Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Hayabusa may occasionally suspend on Windows #867

Closed. fukusuket closed this issue 1 year ago.

fukusuket commented 1 year ago

Describe the bug: About 1 out of 10 times, hayabusa.exe suspends when analyzing large evtx files (a 6.1 GB evtx). At first I thought it was a hardware problem on my PC, but it happened on another PC as well, so I'm reporting this issue.

Steps to Reproduce: Repeat the following steps about 10 times on Windows 10.

  1. Launch Task Manager (to watch for changes in CPU usage)
  2. Launch Command Prompt
  3. hayabusa.exe -d <large evtx (6.1 GB evtx)> -o out.csv
  4. Check CPU usage in Task Manager

Then, about 1 out of 10 times, hayabusa.exe hangs.

Screenshots: hayabusa does not use any CPU/Mem/Disk resources and suspends as shown in the screenshot, and the analysis never ends.

Additional context: But after the above suspension, pressing the Enter key in the console restarts the analysis process. So it may be a problem with the progress bar or Windows standard output...? 🤔

Environment (please complete the following information):

I will continue to investigate reproduction conditions and versions.

YamatoSecurity commented 1 year ago

I had a similar problem when running on Mac but found out that it was due to the Mac's sleep function. I often use Hayabusa in the background, so I turn off the display, but that paused Hayabusa. I fixed it by checking "Prevent your Mac from automatically sleeping when the display is off". I think you can also use the caffeinate command.

This is probably a different issue, but just to be sure: do you have the display running the whole time? Maybe there is a similar issue in your Windows environment where the OS is stopping it for some reason? Does it happen with Windows Terminal as well, or just Command Prompt?

fukusuket commented 1 year ago

Thank you for the information! I see, it looks like a similar problem... 🤔

In my case, this issue occurs under the following conditions.

I'll check whether it also happens in Windows Terminal or PowerShell. I'll also check whether the OS sleep settings are having an effect.

I also feel that the sound of the cooling fan suddenly becomes quiet, so the sleep setting may be the cause... 🤔

fukusuket commented 1 year ago

Sorry! It was caused by the behaviour of the Windows Command Prompt (and the PowerShell console) 😅 I reproduced it with the following steps.

  1. Launch Task Manager (to watch for changes in CPU usage)
  2. Launch Command Prompt
  3. hayabusa.exe -d <large evtx (6.1 GB evtx)> -o out.csv
  4. Left-click on the command prompt as soon as the progress bar appears
  5. CPU usage then drops to 0%

It was caused by the console behaviour where clicking puts the command prompt into edit mode, which suspends the program. ref: https://softantenna.com/blog/windows-10-command-prompt-no-stop/

Closing this issue because it was not Hayabusa's problem.
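The behaviour in the last comment is the console host's QuickEdit mode: a left-click puts the console window into selection mode, and while it is selecting, writes to the console's output buffer block, so any program that writes progress to stdout (Hayabusa's progress bar here) sits at 0% CPU until Enter or Escape ends the selection. The script below is an added example for checking and switching that mode off for the current console before starting a long run; it is not code from the issue thread or from the Hayabusa project. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, a classic console host (conhost, the one Command Prompt and the PowerShell console use), and placeholder paths for hayabusa.exe and the evtx directory.

```powershell
# Added example, not part of the issue thread or of Hayabusa itself.
# Turns QuickEdit mode off for the console this script runs in, so that a
# stray left-click cannot park the console in selection mode and block
# whatever child process is writing to stdout. Paths below are placeholders.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetStdHandle(int nStdHandle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetConsoleMode(IntPtr hConsoleHandle, out uint lpMode);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetConsoleMode(IntPtr hConsoleHandle, uint dwMode);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'ConsoleMode' -Namespace 'Win32' -PassThru

$STD_INPUT_HANDLE       = -10      # QuickEdit is an *input* mode flag
$ENABLE_QUICK_EDIT_MODE = 0x0040
$ENABLE_EXTENDED_FLAGS  = 0x0080   # must be set for the QuickEdit bit to be honoured

function Get-QuickEditEnabled {
    $h = $Kernel32::GetStdHandle($STD_INPUT_HANDLE)
    $mode = [uint32]0
    if (-not $Kernel32::GetConsoleMode($h, [ref]$mode)) {
        throw "GetConsoleMode failed (not attached to a console?)"
    }
    return (($mode -band $ENABLE_QUICK_EDIT_MODE) -ne 0)
}

function Disable-QuickEdit {
    $h = $Kernel32::GetStdHandle($STD_INPUT_HANDLE)
    $mode = [uint32]0
    if (-not $Kernel32::GetConsoleMode($h, [ref]$mode)) {
        throw "GetConsoleMode failed (not attached to a console?)"
    }
    # Clear the QuickEdit bit, keep everything else, and set EXTENDED_FLAGS so
    # the console actually applies the change to the QuickEdit/Insert bits.
    $newMode = [uint32](($mode -bor $ENABLE_EXTENDED_FLAGS) -band (-bnot $ENABLE_QUICK_EDIT_MODE))
    if (-not $Kernel32::SetConsoleMode($h, $newMode)) {
        throw "SetConsoleMode failed"
    }
}

# Persistent default for *new* console windows lives in the registry
# (HKCU\Console, QuickEdit REG_DWORD: 1 = on, 0 = off). Reported only, not changed.
$default = Get-ItemProperty -Path 'HKCU:\Console' -Name 'QuickEdit' -ErrorAction SilentlyContinue
if ($default) {
    Write-Host ("Default QuickEdit for new console windows (HKCU\Console): {0}" -f $default.QuickEdit)
} else {
    Write-Host "HKCU\Console\QuickEdit is not set; the console host default applies."
}

Write-Host ("QuickEdit in this console before: {0}" -f (Get-QuickEditEnabled))
Disable-QuickEdit
Write-Host ("QuickEdit in this console after:  {0}" -f (Get-QuickEditEnabled))

# The input mode belongs to the console, not to this process, so a child
# started now shares a console that no longer enters selection mode on click.
# Command form taken from the issue; paths are placeholders.
& 'C:\tools\hayabusa\hayabusa.exe' -d 'C:\evidence\evtx' -o 'C:\evidence\out.csv'
```

Run it from the Command Prompt or PowerShell console window the analysis will use; the change lasts for that console window only, which is the point, since it does not alter the user's defaults. Windows Terminal does not have a QuickEdit selection mode of its own, which is why the thread's suggestion to try it there is a reasonable cross-check, but the script is harmless there as well. If a run has already stalled, pressing Enter or Escape in the window ends the selection and the program resumes, exactly as the reporter observed.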