Hayabusa is a tool from the Japanese Yamato Security group for quickly building a timeline from Windows event logs and hunting for threats with Sigma-compatible rules (not YARA), either live on a host or against previously collected event logs. Hayabusa is written in Rust and is multi-threaded. Its Sigma-compatible detection rules are written in YML so that they are as easy as possible to tune and extend. Hayabusa can be run on individual live systems for real-time analysis, against logs collected from one or more systems for offline analysis, or as the Hayabusa artifact in Velociraptor for enterprise-wide threat hunting and incident response. The results are consolidated into a single CSV timeline for easy analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, etc.
* Cross-platform support: Windows, Linux, macOS.
* Developed in Rust to be memory safe and fast.
* Multi-thread support delivering up to a 5x speed improvement.
* Creates single easy-to-analyze timelines for forensic investigations and incident response.
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules.
* Sigma rule support to convert sigma rules to hayabusa rules.
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as |equalsfield and |endswithfield.
* Computer metrics. (Useful for filtering on/out certain computers with a large amount of events.)
* Event ID metrics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Rule tuning configuration by excluding unneeded or noisy rules.
* MITRE ATT&CK mapping of tactics.
* Rule level tuning.
* Create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc... as well as correlate events.
* Output all fields for more thorough investigations.
* Successful and failed logon summary.
* Enterprise-wide threat hunting and DFIR on all endpoints with Velociraptor.
* Output to CSV, JSON/JSONL and HTML Summary Reports.
* Daily Sigma rule updates.
* Support for JSON-formatted log input.
* Log field normalization. (Converting multiple fields with different naming conventions into the same field name.)
* Log enrichment by adding GeoIP (ASN, city, country) information to IP addresses.
* Search all events for keywords or regular expressions.
* Field data mapping. (Ex: 0xc0000234 -> ACCOUNT LOCKED)
* Evtx record carving from evtx slack space.
* Event de-duplication when outputting. (Useful when record recovery is enabled or when you include backed-up evtx files, evtx files from VSS, etc...)
* Scan setting wizard to help choose which rules to enable easier. (In order to reduce false positives, etc...)
* PowerShell classic log field parsing and extraction.
Releases: https://github.com/Yamato-Security/hayabusa/releases/

* Windows (ARM64 build; the commands below use the x64 build, hayabusa-2.14.0-win-x64.exe): <https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-win-aarch64.zip>
* Linux: hayabusa-2.14.0-linux-intel.zip / <https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-linux.zip> (if OpenSSL is missing: `sudo apt install libssl-dev`)
* macOS: <https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-mac.zip> (prerequisites: `brew install pkg-config` and `brew install openssl`)
Update the rule set first, then scan a folder of collected evtx files. In Hayabusa 2.x a command such as `csv-timeline` is required (the same one used further below); `-p`/`--profile` takes an output profile name (`standard` is the default) and `-G`/`--GeoIP` takes the directory holding the MaxMind GeoLite2 ASN/City/Country .mmdb files, which must be downloaded separately. Contributors are printed by the separate `list-contributors` command, not by a scan flag.

Windows (x64):
.\hayabusa-2.14.0-win-x64.exe update-rules
.\hayabusa-2.14.0-win-x64.exe csv-timeline -d FOLDER -Q -V -L -T -s --European-time -p standard -G MAXMIND_DB_DIR -H Report.html -o Report.csv

Linux (x64):
chmod +x ./hayabusa-2.14.0-lin-x64-gnu
./hayabusa-2.14.0-lin-x64-gnu update-rules
./hayabusa-2.14.0-lin-x64-gnu csv-timeline -d FOLDER -Q -V -L -T -s --European-time -p standard -G MAXMIND_DB_DIR -H Report.html -o Report.csv

macOS (Apple Silicon):
chmod +x ./hayabusa-2.14.0-mac-aarch64
./hayabusa-2.14.0-mac-aarch64 update-rules
./hayabusa-2.14.0-mac-aarch64 csv-timeline -d FOLDER -Q -V -L -T -s --European-time -p standard -G MAXMIND_DB_DIR -H Report.html -o Report.csv
Offline analysis of a collected evtx folder (`-d`): a logon summary and a CSV timeline.
.\hayabusa-2.14.0-win-x64.exe logon-summary -d /FORENSICS/INCIDENTS/v_SRV5178_29022024_141835/CollectedData -o LogonSummary.csv
.\hayabusa-2.14.0-win-x64.exe csv-timeline -d /FORENSICS/INCIDENTS/v_SRV5178_29022024_141835/CollectedData -o csv-timeline.csv
The scan wizard of `csv-timeline` then asks which rules to load (answers from this run):
✔ Which set of detection rules would you like to load? · 5. Core++ (3731 rules) ( status: experimental, test, stable | level: medium, high, critical )
✔ Include Emerging Threats rules? (339 rules) · yes
✔ Include Threat Hunting rules? (62 rules) · yes
✔ Include sysmon rules? (1865 rules) · yes
Live analysis on the host itself (`-l`); run from an elevated (Administrator) prompt, otherwise the Security log cannot be read.
.\hayabusa-2.14.0-win-x64.exe logon-summary -l -o logon-summary.csv
.\hayabusa-2.14.0-win-x64.exe csv-timeline -l -o csv-timeline.csv
The result is a set of CSV files that then have to be analyzed.
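The CSV timeline still has to be read. The script below is an added example, not code from the Hayabusa project: it loads a `csv-timeline` CSV and prints the usual first pass (events per level, noisiest rules, hosts, a high/critical shortlist in time order, and a pivot on a `Details` field such as the source IP of failed logons). It assumes the column names of Hayabusa's default `standard` output profile, timestamps in the default or `--European-time` format, and `Details` items separated by " ¦ "; `SAMPLE_CSV` is constructed data so it runs offline.

```python
"""First-pass triage of a Hayabusa csv-timeline CSV.

Added example, not code from the Hayabusa project. Assumptions: the CSV
uses the column names of Hayabusa's default "standard" output profile
(Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details,
ExtraFieldInfo), timestamps are in the default or --European-time format,
and Details items are separated by " ¦ ". SAMPLE_CSV is constructed data.
"""
import csv
import io
import sys
from collections import Counter
from datetime import datetime

REQUIRED = ("Timestamp", "Computer", "Channel", "EventID", "Level",
            "RuleTitle", "Details")
# Hayabusa abbreviates some levels in its output (crit, med); accept both.
LEVELS = {"info": "info", "informational": "info", "low": "low",
          "med": "medium", "medium": "medium", "high": "high",
          "crit": "critical", "critical": "critical"}
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f %z",   # default output format
              "%d-%m-%Y %H:%M:%S.%f %z")   # --European-time

# Constructed sample rows (not real data), in --European-time format.
SAMPLE_CSV = """\
Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details,ExtraFieldInfo
29-02-2024 13:58:12.114 +03:00,SRV5178,Sec,4624,info,Logon (Network),Type: 3 ¦ User: svc_backup ¦ SrcIP: 10.0.0.5,-
29-02-2024 14:01:03.220 +03:00,SRV5178,Sec,4625,med,Logon Failure (Bad Password),User: administrator ¦ SrcIP: 10.0.0.77,-
29-02-2024 14:01:04.001 +03:00,SRV5178,Sec,4625,med,Logon Failure (Bad Password),User: administrator ¦ SrcIP: 10.0.0.77,-
29-02-2024 14:02:40.555 +03:00,SRV5178,Sysmon,1,high,Suspicious Encoded PowerShell Command Line,Cmdline: powershell -enc SQBFAFgA,-
29-02-2024 14:03:10.000 +03:00,SRV5178,Sec,4732,crit,User Added to Local Administrators,User: backupadm,-
29-02-2024 14:05:00.000 +03:00,WS0042,Sysmon,1,low,Whoami Execution,Cmdline: whoami /all,-
"""


def parse_ts(text):
    """Parse a Hayabusa timestamp in either supported layout."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def load_timeline(csv_text):
    """Parse csv-timeline output; adds typed 'ts' and normalised 'level'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        missing = [c for c in REQUIRED if c not in rec]
        if missing:  # a different -p profile was used; refuse rather than guess
            raise ValueError(f"unexpected profile, missing columns {missing}")
        rec["ts"] = parse_ts(rec["Timestamp"])
        rec["level"] = LEVELS.get(rec["Level"].strip().lower(), "info")
        rows.append(rec)
    return rows


def details_field(row, key):
    """Pull one 'Key: value' item out of the ' ¦ '-separated Details column."""
    for item in row["Details"].split(" ¦ "):
        name, sep, value = item.partition(": ")
        if sep and name.strip() == key:
            return value.strip()
    return None


def level_counts(rows):
    return Counter(r["level"] for r in rows)


def top_rules(rows, n=10):
    return Counter(r["RuleTitle"] for r in rows).most_common(n)


def shortlist(rows, min_level="high"):
    """Events at or above min_level, oldest first: what to read first."""
    floor = RANK[min_level]
    return sorted((r for r in rows if RANK[r["level"]] >= floor),
                  key=lambda r: r["ts"])


def pivot(rows, key, event_id=None):
    """Count distinct values of a Details field, optionally for one EventID."""
    counts = Counter()
    for r in rows:
        if event_id is not None and r["EventID"] != str(event_id):
            continue
        value = details_field(r, key)
        if value:
            counts[value] += 1
    return counts


def main(path=None):
    text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CSV
    rows = load_timeline(text)
    print("events by level:", dict(level_counts(rows)))
    print("noisiest rules:", top_rules(rows, 5))
    print("hosts:", dict(Counter(r["Computer"] for r in rows)))
    print("failed-logon sources:", dict(pivot(rows, "SrcIP", 4625)))
    for r in shortlist(rows, "high"):
        print(r["ts"].isoformat(), r["Computer"], r["level"],
              r["RuleTitle"], "|", r["Details"])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python triage.py Report.csv` (or with no argument to see it on the constructed sample). The shortlist is deliberately sorted by time rather than by level: the low/medium events around a critical hit are usually the ones that explain it, and the pivot on `SrcIP` is the same idea as Hayabusa's own pivot-keywords output, applied to one field at a time.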