-
Notifications
You must be signed in to change notification settings - Fork 0
/
Windows.EventLogs.Hayabusa.yaml
executable file
·113 lines (97 loc) · 3.41 KB
/
Windows.EventLogs.Hayabusa.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
name: Windows.EventLogs.Hayabusa
description: |
[Hayabusa](https://github.com/Yamato-Security/hayabusa) is a
Windows event log fast forensics timeline generator and threat
hunting tool.
This artifact runs Hayabusa on the endpoint against the specified
Windows event log directory, and generates and uploads a single CSV
file for further analysis with excel, timeline explorer, elastic
stack, etc.
author: Eric Capuano - @eric_capuano, Whitney Champion - @shortxstack, Zach Mathis - @yamatosecurity
tools:
- name: Hayabusa-2.9.0
url: https://github.com/Yamato-Security/hayabusa/releases/download/v2.9.0/hayabusa-2.9.0-win-64-bit.zip
expected_hash: 870a6d07ea2a4ba82d19a98b4e656269ef88ebc7286ad8607bbeaaace4a84d44
version: 2.9.0
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: UTC
description: "Output time in UTC format"
type: bool
default: Y
- name: UpdateRules
description: "Update rules before scanning"
type: bool
default: Y
- name: NoisyRules
description: "Enable rules marked as noisy"
type: bool
default: N
- name: OutputProfile
description: "Decide how much data you want back"
default: standard
type: choices
choices:
- minimal
- standard
- verbose
- all-field-info
- all-field-info-verbose
- super-verbose
- timesketch-minimal
- timesketch-verbose
- name: EIDFilter
description: "Scan only common Event IDs for quicker scans"
type: bool
default: N
- name: MinimalLevel
description: "Minimum level for rules"
default: informational
type: choices
choices:
- informational
- low
- medium
- high
- critical
- name: Threads
description: "Number of threads"
type: int
default: 2
sources:
- name: Upload
query: |
-- Fetch the binary
LET Toolzip <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="Hayabusa-2.9.0", IsExecutable=FALSE)
LET TmpDir <= tempdir()
-- Unzip the binary
LET _ <= SELECT *
FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
LET HayabusaExe <= TmpDir + '\\hayabusa-2.9.0-win-x64.exe'
-- Optionally update the rules
LET _ <= if(condition=UpdateRules, then={
SELECT * FROM execve(argv=['cmd.exe', '/c', 'cd', TmpDir, '&', HayabusaExe, 'update-rules']) })
LET CSVFile <= TmpDir + '\\hayabusa_results.csv'
-- Build the command line considering all options
LET cmdline <= filter(list=(
HayabusaExe, "csv-timeline", "--live-analysis",
"--output", CSVFile,
"--min-level", MinimalLevel,
"--profile", OutputProfile,
"--quiet", "--no-summary",
"--threads", str(str=Threads),
"--RFC-3339",
if(condition=NoisyRules, then="--enable-noisy-rules"),
if(condition=EIDFilter, then="--eid-filter")
), regex=".+")
-- Run the tool and divert messages to logs.
LET ExecHB <= SELECT *
FROM execve(argv=cmdline, sep="\n", length=9999999)
WHERE log(message=Stdout)
-- Upload the raw file.
SELECT upload(file=CSVFile) AS Uploads FROM scope()
- name: Results
query: |
SELECT *, timestamp(string=Timestamp) AS EventTime
FROM parse_csv(filename=CSVFile)