Find Threats in Event Logs with Hayabusa
A powerful technique for finding threats in Windows event logs.
What is Hayabusa?
I am a huge fan of the open source Hayabusa from Yamato Security and you’ll soon know why.
Description pulled directly from the repo:
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. It is written in Rust and supports multi-threading in order to be as fast as possible…
<snip>
Hayabusa can be run either on single running systems for live analysis, by gathering logs from single or multiple systems for offline analysis, or by running the Hayabusa artifact with Velociraptor for enterprise-wide threat hunting and incident response. The output will be consolidated into a single CSV timeline for easy analysis in Excel, Timeline Explorer, Elastic Stack, Timesketch, etc...
TL;DR: Hayabusa uses Sigma as well as built-in rules to assess Windows Event Logs for known threats. It’s cross-platform and runs on just about anything you’re likely using for analysis.
Pro Tip: Due to the clear-text threat signatures that Hayabusa comes packed with, you may experience issues with some AV/EDR products as they are not intelligent enough to determine whether it’s an actual threat, or simply matches signatures of a threat. This is a common problem with many threat hunting tools that contain clear-text signatures. Keep this in mind when running Hayabusa in production! While it’s possible to use a tool like Velociraptor to deploy and run Hayabusa in production, you may encounter issues with AV/EDR for this reason.
Let’s get hands-on with it!
First, you’ll need a testing VM to pull down Hayabusa and some event logs with malicious activity. For guidance, check out this post where I give advice on where to get a Windows 11 development VM.
These steps assume you are using a Windows VM like the one we set up here.
First let’s download all the tools and samples we’ll be using.
Launch an Administrative PowerShell console to run the following commands. Keep this console open throughout this guide.
Change into our working directory.
cd C:\Windows\Temp
Download Eric Zimmerman’s Timeline Explorer which will make viewing our outputted CSVs much easier.
Invoke-WebRequest -Uri https://f001.backblazeb2.com/file/EricZimmermanTools/TimelineExplorer.zip -OutFile C:\Windows\Temp\TimelineExplorer.zip
Note: Zimmerman’s tools require .NET, so if you encounter issues running it, install this.
Unzip Timeline Explorer.
Expand-Archive -LiteralPath C:\Windows\Temp\TimelineExplorer.zip C:\Windows\Temp
Download Hayabusa 2.3.1 for Win64.
Invoke-WebRequest -Uri https://github.com/Yamato-Security/hayabusa/releases/download/v2.3.1/hayabusa-2.3.1-win-64-bit.zip -OutFile C:\Windows\Temp\hayabusa-2.3.1-win-64-bit.zip
Note: there may be a newer version available, but this is the latest version as of this post, and I am locking in on it for the sake of the guide.
Unzip Hayabusa.
Expand-Archive -LiteralPath C:\Windows\Temp\hayabusa-2.3.1-win-64-bit.zip -DestinationPath C:\Windows\Temp\hayabusa
Download some sample EVTX files from sbousseaden’s EVTX-ATTACK-SAMPLES repo.
Invoke-WebRequest -Uri https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/archive/refs/heads/master.zip -Outfile EVTX-ATTACK-SAMPLES.zip
Unzip the event log samples.
Expand-Archive -LiteralPath C:\Windows\Temp\EVTX-ATTACK-SAMPLES.zip -DestinationPath C:\Windows\Temp
For convenience, let’s collect all the various EVTX files in the repo and stage them in one folder to make our analysis easier. Copy and paste this entire script into your console and press Enter.
# Set the source folder where .evtx files are located
$sourceFolder = "C:\Windows\Temp\EVTX-ATTACK-SAMPLES-master\"

# Set the destination folder where .evtx files should be moved
$destinationFolder = "C:\Windows\Temp\evtx_files"

# Create the destination folder if it doesn't already exist
if (!(Test-Path $destinationFolder)) {
    New-Item -ItemType Directory -Path $destinationFolder | Out-Null
}

# Set the starting number for the sequential numbering
$number = 0

# Recursively find all .evtx files in the source folder
Get-ChildItem -Path $sourceFolder -Recurse -Filter *.evtx | ForEach-Object {
    # Append the sequential number to the file name
    $newFileName = $_.BaseName + "_" + $number.ToString() + $_.Extension

    # Copy the file to the destination folder with the new name
    Copy-Item $_.FullName -Destination (Join-Path $destinationFolder $newFileName)

    # Increment the sequential number
    $number++
}

Write-Host "$number files copied to $destinationFolder."
Let’s make sure we’re using the latest Hayabusa detection rules
In the same Administrative PowerShell prompt, run the following commands
Examine the available command options
.\hayabusa\hayabusa-2.3.1-win-x64.exe help
Now update the rules
.\hayabusa\hayabusa-2.3.1-win-x64.exe update-rules
Now let’s find threats in our sample EVTX files
Run the following command in your Administrative PowerShell prompt
.\hayabusa\hayabusa-2.3.1-win-x64.exe csv-timeline -d .\evtx_files\ -o hayabusa-output.csv
After a few minutes, Hayabusa should output a summary of its findings
Now let’s examine the output file using Timeline Explorer by running this command
.\TimelineExplorer\TimelineExplorer.exe .\hayabusa-output.csv
As you can see, Timeline Explorer is, at its simplest, a CSV viewer. However, it has some cool capabilities that make analyzing a CSV much easier.
Drag the following column headers to the top in order to group by them; see the short clip below for a visual aid.
Level
Computer
Rule Title
It is now much easier to navigate the data, grouped by criticality of the detection and the computer it occurred on.
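The same grouping can be scripted when you want to triage many exports or feed the counts somewhere else. The script below is an added example, not part of this post and not Hayabusa’s own code: it reads a Hayabusa csv-timeline export, counts hits by Level, Computer and Rule Title (ordered crit, high, med, low, info), and then ranks rule titles by how rarely they fired, since a rule that matched once across the data set usually deserves a look before one that matched a thousand times. The CSV embedded in it is a constructed sample that mimics the shape of the export, with the column names as Timeline Explorer displays them; the header normalization is an assumption on my part to cope with column names appearing with or without spaces (for example "Rule Title" versus "RuleTitle"), which this page does not document.

```python
"""Triage a Hayabusa csv-timeline export: count hits by Level / Computer / Rule Title
and rank rule titles by rarity. Added example; assumes the column names shown above."""
import csv
import io
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape of a Hayabusa csv-timeline export. The rows are
# made up for this example and are not real tool output.
SAMPLE_CSV = """Timestamp,Computer,Channel,EventID,Level,Rule Title,Details
2023-04-01 10:00:01.123 +00:00,DC01,Sec,4624,info,Logon (Network),TgtUser: alice
2023-04-01 10:00:05.456 +00:00,DC01,Sec,4624,info,Logon (Network),TgtUser: bob
2023-04-01 10:02:11.000 +00:00,WS01,Sysmon,1,high,Suspicious Encoded PowerShell,Cmdline: powershell.exe -EncodedCommand <redacted>
2023-04-01 10:02:12.000 +00:00,WS01,Sysmon,1,high,Suspicious Encoded PowerShell,Cmdline: powershell.exe -EncodedCommand <redacted>
2023-04-01 10:03:00.000 +00:00,WS01,Sec,4688,crit,Credential Dumping Tool Execution,Cmdline: <redacted>
2023-04-01 10:04:00.000 +00:00,DC01,Sec,4672,med,Admin Logon,TgtUser: bob
"""

# Hayabusa severity labels, most severe first (assumed from the tool's level names).
LEVEL_ORDER = {"crit": 0, "high": 1, "med": 2, "low": 3, "info": 4}


def _norm(name):
    """Normalize a header so 'Rule Title' and 'RuleTitle' map to the same key."""
    return name.replace(" ", "").strip().lower()


def load_timeline(text):
    """Parse CSV text into a list of dicts keyed by normalized column name."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # Extra unnamed columns land under key None; drop them rather than crash.
        rows.append({_norm(k): (v or "") for k, v in row.items() if k is not None})
    return rows


def group_by_level_computer_rule(rows):
    """Return [(level, {computer: {rule_title: hits}})], levels ordered crit..info."""
    tree = defaultdict(lambda: defaultdict(Counter))
    for r in rows:
        tree[r.get("level", "")][r.get("computer", "")][r.get("ruletitle", "")] += 1
    ordered = sorted(tree.items(), key=lambda kv: LEVEL_ORDER.get(kv[0].lower(), 99))
    return [(lvl, {c: dict(cnt) for c, cnt in comps.items()}) for lvl, comps in ordered]


def rank_rules_by_rarity(rows):
    """Rule titles with the fewest hits first; ties broken by worst severity, then name."""
    hits = Counter(r.get("ruletitle", "") for r in rows)
    worst = {}
    for r in rows:
        title = r.get("ruletitle", "")
        lvl = LEVEL_ORDER.get(r.get("level", "").lower(), 99)
        worst[title] = min(worst.get(title, 99), lvl)
    return sorted(hits.items(), key=lambda kv: (kv[1], worst[kv[0]], kv[0]))


if __name__ == "__main__":
    # Pass the path to a real export (e.g. hayabusa-output.csv); without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:  # utf-8-sig tolerates a BOM
            text = fh.read()
    else:
        text = SAMPLE_CSV
    rows = load_timeline(text)
    for lvl, comps in group_by_level_computer_rule(rows):
        print(f"[{lvl}]")
        for comp, rules in comps.items():
            for title, n in sorted(rules.items(), key=lambda kv: -kv[1]):
                print(f"  {comp:<8} {n:>4}  {title}")
    print("\nRarest rule titles first:")
    for title, n in rank_rules_by_rarity(rows):
        print(f"  {n:>4}  {title}")
```

Run it as `python triage.py .\hayabusa-output.csv` from the same working directory; the rarity ranking is most useful on the verbose export, where the Details column is rich enough to judge a one-off hit without going back to the original EVTX.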
Explore the data!
You may notice the outputted events do not contain all of the information from the original event log that the signature fired on. To get a more verbose version that includes all of this data, re-run Hayabusa with the following command
.\hayabusa\hayabusa-2.3.1-win-x64.exe csv-timeline -d .\evtx_files\ -o hayabusa-output-super-verbose.csv -p super-verbose
Then view the verbose output in Timeline Explorer
.\TimelineExplorer\TimelineExplorer.exe .\hayabusa-output-super-verbose.csv
Now go find threats :)
I work in a GRC role, so I won't ever really get time to play with this - but really enjoyed reading this, and a little tempted to play with it at home.
I like adding the hayabusa .csv to sql browser and sorting the rule title matches to least occurrence. Usually find what I’m looking for.