diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 28c1468c8..2b5264236 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -4,7 +4,7 @@ **新機能:** -- HTMLレポート機能 (`-H, --html-report`)の追加。 (#689) (@hitenkoku) +- HTMLレポート機能 (`-H, --html-report`)の追加。 (#689) (@hitenkoku, @nishikawaakira) **改善:** @@ -17,6 +17,7 @@ - メトリクスオプションとログオン情報オプションに対してcsv出力機能(`-o --output`)を追加した。 (#707) (@hitenkoku) - メトリクスオプションの出力を検出回数と全体の割合が1つのセルで表示されていた箇所を2つの列に分けた。 (#707) (@hitenkoku) - メトリクスオプションとログオン情報の画面出力に利用していたprettytable-rsクレートをcomfy_tableクレートに修正した. (#707) (@hitenkoku) +- HTMLレポート内にfavicon.pngを追加した。 (#722) (@hitenkoku) ## v1.6.0 [2022/09/16] diff --git a/CHANGELOG.md b/CHANGELOG.md index 97716bf9d..0dc700d05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,20 +4,21 @@ **New Features:** -- Added html summary output. (`-H, --html-report` option) (#689) (@hitenkoku) +- Added a HTML summary report output option (`-H, --html-report`). (#689) (@hitenkoku, @nishikawaakira) **Enhancements:** - Changed Event ID Statistics option to Event ID Metrics option. (`-s, --statistics` -> `-M, --metrics`) (#706) (@hitenkoku) (Note: `statistics_event_info.txt` was changed to `event_id_info.txt`.) -- Display new version of Hayabusa link when updating if there is a newer version. (#710) (@hitenkoku) +- Display new version of Hayabusa link when updating rules if there is a newer version. (#710) (@hitenkoku) - Added logo in HTML summary output. (#714) (@hitenkoku) -- Unified output one table of -M or -L option with -d option. (#707) (@hitenkoku) +- Unified output to one table when using `-M` or `-L` with the `-d` option. (#707) (@hitenkoku) - Added Channel column to metrics output. (#707) (@hitenkoku) -- Removed First Timestamp and Last Timestamp of -M and -L option with -d option. (#707) (@hitenkoku) -- Added csv output option(`-o --output`) when -M and -L option is used. (#707) (@hitenkoku) +- Removed First Timestamp and Last Timestamp of `-M` and `-L` option with the `-d` option. (#707) (@hitenkoku) +- Added csv output option(`-o --output`) when `-M` or `-L` option is used. (#707) (@hitenkoku) - Separated Count and Percent columns in metric output. (#707) (@hitenkoku) -- Changed output table format of metric option and logon information crate from prettytable-rs to comfy_table. (#707) (@hitenkoku) +- Changed output table format of the metric option and logon information crate from prettytable-rs to comfy_table. (#707) (@hitenkoku) +- Added favicon.png in HTML summary output. (#722) (@hitenkoku) ## v1.6.0 [2022/09/16] diff --git a/Cargo.lock b/Cargo.lock index ccbf9f918..bbb0e316d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -244,14 +244,14 @@ dependencies = [ [[package]] name = "console" -version = "0.15.1" +version = "0.15.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89eab4d20ce20cea182308bca13088fecea9c05f6776cf287205d41a0ed3c847" +checksum = "c050367d967ced717c04b65d8c619d863ef9292ce0c5760028655a2fb298718c" dependencies = [ "encode_unicode", + "lazy_static", "libc", - "once_cell", - "terminal_size", + "terminal_size 0.1.17", "unicode-width", "winapi", ] @@ -513,6 +513,27 @@ dependencies = [ "termcolor", ] +[[package]] +name = "errno" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f639046355ee4f37944e44f60642c6f3a7efa3cf6b78c78a0d989a8ce6c396a1" +dependencies = [ + "errno-dragonfly", + "libc", + "winapi", +] + +[[package]] +name = "errno-dragonfly" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa68f1b12764fab894d2755d2518754e71b4fd80ecfb822714a1206c2aab39bf" +dependencies = [ + "cc", + "libc", +] + [[package]] name = "error-chain" version = "0.12.4" @@ -725,7 +746,7 @@ dependencies = [ [[package]] name = "hayabusa" -version = "1.7.0-dev" +version = "1.7.0" dependencies = [ "base64", "bytesize", @@ -764,7 +785,7 @@ dependencies = [ "serde_json", "static_vcruntime", "termcolor", - "terminal_size", + "terminal_size 0.2.1", "tokio", "yaml-rust", ] @@ -934,6 +955,12 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "io-lifetimes" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ea37f355c05dde75b84bba2d767906ad522e97cd9e2eef2be7a4ab7fb442c06" + [[package]] name = "ipnet" version = "2.5.0" @@ -1025,7 +1052,7 @@ dependencies = [ "rayon", "regex", "tempfile", - "terminal_size", + "terminal_size 0.1.17", ] [[package]] @@ -1086,6 +1113,12 @@ version = "0.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0717cef1bc8b636c6e1c1bbdefc09e6322da8a9321966e8928ef80d20f7f770f" +[[package]] +name = "linux-raw-sys" +version = "0.0.46" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4d2456c373231a208ad294c33dc5bff30051eafd954cd4caae83a712b12854d" + [[package]] name = "lock_api" version = "0.4.9" @@ -1247,9 +1280,9 @@ checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1" [[package]] name = "openssl" -version = "0.10.41" +version = "0.10.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "618febf65336490dfcf20b73f885f5651a0c89c64c2d4a8c3662585a70bf5bd0" +checksum = "12fc0523e3bd51a692c8850d075d74dc062ccf251c0110668cbd921917118a13" dependencies = [ "bitflags", "cfg-if", @@ -1288,9 +1321,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.75" +version = "0.9.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5f9bd0c2710541a3cda73d6f9ac4f1b240de4ae261065d309dbe73d9dceb42f" +checksum = "5230151e44c0f05157effb743e8d517472843121cf9243e8b81393edb5acd9ce" dependencies = [ "autocfg", "cc", @@ -1403,9 +1436,9 @@ checksum = "dbf0c48bc1d91375ae5c3cd81e3722dff1abcf81a30960240640d223f59fe0e5" [[package]] name = "proc-macro2" -version = "1.0.43" +version = "1.0.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a2ca2c61bc9f3d74d2886294ab7b9853abd9c1ad903a3ac7815c58989bb7bab" +checksum = "3edcd08cf4fea98d1ae6c9ddd3b8ccb1acac7c3693d62625969a7daa04a2ae36" dependencies = [ "unicode-ident", ] @@ -1607,6 +1640,20 @@ dependencies = [ "semver 0.9.0", ] +[[package]] +name = "rustix" +version = "0.35.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fbb2fda4666def1433b1b05431ab402e42a1084285477222b72d6c564c417cef" +dependencies = [ + "bitflags", + "errno", + "io-lifetimes", + "libc", + "linux-raw-sys", + "windows-sys", +] + [[package]] name = "rustversion" version = "1.0.9" @@ -1921,9 +1968,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.100" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "52205623b1b0f064a4e71182c3b18ae902267282930c6d5462c91b859668426e" +checksum = "e90cde112c4b9690b8cbe810cba9ddd8bc1d7472e2cae317b69e9438c1cba7d2" dependencies = [ "proc-macro2", "quote", @@ -1963,6 +2010,16 @@ dependencies = [ "winapi", ] +[[package]] +name = "terminal_size" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8440c860cf79def6164e4a0a983bcc2305d82419177a0e0c71930d049e3ac5a1" +dependencies = [ + "rustix", + "windows-sys", +] + [[package]] name = "textwrap" version = "0.15.1" @@ -1971,18 +2028,18 @@ checksum = "949517c0cf1bf4ee812e2e07e08ab448e3ae0d23472aee8a06c985f0c8815b16" [[package]] name = "thiserror" -version = "1.0.35" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c53f98874615aea268107765aa1ed8f6116782501d18e53d08b471733bea6c85" +checksum = "10deb33631e3c9018b9baf9dcbbc4f737320d2b576bac10f6aefa048fa407e3e" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.35" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8b463991b4eab2d801e724172285ec4195c650e8ec79b149e6c2a8e6dd3f783" +checksum = "982d17546b47146b28f7c22e3d08465f6b8903d0ea13c1660d9d84a6e7adcdbb" dependencies = [ "proc-macro2", "quote", @@ -2073,9 +2130,9 @@ checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" [[package]] name = "tokio" -version = "1.21.1" +version = "1.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0020c875007ad96677dcc890298f4b942882c5d4eb7cc8f439fc3bf813dc9c95" +checksum = "a9e03c497dc955702ba729190dc4aac6f2a0ce97f913e5b1b5912fc5039d9099" dependencies = [ "autocfg", "bytes", @@ -2083,7 +2140,6 @@ dependencies = [ "memchr", "mio", "num_cpus", - "once_cell", "parking_lot", "pin-project-lite", "signal-hook-registry", diff --git a/Cargo.toml b/Cargo.toml index 48db1b778..0df35519c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hayabusa" -version = "1.7.0-dev" +version = "1.7.0" authors = ["Yamato Security @SecurityYamato"] edition = "2021" diff --git a/README-1.6.0-Japanese.pdf b/README-1.7.0-Japanese.pdf similarity index 85% rename from README-1.6.0-Japanese.pdf rename to README-1.7.0-Japanese.pdf index 1df027d52..97e6f7f32 100644 Binary files a/README-1.6.0-Japanese.pdf and b/README-1.7.0-Japanese.pdf differ diff --git a/README-1.6.0.pdf b/README-1.7.0.pdf similarity index 83% rename from README-1.6.0.pdf rename to README-1.7.0.pdf index d6be240a2..30397b8f3 100644 Binary files a/README-1.6.0.pdf and b/README-1.7.0.pdf differ diff --git a/README-Japanese.md b/README-Japanese.md index 7afb8aeb4..47fd2e1a4 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -41,6 +41,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/) - [Criticalアラートのフィルタリングとコンピュータごとのグルーピング](#criticalアラートのフィルタリングとコンピュータごとのグルーピング) - [Elastic Stackダッシュボードでの解析](#elastic-stackダッシュボードでの解析) - [Timesketchでの解析](#timesketchでの解析) + - [HTMLの結果サマリ](#htmlの結果サマリ) - [タイムラインのサンプル結果](#タイムラインのサンプル結果) - [特徴&機能](#特徴機能) - [ダウンロード](#ダウンロード) @@ -159,6 +160,10 @@ Hayabusaは従来のWindowsイベントログ分析解析と比較して、分 ![Timesketch](screenshots/TimesketchAnalysis.png) +## HTMLの結果サマリ + +![HTMLResultsSummary](screenshots/HTML-ResultsSummary.png) + # タイムラインのサンプル結果 CSVのタイムライン結果のサンプルは[こちら](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results)で確認できます。 @@ -207,7 +212,7 @@ git clone https://github.com/Yamato-Security/hayabusa.git --recursive `git pull --recurse-submodules`コマンド、もしくは以下のコマンドで`rules`フォルダを同期し、Hayabusaの最新のルールを更新することができます: ```bash -hayabusa-1.6.0-win-x64.exe -u +hayabusa-1.7.0-win-x64.exe -u ``` アップデートが失敗した場合は、`rules`フォルダの名前を変更してから、もう一回アップデートしてみて下さい。 @@ -312,20 +317,20 @@ Windows PC起動後の初回実行時に時間がかかる場合があります コマンドプロンプトやWindows Terminalから32ビットもしくは64ビットのWindowsバイナリをHayabusaのルートディレクトリから実行します。 -例: `hayabusa-1.6.0-windows-x64.exe` +例: `hayabusa-1.7.0-windows-x64.exe` ## Linux まず、バイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.6.0-linux-x64-gnu +chmod +x ./hayabusa-1.7.0-linux-x64-gnu ``` 次に、Hayabusaのルートディレクトリから実行します: ```bash -./hayabusa-1.6.0-linux-x64-gnu +./hayabusa-1.7.0-linux-x64-gnu ``` ## macOS @@ -333,13 +338,13 @@ chmod +x ./hayabusa-1.6.0-linux-x64-gnu まず、ターミナルやiTerm2からバイナリに実行権限を与える必要があります。 ```bash -chmod +x ./hayabusa-1.6.0-mac-intel +chmod +x ./hayabusa-1.7.0-mac-intel ``` 次に、Hayabusaのルートディレクトリから実行してみてください: ```bash -./hayabusa-1.6.0-mac-intel +./hayabusa-1.7.0-mac-intel ``` macOSの最新版では、以下のセキュリティ警告が出る可能性があります: @@ -353,7 +358,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き その後、ターミナルからもう一回実行してみてください: ```bash -./hayabusa-1.6.0-mac-intel +./hayabusa-1.7.0-mac-intel ``` 以下の警告が出るので、「開く」をクリックしてください。 @@ -438,91 +443,91 @@ TIME-FORMAT: * 1つのWindowsイベントログファイルに対してHayabusaを実行する: ```bash -hayabusa-1.6.0-win-x64.exe -f eventlog.evtx +hayabusa-1.7.0-win-x64.exe -f eventlog.evtx ``` * `verbose`プロファイルで複数のWindowsイベントログファイルのあるsample-evtxディレクトリに対して、Hayabusaを実行する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * 全てのフィールド情報も含めて1つのCSVファイルにエクスポートして、Excel、Timeline Explorer、Elastic Stack等でさらに分析することができる(注意: `verbose-details-and-all-field-info`プロファイルを使すると、出力するファイルのサイズがとても大きくなる!): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info ``` * タイムラインをJSON形式で保存する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j ``` * Hayabusaルールのみを実行する(デフォルトでは`-r .\rules`にあるすべてのルールが利用される): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Windowsでデフォルトで有効になっているログに対してのみ、Hayabusaルールを実行する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Sysmonログに対してのみHayabusaルールを実行する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Sigmaルールのみを実行する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * 廃棄(deprecated)されたルール(`status`が`deprecated`になっているルール)とノイジールール(`.\rules\config\noisy_rules.txt`にルールIDが書かれているルール)を有効にする: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-deprecated-rules --enable-noisy-rules -o results.csv ``` * ログオン情報を分析するルールのみを実行し、UTCタイムゾーンで出力する: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * 起動中のWindows端末上で実行し(Administrator権限が必要)、アラート(悪意のある可能性のある動作)のみを検知する: ```bash -hayabusa-1.6.0-win-x64.exe -l -m low +hayabusa-1.7.0-win-x64.exe -l -m low ``` * criticalレベルのアラートからピボットキーワードの一覧を作成する(結果は結果毎に`keywords-Ip Address.txt`や`keywords-Users.txt`等に出力される): ```bash -hayabusa-1.6.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.7.0-win-x64.exe -l -m critical -p -o keywords ``` * イベントIDの統計情報を出力する: ```bash -hayabusa-1.6.0-win-x64.exe -f Security.evtx -M +hayabusa-1.7.0-win-x64.exe -f Security.evtx -M ``` * ログオンサマリを出力する: ```bash -hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M +hayabusa-1.7.0-win-x64.exe -L -f Security.evtx -M ``` * 詳細なメッセージを出力する(処理に時間がかかるファイル、パースエラー等を特定するのに便利): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose出力の例: @@ -543,7 +548,7 @@ Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_ * 結果を[Timesketch](https://timesketch.org/)にインポートできるCSV形式に保存する: ```bash -hayabusa-1.6.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U +hayabusa-1.7.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U ``` * エラーログの出力をさせないようにする: @@ -855,7 +860,7 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され ## 検知レベルのlevelチューニング Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。 -ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.6.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 +ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa-1.7.0-win-x64.exe --level-tuning`を実行することでルールファイルが書き換えられます。 ルールファイルが直接書き換えられることに注意して使用してください。 `./rules/config/level_tuning.txt`の例: @@ -904,7 +909,9 @@ id,new_level # Windowsイベントログ設定のススメ Windows機での悪性な活動を検知する為には、デフォルトのログ設定を改善することが必要です。 -以下のサイトを閲覧することをおすすめします。: +どのようなログ設定を有効にする必要があるのか、また、自動的に適切な設定を有効にするためのスクリプトを、別のプロジェクトとして作成しました: [https://github.com/Yamato-Security/EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings) + +以下のサイトを閲覧することもおすすめします。: * [JSCU-NL (Joint Sigint Cyber Unit Netherlands) Logging Essentials](https://github.com/JSCU-NL/logging-essentials) * [ACSC (Australian Cyber Security Centre) Logging and Fowarding Guide](https://www.cyber.gov.au/acsc/view-all-content/publications/windows-event-logging-and-forwarding) * [Malware Archaeology Cheat Sheets](https://www.malwarearchaeology.com/cheat-sheets) diff --git a/README.md b/README.md index e44eea5df..bce1b63b3 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre - [Critical Alert Filtering and Computer Grouping in Timeline Explorer](#critical-alert-filtering-and-computer-grouping-in-timeline-explorer) - [Analysis with the Elastic Stack Dashboard](#analysis-with-the-elastic-stack-dashboard) - [Analysis in Timesketch](#analysis-in-timesketch) + - [HTML Results Summary](#html-results-summary) - [Analyzing Sample Timeline Results](#analyzing-sample-timeline-results) - [Features](#features) - [Downloads](#downloads) @@ -151,6 +152,10 @@ Hayabusa hopes to let analysts get 80% of their work done in 20% of the time whe ![Timesketch](screenshots/TimesketchAnalysis.png) +## HTML Results Summary + +![HTMLResultsSummary](screenshots/HTML-ResultsSummary.png) + # Analyzing Sample Timeline Results You can check out a sample CSV timeline [here](https://github.com/Yamato-Security/hayabusa/tree/main/sample-results). @@ -199,7 +204,7 @@ Note: If you forget to use --recursive option, the `rules` folder, which is mana You can sync the `rules` folder and get latest Hayabusa rules with `git pull --recurse-submodules` or use the following command: ```bash -hayabusa-1.6.0-win-x64.exe -u +hayabusa-1.7.0-win-x64.exe -u ``` If the update fails, you may need to rename the `rules` folder and try again. @@ -304,20 +309,20 @@ You may experience slow runtime especially on the first run after a reboot due t In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary. -Example: `hayabusa-1.6.0-windows-x64.exe` +Example: `hayabusa-1.7.0-windows-x64.exe` ## Linux You first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.6.0-linux-x64-gnu +chmod +x ./hayabusa-1.7.0-linux-x64-gnu ``` Then run it from the Hayabusa root directory: ```bash -./hayabusa-1.6.0-linux-x64-gnu +./hayabusa-1.7.0-linux-x64-gnu ``` ## macOS @@ -325,13 +330,13 @@ Then run it from the Hayabusa root directory: From Terminal or iTerm2, you first need to make the binary executable. ```bash -chmod +x ./hayabusa-1.6.0-mac-intel +chmod +x ./hayabusa-1.7.0-mac-intel ``` Then, try to run it from the Hayabusa root directory: ```bash -./hayabusa-1.6.0-mac-intel +./hayabusa-1.7.0-mac-intel ``` On the latest version of macOS, you may receive the following security error when you try to run it: @@ -345,7 +350,7 @@ Click "Cancel" and then from System Preferences, open "Security & Privacy" and f After that, try to run it again. ```bash -./hayabusa-1.6.0-mac-intel +./hayabusa-1.7.0-mac-intel ``` The following warning will pop up, so please click "Open". @@ -429,91 +434,91 @@ TIME-FORMAT: * Run hayabusa against one Windows event log file with default standard profile: ```bash -hayabusa-1.6.0-win-x64.exe -f eventlog.evtx +hayabusa-1.7.0-win-x64.exe -f eventlog.evtx ``` * Run hayabusa against the sample-evtx directory with multiple Windows event log files with the verbose profile: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -P verbose ``` * Export to a single CSV file for further analysis with excel, timeline explorer, elastic stack, etc... and include all field information (Warning: your file output size will become much larger with the `verbose-details-and-all-field-info` profile!): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info ``` * Save the timline in JSON format: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -o results.json -j ``` * Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv ``` * Only run hayabusa rules for logs that are enabled by default on Windows: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv ``` * Only run hayabusa rules for sysmon logs: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv ``` * Only run sigma rules: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv ``` * Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv ``` * Only run rules to analyze logons and output in the UTC timezone: ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv ``` * Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): ```bash -hayabusa-1.6.0-win-x64.exe -l -m low +hayabusa-1.7.0-win-x64.exe -l -m low ``` * Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc...): ```bash -hayabusa-1.6.0-win-x64.exe -l -m critical -p -o keywords +hayabusa-1.7.0-win-x64.exe -l -m critical -p -o keywords ``` * Print Event ID metrics: ```bash -hayabusa-1.6.0-win-x64.exe -f Security.evtx -M +hayabusa-1.7.0-win-x64.exe -f Security.evtx -M ``` * Print logon summary: ```bash -hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M +hayabusa-1.7.0-win-x64.exe -L -f Security.evtx -M ``` * Print verbose information (useful for determining which files take long to process, parsing errors, etc...): ```bash -hayabusa-1.6.0-win-x64.exe -d .\hayabusa-sample-evtx -v +hayabusa-1.7.0-win-x64.exe -d .\hayabusa-sample-evtx -v ``` * Verbose output example: @@ -534,7 +539,7 @@ Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_ * Output to a CSV format compatible to import into [Timesketch](https://timesketch.org/): ```bash -hayabusa-1.6.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U +hayabusa-1.7.0-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U ``` * Quiet error mode: @@ -846,7 +851,7 @@ You can also add a rule ID to `./rules/config/noisy_rules.txt` in order to ignor Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments. -You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.6.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. +You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa-1.7.0-win-x64.exe --level-tuning` which will update the `level` line in the rule file. Please note that the rule file will be updated directly. `./rules/config/level_tuning.txt` sample line: @@ -895,7 +900,10 @@ There is no "one tool to rule them all" and we have found that each has its own # Windows Logging Recommendations -In order to properly detect malicious activity on Windows machines, you will need to improve the default log settings. We recommend the following sites for guidance: +In order to properly detect malicious activity on Windows machines, you will need to improve the default log settings. +We have created a seperate project to document what log settings need to be enabled as well as scripts to automatically enable the proper settings at [https://github.com/Yamato-Security/EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings). + +We also recommend the following sites for guidance: * [JSCU-NL (Joint Sigint Cyber Unit Netherlands) Logging Essentials](https://github.com/JSCU-NL/logging-essentials) * [ACSC (Australian Cyber Security Centre) Logging and Fowarding Guide](https://www.cyber.gov.au/acsc/view-all-content/publications/windows-event-logging-and-forwarding) * [Malware Archaeology Cheat Sheets](https://www.malwarearchaeology.com/cheat-sheets) diff --git a/config/html_report/favicon.png b/config/html_report/favicon.png new file mode 100644 index 000000000..0451346ec Binary files /dev/null and b/config/html_report/favicon.png differ diff --git a/rules b/rules index aaf910cdc..428abf7ca 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit aaf910cdcaca32e89b0f81b0af4e180228d21eb6 +Subproject commit 428abf7caa12a5170582b09342924e382bd333a0 diff --git a/screenshots/HTML-ResultsSummary.png b/screenshots/HTML-ResultsSummary.png new file mode 100644 index 000000000..ee0f6a4e6 Binary files /dev/null and b/screenshots/HTML-ResultsSummary.png differ