search

Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0
2.07k stars 183 forks source link

[bug] Timeline commands can read file but not folder #1382

Open Droid-HK47 opened 4 days ago

Droid-HK47 commented 4 days ago

Describe the bug

In a particular environment, the command json-timeline or csv-timeline cannot read the EVTX folder, but can read a file alone.

Step to Reproduce Steps to reproduce the behavior:

I think the bug cannot be reproduced because I have no problems with another computer, it might be proper to my environment.

  1. Try : .\hayabusa-2.16.0-win-x64.exe csv-timeline -d 'C:\\'
  2. Hayabusa will indicate "Total event log files : X". In winevt, I got something like 400 files with 3-4 GB.
  3. After loading the rules, Hayabusa will show
Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 0
Detection rules enabled after channel filter: 0

So it just ignore all the EVTX it was able to read just before. Then the program finishes without doing much analyses since it has filtered out all of them.

  1. Try : .\hayabusa-2.16.0-win-x64.exe csv-timeline -f 'C:\\Security.evtx'
  2. It works like a charm. So it seems it got problems with reading a folder ?
  3. --live-analysis got the same problem
  4. I have tried to take only 2 EVTX in another neighbor folder with the same rights (Security.evtx / Application.evtx) : It works
  5. I have double checked the rights of all the files. They are all in the scope of the user (Below local Admin / System, I have tried both). Defender has no logs trying to block something. I have checked in Procmon and I cannot see real problems (Successes and some "Buffer overflow", as usual, they exist also when it works)

Expected behavior

Just to not having the channel filter filtering all of the EVTX

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

Additional context

I know the problem seems linked to my environment (same problems of other machines from my enterprise regarding Hayabusa, it wasn't the case before). Could you verify if you have already seen such a behavior ?

YamatoSecurity commented 4 days ago

Thank you for reporting this. What happens when you scan the directory and add -a -A options to disable the channel filters?

fukusuket commented 2 days ago

I ran it on a newly created Windows 11 in Azure and it worked fine as follows. Thus, it appears to be a problem that occurs only in certain environments🤔 What about running it with the -a/-A/-v option, as @YamatoSecurity says?

スクリーンショット 2024-07-07 15 35 29 スクリーンショット 2024-07-07 15 35 46 スクリーンショット 2024-07-07 15 35 54
Droid-HK47 commented 19 hours ago

Hello here,

Could you point me out where in the doc are the parameter "-a"/"-A" ? I just found this under the command "search" :

-a, --and-logic Search keywords with AND logic (default: OR)

That isn't exactly what I was expecting.

Anyway, it just works, and I don't understand exactly what is wrong with the filter channel since I have used exactly the same version of Hayabusa on both computers with the same set of data on a Windows 11 machine. I guess the default channel filter is different for some reasons ?

EDIT : nevermind, I haven't found the -a under the main page of the GIT for csv-timeline, but it is actually in the help of the cmd line.