Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Select an option

  • Save shortstack/6ea5a822d025c93fde497bff776a88a3 to your computer and use it in GitHub Desktop.

Select an option

Save shortstack/6ea5a822d025c93fde497bff776a88a3 to your computer and use it in GitHub Desktop.
Velociraptor Artifact - Process evtx files server side with Hayabusa
name: Server.Process.Windows.EventLogs.Hayabusa
author: Whitney Champion - bluesky @whit.zip, Eric Capuano - bluesky @eric.zip
description: |
Process evtx files server side with Hayabusa
type: SERVER
tools:
- name: Hayabusa-Linux-3.3.0
url: https://github.com/Yamato-Security/hayabusa/releases/download/v3.3.0/hayabusa-3.3.0-lin-x64-musl.zip
expected_hash: 549613b43da2c9afc4d30233efb6e88bf8a870a7879e555783eb0afd8e8e6043
version: 3.3.0
parameters:
- name: EvtxDirectory
description: "Directory of .evtx files"
default:
- name: ClientId
default:
- name: MinimalLevel
description: "Minimum level for rules"
default: medium
type: choices
choices:
- informational
- low
- medium
- high
- critical
- name: OutputFormat
description: "Choose the format of the result file"
default: csv
type: choices
choices:
- csv
- jsonl
- name: OutputProfile
description: "Decide how much data you want back"
default: standard
type: choices
choices:
- minimal
- standard
- verbose
- all-field-info
- all-field-info-verbose
- super-verbose
- timesketch-minimal
- timesketch-verbose
- name: OutputTimeFormat
description: "Choose the format of timestamp"
default: ISO-8601
type: choices
choices:
- European-time
- ISO-8601
- RFC-2822
- RFC-3339
- US-military-time
- US-time
- UTC
- name: Threads
description: "Number of threads"
type: int
default: 4
- name: UpdateRules
description: "Update rules before scanning"
type: bool
default: Y
- name: Sort
description: "Sort events before saving the file"
type: bool
default: N
- name: NoisyRules
description: "Enable rules marked as noisy"
type: bool
default: N
- name: EIDFilter
description: "Scan only common Event IDs for quicker scans"
type: bool
default: N
- name: TimeOffset
description: "Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)"
- name: TimelineStart
description: "Start time of the event logs to load (ex: '2020-02-22 00:00:00 +09:00')"
- name: TimelineEnd
description: "End time of the event logs to load (ex: '2022-02-22 23:59:59 +09:00')"
- name: ExcludeCategory
description: "Do not load rules with specified logsource categories (ex: process_creation,pipe_created)"
- name: ExcludeEID
description: "Do not scan specific EIDs for faster speed (ex: 1) (ex: 1,4688)"
- name: ExcludeStatus
description: "Do not load rules according to status (ex: experimental) (ex: stable,test)"
- name: ExcludeTag
description: "Do not load rules with specific tags (ex: sysmon)"
- name: IncludeCategory
description: "Only load rules with specified logsource categories (ex: process_creation,pipe_created)"
- name: IncludeEID
description: "Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)"
- name: IncludeTag
description: "Only load rules with specific tags (ex: attack.execution,attack.discovery)"
sources:
- name: HayabusaProcessing
query: |
-- Fetch the binary
LET Toolzip <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="Hayabusa-Linux-3.3.0", IsExecutable=FALSE)
LET TmpDir <= tempdir()
-- Unzip the binary
LET _ <= SELECT *
FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
LET HayabusaBin <= TmpDir + '/hayabusa-3.3.0-lin-x64-musl'
-- Optionally update the rules
LET _ <= if(condition=UpdateRules, then={
SELECT * FROM execve(argv=[HayabusaBin, 'update-rules'], cwd=TmpDir) })
LET HayabusaCmd <= if(condition=OutputFormat = "csv", then="csv-timeline", else="json-timeline")
LET ResultFile <= TmpDir + '/hayabusa_results.' + OutputFormat
-- Build the command line considering all options
LET cmdline <= filter(list=(
HayabusaBin, HayabusaCmd,
"--no-wizard",
"--quiet", "--no-summary",
"--directory", EvtxDirectory,
"--output", ResultFile,
"--min-level", MinimalLevel,
"--profile", OutputProfile,
"--" + OutputTimeFormat,
"--threads", str(str=Threads),
if(condition=OutputFormat = "jsonl", then="-L"),
if(condition=Sort, then="--sort"),
if(condition=NoisyRules, then="--enable-noisy-rules"),
if(condition=EIDFilter, then="--eid-filter"),
if(condition=TimeOffset, then="--time-offset"), if(condition=TimeOffset, then=TimeOffset),
if(condition=TimelineStart, then="--timeline-start"), if(condition=TimelineStart, then=TimelineStart),
if(condition=TimelineEnd, then="--timeline-end"), if(condition=TimelineEnd, then=TimelineEnd),
if(condition=ExcludeCategory, then="--exclude-category"), if(condition=ExcludeCategory, then=ExcludeCategory),
if(condition=ExcludeEID, then="--exclude-eid"), if(condition=ExcludeEID, then=ExcludeEID),
if(condition=ExcludeStatus, then="--exclude-status"), if(condition=ExcludeStatus, then=ExcludeStatus),
if(condition=ExcludeTag, then="--exclude-tag"), if(condition=ExcludeTag, then=ExcludeTag),
if(condition=IncludeCategory, then="--include-category"), if(condition=IncludeCategory, then=IncludeCategory),
if(condition=IncludeEID, then="--include-eid"), if(condition=IncludeEID, then=IncludeEID),
if(condition=IncludeTag, then="--include-tag"), if(condition=IncludeTag, then=IncludeTag),
), regex=".+")
-- Run the tool and divert messages to logs.
LET ExecHB <= SELECT *
FROM execve(argv=cmdline, cwd=TmpDir, sep="\n", length=9999999)
WHERE log(message=Stdout)
-- Upload the raw file.
LET Upload <= SELECT upload(file=ResultFile) AS Uploads FROM scope()
-- Parse the result file based on the output format
LET CSV_RESULT = SELECT * FROM parse_csv(filename=ResultFile)
LET JSONL_RESULT = SELECT * FROM parse_jsonl(filename=ResultFile)
LET s = scope()
SELECT ClientId, timestamp(string=s.Timestamp || s.datetime) AS EventTime, *
FROM if(condition= OutputFormat = "csv", then=CSV_RESULT, else=JSONL_RESULT)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment