diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 16ef0337c..40d19b7f2 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,5 +1,11 @@ # 変更点 +## v1.4.3 [2022/08/03] + +**バグ修正:** + +- VC再頒布パッケージがインストールされていない環境でエラーが発生している状態を修正した。 (#635) (@fukusuket) + ## v1.4.2 [2022/07/24] **改善:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f822bf4e..3b57e1aee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changes +## v1.4.3 [2022/08/03] + +**Bug Fixes:** + +- Hayabusa would not run on Windows 11 when the VC redistribute package was not installed but now everything is compiled statically. (#635) (@fukusuket) + ## v1.4.2 [2022/07/24] **Enhancements:** diff --git a/Cargo.lock b/Cargo.lock index 0122299a6..ff6dd48a7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -39,9 +39,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.58" +version = "1.0.59" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bb07d2053ccdbe10e2af2995a2f116c1330396493dc1269f6a91d0ae82e19704" +checksum = "c91f1f46651137be86f3a2b9a8359f9ab421d04d941c62b5982e1ca21113adf9" [[package]] name = "arrayref" @@ -133,9 +133,9 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" [[package]] name = "bytes" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0b3de4a0c5e67e16066a0715723abd91edc2f9001d09c46e1dca929351e130e" +checksum = "ec8a7b6a70fde80372154c65702f00a0f56f3e1c36abbc6c440484be248856db" [[package]] name = "bytesize" @@ -220,9 +220,9 @@ dependencies = [ [[package]] name = "clap" -version = "3.2.14" +version = "3.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54635806b078b7925d6e36810b1755f2a4b5b4d57560432c1ecf60bcbe10602b" +checksum = "a3dbbb6653e7c55cc8595ad3e1f7be8f32aba4eb7ff7f0fd1163d4f3d137c0a9" dependencies = [ "atty", "bitflags", @@ -237,9 +237,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "3.2.7" +version = "3.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "759bf187376e1afa7b85b959e6a664a3e7a95203415dba952ad19139e798f902" +checksum = "9ba52acd3b0a5c33aeada5cdaa3267cdc7c594a98731d4268cdc1532f4264cb4" dependencies = [ "heck", "proc-macro-error", @@ -259,14 +259,13 @@ dependencies = [ [[package]] name = "console" -version = "0.15.0" +version = "0.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28b32d32ca44b70c3e4acd7db1babf555fa026e385fb95f18028f88848b3c31" +checksum = "89eab4d20ce20cea182308bca13088fecea9c05f6776cf287205d41a0ed3c847" dependencies = [ "encode_unicode", "libc", "once_cell", - "regex", "terminal_size 0.1.17", "unicode-width", "winapi", @@ -529,7 +528,7 @@ dependencies = [ [[package]] name = "evtx" version = "0.7.3" -source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#1f873e3a7042185c0079b4b52d9eb34540dcf5f1" +source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git#773f4500a62e277a426167301960361320836255" dependencies = [ "anyhow", "bitflags", @@ -555,9 +554,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "1.7.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c3fcf0cee53519c866c09b5de1f6c56ff9d647101f81c1964fa632e148896cdf" +checksum = "a7a407cfaa3385c4ae6b23e84623d48c2798d06e3e6a1878f7f59f17b3f86499" dependencies = [ "instant", ] @@ -676,9 +675,9 @@ dependencies = [ [[package]] name = "git2" -version = "0.14.4" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0155506aab710a86160ddb504a480d2964d7ab5b9e62419be69e0032bc5931c" +checksum = "2994bee4a3a6a51eb90c218523be382fd7ea09b16380b9312e9dbe955ff7c7d1" dependencies = [ "bitflags", "libc", @@ -711,7 +710,7 @@ dependencies = [ "base64", "bytesize", "chrono", - "clap 3.2.14", + "clap 3.2.16", "crossbeam-utils", "csv", "dashmap", @@ -876,9 +875,9 @@ dependencies = [ [[package]] name = "indoc" -version = "1.0.6" +version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05a0bd019339e5d968b37855180087b7b9d512c5046fbd244cf8c95687927d6e" +checksum = "adab1eaa3408fb7f0c777a73e7465fd5656136fc93b670eb6df3c88c2c1344e3" [[package]] name = "instant" @@ -964,7 +963,7 @@ dependencies = [ "anyhow", "atty", "chrono", - "clap 3.2.14", + "clap 3.2.16", "file-chunker", "indicatif", "memmap2", @@ -990,9 +989,9 @@ checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836" [[package]] name = "libgit2-sys" -version = "0.13.4+1.4.2" +version = "0.14.0+1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0fa6563431ede25f5cc7f6d803c6afbc1c5d3ad3d4925d12c882bf2b526f5d1" +checksum = "47a00859c70c8a4f7218e6d1cc32875c4b55f6799445b842b0d8ed5e4c3d959b" dependencies = [ "cc", "libc", @@ -1241,7 +1240,7 @@ checksum = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929" dependencies = [ "cfg-if", "libc", - "redox_syscall 0.2.15", + "redox_syscall 0.2.16", "smallvec", "windows-sys", ] @@ -1328,9 +1327,9 @@ checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5" [[package]] name = "proc-macro2" -version = "1.0.40" +version = "1.0.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7" +checksum = "c278e965f1d8cf32d6e0e96de3d3e79712178ae67986d9cf9151f51e95aac89b" dependencies = [ "unicode-ident", ] @@ -1343,9 +1342,9 @@ checksum = "e965d96c8162c607b0cd8d66047ad3c9fd35273c134d994327882c6e47f986a7" [[package]] name = "pulldown-cmark" -version = "0.9.1" +version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34f197a544b0c9ab3ae46c359a7ec9cbbb5c7bf97054266fecb7ead794a181d6" +checksum = "2d9cc634bc78768157b5cbfe988ffcd1dcba95cd2b2f03a88316c08c6d00ed63" dependencies = [ "bitflags", "memchr", @@ -1409,9 +1408,9 @@ checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" [[package]] name = "redox_syscall" -version = "0.2.15" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "534cfe58d6a18cc17120fbf4635d53d14691c1fe4d951064df9bd326178d7d5a" +checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a" dependencies = [ "bitflags", ] @@ -1561,18 +1560,18 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3" [[package]] name = "serde" -version = "1.0.140" +version = "1.0.141" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc855a42c7967b7c369eb5860f7164ef1f6f81c20c7cc1141f2a604e18723b03" +checksum = "7af873f2c95b99fcb0bd0fe622a43e29514658873c8ceba88c4cb88833a22500" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.140" +version = "1.0.141" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f2122636b9fe3b81f1cb25099fcf2d3f542cdb1d45940d56c713158884a05da" +checksum = "75743a150d003dd863b51dc809bcad0d73f2102c53632f1e954e738192a3413f" dependencies = [ "proc-macro2", "quote", @@ -1752,7 +1751,7 @@ dependencies = [ "cfg-if", "fastrand", "libc", - "redox_syscall 0.2.15", + "redox_syscall 0.2.16", "remove_dir_all", "winapi", ] @@ -1898,9 +1897,9 @@ checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" [[package]] name = "tokio" -version = "1.20.0" +version = "1.20.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57aec3cfa4c296db7255446efb4928a6be304b431a806216105542a67b6ca82e" +checksum = "7a8325f63a7d4774dd041e363b2409ed1c5cbbd0f867795e661df066b2b0a581" dependencies = [ "autocfg", "bytes", @@ -1936,9 +1935,9 @@ checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" [[package]] name = "tracing" -version = "0.1.35" +version = "0.1.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160" +checksum = "2fce9567bd60a67d08a16488756721ba392f24f29006402881e43b19aac64307" dependencies = [ "cfg-if", "pin-project-lite", @@ -1947,9 +1946,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.28" +version = "0.1.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b7358be39f2f274f322d2aaed611acc57f382e8eb1e5b48cb9ae30933495ce7" +checksum = "5aeea4303076558a00714b823f9ad67d58a3bbda1df83d8827d21193156e22f7" dependencies = [ "once_cell", ] @@ -2067,9 +2066,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.81" +version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994" +checksum = "fc7652e3f6c4706c8d9cd54832c4a4ccb9b5336e2c3bd154d5cccfbf1c1f5f7d" dependencies = [ "cfg-if", "wasm-bindgen-macro", @@ -2077,13 +2076,13 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.81" +version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a" +checksum = "662cd44805586bd52971b9586b1df85cdbbd9112e4ef4d8f41559c334dc6ac3f" dependencies = [ "bumpalo", - "lazy_static", "log", + "once_cell", "proc-macro2", "quote", "syn", @@ -2092,9 +2091,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.81" +version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa" +checksum = "b260f13d3012071dfb1512849c033b1925038373aea48ced3012c09df952c602" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -2102,9 +2101,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.81" +version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048" +checksum = "5be8e654bdd9b79216c2929ab90721aa82faf65c48cdf08bdc4e7f51357b80da" dependencies = [ "proc-macro2", "quote", @@ -2115,9 +2114,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.81" +version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" +checksum = "6598dd0bd3c7d51095ff6531a5b23e02acdc81804e30d8f07afb77b7215a140a" [[package]] name = "winapi" diff --git a/Cargo.toml b/Cargo.toml index 1ff028f91..e41e67bce 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.4.2" +version = "1.4.3" authors = ["Yamato Security @SecurityYamato"] edition = "2021" diff --git a/README-Japanese.md b/README-1.4.3-Japanese.md similarity index 97% rename from README-Japanese.md rename to README-1.4.3-Japanese.md index 84faba6d2..94d951718 100644 --- a/README-Japanese.md +++ b/README-1.4.3-Japanese.md @@ -182,7 +182,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.4.2-win-x64.exe -u +hayabusa-1.4.3-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -267,20 +267,20 @@ Windows PC起動後の初回実行時に時間がかかる場合があります コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.4.2-windows-x64.exe` +例: `hayabusa-1.4.3-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.4.2-linux-x64-gnu +chmod +x ./hayabusa-1.4.3-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.4.2-linux-x64-gnu +./hayabusa-1.4.3-linux-x64-gnu ``` ## macOS @@ -288,13 +288,13 @@ chmod +x ./hayabusa-1.4.2-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.4.2-mac-intel +chmod +x ./hayabusa-1.4.3-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.4.2-mac-intel +./hayabusa-1.4.3-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -308,7 +308,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.4.2-mac-intel +./hayabusa-1.4.3-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 @@ -370,79 +370,79 @@ OPTIONS: * 1つのWindowsイベントログファイルに対してHayabusaを実行します: ```bash -hayabusa-1.4.2-win-x64.exe -f eventlog.evtx +hayabusa-1.4.3-win-x64.exe -f eventlog.evtx ``` * 複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行します: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができます(注意: `-F`を有効にすると、出力するファイルのサイズがとても大きくなります!): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Hayabusaルールのみを実行します(デフォルトでは `-r .\rules` にあるすべてのルールが利用されます): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行します: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行します: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行します: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にします: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力します: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知します: ```bash -hayabusa-1.4.2-win-x64.exe -l -m low +hayabusa-1.4.3-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成します(結果は結果毎に`keywords-Ip Address.txt`や`keywords-Users.txt`等に出力されます): ```bash -hayabusa-1.4.2-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.4.3-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を取得します: ```bash -hayabusa-1.4.2-win-x64.exe -f Security.evtx -s +hayabusa-1.4.3-win-x64.exe -f Security.evtx -s ``` * 詳細なメッセージを出力します(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -661,7 +661,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.4.2-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.4.3-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: @@ -674,7 +674,7 @@ id,new_level ## イベントIDフィルタリング -バージョン1.4.2以降では、デフォルトでパフォーマンスを上げるために、検知ルールでイベントIDが定義されていないイベントを無視しています。 +バージョン1.4.3以降では、デフォルトでパフォーマンスを上げるために、検知ルールでイベントIDが定義されていないイベントを無視しています。 デフォルトでは`./rules/config/target_event_IDs.txt`で定義されたIDがスキャンされます。 If you want to scan all events, please use the `-D, --deep-scan` option. すべてのイベントをスキャンしたい場合は、`-D, --deep-scan`オプションを使用してください。 diff --git a/README-1.4.2.pdf b/README-1.4.3.pdf similarity index 94% rename from README-1.4.2.pdf rename to README-1.4.3.pdf index 2fea35e28..af1dbf3c8 100644 Binary files a/README-1.4.2.pdf and b/README-1.4.3.pdf differ diff --git a/README-1.4.2-Japanese.pdf b/README-Japanese.pdf similarity index 95% rename from README-1.4.2-Japanese.pdf rename to README-Japanese.pdf index cc564cd0e..fe0b7ab50 100644 Binary files a/README-1.4.2-Japanese.pdf and b/README-Japanese.pdf differ diff --git a/README.md b/README.md index fc81c4267..5ef7cd959 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.4.2-win-x64.exe -u +hayabusa-1.4.3-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -263,20 +263,20 @@ You may experience slow runtime especially on the first run after a reboot due t In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary. -Example: `hayabusa-1.4.2-windows-x64.exe` +Example: `hayabusa-1.4.3-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.4.2-linux-x64-gnu +chmod +x ./hayabusa-1.4.3-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.4.2-linux-x64-gnu +./hayabusa-1.4.3-linux-x64-gnu ``` ## macOS @@ -284,13 +284,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.4.2-mac-intel +chmod +x ./hayabusa-1.4.3-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.4.2-mac-intel +./hayabusa-1.4.3-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -304,7 +304,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.4.2-mac-intel +./hayabusa-1.4.3-mac-intel ``` The following warning will pop up, so please click "Open". @@ -366,79 +366,79 @@ OPTIONS: * Run hayabusa against one Windows event log file: ```bash -hayabusa-1.4.2-win-x64.exe -f eventlog.evtx +hayabusa-1.4.3-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information (Warning: your file output size will become much larger with `-F` enabled!): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -F ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.4.2-win-x64.exe -l -m low +hayabusa-1.4.3-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.4.2-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.4.3-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID statistics: ```bash -hayabusa-1.4.2-win-x64.exe -f Security.evtx -s +hayabusa-1.4.3-win-x64.exe -f Security.evtx -s ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.4.2-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.4.3-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: @@ -657,7 +657,7 @@ You can also add a rule ID to `./rules/config/noisy_rules.txt` in order to ignor Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.4.2-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.4.3-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: @@ -671,7 +671,7 @@ In this case, the risk level of the rule with an `id` of `00000000-0000-0000-000 ## Event ID Filtering -As of version 1.4.2, by default, events are filtered by ID to improve performance by ignorning events that have no detection rules. +As of version 1.4.3, by default, events are filtered by ID to improve performance by ignorning events that have no detection rules. The IDs defined in `./rules/config/target_event_IDs.txt` will be scanned by default. If you want to scan all events, please use the `-D, --deep-scan` option. diff --git a/rules b/rules index 7be684d20..cf1ea8fd0 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 7be684d206203683fa190f23158a78079f310925 +Subproject commit cf1ea8fd0dd1ed3d09ac2961980350635911e53c