* changed default level to Low #211
* fixed usage #211
* erased Lang option #195
* changed output credit to contributors #141
* Removed contributor information for uncreated features and features that will not be introduced in v1.0. #141
* removed slack notification feature #202
  - removed config option
  - removed artifact slack notification call
* removed description of slack notification #202
* fixed default level to Low #211
* removed description about slack notification #202
Hayabusa
Hayabusa is a very fast Windows event log analyzer used for creating forensic timelines and performing threat hunting based on IoCs written in either hayabusa or SIGMA rules. It can be run live, offline, or pushed out as an agent to be run on endpoints across an enterprise after an incident.
About Hayabusa
Hayabusa ("falcon" in Japanese) was written by the Yamato Security group in Japan. Originally inspired by the DeepBlueCLI Windows event log analyzer, we started porting it to Rust in 2020 for the RustyBlue project, then created SIGMA-like flexible signatures in YAML, and then added a SIGMA backend to convert SIGMA rules into hayabusa rules. It supports multi-threading and is, to our knowledge, currently the fastest forensic timeline generator and threat hunting tool, and it also supports the most SIGMA features. It can analyze multiple Windows event logs and consolidate the results into one timeline for easy analysis. Output is in CSV so that it can be imported into tools like Timeline Explorer and Excel for analysis.
Screenshots
Add screenshots here.
Features
- Cross-platform support: Windows, Linux, macOS (Intel + ARM)
- Faster than a hayabusa falcon!
- English and Japanese support
- Multi-thread support
- Creating event timelines for forensic investigations and incident response
- Threat hunting based on IoC signatures written in easy-to-read, easy-to-create and easy-to-edit YAML-based hayabusa rules
- SIGMA support to convert SIGMA rules to hayabusa rules
- Event log statistics (Useful for getting a picture of what types of events there are and for tuning your log settings)
Downloads
You can download pre-compiled binaries for Windows, Linux and macOS from the Releases page.
Usage
Command line options
USAGE:
hayabusa.exe [FLAGS] [OPTIONS]
FLAGS:
--credits Prints a list of contributors
-h, --help Prints help information
--rfc-2822 Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600
-s, --statistics Prints statistics for event logs
-u, --utc Output time in UTC format (default: local time)
-V, --version Prints version information
OPTIONS:
--csv-timeline <CSV_TIMELINE> Save timeline to CSV file
-d, --directory <DIRECTORY> Event log files directory
-f, --filepath <FILEPATH> Event file path
--human-readable-timeline <HUMAN_READABLE_TIMELINE> Human readable timeline
-l, --lang <LANG> Output language
-t, --threadnum <NUM> Number of threads (Default is the number of CPU cores)
Usage examples
- Run hayabusa against one Windows event log file:
hayabusa.exe --filepath=eventlog.evtx
- Run hayabusa against a directory with multiple Windows event log files:
hayabusa.exe --directory=.\evtx
- Export to a CSV file:
hayabusa.exe --directory=.\evtx --csv-timeline results.csv
Hayabusa rules
Hayabusa attack detection rules are written in a SIGMA-like YAML format.
Please read AboutRuleCreation-English.md to learn how to create rules.
All of the rules are in the rules folder.
You can check out the current rules to use as a template in creating new ones.
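Hayabusa's actual rule schema is documented in AboutRuleCreation-English.md. As an added illustration (not hayabusa's code or its exact rule format), the following Python sketches the Sigma-style matching model the README refers to: a rule with a `selection` block, a `filter` block and a `selection and not filter` condition is evaluated over event records and the hits are written out as a CSV timeline like the one hayabusa exports. The rule layout, the field names, the modifiers supported and the sample events are all constructed assumptions for this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed Sigma-style rule as a dict mirroring the YAML layout (not hayabusa's schema).
RULE = {"title": "Security event log cleared", "level": "high",
        "detection": {"selection": {"EventID": 1102},
                      "filter": {"SubjectUserName|endswith": "$"},  # machine accounts
                      "condition": "selection and not filter"}}

def _field_matches(event, key, expected):
    """One 'Field|modifier: value' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if ((modifier == "" and actual == value)
                or (modifier == "contains" and value in actual)
                or (modifier == "endswith" and actual.endswith(value))):
            return True
    return False

def rule_matches(rule, event):
    """Entries in a block are ANDed; supports 'X' and 'X and not Y' conditions."""
    det = rule["detection"]
    cond = det["condition"].split()
    def block(name):
        return all(_field_matches(event, k, v) for k, v in det[name].items())
    hit = block(cond[0])
    if cond[1:3] == ["and", "not"]:
        hit = hit and not block(cond[3])
    return hit

def build_timeline(rule, events):
    """CSV text with one row per matched event, sorted by UTC timestamp."""
    rows = sorted((ev["timestamp"].isoformat(), ev["Computer"], ev["EventID"],
                   rule["level"], rule["title"]) for ev in events if rule_matches(rule, ev))
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Timestamp", "Computer", "EventID", "Level", "RuleTitle"])
    writer.writerows(rows)
    return out.getvalue()

def _event(hour, minute, computer, event_id, user):  # constructed sample events, not real data
    return {"timestamp": datetime(2021, 12, 1, hour, minute, tzinfo=timezone.utc),
            "Computer": computer, "EventID": event_id, "SubjectUserName": user}

EVENTS = [_event(9, 0, "WS01", 1102, "alice"),    # matches selection, not filtered
          _event(8, 30, "WS02", 1102, "WS02$"),   # machine account: removed by filter
          _event(8, 45, "WS01", 4624, "alice")]   # different EventID: no match
```

Only the first event survives the filter, so the resulting timeline has a header line and one row.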
Compiling from source
If you have Rust installed, you can compile from source with the following command.
cargo build --release
Other Windows event log analyzers and related projects
There is no "one tool to rule them all", and we have found that each has its own merits, so we recommend checking out these other great tools and projects and seeing which ones you like.
- APT-Hunter - Attack detection tool written in Python.
- Chainsaw - A similar SIGMA based attack detection tool written in Rust.
- DeepBlueCLI - Attack detection tool written in Powershell.
- EvtxToElk - Python tool to send Evtx data to Elastic Stack.
- EVTX ATTACK Samples - EVTX attack sample event log files by SBousseaden.
- EVTX-to-MITRE-Attack - Another great repository of EVTX attack sample logs mapped to ATT&CK.
- EVTX parser - the Rust library we used written by @OBenamram.
- LogonTracer - A graphical interface to visualize logons to detect lateral movement by JPCERTCC.
- RustyBlue - Rust port of DeepBlueCLI by Eric Conrad.
- SIGMA - Generic SIEM rules.
- so-import-evtx - Import evtx files into Security Onion.
- Timeline Explorer - The best CSV timeline analyzer by Eric Zimmerman.
- Zircolite - SIGMA based attack detection tool written in Python.
License
Hayabusa is released under GPLv3 and all rules are released under the Detection Rule License (DRL) 1.1.
Contributing
We welcome any form of contribution. Pull requests and rule creation are the best, but feature requests, bug reports, etc. are also very welcome.
At the least, if you like our tool then please give us a star on Github and show your support!
