
Running Hayabusa

Zach Mathis (田中ザック) edited this page Feb 3, 2024 · 2 revisions

Scan Wizard

Commands like csv-timeline and json-timeline now have a scan wizard enabled by default. This is intended to help users easily choose which detection rules they want to enable according to their needs and preferences. The sets of detection rules to load are based on the official lists in the Sigma project. Details are explained in this blog post. You can easily turn off the wizard and use Hayabusa in its traditional way by adding the -w, --no-wizard option.

Core Rules

The core rule set enables rules that have a status of test or stable and a level of high or critical. These are high-quality rules of high confidence and relevance that should not produce many false positives. A status of test or stable means that no false positives have been reported for over 6 months. Rules will match on attacker techniques, generic suspicious activity, or malicious behavior. It is the same as using the --exclude-status deprecated,unsupported,experimental --min-level high options.

Core+ Rules

The core+ rule set enables rules that have a status of test or stable and a level of medium or higher. medium rules most often need additional tuning as certain applications, legitimate user behavior or scripts of an organization might be matched. It is the same as using the --exclude-status deprecated,unsupported,experimental --min-level medium options.

Core++ Rules

The core++ rule set enables rules that have a status of experimental, test or stable and a level of medium or higher. These rules are bleeding edge. They are validated against the baseline evtx files available at the SigmaHQ project and reviewed by multiple detection engineers. Other than that they are pretty much untested at first. Use these if you want to be able to detect threats as early as possible at the cost of managing a higher threshold of false positives. It is the same as using the --exclude-status deprecated,unsupported --min-level medium options.

Emerging Threats (ET) Add-On Rules

The Emerging Threats (ET) rule set enables rules that have a tag of detection.emerging_threats. These rules target specific threats and are especially useful for current threats where not much information is available yet. These rules should not have many false positives but will decrease in relevance over time. When these rules are not enabled, it is the same as using the --exclude-tag detection.emerging_threats option. When running Hayabusa traditionally without the wizard, these rules will be included by default.

Threat Hunting (TH) Add-On Rules

The Threat Hunting (TH) rule set enables rules that have a tag of detection.threat_hunting. These rules may detect unknown malicious activity, but will typically have more false positives. When these rules are not enabled, it is the same as using the --exclude-tag detection.threat_hunting option. When running Hayabusa traditionally without the wizard, these rules will be included by default.
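To make the preset definitions above concrete, here is an added Python model (not Hayabusa's own code) of the filtering that each wizard preset and add-on performs over Sigma rule metadata (the status, level and tags fields of a rule). The sample rules are constructed for illustration and the level ordering follows the Sigma project's levels.

```python
# Sigma severity levels, lowest to highest (used for the --min-level comparison).
LEVELS = ["informational", "low", "medium", "high", "critical"]

# Wizard presets expressed as the equivalent --exclude-status / --min-level options.
PRESETS = {
    "core":   {"exclude_status": {"deprecated", "unsupported", "experimental"}, "min_level": "high"},
    "core+":  {"exclude_status": {"deprecated", "unsupported", "experimental"}, "min_level": "medium"},
    "core++": {"exclude_status": {"deprecated", "unsupported"}, "min_level": "medium"},
}

# Add-on rule sets: when an add-on is NOT enabled, its tag is excluded (--exclude-tag).
ADDON_TAGS = {"ET": "detection.emerging_threats", "TH": "detection.threat_hunting"}

# Constructed sample rule metadata (ids and tags are illustrative, not real rules).
SAMPLE_RULES = [
    {"id": "r1", "status": "stable", "level": "critical", "tags": ["attack.credential_access"]},
    {"id": "r2", "status": "test", "level": "medium", "tags": []},
    {"id": "r3", "status": "experimental", "level": "high", "tags": []},
    {"id": "r4", "status": "stable", "level": "high", "tags": ["detection.emerging_threats"]},
    {"id": "r5", "status": "deprecated", "level": "critical", "tags": []},
    {"id": "r6", "status": "test", "level": "low", "tags": ["detection.threat_hunting"]},
]


def select_rules(rules, preset, addons=()):
    """Return the ids of the rules a wizard preset (plus enabled add-ons) would load.

    The three filters are applied together: a rule must pass the status exclusion,
    meet the minimum level, and carry no tag belonging to a disabled add-on.
    """
    cfg = PRESETS[preset]
    excluded_tags = {tag for name, tag in ADDON_TAGS.items() if name not in addons}
    min_index = LEVELS.index(cfg["min_level"])
    selected = []
    for rule in rules:
        if rule["status"] in cfg["exclude_status"]:
            continue
        if LEVELS.index(rule["level"]) < min_index:
            continue
        if excluded_tags & set(rule.get("tags", [])):
            continue
        selected.append(rule["id"])
    return selected


if __name__ == "__main__":
    for preset in PRESETS:
        print(preset, select_rules(SAMPLE_RULES, preset))
    print("core++ with ET and TH", select_rules(SAMPLE_RULES, "core++", addons=("ET", "TH")))
```

Note that an add-on only removes a tag exclusion: an ET or TH rule whose status or level fails the preset's filters (r6 above) still stays out.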

Caution: Anti-Virus/EDR Warnings and Slow Runtimes

You may receive an alert from anti-virus or EDR products when trying to run hayabusa, or even just when downloading the .yml rules, because the detection signatures contain keywords like mimikatz and suspicious PowerShell commands. These are false positives, so you will need to configure exclusions in your security products to allow hayabusa to run. If you are worried about malware or supply chain attacks, please check the hayabusa source code and compile the binaries yourself.

You may experience slow runtime especially on the first run after a reboot due to the real-time protection of Windows Defender. You can avoid this by temporarily turning real-time protection off or adding an exclusion to the hayabusa runtime directory. (Please take into consideration the security risks before doing these.)

Windows

In a Command/PowerShell Prompt or Windows Terminal, just run the appropriate 32-bit or 64-bit Windows binary.

Error when trying to scan a file or directory with a space in the path

When using the built-in Command or PowerShell prompt in Windows, you may receive an error that Hayabusa was not able to load any .evtx files if there is a space in your file or directory path. In order to load the .evtx files properly, be sure to do the following:

  1. Enclose the file or directory path with double quotes.
  2. If it is a directory path, make sure that you do not include a backslash for the last character.

Linux

You first need to make the binary executable.

chmod +x ./hayabusa

Then run it from the Hayabusa root directory:

./hayabusa

macOS

From Terminal or iTerm2, you first need to make the binary executable.

chmod +x ./hayabusa

Then, try to run it from the Hayabusa root directory:

./hayabusa

On the latest version of macOS, you may receive the following security error when you try to run it:

[Screenshot: Mac Error 1 EN]

Click "Cancel" and then from System Preferences, open "Security & Privacy" and from the General tab, click "Allow Anyway".

[Screenshot: Mac Error 2 EN]

After that, try to run it again.

./hayabusa

The following warning will pop up, so please click "Open".

[Screenshot: Mac Error 3 EN]

You should now be able to run Hayabusa.
