Closed fukusuket closed 1 week ago
ls -la
total 123032
drwx------@ 9 fukusuke staff 288 11 13 22:05 .
drwxr-xr-x 10 fukusuke staff 320 11 13 21:53 ..
-rw-r--r--@ 1 fukusuke staff 6148 11 13 20:23 .DS_Store
-rw-r--r--@ 1 fukusuke staff 7957970 11 13 22:51 encoded_rules.yml
-rwxr-xr-x@ 1 fukusuke staff 10943960 11 13 22:50 hayabusa
-rwxr-xr-x@ 1 fukusuke staff 10927352 11 13 03:41 hayabusa-2.19.0-mac-aarch64
drwxr-xr-x@ 3 fukusuke staff 96 11 13 19:41 logs
-rw-r--r--@ 1 fukusuke staff 142924 11 13 22:51 rules_config_files.txt
% ./hayabusa update-rules
[Hayabusa logo banner]
by Yamato Security
Crafted for the relentless hunter~
Start time: 2024/11/13 23:40
Rules file encoded_rules.yml updated successfully.
Config file rules_config_files.txt updated successfully.
平常心是道 - Heijoushin Kore Dou - An ordinary mind is the way.
% ./hayabusa update-rules -q
Start time: 2024/11/13 23:41
Rules file encoded_rules.yml updated successfully.
Config file rules_config_files.txt updated successfully.
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -o timeline.csv -C
[Hayabusa logo banner]
by Yamato Security
Cutting through the noise, straight to the threats~
Start time: 2024/11/13 23:42
Total event log files: 598
Total file size: 139.2 MB
Loading detection rules. Please wait.
Excluded rules: 26
Noisy rules: 12 (Disabled)
Deprecated rules: 216 (5.00%) (Disabled)
Experimental rules: 373 (8.63%)
Stable rules: 241 (5.58%)
Test rules: 3,706 (85.79%)
Unsupported rules: 42 (0.97%) (Disabled)
Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)
Hayabusa rules: 175
Sigma rules: 4,145
Total detection rules: 4,320
Creating the channel filter. Please wait.
Evtx files loaded after channel filter: 585
Detection rules enabled after channel filter: 4,248
Output profile: standard
Scanning in progress. Please wait.
[00:00:07] 585 / 585 [========================================] 100%
Scanning finished. Please wait while the results are being saved.
Rule Authors:
  Florian Roth (152)  Nasreddine Bencherchali (114)  Zach Mathis (110)  oscd.community (88)
  frack113 (84)  Tim Shelton (27)  Daniil Yugoslavskiy (19)  Teymur Kheirkhabarov (19)
  Christian Burkard (16)  Jonhnathan Ribeiro (16)  Thomas Patzke (16)  Markus Neis (13)
  Roberto Rodriguez @Cyb3r... (12)  Roberto Rodriguez (12)  Timur Zinniatullin (11)  Elastic (11)
  Tim Rauch (10)  Samir Bousseaden (10)  Swachchhanda Shrawan Poudel (10)  E.M. Anhaus (10)
  OTR (9)  Victor Sergeev (7)  Michael Haag (7)  X__Junior (6)
  Natalia Shornikova (6)  Endgame) (6)  omkar72 (5)  Sander Wiebing (5)
  Arnim Rupp (5)  Ecco (5)  David ANDRE (5)  Gleb Sukhodolskiy (4)
  Endgame (4)  @neu5ron (4)  Tobias Michalski (4)  JHasenbusch (4)
  Ilyas Ochkov (3)  Max Altgelt (3)  Wojciech Lesicki (3)  Harish Segar (3)
  Eric Conrad (3)  Andreas Hunkeler (3)  elhoim (3)  Yusuke Matsui (3)
  Christopher Peacock @sec... (3)  Nikita Nazarov (3)  Janantha Marasinghe (3)  Tom Ueltschi (3)
  pH-T (3)  Fukusuke Takahashi (3)  SOC Prime (2)  Aleksey Potapov (2)
  Sean Metcalf (2)  Jordan Lloyd (2)  Nik Seetharaman (2)  Hieu Tran (2)
  Chakib Gzenayi (2)  juju4 (2)  Zach Stanford @svch0st (2)  @SBousseaden (2)
  Austin Songer @austinsonger (2)  D3F7A5105 (2)  Anton Kutepov (2)  Vasiliy Burov (2)
  wagga (2)  Tony Lambert) (2)  Vadim Khrykov (2)  James Pemberton@4A616D6573 (2)
  Alexandr Yampolskyi (2)  @twjackomo (2)  Jakob Weinzettl (2)  SCYTHE @scythe_io (2)
  Hosni Mribah (2)  Sreeman (2)  FPT.EagleEye (2)  Perez Diego (2)
  Mark Russinovich (2)  Dimitrios Slamaris (2)  Daniel Bohannon (2)  FPT.EagleEye Team (2)
  Cyb3rEng (2)  Karneades (2)  KevTheHermit (1)  fuzzyf10w (1)
  Dave Kennedy (1)  Yassine Oukessou (1)  @gott_cyber (1)  @dreadphones (1)
  Tom U. @c_APT_ure (1)  Benjamin Delpy (1)  Zaw Min Htun (1)  Julia Fomina (1)
  @scythe_io (1)  Stamatis Chatzimangou (1)  James Pemberton @4A616D6573 (1)  @oscd_initiative (1)
  Andreas Braathen (1)  Matthew Green @mgreen27 (1)  Cedric MAURUGEON (1)  Sorina Ionescu (1)
  keepwatch (1)  Tuan Le (1)  Romaissa Adjailia (1)  Jason Lynch (1)
  Jose Rodriguez (1)  David Burkett (1)  Markus Neis @Karneades (1)  Subhash Popuri (1)
  Jack Croock (1)  Ivan Dyachkov (1)  Pushkarev Dmitry (1)  Oddvar Moe (1)
  SBousseaden (1)  Maxime Thiebaut (1)  Alec Costello (1)  Sherif Eldeeb (1)
  John Lambert (1)  Modexp (1)  Trent Liffick (1)  Teymur Kheirkhabarov @He... (1)
  Swisscom CSIRT (1)  blueteam0ps (1)  Jeff Warren (1)  @kostastsale (1)
  NVISO (1)  Kutepov Anton (1)  James Pemberton@4A616D65... (1)  James Dickenson (1)
  Dominik Schaudel (1)  Mangatas Tondang (1)  @caliskanfurkan_ (1)  @Joseliyo_Jstnk (1)
  David Strassegger (1)  alias support) (1)  rukawa (1)  Ahmed Farouk (1)
  vburov (1)  Sami Ruohonen (1)  Semanur Guneysu @semanurtg (1)  Justin C. (1)
  Omer Faruk Celik (1)  Bartlomiej Czyz @bczyz1 (1)  MalGamy (1)  Dan Beavin) (1)
  Margaritis Dimitrios (1)  Stephen Lincoln `@slinco... (1)  @signalblur (1)  EagleEye Team (1)
  Austin Songer (1)  Dmitriy Lifanov (1)  Relativity (1)  @juju4 (1)
  Tom Kern (1)  Center for Threat Inform... (1)  CD_ROM_ (1)  Maxence Fossat (1)
  @svch0st (1)  Christopher Peacock @Sec... (1)  mdecrevoisier (1)  Scott Dermott (1)
  j4son (1)  @atc_project (1)  Bhabesh Raj (1)  Open Threat Research (1)
  Mark Woan (1)  Maxim Pavlunin (1)  Daniel Koifman (1)  Tony Lambert (1)
  Bartlomiej Czyz (1)  Timon Hackenjos (1)  Ali Alwashali (1)  Fatih Sirin (1)
  Josh Nickels (1)  Mustafa Kaan Demir (1)  Furkan CALISKAN (1)  Oleg Kolesnikov @securon... (1)
  Nextron Systems (1)  SCYTHE (1)  @2xxeformyshirt (1)  Georg Lauenstein (1)
  Joseliyo Sanchez (1)  Joshua Wright (1)  Anish Bogati (1)
Results Summary:
Events with hits / Total events: 19,752 / 46,495 (Data reduction: 26,743 events (57.52%))
Total | Unique detections: 32,232 | 672
Total | Unique critical detections: 51 (0.16%) | 20 (0.00%)
Total | Unique high detections: 5,586 (17.33%) | 260 (9.08%)
Total | Unique medium detections: 2,151 (6.67%) | 247 (12.50%)
Total | Unique low detections: 6,145 (19.06%) | 84 (36.76%)
Total | Unique informational detections: 18,299 (56.77%) | 61 (38.69%)
Dates with most total detections:
critical: 2019-07-19 (16), high: 2016-09-20 (3,650), medium: 2019-05-19 (249), low: 2016-09-20 (3,708), informational: 2016-08-19 (2,115)
Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (9), srvdefender01.offsec.lan (2), fs01.offsec.lan (1), win10-02.offsec.lan (1), rootdc1.offsec.lan (1)
high: MSEDGEWIN10 (103), IEWIN7 (60), fs03vuln.offsec.lan (23), IE10Win7 (23), FS03.offsec.lan (22)
medium: MSEDGEWIN10 (92), IEWIN7 (59), FS03.offsec.lan (27), fs03vuln.offsec.lan (24), rootdc1.offsec.lan (18)
low: MSEDGEWIN10 (38), IEWIN7 (21), FS03.offsec.lan (19), fs03vuln.offsec.lan (15), fs01.offsec.lan (12)
informational: IEWIN7 (18), MSEDGEWIN10 (17), PC01.example.corp (15), fs01.offsec.lan (14), IE10Win7 (14)
Top critical alerts:
  Sticky Key Like Backdoor Usage - Registry (8)
  Active Directory Replication from Non Machine Account (6)
  CobaltStrike Service Installations - System (6)
  WannaCry Ransomware Activity (4)
  Defender Alert (Severe) (4)
Top high alerts:
  Metasploit SMB Authentication (3,562)
  Suspicious Service Path (277)
  Suspicious Service Installation Script (250)
  PowerShell Scripts Installed as Services (250)
  Suspicous Service Name (80)
Top medium alerts:
  Potentially Malicious PwSh (235)
  Reg Key Value Set (Sysmon Alert) (107)
  Proc Injection (104)
  Remote Thread Creation In Uncommon Target Image (93)
  Remote Thread Creation Via PowerShell (93)
Top low alerts:
  Logon Failure (Wrong Password) (3,580)
  Possible LOLBIN (1,418)
  Non Interactive PowerShell Process Spawned (326)
  Proc Access (156)
  DLL Loaded (Sysmon Alert) (109)
Top informational alerts:
  Proc Exec (11,173)
  NetShare File Access (2,558)
  PwSh Scriptblock (789)
  PwSh Pipeline Exec (680)
  NetShare Access (403)
  Svc Installed (331)
  Explicit Logon (304)
  New Non-USB PnP Device (268)
  Net Conn (243)
  File Created (212)
Saved file: timeline.csv (31.9 MB)
Elapsed time: 00:00:08.1687
Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls
知行合一 - Chi Kou Gou Itsu - Knowledge and action must be inseparable.
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -o timeline.csv -C -q
Start time: 2024/11/13 23:42
Total event log files: 598
Total file size: 139.2 MB
Loading detection rules. Please wait.
Excluded rules: 26
Noisy rules: 12 (Disabled)
Deprecated rules: 216 (5.00%) (Disabled)
Experimental rules: 373 (8.63%)
Stable rules: 241 (5.58%)
Test rules: 3,706 (85.79%)
Unsupported rules: 42 (0.97%) (Disabled)
Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)
Hayabusa rules: 175
Sigma rules: 4,145
Total detection rules: 4,320
Creating the channel filter. Please wait.
Evtx files loaded after channel filter: 585
Detection rules enabled after channel filter: 4,248
Output profile: standard
Scanning in progress. Please wait.
[00:00:07] 585 / 585 [========================================] 100%
Scanning finished. Please wait while the results are being saved.
Rule Authors:
  Florian Roth (152)  Nasreddine Bencherchali (114)  Zach Mathis (110)  oscd.community (88)
  frack113 (84)  Tim Shelton (27)  Teymur Kheirkhabarov (19)  Daniil Yugoslavskiy (19)
  Thomas Patzke (16)  Jonhnathan Ribeiro (16)  Christian Burkard (16)  Markus Neis (13)
  Roberto Rodriguez @Cyb3r... (12)  Roberto Rodriguez (12)  Timur Zinniatullin (11)  Elastic (11)
  E.M. Anhaus (10)  Swachchhanda Shrawan Poudel (10)  Samir Bousseaden (10)  Tim Rauch (10)
  OTR (9)  Victor Sergeev (7)  Michael Haag (7)  X__Junior (6)
  Natalia Shornikova (6)  Endgame) (6)  omkar72 (5)  Ecco (5)
  David ANDRE (5)  Sander Wiebing (5)  Arnim Rupp (5)  Endgame (4)
  @neu5ron (4)  Tobias Michalski (4)  JHasenbusch (4)  Gleb Sukhodolskiy (4)
  Fukusuke Takahashi (3)  Max Altgelt (3)  pH-T (3)  Christopher Peacock @sec... (3)
  Eric Conrad (3)  Andreas Hunkeler (3)  Wojciech Lesicki (3)  Yusuke Matsui (3)
  Janantha Marasinghe (3)  Ilyas Ochkov (3)  Harish Segar (3)  elhoim (3)
  Nikita Nazarov (3)  Tom Ueltschi (3)  Zach Stanford @svch0st (2)  juju4 (2)
  Sreeman (2)  @twjackomo (2)  D3F7A5105 (2)  Perez Diego (2)
  Alexandr Yampolskyi (2)  Hosni Mribah (2)  Vadim Khrykov (2)  wagga (2)
  Cyb3rEng (2)  Daniel Bohannon (2)  Austin Songer @austinsonger (2)  Aleksey Potapov (2)
  SOC Prime (2)  Vasiliy Burov (2)  Tony Lambert) (2)  Chakib Gzenayi (2)
  Karneades (2)  SCYTHE @scythe_io (2)  Nik Seetharaman (2)  @SBousseaden (2)
  Sean Metcalf (2)  FPT.EagleEye (2)  James Pemberton@4A616D6573 (2)  Jakob Weinzettl (2)
  Dimitrios Slamaris (2)  FPT.EagleEye Team (2)  Jordan Lloyd (2)  Hieu Tran (2)
  Anton Kutepov (2)  Mark Russinovich (2)  Cedric MAURUGEON (1)  Jeff Warren (1)
  Jack Croock (1)  James Pemberton@4A616D65... (1)  Mangatas Tondang (1)  Christopher Peacock @Sec... (1)
  Ali Alwashali (1)  Furkan CALISKAN (1)  Tom U. @c_APT_ure (1)  Yassine Oukessou (1)
  Sherif Eldeeb (1)  Oddvar Moe (1)  @2xxeformyshirt (1)  Dmitriy Lifanov (1)
  @caliskanfurkan_ (1)  John Lambert (1)  mdecrevoisier (1)  Teymur Kheirkhabarov @He... (1)
  Timon Hackenjos (1)  Dan Beavin) (1)  Subhash Popuri (1)  @Joseliyo_Jstnk (1)
  David Burkett (1)  Tom Kern (1)  Julia Fomina (1)  fuzzyf10w (1)
  @kostastsale (1)  Tony Lambert (1)  Trent Liffick (1)  Maxence Fossat (1)
  blueteam0ps (1)  Bhabesh Raj (1)  Center for Threat Inform... (1)  @signalblur (1)
  Modexp (1)  Open Threat Research (1)  @atc_project (1)  Markus Neis @Karneades (1)
  MalGamy (1)  Mustafa Kaan Demir (1)  Ivan Dyachkov (1)  Swisscom CSIRT (1)
  Alec Costello (1)  Anish Bogati (1)  CD_ROM_ (1)  Stephen Lincoln `@slinco... (1)
  Justin C. (1)  @scythe_io (1)  Fatih Sirin (1)  Daniel Koifman (1)
  Pushkarev Dmitry (1)  James Pemberton @4A616D6573 (1)  Relativity (1)  Tuan Le (1)
  Jason Lynch (1)  Sorina Ionescu (1)  James Dickenson (1)  Romaissa Adjailia (1)
  SCYTHE (1)  @dreadphones (1)  alias support) (1)  keepwatch (1)
  Omer Faruk Celik (1)  Austin Songer (1)  Josh Nickels (1)  Bartlomiej Czyz (1)
  @gott_cyber (1)  Mark Woan (1)  Dominik Schaudel (1)  Scott Dermott (1)
  Joseliyo Sanchez (1)  Jose Rodriguez (1)  NVISO (1)  KevTheHermit (1)
  Zaw Min Htun (1)  Kutepov Anton (1)  j4son (1)  Sami Ruohonen (1)
  Stamatis Chatzimangou (1)  David Strassegger (1)  Ahmed Farouk (1)  Semanur Guneysu @semanurtg (1)
  Oleg Kolesnikov @securon... (1)  SBousseaden (1)  Joshua Wright (1)  @svch0st (1)
  Margaritis Dimitrios (1)  Benjamin Delpy (1)  Matthew Green @mgreen27 (1)  Nextron Systems (1)
  @oscd_initiative (1)  Dave Kennedy (1)  Georg Lauenstein (1)  rukawa (1)
  EagleEye Team (1)  Bartlomiej Czyz @bczyz1 (1)  Maxime Thiebaut (1)  Maxim Pavlunin (1)
  Andreas Braathen (1)  @juju4 (1)  vburov (1)
Results Summary:
Events with hits / Total events: 19,752 / 46,495 (Data reduction: 26,743 events (57.52%))
Total | Unique detections: 32,232 | 672
Total | Unique critical detections: 51 (0.16%) | 20 (0.00%)
Total | Unique high detections: 5,586 (17.33%) | 260 (9.08%)
Total | Unique medium detections: 2,151 (6.67%) | 247 (12.50%)
Total | Unique low detections: 6,145 (19.06%) | 84 (36.76%)
Total | Unique informational detections: 18,299 (56.77%) | 61 (38.69%)
Dates with most total detections:
critical: 2019-07-19 (16), high: 2016-09-20 (3,650), medium: 2019-05-19 (249), low: 2016-09-20 (3,708), informational: 2016-08-19 (2,115)
Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (9), srvdefender01.offsec.lan (2), DC1.insecurebank.local (1), DESKTOP-PIU87N6 (1), IEWIN7 (1)
high: MSEDGEWIN10 (103), IEWIN7 (60), IE10Win7 (23), fs03vuln.offsec.lan (23), FS03.offsec.lan (22)
medium: MSEDGEWIN10 (92), IEWIN7 (59), FS03.offsec.lan (27), fs03vuln.offsec.lan (24), rootdc1.offsec.lan (18)
low: MSEDGEWIN10 (38), IEWIN7 (21), FS03.offsec.lan (19), fs03vuln.offsec.lan (15), fs01.offsec.lan (12)
informational: IEWIN7 (18), MSEDGEWIN10 (17), PC01.example.corp (15), IE10Win7 (14), FS03.offsec.lan (14)
Top critical alerts:
  Sticky Key Like Backdoor Usage - Registry (8)
  CobaltStrike Service Installations - System (6)
  Active Directory Replication from Non Machine Account (6)
  WannaCry Ransomware Activity (4)
  Defender Alert (Severe) (4)
Top high alerts:
  Metasploit SMB Authentication (3,562)
  Suspicious Service Path (277)
  PowerShell Scripts Installed as Services (250)
  Suspicious Service Installation Script (250)
  Suspicous Service Name (80)
Top medium alerts:
  Potentially Malicious PwSh (235)
  Reg Key Value Set (Sysmon Alert) (107)
  Proc Injection (104)
  Remote Thread Creation Via PowerShell (93)
  Remote Thread Creation In Uncommon Target Image (93)
Top low alerts:
  Logon Failure (Wrong Password) (3,580)
  Possible LOLBIN (1,418)
  Non Interactive PowerShell Process Spawned (326)
  Proc Access (156)
  DLL Loaded (Sysmon Alert) (109)
Top informational alerts:
  Proc Exec (11,173)
  NetShare File Access (2,558)
  PwSh Scriptblock (789)
  PwSh Pipeline Exec (680)
  NetShare Access (403)
  Svc Installed (331)
  Explicit Logon (304)
  New Non-USB PnP Device (268)
  Net Conn (243)
  File Created (212)
Saved file: timeline.csv (31.9 MB)
Elapsed time: 00:00:08.1445
Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls
% ./hayabusa json-timeline -d ../hayabusa-sample-evtx/YamatoSecurity -w -o timeline.json
[Hayabusa logo banner]
by Yamato Security
Striving for perfection~
Start time: 2024/11/13 23:44
Total event log files: 15
Total file size: 1044.5 KB
Loading detection rules. Please wait.
Excluded rules: 26
Noisy rules: 12 (Disabled)
Deprecated rules: 216 (5.01%) (Disabled)
Experimental rules: 373 (8.65%)
Stable rules: 241 (5.59%)
Test rules: 3,700 (85.77%)
Unsupported rules: 42 (0.97%) (Disabled)
Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)
Hayabusa rules: 175
Sigma rules: 4,139
Total detection rules: 4,314
Creating the channel filter. Please wait.
Evtx files loaded after channel filter: 14
Detection rules enabled after channel filter: 3,890
Output profile: standard
Scanning in progress. Please wait.
[00:00:00] 14 / 14 [========================================] 100%
Scanning finished. Please wait while the results are being saved.
Rule Authors:
  Zach Mathis (30)  Florian Roth (6)  frack113 (6)  Yusuke Matsui (3)
  Nasreddine Bencherchali (3)  Tim Shelton (2)  Jordan Lloyd (2)  Jeff Warren (1)
  Harish Segar (1)  Jonhnathan Ribeiro (1)  oscd.community (1)  @juju4 (1)
  rukawa (1)  Dave Kennedy (1)  D3F7A5105 (1)  Roberto Rodriguez (1)
  OTR (1)  @kostastsale (1)  Fukusuke Takahashi (1)
Results Summary:
Events with hits / Total events: 86 / 202 (Data reduction: 116 events (57.43%))
Total | Unique detections: 111 | 49
Total | Unique critical detections: 1 (0.90%) | 1 (0.00%)
Total | Unique high detections: 15 (13.51%) | 7 (38.78%)
Total | Unique medium detections: 25 (22.52%) | 16 (12.24%)
Total | Unique low detections: 10 (9.01%) | 6 (32.65%)
Total | Unique informational detections: 60 (54.05%) | 19 (14.29%)
Dates with most total detections:
critical: 2020-01-19 (1), high: 2022-08-29 (9), medium: 2021-11-18 (10), low: 2022-08-29 (6), informational: 2022-02-23 (26)
Top 5 computers with most unique detections:
critical: Isaac (1)
high: DESKTOP-VQBONAV (5), dc1.test.local (1), DC-Server-1.labcorp.local (1), PC-01.cybercat.local (1)
medium: PC-01.cybercat.local (5), DC-Server-1.labcorp.local (4), DESKTOP-VQBONAV (3), wef.windomain.local (2), DESKTOP-ST69BPO (2)
low: DESKTOP-VQBONAV (3), wef.windomain.local (1), DESKTOP-ST69BPO (1), PC-01.cybercat.local (1), sv-dc.hinokabegakure-no-sato.local (1)
informational: DC-Server-1.labcorp.local (6), dc1.test.local (5), wef.windomain.local (3), EC2AMAZ-6C3C9U6 (2), PC-01.cybercat.local (2)
Top critical alerts:
  Audit CVE Event (1)
Top high alerts:
  Log Cleared (4)
  Blocked Exe File Creation (4)
  Proc Exec (Sysmon Alert) (2)
  Legitimate Application Dropped Executable (2)
  Suspicious File Downloaded From Direct IP Via Certuti... (1)
Top medium alerts:
  File Created (Sysmon Alert) (6)
  Reg Key Create/Delete (Sysmon Alert) (2)
  Possible RDP Hijacking (2)
  Reg Key Value Set (Sysmon Alert) (2)
  EVTX Created In Uncommon Location (2)
Top low alerts:
  Creation of an Executable by an Executable (4)
  Proc Access (2)
  Renamed Powershell Under Powershell Channel (1)
  Possible LOLBIN (1)
  Possible Timestomping (1)
Top informational alerts:
  Proc Exec (14)
  Proc Terminated (10)
  Kerberos Service Ticket Requested (8)
  File Created (4)
  PwSh Engine Started (3)
  Logon (Network) (3)
  RDS GTW Logoff (2)
  Admin Logon (2)
  Kerberos TGT Requested (2)
  Logoff (2)
Saved file: timeline.json (98.5 KB)
Elapsed time: 00:00:02.574
Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls
失敗は成功のもと - Shippai Wa Seikou No Moto - Failure is the root of success.
% ./hayabusa json-timeline -d ../hayabusa-sample-evtx/YamatoSecurity -w -o timeline.json -q -C
Start time: 2024/11/13 23:45
Total event log files: 15
Total file size: 1044.5 KB
Loading detection rules. Please wait.
Excluded rules: 26
Noisy rules: 12 (Disabled)
Deprecated rules: 216 (5.01%) (Disabled)
Experimental rules: 373 (8.65%)
Stable rules: 241 (5.59%)
Test rules: 3,700 (85.77%)
Unsupported rules: 42 (0.97%) (Disabled)
Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)
Hayabusa rules: 175
Sigma rules: 4,139
Total detection rules: 4,314
Creating the channel filter. Please wait.
Evtx files loaded after channel filter: 14
Detection rules enabled after channel filter: 3,890
Output profile: standard
Scanning in progress. Please wait.
[00:00:00] 14 / 14 [========================================] 100%
Scanning finished. Please wait while the results are being saved.
Rule Authors:
  Zach Mathis (30)  frack113 (6)  Florian Roth (6)  Nasreddine Bencherchali (3)
  Yusuke Matsui (3)  Jordan Lloyd (2)  Tim Shelton (2)  Jonhnathan Ribeiro (1)
  oscd.community (1)  Harish Segar (1)  Jeff Warren (1)  D3F7A5105 (1)
  Fukusuke Takahashi (1)  @juju4 (1)  Dave Kennedy (1)  @kostastsale (1)
  Roberto Rodriguez (1)  rukawa (1)  OTR (1)
Results Summary:
Events with hits / Total events: 86 / 202 (Data reduction: 116 events (57.43%))
Total | Unique detections: 111 | 49
Total | Unique critical detections: 1 (0.90%) | 1 (0.00%)
Total | Unique high detections: 15 (13.51%) | 7 (38.78%)
Total | Unique medium detections: 25 (22.52%) | 16 (12.24%)
Total | Unique low detections: 10 (9.01%) | 6 (32.65%)
Total | Unique informational detections: 60 (54.05%) | 19 (14.29%)
Dates with most total detections:
critical: 2020-01-19 (1), high: 2022-08-29 (9), medium: 2021-11-18 (10), low: 2022-08-29 (6), informational: 2022-02-23 (26)
Top 5 computers with most unique detections:
critical: Isaac (1)
high: DESKTOP-VQBONAV (5), PC-01.cybercat.local (1), dc1.test.local (1), DC-Server-1.labcorp.local (1)
medium: PC-01.cybercat.local (5), DC-Server-1.labcorp.local (4), DESKTOP-VQBONAV (3), DESKTOP-ST69BPO (2), wef.windomain.local (2)
low: DESKTOP-VQBONAV (3), wef.windomain.local (1), PC-01.cybercat.local (1), DESKTOP-ST69BPO (1), sv-dc.hinokabegakure-no-sato.local (1)
informational: DC-Server-1.labcorp.local (6), dc1.test.local (5), wef.windomain.local (3), PC-01.cybercat.local (2), EC2AMAZ-6C3C9U6 (2)
Top critical alerts:
  Audit CVE Event (1)
Top high alerts:
  Blocked Exe File Creation (4)
  Log Cleared (4)
  Proc Exec (Sysmon Alert) (2)
  Legitimate Application Dropped Executable (2)
  Suspicious File Downloaded From Direct IP Via Certuti... (1)
Top medium alerts:
  File Created (Sysmon Alert) (6)
  EVTX Created In Uncommon Location (2)
  Possible RDP Hijacking (2)
  Reg Key Value Set (Sysmon Alert) (2)
  Reg Key Create/Delete (Sysmon Alert) (2)
Top low alerts:
  Creation of an Executable by an Executable (4)
  Proc Access (2)
  Renamed Powershell Under Powershell Channel (1)
  Possible Timestomping (1)
  New BITS Job Created Via Bitsadmin (1)
Top informational alerts:
  Proc Exec (14)
  Proc Terminated (10)
  Kerberos Service Ticket Requested (8)
  File Created (4)
  Logon (Network) (3)
  PwSh Engine Started (3)
  Admin Logon (2)
  RDS GTW Logon (2)
  RDS GTW Logoff (2)
  Logoff (2)
Saved file: timeline.json (98.5 KB)
Elapsed time: 00:00:01.1096
Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls
What Changed
Evidence
Integration-Test
https://github.com/Yamato-Security/hayabusa/actions/runs/11818702742
I would appreciate it if you could check it out when you have time.