Usage Examples
DustInDark edited this page Apr 21, 2022
- Run hayabusa against one Windows event log file: `hayabusa.exe -f eventlog.evtx`
- Run hayabusa against the sample-evtx directory with multiple Windows event log files: `hayabusa.exe -d .\hayabusa-sample-evtx`
- Export to a single CSV file for further analysis with Excel, Timeline Explorer, Elastic Stack, etc. and include all field information: `hayabusa.exe -d .\hayabusa-sample-evtx -o results.csv -F`
- Only run hayabusa rules (the default is to run all the rules in `-r .\rules`): `hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa -o results.csv`
- Only run hayabusa rules for logs that are enabled by default on Windows: `hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default -o results.csv`
- Only run hayabusa rules for sysmon logs: `hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\sysmon -o results.csv`
- Only run sigma rules: `hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\sigma -o results.csv`
- Enable deprecated rules (those with `status` marked as `deprecated`) and noisy rules (those whose rule ID is listed in `.\rules\config\noisy_rules.txt`): `hayabusa.exe -d .\hayabusa-sample-evtx --enable-noisy-rules --enable-deprecated-rules -o results.csv`
- Only run rules to analyze logons and output in the UTC timezone: `hayabusa.exe -d .\hayabusa-sample-evtx -r .\rules\hayabusa\default\events\Security\Logons -U -o results.csv`
- Run on a live Windows machine (requires Administrator privileges) and only detect alerts (potentially malicious behavior): `hayabusa.exe -l -m low`
- Create a list of pivot keywords from critical alerts and save the results (results will be saved to `keywords-Ip Addresses.txt`, `keywords-Users.txt`, etc.): `hayabusa.exe -l -m critical -p -o keywords`
- Print Event ID statistics: `hayabusa.exe -f Security.evtx -s`
- Print verbose information (useful for determining which files take a long time to process, parsing errors, etc.): `hayabusa.exe -d .\hayabusa-sample-evtx -v`
- Verbose output example:

```
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information\u{a0}Compile After Delivery/sysmon.evtx"
1 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.20 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx"
2 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.39 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets\u{a0}Kerberoasting/Security.evtx"
3 / 509 [>-------------------------------------------------------------------------------------------------------------------------------------------] 0.59 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx"
4 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.79 % 1s
Checking target evtx FilePath: "./hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution\u{a0}InstallUtil/sysmon.evtx"
5 / 509 [=>------------------------------------------------------------------------------------------------------------------------------------------] 0.98 % 1s
```
- Quiet error mode: by default, hayabusa will save error messages to error log files. If you do not want to save error messages, please add `-Q`.
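The verbose output above is the practical way to find which evtx files take a long time to process. The following is an added helper script, not part of hayabusa or this wiki, that parses `-v` output and reports per-file processing time. It assumes that each `Checking target evtx FilePath:` line is followed by that file's progress line and that the trailing `Ns` value is the cumulative elapsed time, so per-file time is the difference between consecutive counters; the sample output is constructed from the shape shown above.

```python
import re
from collections import OrderedDict

# Constructed sample of `hayabusa.exe -v` output: the line shapes follow the
# wiki's example, the elapsed values are made up so that per-file deltas differ.
SAMPLE_VERBOSE = """\
Checking target evtx FilePath: "./evtx/T1027.004_Compile After Delivery/sysmon.evtx"
1 / 4 [=>----------] 25.00 % 1s
Checking target evtx FilePath: "./evtx/T1558.004_AS-REP Roasting/Security.evtx"
2 / 4 [====>-------] 50.00 % 1s
Checking target evtx FilePath: "./evtx/T1197_BITS Jobs/Windows-BitsClient.evtx"
3 / 4 [========>---] 75.00 % 9s
Checking target evtx FilePath: "./evtx/T1218.004_InstallUtil/sysmon.evtx"
4 / 4 [============] 100.00 % 10s
"""

# Matches the file announcement line and the progress line that follows it.
FILE_RE = re.compile(r'^Checking target evtx FilePath: "(?P<path>.*)"$')
PROGRESS_RE = re.compile(
    r'^(?P<n>\d+) / (?P<total>\d+) \[.*\] [\d.]+ % (?P<elapsed>\d+)s$'
)


def per_file_seconds(verbose_output):
    """Map each evtx path to the seconds spent on it, in processing order.

    Assumption: the trailing `Ns` on a progress line is cumulative elapsed
    time, so a file's cost is the delta from the previous progress line.
    """
    timings = OrderedDict()
    current_path = None
    previous_elapsed = 0
    for line in verbose_output.splitlines():
        file_match = FILE_RE.match(line)
        if file_match:
            current_path = file_match.group("path")
            continue
        progress_match = PROGRESS_RE.match(line)
        if progress_match and current_path is not None:
            elapsed = int(progress_match.group("elapsed"))
            timings[current_path] = elapsed - previous_elapsed
            previous_elapsed = elapsed
            current_path = None  # progress line consumed; wait for next file
    return timings


def slowest(verbose_output, top=3):
    """Return the `top` (path, seconds) pairs that took the longest."""
    timings = per_file_seconds(verbose_output)
    return sorted(timings.items(), key=lambda kv: kv[1], reverse=True)[:top]


if __name__ == "__main__":
    for path, seconds in slowest(SAMPLE_VERBOSE):
        print(f"{seconds:4d}s  {path}")
```

Pipe a real run into the script (`hayabusa.exe -d .\evtx -v > verbose.txt`) and pass the file contents to `slowest` to rank the files worth investigating for parsing errors or unusually large logs.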