hayabusa

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in Rust and supports multi-threading in order to be as fast as possible. We have provided a tool to convert Sigma rules into Hayabusa rule format. The Sigma-compatible Hayabusa detection rules are written in YML in order to be as easily customizable and extensible as possible. Hayabusa can be run either on single running systems for live analysis, by gathering logs from single or multiple systems for offline analysis, or by running the Hayabusa artifact with Velociraptor for enterprise-wide threat hunting and incident response. The output will be consolidated into a single CSV timeline for easy analysis in LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, etc...

• EnableWindowsLogSettings - Documentation and scripts to properly enable Windows event logs.
• Hayabusa Encoded Rules - The same as Hayabusa Rules repository but the rules and config files are stored in one file and XORed to prevent false positives from anti-virus.
• Hayabusa Rules - Hayabusa and curated Sigma detection rules used Hayabusa.
• Hayabusa EVTX - A more maintained fork of the evtx crate.
• Hayabusa Sample EVTXs - Sample evtx files to use for testing hayabusa/sigma detection rules.
• Presentations - Presentations from talks that we have given about our tools and resources.
• Sigma to Hayabusa Converter - Curates upstream Windows event log based Sigma rules into an easier to use form.
• Takajo - An analyzer for hayabusa results.
• WELA (Windows Event Log Analyzer) - An analyzer for Windows event logs written in PowerShell. (Deprecated and replaced by Takajo.)

• AllthingsTimesketch - A NodeRED workflow that imports Plaso and Hayabusa results into Timesketch.
• LimaCharlie - Provides cloud-based security tools and infrastructure to fit your needs.
• OpenRelik - An open-source (Apache-2.0) platform designed to streamline collaborative digital forensic investigations.
• Splunk4DFIR - Quickly spin up a splunk instance with Docker to browse through logs and tools output during your investigations.
• Velociraptor - A tool for collecting host based state information using The Velociraptor Query Language (VQL) queries.

• About Hayabusa
• Companion Projects
• Third-Party Projects That Use Hayabusa
  • Table of Contents
  • Main Goals
    • Threat Hunting and Enterprise-wide DFIR
    • Fast Forensics Timeline Generation
• Screenshots
  • Startup
  • DFIR Timeline Terminal Output
  • Keyword Search Results
  • Detection Fequency Timeline (-T option)
  • Results Summary
  • HTML Results Summary (-H option)
  • DFIR Timeline Analysis in LibreOffice (-M Multiline Output)
  • DFIR Timeline Analysis in Timeline Explorer
  • Critical Alert Filtering and Computer Grouping in Timeline Explorer
  • Analysis with the Elastic Stack Dashboard
  • Analysis in Timesketch
• Importing and Analyzing Timeline Results
• Analyzing JSON-formatted results with JQ
• Features
• Downloads
  • Windows live response packages
• Git Cloning
• Advanced: Compiling From Source (Optional)
  • Updating Rust Packages
  • Cross-compiling 32-bit Windows Binaries
  • macOS Compiling Notes
  • Linux Compiling Notes
  • Cross-compiling Linux MUSL Binaries
• Running Hayabusa
  • Caution: Anti-Virus/EDR Warnings and Slow Runtimes
  • Windows
    • Error when trying to scan a file or directory with a space in the path
  • Linux
  • macOS
• Command List
  • Analysis Commands:
  • DFIR Timeline Commands:
  • General Commands:
• Command Usage
  • Analysis Commands
    • computer-metrics command
      • computer-metrics command examples
      • computer-metrics screenshot
    • eid-metrics command
      • eid-metrics command examples
      • eid-metrics command config file
      • eid-metrics screenshot
    • logon-summary command
      • logon-summary command examples
      • logon-summary screenshots
    • pivot-keywords-list command
      • pivot-keywords-list command examples
      • pivot-keywords-list config file
    • search command
      • search command examples
      • search command config files
  • DFIR Timeline Commands
    • Scan Wizard
      • Core Rules
      • Core+ Rules
      • Core++ Rules
      • Emerging Threats (ET) Add-On Rules
      • Threat Hunting (TH) Add-On Rules
    • Channel-based event log and rules filtering
    • csv-timeline command
      • csv-timeline command examples
      • Advanced - GeoIP Log Enrichment
        • GeoIP config file
        • Automatic updates of GeoIP databases
      • csv-timeline command config files
    • json-timeline command
      • json-timeline command examples and config files
    • level-tuning command
      • level-tuning command examples
      • level-tuning config file
    • list-profiles command
    • set-default-profile command
      • set-default-profile command examples
    • update-rules command
      • update-rules command example
• Timeline Output
  • Output Profiles
    • 1. minimal profile output
    • 2. standard profile output
    • 3. verbose profile output
    • 4. all-field-info profile output
    • 5. all-field-info-verbose profile output
    • 6. super-verbose profile output
    • 7. timesketch-minimal profile output
    • 8. timesketch-verbose profile output
    • Profile Comparison
    • Profile Field Aliases
      • Extra Profile Field Aliases
  • Level Abbrevations
  • MITRE ATT&CK Tactics Abbreviations
  • Channel Abbreviations
  • Other Abbreviations
  • Progress Bar
  • Color Output
  • Results Summary
    • Detection Fequency Timeline
• Hayabusa Rules
  • Sigma v.s. Hayabusa (Built-in Sigma Compatible) Rules
• Other Windows Event Log Analyzers and Related Resources
• Windows Logging Recommendations
• Sysmon Related Projects
• Community Documentation
  • English
  • Japanese
• Contribution
• Bug Submission
• License
• Twitter

Hayabusa currently has over 4000 Sigma rules and over 170 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with Velociraptor's Hayabusa artifact. By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching Eric Capuano's Velociraptor walkthrough here.

Windows event log analysis has traditionally been a very long and tedious process because Windows event logs are 1) in a data format that is hard to analyze and 2) the majority of data is noise and not useful for investigations. Hayabusa's goal is to extract out only useful data and present it in a concise as possible easy-to-read format that is usable not only by professionally trained analysts but any Windows system administrator. Hayabusa hopes to let analysts get 80% of their work done in 20% of the time when compared to traditional Windows event log analysis.

You can learn how to analyze CSV timelines in Excel and Timeline Explorer here.

You can learn how to import CSV files into Elastic Stack here.

You can learn how to import CSV files into Timesketch here.

You can learn how to analyze JSON-formatted results with jq here.

• Cross-platform support: Windows, Linux, macOS.
• Developed in Rust to be memory safe and fast.
• Multi-thread support delivering up to a 5x speed improvement.
• Creates single easy-to-analyze timelines for forensic investigations and incident response.
• Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules.
• Sigma rule support to convert sigma rules to hayabusa rules.
• Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as |equalsfield and |endswithfield.
• Computer metrics. (Useful for filtering on/out certain computers with a large amount of events.)
• Event ID metrics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
• Rule tuning configuration by excluding unneeded or noisy rules.
• MITRE ATT&CK mapping of tactics.
• Rule level tuning.
• Create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc... as well as correlate events.
• Output all fields for more thorough investigations.
• Successful and failed logon summary.
• Enterprise-wide threat hunting and DFIR on all endpoints with Velociraptor.
• Output to CSV, JSON/JSONL and HTML Summary Reports.
• Daily Sigma rule updates.
• Support for JSON-formatted log input.
• Log field normalization. (Converting multiple fields with different naming conventions into the same field name.)
• Log enrichment by adding GeoIP (ASN, city, country) information to IP addresses.
• Search all events for keywords or regular expressions.
• Field data mapping. (Ex: 0xc0000234 -> ACCOUNT LOCKED)
• Evtx record carving from evtx slack space.
• Event de-duplication when outputting. (Useful when recovery records is enabled or when you include backed up evtx files, evtx files from VSS, etc...)
• Scan setting wizard to help choose which rules to enable easier. (In order to reduce false positives, etc...)
• PowerShell classic log field parsing and extraction.
• Low memory usage. (Note: this is possible by not sorting results. Best for running on agents or big data.)
• Filtering on Channels and Rules for the most efficient performance.

Please download the latest stable version of Hayabusa with compiled binaries or compile the source code from the Releases page.

We provide binaries for the following architectures:

• Linux ARM 64-bit GNU (hayabusa-x.x.x-lin-aarch64-gnu)
• Linux Intel 64-bit GNU (hayabusa-x.x.x-lin-x64-gnu)
• Linux Intel 64-bit MUSL (hayabusa-x.x.x-lin-x64-musl)
• macOS ARM 64-bit (hayabusa-x.x.x-mac-aarch64)
• macOS Intel 64-bit (hayabusa-x.x.x-mac-x64)
• Windows ARM 64-bit (hayabusa-x.x.x-win-aarch64.exe)
• Windows Intel 64-bit (hayabusa-x.x.x-win-x64.exe)
• Windows Intel 32-bit (hayabusa-x.x.x-win-x86.exe)

For some reason the Linux ARM MUSL binary does not run properly so we do not provide that binary. It is out of our control, so we plan on providing it in the future when it gets fixed.

As of v2.18.0, we are provide special Windows packages that use XOR-encoded rules provided in a single file as well as all of the config files combined into a single file (hosted at the hayabusa-encoded-rules repository). Just download the zip packages with live-response in the name. The zip files just include three files: the Hayabusa binary, XOR-encoded rules file and the config file. The purpose of these live response packages are for when running Hayabusa on client endpoints, we want to make sure that anti-virus scanners like Windows Defender do not give false positives on .yml rule files. Also, we want to minimize the amount of files being written to the system so that forensics artifacts like the USN Journal do not get overwritten.

You can git clone the repository with the following command and compile binary from source code:

Warning: The main branch of the repository is for development purposes so you may be able to access new features not yet officially released, however, there may be bugs so consider it unstable.

git clone https://github.com/Yamato-Security/hayabusa.git --recursive

Note: If you forget to use --recursive option, the rules folder, which is managed as a git submodule, will not be cloned.

You can sync the rules folder and get latest Hayabusa rules with git pull --recurse-submodules or use the following command:

hayabusa.exe update-rules

If the update fails, you may need to rename the rules folder and try again.

Caution: When updating, rules and config files in the rules folder are replaced with the latest rules and config files in the hayabusa-rules repository. Any changes you make to existing files will be overwritten, so we recommend that you make backups of any files that you edit before updating. If you are performing level tuning with level-tuning, please re-tune your rule files after each update. If you add new rules inside of the rules folder, they will not be overwritten or deleted when updating.

If you have Rust installed, you can compile from source with the following command:

Note: To compile, you usually need the latest version of Rust.

cargo build --release

You can download the latest unstable version from the main branch or the latest stable version from the Releases page.

Be sure to periodically update Rust with:

rustup update stable

The compiled binary will be outputted in the ./target/release folder.

You can update to the latest Rust crates before compiling:

cargo update

Please let us know if anything breaks after you update.

You can create 32-bit binaries on 64-bit Windows systems with the following:

rustup install stable-i686-pc-windows-msvc
rustup target add i686-pc-windows-msvc
rustup run stable-i686-pc-windows-msvc cargo build --release

Warning: Be sure to run rustup install stable-i686-pc-windows-msvc whenever there is a new stable version of Rust as rustup update stable will not update the compiler for cross compiling and you may receive build errors.

If you receive compile errors about openssl, you will need to install Homebrew and then install the following packages:

brew install pkg-config
brew install openssl

If you receive compile errors about openssl, you will need to install the following package.

Ubuntu-based distros:

sudo apt install libssl-dev

Fedora-based distros:

sudo yum install openssl-devel

On a Linux OS, first install the target.

rustup install stable-x86_64-unknown-linux-musl
rustup target add x86_64-unknown-linux-musl

Compile with:

cargo build --release --target=x86_64-unknown-linux-musl

Warning: Be sure to run rustup install stable-x86_64-unknown-linux-musl whenever there is a new stable version of Rust as rustup update stable will not update the compiler for cross compiling and you may receive build errors.

The MUSL binary will be created in the ./target/x86_64-unknown-linux-musl/release/ directory. MUSL binaries are are about 15% slower than the GNU binaries, however, they are more portable accross different versions and distributions of linux.

You may receive an alert from anti-virus or EDR products when trying to run hayabusa or even just when downloading the .yml rules as there will be keywords like mimikatz and suspicious PowerShell commands in the detection signature. These are false positives so will need to configure exclusions in your security products to allow hayabusa to run. If you are worried about malware or supply chain attacks, please check the hayabusa source code and compile the binaries yourself.

You may experience slow runtime especially on the first run after a reboot due to the real-time protection of Windows Defender. You can avoid this by temporarily turning real-time protection off or adding an exclusion to the hayabusa runtime directory. (Please take into consideration the security risks before doing these.)

In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary.

When using the built-in Command or PowerShell prompt in Windows, you may receive an error that Hayabusa was not able to load any .evtx files if there is a space in your file or directory path. In order to load the .evtx files properly, be sure to do the following:

1. Enclose the file or directory path with double quotes.
2. If it is a directory path, make sure that you do not include a backslash for the last character.

You first need to make the binary executable.

chmod +x ./hayabusa

Then run it from the Hayabusa root directory:

./hayabusa

From Terminal or iTerm2, you first need to make the binary executable.

chmod +x ./hayabusa

Then, try to run it from the Hayabusa root directory:

./hayabusa

On the latest version of macOS, you may receive the following security error when you try to run it:

Click "Cancel" and then from System Preferences, open "Security & Privacy" and from the General tab, click "Allow Anyway".

After that, try to run it again.

./hayabusa

The following warning will pop up, so please click "Open".

You should now be able to run hayabusa.

• computer-metrics: Print the number of events based on computer names.
• eid-metrics: Print the number and percentage of events based on Event ID.
• logon-summary: Print a summary of logon events.
• pivot-keywords-list: Print a list of suspicious keywords to pivot on.
• search: Search all events by keyword(s) or regular expressions

• csv-timeline: Save the timeline in CSV format.
• json-timeline: Save the timeline in JSON/JSONL format.
• level-tuning: Custom tune the alerts' level.
• list-profiles: List the available output profiles.
• set-default-profile: Change the default profile.
• update-rules: Sync the rules to the latest rules in the hayabusa-rules GitHub repository.

• help: Print this message or the help of the given subcommand(s)
• list-contributors: Print the list of contributors

You can use the computer-metrics command to check how many events there are according to each computer defined in the <System><Computer> field. Be aware that you cannot completely rely on the Computer field for separating events by their original computer. Windows 11 will sometimes use completely different Computer names when saving to event logs. Also, Windows 10 will sometimes record the Computer name in all lowercase. This command does not use any detection rules so will analyze all events. This is a good command to run to quickly see which computers have the most logs. With this information, you can then use the --include-computer or --exclude-computer options when creating your timelines to make your timeline generation more efficient by creating multiple timelines according to computer or exclude events from certain computers.

Usage: computer-metrics <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:WindowsSystem32winevtLogs folder

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -J, --JSON-input                     Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)

Filtering:
      --timeline-offset <OFFSET>  Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)

Output:
  -o, --output <FILE>  Save the results in CSV format (ex: computer-metrics.csv)

Display Settings:
      --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

• Print computer name metrics from a directory: hayabusa.exe computer-metrics -d ../logs
• Save results to a CSV file: hayabusa.exe computer-metrics -d ../logs -o computer-metrics.csv

You can use the eid-metrics command to print out the total number and percentage of event IDs (<System><EventID> field) seperated by channels. This command does not use any detection rules so will scan all events.

Usage: eid-metrics <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:WindowsSystem32winevtLogs folder

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -J, --JSON-input                     Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)

Filtering:
      --exclude-computer <COMPUTER...>  Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --include-computer <COMPUTER...>  Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --timeline-offset <OFFSET>        Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)

Output:
  -o, --output <FILE>  Save the Metrics in CSV format (ex: metrics.csv)

Display Settings:
      --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
      --ISO-8601          Output timestamp in ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
  -U, --UTC               Output time in UTC format (default: local time)

• Print Event ID metrics from a single file: hayabusa.exe eid-metrics -f Security.evtx
• Print Event ID metrics from a directory: hayabusa.exe eid-metrics -d ../logs
• Save results to a CSV file: hayabusa.exe eid-metrics -f Security.evtx -o eid-metrics.csv

The channel, event IDs and titles of the events are defined in rules/config/channel_eid_info.txt.

Example:

Channel,EventID,EventTitle
Microsoft-Windows-Sysmon/Operational,1,Process Creation.
Microsoft-Windows-Sysmon/Operational,2,File Creation Timestamp Changed. (Possible Timestomping)
Microsoft-Windows-Sysmon/Operational,3,Network Connection.
Microsoft-Windows-Sysmon/Operational,4,Sysmon Service State Changed.

You can use the logon-summary command to output logon information summary (logon usernames and successful and failed logon count). You can display the logon information for one evtx file with -f or multiple evtx files with the -d option.

Usage: logon-summary <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:WindowsSystem32winevtLogs folder

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -J, --JSON-input                     Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)

Filtering:
      --exclude-computer <COMPUTER...>  Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --include-computer <COMPUTER...>  Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --timeline-end <DATE>             End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
      --timeline-offset <OFFSET>        Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
      --timeline-start <DATE>           Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")

Output:
  -o, --output <FILENAME-PREFIX>  Save the logon summary to two CSV files (ex: -o logon-summary)

Display Settings:
      --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
      --ISO-8601          Output timestamp in ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
  -U, --UTC               Output time in UTC format (default: local time)

• Print logon summary: hayabusa.exe logon-summary -f Security.evtx
• Save logon summary results: hayabusa.exe logon-summary -d ../logs -o logon-summary.csv

You can use the pivot-keywords-list command to create a list of unique pivot keywords to quickly identify abnormal users, hostnames, processes, etc... as well as correlate events.

Important: by default, hayabusa will return results from all events (informational and higher) so we highly recommend combining the pivot-keywords-list command with the -m, --min-level option. For example, start off with only creating keywords from critical alerts with -m critical and then continue with -m high, -m medium, etc... There will most likely be common keywords in your results that will match on many normal events, so after manually checking the results and creating a list of unique keywords in a single file, you can then create a narrowed down timeline of suspicious activity with a command like grep -f keywords.txt timeline.csv.

Usage: pivot-keywords-list <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:WindowsSystem32winevtLogs folder

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -J, --JSON-input                     Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -w, --no-wizard                      Do not ask questions. Scan for all events and alerts
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)

Filtering:
  -E, --EID-filter                      Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
  -D, --enable-deprecated-rules         Enable rules with a status of deprecated
  -n, --enable-noisy-rules              Enable rules set to noisy (./rules/config/noisy_rules.txt)
  -u, --enable-unsupported-rules        Enable rules with a status of unsupported
  -e, --exact-level <LEVEL>             Only load rules with a specific level (informational, low, medium, high, critical)
      --exclude-computer <COMPUTER...>  Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --exclude-eid <EID...>            Do not scan specific EIDs for faster speed (ex: 1) (ex: 1,4688)
      --exclude-status <STATUS...>      Do not load rules according to status (ex: experimental) (ex: stable,test)
      --exclude-tag <TAG...>            Do not load rules with specific tags (ex: sysmon)
      --include-computer <COMPUTER...>  Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --include-eid <EID...>            Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)
      --include-status <STATUS...>      Only load rules with specific status (ex: experimental) (ex: stable,test)
      --include-tag <TAG...>            Only load rules with specific tags (ex: attack.execution,attack.discovery)
  -m, --min-level <LEVEL>               Minimum level for rules to load (default: informational)
      --timeline-end <DATE>             End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
      --timeline-offset <OFFSET>        Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
      --timeline-start <DATE>           Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")

Output:
  -o, --output <FILENAME-PREFIX>  Save pivot words to separate files (ex: PivotKeywords)

Display Settings:
      --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

• Output pivot keywords to screen: hayabusa.exe pivot-keywords-list -d ../logs -m critical
• Create a list of pivot keywords from critical alerts and save the results. (Results will be saved to keywords-Ip Addresses.txt, keywords-Users.txt, etc...):

hayabusa.exe pivot-keywords-list -d ../logs -m critical -o keywords`

You can customize what keywords you want to search for by editing ./rules/config/pivot_keywords.txt. This page is the default setting.

The format is KeywordName.FieldName. For example, when creating the list of Users, hayabusa will list up all the values in the SubjectUserName, TargetUserName and User fields.

The search command will let you keyword search on all events. (Not just Hayabusa detection results.) This is useful to determine if there is any evidence in events that are not detected by Hayabusa.

Usage: hayabusa.exe search <INPUT> <--keywords "<KEYWORDS>" OR --regex "<REGEX>"> [OPTIONS]

Display Settings:
      --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:WindowsSystem32winevtLogs folder

Filtering:
  -a, --and-logic                 Search keywords with AND logic (default: OR)
  -F, --filter <FILTER...>        Filter by specific field(s)
  -i, --ignore-case               Case-insensitive keyword search
  -k, --keyword <KEYWORD...>      Search by keyword(s)
  -r, --regex <REGEX>             Search by regular expression
      --timeline-offset <OFFSET>  Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)

Output:
  -J, --JSON-output    Save the search results in JSON format (ex: -J -o results.json)
  -L, --JSONL-output   Save the search results in JSONL format (ex: -L -o results.jsonl)
  -M, --multiline      Output event field information in multiple rows for CSV output
  -o, --output <FILE>  Save the search results in CSV format (ex: search.csv)

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
      --ISO-8601          Output timestamp in ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
  -U, --UTC               Output time in UTC format (default: local time)

• Search the ../hayabusa-sample-evtx directory for the keyword mimikatz: