Projects & Ecosystem

Companion Projects

• EnableWindowsLogSettings - Documentation and scripts to properly enable Windows event logs.
• Hayabusa Encoded Rules - The same as Hayabusa Rules repository but the rules and config files are stored in one file and XORed to prevent false positives from anti-virus.
• Hayabusa Rules - Hayabusa and curated Sigma detection rules used Hayabusa.
• Hayabusa EVTX - A more maintained fork of the evtx crate.
• Hayabusa Sample EVTXs - Sample evtx files to use for testing hayabusa/sigma detection rules.
• Presentations - Presentations from talks that we have given about our tools and resources.
• Sigma to Hayabusa Converter - Curates upstream Windows event log based Sigma rules into an easier to use form.
• Takajo - An analyzer for hayabusa results.
• WELA (Windows Event Log Analyzer) - An analyzer for Windows event logs written in PowerShell. (Deprecated and replaced by Takajo.)

Third-Party Projects That Use Hayabusa

• AllthingsTimesketch - A NodeRED workflow that imports Plaso and Hayabusa results into Timesketch.
• LimaCharlie - Provides cloud-based security tools and infrastructure to fit your needs.
• OpenRelik - An open-source (Apache-2.0) platform designed to streamline collaborative digital forensic investigations.
• Splunk4DFIR - Quickly spin up a splunk instance with Docker to browse through logs and tools output during your investigations.
• Velociraptor - A tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.

Other Windows Event Log Analyzers and Related Resources

• APT-Hunter - Attack detection tool written in Python.
• Awesome Event IDs - Collection of Event ID resources useful for Digital Forensics and Incident Response
• Chainsaw - Another sigma-based attack detection tool written in Rust.
• DeepBlueCLI - Attack detection tool written in Powershell by Eric Conrad.
• Epagneul - Graph visualization for Windows event logs.
• EventList - Map security baseline event IDs to MITRE ATT&CK by Miriam Wiesner.
• Mapping MITRE ATT&CK with Window Event Log IDs - by Michel de CREVOISIER
• EvtxECmd - Evtx parser by Eric Zimmerman.
• EVTXtract - Recover EVTX log files from unallocated space and memory images.
• EvtxToElk - Python tool to send Evtx data to Elastic Stack.
• EVTX ATTACK Samples - EVTX attack sample event log files by SBousseaden.
• EVTX-to-MITRE-Attack - EVTX attack sample event log files mapped to ATT&CK by Michel de CREVOISIER
• EVTX parser - the Rust evtx library we use written by @OBenamram.
• Grafiki - Sysmon and PowerShell log visualizer.
• LogonTracer - A graphical interface to visualize logons to detect lateral movement by JPCERTCC.
• NSA Windows Event Monitoring Guidance - NSA's guide on what to monitor for.
• RustyBlue - Rust port of DeepBlueCLI by Yamato Security.
• Sigma - Community based generic SIEM rules.
• SOF-ELK - A pre-packaged VM with Elastic Stack to import data for DFIR analysis by Phil Hagen
• so-import-evtx - Import evtx files into Security Onion.
• SysmonTools - Configuration and off-line log visualization tool for Sysmon.
• Timeline Explorer - The best CSV timeline analyzer by Eric Zimmerman.
• Windows Event Log Analysis - Analyst Reference - by Forward Defense's Steve Anson.
• Zircolite - Sigma-based attack detection tool written in Python.