分析命令¶
computer-metrics 命令¶
您可以使用 computer-metrics 命令來檢查根據 <System><Computer> 欄位中定義的每台電腦各有多少事件。
請注意,您無法完全依賴 Computer 欄位來依照事件的原始電腦來區分事件。
Windows 11 在儲存到事件記錄時,有時會使用完全不同的 Computer 名稱。
此外,Windows 10 有時會將 Computer 名稱全部以小寫記錄。
此命令不使用任何偵測規則,因此會分析所有事件。
這是一個適合執行的命令,可快速查看哪些電腦擁有最多記錄。
有了這些資訊後,您便可在建立時間軸時使用 --include-computer 或 --exclude-computer 選項,依照電腦建立多個時間軸或排除特定電腦的事件,使您的時間軸產生更有效率。
Usage: computer-metrics <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
Filtering:
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
Output:
-o, --output <FILE> Save the results in CSV format (ex: computer-metrics.csv)
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
computer-metrics 命令範例¶
- 從目錄印出電腦名稱統計資料:
hayabusa.exe computer-metrics -d ../logs - 將結果儲存為 CSV 檔案:
hayabusa.exe computer-metrics -d ../logs -o computer-metrics.csv
computer-metrics 螢幕截圖¶
eid-metrics 命令¶
您可以使用 eid-metrics 命令印出依頻道區分的事件 ID(<System><EventID> 欄位)的總數與百分比。
此命令不使用任何偵測規則,因此會掃描所有事件。
Usage: eid-metrics <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Filtering:
--exclude-computer <COMPUTER...> Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--include-computer <COMPUTER...> Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
Output:
-b, --disable-abbreviations Disable abbreviations
-o, --output <FILE> Save the Metrics in CSV format (ex: metrics.csv)
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
Time Format:
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
-O, --ISO-8601 Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
-U, --UTC Output time in UTC format (default: local time)
eid-metrics 命令範例¶
- 從單一檔案印出事件 ID 統計資料:
hayabusa.exe eid-metrics -f Security.evtx - 從目錄印出事件 ID 統計資料:
hayabusa.exe eid-metrics -d ../logs - 將結果儲存為 CSV 檔案:
hayabusa.exe eid-metrics -f Security.evtx -o eid-metrics.csv
eid-metrics 命令設定檔¶
事件的頻道、事件 ID 與標題定義於 rules/config/channel_eid_info.txt。
範例:
Channel,EventID,EventTitle
Microsoft-Windows-Sysmon/Operational,1,Process Creation.
Microsoft-Windows-Sysmon/Operational,2,File Creation Timestamp Changed. (Possible Timestomping)
Microsoft-Windows-Sysmon/Operational,3,Network Connection.
Microsoft-Windows-Sysmon/Operational,4,Sysmon Service State Changed.
eid-metrics 螢幕截圖¶
expand-list 命令¶
從規則資料夾中擷取 expand 預留位置。
這在建立設定檔以使用任何採用 expand 欄位修飾符的規則時很有用。
若要使用 expand 規則,您只需在 ./config/expand/ 目錄下建立一個以 expand 欄位修飾符命名的 .txt 檔案,並將所有要檢查的值放入該檔案中。
例如,若規則的 detection 邏輯為:
detection:
selection:
EventID: 5145
RelativeTargetName|contains: '\winreg'
filter_main:
IpAddress|expand: '%Admins_Workstations%'
condition: selection and not filter_main
您會建立文字檔 ./config/expand/Admins_Workstations.txt 並放入如下的值:
這基本上會檢查與下列相同的邏輯:
若設定檔不存在,Hayabusa 仍會載入 expand 規則但忽略它。
Usage: expand-list <INPUT> [OPTIONS]
General Options:
-h, --help Show the help menu
-r, --rules <DIR/FILE> Specify rule directory (default: ./rules)
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
expand-list 命令範例¶
- 從預設的
rules目錄擷取expand欄位修飾符:hayabusa.exe expand-list - 從
sigma目錄擷取expand欄位修飾符:hayabusa.exe eid-metrics -r ../sigma
expand-list 結果¶
5 unique expand placeholders found:
Admins_Workstations
DC-MACHINE-NAME
Workstations
internal_domains
domain_controller_hostnames
extract-base64 命令¶
此命令會從下列事件中擷取 base64 字串、將其解碼,並指出所使用的編碼類型。 * Security 4688 CommandLine * Sysmon 1 CommandLine, ParentCommandLine * System 7045 ImagePath * PowerShell Operational 4104 * PowerShell Operational 4103
Usage: extract-base64 <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Filtering:
--exclude-computer <COMPUTER...> Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--include-computer <COMPUTER...> Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
Output:
-o, --output <FILE> Extract Base64 strings
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
Time Format:
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
-O, --ISO-8601 Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
-U, --UTC Output time in UTC format (default: local time)
extract-base64 命令範例¶
- 掃描目錄並輸出至終端機:
hayabusa.exe extract-base64 -d ../hayabusa-sample-evtx - 掃描目錄並輸出至 CSV 檔案:
hayabusa.exe eid-metrics -r ../sigma -o base64-extracted.csv
extract-base64 結果¶
輸出至終端機時,由於空間有限,只會顯示下列欄位: * Timestamp * Computer * Base64 String * Decoded String (if not binary)
儲存為 CSV 檔案時,會儲存下列欄位:
* Timestamp
* Computer
* Base64 String
* Decoded String (if not binary)
* Original Field
* Length
* Binary (Y/N)
* Double Encoding (when Y, it usually is malicious)
* Encoding Type
* File Type
* Event
* Record ID
* File Name
log-metrics 命令¶
您可以使用 log-metrics 命令印出事件記錄內的下列中繼資料:
* Filename
* Computer names
* Number of events
* First timestamp
* Last timestamp
* Channels
* Providers
此命令不使用任何偵測規則,因此會掃描所有事件。
Usage: log-metrics <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Filtering:
--exclude-computer <COMPUTER...> Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--include-computer <COMPUTER...> Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
Output:
-b, --disable-abbreviations Disable abbreviations
-M, --multiline Output event field information in multiple rows for CSV output
-o, --output <FILE> Save the Metrics in CSV format (ex: metrics.csv)
-S, --tab-separator Separate event field information by tabs
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
Time Format:
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
-O, --ISO-8601 Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
-U, --UTC Output time in UTC format (default: local time)
log-metrics 命令範例¶
- 從單一檔案印出事件 ID 統計資料:
hayabusa.exe log-metrics -f Security.evtx - 從目錄印出事件 ID 統計資料:
hayabusa.exe log-metrics -d ../logs - 將結果儲存為 CSV 檔案:
hayabusa.exe log-metrics -d ../logs -o eid-metrics.csv
log-metrics 螢幕截圖¶
logon-summary 命令¶
您可以使用 logon-summary 命令輸出登入資訊摘要(登入使用者名稱以及成功與失敗的登入次數)。
您可以使用 -f 顯示單一 evtx 檔案的登入資訊,或使用 -d 選項顯示多個 evtx 檔案的登入資訊。
成功的登入取自下列事件:
* Security 4624 (Successful Logon)
* RDS-LSM 21 (Remote Desktop Service Local Session Manager Logon)
* RDS-GTW 302 (Remote Desktop Service Gateway Logon)
失敗的登入取自 Security 4625 事件。
Usage: logon-summary <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Filtering:
--exclude-computer <COMPUTER...> Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--include-computer <COMPUTER...> Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
--timeline-end <DATE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
--timeline-start <DATE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
Output:
-o, --output <FILENAME-PREFIX> Save the logon summary to two CSV files (ex: -o logon-summary)
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
Time Format:
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
-O, --ISO-8601 Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
-U, --UTC Output time in UTC format (default: local time)
logon-summary 命令範例¶
- 印出登入摘要:
hayabusa.exe logon-summary -f Security.evtx - 儲存登入摘要結果:
hayabusa.exe logon-summary -d ../logs -o logon-summary.csv
logon-summary 螢幕截圖¶
pivot-keywords-list 命令¶
您可以使用 pivot-keywords-list 命令建立一份唯一的樞紐關鍵字清單,以快速識別異常的使用者、主機名稱、處理程序等,並關聯各事件。
重要:依預設,hayabusa 會傳回所有事件(資訊等級以上)的結果,因此我們強烈建議將 pivot-keywords-list 命令與 -m, --min-level 選項搭配使用。
例如,先以 -m critical 僅從 critical 警示建立關鍵字,然後再繼續使用 -m high、-m medium 等。
您的結果中很可能會有符合許多正常事件的常見關鍵字,因此在手動檢查結果並將唯一關鍵字整理至單一檔案後,您便可使用如 grep -f keywords.txt timeline.csv 之類的命令建立一份縮小範圍的可疑活動時間軸。
Usage: pivot-keywords-list <INPUT> [OPTIONS]
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-w, --no-wizard Do not ask questions. Scan for all events and alerts
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
Filtering:
-E, --EID-filter Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
-D, --enable-deprecated-rules Enable rules with a status of deprecated
-n, --enable-noisy-rules Enable rules set to noisy (./rules/config/noisy_rules.txt)
-u, --enable-unsupported-rules Enable rules with a status of unsupported
-e, --exact-level <LEVEL> Only load rules with a specific level (informational, low, medium, high, critical)
--exclude-computer <COMPUTER...> Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--exclude-eid <EID...> Do not scan specific EIDs for faster speed (ex: 1) (ex: 1,4688)
--exclude-status <STATUS...> Do not load rules according to status (ex: experimental) (ex: stable,test)
--exclude-tag <TAG...> Do not load rules with specific tags (ex: sysmon)
--include-computer <COMPUTER...> Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
--include-eid <EID...> Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)
--include-status <STATUS...> Only load rules with specific status (ex: experimental) (ex: stable,test)
--include-tag <TAG...> Only load rules with specific tags (ex: attack.execution,attack.discovery)
-m, --min-level <LEVEL> Minimum level for rules to load (default: informational)
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
--timeline-end <DATE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
--timeline-start <DATE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
Output:
-o, --output <FILENAME-PREFIX> Save pivot words to separate files (ex: PivotKeywords)
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
pivot-keywords-list 命令範例¶
- 將樞紐關鍵字輸出至螢幕:
hayabusa.exe pivot-keywords-list -d ../logs -m critical - 從 critical 警示建立一份樞紐關鍵字清單並儲存結果。(結果會儲存至
keywords-Ip Addresses.txt、keywords-Users.txt等):
pivot-keywords-list 設定檔¶
您可以透過編輯 ./rules/config/pivot_keywords.txt 來自訂要搜尋的關鍵字。
此頁面 為預設設定。
格式為 KeywordName.FieldName。例如,在建立 Users 清單時,hayabusa 會列出 SubjectUserName、TargetUserName 與 User 欄位中的所有值。
search 命令¶
search 命令讓您可以對所有事件進行關鍵字搜尋。
(不僅僅是 Hayabusa 偵測結果。)
這有助於判斷在 Hayabusa 未偵測到的事件中是否存在任何證據。
Usage: hayabusa.exe search <INPUT> <--keywords "<KEYWORDS>" OR --regex "<REGEX>"> [OPTIONS]
Display Settings:
-K, --no-color Disable color output
-q, --quiet Quiet mode: do not display the launch banner
-v, --verbose Output verbose information
General Options:
-C, --clobber Overwrite files when saving
-h, --help Show the help menu
-Q, --quiet-errors Quiet errors mode: do not save error logs
-x, --recover-records Carve evtx records from slack space (default: disabled)
-c, --rules-config <DIR> Specify custom rule config directory (default: ./rules/config)
-t, --threads <NUMBER> Number of threads (default: optimal number for performance)
--target-file-ext <FILE-EXT...> Specify additional evtx file extensions (ex: evtx_data)
-s, --sort Sort results before saving the file (warning: this uses much more memory!)
Input:
-d, --directory <DIR> Directory of multiple .evtx files
-f, --file <FILE> File path to one .evtx file
-l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
Filtering:
-a, --and-logic Search keywords with AND logic (default: OR)
-F, --filter <FILTER...> Filter by specific field(s)
-i, --ignore-case Case-insensitive keyword search
-k, --keyword <KEYWORD...> Search by keyword(s)
-r, --regex <REGEX> Search by regular expression
--time-offset <OFFSET> Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
--timeline-end <DATE> End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
--timeline-start <DATE> Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")
Output:
-b, --disable-abbreviations Disable abbreviations
-J, --JSON-output Save the search results in JSON format (ex: -J -o results.json)
-L, --JSONL-output Save the search results in JSONL format (ex: -L -o results.jsonl)
-M, --multiline Output event field information in multiple rows for CSV output
-o, --output <FILE> Save the search results in CSV format (ex: search.csv)
-S, --tab-separator Separate event field information by tabs
Time Format:
--European-time Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
-O, --ISO-8601 Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
--RFC-2822 Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
--RFC-3339 Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
--US-military-time Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
--US-time Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
-U, --UTC Output time in UTC format (default: local time)
search 命令範例¶
- 在
../hayabusa-sample-evtx目錄中搜尋關鍵字mimikatz:
注意:只要在資料中任何位置找到
mimikatz,關鍵字就會比對成功。這並非完全比對。
- 在
../hayabusa-sample-evtx目錄中搜尋關鍵字mimikatz或kali:
- 在
../hayabusa-sample-evtx目錄中搜尋關鍵字mimikatz並忽略大小寫:
- 使用正規表示式在
../hayabusa-sample-evtx目錄中搜尋 IP 位址:
- 搜尋
../hayabusa-sample-evtx目錄並顯示所有WorkstationName欄位為kali的事件:
注意:
.*是用來比對每個事件的正規表示式。
search 命令設定檔¶
./rules/config/channel_abbreviations.txt:頻道名稱與其縮寫的對應。