Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: specify compile target explicitly in Release Automation #1436

Merged
merged 1 commit into from
Oct 11, 2024
Merged

fix: specify compile target explicitly in Release Automation #1436

merged 1 commit into from
Oct 11, 2024

Conversation

fukusuket
Copy link
Collaborator

@fukusuket fukusuket commented Oct 11, 2024
edited
Loading

@fukusuket fukusuket self-assigned this Oct 11, 2024
@fukusuket fukusuket added the bug Something isn't working label Oct 11, 2024
@fukusuket fukusuket added this to the 2.18.0 Sector Release milestone Oct 11, 2024
@fukusuket
Copy link
Collaborator Author

hayabusa-2.18.0-mac-arm

fukusuke@fukusukenoMacBook-Air hayabusa-2.18.0-mac-arm % ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -D -n -u -q -
o timeline.csv -p super-verbose
Start time: 2024/10/11 11:20

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,497

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:07] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
...

Results Summary:

Events with hits / Total events: 21,119 / 46,413 (Data reduction: 25,294 events (54.50%))

Total | Unique detections: 34,593 | 740
Total | Unique critical detections: 53 (0.15%) | 21 (0.00%)
Total | Unique high detections: 5,731 (16.57%) | 282 (9.32%)
Total | Unique medium detections: 2,444 (7.07%) | 264 (14.05%)
Total | Unique low detections: 6,667 (19.27%) | 104 (35.68%)
Total | Unique informational detections: 19,698 (56.94%) | 69 (38.11%)

Dates with most total detections:
critical: 2019-07-19 (16), high: 2016-09-20 (3,650), medium: 2019-05-19 (332), low: 2016-09-20 (3,725), informational: 2016-08-19 (2,140)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (10), FS03.offsec.lan (2), srvdefender01.offsec.lan (2), Isaac (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (119), IEWIN7 (68), fs03vuln.offsec.lan (28), FS03.offsec.lan (27), IE10Win7 (24)
medium: MSEDGEWIN10 (99), IEWIN7 (67), FS03.offsec.lan (29), fs03vuln.offsec.lan (26), rootdc1.offsec.lan (22)
low: MSEDGEWIN10 (50), IEWIN7 (25), FS03.offsec.lan (24), fs03vuln.offsec.lan (19), srvdefender01.offsec.lan (16)
informational: MSEDGEWIN10 (23), IEWIN7 (22), PC01.example.corp (19), IE8Win7 (18), IE10Win7 (17)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                        Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)               Metasploit SMB Authentication (3,562)            │
│ Active Directory Replication from Non Machine Account (6)   Suspicious Service Path (277)                    │
│ CobaltStrike Service Installations - System (6)             Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                            PowerShell Scripts Installed as Services (250)   │
│ Defender Alert (Severe) (4)                                 Suspicous Service Name (80)                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                          Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (235)                            Logon Failure (Wrong Password) (3,564)           │
│ Proc Injection (104)                                        Possible LOLBIN (1,418)                          │
│ Reg Key Value Set (Sysmon Alert) (103)                      Non Interactive PowerShell Process Spawned (325) │
│ Remote Thread Creation In Uncommon Target Image (93)        Rare Service Installations (321)                 │
│ Suspicious Remote Thread Target (93)                        Proc Access (156)                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Proc Exec (11,173)                                          Logon (Service) (Noisy) (434)                    │
│ NetShare File Access (2,558)                                NetShare Access (403)                            │
│ PwSh Scriptblock (789)                                      Svc Installed (331)                              │
│ PwSh Pipeline Exec (680)                                    Explicit Logon (304)                             │
│ DLL Loaded (Noisy) (550)                                    New Non-USB PnP Device (268)                     │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (41.0 MB)

Elapsed time: 00:00:09.1090

@fukusuket
Copy link
Collaborator Author

fukusuket commented Oct 11, 2024
edited
Loading

hayabusa-2.18.0-linux-intel-gnu

fukusuke@ub:~/test$ ldd hayabusa-2.18.0-lin-intel-x64-gnu
	linux-vdso.so.1 (0x00007ffeab9f4000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3a20794000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f3a20774000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f3a2068d000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a20464000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3a2163c000)

fukusuke@ub:~/test$ ./hayabusa-2.18.0-lin-intel-x64-gnu csv-timeline -d ./hayabusa-sample-evtx -w -D -n -u -q -o timeline.csv -p super-verbose
Start time: 2024/10/11 02:27

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,497

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:13] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
...

Results Summary:

Events with hits / Total events: 21,119 / 46,413 (Data reduction: 25,294 events (54.50%))

Total | Unique detections: 34,593 | 740
Total | Unique critical detections: 53 (0.15%) | 21 (0.00%)
Total | Unique high detections: 5,731 (16.57%) | 282 (9.32%)
Total | Unique medium detections: 2,444 (7.07%) | 264 (14.05%)
Total | Unique low detections: 6,667 (19.27%) | 104 (35.68%)
Total | Unique informational detections: 19,698 (56.94%) | 69 (38.11%)

Dates with most total detections:
critical: 2019-07-19 (11), high: 2016-09-19 (3,627), medium: 2019-05-18 (332), low: 2016-09-19 (3,679), informational: 2016-09-03 (2,291)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (10), FS03.offsec.lan (2), srvdefender01.offsec.lan (2), Isaac (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (119), IEWIN7 (68), fs03vuln.offsec.lan (28), FS03.offsec.lan (27), IE10Win7 (24)
medium: MSEDGEWIN10 (99), IEWIN7 (67), FS03.offsec.lan (29), fs03vuln.offsec.lan (26), rootdc1.offsec.lan (22)
low: MSEDGEWIN10 (50), IEWIN7 (25), FS03.offsec.lan (24), fs03vuln.offsec.lan (19), srvdefender01.offsec.lan (16)
informational: MSEDGEWIN10 (23), IEWIN7 (22), PC01.example.corp (19), IE8Win7 (18), IE10Win7 (17)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                        Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)               Metasploit SMB Authentication (3,562)            │
│ Active Directory Replication from Non Machine Account (6)   Suspicious Service Path (277)                    │
│ CobaltStrike Service Installations - System (6)             Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                            PowerShell Scripts Installed as Services (250)   │
│ Defender Alert (Severe) (4)                                 Suspicous Service Name (80)                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                          Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (235)                            Logon Failure (Wrong Password) (3,564)           │
│ Proc Injection (104)                                        Possible LOLBIN (1,418)                          │
│ Reg Key Value Set (Sysmon Alert) (103)                      Non Interactive PowerShell Process Spawned (325) │
│ Remote Thread Creation In Uncommon Target Image (93)        Rare Service Installations (321)                 │
│ Suspicious Remote Thread Target (93)                        Proc Access (156)                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Proc Exec (11,173)                                          Logon (Service) (Noisy) (434)                    │
│ NetShare File Access (2,558)                                NetShare Access (403)                            │
│ PwSh Scriptblock (789)                                      Svc Installed (331)                              │
│ PwSh Pipeline Exec (680)                                    Explicit Logon (304)                             │
│ DLL Loaded (Noisy) (550)                                    New Non-USB PnP Device (268)                     │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (40.9 MB)

Elapsed time: 00:00:16.942
...

@fukusuket
Copy link
Collaborator Author

fukusuket commented Oct 11, 2024
edited
Loading

hayabusa-2.18.0-linux-intel-musl

fukusuke@ub:~/test$ ldd hayabusa-2.18.0-lin-intel-x64-musl
	statically linked

fukusuke@ub:~/test$ ./hayabusa-2.18.0-lin-intel-x64-musl csv-timeline -d ./hayabusa-sample-evtx -w -D -n -u -q -o timeline.csv -p super-verboseStart time: 2024/10/11 02:29

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,497

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:14] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
...

Results Summary:

Events with hits / Total events: 21,119 / 46,413 (Data reduction: 25,294 events (54.50%))

Total | Unique detections: 34,593 | 740
Total | Unique critical detections: 53 (0.15%) | 21 (0.00%)
Total | Unique high detections: 5,731 (16.57%) | 282 (9.32%)
Total | Unique medium detections: 2,444 (7.07%) | 264 (14.05%)
Total | Unique low detections: 6,667 (19.27%) | 104 (35.68%)
Total | Unique informational detections: 19,698 (56.94%) | 69 (38.11%)

Dates with most total detections:
critical: 2019-07-19 (11), high: 2016-09-19 (3,627), medium: 2019-05-18 (332), low: 2016-09-19 (3,679), informational: 2016-09-03 (2,291)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (10), FS03.offsec.lan (2), srvdefender01.offsec.lan (2), Isaac (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (119), IEWIN7 (68), fs03vuln.offsec.lan (28), FS03.offsec.lan (27), IE10Win7 (24)
medium: MSEDGEWIN10 (99), IEWIN7 (67), FS03.offsec.lan (29), fs03vuln.offsec.lan (26), rootdc1.offsec.lan (22)
low: MSEDGEWIN10 (50), IEWIN7 (25), FS03.offsec.lan (24), fs03vuln.offsec.lan (19), srvdefender01.offsec.lan (16)
informational: MSEDGEWIN10 (23), IEWIN7 (22), PC01.example.corp (19), IE8Win7 (18), IE10Win7 (17)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                        Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)               Metasploit SMB Authentication (3,562)            │
│ Active Directory Replication from Non Machine Account (6)   Suspicious Service Path (277)                    │
│ CobaltStrike Service Installations - System (6)             Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                            PowerShell Scripts Installed as Services (250)   │
│ Defender Alert (Severe) (4)                                 Suspicous Service Name (80)                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                          Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (235)                            Logon Failure (Wrong Password) (3,564)           │
│ Proc Injection (104)                                        Possible LOLBIN (1,418)                          │
│ Reg Key Value Set (Sysmon Alert) (103)                      Non Interactive PowerShell Process Spawned (325) │
│ Remote Thread Creation In Uncommon Target Image (93)        Rare Service Installations (321)                 │
│ Suspicious Remote Thread Target (93)                        Proc Access (156)                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Proc Exec (11,173)                                          Logon (Service) (Noisy) (434)                    │
│ NetShare File Access (2,558)                                NetShare Access (403)                            │
│ PwSh Scriptblock (789)                                      Svc Installed (331)                              │
│ PwSh Pipeline Exec (680)                                    Explicit Logon (304)                             │
│ DLL Loaded (Noisy) (550)                                    New Non-USB PnP Device (268)                     │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (40.9 MB)

Elapsed time: 00:00:22.506
...

@fukusuket
Copy link
Collaborator Author

fukusuket commented Oct 11, 2024
edited
Loading

hayabusa-2.18.0-win-x64

C:\tmp\hayabusa-2.18.0-win-x64>hayabusa-2.18.0-win-x64.exe json-timeline -l -w -n -u -D -o timeline.jsonl -q -p super-verbose -L -C
Start time: 2024/10/11 11:41

Total event log files: 356
Total file size: 253.3 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 2,282

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:05] 26 / 26   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (39)                  frack113 (18)                    Florian Roth (11)            Nasreddine Bencherchali (6)   Fukusuke Takahashi (4)   Roberto Rodriguez @Cyb3r... (4) │
│ Arnim Rupp (3)                    oscd.community (3)               Bhabesh Raj (2)              Ján Trenčanský (2)            Tim Shelton (2)          Open Threat Research (2)        │
│ Harish Segar (2)                  Cian Heasley (1)                 Nikita Nazarov (1)           Gleb Sukhodolskiy (1)         Timur Zinniatullin (1)   @redcanary (1)                  │
│ Timur Zinniatullin oscd.... (1)   James Pemberton@4A616D6573 (1)   Zach Stanford @svch0st (1)   Roberto Rodriguez (1)         OTR (1)                  Teymur Kheirkhabarov (1)        │
╰─────────────────────────────────╌────────────────────────────────╌────────────────────────────╌─────────────────────────────╌────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 19,304 / 120,522 (Data reduction: 101,218 events (83.98%))

Total | Unique detections: 20,034 | 82
Total | Unique critical detections: 381 (1.90%) | 3 (0.00%)
Total | Unique high detections: 223 (1.11%) | 10 (40.24%)
Total | Unique medium detections: 707 (3.53%) | 20 (19.51%)
Total | Unique low detections: 15,292 (76.33%) | 16 (24.39%)
Total | Unique informational detections: 3,431 (17.13%) | 33 (12.20%)

Dates with most total detections:
critical: 2024-06-01 (46), high: 2024-06-04 (24), medium: 2024-07-27 (173), low: 2024-10-06 (2,375), informational: 2024-10-09 (316)

Top 5 computers with most unique detections:
critical: mouse (3)
high: mouse (10)
medium: mouse (19), MyComputer (2)
low: mouse (16)
informational: mouse (33), MyComputer (1), DESKTOP-CNG7416 (1), DESKTOP-9HFNL0J (1)

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                            Top high alerts:                                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Defender Alert (Severe) (372)                                   Antivirus Relevant File Paths Alerts (158)                                      │
│ Antivirus Password Dumper Detection (8)                         Microsoft Defender Blocked from Loading Unsigned DLL (24)                       │
│ Antivirus Exploitation Framework Detection (1)                  Antivirus Hacktool Detection (9)                                                │
│ n/a                                                             Powershell Token Obfuscation - Powershell (8)                                   │
│ n/a                                                             Defender Alert (High) (7)                                                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                              Top low alerts:                                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (536)                                Credential Manager Enumerated (14,196)                                          │
│ Uncommon PowerShell Hosts (83)                                  Rare Service Installations (301)                                                │
│ Suspicious Non PowerShell WSMAN COM Provider (24)               CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (299) │
│ BITS Transfer Job With Uncommon Or Suspicious Remote TLD (22)   Credential Manager Accessed (224)                                               │
│ Usage Of Web Request Commands And Cmdlets - ScriptBlock (11)    Volume Shadow Copy Mount (79)                                                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon (Service) (Noisy) (769)                                   RDS Sess Start (Noisy) (200)                                                    │
│ PwSh Engine Started (321)                                       RDS Sess Logon (200)                                                            │
│ Svc Installed (304)                                             RDS Sess Logoff (195)                                                           │
│ WMI Provider Started (289)                                      Office App PopUp (180)                                                          │
│ Bits Job Created (224)                                          RDS Sess Disconnect (138)                                                       │
╰───────────────────────────────────────────────────────────────╌─────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.jsonl (30.0 MB)

@fukusuket
Copy link
Collaborator Author

fukusuket commented Oct 11, 2024
edited
Loading

hayabusa-2.18.0-win-x64-live-responce

C:\tmp\hayabusa-2.18.0-win-x64-live-response>hayabusa-2.18.0-win-x64.exe json-timeline -l -w -n -u -D -o timeline.jsonl -q -p super-verbose -L -C
Start time: 2024/10/11 11:38

Total event log files: 356
Total file size: 253.3 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 434 (9.47%)
Stable rules: 255 (5.57%)
Test rules: 3,631 (79.26%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,400
Total detection rules: 4,581

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 3,880

Output profile: super-verbose

Scanning in progress. Please wait.

[00:01:22] 26 / 26   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (39)                  frack113 (18)                    Florian Roth (11)            Nasreddine Bencherchali (6)   Fukusuke Takahashi (4)   Roberto Rodriguez @Cyb3r... (4) │
│ Arnim Rupp (3)                    oscd.community (3)               Bhabesh Raj (2)              Ján Trenčanský (2)            Tim Shelton (2)          Open Threat Research (2)        │
│ Harish Segar (2)                  Cian Heasley (1)                 Nikita Nazarov (1)           Gleb Sukhodolskiy (1)         Timur Zinniatullin (1)   @redcanary (1)                  │
│ Timur Zinniatullin oscd.... (1)   James Pemberton@4A616D6573 (1)   Zach Stanford @svch0st (1)   Roberto Rodriguez (1)         OTR (1)                  Teymur Kheirkhabarov (1)        │
╰─────────────────────────────────╌────────────────────────────────╌────────────────────────────╌─────────────────────────────╌────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 19,295 / 120,514 (Data reduction: 101,219 events (83.99%))

Total | Unique detections: 20,025 | 82
Total | Unique critical detections: 381 (1.90%) | 3 (0.00%)
Total | Unique high detections: 223 (1.11%) | 10 (40.24%)
Total | Unique medium detections: 707 (3.53%) | 20 (19.51%)
Total | Unique low detections: 15,292 (76.36%) | 16 (24.39%)
Total | Unique informational detections: 3,422 (17.09%) | 33 (12.20%)

Dates with most total detections:
critical: 2024-06-01 (46), high: 2024-06-04 (24), medium: 2024-07-27 (173), low: 2024-10-06 (2,375), informational: 2024-10-09 (316)

Top 5 computers with most unique detections:
critical: mouse (3)
high: mouse (10)
medium: mouse (19), MyComputer (2)
low: mouse (16)
informational: mouse (33), MyComputer (1), DESKTOP-CNG7416 (1), DESKTOP-9HFNL0J (1)

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                            Top high alerts:                                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Defender Alert (Severe) (372)                                   Antivirus Relevant File Paths Alerts (158)                                      │
│ Antivirus Password Dumper Detection (8)                         Microsoft Defender Blocked from Loading Unsigned DLL (24)                       │
│ Antivirus Exploitation Framework Detection (1)                  Antivirus Hacktool Detection (9)                                                │
│ n/a                                                             Powershell Token Obfuscation - Powershell (8)                                   │
│ n/a                                                             Defender Alert (High) (7)                                                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                              Top low alerts:                                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (536)                                Credential Manager Enumerated (14,196)                                          │
│ Uncommon PowerShell Hosts (83)                                  Rare Service Installations (301)                                                │
│ Suspicious Non PowerShell WSMAN COM Provider (24)               CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (299) │
│ BITS Transfer Job With Uncommon Or Suspicious Remote TLD (22)   Credential Manager Accessed (224)                                               │
│ Usage Of Web Request Commands And Cmdlets - ScriptBlock (11)    Volume Shadow Copy Mount (79)                                                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon (Service) (Noisy) (764)                                   RDS Sess Start (Noisy) (200)                                                    │
│ PwSh Engine Started (321)                                       RDS Sess Logon (200)                                                            │
│ Svc Installed (304)                                             RDS Sess Logoff (195)                                                           │
│ WMI Provider Started (291)                                      Office App PopUp (180)                                                          │
│ Bits Job Created (219)                                          RDS Sess Disconnect (138)                                                       │
╰───────────────────────────────────────────────────────────────╌─────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.jsonl (29.8 MB)

Elapsed time: 00:01:25.582
...

@fukusuket fukusuket marked this pull request as ready for review October 11, 2024 02:31
YamatoSecurity
YamatoSecurity approved these changes Oct 11, 2024
View reviewed changes
Copy link
Collaborator

@YamatoSecurity YamatoSecurity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit b804a1c into main Oct 11, 2024
15 checks passed
@YamatoSecurity YamatoSecurity deleted the 1431-fix-musl-binary-action branch October 11, 2024 02:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YamatoSecurity YamatoSecurity YamatoSecurity approved these changes

Assignees

@fukusuket fukusuket

Labels
bug Something isn't working
Projects
None yet
Milestone
2.18.0 Sector Release
2 participants
@fukusuket @YamatoSecurity