About Hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in Rust and supports multi-threading in order to be as fast as possible. We have provided a tool to convert Sigma rules into Hayabusa rule format. The Sigma-compatible Hayabusa detection rules are written in YML in order to be as easily customizable and extensible as possible. Hayabusa can be run either on single running systems for live analysis, by gathering logs from single or multiple systems for offline analysis, or by running the Hayabusa artifact with Velociraptor for enterprise-wide threat hunting and incident response. The output will be consolidated into a single CSV timeline for easy analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, etc...

Companion Projects

• EnableWindowsLogSettings - Documentation and scripts to properly enable Windows event logs.
• Hayabusa Rules - Detection rules for hayabusa.
• Hayabusa Sample EVTXs - Sample evtx files to use for testing hayabusa/sigma detection rules.
• Takajo - An analyzer for hayabusa results.
• WELA (Windows Event Log Analyzer) - An analyzer for Windows event logs written in PowerShell.

Table of Contents

• About Hayabusa
• Companion Projects
  • Table of Contents
  • Main Goals
    • Threat Hunting and Enterprise-wide DFIR
    • Fast Forensics Timeline Generation
• Screenshots
  • Startup
  • DFIR Timeline Terminal Output
  • Keyword Search Results
  • Detection Fequency Timeline (-T option)
  • Results Summary
  • HTML Results Summary (-H option)
  • DFIR Timeline Analysis in LibreOffice (-M Multiline Output)
  • DFIR Timeline Analysis in Timeline Explorer
  • Critical Alert Filtering and Computer Grouping in Timeline Explorer
  • Analysis with the Elastic Stack Dashboard
  • Analysis in Timesketch
• Importing and Analyzing Timeline Results
• Analyzing JSON-formatted results with JQ
• Features
• Downloads
• Git Cloning
• Advanced: Compiling From Source (Optional)
  • Updating Rust Packages
  • Cross-compiling 32-bit Windows Binaries
  • macOS Compiling Notes
  • Linux Compiling Notes
  • Cross-compiling Linux MUSL Binaries
• Running Hayabusa
  • Scan Wizard
    • Core Rules
    • Core+ Rules
    • Core++ Rules
    • Emerging Threats (ET) Add-On Rules
    • Threat Hunting (TH) Add-On Rules
  • Caution: Anti-Virus/EDR Warnings and Slow Runtimes
  • Windows
    • Error when trying to scan a file or directory with a space in the path
  • Linux
  • macOS
• Command List
  • Analysis Commands:
  • DFIR Timeline Commands:
  • General Commands:
• Command Usage
  • Analysis Commands
    • computer-metrics command
      • computer-metrics command examples
      • computer-metrics screenshot
    • eid-metrics command
      • eid-metrics command examples
      • eid-metrics command config file
      • eid-metrics screenshot
    • logon-summary command
      • logon-summary command examples
      • logon-summary screenshots
    • pivot-keywords-list command
      • pivot-keywords-list command examples
      • pivot-keywords-list config file
    • search command
      • search command examples
      • search command config files
  • DFIR Timeline Commands
    • csv-timeline command
      • csv-timeline command examples
      • Advanced - GeoIP Log Enrichment
        • GeoIP config file
        • Automatic updates of GeoIP databases
      • csv-timeline command config files
    • json-timeline command
      • json-timeline command examples and config files
    • level-tuning command
      • level-tuning command examples
      • level-tuning config file
    • list-profiles command
    • set-default-profile command
      • set-default-profile command examples
    • update-rules command
      • update-rules command example
• Timeline Output
  • Output Profiles
    • 1. minimal profile output
    • 2. standard profile output
    • 3. verbose profile output
    • 4. all-field-info profile output
    • 5. all-field-info-verbose profile output
    • 6. super-verbose profile output
    • 7. timesketch-minimal profile output
    • 8. timesketch-verbose profile output
    • Profile Comparison
    • Profile Field Aliases
      • Extra Profile Field Aliases
  • Level Abbrevations
  • MITRE ATT&CK Tactics Abbreviations
  • Channel Abbreviations
  • Other Abbreviations
  • Progress Bar
  • Color Output
  • Results Summary
    • Detection Fequency Timeline
• Hayabusa Rules
  • Sigma v.s. Hayabusa (Built-in Sigma Compatible) Rules
• Other Windows Event Log Analyzers and Related Resources
• Windows Logging Recommendations
• Sysmon Related Projects
• Community Documentation
  • English
  • Japanese
• Contribution
• Bug Submission
• License
• Twitter

Main Goals

Threat Hunting and Enterprise-wide DFIR

Hayabusa currently has over 4000 Sigma rules and over 170 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with Velociraptor's Hayabusa artifact. By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching Eric Capuano's Velociraptor walkthrough here.

Fast Forensics Timeline Generation

Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) the majority of data is noise and not useful for investigations. Hayabusa's goal is to extract out only useful data and present it in a concise as possible easy-to-read format that is usable not only by professionally trained analysts but any Windows system administrator. Hayabusa hopes to let analysts get 80% of their work done in 20% of the time when compared to traditional Windows event log analysis.

Screenshots

Startup

DFIR Timeline Terminal Output

Keyword Search Results

Detection Fequency Timeline (-T option)

Results Summary

HTML Results Summary (-H option)

DFIR Timeline Analysis in LibreOffice (-M Multiline Output)

DFIR Timeline Analysis in Timeline Explorer

Critical Alert Filtering and Computer Grouping in Timeline Explorer

Analysis with the Elastic Stack Dashboard

![Elastic Stack Dashboard