
feat: add support v2 modifier(ge/gte/lt/lte) #1463

Merged
merged 2 commits into from
Oct 29, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Oct 29, 2024

What Changed

Evidence

Integration-Test

All commands completed successfully.
https://github.com/Yamato-Security/hayabusa/actions/runs/11576545760

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Oct 29, 2024
@fukusuket fukusuket added the enhancement New feature or request label Oct 29, 2024
@fukusuket
Collaborator Author

fukusuket commented Oct 29, 2024

gte

```yaml
author: TEST
date: 2024/10/29
title: 'TEST'
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|gte: 10
    condition: selection
```

```
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r test.yml -q
...

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo
2019-02-14 03:02:04.426 +09:00 · TEST · info · PC01.example.corp · Sec · 4624 · 227701 · Type: 11 - CACHED INTERACTIVE ¦ TgtUser: user01 ¦ SrcComp: PC01 ¦ SrcIP: 127.0.0.1 ¦ LID: 0x1414c8 · AuthenticationPackageName: Negotiate ¦ IpPort: 0 ¦ KeyLength: 0 ¦ LmPackageName: - ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ LogonProcessName: User32 ¦ ProcessId: 1796 ¦ ProcessName: C:\Windows\System32\winlogon.exe ¦ SubjectDomainName: EXAMPLE ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: PC01$ ¦ SubjectUserSid: S-1-5-18 ¦ TargetDomainName: EXAMPLE ¦ TargetUserSid: S-1-5-21-1587066498-1489273250-1035260531-1106 ¦ TransmittedServices: -
2019-02-14 03:04:58.363 +09:00 · TEST · info · PC01.example.corp · Sec · 4624 · 227762 · Type: 10 - REMOTE INTERACTIVE ¦ TgtUser: admin01 ¦ SrcComp: PC01 ¦ SrcIP: 127.0.0.1 ¦ LID: 0x14a321 · AuthenticationPackageName: Negotiate ¦ IpPort: 49274 ¦ KeyLength: 0 ¦ LmPackageName: - ¦ LogonGuid: AF83A89C-C68A-5397-5AC6-24A0C4D2BAF6 ¦ LogonProcessName: User32 ¦ ProcessId: 1208 ¦ ProcessName: C:\Windows\System32\winlogon.exe ¦ SubjectDomainName: EXAMPLE ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: PC01$ ¦ SubjectUserSid: S-1-5-18 ¦ TargetDomainName: EXAMPLE ¦ TargetUserSid: S-1-5-21-1587066498-1489273250-1035260531-1108 ¦ TransmittedServices: -
2019-02-14 00:26:53.356 +09:00 · TEST · info · PC02.example.corp · Sec · 4624 · 5315 · Type: 10 - REMOTE INTERACTIVE ¦ TgtUser: IEUser ¦ SrcComp: PC02 ¦ SrcIP: 127.0.0.1 ¦ LID: 0x45120 · AuthenticationPackageName: Negotiate ¦ IpPort: 49164 ¦ KeyLength: 0 ¦ LmPackageName: - ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ LogonProcessName: User32 ¦ ProcessId: 1624 ¦ ProcessName: C:\Windows\System32\winlogon.exe ¦ SubjectDomainName: EXAMPLE ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: PC02$ ¦ SubjectUserSid: S-1-5-18 ¦ TargetUserSid: S-1-5-21-3583694148-1414552638-2922671848-1000 ¦ TransmittedServices: -

[00:00:00] 248 / 248   [========================================] 100%
```

@fukusuket
Collaborator Author

gt

```yaml
author: TEST
date: 2024/10/29
title: 'TEST'
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|gt: 10
    condition: selection
```

```
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r test.yml -q

Timestamp · RuleTitle · Level · Computer · Channel · EventID · RecordID · Details · ExtraFieldInfo
2019-02-14 03:02:04.426 +09:00 · TEST · info · PC01.example.corp · Sec · 4624 · 227701 · Type: 11 - CACHED INTERACTIVE ¦ TgtUser: user01 ¦ SrcComp: PC01 ¦ SrcIP: 127.0.0.1 ¦ LID: 0x1414c8 · AuthenticationPackageName: Negotiate ¦ IpPort: 0 ¦ KeyLength: 0 ¦ LmPackageName: - ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ LogonProcessName: User32 ¦ ProcessId: 1796 ¦ ProcessName: C:\Windows\System32\winlogon.exe ¦ SubjectDomainName: EXAMPLE ¦ SubjectLogonId: 0x3e7 ¦ SubjectUserName: PC01$ ¦ SubjectUserSid: S-1-5-18 ¦ TargetDomainName: EXAMPLE ¦ TargetUserSid: S-1-5-21-1587066498-1489273250-1035260531-1106 ¦ TransmittedServices: -

[00:00:00] 248 / 248   [========================================] 100%
```

@fukusuket
Collaborator Author

fukusuket commented Oct 29, 2024

lt

```yaml
author: TEST
date: 2024/10/29
title: 'TEST'
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|lt: 2
    condition: selection
```

```
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r test.yml -q

2013-10-24 02:30:52.625 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 507 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
2013-10-24 02:33:10.078 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 986 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
2013-10-24 02:50:25.546 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 1039 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
...
```

@fukusuket
Collaborator Author

lte

```yaml
date: 2024/10/29
title: 'TEST'
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        Channel: Security
        EventID: 4624
        LogonType|lte: 0
    condition: selection
```

```
% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -r test.yml -q

2013-10-24 01:16:13.843 +09:00 · TEST · info · 37L4247D28-05 · Sec · 4624 · 2 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
2013-10-24 01:18:50.500 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 40 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
2013-10-24 02:30:52.625 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 507 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
2013-10-24 02:33:10.078 +09:00 · TEST · info · IE8Win7 · Sec · 4624 · 986 · Type: 0 - SYSTEM ¦ TgtUser: SYSTEM ¦ SrcComp: - ¦ SrcIP: - ¦ LID: 0x3e7 · KeyLength: 0 ¦ LogonGuid: 00000000-0000-0000-0000-000000000000 ¦ ProcessId: 4 ¦ ProcessName:  ¦ SubjectLogonId: 0x0 ¦ SubjectUserSid: S-1-0-0 ¦ TargetDomainName: NT AUTHORITY ¦ TargetUserSid: S-1-5-18
```

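The four evidence comments above (gte, gt, lt, lte) each exercise one Sigma v2 numeric modifier against the `LogonType` field of Event ID 4624. The following is an added example, not code from this PR and not Hayabusa's Rust implementation: a small Python model of the modifier semantics, evaluated over constructed events that mirror the record IDs and logon types visible in the csv-timeline output. All function names (`field_matches`, `matching_record_ids`, `base_selection`) and the sample data are this example's own assumptions. It shows the behaviour the screenshots demonstrate (gte: 10 catches types 10 and 11, gt: 10 catches only 11, lt: 2 and lte: 0 catch type 0) and two edge cases the PR output does not: a field value that is not numeric never satisfies a numeric modifier, and the comparison is on parsed numbers rather than strings.

```python
import operator

# Constructed sample events (not real EVTX data), modelled on the fields and
# record IDs shown in the PR's csv-timeline output. Values are strings, which
# is how they commonly arrive from EVTX conversion; that is why the numeric
# modifiers must parse before comparing.
SAMPLE_EVENTS = [
    {"RecordID": 227701, "Channel": "Security", "EventID": "4624", "LogonType": "11"},
    {"RecordID": 227762, "Channel": "Security", "EventID": "4624", "LogonType": "10"},
    {"RecordID": 5315,   "Channel": "Security", "EventID": "4624", "LogonType": "10"},
    {"RecordID": 507,    "Channel": "Security", "EventID": "4624", "LogonType": "0"},
    # Failed logon (4625): excluded by the EventID equality term, not by LogonType.
    {"RecordID": 9001,   "Channel": "Security", "EventID": "4625", "LogonType": "11"},
    # Non-numeric LogonType: must never satisfy gt/gte/lt/lte.
    {"RecordID": 9002,   "Channel": "Security", "EventID": "4624", "LogonType": "-"},
]

# Sigma v2 numeric comparison modifiers mapped to Python comparison operators.
NUMERIC_MODIFIERS = {
    "gt": operator.gt,
    "gte": operator.ge,
    "lt": operator.lt,
    "lte": operator.le,
}


def to_number(value):
    """Parse an int (or float) from a string or number; None if not numeric."""
    text = str(value).strip()
    try:
        return int(text)
    except ValueError:
        pass
    try:
        return float(text)
    except ValueError:
        return None


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' term of a Sigma selection."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False  # absent field never matches
    if not modifier:
        # Plain Sigma equality: string comparison, case-insensitive.
        return str(actual).casefold() == str(expected).casefold()
    if modifier in NUMERIC_MODIFIERS:
        a, e = to_number(actual), to_number(expected)
        if a is None or e is None:
            return False  # non-numeric on either side: no match
        return NUMERIC_MODIFIERS[modifier](a, e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """A selection map is an AND of all its field terms."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def matching_record_ids(selection, events=SAMPLE_EVENTS):
    """Return the RecordIDs of events the selection matches, in input order."""
    return [e["RecordID"] for e in events if selection_matches(e, selection)]


def base_selection(modifier, threshold):
    """Build the selection used by the PR's test rules for a given modifier."""
    return {"Channel": "Security", "EventID": 4624, f"LogonType|{modifier}": threshold}


if __name__ == "__main__":
    for mod, thr in (("gte", 10), ("gt", 10), ("lt", 2), ("lte", 0)):
        print(f"LogonType|{mod}: {thr} ->", matching_record_ids(base_selection(mod, thr)))
```

The `to_number` step is the part worth checking when reviewing any engine's implementation of these modifiers: compared as strings, `"9" > "10"` is true in Python, so a string-based comparison would silently misclassify logon types, and a rule like `LogonType|gte: 10` would miss exactly the remote-interactive (10) and cached-interactive (11) logons the evidence above shows it catching.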
Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 5973ffc into main Oct 29, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1433-v2-modifier-ge-lt-gte-lte branch October 29, 2024 22:42
Successfully merging this pull request may close these issues.

Implement gt, lt, etc.. modifiers