New Features:
- Support for the
gt,gte,lt,ltefield modifiers. (#1433) (@fukusuket) - New
log-metricscommand to get information about.evtxfiles. (computer names, event count, first timestamp, last timestamp, channels, providers) (#1474) (@fukusuket)
Enhancements:
- Updated the
yaml-rustcrate toyaml-rust2. (#461) (@yamatosecurity) windashcharacters are now being dynamically read fromrules/config/windash_characters.txt. (#1440) (@fukusuket)logon-summarycommand now displays logon information from RDP events. Note: Hayabusa will output more detailed information when saving to a file. (#1468) (@fukusuket)- The colors were updated to make it easier to read. (#1480) (@yamatosecurity)
- Added start and finish messages of the day. (#1492) (@fukusuket)
Bug Fixes:
logon-summarycommand would sometimes crash with corrupted logs. (#1477) (@fukusuket)- Some results would be displayed after the progress bar when outputting results to the terminal with
csv-timelineandjson-timeline. (#1459) (@fukusuket) - The detailed field value results in aggregation rule alerts were not sorted so
csv-timelineandjson-timelinewould not output completely exact results each time. (#1466) (@fukusuket) - Updated
hayabusa-evtxcrate to0.8.12. (@yamatosecurity)- JSON field output order is now preserved according to the original XML. (omerbenamram/evtx #241)
- Multiple sub-nodes with attributes and the same name would be overwritten and only the last one kept. (omerbenamram/evtx #245)
logon-summaryandeid-metricswould sometimes output multiple progress bars. #1479 (@fukusuket)
Other:
- The
--timeline-offsetoption has been renamed to--time-offset. (#1490) (@yamatosecurity)
New Features:
- Support for the
fieldrefmodifier (alias to theequalsfieldmodifier). (#1409) (@hitenkoku) - The
fieldref|endswithmodifier was created as an alias toendswithfieldto replace it in the future. (#1437) (@fukusuket) - Support for
fieldref|startswithandfieldref|containsmodifiers. (#1439) (@fukusuket) - Support for XOR encoded rules to minimize files put on the system as well as bypass anti-virus products that give false positives on rules. (#1419) (@fukusuket)
- We will include packages in the Releases page that are already configured to use this. If you wanted to manually configure this though, download encoded_rules.yml and place it in the Hayabusa's root folder. This file is created from the rules in the hayabusa-rules repository and is automatically updated anytime there is a rule update. Delete all of the files inside the
rulesfolder except for theconfigdirectory as those files are not yet contained in a single file. - Note: The report generated by the
-Hoption cannot create a link to the rule (only the rule name is outputted.) rules/configconfig files are now loaded from a single file rules_config_files.txt to reduce the number of files needed to be stored on a target system for live response. (#1420) (@fukusuket)
- We will include packages in the Releases page that are already configured to use this. If you wanted to manually configure this though, download encoded_rules.yml and place it in the Hayabusa's root folder. This file is created from the rules in the hayabusa-rules repository and is automatically updated anytime there is a rule update. Delete all of the files inside the
Bug Fixes:
- Unneeded line breaks when using
-oin thesearchcommand. (#1425) (@fukusuket) - Sigma correlation rules required the
group-byfield but now it is optional. (#1442) (@fukusuket) - Hayabusa will give an error message if the rules referenced by a correlation rule are not found. (#1444) (@fukusuket)
- Field information was not being outputted when the
all-field-infoprofiles were used. (#1450) (@fukusuket)
Other:
- License is changed from GPL-3.0 to AGPL-3.0. (@yamatosecurity)
New Features:
- Support for the Sigma V2
|re:submodifers. (#1399) (@fukusuket)- Reference: https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-modifiers-appendix.md
|re|i:: (insensitive) disable case-sensitive matching.|re|m:: (multi-line) match across multiple lines.^/$match the start/end of line.|re|s:: (single-line) the dot character (.) matches all characters, including the newline character.
- Reference: https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-modifiers-appendix.md
- Support for the Sigma V2
|exists:modifier. (#1400) (@hitenkoku) - Support for the Sigma V2
|cased:modifier. (#1401) (@hitenkoku)
Enhancements:
- Support for the newer version 0.6.x
cidr-utilscrate. (#1366) (@hitenkoku) - Added support for Sigma correlation rule's
namelookup. (#1363) (@fukusuket) - Enabled low memory mode by default.
-s, --low-memory-modeis now-s, --sort-events- Sort events before outputting results. (warning: this uses much more memory!). (#1361) (@hitenkoku)- Note: you need to enable sorting in order to use
-R, --remove-duplicate-dataand-X, --remove-duplicate-detections.
- Note: you need to enable sorting in order to use
- Sigma correlation reference rules now do not output alerts by default. You can enable them by adding
generate: trueto the rule. (#1367) (@fukusuket) Datafields are now displayed as indexed strings instead of as allDatafields or in an array for JSON. (#1371) (@fukusuket)- Before:
"Data": ["17514", "Multiprocessor Free", "Service Pack 1"] - After:
"Data[3]": "17514", "Data[4]": "Multiprocessor Free", "Data[5]": "Service Pack 1"
- Before:
- The configuration files in the
configfolder are now also embedded in the binary to reduce the number of files in the release package. (#1370) (@hitenkoku)- Note: you will not be able to run the
set-default-profilecommand without theconfigdirectory files as it relies onconfig/default_profile.yaml.
- Note: you will not be able to run the
- Aggregation rule alerts now show
ChannelandEventIDinformation even when there are multiple results. (#1342) (@fukusuket) - In the JSON timeline, when there is no information in the
Detailsfield, we changed the default output of"-"to{}in order to make parsing easier. (#1386) (@hitenkoku) - Added support for the
–(en dash),—(em dash), and―(horizontal bar) characters for thewindashmodifier to prevent signature bypass. (#1392) (@hitenkoku) - Updated the MITRE ATT&CK tags to support Sigma version 2 format. (Ex:
defense_evasion=>defense-evasion) (@fukusuket) - Updated the
evtxcrate to the latest for enhancements and bug fixes.
Bug Fixes:
- Sigma correlation rule count was not showing up in
Events with hits. (#1373) (@fukusuket) - Correlation rule count was not showing up in
Events with hits. (#1374) (@fukusuket) - Aggregation condition rule count was not showing up in
Events with hits. (#1375) (@fukusuket) - In rare cases, the list of rule authors would not be displayed to the terminal. (#1383) (@fukusuket)
New Features:
- By default now, only rules that are applicable to loaded evtx files will be enabled. This is based on the
Channelfield in.evtxfile and.ymlrule. For example, ifSecurity.evtxwas being scanned, then only rules that haveChannel: Securitydefined will be used against this file. In our benchmarks, this usually gives a speed benefit of around 20% when scanning singleevtxfiles but can give up a 10x speed performance depending on the file. If you think there are multiple channels being used in a single.evtxfile or you want to use rules that do not have theChannelfield defined in order to scan all.evtxfiles regardless of the channel, then you can turn off this filtering with the-A, --enable-all-rulesoption incsv-timelineandjson-timeline. (#1317) (@fukusuket)- Currently, the only two detection rules that do not have
Channeldefined and are intended to scan all.evtxfiles are the following:
- Currently, the only two detection rules that do not have
- By default now,
.evtxfiles that have applicable rules will be loaded. So for example, if you are scanning a directory of various event logs but only enable a rule that is looking forChannel: Securitythen Hayabusa will ignore all non-security event logs. In our benchmarks, this gives a speed benefit of around 10% with normal scans and up to 60%+ performance increase when scanning with a single rule. If you want to load all.evtxfiles regardless of channel, then you can turn off this filtering with the-a, --scan-all-evtx-filesoption incsv-timelineandjson-timeline. (#1318) (@fukusuket) - Note: Channel filtering only works with .evtx files and you will receive an error if you try to load event logs from a JSON file with
-J, --json-inputand also specify-Aor-a. (#1345) (@fukusuket) - Support for Sigma Correlation's Event Count. (#1337) (@fukusuket)
- Support for Sigma Correlation's Value Count. (#1338) (@fukusuket)
Enhancements:
- You can now specify multiple directories with the
-d, --directoryoption. (#1335) (@hitenkoku) - You can now analyze Splunk logs exported from the REST API. (#1083) (@hitenkoku)
- You can now specify multiple groups with
count. Ex:count() by IpAddress,SubStatus,LogonType >= 2Also, the output has been updated. Ex:[condition] count(TargetUserName) by IpAddress > 3 in timeframe [result] count: 4 TargetUserName:tanaka/Administrator/adsyncadmin/suzuki IpAddress:- timeframe:5m->Count: 4 ¦ TargetUserName: tanaka/Administrator/adsyncadmin/suzuki ¦ IpAddress: -(#1339) (@fukusuket) - Added support for specifying an optional
Provider_Namefield in field data mapping files (rules/config/data_mapping/*.yaml) as well as support forData[x]notation. (#1350) (@fukusuket) - JSON output in count rules now separates field information. (#1342) (@fukusuket)
- Before:
"Details": "[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m" - After:
"Details": { "Count": 3558, "IpAddress": "192.168.198.149" }
- Before:
Enhancements:
- Added support for
windashfield modifier (ex.|contains|windash:,|contains|all|windash:) in sigma rules. (#1319) (@hitenkoku)- https://sigmahq.io/docs/basics/modifiers.html#windash
- Note: currently on the backend we convert the use of
windashin rules so they are compatibile with previous versions of Hayabusa, however, around the end of May we will start to keep the use ofwindashas-is so please update to this version before then or else you will recieve rule parsing errors if you update rules.
Bug Fixes:
-Tdetection frequency timeline was not usable in version 2.14.0. (#1322) (@fukusuket)- Fixed
windashnot working when there is a wildcard. (#1327) (@hitenkoku)
New Features:
- Added
--include-statusoption: You can specify rules based on theirstatus. (#1193) (@hitenkoku) - Added a
-s, --low-memory-modeoption that uses up to 95% less memory. However, in order to do this, Hayabusa cannot sort results nor use-R, --remove-duplicate-dataand/or-X, --remove-duplicate-detectionsin combination. (#1254) (@hach1yon @hitenkoku)
Enhancements:
- Removed unused crates. (@YamatoSecurity)
- JSON input now supports the format exported from Splunk. (#1083) (@hitenkoku)
- Performance enchancements. (#1277, #1278) (@fukusuket)
- Reordered
searchresult fields to look similar to thecsv-timelinecommand results. (#1297) (@hitenkoku) - Added master piece character in ascii art eggs. R.I.P. lovely master hidden behind the gas mask. (#1304) (@hitenkoku)
- Unified help option format in
computer-metricscommand with other commands. (#1314) (@hitenkoku)
Bug Fixes:
- JSON output of the
searchcommand was missing theAllFieldInfofield. (#1251) (@hitenkoku) - The time the user took to choose options in the scan wizard was included in elapsed time so we now exclude that. (#1291) (@hitenkoku)
- Fixed
-h, --helpoption is being displayed multiple times. (#1309) (@hitenkoku)
Enhancements:
- Adjusted the
searchcommand's Filter option to be an exact match and support wildcard characters. (#1240) (@hitenkoku) - Any time there is a change in a detection rule, it will be displayed when running the
update-rulescommand. Previously, only rules that updated theirmodifiedfield would be displayed. (#1243) (@hitenkoku) - The
json-timelinecommand now outputs in JSON format when outputting to the terminal. (#1197) (@hitenkoku) - Added support for parsing JSON input when the data is inside an array. (#1248) (@hitenkoku)
- Changed the
‖separator into a·separator to make it easier to read and render properly on older terminals. (#1258) (@YamatoSecurity) - Added a
-h, --helpoption to General Options for all commands. (#1255) (@hitenkoku) - Changed the
Detailsoutput in thejson-timelinecommand from alphabetical order to the original order. - Loading detection rules is now skipped when running commands that do not need them. (#1263) (@hitenkoku)
- Improved the standard output colors in the
csv-timelinecommand. (#1271) (@hitenkoku) - Refactoring and performance enhancements. (#1268, #1260) (@hach1yon)
Bug Fixes:
- Removed newline characters in the
searchcommand output. (#1253) (@hitenkoku) - Fixed the progress bar and wizard colored output when the
--no-coloroption is used. (#1256) (@hitenkoku) - Fixed a panic when the local timezone was not able to be identified. This was fixed in the
chronocrate version 0.4.32. (#1273)
Enhancements:
%MitreTactics%,%MitreTags%,%OtherTags%fields are now outputted as an array of strings in JSON output. (#1230) (@hitenkoku)- Added a summary of MITRE ATT&CK tactics that were detected for each computer in the HTML report. In order to use this feature, you need to use a profile that includes the
%MitreTactics%field. (#1226) (@hitenkoku) - Output messages about reporting issues and false positives when using
csv-timelineorjson-timelinecommands. (#1236) (@hitenkoku)
Bug Fixes:
- In JSON output, multiple field names with the same names were not outputted as an array so only one result would be returned when parsing with
jq. We fixed this by outputting multiple field data with the same field name inside an array. (#1202) (@hitenkoku) - Fixed a bug in the
csv-timeline,json-timeline,eid-metrics,logon-summary,pivot-keywords-listandsearchcommands so that Hayabusa will quit whenever no input option (-l,-for-d) is specified. (#1235) (@hitenkoku)
New Features:
- Extraction of fields from PowerShell classic logs. (Can disable with
--no-pwsh-field-extraction) (#1220) (@fukusuket)
Enhancements:
- Added rule count in the scan wizard. (#1206) (@hitenkoku)
Enhancements:
- Added questions to the scan wizard. (#1207) (@hitenkoku)
Bug Fixes:
update-rulescommand would outputYou currently have the latest ruleseven if new rules were downloaded in version2.10.0. (#1209) (@fukusuket)- Regular expressions would sometimes be incorrectly handled. (#1212) (@fukusuket)
- In the rare case that there is no
Datafield such as for JSON input, a panic would occur. (#1215) (@fukusuket)
Enhancements:
- Added a scan wizard to help new users choose which rules they want to enable. Add the
-w, --no-wizardoption to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku) - Added the
--include-tagoption to thepivot-keywords-listcommand to only load rules with the specifiedtagsfield. (#1195) (@hitenkoku) - Added the
--exclude-tagoption to thepivot-keywords-listcommand to exclude rules with specifictagsfrom being loaded. (#1195) (@hitenkoku)
Bug Fixes:
- Fixed that field information defined in
Detailswas also output toExtraFieldInfoin some cases. (#1145) (@hitenkoku) - Fixed output of newline and tab characters in
AllFieldInfoin JSON output. (#1189) (@hitenkoku) - Fixed output of space characters in some fields in standard output. (#1192) (@hitenkoku)
Enhancements:
- Added an error message to indicate that when you can't load evtx files in Windows due to specifying a directory path with spaces in it, you need to remove the trailing backslash. (#1166) (@hitenkoku, thanks for the suggestion from @joswr1ght)
- Optimized the number of records to load at a time for performance. (#1175) (@yamatosecurity)
- Replaced double backslashes in paths under the progress bar on Windows systems with single forward slashes. (#1172) (@hitenkoku)
- Made the
Detailsfield forcountrules a string in the JSON output for easier parsing. (#1179) (@hitenkoku) - Changed the default number of threads from number of CPUs to the estimate of the default amount of parallelism a program should use (
std::thread::available_parallelism). (#1182) (@hitenkoku)
Bug Fixes:
- Fixed JSON fields would not be correctly parsed in rare cases. (#1145) (@hitenkoku)
Other:
- Removed the unmaintained
hhmmsscrate that uses an oldtimecrate in order to pass the code coverage CI checks. (#1181) (@hitenkoku)
New Features:
- Added support for
HexToDecimalin the field mapping configuration files to convert hex values to decimal. (Useful for converting the original process IDs from hex to decimal.) (#1133) (@fukusuket) - Added
-x, --recover-recordsoption tocsv-timelineandjson-timelineto recover evtx records through file carving in evtx slack space. (#952) (@hitenkoku) (Evtx carving feature is thanks to @forensicmatt) - Added
-X, --remove-duplicate-detectionsoption tocsv-timelineandjson-timelineto not output any duplicate detection entries. (Useful when you use-x, include backup logs or logs extracted from VSS with duplicate data, etc...) - Added a
--timeline-offsetoption tocsv-timeline,json-timeline,logon-summary,eid-metrics,pivot-keywords-listandsearchcommands to scan just recent events based on a offset of years, months, days, hours, etc... (#1159) (@hitenkoku) - Added a
-a, --and-logicoption in thesearchcommand to search keywords with AND logic. (#1162) (@hitenkoku)
Other:
- When using
-x, --recover-records, an additional%RecoveredRecord%field will be added to the output profile and will outputYto indicate if a record was recovered. (#1160) (@hitenkoku)
New Features:
- Certain code numbers are now mapped to human-readable messages based on the
.yamlconfig files in./rules/config/data_mapping. (Example:%%2307will be converted toACCOUNT LOCKOUT). You can turn off this behavior with the-F, --no-field-data-mappingoption. (#177) (@fukusuket) - Added the
-R, --remove-duplicate-dataoption in thecsv-timelinecommand to replace duplicate field data with the stringDUPin the%Details%,%AllFieldInfo%,%ExtraFieldInfo%columns to reduce file size. (#1056) (@hitenkoku) - Added the
-P, --proven-rulesoption incsv-timelineandjson-timelinecommands. When used, Hayabusa will only load rules that have been proven to work. These are defined by rule ID in the./rules/config/proven_rules.txtconfig file. (#1115) (@hitenkoku) - Added the
--include-tagoption tocsv-timelineandjson-timelinecommands to only load rules with the specifiedtagsfield. (#1108) (@hitenkoku) - Added the
--exclude-tagoption tocsv-timelineandjson-timelinecommands to exclude rules with specifictagsfrom being loaded. (#1118) (@hitenkoku) - Added
--include-categoryand--exclude-categoryoptions tocsv-timelineandjson-timelinecommands. When using--include-category, only rules with the specifiedcategoryfield will be loaded.--exclude-categorywill exclude rules from being loaded based oncategory. (#1119) (@hitenkoku) - Added the
computer-metricscommand to list up how many events there are based on computer name. (#1116) (@hitenkoku) - Added
--include-computerand--exclude-computeroptions tocsv-timeline,json-timeline,metrics,logon-summaryandpivot-keywords-listcommands. The--include-computeroption only scans the specified computer(s).--exclude-computerexcludes them. (#1117) (@hitenkoku) - Added
--include-eidand--exclude-eidoptions tocsv-timeline,json-timeline, andpivot-keywords-listcommands. The--include-eidoption only scans the specified EventID(s).--exclude-eidexcludes them. (#1130) (@hitenkoku) - Added the
-R, --remove-duplicate-dataoption to thejson-timelinecommand to replace duplicate field data with the stringDUPin the%Details%,%AllFieldInfo%,%ExtraFieldInfo%fields to reduce file size. (#1134) (@hitenkoku)
Enhancements:
- Ignore corrupted event records with timestamps before 2007/1/31 when Windows Vista was released with the new
.evtxlog format. (#1102) (@fukusuket) - When
--outputis set in themetricscommand, the results will not be displayed to screen. (#1099) (@hitenkoku) - Added the
-C, --clobberoption to overwrite existing output files in thepivot-keywords-listcommand. (#1125) (@hitenkoku) - Renamed the
metricscommand toeid-metrics. (#1128) (@hitenkoku) - Reduced progress bar width to leave room for adjustment of the terminal. (#1135) (@hitenkoku)
- Added support for outputing timestamps in the following formats in the
searchcommand:--European-time,--ISO-8601,--RFC-2822,--RFC-3339,--US-time,--US-military-time,-U, --UTC. (#1040) (@hitenkoku) - Replaced the ETA time in the progress bar with elapsed time as the ETA time was not accurate. (#1143) (@YamatoSecurity)
- Added
--timeline-startand--timeline-endto thelogon-summarycommand. (#1152) (@hitenkoku)
Bug Fixes:
- The total number of records being displayed in the
metricsandlogon-summarycommands differed from thecsv-timelinecommand. (#1105) (@hitenkoku) - Changed rule count by rule ID instead of path. (#1113) (@hitenkoku)
- Fixed a problem with incorrect field splitting in the
CommandLinefield in JSON output. (#1145) (@hitenkoku) --timeline-startand--timeline-endwere not working correctly with thejson-timelinecommand. (#1148) (@hitenkoku)--timeline-startand--timeline-endwere not working correctly with thepivot-keywords-listcommand. (#1150) (@hitenkoku)
Other:
- The total count of unique detections are now based on rule IDs instead of rule file paths. (#1111) (@hitenkoku)
- Renamed the
--live_analysisoption to--live-analysis. (#1139) (@hitenkoku) - Renamed the
metricscommand toeid-metrics. (#1128) (@hitenkoku)
New Features:
- Added support for
'|all':keyword in sigma rules. (#1038) (@kazuminn)
Enhancements:
- Added
%ExtraFieldInfo%alias to output profiles which will output all of the other fields that do not get outputted inDetails. This is now included in the defaultstandardoutput profile. (#900) (@hitenkoku) - Added error messages for incompatible arguments. (#1054) (@YamatoSecurity)
- The output profile name is now outputted to standard output and in the HTML report. (#1055) (@hitenkoku)
- Added rule author names next to rule alerts in the HTML report. (#1065) (@hitenkoku)
- Made the table width shorter to prevent tables breaking in smaller terminal sizes. (#1071) (@hitenkoku)
- Added the
-C, --clobberoption to overwrite existing output files incsv-timeline,json-timeline,metrics,logon-summary, andsearchcommands. (#1063) (@YamatoSecurity, @hitenkoku) - Made the HTML report portable by embedding the images and inlining CSS. (#1078) (@hitenkoku, thanks for the suggestion from @joswr1ght)
- Speed improvements in the output. (#1088) (@hitenkoku, @fukusuket)
- The
metricscommand now performs word wrapping to make sure the table gets rendered correctly. (#1067) (@garigariganzy) searchcommand results can now be outputted to JSON/JSONL. (#1041) (@hitenkoku)
Bug Fixes:
MitreTactics,MitreTags,OtherTagsfields were not being outputted in thejson-timelinecommand. (#1062) (@hitenkoku)- The detection frequency timeline (
-T) would not output when theno-summaryoption was also enabled. (#1072) (@hitenkoku) - Control characters would not be escaped in the
json-timelinecommand causing a JSON parsing error. (#1068) (@hitenkoku) - In the
metricscommand, channels would not be abbreviated if they were lowercase. (#1066) (@garigariganzy) - Fixed an issue where some fields were misaligned in the JSON output. (#1086) (@hitenkoku)
Enhancements:
- Reduced memory usage by half when using newly converted rules. (#1047) (@fukusuket)
Bug Fixes:
- Data in certain fields such as
AccessMaskwould not be separated by spaces when outputted from thedetailsfield. (#1035) (@hitenkoku) - Multiple spaces would be condensed to a single space when outputting to JSON. (#1048) (@hitenkoku)
- Output would be in color even if
--no-colorwas used in thepivot-keywords-listcommand. (#1044) (@kazuminn)
Enhancements:
- Added
-M, --multilineoption to search command. (#1017) (@hitenkoku) - Deleted return characters in the output of the
searchcommand. (#1003) (@hitenkoku) regexcrate updated to 1.8 which allows unnecessary escapes in regular expressions reducing parsing errors. (#1018) (@YamatoSecurity)- Deleted return characters in output of the
csv-timelinecommand. (#1019) (@hitenkoku) - Don't show new version information with the
update-rulescommand when building a newer dev build. (#1028) (@hitenkoku) - Sorted
searchtimeline order. (#1033) (@hitenkoku) - Enhanced
pivot-keywords-listterminal output. (#1022) (@kazuminn)
Bug Fixes:
- Unconverted sigma rules that search for a string that end in a backslash would not be detected. Also
|containsconditions would not match if the string was located in the beginning. (#1025) (@fukusuket) - In versions 2.3.3-2.4.0, informational level alerts in the Results Summary would show the top 5 events twice instead of the top 10 events. (#1031) (@hitenkoku)
New Features:
- Added
searchcommand to search for specified keywords in records. (#617) (@itiB, @hitenkoku) - Added
-r, --regexoption in thesearchcommand to search for regular expressions. (#992) (@itiB)
Enhancements:
- Alphabetically sorted commands. (#991) (@hitenkoku)
- Added attribute information of
Event.UserDatato the output ofAllFieldInfoincsv-timeline,json-timelineandsearchcommands. (#1006) (@hitenkoku) - Updated Aho-Corasick crate to 1.0. (#1013) (@hitenkoku)
Bug Fixes:
- Fixed timestamps that did not exist from being displayed in the event frequency timeline (
-T, --visualize-timeline) in version 2.3.3. (#977) (@hitenkoku)
Enhancements:
- Removed an extra space when outputting the rule
levelto files (CSV, JSON, JSONL). (#979) (@hitenkoku) - Rule authors are now outputted in multiple lines with the
-M, --multilineoption. (#980) (@hitenkoku) - Approximately 3-5% speed increase by replacing String with CoW. (#984) (@hitenkoku)
- Made sure text after the logo does not turn green with recent clap versions. (#989) (@hitenkoku)
Bug Fixes:
- Fixed a crash when the
level-tuningcommand was executed on version 2.3.0. (#977) (@hitenkoku)
Enhancements:
- Added
-M, --multilineoption in thecsv-timelinecommand. (#972) (@hitenkoku)
Enhancements:
- Added double quotes in CSV fields of
csv-timelineoutput to support multiple lines in fields. (#965) (@hitenkoku) - Updated
logon-summaryheaders. (#964) (@yamatosecurity) - Added short-hand option
-Dfor--enable-deprecated-rulesand-ufor--enable-unsupported-rules. (@yamatosecurity) - Reordered option in Filtering and changed option help contents. (#969) (@hitenkoku)
Bug Fixes:
- Fixed a crash when the
update-rulescommand was executed on version 2.3.0. (#965) (@hitenkoku) - Fixed long underlines displayed in the help menu in Command Prompt and PowerShell prompt. (#911) (@yamatosecurity)
New Features:
- Added support for
|cidr. (#961) (@fukusuket) - Added support for
1 of selection*andall of selection*. (#957) (@fukusuket) - Added support for the
|contains|allpipe keyword. (#945) (@hitenkoku) - Added the
--enable-unsupported-rulesoption to enable rules marked asunsupported. (#949) (@hitenkoku)
Enhancements:
- Approximately 2-3% speed increase and memory usage reduction by improving string contains check. (#947) (@hitenkoku)
Bug Fixes:
- Some event titles would be displayed as
Unknownin themetricscommand even if they were defined. (#943) (@hitenkoku)
New Features:
- Added support for the
|base64offset|containspipe keyword. (#705) (@hitenkoku)
Enhancements:
- Reorganized the grouping of command line options. (#918) (@hitenkoku)
- Reduced memory usage by approximately 75% when reading JSONL formatted logs. (#921) (@fukusuket)
- Channel names are now further abbreviated in the metrics, json-timeline, csv-timeline commands according to
rules/config/generic_abbreviations.txt. (#923) (@hitenkoku) - Reduced parsing errors by updating the evtx crate. (@YamatoSecurity)
- Provider names (
%Provider%field) are now abbreviated like channel names according torules/config/provider_abbreviations.txtandrules/config/generic_abbreviations.txt. (#932) (@hitenkoku) - Print the first and last timestamps in the metrics command when the
-ddirectory option is used. (#935) (@hitenkoku) - Added first and last timestamp to Results Summary. (#938) (@hitenkoku)
- Added Time Format options for
logon-summary,metricscommands. (#938) (@hitenkoku) \r,\n, and\tcharacters are preserved (not converted to spaces) when saving results with thejson-outputcommand. (#940) (@hitenkoku)
Bug Fixes:
- The first and last timestamps in the
logon-summaryandmetricscommands were blank. (#920) (@hitenkoku) - Event titles stopped being shown in the
metricscommand during development of 2.2.2. (#933) (@hitenkoku)
New Features:
- Added support for input of JSON-formatted event logs (
-J, --JSON-input). (#386) (@hitenkoku) - Log enrichment by outputting the ASN organization, city and country of source and destination IP addresses based on MaxMind GeoIP databases (
-G, --GeoIP). (#879) (@hitenkoku) - Added the
-e, --exact-leveloption to scan for only specific rule levels. (#899) (@hitenkoku)
Enhancements:
- Added the executed command line to the HTML report. (#877) (@hitenkoku)
- Approximately 3% speed increase and memory usage reduction by performing exact string matching on Event IDs. (#882) (@fukusuket)
- Approximately 14% speed increase and memory usage reduction by filtering before regex usage. (#883) (@fukusuket)
- Approximately 8% speed increase and memory usage reduction by case-insensitive comparisons instead of regex usage. (#884) (@fukusuket)
- Approximately 5% speed increase and memory usage reduction by reducing regex usage in wildcard expressions. (#890) (@fukusuket)
- Further speed increase and memory usage reduction by removing unnecessary regex usage. (#894) (@fukusuket)
- Approximately 3% speed increase and 10% memory usage reduction by reducing regex usage. (#898) (@fukuseket)
- Improved
-T, --visualize-timelineby increasing the height of the markers to make it easier to read. (#902) (@hitenkoku) - Reduced memory usage by approximately 50% when reading JSON/L formatted logs. (#906) (@fukusuket)
- Alphabetically sorted options based on their long names. (#904) (@hitenkoku)
- Added JSON input support (
-J, --JSON-inputoption) forlogon-summary,metricsandpivot-keywords-listcommands. (#908) (@hitenkoku)
Bug Fixes:
- Fixed a bug when rules with 4 consecutive backslashes in their conditions would not be detected. (#897) (@fukusuket)
- When parsing PowerShell EID 4103, the
Payloadfield would be separated into multiple fields when outputting to JSON. (#895) (@hitenkoku) - Fixed a crash when looking up event log file size. (#914) (@hitenkoku)
Vulnerability Fixes:
- Updated the git2 and gitlib2 crates to prevent a possible SSH MITM attack (CVE-2023-22742) when updating rules and config files. (#888) (@YamatoSecurity)
Enhancements:
- Speed improvements. (#847) (@hitenkoku)
- Improved speed by up to 20% by improving I/O processesing. (#858) (@fukusuket)
- The timeline order of detections are now sorted to a fixed order even when the timestamp is identical. (#827) (@hitenkoku)
Bug Fixes:
- Successful login CSV results were not correctly being outputted when using the logon timeline function. (#849) (@hitenkoku)
- Removed unnecessary line breaks that would occur when using the
-J, --jsonloption. (#852) (@hitenkoku)
New Features:
- Command usage and help menu are now done by subcommands. (#656) (@hitenkoku)
New Features:
- Added a new pipe keyword. (
|endswithfield) (#740) (@hach1yon) - Added
--debugoption to display memory utilization at runtime. (#788) (@fukusuket)
Enhancements:
- Updated clap crate package to version 4 and changed the
--visualize-timelineshort option-Vto-T. (#725) (@hitenkoku) - Added output of logon types, source computer and source IP address in Logon Summary as well as failed logons. (#835) (@garigariganzy @hitenkoku)
- Optimized speed and memory usage. (#787) (@fukusuket)
- Changed output color in eggs ascii art.(#839) (@hitenkoku)
- Made the
--debugoption hidden by default. (#841) (@hitenkoku) - Added color to the ascii art eggs. (#839) (@hitenkoku)
Bug Fixes:
- Fixed a bug where evtx files would not be loaded if run from a command prompt and the directory path was enclosed in double quotes. (#828) (@hitenkoku)
- Fixed unneeded spaces outputted when there were rule parsing errors. (#829) (@hitenkoku)
Enhancements:
- Specified the minimum Rust version
rust-versionfield inCargo.tomlto avoid build dependency errors. (#802) (@hitenkoku) - Reduced memory usage. (#806) (@fukusuket)
- Added the support for the
%RenderedMessage%field in output profiles which is the rendered message in logs forwarded by WEC. (#760) (@hitenkoku)
Bug Fixes:
- Fixed a problem where rules using the
Datafield were not being detected. (#775) (@hitenkoku) - Fixed a problem where the
%MitreTags%and%MitreTactics%fields would randomly miss values. (#807) (@fukusuket)
New Features:
- Added the
--ISO-8601output time format option. This good to use when importing to Elastic Stack. It is exactly the same as what is in the original log. (#767) (@hitenkoku)
Enhancements:
- Event ID filtering is now turned off by default. Use the
-e, --eid-filteroption to filter by Event ID. (Will usually be 10%+ faster but with a small chance of false negatives.) (#759) (@hitenkoku) - Print an easy to understand error message when a user tries to download new rules with a different user account. (#758) (@fukusuket)
- Added total and unique detecion count information in the HTML Report. (#762) (@hitenkoku)
- Removed unnecessary array structure in the JSON output. (#766)(@hitenkoku)
- Added rule authors (
%RuleAuthor%), rule creation date (%RuleCreationDate%), rule modified date (%RuleModifiedDate%), and rule status (%Status%) fields to output profiles. (#761) (@hitenkoku) - Changed Details field in JSON output to an object. (#773) (@hitenkoku)
- Removed
build.rsand changed the memory allocator to mimalloc for a speed increase of 20-30% on Intel-based OSes. (#657) (@fukusuket) - Replaced
%RecordInformation%alias in output profiles to%AllFieldInfo%, and changed theAllFieldInfofield in JSON output to an object. (#750) (@hitenkoku) - Removed
HBFI-prefix inAllFieldInfofield of json output. (#791) (@hitenkoku) - Don't display result summary, etc... when
--no-summaryoption is used. (This is good to use when using as a Velociraptor agent, etc... It will usually be 10% faster.) (#780) (@hitenkoku) - Reduced memory usage and improved speed performance. (#778 #790) (@hitenkoku)
- Don't display Rule Authors list when authors list is empty. (#795) (@hitenkoku)
- Added rule ID (
%RuleID%) and Provider Name (%Provider%) fields to output profiles. (#794) (@hitenkoku)
Bug Fixes:
- Fixed rule author unique rule count. (It was displaying one extra.) (#783) (@hitenkoku)
New Features:
- Added
--list-profilesoption to print a list of output profiles. (#746) (@hitenkoku)
Enhancements:
- Moved the saved file line and shortened the update option output. (#754) (@YamatoSecurity)
- Limited rule author names of detected alerts to 40 characters. (#751) (@hitenkoku)
Bug Fixes:
- Fixed a bug where field information would get moved over in JSON/JSONL output when a drive letter (ex:
c:) was in the field. (#748) (@hitenkoku)
Enhancements:
- Hayabusa now checks Channel and EID information based on
rules/config/channel_eid_info.txtto provide more accurate results. (#463) (@garigariganzy) - Do not display a message about loading detection rules when using the
-Mor-Loptions. (#730) (@hitenkoku) - Added a table of rule authors to standard output. (#724) (@hitenkoku)
- Ignore event records when the channel name is
null(ETW events) when scanning and showing EID metrics. (#727) (@hitenkoku)
Bug Fixes:
- Fixed a bug where the same Channel and EID would be counted separately with the
-Moption. (#729) (@hitenkoku)
New Features:
- Added a HTML summary report output option (
-H, --html-report). (#689) (@hitenkoku, @nishikawaakira)
Enhancements:
- Changed Event ID Statistics option to Event ID Metrics option. (
-s, --statistics->-M, --metrics) (#706) (@hitenkoku) (Note:statistics_event_info.txtwas changed toevent_id_info.txt.) - Display new version of Hayabusa link when updating rules if there is a newer version. (#710) (@hitenkoku)
- Added logo in HTML summary output. (#714) (@hitenkoku)
- Unified output to one table when using
-Mor-Lwith the-doption. (#707) (@hitenkoku) - Added Channel column to metrics output. (#707) (@hitenkoku)
- Removed First Timestamp and Last Timestamp of
-Mand-Loption with the-doption. (#707) (@hitenkoku) - Added csv output option(
-o --output) when-Mor-Loption is used. (#707) (@hitenkoku) - Separated Count and Percent columns in metric output. (#707) (@hitenkoku)
- Changed output table format of the metric option and logon information crate from prettytable-rs to comfy_table. (#707) (@hitenkoku)
- Added favicon.png in HTML summary output. (#722) (@hitenkoku)
New Features:
- You can now save the timeline to JSON files with the
-j, --jsonoption. (#654) (@hitenkoku) - You can now save the timeline to JSONL files with the
-J, --jsonloption. (#694) (@hitenkoku)
Enhancements:
- Added top alerts to results summary. (#667) (@hitenkoku)
- Added
--no-summaryoption to not display the results summary. (#672) (@hitenkoku) - Made the results summary more compact. (#675 #678) (@hitenkoku)
- Made Channel field in channel_abbreviations.txt case-insensitive. (#685) (@hitenkoku)
- Changed pipe separator character in output from
|to‖. (#687) (@hitenkoku) - Added color to Saved alerts and events / Total events analyzed. (#690) (@hitenkoku)
- Updated evtx crate to 0.8.0. (better handling when headers or date values are invalid.)
- Updated output profiles. (@YamatoSecurity)
Bug Fixes:
- Hayabusa would crash with
-Loption (logon summary option). (#674) (@hitenkoku) - Hayabusa would continue to scan without the correct config files but now will print and error and gracefully terminate. (#681) (@hitenkoku)
- Fixed total events from the number of scanned events to actual events in evtx. (#683) (@hitenkoku)
Enhancements:
- Re-released v1.5.1 with an updated output profile that is compatible with Timesketch. (#668) (@YamatoSecurity)
Bug Fixes:
- Critical, medium and low level alerts were not being displayed in color. (#663) (@fukusuket)
- Hayabusa would crash when an evtx file specified with
-fdid not exist. (#664) (@fukusuket)
New Features:
- Customizable output of fields defined at
config/profiles.yamlandconfig/default_profile.yaml. (#165) (@hitenkoku) - Implemented the
nullkeyword for rule detection. It is used to check if a target field exists or not. (#643) (@hitenkoku) - Added output to JSON option (
-jand--json-timeline) (#654) (@hitenkoku)
Enhancements:
- Trimmed
./from the rule path when updating. (#642) (@hitenkoku) - Added new output aliases for MITRE ATT&CK tags and other tags. (#637) (@hitenkoku)
- Organized the menu output when
-his used. (#651) (@YamatoSecurity and @hitenkoku) - Added commas to summary numbers to make them easier to read. (#649) (@hitenkoku)
- Added output percentage of detections in Result Summary. (#658) (@hitenkoku)
Bug Fixes:
- Fixed miscalculation of Data Reduction due to aggregation condition rule detection. (#640) (@hitenkoku)
- Fixed a race condition bug where a few events (around 0.01%) would not be detected. (#639 #660) (@fukusuket)
Bug Fixes:
- Hayabusa would not run on Windows 11 when the VC redistribute package was not installed but now everything is compiled statically. (#635) (@fukusuket)
Enhancements:
- You can now update rules to a custom directory by combining the
--update-rulesand--rulesoptions. (#615) (@hitenkoku) - Improved speed with parallel processing by up to 20% with large files. (#479) (@kazuminn)
- When saving files with
-o, the.ymldetection rule path column changed fromRulePathtoRuleFileand only the rule file name will be saved in order to decrease file size. (#623) (@hitenkoku)
Bug Fixes:
- Fixed a runtime error when hayabusa is run from a different path than the current directory. (#618) (@hitenkoku)
Enhancements:
- When no
detailsfield is defined in a rule nor in./rules/config/default_details.txt, all fields will be outputted to thedetailscolumn. (#606) (@hitenkoku) - Added the
-D, --deep-scanoption. Now by default, events are filtered by Event IDs that there are detection rules for defined in./rules/config/target_event_IDs.txt. This should improve performance by 25~55% while still detecting almost everything. If you want to do a thorough scan on all events, you can disable the event ID filter with-D, --deep-scan. (#608) (@hitenkoku) channel_abbreviations.txt,statistics_event_info.txtandtarget_event_IDs.txthave been moved from theconfigdirectory to therules/configdirectory in order to provide updates with-U, --update-rules.
New Features:
- Added
--target-file-extoption. You can specify additional file extensions to scan in addtition to the default.evtxfiles. For example,--target-file-ext evtx_dataor multiple extensions with--target-file-ext evtx1 evtx2. (#586) (@hitenkoku) - Added
--exclude-statusoption: You can ignore rules based on theirstatus. (#596) (@hitenkoku)
Enhancements:
- Added default details output based on
rules/config/default_details.txtwhen nodetailsfield in a rule is specified. (i.e. Sigma rules) (#359) (@hitenkoku) - Updated clap crate package to version 3. (#413) (@hitnekoku)
- Updated the default usage and help menu. (#387) (@hitenkoku)
- Hayabusa can be run from any directory, not just from the current directory. (#592) (@hitenkoku)
- Added saved file size output when
outputis specified. (#595) (@hitenkoku)
Bug Fixes:
- Fixed output error and program termination when long output is displayed with color. (#603) (@hitenkoku)
- Ignore loading yml files in
rules/tools/sigmac/testfilesto fixExcluded rulescount. (#602) (@hitenkoku)
Enhancements:
- Changed the evtx Rust crate from 0.7.2 to 0.7.3 with updated packages. (@YamatoSecurity)
New Features:
- You can now specify specific fields when there are multiple fields with the same name (Ex:
Data). In thedetailsline in a rule, specify a placeholder like%Data[1]%to display the firstDatafield. (#487) (@hitenkoku) - Added loaded rules status summary. (#583) (@hitenkoku)
Enhancements:
- Debug symbols are stripped by default for smaller Linux and macOS binaries. (#568) (@YamatoSecurity)
- Updated crate packages (@YamatoSecurity)
- Added new output time format options. (
--US-time,--US-military-time,--European-time) (#574) (@hitenkoku) - Changed the output time format when
--rfc-3339option is enabled. (#574) (@hitenkoku) - Changed the
-R / --display-record-idoption to-R / --hide-record-idand now by default the event record ID is displayed. You can hide the record ID with-R / --hide-record-id. (#579) (@hitenkoku) - Added rule loading message. (#583) (@hitenkoku)
Bug Fixes:
- The RecordID and RecordInformation column headers would be shown even if those options were not enabled. (#577) (@hitenkoku)
New Features:
- Added
-V / --visualize-timelineoption: Event Frequency Timeline feature to visualize the number of events. (Note: There needs to be more than 5 events and you need to use a terminal like Windows Terminal, iTerm2, etc... for it to properly render.) (#533, #566) (@hitenkoku) - Display all the
tagsdefined in a rule to theMitreAttackcolumn when saving to CSV file with the--all-tagsoption. (#525) (@hitenkoku) - Added the
-R / --display-record-idoption: Display the event record ID (<Event><System><EventRecordID>). (#548) (@hitenkoku) - Display dates with most detections. (#550) (@hitenkoku)
- Display the top 5 computers with the most unique detections. (#557) (@hitenkoku)
Enhancements:
- In the
detailsline in a rule, when a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted asn/a(not available). (#528) (@hitenkoku) - Display total event and data reduction count. (How many and what percent of events were ignored.) (#538) (@hitenkoku)
- New logo. (#536) (@YamatoSecurity)
- Display total evtx file size. (#540) (@hitenkoku)
- Changed logo color. (#537) (@hitenkoku)
- Display the original
Channelname when not specified inchannel_abbrevations.txt. (#553) (@hitenkoku) - Display separately
Ignored rulestoExclude rules,Noisy rules, andDeprecated rules. (#556) (@hitenkoku) - Display results messge when
outputoption is set. (#561) (@hitenkoku)
Bug Fixes:
- Fixed the
--start-timelineand--end-timelineoptions as they were not working. (#546) (@hitenkoku) - Fixed crash bug when level in rule is not valid. (#560) (@hitenkoku)
New Features:
- Added a logon summary feature. (
-L/--logon-summary) (@garigariganzy)
Enhancements:
- Colored output is now on by default and supports Command and Powershell prompts. (@hitenkoku)
Bug Fixes:
- Fixed a bug in the update feature when the rules repository does not exist but the rules folder exists. (#516) (@hitenkoku)
- Fixed a rule parsing error bug when there were .yml files in a .git folder. (#524) (@hitenkoku)
- Fixed wrong version number in the 1.2.1 binary.
New Features:
- Added a
Channelcolumn to the output based on the./config/channel_abbreviations.txtconfig file. (@hitenkoku) - Rule and rule config files are now forcefully updated. (@hitenkoku)
Bug Fixes:
- Rules marked as noisy or excluded would not have their
levelchanged with--level-tuningbut now all rules will be checked. (@hitenkoku)
New Features:
- Specify config directory (
-C / --config): When specifying a different rules directory, the rules config directory will still be the defaultrules/config, so this option is useful when you want to test rules and their config files in a different directory. (@hitenkoku) |equalsfieldaggregator: In order to write rules that compare if two fields are equal or not. (@hach1yon)- Pivot keyword list generator feature (
-p / --pivot-keywords-list): Will generate a list of keywords to grep for to quickly identify compromised machines, suspicious usernames, files, etc... (@kazuminn) -F / --full-dataoption: Will output all field information in addition to the fields defined in the rule’sdetails. (@hach1yon)--level-tuningoption: You can tune the risklevelin hayabusa and sigma rules to your environment. (@itib and @hitenkoku)
Enhancements:
- Updated detection rules and documentation. (@YamatoSecurity)
- Mac and Linux binaries now statically compile the OpenSSL libraries. (@YamatoSecurity)
- Performance and accuracy improvement for fields with tabs, etc... in them. (@hach1yon and @hitenkoku)
- Fields that are not defined in eventkey_alias.txt will automatically be searched in Event.EventData. (@kazuminn and @hitenkoku)
- When updating rules, the names of new rules as well as the count will be displayed. (@hitenkoku)
- Removed all Clippy warnings from the source code. (@hitenkoku and @hach1yon)
- Updated the event ID and title config file (
timeline_event_info.txt) and changed the name tostatistics_event_info.txt. (@YamatoSecurity and @garigariganzy) - 32-bit Hayabusa Windows binaries are now prevented from running on 64-bit Windows as it would cause unexpected results. (@hitenkoku)
- MITRE ATT&CK tag output can be customized in
output_tag.txt. (@hitenkoku) - Added Channel column output. (@hitenkoku)
Bug Fixes:
.ymlfiles in the.gitfolder would cause parse errors so they are now ignored. (@hitenkoku)- Removed unnecessary newline due to loading test file rules. (@hitenkoku)
- Fixed output stopping in Windows Terminal due a bug in Terminal itself. (@hitenkoku)
New Features:
- Can specify a single rule with the
-r / --rulesoption. (Great for testing rules!) (@kazuminn) - Rule update option (
-u / --update-rules): Update to the latest rules in the hayabusa-rules repository. (@hitenkoku) - Live analysis option (
-l / --live-analysis): Can easily perform live analysis on Windows machines without specifying the Windows event log directory. (@hitenkoku)
Enhancements:
- Updated documentation. (@kazuminn , @hitenkoku , @YamatoSecurity)
- Updated rules. (20+ Hayabusa rules, 200+ Sigma rules) (@YamatoSecurity)
- Windows binaries are now statically compiled so installing Visual C++ Redistributable is not required. (@hitenkoku)
- Color output (
-c / --color) for terminals that support True Color (Windows Terminal, iTerm2, etc...). (@hitenkoku) - MITRE ATT&CK tactics are included in the saved CSV output. (@hitenkoku)
- Performance improvement. (@hitenkoku)
- Comments added to exclusion and noisy config files. (@kazuminn)
- Using faster memory allocators (rpmalloc for Windows, jemalloc for macOS and Linux.) (@kazuminn)
- Updated cargo crates. (@YamatoSecurity)
Bug Fixes:
- Made the clap library version static to make
cargo updatemore stable. (@hitenkoku) - Some rules were not alerting if there were tabs or carriage returns in the fields. (@hitenkoku)
- Removed Excel result sample files as they were being flagged by anti-virus. (@YamatoSecurity)
- Updated the Rust evtx library to 0.7.2 (@YamatoSecurity)
- Initial release.