Hayabusa: Analysis for Windows Event Logs

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means “peregrine falcon” in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.

It is written in Rust and supports multi-threading in order to be as fast as possible. We have provided a tool to convert Sigma rules into Hayabusa rule format. The Sigma-compatible Hayabusa detection rules are written in YML in order to be as easily customizable and extensible as possible.

Hayabusa can be run either on single running systems for live analysis, by gathering logs from single or multiple systems for offline analysis, or by running the Hayabusa artifact with Velociraptor for enterprise-wide threat hunting and incident response. The output is consolidated into a single CSV timeline for easy analysis in Excel, Timeline Explorer, Elastic Stack, Timesketch, etc…

Main Goals

Threat Hunting and Enterprise-wide DFIR

Hayabusa currently has over 2600 Sigma rules and over 130 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with Velociraptor's Hayabusa artifact. By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM set up in the environment. You can learn how to do this by watching Eric Capuano's Velociraptor walkthrough here.


Fast Forensics Timeline Generation

Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) mostly noise that is not useful for investigations. Hayabusa's goal is to extract only the useful data and present it in as concise and easy-to-read a format as possible, usable not only by professionally trained analysts but by any Windows system administrator. Hayabusa hopes to let analysts get 80% of their work done in 20% of the time compared to traditional Windows event log analysis.

Screenshots

Startup

Start of the Hayabusa program

Terminal Output

Output from terminal by Hayabusa

Event Frequency Timeline (-V option)

Chronology of event frequency

Results Summary

Results Summary by Hayabusa

Analysis in Excel

Analysis in Excel by Hayabusa

Analysis in Timeline Explorer

Analysis in Timeline Explorer by Hayabusa

Analysis in Timesketch

Analysis in Timesketch by Hayabusa

Features

  • Cross-platform support: Windows, Linux, macOS.
  • Developed in Rust to be memory safe and faster than a hayabusa falcon!
  • Multi-thread support delivering up to a 5x speed improvement.
  • Creates a single easy-to-analyze CSV timeline for forensic investigations and incident response.
  • Threat hunting based on IoC signatures written in easy-to-read/create/edit YML-based Hayabusa rules.
  • Sigma rule support: a converter turns Sigma rules into Hayabusa rules.
  • Currently supports more Sigma rules than any other similar tool, including count rules and new aggregators such as |equalsfield.
  • Event log statistics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
  • Rule tuning configuration by excluding unneeded or noisy rules.
  • MITRE ATT&CK mapping of tactics (only in saved CSV files).
  • Rule level tuning.
  • Create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc… as well as correlate events.
  • Output all fields for more thorough investigations.
  • Successful and failed logon summary.
  • Enterprise-wide threat hunting and DFIR on all endpoints with Velociraptor.

Downloads

Please download the latest stable version of Hayabusa with compiled binaries or compile the source code from the Releases page.


Git cloning

You can git clone the repository with the following command and compile the binary from source code:

Warning: The main branch of the repository is for development purposes, so you may be able to access new features not yet officially released; however, there may be bugs, so consider it unstable.

git clone https://github.com/Yamato-Security/hayabusa.git --recursive

Note

If you forget to use the --recursive option, the rules folder, which is managed as a git submodule, will not be cloned.

You can sync the rules folder and get latest Hayabusa rules with git pull --recurse-submodules or use the following command:

hayabusa-1.5.1-win-x64.exe -u

If the update fails, you may need to rename the rules folder and try again.

Caution: When updating, rules and config files in the rules folder are replaced with the latest rules and config files in the hayabusa-rules repository. Any changes you make to existing files will be overwritten, so we recommend that you make backups of any files that you edit before updating. If you are performing level tuning with --level-tuning, please re-tune your rule files after each update. If you add new rules inside of the rules folder, they will not be overwritten or deleted when updating.

Usage

Main commands

  • default: Create a fast forensics timeline.
  • --level-tuning: Custom tune the alerts’ level.
  • -L, --logon-summary: Print a summary of logon events.
  • -p, --pivot-keywords-list: Print a list of suspicious keywords to pivot on.
  • -s, --statistics: Print metrics of the count and percentage of events based on Event ID.
  • --set-default-profile: Change the default profile.
  • -u, --update: Sync the rules to the latest rules in the hayabusa-rules GitHub repository.

Command Line Options

USAGE:
    hayabusa.exe <INPUT> [OTHER-ACTIONS] [OPTIONS]

INPUT:
    -d, --directory <DIRECTORY>    Directory of multiple .evtx files
    -f, --file <FILE>              File path to one .evtx file
    -l, --live-analysis            Analyze the local C:\Windows\System32\winevt\Logs folder

ADVANCED:
    -c, --rules-config <DIRECTORY>              Specify custom rule config directory (default: ./rules/config)
    -Q, --quiet-errors                          Quiet errors mode: do not save error logs
    -r, --rules <DIRECTORY/FILE>                Specify a custom rule directory or file (default: ./rules)
    -t, --thread-number <NUMBER>                Thread number (default: optimal number for performance)
        --target-file-ext <EVTX_FILE_EXT>...    Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)

OUTPUT:
    -o, --output <FILE>        Save the timeline in CSV format (ex: results.csv)
    -P, --profile <PROFILE>    Specify output profile (minimal, standard, verbose, verbose-all-field-info, verbose-details-and-all-field-info)

DISPLAY-SETTINGS:
        --no-color              Disable color output
        --no-summary            Do not display result summary
    -q, --quiet                 Quiet mode: do not display the launch banner
    -v, --verbose               Output verbose information
    -V, --visualize-timeline    Output event frequency timeline

FILTERING:
    -D, --deep-scan                     Disable event ID filter to scan all events (slower)
        --enable-deprecated-rules       Enable rules marked as deprecated
        --exclude-status <STATUS>...    Ignore rules according to status (ex: experimental) (ex: stable test)
    -m, --min-level <LEVEL>             Minimum level for rules (default: informational)
    -n, --enable-noisy-rules            Enable rules marked as noisy
        --timeline-end <DATE>           End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
        --timeline-start <DATE>         Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")

OTHER-ACTIONS:
        --contributors                     Print the list of contributors
    -L, --logon-summary                    Print a summary of successful and failed logons
        --level-tuning [<FILE>]            Tune alert levels (default: ./rules/config/level_tuning.txt)
    -p, --pivot-keywords-list              Create a list of pivot keywords
    -s, --statistics                       Print statistics of event IDs
        --set-default-profile <PROFILE>    Set default output profile
    -u, --update-rules                     Update to the latest rules in the hayabusa-rules github repository

TIME-FORMAT:
        --European-time       Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
        --RFC-2822            Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
        --RFC-3339            Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
        --US-military-time    Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
        --US-time             Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
    -U, --UTC                 Output time in UTC format (default: local time)

Usage Examples

  • Run hayabusa against one Windows event log file with default standard profile:
hayabusa-1.5.1-win-x64.exe -f eventlog.evtx
  • Run hayabusa against the sample-evtx directory with multiple Windows event log files with the verbose profile:
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -P verbose
  • Export to a single CSV file for further analysis with Excel, Timeline Explorer, Elastic Stack, etc… and include all field information (Warning: your output file size will become much larger with the verbose-details-and-all-field-info profile!):
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -o results.csv -P verbose-details-and-all-field-info
  • Only run hayabusa rules (the default is to run all the rules in -r .\rules):
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv
  • Only run hayabusa rules for logs that are enabled by default on Windows:
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv
  • Only run hayabusa rules for sysmon logs:
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv
  • Only run sigma rules:
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv
  • Enable deprecated rules (those with status marked as deprecated) and noisy rules (those whose rule ID is listed in .\rules\config\noisy_rules.txt):
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv
  • Only run rules to analyze logons and output in the UTC timezone:
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv
  • Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior):
hayabusa-1.5.1-win-x64.exe -l -m low
  • Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to keywords-Ip Addresses.txt, keywords-Users.txt, etc…):
hayabusa-1.5.1-win-x64.exe -l -m critical -p -o keywords
  • Print Event ID statistics:
hayabusa-1.5.1-win-x64.exe -f Security.evtx -s
  • Print logon summary:
hayabusa-1.5.1-win-x64.exe -L -f Security.evtx
  • Print verbose information (useful for determining which files take long to process, parsing errors, etc…):
hayabusa-1.5.1-win-x64.exe -d .\hayabusa-sample-evtx -v
  • Verbose output example:
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information\u{a0}Compile After Delivery/sysmon.evtx"
1 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.20 % 1s 
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx"
2 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.39 % 1s 
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets\u{a0}Kerberoasting/Security.evtx"
3 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.59 % 1s 
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx"
4 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.79 % 1s 
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution\u{a0}InstallUtil/sysmon.evtx"
5 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.98 % 1s
  • Output to a CSV format compatible to import into Timesketch:
hayabusa-1.5.1-win-x64.exe -d ../hayabusa-sample-evtx --RFC-3339 -o timesketch-import.csv -P timesketch -U
  • Quiet error mode: By default, hayabusa will save error messages to error log files. If you do not want to save error messages, please add -Q.
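Once the timeline has been saved with -o results.csv, the next step is usually triage of that CSV. The following is an added example, not part of Hayabusa or its documentation: it parses the CSV, reproduces the -m/--min-level filter, and counts alerts per level, computer and rule title. The column names (Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details) are assumed to match the standard profile, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Hayabusa alert levels from lowest to highest; -m/--min-level keeps rows at
# or above the chosen level, which filter_min_level() reproduces below.
LEVELS = ["informational", "low", "medium", "high", "critical"]

# Constructed sample rows in the shape of the standard profile (assumed
# column names: Timestamp, Computer, Channel, EventID, Level, RuleTitle, Details).
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,RuleTitle,Details
2022-02-22 10:00:01.123 +09:00,WS01,Sec,4624,informational,Logon (Network),User: alice ¦ LogonType: 3
2022-02-22 10:00:05.456 +09:00,WS01,Sec,4625,low,Logon Failure (Wrong Password),User: bob
2022-02-22 10:00:06.789 +09:00,WS01,Sec,4625,low,Logon Failure (Wrong Password),User: bob
2022-02-22 10:02:00.000 +09:00,WS01,Sysmon,1,high,Suspicious Process Creation,Cmd: rundll32.exe
2022-02-22 10:03:00.000 +09:00,DC01,Sec,4769,critical,Kerberoasting Attempt,User: svc_sql
"""


def load_timeline(text):
    """Parse Hayabusa CSV text into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def level_rank(level):
    """Numeric rank of a level; unknown spellings rank below informational."""
    level = level.strip().lower()
    return LEVELS.index(level) if level in LEVELS else -1


def filter_min_level(rows, min_level):
    """Keep rows whose Level is at least min_level (like hayabusa -m)."""
    threshold = level_rank(min_level)
    return [r for r in rows if level_rank(r["Level"]) >= threshold]


def summarize(rows):
    """Count alerts per level, per computer and per rule title for triage."""
    return {
        "by_level": Counter(r["Level"] for r in rows),
        "by_computer": Counter(r["Computer"] for r in rows),
        "by_rule": Counter(r["RuleTitle"] for r in rows),
    }


def triage_report(text, min_level="low"):
    """Hosts with the most alerts at or above min_level: [(computer, count), ...]."""
    rows = filter_min_level(load_timeline(text), min_level)
    return summarize(rows)["by_computer"].most_common()


if __name__ == "__main__":
    for host, n in triage_report(SAMPLE_CSV, "medium"):
        print(f"{host}: {n} alert(s) at medium or above")
```

Point load_timeline() at the contents of a real results.csv to run it on your own timeline; pivot-keyword style investigation then starts from the hosts and rule titles it ranks highest.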