
feat: add timeline-start/timeline-end option to search command #1545

Merged (3 commits) Jan 16, 2025

Conversation

@fukusuket fukusuket commented Jan 16, 2025

What Changed

Evidence

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/12811214757

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the enhancement New feature or request label Jan 16, 2025
@fukusuket fukusuket added this to the 3.1 milestone Jan 16, 2025
@fukusuket fukusuket self-assigned this Jan 16, 2025
@fukusuket fukusuket commented

help

 ./hayabusa search --help
Hayabusa v3.0.1 - 3rd Year Anniversary Release
Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)

Usage:
  hayabusa.exe search <INPUT> <--keywords "<KEYWORDS>" OR --regex "<REGEX>"> [OPTIONS]

Display Settings:
  -K, --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:\Windows\System32\winevt\Logs folder

Filtering:
  -a, --and-logic              Search keywords with AND logic (default: OR)
  -F, --filter <FILTER...>     Filter by specific field(s)
  -i, --ignore-case            Case-insensitive keyword search
  -k, --keyword <KEYWORD...>   Search by keyword(s)
  -r, --regex <REGEX>          Search by regular expression
      --time-offset <OFFSET>   Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
      --timeline-end <DATE>    End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00")
      --timeline-start <DATE>  Start time of the event logs to load (ex: "2020-02-22 00:00:00 +09:00")

Output:
  -b, --disable-abbreviations  Disable abbreviations
  -J, --JSON-output            Save the search results in JSON format (ex: -J -o results.json)
  -L, --JSONL-output           Save the search results in JSONL format (ex: -L -o results.jsonl)
  -M, --multiline              Output event field information in multiple rows for CSV output
  -o, --output <FILE>          Save the search results in CSV format (ex: search.csv)

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
  -O, --ISO-8601          Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
  -U, --UTC               Output time in UTC format (default: local time)

@fukusuket fukusuket commented Jan 16, 2025

start-timeline/end-timeline

with no option

% ./hayabusa search -d ../hayabusa-sample-evtx -k psexec  -q
Searching...

Start time: 2025/01/16 23:43
Total event log files: 598
Total file size: 139.2 MB

Currently searching. Please wait.

[00:00:01] 598 / 598   [========================================] 100%

Scanning finished.
Timestamp · EventTitle · Hostname · Channel · Event ID · Record ID · AllFieldInfo · EvtxFile
2020-12-10 01:52:34.562 +09:00 · Process Creation · MSEDGEWIN10 · Sysmon · 1 · 549480 · CommandLine: "C:\Users\Public\psexecprivesc.exe" C:\Windows\System32\mspaint.exe ¦ Company: ? ¦ CurrentDirectory: C:\Users\Public\ ¦ Description: ? ¦ FileVersion: ? ¦ Hashes: SHA1=D7BADB1E51B7F5AB36D218854698215436C77D69,MD5=45C9D210322AC8F8AEC6D2AB003F82A9,SHA256=F60E25BFB2BF7CB3E3CBD47F6A6D12941BD0BC0CF5B5626415607FDF0ACD2132,IMPHASH=6BC87C5562804B37769BD928D309AFDA ¦ Image: C:\Users\Public\psexecprivesc.exe ¦ IntegrityLevel: Medium ¦ LogonGuid: 747F3D96-FBCC-5FD0-0000-0020CB857400 ¦ LogonId: 0x7485cb ¦ OriginalFileName: ? ¦ ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ¦ ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ¦ ParentProcessGuid: 747F3D96-FBFF-5FD0-0000-0010BEC87C00 ¦ ParentProcessId: 14512 ¦ ProcessGuid: 747F3D96-00D2-5FD1-0000-0010FA4C5301 ¦ ProcessId: 13004 ¦ Product: ? ¦ RuleName:  ¦ TerminalSessionId: 3 ¦ User: MSEDGEWIN10\user02 ¦ UtcTime: 2020-12-09 16:52:34.559 · ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx

2020-12-10 01:52:34.622 +09:00 · Named Pipe Created · MSEDGEWIN10 · Sysmon · 17 · 549481 · EventType: CreatePipe ¦ Image: C:\Users\Public\psexecprivesc.exe ¦ PipeName: \PSEXESVC ¦ ProcessGuid: 747F3D96-00D2-5FD1-0000-0010FA4C5301 ¦ ProcessId: 13004 ¦ RuleName:  ¦ UtcTime: 2020-12-09 16:52:34.611 · ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx

2020-12-10 01:52:44.864 +09:00 · Named Pipe Connection · MSEDGEWIN10 · Sysmon · 18 · 549486 · EventType: ConnectPipe ¦ Image: C:\Users\Public\psexecprivesc.exe ¦ PipeName: \PSEXESVC ¦ ProcessGuid: 747F3D96-00D2-5FD1-0000-0010FA4C5301 ¦ ProcessId: 13004 ¦ RuleName:  ¦ UtcTime: 2020-12-09 16:52:44.863 · ../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx

2021-04-22 17:51:22.992 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435142 · AccessList: %%4423 ¦ AccessMask: 0x80 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60052 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.025 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435149 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60051 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.042 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435151 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60052 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.044 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435153 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60049 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.171 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435155 · AccessList: %%1537 %%4423 ¦ AccessMask: 0x10080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60051 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c366 ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-12-05 06:19:16.741 +09:00 · Process Creation · fs03vuln.offsec.lan · Sysmon · 1 · 48593 · CommandLine: PsExec64.exe -i -s cmd ¦ Company: Sysinternals - www.sysinternals.com ¦ CurrentDirectory: C:\TOOLS\ ¦ Description: Execute processes remotely ¦ FileVersion: 2.2 ¦ Hashes: SHA1=FB0A150601470195C47B4E8D87FCB3F50292BEB2,MD5=9321C107D1F7E336CDA550A2BF049108,SHA256=AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4,IMPHASH=159D56D406180A332FBC99290F30700E ¦ Image: C:\TOOLS\PsExec64.exe ¦ IntegrityLevel: High ¦ LogonGuid: A57649D1-9E9D-61A6-56EF-830000000000 ¦ LogonId: 0x83ef56 ¦ OriginalFileName: psexec.c ¦ ParentCommandLine: "C:\Windows\system32\cmd.exe" ¦ ParentImage: C:\Windows\System32\cmd.exe ¦ ParentProcessGuid: A57649D1-ACE8-61A6-885B-920000000000 ¦ ParentProcessId: 532 ¦ ProcessGuid: A57649D1-DB54-61AB-775C-DC0100000000 ¦ ProcessId: 2124 ¦ Product: Sysinternals PsExec ¦ RuleName: technique_id=T1035,technique_name=Service Execution ¦ TerminalSessionId: 2 ¦ User: OFFSEC\admmig ¦ UtcTime: 2021-12-04 21:19:16.741 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID11,13,17,18-PSexec as system execution.evtx

Total findings: 9
Elapsed time: 00:00:01.029

with option

% ./hayabusa search -d ../hayabusa-sample-evtx -k psexec -q --timeline-start "2021-04-22 00:00:00 +09:00" --timeline-end "2021-04-22 23:59:59 +09:00"
Searching...

Start time: 2025/01/16 23:46
Total event log files: 598
Total file size: 139.2 MB

Currently searching. Please wait.

[00:00:00] 598 / 598   [========================================] 100%

Scanning finished.
Timestamp · EventTitle · Hostname · Channel · Event ID · Record ID · AllFieldInfo · EvtxFile
2021-04-22 17:51:22.992 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435142 · AccessList: %%4423 ¦ AccessMask: 0x80 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60052 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.025 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435149 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60051 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.042 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435151 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60052 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

2021-04-22 17:51:23.044 +09:00 · Network share object checked for client access · fs03vuln.offsec.lan · Sec · 5145 · 435153 · AccessList: %%1541 %%4423 ¦ AccessMask: 0x100080 ¦ AccessReason: - ¦ IpAddress: 10.23.23.9 ¦ IpPort: 60049 ¦ ObjectType: File ¦ RelativeTargetName: Users\admmig\Desktop\MS17_010_psexec.evtx ¦ ShareLocalPath: \??\C:\ ¦ ShareName: \\*\C$ ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x6c49d ¦ SubjectUserName: admmig ¦ SubjectUserSid: S-1-5-21-4230534742-2542757381-3142984815-1111 · ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx

Total findings: 4
Elapsed time: 00:00:00.971
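
The following is an added illustration of the window semantics the two runs above demonstrate; it is not hayabusa's code and was not posted in this thread. It parses the `--timeline-start`/`--timeline-end` format shown in the help text (offset-aware, whole seconds) and the Timestamp column of the default search output (milliseconds plus offset), applies an inclusive window (an assumption: the PR does not state whether hayabusa's bounds are inclusive), converts a window given in +09:00 to UTC so it can be checked against raw `UtcTime` fields, and shows the sub-second edge that an end bound without fractional seconds creates. `SAMPLE_EVENTS` is constructed from the Timestamp, Event ID and Record ID columns of the unfiltered run. Note one thing the page does not explain: the filtered run reports 4 findings, whereas a plain inclusive check keeps all five 2021-04-22 rows from the unfiltered run (record 435155 at 17:51:23.171 +09:00 is missing from the filtered output), so verify the exact bound behaviour against your own hayabusa build before relying on it in a timeline.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Format of the --timeline-start/--timeline-end values in the help text,
# e.g. "2022-02-22 23:59:59 +09:00" (whole seconds, explicit UTC offset).
BOUND_FMT = "%Y-%m-%d %H:%M:%S %z"
# Format of the Timestamp column in hayabusa's default search output,
# e.g. "2021-04-22 17:51:22.992 +09:00" (milliseconds, explicit UTC offset).
EVENT_FMT = "%Y-%m-%d %H:%M:%S.%f %z"


def parse_bound(value: str) -> datetime:
    """Parse a window bound; the explicit %z offset yields an offset-aware datetime."""
    return datetime.strptime(value, BOUND_FMT)


def parse_event_ts(value: str) -> datetime:
    """Parse a Timestamp cell from the search output into an offset-aware datetime."""
    return datetime.strptime(value, EVENT_FMT)


def to_utc_window(start: str, end: str) -> Tuple[str, str]:
    """Express a window given in any offset as UTC wall-clock strings, so it can be
    compared directly with the UtcTime field Sysmon writes into each record."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return (
        parse_bound(start).astimezone(timezone.utc).strftime(fmt),
        parse_bound(end).astimezone(timezone.utc).strftime(fmt),
    )


def in_window(ts: datetime, start: Optional[datetime], end: Optional[datetime]) -> bool:
    """Inclusive window check (assumption: both bounds inclusive, as hayabusa's own
    rule is not stated in the PR). Offset-aware datetimes compare by instant, so a
    bound given in +09:00 and an event printed in another offset compare correctly."""
    if start is not None and ts < start:
        return False
    if end is not None and ts > end:
        return False
    return True


def filter_events(events: List[Dict], start: Optional[str] = None,
                  end: Optional[str] = None) -> List[Dict]:
    """Apply the same window logic to a list of output rows; either bound may be omitted."""
    s = parse_bound(start) if start else None
    e = parse_bound(end) if end else None
    return [ev for ev in events if in_window(parse_event_ts(ev["Timestamp"]), s, e)]


# Constructed from the Timestamp / Event ID / Record ID columns of the unfiltered run.
SAMPLE_EVENTS = [
    {"Timestamp": "2020-12-10 01:52:34.562 +09:00", "EventID": 1,    "RecordID": 549480},
    {"Timestamp": "2020-12-10 01:52:34.622 +09:00", "EventID": 17,   "RecordID": 549481},
    {"Timestamp": "2020-12-10 01:52:44.864 +09:00", "EventID": 18,   "RecordID": 549486},
    {"Timestamp": "2021-04-22 17:51:22.992 +09:00", "EventID": 5145, "RecordID": 435142},
    {"Timestamp": "2021-04-22 17:51:23.025 +09:00", "EventID": 5145, "RecordID": 435149},
    {"Timestamp": "2021-04-22 17:51:23.042 +09:00", "EventID": 5145, "RecordID": 435151},
    {"Timestamp": "2021-04-22 17:51:23.044 +09:00", "EventID": 5145, "RecordID": 435153},
    {"Timestamp": "2021-04-22 17:51:23.171 +09:00", "EventID": 5145, "RecordID": 435155},
    {"Timestamp": "2021-12-05 06:19:16.741 +09:00", "EventID": 1,    "RecordID": 48593},
]

if __name__ == "__main__":
    start, end = "2021-04-22 00:00:00 +09:00", "2021-04-22 23:59:59 +09:00"
    print("window in UTC:", to_utc_window(start, end))
    for ev in filter_events(SAMPLE_EVENTS, start, end):
        print(ev["Timestamp"], ev["EventID"], ev["RecordID"])
    # An end bound with whole seconds silently drops events in the last 999 ms of the day.
    late = parse_event_ts("2021-04-22 23:59:59.500 +09:00")
    print("23:59:59.500 kept by end bound 23:59:59:", in_window(late, None, parse_bound(end)))
```

When cross-checking a filtered hayabusa run against the raw logs, compare against the UTC window rather than the local-time strings, because evtx records store UTC and the `+09:00` bound in the PR's example corresponds to 2021-04-21 15:00:00Z. If the last second of a day matters, give the end bound as the start of the next day rather than `23:59:59`.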

@fukusuket fukusuket marked this pull request as ready for review January 16, 2025 14:48
@YamatoSecurity YamatoSecurity left a comment


LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 93ca1f0 into main Jan 16, 2025
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1543-add-start-end-time-option-search-cmd branch January 16, 2025 18:30
Labels: enhancement (New feature or request)
Linked issue (closed by this PR): Add --timeline-start/--timeline-end option to search command