Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool.
This artifact runs Hayabusa on the endpoint against the specified Windows event log directory, and generates and uploads a single CSV file for further analysis with Excel, Timeline Explorer, Elastic Stack, etc.
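name: Windows.EventLogs.Hayabusa
description: |
  [Hayabusa](https://github.com/Yamato-Security/hayabusa) is a
  Windows event log fast forensics timeline generator and threat
  hunting tool.

  This artifact runs Hayabusa on the endpoint against the live
  Windows event log directory of the host (Hayabusa `--live-analysis`;
  no directory parameter is exposed), and generates and uploads a
  single CSV file for further analysis with Excel, Timeline Explorer,
  Elastic Stack, etc.

  Note: when `UpdateRules` is enabled the endpoint needs outbound
  network access to fetch the latest rule set, and the fetched rules
  are not hash-pinned the way the Hayabusa binary is.

author: Eric Capuano - @eric_capuano, Whitney Champion - @shortxstack, Zach Mathis - @yamatosecurity

tools:
  # The archive is pinned by sha256 so the client can reject a tampered or
  # substituted download before it is unpacked and executed.
  - name: Hayabusa-2.3.3
    url: https://github.com/Yamato-Security/hayabusa/releases/download/v2.3.3/hayabusa-2.3.3-win-64-bit.zip
    expected_hash: bacf8596bf94715c85017f1a4236c5488de5573a0987742c20421f6e958e1ff0
    version: 2.3.3

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: UTC
    description: "Output time in UTC format"
    type: bool
    default: Y
  - name: UpdateRules
    description: "Update rules before scanning (requires outbound network access from the endpoint)"
    type: bool
    default: Y
  - name: NoisyRules
    description: "Enable rules marked as noisy"
    type: bool
    default: N
  # OutputProfile and MinimalLevel are restricted to fixed choices, so they
  # cannot inject arbitrary arguments into the command line built below.
  - name: OutputProfile
    description: "Decide how much data you want back"
    default: standard
    type: choices
    choices:
      - minimal
      - standard
      - verbose
      - all-field-info
      - all-field-info-verbose
      - super-verbose
      - timesketch-minimal
      - timesketch-verbose
  - name: EIDFilter
    description: "Scan only common Event IDs for quicker scans"
    type: bool
    default: N
  - name: MinimalLevel
    description: "Minimum level for rules"
    default: informational
    type: choices
    choices:
      - informational
      - low
      - medium
      - high
      - critical
  - name: Threads
    description: "Number of threads"
    type: int
    default: 2

sources:
  - name: Upload
    query: |
      -- Fetch the binary (FetchBinary resolves the tool by name and is
      -- expected to check it against expected_hash from the tools section).
      LET Toolzip <= SELECT FullPath
        FROM Artifact.Generic.Utils.FetchBinary(ToolName="Hayabusa-2.3.3", IsExecutable=FALSE)

      -- Scratch directory for the unpacked tool and its CSV output.
      LET TmpDir <= tempdir()

      -- Unzip the binary
      LET _ <= SELECT *
        FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)

      LET HayabusaExe <= TmpDir + '\\hayabusa-2.3.3-win-x64.exe'

      -- Optionally update the rules. This goes through cmd.exe only to set the
      -- working directory; TmpDir comes from tempdir(), not from a parameter,
      -- so no free-form user input reaches the shell. The update needs
      -- outbound network access; a failure is not fatal and the scan continues
      -- with whatever rules were unpacked from the zip. Stdout is logged so an
      -- update failure is visible in the collection log.
      LET _ <= if(condition=UpdateRules, then={
         SELECT * FROM execve(argv=['cmd.exe', '/c', 'cd', TmpDir, '&', HayabusaExe, 'update-rules'])
         WHERE log(message=Stdout) })

      LET CSVFile <= TmpDir + '\\hayabusa_results.csv'

      -- Build the command line considering all options. Each if() yields NULL
      -- when its flag is off; filter(regex=".+") drops those entries so the
      -- argv contains only real arguments. Threads is an int and the choice
      -- parameters are fixed lists, so nothing here is free-form input.
      -- --live-analysis scans the host's own event log directory.
      LET cmdline <= filter(list=(
            HayabusaExe, "csv-timeline", "--live-analysis",
            "--output", CSVFile,
            "--min-level", MinimalLevel,
            "--profile", OutputProfile,
            "--quiet", "--no-summary",
            "--threads", str(str=Threads),
            if(condition=UTC, then="--UTC"),
            if(condition=NoisyRules, then="--enable-noisy-rules"),
            if(condition=EIDFilter, then="--eid-filter")
          ), regex=".+")

      -- Run the tool and divert messages to logs.
      LET ExecHB <= SELECT *
        FROM execve(argv=cmdline, sep="\n", length=9999999)
        WHERE log(message=Stdout)

      -- Upload the raw file.
      SELECT upload(file=CSVFile) AS Uploads FROM scope()

  - name: Results
    query: |
      -- NOTE(review): CSVFile is defined in the Upload source's query above;
      -- this relies on the two sources sharing a scope and running in order.
      -- Confirm against the Velociraptor version in use.
      SELECT *, timestamp(string=Timestamp) AS EventTime
      FROM parse_csv(filename=CSVFile)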