Incident response and threat hunting using hayabusa tool
Hayabusa is an incident response and threat detection tool by Yamato security professionals in Japan. Its leverage sigma rules and its own rules to detect threat from event logs. This tool is solely made for windows incident response. But prerequisite is, proper event logging should be configured so that this tool can give most out of it.
You can also give this tool event logs in the form of .evtx format. Then this tool will also analyze that. Let’s see how we can use this during IR scenario.
Suppose you have experienced that your AD has been breached and you have properly logging configured. Then this tool will greatly help you if attacker did not able to clear the event logs.
Taking some commands from Eric Capuano’s blog.
- First let’s download this tool and put it on our temp folder. As of now, this is the latest version of this tool. If any later version comes at the time of your use, then please download the latest one. All the way below process is shown using as command line but you can do the same using GUI.
Invoke-WebRequest -Uri https://github.com/Yamato-Security/hayabusa/releases/download/v2.3.1/hayabusa-2.9.0-win-64-bit.zip -OutFile C:\Windows\Temp\hayabusa-2.9.0-win-64-bit.zip2. Now unzip the tool. Again you can do it via gui or via command line.
Expand-Archive -LiteralPath C:\Windows\Temp\hayabusa-2.9.0-win-64-bit.zip -DestinationPath C:\Windows\Temp\hayabusa3. Download some sample EVTX files from sbousseaden’s EVTX-ATTACK-SAMPLES repo.
Invoke-WebRequest -Uri https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/refs/heads/master.zip -Outfile EVTX-ATTACK-SAMPLES.zip4. Unzip it.
Expand-Archive -LiteralPath C:\Windows\Temp\EVTX-ATTACK-SAMPLES.zip -DestinationPath C:\Windows\Temp5. For convenience, let’s collect all the various EVTX files in the repo and stage them in one folder to make our analysis easier. Copy and paste this entire script into your console and press Enter. Or you can just do it manually in GUI.
# Set the source folder where .evtx files are located
$sourceFolder = "C:\Windows\Temp\EVTX-ATTACK-SAMPLES-master\"
# Set the destination folder where .evtx files should be moved
$destinationFolder = "C:\Windows\Temp\evtx_files"
# Create the destination folder if it doesn't already exist
if (!(Test-Path $destinationFolder)) {
New-Item -ItemType Directory -Path $destinationFolder | Out-Null
}
# Set the starting number for the sequential numbering
$number = 0
# Recursively find all .evtx files in the source folder
Get-ChildItem -Path $sourceFolder -Recurse -Filter *.evtx | ForEach-Object {
# Append the sequential number to the file name
$newFileName = $_.BaseName + "_" + $number.ToString() + $_.Extension
# Copy the file to the destination folder with the new name
Copy-Item $_.FullName -Destination (Join-Path $destinationFolder $newFileName)
# Increment the sequential number
$number++
}
Write-Host "$number files copied to $destinationFolder."6. Now let’s make sure we are using latest hayabusa detection rules. Go to the temp folder where you have downloaded hayabusa.
.\hayabusa\hayabusa-2.9.0-win-x64.exe update-rulesThe above command will update sigma rules and hayabusa’s own rules.
7. Now let’s start the tool and see how it find threats from our sample .evtx files. Remember we accumulated all the sampled .evtx log files under evtx_files folder using the above script.
.\hayabusa\hayabusa-2.9.0-win-x64.exe csv-timeline -d .\evtx_files\ -o hayabusa-output.csvAfter a short time, hayabusa will give you the analysis result. Like the below image.
8. Now let’s examine the hayabusa-output.csv file using Eric Zimmersman’s Timeline Explorer tool for better visibility and understandings.
.\TimelineExplorer\TimelineExplorer.exe .\hayabusa-output.csv
9. As you can see, Timeline Explorer is, at its simplest, a CSV viewer. However, it has some cool capabilities that make analyzing a CSV much easier.
a) Drag the following column headers to the top left in order to group by them.
Level
Computer
Rule Title
It is now much easier to navigate the data, grouped by criticality of the detection and the computer it occurred on.
We need to drag column headers to the top left to see the data that is grouped by that corresponding column.
We dragged the Level column to the left just like the above image. Now you can see the data is now grouped by the Level which is critical, high, medium, low so on.
Now we dragged the Computer column to the left beneath the Level column. Now see, there are 31 events in critical category. Now it is showing you who are those computers where these total 31 events had occured and how many times they occured, this tool also tells that to you. How cool is that.
The same goes for Rule Title column as well. I hope now you understand how this tool works. The below image will clear you more.
Don’t understand? In critical level there are total 31 events. Out of 31 events only 3 events belongs to alice.insecurebank.local computer. Now we want to see what are those 3 events!!! Those are actually the Rule Title. It is actually grouping all the Rules that actually happened/matched on that computer.
10. Now if you do not give -p super-verbose flag in the command then you will get say 50% of the analysis result. To get full analysis result, launch below command.
.\hayabusa\hayabusa-2.9.0-win-x64.exe csv-timeline -d .\evtx_files\ -o hayabusa-output-super-verbose.csv -p super-verboseNow analysis and find threats.
Thanks. I hope this blog will help you to hold with another awesome tool during your IR activity. Please subscribe below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube:
