the comparison given by `{operator}` and `{number}`.
![](CountRulePattern-3-JP.png)

### Pattern 4 example

`count({eventkey_1}) by {eventkey_2} {operator} {number}`: the logs matching `selection` are **grouped by identical `{eventkey_2}` value**, and within each group the number of **distinct** `{eventkey_1}` values is counted. The rule fires for each group whose count satisfies the comparison given by `{operator}` and `{number}`.
![](CountRulePattern-4-JP.png)

### Output of count rules

The Details output of a count rule is fixed: the count condition is printed under `[condition]` and the recorded event keys under `[result]`.
In the example below, the list of brute-forced `TargetUserName` user names and the source `IpAddress` are printed:

```
[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:jorchilles/jlake/cspizor/lpesce/bgalbraith/jkulikowski/baker/eskoudis/dpendolino/sarmstrong/lschifano/drook/rbowes/ebooth/melliott/econrad/sanson/dmashburn/bking/mdouglas/cragoso/psmith/bhostetler/zmathis/thessman/kperryman/cmoody/cdavis/cfleener/gsalinas/wstrzelec/jwright/edygert/ssims/jleytevidal/celgee/Administrator/mtoussain/smisenar/tbennett/bgreenwood IpAddress:10.10.2.22 timeframe:5m
```

The alert timestamp shows the time of the first event detected within the timeframe.
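The following is an added example, not Hayabusa's implementation, that runs the four count patterns and the timeframe syntax described above over constructed 4648 events and formats Details in the `[condition] ... [result]` shape shown. It assumes a sliding window that starts at each matched event, fires at most once per group per window, resolves `M` as a 30-day month, and receives events to which the selection before the pipe has already been applied; the real engine's windowing may differ. The function names and sample data are this example's own.

```python
import re
from datetime import datetime, timedelta

AGG_RE = re.compile(
    r"^\s*(?P<sel>\w+)\s*\|\s*count\(\s*(?P<arg>\w*)\s*\)"
    r"\s*(?:by\s+(?P<by>\w+))?\s*(?P<op>==|>=|<=|>|<)\s*(?P<num>\d+)\s*$")
TF_RE = re.compile(r"^(?P<n>\d+)(?P<u>[smhdM])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "M": 30 * 86400}  # M = 30 days (assumption)
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}


def parse_condition(cond):
    """Split `selection | count(arg) by key op number` into its parts."""
    m = AGG_RE.match(cond)
    if not m:
        raise ValueError(f"not an aggregation condition: {cond!r}")
    return {"selection": m["sel"], "arg": m["arg"] or None, "by": m["by"],
            "op": m["op"], "num": int(m["num"])}


def parse_timeframe(tf):
    m = TF_RE.match(tf)
    if not m:
        raise ValueError(f"bad timeframe {tf!r}")
    return timedelta(seconds=int(m["n"]) * UNIT_SECONDS[m["u"]])


def aggregate(events, cond, timeframe):
    """`events` have already matched the selection before the pipe and carry a 'timestamp'.
    Returns one alert per group and window that satisfies the comparison."""
    spec, window = parse_condition(cond), parse_timeframe(timeframe)
    groups = {}                                   # pattern 1/3: a single group keyed None
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = ev.get(spec["by"], "-") if spec["by"] else None
        groups.setdefault(key, []).append(ev)
    alerts = []
    for key, evs in groups.items():
        i = 0
        while i < len(evs):
            start = evs[i]["timestamp"]
            in_window = [e for e in evs[i:] if e["timestamp"] - start <= window]
            if spec["arg"]:                       # count distinct values of the argument
                values = sorted({str(e.get(spec["arg"], "-")) for e in in_window})
                count = len(values)
            else:                                 # count matched events
                values, count = [], len(in_window)
            if OPS[spec["op"]](count, spec["num"]):
                alerts.append({"timestamp": start, "group": key, "count": count, "values": values})
                i += len(in_window)               # do not re-alert on the same window
            else:
                i += 1
    return alerts


def format_details(cond, timeframe, alert):
    """Approximates the fixed Details line shown on the page."""
    spec = parse_condition(cond)
    parts = [f"count:{alert['count']}"]
    if spec["arg"]:
        parts.append(f"{spec['arg']}:{'/'.join(alert['values'])}")
    if spec["by"]:
        parts.append(f"{spec['by']}:{alert['group']}")
    parts.append(f"timeframe:{timeframe}")
    return f"[condition] {cond.split('|', 1)[1].strip()} in timeframe [result] " + " ".join(parts)


# Constructed 4648 events (not real log data).
T0 = datetime(2022, 3, 1, 9, 0, 0)


def _ev(offset_s, ip, user):
    return {"Channel": "Security", "EventID": 4648, "timestamp": T0 + timedelta(seconds=offset_s),
            "IpAddress": ip, "TargetUserName": user}


SAMPLE_4648 = (
    [_ev(10 * i, "10.10.2.22", f"user{i}") for i in range(6)]           # spray: 6 users, one source
    + [_ev(60 + 10 * i, "10.10.2.50", "svc_backup") for i in range(6)]  # one user, repeated
    + [_ev(2 * 3600, "10.10.2.22", "user0")]                             # outside the 5m window
)
```

Against `SAMPLE_4648`, `count(TargetUserName) by IpAddress >= 5` fires only for `10.10.2.22` (six distinct users), while `count() by IpAddress >= 5` fires for both sources; the event two hours later is never counted with the first twelve.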
# Rule-writing advice

1. **Always specify `Channel` and `EventID` when possible.** Filtering by channel name and event ID may be added in the future, and rules without a suitable `Channel` and `EventID` may then be ignored.
2. **Do not use multiple `selection` and `filter` sections when they are not needed.**

### Bad example:

```yaml
detection:
    SELECTION_1:
        Channel: Security
    SELECTION_2:
        EventID: 4625
    SELECTION_3:
        LogonType: 3
    FILTER_1:
        SubStatus: "0xc0000064"
    FILTER_2:
        SubStatus: "0xc000006a"
    condition: SELECTION_1 and SELECTION_2 and SELECTION_3 and not (FILTER_1 or FILTER_2)
```

### Good example:

```yaml
detection:
    selection:
        Channel: Security
        EventID: 4625
        LogonType: 3
    filter:
        - SubStatus: "0xc0000064" #Non-existent user
        - SubStatus: "0xc000006a" #Wrong password
    condition: selection and not filter
```

3. **When multiple sections are needed, put the channel name and event ID in a first section named `selection_basic_info`, and give the other sections meaningful names prefixed with `selection_` and `filter_`, or use the `selection_1`, `filter_1` style. Explain anything that is not obvious in a comment.**
### Bad example:

```yaml
detection:
    Takoyaki:
        Channel: Security
        EventID: 4648
    Naruto:
        TargetUserName|endswith: "$"
        IpAddress: "-"
    Sushi:
        SubjectUserName|endswith: "$"
        TargetUserName|endswith: "$"
        TargetInfo|endswith: "$"
    Godzilla:
        SubjectUserName|endswith: "$"
    Ninja:
        TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$"
        IpAddress: "-"
    Daisuki:
        - ProcessName|endswith: "powershell.exe"
        - ProcessName|endswith: "WMIC.exe"
    condition: Takoyaki and Daisuki and not (Naruto and not Godzilla) and not Ninja and not Sushi
```

### Acceptable example:

```yaml
detection:
    selection_1:
        Channel: Security
        EventID: 4648
    selection_2:
        TargetUserName|endswith: "$"
        IpAddress: "-"
    filter_1: #Filter system noise
        SubjectUserName|endswith: "$"
        TargetUserName|endswith: "$"
        TargetInfo|endswith: "$"
    filter_2:
        SubjectUserName|endswith: "$"
    filter_3:
        TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
        IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
    selection_4:
        - ProcessName|endswith: "powershell.exe"
        - ProcessName|endswith: "WMIC.exe"
    condition: selection_1 and selection_4 and not (selection_2 and not filter_2) and not filter_3 and not filter_1
```

### Good example:

```yaml
detection:
    selection_basic_info:
        Channel: Security
        EventID: 4648
    selection_TargetUserIsComputerAccount:
        TargetUserName|endswith: "$"
        IpAddress: "-"
    filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
        SubjectUserName|endswith: "$"
        TargetUserName|endswith: "$"
        TargetInfo|endswith: "$"
    filter_SubjectUserIsComputerAccount:
        SubjectUserName|endswith: "$"
    filter_SystemAccounts:
        TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
        IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
    selection_SuspiciousProcess:
        - ProcessName|endswith: "powershell.exe"
        - ProcessName|endswith: "WMIC.exe"
    condition: selection_basic_info and selection_SuspiciousProcess and not (selection_TargetUserIsComputerAccount
        and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts and not filter_UsersAndTargetServerAreComputerAccounts
```
# Automatic conversion from Sigma rules to the Hayabusa rule format

We created a [tool](https://github.com/Yamato-Security/hayabusa/tree/main/tools/sigmac) that automatically converts Sigma rules to the Hayabusa rule format.
See its [Readme](https://github.com/Yamato-Security/hayabusa/blob/main/tools/sigmac/README-Japanese.md) for usage.

rules Submodule
Submodule rules added at 6d9781e349

View File

@@ -1,2 +0,0 @@
# hayabusa-rules
Detection rules for hayabusa

View File

@@ -1,29 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: Security log was cleared
title_jp: セキュリティログがクリアされた
details: "User: %LogFileClearedSubjectUserName%"
details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the Security event log.
description_jp: 誰かがセキュリティログをクリアした。
id: c2f690ac-53f8-4745-8cfe-7127dda28c74
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 1102
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
date: 2021/12/20
modified: 2021/12/22
title: Password Guessing Attack
title_jp: パスワード推測攻撃
details: '' #Cannot be used because this is a count rule
details_jp: ''
description: Search for many 4625 wrong password failed logon attempts in a short period of time.
description_jp:
id: 35e8a0fc-60c2-46d7-ba39-aafb15b9854e
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a" #Wrong password
condition: selection | count() by IpAddress >= 5
timeframe: 5m
falsepositives:
- User mistyping password
tags:
- attack.t1110.003
- attack.credential_access
references: https://attack.mitre.org/techniques/T1110/003/
sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
logsource: default
ruletype: Hayabusa
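Review bot: `references:` is a bare scalar here (`references: https://attack.mitre.org/techniques/T1110/003/`) while the other rules in this set write it as a list (`references:` followed by `- https://...`), and `sample-evtx` points at `./hayabusa-sample-evtx/` where the sibling rules use `./sample-evtx/`. Since this file now lives in the hayabusa-rules submodule, make sure the copy there normalises both so that tooling expecting a list does not choke.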

View File

@@ -1,29 +0,0 @@
author: Zach Mathis
date: 2021/12/20
modified: 2021/12/22
title: User Guessing Attempt
title_jp: ユーザ名推測の試行
details: '' #Cannot be used because this is a count rule
details_jp: ''
description: Search for many 4625 failed logon attempts due to wrong usernames in a short period of time.
description_jp:
id: 4574194d-e7ca-4356-a95c-21b753a1787e
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064" #Username does not exist
condition: selection | count() by IpAddress >= 5
timeframe: 5m
falsepositives:
tags:
- attack.t1110.003
- attack.credential_access
references: https://attack.mitre.org/techniques/T1110/003/
sample-evtx: ./hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
logsource: default
ruletype: Hayabusa
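Review bot: `falsepositives:` and `description_jp:` are left empty, and `references:` is again a scalar rather than a list as in the rules above; fill in the false-positive cases (mistyped usernames, scanners against SMB/SSH) in the submodule copy, since the `sample-evtx` name itself mentions an OpenSSH brute force with a non-existent user.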

View File

@@ -1,29 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/12/22
title: Logon Failure - Unknown Reason
title_jp: ログオンに失敗 - 不明な理由
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: a85096da-be85-48d7-8ad5-2f957cd74daa
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
filter:
- SubStatus: "0xc0000064" #Non-existent user
- SubStatus: "0xc000006a" #Wrong password
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Wrong Password
title_jp: ログオンに失敗 - パスワードが間違っている
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints logon information.
description_jp: Prints logon information.
id: e87bd730-df45-4ae9-85de-6c75369c5d29
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc000006a"
condition: selection
falsepositives:
- user mistypes password
tags:
references:
sample-evtx: ./sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Failure - Username does not exist
title_jp: ログオンに失敗 - ユーザ名は存在しない
details: 'User: %TargetUserName% : Type: %LogonType% : Workstation: %WorkstationName% : IP Address: %IpAddress% : AuthPackage: %AuthenticationPackageName%'
details_jp: 'ユーザ: %TargetUserName% : タイプ: %LogonType% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : 認証パッケージ: %AuthenticationPackageName%'
description: Prints failed logons
description_jp: ログオンに失敗したイベントを出力する
id: 8afa97ce-a217-4f7c-aced-3e320a57756d
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4625
SubStatus: "0xc0000064"
condition: selection
falsepositives:
- user mistypes username
tags:
references:
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,28 +0,0 @@
author: Zach Mathis
date: 2021/12/20
modified: 2021/12/20
title: Password Spray
title_jp: パスワードスプレー攻撃
details: '' #Cannot be used because this is a count rule
details_jp: ''
description: Search for many 4648 explicit credential logon attempts in a short period of time.
description_jp:
id: ffd622af-d049-449f-af5a-0492fdcc3a58
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4648
condition: selection | count(TargetUserName) by IpAddress >= 5
timeframe: 5m
falsepositives:
tags:
- attack.t1110.003
- attack.credential_access
references: https://attack.mitre.org/techniques/T1110/003/
sample-evtx: ./hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,45 +0,0 @@
author: Zach Mathis
date: 2021/12/17
modified: 2021/12/17
title: "Explicit Logon: Suspicious Process"
title_jp: "不審なプロセスからの明示的なログオン"
details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
description: Alter on explicit credential logons with suspicous processes like powershell and wmic which are often abused by malware like Cobalt Strike.
description_jp:
id: 7616e857-8e41-4976-bc21-811d122b9fc9
level: medium
status: stable
detection:
selection_basic_info:
Channel: Security
EventID: 4648
selection_TargetUserIsComputerAccount:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_SubjectUserIsComputerAccount:
SubjectUserName|endswith: "$"
filter_SystemAccounts:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
selection_SuspiciousProcess:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
condition: selection_basic_info and selection_SuspiciousProcess and not (selection_TargetUserIsComputerAccount
and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts and not filter_UsersAndTargetServerAreComputerAccounts
falsepositives:
- normal system usage
tags:
- attack.privilege_escalation
- attack.lateral_movement
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
logsource: default
ruletype: Hayabusa
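Review bot: the `description` reads "Alter on explicit credential logons with suspicous processes"; it should read "Alert on ... suspicious ...", and `description_jp:` is empty while `title_jp` and `details_jp` are filled in. Worth fixing in the hayabusa-rules copy, since this text is what analysts see in the output.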

View File

@@ -1,49 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/12/22
title: Unknown process used a high privilege
title_jp: 不明なプロセスが高い権限を使った
details: 'Process: %ProcessName% : User: %SubjectUserName% : LogonID: %SubjectLogonId%'
details_jp: 'プロセス名: %ProcessName% : ユーザ名: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: |
Malware may generate a 4673 event (A privileged service was called) when dumping hashes or wiping disk.
For example, mimikatz will generate 4 logs using SeTcbPrivilege (Act as part of the OS.)
Disk wipers like bcwipe will also generate this.
More legitimate filepaths may have to be added to the filter.
This is marked as a medium alert as there is a high possibility for false positives.
description_jp:
id: 5b6e58ee-c231-4a54-9eee-af2577802e08
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4673
filter:
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\System32\lsass.exe
- ProcessName: C:\Windows\System32\audiodg.exe
- ProcessName: C:\Windows\System32\svchost.exe
- ProcessName: C:\Windows\System32\mmc.exe
- ProcessName: C:\Windows\System32\net.exe
- ProcessName: C:\Windows\explorer.exe
- ProcessName: C:\Windows\System32\SettingSyncHost.exe
- ProcessName: C:\Windows\System32\sdiagnhost.exe
- ProcessName|startswith: C:\Program Files
- SubjectUserName: LOCAL SERVICE
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.credential_access
- attack.t1003.001
- attack.t1561
- attack.impact
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
sample-evtx: ./sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
logsource: default
ruletype: Hayabusa
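Review bot: `- ProcessName: C:\Windows\System32\net.exe` appears twice in `filter` (once at the top and again after `mmc.exe`). The duplicate is harmless but suggests the list was not reviewed, and filtering on `ProcessName` alone means anything dropped into a filtered path, or installed under `C:\Program Files` via the `|startswith` entry, escapes the rule; the `description` already admits this, so at least drop the duplicate in the submodule copy.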

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
uodated_date: 2021/12/22
title: Hidden user account created! (Possible Backdoor)
title_jp: 隠しユーザアカウントが作成された!(バックドアの可能性あり)
details: 'User: %TargetUserName% : SID: %TargetSid%'
details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
description: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
description_jp: A computer account (an account that ends with a $) was created. These accounts are not displayed by default so will be hidden.
id: 70b8b1bd-c107-4b1a-8b1e-5b0f9f57930a
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4720
TargetUserName|endswith: "$" #Any user account that ends with a $ will be treated as a machine account and be hidden by default.
condition: selection
falsepositives:
- machine/computer accounts being created
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
logsource: default
ruletype: Hayabusa
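Review bot: the metadata keys here are `creation_date` / `uodated_date` (a typo) whereas the rules above use `date` / `modified`, and the tag `attack.11136.001` does not match the technique in `references` (T1136.001); it should be `attack.t1136.001`. Both need correcting in the hayabusa-rules copy, otherwise the MITRE ATT&CK tactic output this release adds will carry a bogus tag for this rule.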

View File

@@ -1,31 +0,0 @@
author: Eric Conrad, Yamato Security
creation_date: 2020/11/08
uodated_date: 2021/12/22
title: Local user account created
title_jp: ローカルユーザアカウントが作成された
details: 'User: %TargetUserName% : SID: %TargetSid%'
details_jp: 'ユーザ名: %TargetUserName% : SID: %TargetSid%'
description: A local user account was created.
description_jp: ローカルユーザアカウントが作成された.
id: 13edce80-2b02-4469-8de4-a3e37271dcdb
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4720
filter:
TargetUserName|endswith: "$" #Filter out machine/computer accounts
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.11136.001
references:
- https://attack.mitre.org/techniques/T1136/001/
sample-evtx: ./sample-evtx/DeepBlueCLI/new-user-security.evtx
logsource: default
ruletype: Hayabusa
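Review bot: same two problems as the previous rule: the `uodated_date` typo and the tag `attack.11136.001`, which should be `attack.t1136.001` to match the T1136.001 reference.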

View File

@@ -1,30 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/12/22
title: User added to local Domain Admins group
title_jp: ユーザがローカルドメイン管理者グループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to the local Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: bc58e432-959f-464d-812e-d60ce5d46fa1
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
logsource: default
ruletype: Hayabusa
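Review bot: the title says "local Domain Admins group" but the selection is `EventID: 4728`, which is the security-enabled global group event (4732 is the local group event), and the `references` URL points at `eventid=4732` rather than 4728. The rule further down titled "User added to the global Domain Admins group" selects exactly the same `Channel` / `EventID: 4728` / `TargetUserName: Domain Admins` with only an extra `SubjectUserName|endswith: $` filter, so every hit on that rule is also a hit here; consider keeping only one of the two in the submodule.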

View File

@@ -1,33 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/12/22
title: User added to local security group
title_jp: ユーザがローカルセキュリティグループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to a security-enabled local group.
description_jp: ユーザがローカルセキュリティグループに追加された。
id: 2f04e44e-1c79-4343-b4ab-ba670ee10aa0
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
- TargetUserName: Administrators
- TargetUserName: None
- TargetUserName: Domain Admins
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa
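Review bot: as with the previous rule, the title says "local security group" while `EventID: 4728` is the global-group event and the reference URL points at 4732; fix the title and reference in the hayabusa-rules copy. A comment on why `TargetUserName: None` is excluded alongside `Administrators` and `Domain Admins` would also help the next reader.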

View File

@@ -1,32 +0,0 @@
author: Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/12/22
title: User added to the global Domain Admins group
title_jp: ユーザがグローバルドメイン管理者グループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to the Domain Admins group.
description_jp: ユーザがドメイン管理者グループに追加された。
id: 4bb89c86-a138-42a0-baaf-fc2f777a4506
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4728
TargetUserName: Domain Admins
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,31 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/12/22
title: User added to global security group
title_jp: ユーザがグローバルセキュリティグループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to a security-enabled global group. Global means the group can be granted access in any trusting domain but may only have members from its own domain. Subjet user is the user that performed the action.
description_jp: ユーザがグローバルのセキュリティグループに追加された。
id: 0db443ba-561c-4a04-b349-d74ce1c5fc8b
level: medium
status: stable
detection:
selection:
Channel: Security
EventID: 4728
filter:
SubjectUserName|endswith: $
condition: selection and not filter
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,30 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/12/22
title: User added to local Administrators group
title_jp: ユーザがローカル管理者グループに追加された
details: 'User: %SubjectUserName% : Group: %TargetUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : グループ名: %TargetUserName% : ログオンID: %SubjectLogonId%'
description: A user was added to the local Administrators group.
description_jp: ユーザがローカル管理者グループに追加された。
id: 611e2e76-a28f-4255-812c-eb8836b2f5bb
level: high
status: stable
detection:
selection:
Channel: Security
EventID: 4732
TargetUserName: Administrators
condition: selection
falsepositives:
- system administrator
tags:
- attack.persistence
- attack.t1098
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
sample-evtx: ./sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
logsource: default
ruletype: Hayabusa

View File

@@ -1,31 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/11/26
title: Possible AS-REP Roasting
title_jp: AS-REPロースティングの可能性
details: 'Possible AS-REP Roasting'
details_jp: 'AS-REPロースティングのリスクがある'
description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
description_jp: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
id: dee2a01e-5d7c-45b4-aec3-ad9722f2165a
level: medium
status: testing
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 0 #Logon without pre-authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.004
references:
- https://attack.mitre.org/techniques/T1558/004/
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,31 +0,0 @@
author: Yusuke Matsui, Yamato Security
creation_date: 2020/11/08
updated_date: 2021/12/22
title: Kerberoasting
title_jp: Kerberoast攻撃
details: 'Possible Kerberoasting Risk Activity.'
details_jp: 'Kerberoast攻撃のリスクがある'
description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
description_jp: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
id: f19849e7-b5ba-404b-a731-9b624d7f6d19
level: medium
status: testing
detection:
selection:
Channel: Security
EventID: 4768
TicketEncryptionType: '0x17' #RC4-HMAC
PreAuthType: 2 #Standard password authentication
condition: selection
falsepositives:
- legacy application
tags:
- attack.credential_access
- attack.t1558.003
references:
- https://attack.mitre.org/techniques/T1558/003/
sample-evtx:
logsource: default
ruletype: Hayabusa
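Review bot: the `description` talks about obtaining a ticket-granting service (TGS) ticket, but the selection is `EventID: 4768` (TGT request), the same event the AS-REP Roasting rule above uses; the only difference between the two rules is `PreAuthType: 2` versus `0`. With 4768 this fires on every RC4 TGT request from an account that did pre-authenticate, which is normal for legacy clients and is not Kerberoasting. The service-ticket request is event 4769, so the submodule copy should probably select 4769 with `TicketEncryptionType: '0x17'` instead.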

View File

@@ -1,28 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/25
title: System log file was cleared
title_jp: システムログがクリアされた
details: "User: %LogFileClearedSubjectUserName%"
details_jp: "ユーザ: %LogFileClearedSubjectUserName%"
description: Somebody has cleared the System event log.
description_jp: 誰かがシステムログをクリアした。
id: f481a1f3-969e-4187-b3a5-b47c272bfebd
level: high
status: stable
detection:
selection:
Channel: System
EventID: 104
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1070.001
references:
- https://attack.mitre.org/techniques/T1070/001/
logsource: default
ruletype: Hayabusa

View File

@@ -1,28 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/22
title: Event log service startup type changed to disabled
title_jp: イベントログサービスのスタートアップの種類が無効に変更された
details: 'Old setting: %param2% : New setting: %param3%'
details_jp: '設定前: %param2% : 設定後: %param3%'
id: ab3507cf-5231-4af6-ab1d-5d3b3ad467b5
level: medium
status: test
detection:
selection:
Channel: System
EventID: 7040
param1: 'Windows Event Log'
param3: "disabled"
condition: selection
falsepositives:
- system administrator
tags:
- attack.defense_evasion
- attack.t1562.002
references:
- https://attack.mitre.org/techniques/T1562/002/
logsource: default
ruletype: Hayabusa
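Review bot: this rule has no `description` / `description_jp` keys while every other rule in this set carries them, and `status: test` is used here where the others use `stable` or `testing`; settle on one status vocabulary in the hayabusa-rules copy so that filtering by status behaves consistently.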

View File

@@ -1,33 +0,0 @@
author: Eric Conrad, Zach Mathis
creation_date: 2020/11/08
updated_date: 2021/11/23
title: Malicious service installed
title_jp: 悪意のあるサービスがインストールされた
details: 'Service: %ServiceName% : Path: %ImagePath%'
details_jp: 'サービス: %ServiceName% : パス: %ImagePath%'
description: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
description_jp: Malicious service was installed based on suspicious entries in ./config/regex/regexes_suspicous_service.txt
id: dbbfd9f3-9508-478b-887e-03ddb9236909
level: high
status: test
detection:
selection:
Channel: System
EventID: 7045
ServiceName:
regexes: ./config/regex/detectlist_suspicous_services.txt
ImagePath:
min_length: 1000
allowlist: ./config/regex/allowlist_legitimate_services.txt
condition: selection
falsepositives:
- normal system usage
tags:
- attack.persistence
- attack.t1543.003
references:
- https://attack.mitre.org/techniques/T1543/003/
logsource: default
ruletype: Hayabusa
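Review bot: `description` says the rule is based on `./config/regex/regexes_suspicous_service.txt`, but the detection actually reads `./config/regex/detectlist_suspicous_services.txt` (and `./config/regex/allowlist_legitimate_services.txt`), which are also the names documented in the README. Update the description in the submodule copy so that users editing the regex list open the right file; `status: test` should also become `testing` like the other rules.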

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2021/12/01
modified: 2021/12/01
title: Windows Defender Alert
title_jp: Windows Defenderアラート
details: 'Threat: %ThreatName% : Severity: %SeverityName% : Type: %CategoryName% : User: %DetectionUser% : Path: %Path% : Process: %WindowsDefenderProcessName%'
details_jp: '脅威: %ThreatName% : 深刻度: %SeverityName% : 種類: %CategoryName% : ユーザ: %DetectionUser% : パス: %Path% : プロセス: %WindowsDefenderProcessName%'
description: Windows defender malware detection
description_jp: Windows defenderのマルウェア検知
id: 810bfd3a-9fb3-44e0-9016-8cdf785fddbf
level: high
status: test
detection:
selection:
Channel: Microsoft-Windows-Windows Defender/Operational
EventID: 1116
falsepositives:
- bad signature
tags:
- malware
references:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
logsource: default
ruletype: Hayabusa
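Review bot: the `detection` block has a `selection` but no `condition: selection` line, unlike every other rule in this set; depending on how strictly the loader validates, the rule is either rejected or never fires. Add `condition: selection` in the hayabusa-rules copy.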

View File

@@ -1,31 +0,0 @@
author: Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Bits Job Creation
title_jp: Bits Jobの作成
details: 'Job Title: %JobTitle% : URL: %Url%'
details_jp: 'Job名: %JobTitle% : URL: %Url%'
description: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
description_jp: Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
id: 18e6fa4a-353d-42b6-975c-bb05dbf4a004
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-Bits-Client/Operational
EventID: 59
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
- lolbas
references:
- https://attack.mitre.org/techniques/T1197/
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 0 - System
title_jp: ログオンタイプ 0 - System
details: 'Bootup'
details_jp: 'システム起動'
description: Prints logon information
description_jp: Prints logon information
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 0
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 10 - RDP (Remote Interactive)
title_jp: ログオンタイプ 10 - RDP (リモートインタラクティブ)
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: a4e05f05-ff88-48b9-8524-a88c1c32fe19
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 10
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 11 - CachedInteractive
title_jp: ログオンタイプ 11 - キャッシュされたインタラクティブ
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: fbbe9d3f-ed1f-49a9-9446-726e349f5fba
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 11
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 12 - CachedRemoteInteractive
title_jp: ログオンタイプ 12 - キャッシュされたリモートインタラクティブ
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: f4b46dd3-63d6-4c75-a54c-9f6bd095cd6f
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 12
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 13 - CachedUnlock
title_jp: ログオンタイプ 13 - キャッシュされたアンロック
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: e50e3952-06d9-44a8-ab07-7a41c9801d78
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 13
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 2 - Interactive
title_jp: ログオンタイプ 2 - インタラクティブ
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information
description_jp: Prints logon information
id: 7beb4832-f357-47a4-afd8-803d69a5c85c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 2
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,31 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 3 - Network
title_jp: ログオンタイプ 3 - ネットワーク
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: c7b22878-e5d8-4c30-b245-e51fd354359e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 3
filter:
- IpAddress: "-"
- IpAddress: "127.0.0.1"
- IpAddress: "::1"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 4 - Batch
title_jp: ログオンタイプ 4 - バッチ
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 8ad8b25f-6052-4cfd-9a50-717cb514af13
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 4
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
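Review bot: the Logon Type 4 - Batch rule's detection ends at `LogonType: 4` with no `condition:` line, which is why its hunk header counts 26 lines where the sibling Logon Type 2/7/9 rules count 27 and end with `condition: selection`. Confirm the copy retained in the rules submodule has the condition added so the batch-logon rule evaluates the same way as its siblings.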

View File

@@ -1,31 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 5 - Service
title_jp: ログオンタイプ 5 - サービス
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: 408e1304-51d7-4d3e-ab31-afd07192400b
level: low
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 5
filter:
- TargetUserName: "SYSTEM"
- TargetUserName: "NETWORK SERVICE"
- TargetUserName: "LOCAL SERVICE"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 7 - Unlock
title_jp: ログオンタイプ 7 - アンロック
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
description: Prints logon information
description_jp: Prints logon information
id: b61bfa39-48ec-4bdf-9d4e-e7205f49acd2
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 7
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 8 - NetworkCleartext
title_jp: ログオンタイプ 8 - ネットワーク平文
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId%'
description: Prints logon information. Despite the naming NetworkCleartext, the password is not unhashed. It is usually for IIS Basic Authentication.
description_jp: Prints logon information
id: 7ff51227-6a10-49e6-a58b-b9f4ac32b138
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 8
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
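Review bot: `description_jp: Prints logon information` on the Logon Type 8 - NetworkCleartext rule drops the caveat carried by the English description (that despite the name the password is not sent unhashed, and that this type is usually IIS Basic Authentication). That caveat is exactly what an analyst needs when the type 8 name shows up, so the Japanese copy in the submodule should carry it as well.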

View File

@@ -1,27 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logon Type 9 - NewCredentials
title_jp: ログオンタイプ 9 - 新しい資格情報
details: 'User: %TargetUserName% : Workstation: %WorkstationName% : IP Address: %IpAddress% : LogonID: %TargetLogonId% : (Warning: Credentials are stored in memory)'
details_jp: 'ユーザ: %TargetUserName% : 端末: %WorkstationName% : IPアドレス: %IpAddress% : ログオンID: %TargetLogonId% : (注意: 資格情報がメモリに格納される)'
description: Prints logon information.
description_jp: Prints logon information.
id: d80facaa-ca97-47bb-aed2-66362416eb49
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4624
LogonType: 9
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,28 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff
title_jp: ログオフ
details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 7309e070-56b9-408b-a2f4-f1840f8f1ebf
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4634
filter:
TargetUserName|endswith: "$" #filter out computer/machine accounts
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Logoff - User Initiated
title_jp: ログオフ - ユーザが行った
details: 'User: %TargetUserName% : LogonID: %TargetLogonId%'
details_jp: 'ユーザ: %TargetUserName% : ログオンID: %TargetLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: 6bad16f1-02c4-4075-b414-3cd16944bc65
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4647
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,54 +0,0 @@
author: Zach Mathis
date: 2021/12/17
modified: 2021/12/17
title: Explicit Logon
title_jp: 明示的なログオン
details: 'Source User: %SubjectUserName% : Target User: %TargetUserName% : IP Address: %IpAddress% : Process: %ProcessName% : Target Server: %TargetInfo%'
details_jp: 'ソースユーザ: %SubjectUserName% : ターゲットユーザ: %TargetUserName% : IPアドレス: %IpAddress% : プロセス: %ProcessName% : ターゲットサーバ: %TargetInfo%'
description: |
(From ultimatewindowsecurity.com)
This log is generated when
1. A user connects to a server or runs a program locally using alternate credentials.
For instance a user maps a drive to a server but specifies a different user's credentials or opens a shortcut under RunAs by shift-control-right-clicking on the shortcut,
selecting Run as..., and then filling in a different user's credentials in the dialog box that appears. Or a user logs on to a web site using new specific credentials.
2. When a process logs on as a different account such as when the Scheduled Tasks service starts a task as the specified user.
3. With User Account Control enabled, an end user runs a program requiring admin authority. You will get this event where the process information is consent.exe.
Unfortunately the Subject does not identify the end user.
4. Logging on interactively to a server with a domain account. (Two 4624 events will also be generated.)
description_jp:
id: 8c1899fe-493d-4faf-aae1-0853a33a3278
level: informational
status: stable
detection:
selection_basic_info:
Channel: Security
EventID: 4648
selection_TargetUserIsComputerAccount:
TargetUserName|endswith: "$"
IpAddress: "-"
filter_SuspiciousProcess:
- ProcessName|endswith: "powershell.exe"
- ProcessName|endswith: "WMIC.exe"
filter_UsersAndTargetServerAreComputerAccounts: #Filter system noise
SubjectUserName|endswith: "$"
TargetUserName|endswith: "$"
TargetInfo|endswith: "$"
filter_SubjectUserIsComputerAccount:
SubjectUserName|endswith: "$"
filter_SystemAccounts:
TargetUserName|re: "(DWM|UMFD)-([0-9]|1[0-2])$" #Filter out default Desktop Windows Manager and User Mode Driver Framework accounts
IpAddress: "-" #Don't filter if the IP address is remote to catch attackers who created backdoor accounts that look like DWM-12, etc..
condition: selection_basic_info and not (selection_TargetUserIsComputerAccount and not filter_SubjectUserIsComputerAccount) and not filter_SystemAccounts
and not filter_UsersAndTargetServerAreComputerAccounts and not filter_SuspiciousProcess
falsepositives:
- normal system usage
tags:
- attack.privilege_escalation
- attack.lateral_movement
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
sample-evtx: ./EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
logsource: default
ruletype: Hayabusa
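Review bot: in the Explicit Logon rule's condition (`... and not filter_SuspiciousProcess`), the selection named `filter_SuspiciousProcess` (ProcessName ending in powershell.exe or WMIC.exe) is negated, so 4648 events whose originating process is PowerShell or WMIC are suppressed by this informational rule rather than surfaced. If that is intentional because a higher-severity rule covers those processes, a comment next to the filter saying so would help the next reader; otherwise the name suggests these events should be kept, not dropped. The `filter_SystemAccounts` block already shows the useful pattern of explaining its IpAddress check inline.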

View File

@@ -1,31 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Admin Logon
title_jp: 管理者ログオン
details: 'User: %SubjectUserName% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : ログオンID: %SubjectLogonId%'
description: Prints logon information.
description_jp: Prints logon information.
id: fdd0b325-8b89-469c-8b0c-e5ddfe39b62e
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4672
filter:
- SubjectUserName: "SYSTEM"
- SubjectUserName: "LOCAL SERVICE"
- SubjectUserName: "NETWORK SERVICE"
- SubjectUserName|endswith: "$"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos TGT was requested
title_jp: Kerberos TGTが要求された
details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status% : PreAuthType: %PreAuthType%'
details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status% : 事前認証タイプ: %PreAuthType%'
description: Prints logon information.
description_jp: Prints logon information.
id: d9f336ea-bb16-4a35-8a9c-183216b8d59c
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4768
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Kerberos Service Ticket Requested
title_jp: Kerberosサービスチケットが要求された
details: 'User: %TargetUserName% : Service: %ServiceName% : IP Address: %IpAddress% : Status: %Status%'
details_jp: 'ユーザ: %TargetUserName% : サービス: %ServiceName% : IPアドレス: %IpAddress% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: da6257f3-cf49-464a-96fc-c84a7ce20636
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4769
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: NTLM Logon to Local Account
title_jp: ローカルアカウントへのNTLMログオン
details: 'User: %TargetUserName% : Workstation %Workstation% : Status: %Status%'
details_jp: 'ユーザ: %TargetUserName% : 端末: %Workstation% : ステータス: %Status%'
description: Prints logon information.
description_jp: Prints logon information.
id: 4fbe94b0-577a-4f77-9b13-250e27d440fa
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 4776
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa

View File

@@ -1,26 +0,0 @@
author: Zach Mathis
date: 2020/11/08
modified: 2021/11/26
title: Connection to wireless access point
title_jp: ローカルアカウントへのNTLMログオン
details: 'SSID: %SSID% : Type: %AuthenticationAlgorithm% : BSSType: %BSSType%'
details_jp: 'SSID: %SSID% : タイプ: %AuthenticationAlgorithm% : BSSタイプ: %BSSType%'
description: Prints connection info to wireless access points.
description_jp: Prints connection info to wireless access points.
id: 90dd0797-f481-453d-a97e-dd78436893f9
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-WLAN-AutoConfig
EventID: 8001
condition: selection
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: default
ruletype: Hayabusa
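Review bot: `title_jp: ローカルアカウントへのNTLMログオン` on the Connection to wireless access point rule is the Japanese title of the preceding NTLM Logon to Local Account rule, carried over by mistake; the English title and the WLAN-AutoConfig EventID 8001 selection are about wireless connections. Fix the translation in the copy that lives on in the rules submodule, since Japanese output would otherwise label wireless association events as NTLM logons.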

View File

@@ -1,31 +0,0 @@
author: Yusuke Matsui, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: Powershell 2.0 Downgrade Attack
title_jp: Powershell 2.0へのダウングレード攻撃
details: 'Powershell 2.0 downgrade attack detected!'
details_jp: 'Powershell 2.0へのダウングレード攻撃が検知されました!'
description: An attacker may have started Powershell 2.0 to evade detection.
description_jp: 攻撃者は検知されないようにPowershell 2.0を起動したリスクがある。
id: bc082394-73e6-4d00-a9af-e7b524ef5085
level: medium
status: testing
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 400
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
condition: selection
falsepositives:
- legacy application
tags:
- attack.defense_evasion
- attack.t1562.010
- lolbas
references:
- https://attack.mitre.org/techniques/T1562/010/
- https://kurtroggen.wordpress.com/2017/05/17/powershell-security-powershell-downgrade-attacks/
logsource: non-default
ruletype: Hayabusa
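Review bot: `status: testing` on the Powershell 2.0 Downgrade Attack rule does not match the status vocabulary used elsewhere in this change set (`test` on the Windows Defender Alert rule, `stable` and `experimental` on the rest). Settle on one spelling for the in-progress state in the submodule copy so that any filtering or reporting keyed on status treats these rules consistently.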

View File

@@ -1,31 +0,0 @@
author: Eric Conrad, Yamato Security
date: 2020/11/08
modified: 2021/11/22
title: PowerShell Execution Pipeline
title_jp: PowerShellパイプライン実行
details: 'Command: %CommandLine%'
details_jp: 'コマンド: %CommandLine%'
description: Displays powershell execution
description_jp: Powershellの実行を出力する。
id: d3fb8f7b-88b0-4ff4-bf9b-ca286ce19031
level: informational
status: stable
detection:
selection:
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
ContextInfo:
- Host Application
- ホスト アプリケーション
condition: selection
falsepositives:
- normal system usage
tags:
- attack.defense_evasion
- attack.t1059.001
- lolbas
references:
logsource: non-default
ruletype: Hayabusa

View File

@@ -1,28 +0,0 @@
author: Zach Mathis
date: 2021/12/16
modified: 2021/12/16
title: Network Share Access
title_jp: ネットワーク共有へのアクセス
details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
description:
description_jp:
id: 15d042c1-07c6-4e16-ae7d-e0e556ccd9a8
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 5140
condition: selection
falsepositives:
- normal system usage
tags:
- attack.t1039 # Data from network shared drive
- attack.collection
references:
sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
logsource: non-default
ruletype: Hayabusa

View File

@@ -1,33 +0,0 @@
author: Zach Mathis
date: 2021/12/16
modified: 2021/12/16
title: Network Share File Access
title_jp: ネットワーク共有へのアクセス
details: 'User: %SubjectUserName% : Share Name: %ShareName% : Share Path: %ShareLocalPath% : File: %RelativeTargetName% : IP Address: %IpAddress% : LogonID: %SubjectLogonId%'
details_jp: 'ユーザ: %SubjectUserName% : 共有名: %ShareName% : 共有パス: %ShareLocalPath% : ファイル: %RelativeTargetName% : IPアドレス: %IpAddress% : ログオンID: %SubjectLogonId%'
description:
description_jp:
id: 8c6ec2b2-8dad-4996-9aba-d659afc1b919
level: informational
status: stable
detection:
selection:
Channel: Security
EventID: 5145
filter:
- ShareLocalPath: ""
- ShareLocalPath: "null"
- ShareName: "\\\\*\\IPC$"
- RelativeTargetName: "\\"
condition: selection and not filter
falsepositives:
- normal system usage
tags:
- attack.t1039 # Data from network shared drive
- attack.collection
references:
sample-evtx: ./EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
logsource: non-default
ruletype: Hayabusa
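Review bot: `title_jp: ネットワーク共有へのアクセス` on the Network Share File Access rule (EventID 5145) is identical to the title_jp of the Network Share Access rule (EventID 5140) above, so the two rules are indistinguishable in Japanese output even though their English titles differ. Give the 5145 rule its own Japanese title that mentions the file (for example ネットワーク共有のファイルへのアクセス) in the submodule copy.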

View File

@@ -1,29 +0,0 @@
author: Zach Mathis
date: 2021/12/11
modified: 2021/12/11
title: Process Creation Sysmon Rule Alert
title_jp: プロセス起動 - Sysmonルールアラート
details: 'Rule: %RuleName% : Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
details_jp: 'ルール: %RuleName% : コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
description: Sysmon process creation
description_jp: Sysmonログによるプロセス起動のログ
id: d5e4fb89-b027-43bf-bd3a-2e7f74f105ac
level: high
status: stable
detection:
selection:
Channel: Microsoft-Windows-Sysmon/Operational
EventID: 1
filter:
- RuleName: ""
- RuleName: "-"
condition: selection and not filter
falsepositives:
- bad sysmon rule
tags:
references:
sample-evtx:
logsource: sysmon
ruletype: Hayabusa

View File

@@ -1,29 +0,0 @@
author: Zach Mathis
date: 2021/12/11
modified: 2021/12/11
title: Process Creation
title_jp: プロセス起動
details: 'Command: %CommandLine% : Path: %Image% : User: %User% : Parent Command: %ParentCommandLine%'
details_jp: 'コマンド: %CommandLine% : パス: %Image% : ユーザ: %User% : 親コマンド: %ParentCommandLine%'
description: Sysmon process creation. Displays only commands that have not been flagged with a sysmon detection rule.
description_jp: Sysmonログによるプロセス起動のログ
id: 85790e3e-e270-499f-a6ad-f8afe85c35f1
level: informational
status: stable
detection:
selection_1:
Channel: Microsoft-Windows-Sysmon/Operational
EventID: 1
selection_2:
- RuleName: ""
- RuleName: "-"
condition: selection_1 and selection_2
falsepositives:
- normal system usage
tags:
references:
sample-evtx:
logsource: sysmon
ruletype: Hayabusa

View File

@@ -1,39 +0,0 @@
title: Audit CVE Event
ruletype: Sigma
author: Florian Roth
date: 2020/01/15
description: Detects events generated by Windows to indicate the exploitation of a
known vulnerability (e.g. CVE-2020-0601)
detection:
SELECTION_1:
Provider_Name: Microsoft-Windows-Audit-CVE
condition: SELECTION_1
falsepositives:
- Unknown
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
level: critical
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://twitter.com/mattifestation/status/1217179698008068096
- https://twitter.com/VM_vivisector/status/1217190929330655232
- https://twitter.com/davisrichardg/status/1217517547576348673
- https://twitter.com/DidierStevens/status/1217533958096924676
- https://twitter.com/FlemmingRiis/status/1217147415482060800
status: experimental
tags:
- attack.execution
- attack.t1203
- attack.privilege_escalation
- attack.t1068
- attack.defense_evasion
- attack.t1211
- attack.credential_access
- attack.t1212
- attack.lateral_movement
- attack.t1210
- attack.impact
- attack.t1499.004

View File

@@ -1,44 +0,0 @@
title: Relevant Anti-Virus Event
ruletype: Sigma
author: Florian Roth
date: 2017/02/19
description: This detection method points out highly relevant Antivirus events
detection:
SELECTION_1:
- HTool-
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- .WinCred.
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
SELECTION_2:
- Keygen
- Crack
condition: ((SELECTION_1) and not (SELECTION_2))
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
level: high
logsource:
product: windows
service: application
modified: 2021/11/20
status: experimental
tags:
- attack.resource_development
- attack.t1588

View File

@@ -1,28 +0,0 @@
title: Atera Agent Installation
ruletype: Sigma
author: Bhabesh Raj
date: 2021/09/01
description: Detects successful installation of Atera Remote Monitoring & Management
(RMM) agent as recently found to be used by Conti operators
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
Message: '*AteraAgent*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Atera agent installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
status: experimental
tags:
- attack.t1219

View File

@@ -1,28 +0,0 @@
title: Backup Catalog Deleted
ruletype: Sigma
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
date: 2017/05/12
description: Detects backup catalog deletions
detection:
SELECTION_1:
EventID: 524
SELECTION_2:
Provider_Name: Microsoft-Windows-Backup
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 9703792d-fd9a-456d-a672-ff92efe4806a
level: medium
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
status: experimental
tags:
- attack.defense_evasion
- attack.t1107
- attack.t1070.004

View File

@@ -1,39 +0,0 @@
title: Microsoft Malware Protection Engine Crash
ruletype: Sigma
author: Florian Roth
date: 2017/05/09
description: This rule detects a suspicious crash of the Microsoft Malware Protection
Engine
detection:
SELECTION_1:
Provider_Name: Application Error
SELECTION_2:
EventID: 1000
SELECTION_3:
Provider_Name: Windows Error Reporting
SELECTION_4:
EventID: 1001
SELECTION_5:
- MsMpEng.exe
SELECTION_6:
- mpengine.dll
condition: (((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4)) and
(SELECTION_5 and SELECTION_6))
falsepositives:
- MsMpEng.exe can crash when C:\ is full
id: 6c82cf5c-090d-4d57-9188-533577631108
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
- https://technet.microsoft.com/en-us/library/security/4022344
status: experimental
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1211
- attack.t1562.001

View File

@@ -1,32 +0,0 @@
title: CVE-2020-0688 Exploitation via Eventlog
ruletype: Sigma
author: Florian Roth, wagga
date: 2020/02/29
description: Detects the exploitation of Microsoft Exchange vulnerability as described
in CVE-2020-0688
detection:
SELECTION_1:
EventID: 4
SELECTION_2:
Provider_Name: MSExchange Control Panel
SELECTION_3:
Level: Error
SELECTION_4:
- '&__VIEWSTATE='
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and SELECTION_4)
falsepositives:
- Unknown
id: d6266bf5-935e-4661-b477-78772735a7cb
level: high
logsource:
product: windows
service: application
modified: 2021/10/13
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
status: experimental
tags:
- attack.initial_access
- attack.t1190

View File

@@ -1,27 +0,0 @@
title: LPE InstallerFileTakeOver PoC CVE-2021-41379
ruletype: Sigma
author: Florian Roth
date: 2021/11/22
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
detection:
SELECTION_1:
EventID: 1033
SELECTION_2:
Provider_Name: MsiInstaller
SELECTION_3:
- test pkg
condition: ((SELECTION_1 and SELECTION_2) and SELECTION_3)
falsepositives:
- Other MSI packages for which your admins have used that name
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
level: high
logsource:
product: windows
service: application
references:
- https://github.com/klinix5/InstallerFileTakeOver
status: experimental
tags:
- attack.initial_access
- attack.t1190

View File

@@ -1,40 +0,0 @@
title: Azure AD Health Monitoring Agent Registry Keys Access
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012

View File

@@ -1,42 +0,0 @@
title: Azure AD Health Service Agents Registry Keys Access
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
description: |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
Make sure you set the SACL to propagate to its sub-keys.
detection:
SELECTION_1:
EventID: 4656
SELECTION_2:
EventID: 4663
SELECTION_3:
ObjectType: Key
SELECTION_4:
ObjectName: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent
SELECTION_5:
ProcessName:
- '*Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe*'
- '*Microsoft.Identity.Health.Adfs.InsightsService.exe*'
- '*Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe*'
- '*Microsoft.Identity.Health.Adfs.PshSurrogate.exe*'
- '*Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe*'
condition: (((SELECTION_1 or SELECTION_2) and SELECTION_3 and SELECTION_4) and not
(SELECTION_5))
falsepositives:
- Unknown
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
level: medium
logsource:
product: windows
service: security
references:
- https://o365blog.com/post/hybridhealthagent/
- https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
status: experimental
tags:
- attack.discovery
- attack.t1012

View File

@@ -1,35 +0,0 @@
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
ruletype: Sigma
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
date: 2019/04/03
description: backdooring domain object to grant the rights associated with DCSync
to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeLDAPDisplayName: ntSecurityDescriptor
SELECTION_3:
AttributeValue:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute
of event 5136 and verify if it's a regular user or DC computer account.
id: 2c99737c-585d-4431-b61a-c911d86ff32f
level: critical
logsource:
product: windows
service: security
modified: 2021/07/09
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
status: experimental
tags:
- attack.persistence
- attack.t1098

View File

@@ -1,44 +0,0 @@
title: AD Privileged Users or Groups Reconnaissance
ruletype: Sigma
author: Samir Bousseaden
date: 2019/04/03
description: Detect priv users or groups recon based on 4661 eventid and known privileged
users or groups SIDs
detection:
SELECTION_1:
EventID: 4661
SELECTION_2:
ObjectType:
- SAM_USER
- SAM_GROUP
SELECTION_3:
ObjectName:
- '*-512'
- '*-502'
- '*-500'
- '*-505'
- '*-519'
- '*-520'
- '*-544'
- '*-551'
- '*-555'
SELECTION_4:
ObjectName: '*admin*'
condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4))
falsepositives:
- if source account name is not an admin then its super suspicious
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
level: high
logsource:
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
product: windows
service: security
modified: 2021/09/08
references:
- https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002

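Review bot: the `falsepositives` entry `if source account name is not an admin then its super suspicious` describes a true positive rather than a benign source, so it gives an analyst nothing to tune against. If the rule is retained, move that guidance into `description` and list the benign sources here; the `definition` already notes that SAM object-access auditing must be enabled on domain controllers, which is where legitimate admin tooling will also raise 4661 against the `-512`/`-544` style objects in `SELECTION_3`.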
View File

@@ -1,33 +0,0 @@
title: AD Object WriteDAC Access
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
description: Detects WRITE_DAC access to a domain object
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectServer: DS
SELECTION_3:
AccessMask: '0x40000'
SELECTION_4:
ObjectType:
- 19195a5b-6da0-11d0-afd3-00c04fd930c9
- domainDNS
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html
status: test
tags:
- attack.defense_evasion
- attack.t1222
- attack.t1222.001

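Review bot: `AccessMask: '0x40000'` in `SELECTION_3` is an exact string match, but the Access Mask field of event 4662 is a bit mask of every access requested in the operation, so a request that combines WRITE_DAC with another right (for example WRITE_OWNER, giving `0xC0000`) is missed. If the rule is retained, list the combined mask values that carry the 0x40000 bit instead of the single value.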
View File

@@ -1,42 +0,0 @@
title: Active Directory Replication from Non Machine Account
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/07/26
description: Detects potential abuse of Active Directory Replication Service (ADRS)
from a non machine account to request credentials.
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
AccessMask: '0x100'
SELECTION_3:
Properties:
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*89e95b76-444d-4c62-991a-0facbeda640c*'
SELECTION_4:
SubjectUserName: '*$'
SELECTION_5:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) and not (SELECTION_4
or SELECTION_5))
falsepositives:
- Unknown
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
id: 17d619c1-e020-4347-957e-1d1207455c93
level: critical
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
status: test
tags:
- attack.credential_access
- attack.t1003
- attack.t1003.006

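Review bot: the `not (SELECTION_4 or SELECTION_5)` exclusion suppresses any replication request whose `SubjectUserName` matches `MSOL_*` purely by account name, regardless of where it originates. The `fields` list already surfaces `ComputerName`, so pairing the `MSOL_*` exclusion with the expected Azure AD Connect host would keep the rule quiet for the sync service while still surfacing the same account name used from an unexpected machine. `AccessMask: '0x100'` is likewise an exact match and will miss a 4662 whose mask combines Control Access with other bits.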
View File

@@ -1,35 +0,0 @@
title: AD User Enumeration
ruletype: Sigma
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
SELECTION_1:
EventID: 4662
SELECTION_2:
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
SELECTION_3:
SubjectUserName: '*$'
SELECTION_4:
SubjectUserName: MSOL_*
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
definition: Requires the "Read all properties" permission on the user object to
be audited for the "Everyone" principal
product: windows
service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002

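Review bot: the `definition` in this hunk requires "Read all properties" auditing for the Everyone principal on user objects, which means every read of any user object by any non-machine account produces a 4662 that `SELECTION_2` matches; the single `falsepositives` entry, `Administrators configuring new users.`, understates that volume. If the rule is retained at `level: medium`, document the expected event rate and the benign readers that the audit setting will capture so exclusions can be tuned before it is enabled.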
View File

@@ -1,35 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability
ruletype: Sigma
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_3:
EventID: 4899
SELECTION_4:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
level: low
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access

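Review bot: the `tags` in this hunk stop at tactic level (`attack.privilege_escalation`, `attack.credential_access`) while every other rule in this diff carries a technique id, and the `definition` text has typos (`comming`, `enrollement`, `if template contain`). If the rule is carried over, add the technique tag and reword the definition to: Certificate Services loading a template triggers event ID 4898 and updating a template triggers 4899; a risky permission is indicated when the template contains the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag.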
View File

@@ -1,49 +0,0 @@
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
ruletype: Sigma
author: Orlinum , BlueDefenZer
date: 2021/11/17
description: Detects certificate creation with template allowing risk permission subject
and risky EKU
detection:
SELECTION_1:
EventID: 4898
SELECTION_2:
TemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_3:
TemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
SELECTION_4:
EventID: 4899
SELECTION_5:
NewTemplateContent:
- '*1.3.6.1.5.5.7.3.2*'
- '*1.3.6.1.5.2.3.4*'
- '*1.3.6.1.4.1.311.20.2.2*'
- '*2.5.29.37.0*'
SELECTION_6:
NewTemplateContent: '*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5
and SELECTION_6))
falsepositives:
- Administrator activity
- Penetration tests
- Proxy SSL certificate with subject modification
- Smart card enrollement
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
level: high
logsource:
definition: Certificate services loaded a template would trigger event ID 4898 and
certificate Services template was updated would trigger event ID 4899. A risk
permission seems to be comming if template contain specific flag with risky EKU.
product: windows
service: security
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
status: experimental
tags:
- attack.privilege_escalation
- attack.credential_access

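Review bot: `SELECTION_1 and SELECTION_3` and `SELECTION_4 and SELECTION_6` in this hunk are the same conditions as the companion `ADCS Certificate Template Configuration Vulnerability` rule, so any template that matches this `level: high` rule also fires the `level: low` one on the same event. If both are kept, have the low rule exclude the EKU list used here in `SELECTION_2`/`SELECTION_5` so an analyst gets one alert per event, and note in `definition` that `2.5.29.37.0` is the any-purpose EKU rather than a specific one.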
View File

@@ -1,37 +0,0 @@
title: Admin User Remote Logon
ruletype: Sigma
author: juju4
date: 2017/10/29
description: Detect remote login by Administrator user (depending on internal pattern).
detection:
SELECTION_1:
EventID: 4624
SELECTION_2:
LogonType: 10
SELECTION_3:
AuthenticationPackageName: Negotiate
SELECTION_4:
TargetUserName: Admin*
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administrative activity.
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
level: low
logsource:
definition: 'Requirements: Identifiable administrators usernames (pattern or special
unique character. ex: "Admin-*"), internal policy mandating use only as secondary
account'
product: windows
service: security
modified: 2021/07/07
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
status: experimental
tags:
- attack.lateral_movement
- attack.t1078
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005

View File

@@ -1,29 +0,0 @@
title: Access to ADMIN$ Share
ruletype: Sigma
author: Florian Roth
date: 2017/03/04
description: Detects access to $ADMIN share
detection:
SELECTION_1:
EventID: 5140
SELECTION_2:
ShareName: Admin$
SELECTION_3:
SubjectUserName: '*$'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Legitimate administrative activity
id: 098d7118-55bc-4912-a836-dc6483a8d150
level: low
logsource:
definition: The advanced audit policy setting "Object Access > Audit File Share"
must be configured for Success/Failure
product: windows
service: security
modified: 2021/11/27
status: test
tags:
- attack.lateral_movement
- attack.t1077
- attack.t1021.002

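Review bot: `tags` in this hunk carry both `attack.t1077` and `attack.t1021.002`; T1077 is the retired id that was folded into T1021.002, so only the latter should remain if the rule is carried over. The `description` also says `$ADMIN share` while `SELECTION_2` matches `ShareName: Admin$`; the description should use the real share name.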
View File

@@ -1,32 +0,0 @@
title: Enabled User Right in AD to Control User Objects
ruletype: Sigma
author: '@neu5ron'
date: 2017/07/30
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege
right in Active Directory it would allow control of other AD user objects.
detection:
SELECTION_1:
EventID: 4704
SELECTION_2:
PrivilegeList:
- '*SeEnableDelegationPrivilege*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
level: high
logsource:
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy
Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy
Change'
product: windows
service: security
modified: 2021/12/02
references:
- https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
status: test
tags:
- attack.persistence
- attack.t1098

View File

@@ -1,48 +0,0 @@
title: Active Directory User Backdoors
ruletype: Sigma
author: '@neu5ron'
date: 2017/04/13
description: Detects scenarios where one can control another users or computers account
without having to use their credentials.
detection:
SELECTION_1:
EventID: 4738
SELECTION_2:
AllowedToDelegateTo: '-'
SELECTION_3:
AllowedToDelegateTo|re: ^$
SELECTION_4:
EventID: 5136
SELECTION_5:
AttributeLDAPDisplayName: msDS-AllowedToDelegateTo
SELECTION_6:
ObjectClass: user
SELECTION_7:
AttributeLDAPDisplayName: servicePrincipalName
SELECTION_8:
AttributeLDAPDisplayName: msDS-AllowedToActOnBehalfOfOtherIdentity
condition: ((SELECTION_1 and not (SELECTION_2 or SELECTION_3)) or (SELECTION_4
and (SELECTION_5 or (SELECTION_6 and SELECTION_7) or SELECTION_8)))
falsepositives:
- Unknown
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
level: high
logsource:
definition: 'Requirements: Audit Policy : Account Management > Audit User Account
Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit User Account
Management, DS Access > Audit Directory Service Changes, Group Policy : Computer
Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\DS Access\Audit Directory Service Changes'
product: windows
service: security
modified: 2021/11/27
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
status: test
tags:
- attack.t1098
- attack.persistence

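Review bot: the 5136 branch of the `condition` (`SELECTION_4 and (SELECTION_5 or (SELECTION_6 and SELECTION_7) or SELECTION_8)`) has no filter on the operation type, and a modification that replaces an existing attribute value is logged as a pair of 5136 events (one for the value removed, one for the value added), so each such change alerts twice. If the rule is carried over, restrict the 5136 branch to the "Value Added" operation; the 4738 branch already avoids the empty-value case through `SELECTION_2`/`SELECTION_3`.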
Some files were not shown because too many files have changed in this diff.