
fix: copy all .git commit history by specifying fetch-depth #1430

Merged
merged 2 commits into main from 1429-fix-release-automation-update-rules-error
Oct 10, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Oct 9, 2024

What Changed

Evidence

I will check if update-rules can be executed when there is a new commit in hayabusa_rules.

fukusuke@fukusukenoMacBook-Air hayabusa-2.18.0-mac-arm % ./hayabusa-2.18.0-mac-aarch64 update-rules -q
Start time: 2024/10/10 07:31

 - Renamed Powershell Under Powershell Channel (Modified: 2024-10-08 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml)
 - CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (Modified: 2024-10-08 | Path: rules/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml)
 - Antivirus Password Dumper Detection (Modified: 2024-10-08 | Path: rules/sigma/builtin/category/antivirus/av_password_dumper.yml)
 - Alternate PowerShell Hosts Pipe (Modified: 2024-10-07 | Path: rules/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml)
 - Suspicious Non PowerShell WSMAN COM Provider (Modified: 2024-10-08 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml)
 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml)
 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml)

Updated Sigma rules: 7
Rules updated successfully.

I have confirmed that update-rules can be run with today's update of hayabusa_rules.

I would appreciate it if you could check it out when you have time🙏
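The fix named in the PR title, shown here as an added illustrative GitHub Actions fragment; it is not the PR's own diff, which this page does not include. actions/checkout fetches only one commit by default (fetch-depth 1), so a .git directory copied out of that checkout into a release package is a shallow clone; fetch-depth: 0 fetches the full history instead. The step names, the `rules` destination path and the use of actions/checkout@v4 are assumptions; the repository name is the one referenced on this page.

```yaml
# Added illustration, not the project's workflow file.

# Weak setting (assumed to be the pre-fix state): the default checkout is a
# shallow clone of one commit, so the .git packaged with the release has
# no history for a later update-rules to work against.
- name: Check out hayabusa-rules (shallow, default fetch-depth)
  uses: actions/checkout@v4
  with:
    repository: Yamato-Security/hayabusa-rules   # repo referenced on this page
    path: rules                                  # assumed destination directory

# Corrected setting: fetch-depth 0 pulls all history for all branches and
# tags, so the packaged .git is a complete clone.
- name: Check out hayabusa-rules (full history)
  uses: actions/checkout@v4
  with:
    repository: Yamato-Security/hayabusa-rules
    path: rules
    fetch-depth: 0

# Guard step (assumed): fail the job if the checkout is still shallow, so a
# regression of this fix is caught before a package is built.
- name: Verify the rules checkout is not shallow
  run: test "$(git -C rules rev-parse --is-shallow-repository)" = false
```

The guard step relies on `git rev-parse --is-shallow-repository`, which prints `true` for a shallow clone and `false` otherwise; running it against the packaged rules directory is the same check a user can make locally when update-rules fails.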

@fukusuket fukusuket added the bug Something isn't working label Oct 9, 2024
@fukusuket fukusuket added this to the 2.18.0 Sector Release milestone Oct 9, 2024
@fukusuket fukusuket self-assigned this Oct 9, 2024
@fukusuket fukusuket changed the title fix: copy all .git commit history by specify fetch-depth fix: copy all .git commit history by specifying fetch-depth Oct 9, 2024
@fukusuket fukusuket marked this pull request as ready for review October 9, 2024 22:34
@fukusuket
Collaborator Author

fukusuket commented Oct 9, 2024

Windows 11 (x64)

PS C:\tmp\hayabusa-2.18.0-win-x64> .\hayabusa-2.18.0-win-x64.exe update-rules -q
Start time: 2024/10/10 07:43

 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules\sigma\builtin\process_creation\proc_creation_win_hktl_certipy.yml)
 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules\sigma\sysmon\process_creation\proc_creation_win_hktl_certipy.yml)
 - Renamed Powershell Under Powershell Channel (Modified: 2024-10-08 | Path: rules\sigma\builtin\powershell\powershell_classic\posh_pc_renamed_powershell.yml)
 - CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (Modified: 2024-10-08 | Path: rules\sigma\builtin\code_integrity\win_codeintegrity_attempted_dll_load.yml)
 - Alternate PowerShell Hosts Pipe (Modified: 2024-10-07 | Path: rules\sigma\sysmon\pipe_created\pipe_created_powershell_alternate_host_pipe.yml)
 - Suspicious Non PowerShell WSMAN COM Provider (Modified: 2024-10-08 | Path: rules\sigma\builtin\powershell\powershell_classic\posh_pc_wsman_com_provider_no_powershell.yml)
 - Antivirus Password Dumper Detection (Modified: 2024-10-08 | Path: rules\sigma\builtin\category\antivirus\av_password_dumper.yml)

Updated Sigma rules: 7
Rules updated successfully.

PS C:\tmp\hayabusa-2.18.0-win-x64> .\hayabusa-2.18.0-win-x64.exe csv-timeline -d ..\hayabusa-sample-evtx\ -w -o timeline.csv -q -D -n -u -C
Start time: 2024/10/10 07:44

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,497

Output profile: standard

Scanning in progress. Please wait.
[00:00:18] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (197)                Nasreddine Bencherchali (123)     Zach Mathis (121)                 oscd.community (120)              frack113 (108)                   │
│ Tim Shelton (34)                  Daniil Yugoslavskiy (26)          Teymur Kheirkhabarov (25)         Jonhnathan Ribeiro (23)           Thomas Patzke (21)               │
│ Tim Rauch (18)                    Timur Zinniatullin (17)           Christian Burkard (17)            Markus Neis (16)                  Roberto Rodriguez @Cyb3r... (15) │
│ E.M. Anhaus (14)                  Roberto Rodriguez (14)            Elastic (13)                      Michael Haag (12)                 Samir Bousseaden (11)            │
│ OTR (9)                           Endgame) (9)                      Victor Sergeev (9)                Swachchhanda Shrawan Poudel (9)   juju4 (8)                        │
│ Natalia Shornikova (8)            David ANDRE (7)                   Endgame (7)                       JHasenbusch (7)                   Ecco (6)                         │
│ X__Junior (6)                     omkar72 (5)                       Sander Wiebing (5)                Gleb Sukhodolskiy (5)             Christopher Peacock @sec... (4)  │
│ Janantha Marasinghe (4)           Andreas Hunkeler (4)              keepwatch (4)                     Tobias Michalski (4)              Arnim Rupp (4)                   │
│ @neu5ron (4)                      Max Altgelt (4)                   Mauricio Velazco (4)              Vadim Khrykov (3)                 pH-T (3)                         │
│ Dimitrios Slamaris (3)            FPT.EagleEye (3)                  Nikita Nazarov (3)                wagga (3)                         Mark Russinovich (3)             │
│ FPT.EagleEye Team (3)             @twjackomo (3)                    Sherif Eldeeb (3)                 James Pemberton@4A616D6573 (3)    Vasiliy Burov (3)                │
│ Harish Segar (3)                  Austin Songer @austinsonger (3)   Eric Conrad (3)                   Ilyas Ochkov (3)                  SOC Prime (3)                    │
│ Aleksey Potapov (3)               Wojciech Lesicki (3)              Jakob Weinzettl (3)               Yusuke Matsui (3)                 Perez Diego (3)                  │
│ Daniel Bohannon (3)               Cyb3rEng (3)                      Hieu Tran (3)                     Fukusuke Takahashi (3)            Alexandr Yampolskyi (3)          │
│ SCYTHE @scythe_io (3)             @dreadphones (2)                  Justin C. (2)                     D3F7A5105 (2)                     @SBousseaden (2)                 │
│ Zach Stanford @svch0st (2)        Relativity (2)                    Sreeman (2)                       Nik Seetharaman (2)               Trent Liffick (2)                │
│ Karneades (2)                     Yassine Oukessou (2)              Tom Ueltschi (2)                  @2xxeformyshirt (2)               elhoim (2)                       │
│ Tony Lambert) (2)                 Hosni Mribah (2)                  Sean Metcalf (2)                  Zaw Min Htun (2)                  Tony Lambert (2)                 │
│ Oleg Kolesnikov @securon... (2)   Anton Kutepov (2)                 James Pemberton@4A616D65... (2)   Mark Woan (2)                     Chakib Gzenayi (2)               │
│ Maxime Thiebaut (2)               Bartlomiej Czyz (2)               James Dickenson (2)               Modexp (2)                        Romaissa Adjailia (2)            │
│ @juju4 (1)                        Georg Lauenstein (1)              Teymur Kheirkhabarov @He... (1)   Matthew Green @mgreen27 (1)       Omer Faruk Celik (1)             │
│ Andreas Braathen (1)              SBousseaden (1)                   John Lambert (1)                  David Burkett (1)                 Jack Croock (1)                  │
│ Stephen Lincoln `@slinco... (1)   @Joseliyo_Jstnk (1)               Dave Kennedy (1)                  CD_ROM_ (1)                       vburov (1)                       │
│ NVISO (1)                         Alec Costello (1)                 Jason Lynch (1)                   @oscd_initiative (1)              Pushkarev Dmitry (1)             │
│ Center for Threat Inform... (1)   Markus Neis @Karneades (1)        Anish Bogati (1)                  Aaron Herman (1)                  @caliskanfurkan_ (1)             │
│ Austin Songer (1)                 Joshua Wright (1)                 James Pemberton @4A616D6573 (1)   fuzzyf10w (1)                     Ali Alwashali (1)                │
│ Stamatis Chatzimangou (1)         Joseliyo Sanchez (1)              Dominik Schaudel (1)              rukawa (1)                        Mangatas Tondang (1)             │
│ Ivan Dyachkov (1)                 Bhabesh Raj (1)                   David Strassegger (1)             Kutepov Anton (1)                 Dmitriy Lifanov (1)              │
│ KevTheHermit (1)                  Julia Fomina (1)                  Dan Beavin) (1)                   Maxence Fossat (1)                @kostastsale (1)                 │
│ blueteam0ps (1)                   Tom U. @c_APT_ure (1)             Nextron Systems (1)               Tuan Le (1)                       Benjamin Delpy (1)               │
│ Furkan CALISKAN (1)               MalGamy (1)                       Timon Hackenjos (1)               Open Threat Research (1)          Tom Kern (1)                     │
│ @atc_project (1)                  Mustafa Kaan Demir (1)            Oddvar Moe (1)                    Bartlomiej Czyz @bczyz1 (1)       j4son (1)                        │
│ Christopher Peacock @Sec... (1)   Josh Nickels (1)                  Scott Dermott (1)                 Cédric Hien (1)                   Jai Minton (1)                   │
│ Swisscom CSIRT (1)                Jeff Warren (1)                   Sorina Ionescu (1)                @gott_cyber (1)                   @scythe_io (1)                   │
│ SCYTHE (1)                        Jose Rodriguez (1)                Semanur Guneysu @semanurtg (1)    Sami Ruohonen (1)                 Cedric MAURUGEON (1)             │
│ @signalblur (1)                   Margaritis Dimitrios (1)          Maxim Pavlunin (1)                Fatih Sirin (1)                   @svch0st (1)                     │
│ Subhash Popuri (1)                mdecrevoisier (1)                 EagleEye Team (1)                                                                                    │
╰─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╌──────────────────────────────────╯

Results Summary:

Events with hits / Total events: 21,119 / 46,413 (Data reduction: 25,294 events (54.50%))

Total | Unique detections: 34,593 | 740
Total | Unique critical detections: 53 (0.15%) | 21 (0.00%)
Total | Unique high detections: 5,731 (16.57%) | 282 (9.32%)
Total | Unique medium detections: 2,444 (7.07%) | 264 (14.05%)
Total | Unique low detections: 6,667 (19.27%) | 104 (35.68%)
Total | Unique informational detections: 19,698 (56.94%) | 69 (38.11%)

Dates with most total detections:
critical: 2019-07-19 (16), high: 2016-09-20 (3,650), medium: 2019-05-19 (332), low: 2016-09-20 (3,725), informational: 2016-08-19 (2,140)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (10), FS03.offsec.lan (2), srvdefender01.offsec.lan (2), Isaac (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (119), IEWIN7 (68), fs03vuln.offsec.lan (28), FS03.offsec.lan (27), IE10Win7 (24)
medium: MSEDGEWIN10 (99), IEWIN7 (67), FS03.offsec.lan (29), fs03vuln.offsec.lan (26), rootdc1.offsec.lan (22)
low: MSEDGEWIN10 (50), IEWIN7 (25), FS03.offsec.lan (24), fs03vuln.offsec.lan (19), srvdefender01.offsec.lan (16)
informational: MSEDGEWIN10 (23), IEWIN7 (22), PC01.example.corp (19), IE8Win7 (18), IE10Win7 (17)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                        Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)               Metasploit SMB Authentication (3,562)            │
│ Active Directory Replication from Non Machine Account (6)   Suspicious Service Path (277)                    │
│ CobaltStrike Service Installations - System (6)             Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                            PowerShell Scripts Installed as Services (250)   │
│ Defender Alert (Severe) (4)                                 Suspicous Service Name (80)                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                          Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (235)                            Logon Failure (Wrong Password) (3,564)           │
│ Proc Injection (104)                                        Possible LOLBIN (1,418)                          │
│ Reg Key Value Set (Sysmon Alert) (103)                      Non Interactive PowerShell Process Spawned (325) │
│ Remote Thread Creation In Uncommon Target Image (93)        Rare Service Installations (321)                 │
│ Suspicious Remote Thread Target (93)                        Proc Access (156)                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Proc Exec (11,173)                                          Logon (Service) (Noisy) (434)                    │
│ NetShare File Access (2,558)                                NetShare Access (403)                            │
│ PwSh Scriptblock (789)                                      Svc Installed (331)                              │
│ PwSh Pipeline Exec (680)                                    Explicit Logon (304)                             │
│ DLL Loaded (Noisy) (550)                                    New Non-USB PnP Device (268)                     │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (33.5 MB)

Elapsed time: 00:00:21.1654

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

@fukusuket
Collaborator Author

fukusuket commented Oct 9, 2024

Ubuntu 22.04 LTS (intel-gnu)

fukusuke@ub:~/hayabusa$ ./hayabusa-2.18.0-lin-intel-x64-gnu update-rules -q
Start time: 2024/10/09 23:08

 - Renamed Powershell Under Powershell Channel (Modified: 2024-10-08 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml)
 - CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (Modified: 2024-10-08 | Path: rules/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml)
 - Antivirus Password Dumper Detection (Modified: 2024-10-08 | Path: rules/sigma/builtin/category/antivirus/av_password_dumper.yml)
 - Alternate PowerShell Hosts Pipe (Modified: 2024-10-07 | Path: rules/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml)
 - Suspicious Non PowerShell WSMAN COM Provider (Modified: 2024-10-08 | Path: rules/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml)
 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml)
 - HackTool - Certipy Execution (Modified: 2024-10-08 | Path: rules/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml)

Updated Sigma rules: 7
Rules updated successfully.

fukusuke@ub:~/hayabusa$ ./hayabusa-2.18.0-lin-intel-x64-gnu csv-timeline -d ./hayabusa-sample-evtx/ -w -q -D -n -u -o timeline.csv -p super-verbose
Start time: 2024/10/09 23:09

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 216 (4.72%)
Experimental rules: 432 (9.44%)
Stable rules: 255 (5.57%)
Test rules: 3,627 (79.28%)
Unsupported rules: 45 (0.98%)

Hayabusa rules: 181
Sigma rules: 4,394
Total detection rules: 4,575

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,497

Output profile: super-verbose

Scanning in progress. Please wait.

[00:00:13] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (197)                Nasreddine Bencherchali (123)     Zach Mathis (121)                  oscd.community (120)            │
│ frack113 (108)                    Tim Shelton (34)                  Daniil Yugoslavskiy (26)           Teymur Kheirkhabarov (25)       │
│ Jonhnathan Ribeiro (23)           Thomas Patzke (21)                Tim Rauch (18)                     Timur Zinniatullin (17)         │
│ Christian Burkard (17)            Markus Neis (16)                  Roberto Rodriguez @Cyb3r... (15)   E.M. Anhaus (14)                │
│ Roberto Rodriguez (14)            Elastic (13)                      Michael Haag (12)                  Samir Bousseaden (11)           │
│ OTR (9)                           Endgame) (9)                      Victor Sergeev (9)                 Swachchhanda Shrawan Poudel (9) │
│ juju4 (8)                         Natalia Shornikova (8)            David ANDRE (7)                    Endgame (7)                     │
│ JHasenbusch (7)                   Ecco (6)                          X__Junior (6)                      omkar72 (5)                     │
│ Sander Wiebing (5)                Gleb Sukhodolskiy (5)             Christopher Peacock @sec... (4)    Janantha Marasinghe (4)         │
│ Andreas Hunkeler (4)              keepwatch (4)                     Tobias Michalski (4)               Arnim Rupp (4)                  │
│ @neu5ron (4)                      Max Altgelt (4)                   Mauricio Velazco (4)               Vadim Khrykov (3)               │
│ pH-T (3)                          Dimitrios Slamaris (3)            FPT.EagleEye (3)                   Nikita Nazarov (3)              │
│ wagga (3)                         Mark Russinovich (3)              FPT.EagleEye Team (3)              @twjackomo (3)                  │
│ Sherif Eldeeb (3)                 James Pemberton@4A616D6573 (3)    Vasiliy Burov (3)                  Harish Segar (3)                │
│ Austin Songer @austinsonger (3)   Eric Conrad (3)                   Ilyas Ochkov (3)                   SOC Prime (3)                   │
│ Aleksey Potapov (3)               Wojciech Lesicki (3)              Jakob Weinzettl (3)                Yusuke Matsui (3)               │
│ Perez Diego (3)                   Daniel Bohannon (3)               Cyb3rEng (3)                       Hieu Tran (3)                   │
│ Fukusuke Takahashi (3)            Alexandr Yampolskyi (3)           SCYTHE @scythe_io (3)              @dreadphones (2)                │
│ Justin C. (2)                     D3F7A5105 (2)                     @SBousseaden (2)                   Zach Stanford @svch0st (2)      │
│ Relativity (2)                    Sreeman (2)                       Nik Seetharaman (2)                Trent Liffick (2)               │
│ Karneades (2)                     Yassine Oukessou (2)              Tom Ueltschi (2)                   @2xxeformyshirt (2)             │
│ elhoim (2)                        Tony Lambert) (2)                 Hosni Mribah (2)                   Sean Metcalf (2)                │
│ Zaw Min Htun (2)                  Tony Lambert (2)                  James Pemberton@4A616D65... (2)    Oleg Kolesnikov @securon... (2) │
│ Mark Woan (2)                     Anton Kutepov (2)                 Chakib Gzenayi (2)                 Maxime Thiebaut (2)             │
│ Bartlomiej Czyz (2)               James Dickenson (2)               Modexp (2)                         Romaissa Adjailia (2)           │
│ EagleEye Team (1)                 Georg Lauenstein (1)              Teymur Kheirkhabarov @He... (1)    Matthew Green @mgreen27 (1)     │
│ Omer Faruk Celik (1)              Andreas Braathen (1)              SBousseaden (1)                    Stephen Lincoln `@slinco... (1) │
│ David Burkett (1)                 Jack Croock (1)                   John Lambert (1)                   @Joseliyo_Jstnk (1)             │
│ Dave Kennedy (1)                  CD_ROM_ (1)                       vburov (1)                         NVISO (1)                       │
│ Alec Costello (1)                 Jason Lynch (1)                   Pushkarev Dmitry (1)               @oscd_initiative (1)            │
│ Center for Threat Inform... (1)   Markus Neis @Karneades (1)        Anish Bogati (1)                   Aaron Herman (1)                │
│ fuzzyf10w (1)                     James Pemberton @4A616D6573 (1)   Austin Songer (1)                  Ali Alwashali (1)               │
│ Joshua Wright (1)                 @caliskanfurkan_ (1)              Stamatis Chatzimangou (1)          Joseliyo Sanchez (1)            │
│ Dominik Schaudel (1)              rukawa (1)                        Mangatas Tondang (1)               Ivan Dyachkov (1)               │
│ Bhabesh Raj (1)                   David Strassegger (1)             Kutepov Anton (1)                  Dmitriy Lifanov (1)             │
│ KevTheHermit (1)                  Julia Fomina (1)                  @kostastsale (1)                   Maxence Fossat (1)              │
│ Dan Beavin) (1)                   blueteam0ps (1)                   Tom U. @c_APT_ure (1)              Nextron Systems (1)             │
│ MalGamy (1)                       Benjamin Delpy (1)                Tuan Le (1)                        Furkan CALISKAN (1)             │
│ Timon Hackenjos (1)               Oddvar Moe (1)                    @atc_project (1)                   Tom Kern (1)                    │
│ Mustafa Kaan Demir (1)            Open Threat Research (1)          Bartlomiej Czyz @bczyz1 (1)        j4son (1)                       │
│ Christopher Peacock @Sec... (1)   Josh Nickels (1)                  Scott Dermott (1)                  Jai Minton (1)                  │
│ Swisscom CSIRT (1)                Cédric Hien (1)                   Jeff Warren (1)                    Sorina Ionescu (1)              │
│ @gott_cyber (1)                   @scythe_io (1)                    Jose Rodriguez (1)                 Semanur Guneysu @semanurtg (1)  │
│ SCYTHE (1)                        Sami Ruohonen (1)                 Fatih Sirin (1)                    @signalblur (1)                 │
│ Margaritis Dimitrios (1)          @svch0st (1)                      Maxim Pavlunin (1)                 Cedric MAURUGEON (1)            │
│ Subhash Popuri (1)                mdecrevoisier (1)                 @juju4 (1)                                                         │
╰─────────────────────────────────╌─────────────────────────────────╌──────────────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 21,119 / 46,413 (Data reduction: 25,294 events (54.50%))

Total | Unique detections: 34,593 | 740
Total | Unique critical detections: 53 (0.15%) | 21 (0.00%)
Total | Unique high detections: 5,731 (16.57%) | 282 (9.32%)
Total | Unique medium detections: 2,444 (7.07%) | 264 (14.05%)
Total | Unique low detections: 6,667 (19.27%) | 104 (35.68%)
Total | Unique informational detections: 19,698 (56.94%) | 69 (38.11%)

Dates with most total detections:
critical: 2019-07-19 (11), high: 2016-09-19 (3,627), medium: 2019-05-18 (332), low: 2016-09-19 (3,679), informational: 2016-09-03 (2,291)

Top 5 computers with most unique detections:
critical: MSEDGEWIN10 (10), FS03.offsec.lan (2), srvdefender01.offsec.lan (2), Isaac (1), win10-02.offsec.lan (1)
high: MSEDGEWIN10 (119), IEWIN7 (68), fs03vuln.offsec.lan (28), FS03.offsec.lan (27), IE10Win7 (24)
medium: MSEDGEWIN10 (99), IEWIN7 (67), FS03.offsec.lan (29), fs03vuln.offsec.lan (26), rootdc1.offsec.lan (22)
low: MSEDGEWIN10 (50), IEWIN7 (25), FS03.offsec.lan (24), fs03vuln.offsec.lan (19), srvdefender01.offsec.lan (16)
informational: MSEDGEWIN10 (23), IEWIN7 (22), PC01.example.corp (19), IE8Win7 (18), IE10Win7 (17)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                        Top high alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Sticky Key Like Backdoor Usage - Registry (8)               Metasploit SMB Authentication (3,562)            │
│ Active Directory Replication from Non Machine Account (6)   Suspicious Service Path (277)                    │
│ CobaltStrike Service Installations - System (6)             Suspicious Service Installation Script (250)     │
│ WannaCry Ransomware Activity (4)                            PowerShell Scripts Installed as Services (250)   │
│ Defender Alert (Severe) (4)                                 Suspicous Service Name (80)                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                          Top low alerts:                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Potentially Malicious PwSh (235)                            Logon Failure (Wrong Password) (3,564)           │
│ Proc Injection (104)                                        Possible LOLBIN (1,418)                          │
│ Reg Key Value Set (Sysmon Alert) (103)                      Non Interactive PowerShell Process Spawned (325) │
│ Remote Thread Creation In Uncommon Target Image (93)        Rare Service Installations (321)                 │
│ Suspicious Remote Thread Target (93)                        Proc Access (156)                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                    │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Proc Exec (11,173)                                          Logon (Service) (Noisy) (434)                    │
│ NetShare File Access (2,558)                                NetShare Access (403)                            │
│ PwSh Scriptblock (789)                                      Svc Installed (331)                              │
│ PwSh Pipeline Exec (680)                                    Explicit Logon (304)                             │
│ DLL Loaded (Noisy) (550)                                    New Non-USB PnP Device (268)                     │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (40.9 MB)

Elapsed time: 00:00:16.930

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

@fukusuket
Collaborator Author

Ubuntu 22.04 LTS (musl)

musl binary failed... :( I'll fix this ...

fukusuke@ub:~/hayabusa$ ./hayabusa-2.18.0-lin-intel-x64-musl update-rules -q
./hayabusa-2.18.0-lin-intel-x64-musl: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.39' not found (required by ./hayabusa-2.18.0-lin-intel-x64-musl)
./hayabusa-2.18.0-lin-intel-x64-musl: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by ./hayabusa-2.18.0-lin-intel-x64-musl)

@fukusuket
Collaborator Author

fukusuket commented Oct 9, 2024

@YamatoSecurity
Sorry, the investigation of the musl binary is going to take some time. Could you please let us deal with this as a separate issue? 🙏 (This may be a difficult issue to solve on our side...)

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket LGTM! Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 0e6251e into main Oct 10, 2024
16 checks passed
@YamatoSecurity YamatoSecurity deleted the 1429-fix-release-automation-update-rules-error branch October 10, 2024 02:03
Development

Successfully merging this pull request may close these issues.

[bug] update-rules fails for packages created with Release Automation