
Hayabusa

Info

Hayabusa is a tool for quickly building a timeline from Windows event logs and hunting threats with Sigma-compatible detection rules, either live on the host or against previously collected event log files. It was created by the Japanese group Yamato Security. Hayabusa is written in Rust and is multi-threaded. Its Sigma-compatible detection rules are written in YML so that they are as easy as possible to customize and extend. Hayabusa can be run on individual live systems for real-time analysis, on logs collected from one or more systems for offline analysis, or as the Hayabusa artifact alongside Velociraptor for enterprise-wide threat hunting and incident response. The results are consolidated into a single CSV timeline for easy analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, and so on.

GitHub - Yamato-Security/hayabusa: Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

Features

* Cross-platform support: Windows, Linux, macOS.
* Developed in Rust to be memory safe and fast.
* Multi-thread support delivering up to a 5x speed improvement.
* Creates single easy-to-analyze timelines for forensic investigations and incident response.
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules.
* Sigma rule support to convert sigma rules to hayabusa rules.
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as |equalsfield and |endswithfield.
* Computer metrics. (Useful for filtering on/out certain computers with a large amount of events.)
* Event ID metrics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Rule tuning configuration by excluding unneeded or noisy rules.
* MITRE ATT&CK mapping of tactics.
* Rule level tuning.
* Create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc... as well as correlate events.
* Output all fields for more thorough investigations.
* Successful and failed logon summary.
* Enterprise-wide threat hunting and DFIR on all endpoints with Velociraptor.
* Output to CSV, JSON/JSONL and HTML Summary Reports.
* Daily Sigma rule updates.
* Support for JSON-formatted log input.
* Log field normalization. (Converting multiple fields with different naming conventions into the same field name.)
* Log enrichment by adding GeoIP (ASN, city, country) information to IP addresses.
* Search all events for keywords or regular expressions.
* Field data mapping. (Ex: 0xc0000234 -> ACCOUNT LOCKED)
* Evtx record carving from evtx slack space.
* Event de-duplication when outputting. (Useful when record recovery is enabled or when you include backed up evtx files, evtx files from VSS, etc...)
* Scan setting wizard to help choose which rules to enable more easily. (In order to reduce false positives, etc...)
* PowerShell classic log field parsing and extraction.

Installation

https://github.com/Yamato-Security/hayabusa/releases/

Windows

hayabusa-2.14.0-win-x64.zip (x64 build; the commands below use this binary)

<https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-win-aarch64.zip> (ARM64 build)

Linux

hayabusa-2.14.0-linux-intel.zip

<https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-linux.zip>

#sudo apt install libssl-dev

MacOS (ARM)

hayabusa-2.14.0-mac-arm.zip

<https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-mac.zip>

#brew install pkg-config
#brew install openssl

Collect Data

Windows

.\hayabusa-2.14.0-win-x64.exe update-rules

.\hayabusa-2.14.0-win-x64.exe csv-timeline -d FOLDER -o Report.csv -H Report.html -p standard --European-time -Q -V

Hayabusa 2.x requires a subcommand (csv-timeline here; json-timeline, logon-summary and others exist), and options that take an argument must be given one: -p expects a profile name (minimal, standard, verbose, ...) and -G expects the directory containing the MaxMind GeoIP databases, so neither can be passed bare.

Linux

chmod +x ./hayabusa-2.14.0-lin-x64-gnu
./hayabusa-2.14.0-lin-x64-gnu update-rules

./hayabusa-2.14.0-lin-x64-gnu csv-timeline -d FOLDER -o Report.csv -H Report.html -p standard --European-time -Q -V

MacOS

chmod +x ./hayabusa-2.14.0-mac-aarch64
./hayabusa-2.14.0-mac-aarch64 update-rules

./hayabusa-2.14.0-mac-aarch64 csv-timeline -d FOLDER -o Report.csv -H Report.html -p standard --European-time -Q -V

Logon Summary

.\hayabusa-2.14.0-win-x64.exe logon-summary -d /FORENSICS/INCIDENTS/v_SRV5178_29022024_141835/CollectedData -o LogonSummary.csv

Analyze collected event logs

.\hayabusa-2.14.0-win-x64.exe csv-timeline -d /FORENSICS/INCIDENTS/v_SRV5178_29022024_141835/CollectedData -o csv-timeline.csv

Unless -w/--no-wizard is given, the scan-setting wizard asks which rule set to load; the answers used here were:

✔ Which set of detection rules would you like to load? · **5**. Core++ (3731 rules) ( status: experimental, test, stable | level: medium, high, critical )
✔ Include Emerging Threats rules? (339 rules) · yes
✔ Include Threat Hunting rules? (62 rules) · yes
✔ Include sysmon rules? (1865 rules) · yes

Analyze the live local event logs

-l reads C:\Windows\System32\winevt\Logs on the machine Hayabusa is running on, so run these from an elevated (Administrator) prompt:

.\hayabusa-2.14.0-win-x64.exe logon-summary -l -o logon-summary.csv
.\hayabusa-2.14.0-win-x64.exe csv-timeline -l -o csv-timeline.csv

The result is a set of CSV files that then need to be analyzed.
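As an added example of that analysis step (this is not Hayabusa's own code and was not part of the original page), the following Python script triages a csv-timeline export: severity histogram, most frequent rules, a pivot of a Details field (User, SrcIP, ...) across computers, failed-logon sources, and the time window of high/critical detections. It assumes the default `standard` output profile and the default timestamp format; the sample rows embedded in it are constructed for the example, and the function names are the example's own.

```python
"""Triage a Hayabusa csv-timeline export (added example, not Hayabusa's own code).

Assumes the default `standard` output profile (columns Timestamp, Computer, Channel,
EventID, Level, RuleTitle, Details, ExtraFieldInfo) and the default timestamp
format (YYYY-MM-DD HH:MM:SS.mmm +hh:mm), which sorts correctly as a plain string.
"""
import csv
import io
from collections import Counter, defaultdict

# Hayabusa's level names, lowest to highest.
LEVEL_RANK = {"info": 0, "low": 1, "med": 2, "high": 3, "crit": 4}

# Constructed sample rows in the `standard` profile layout: made up for this example,
# not real Hayabusa output. Details cells use Hayabusa's " ¦ " separator.
SAMPLE_CSV = r"""Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details,ExtraFieldInfo
2024-02-29 14:05:11.120 +01:00,SRV5178,Sec,4624,info,Logon (Network),Type: 3 ¦ TgtUser: svc_backup ¦ SrcIP: 10.0.0.5,
2024-02-29 14:06:02.004 +01:00,SRV5178,Sec,4625,med,Logon Failure (Wrong Password),TgtUser: administrator ¦ SrcIP: 10.0.0.77,
2024-02-29 14:06:03.110 +01:00,SRV5178,Sec,4625,med,Logon Failure (Wrong Password),TgtUser: administrator ¦ SrcIP: 10.0.0.77,
2024-02-29 14:07:40.500 +01:00,SRV5178,Sysmon,1,high,Suspicious Encoded PowerShell Command Line,Cmdline: powershell -enc SQBFAFgA ¦ Proc: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ¦ User: CORP\jdoe,
2024-02-29 14:08:12.330 +01:00,WS-0420,Sec,1102,crit,Security Event Log Cleared,User: CORP\jdoe,
2024-02-29 14:09:00.000 +01:00,WS-0420,Sysmon,3,low,Network Connection (Sysmon),Proto: tcp ¦ DstIP: 203.0.113.9 ¦ DstPort: 443 ¦ Proc: powershell.exe,
"""


def load_timeline(csv_text):
    """Parse CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_details(details):
    """Split a Details cell ('Key: value ¦ Key: value') into a dict."""
    fields = {}
    for chunk in details.split(" ¦ "):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def filter_min_level(rows, min_level):
    """Keep rows whose Level is at least min_level; unknown levels are dropped."""
    threshold = LEVEL_RANK[min_level]
    return [r for r in rows if LEVEL_RANK.get(r["Level"].lower(), -1) >= threshold]


def count_by_level(rows):
    """Severity histogram: the first thing to look at in a fresh export."""
    return dict(Counter(r["Level"] for r in rows))


def top_rules(rows, n=5, min_level="med"):
    """Most frequent rule titles at or above min_level, as (title, count) pairs."""
    return Counter(r["RuleTitle"] for r in filter_min_level(rows, min_level)).most_common(n)


def pivot_field(rows, field, min_level="med"):
    """Map each value of a Details field (User, SrcIP, ...) to the sorted computers it
    appeared on at min_level or above; one account on many hosts is a lateral-movement lead."""
    hosts = defaultdict(set)
    for r in filter_min_level(rows, min_level):
        value = parse_details(r["Details"]).get(field)
        if value:
            hosts[value].add(r["Computer"])
    return {value: sorted(h) for value, h in hosts.items()}


def failed_logons_by_source(rows):
    """Count 4625 (failed logon) events per (SrcIP, TgtUser) to spot password guessing."""
    counts = Counter()
    for r in rows:
        if r["EventID"] == "4625":
            d = parse_details(r["Details"])
            counts[(d.get("SrcIP", "?"), d.get("TgtUser", "?"))] += 1
    return dict(counts)


def detection_window(rows, min_level="high"):
    """(first, last) timestamp of detections at or above min_level, or None if none."""
    stamps = sorted(r["Timestamp"] for r in filter_min_level(rows, min_level))
    return (stamps[0], stamps[-1]) if stamps else None


if __name__ == "__main__":
    import sys
    # Usage: python triage.py Report.csv  (with no argument the constructed sample is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as f:
            text = f.read()
    else:
        text = SAMPLE_CSV
    rows = load_timeline(text)
    print("events by level  :", count_by_level(rows))
    print("top rules (med+) :", top_rules(rows))
    print("users on hosts   :", pivot_field(rows, "User", "high"))
    print("failed logons    :", failed_logons_by_source(rows))
    print("high+ window     :", detection_window(rows))
```

If the timeline was produced with --European-time, as in the commands above, the Timestamp column is day-first and does not sort as a string, so detection_window would be wrong; generate the export in the default format (or with --ISO-8601) when it is going to be post-processed, and keep --European-time for the copy that people read.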