# Cheat Sheet - Hayabusa

## Export to further analysis / Timeline

```bash
./hayabusa csv-timeline -d input-evtx/ -o results.csv
```

- Send it to Timeline Explorer
- Send it to ELK
- Send it to LibreOffice by adding `-M` (multiline field output) to the command

Export for Timesketch (RFC 3339 timestamps, UTC, Timesketch profile):

```bash
./hayabusa csv-timeline -d input-evtx/ --RFC-3339 -o timesketch-import.csv -p timesketch -U
```

JSON timeline, for further processing with `jq`:

```bash
./hayabusa json-timeline -d input-evtx/ -o results.json
```

Quick check of the EventIDs:

```bash
cat results.json | jq '.EventID'
```

Count the occurrences:

```bash
cat results.json | jq '.EventID' | sort | uniq -c
```

Top 10 occurrences:

```bash
cat results.json | jq '.EventID' | sort | uniq -c | sort -nr | head -n 10
```

Extract a certain EventID:

```bash
cat results.json | jq 'select ( .EventID == 4624 ) '
```

Extract EventID 4624 with LogonType 3 (network logon):

```bash
cat results.json | jq 'select ( ( .EventID == 4624 ) and ( .Details.Type == 3 ) ) '
```

Convert JSON to CSV (Security 4624 events, one row per event):

```bash
cat results.json | jq 'select ( (.Channel == "Sec" ) and ( .EventID == 4624 ) ) | [ .Timestamp , .Computer , .Details[]? ] | @csv ' -r
```

Finding the dates with the most alerts (numeric sort, so the busiest day comes last):

```bash
cat results.json | jq ' .Timestamp | .[:10] ' -r | sort | uniq -c | sort -n
```

Reconstructing PowerShell logs (timestamp followed by the script block):

```bash
cat results.json | jq 'select ( .EventID == 4104) | .Timestamp[:16] , " " , .Details.ScriptBlock , "\n" ' -jr
```

Get all the targeted IPs:

```bash
cat results.json | jq 'select ( .Details.TgtIP? ) | .Details.TgtIP ' -r | sort | uniq
```

Count how many times a certain target IP was connected to:

```bash
cat results.json | jq 'select ( .Details.TgtIP? ) | .Details.TgtIP ' -r | sort | uniq -c | sort -n
```

Details on a certain target IP:

```bash
cat results.json | jq 'select ( .Details.TgtIP? == "93.184.220.29" ) '
```

With Sysmon enabled, extract binary hashes:

```bash
cat results.json | jq 'select ( .Details.Hashes? ) | .Details.Hashes ' -r
```

Extract the MD5 and remove duplicates (the `.[4:36]` slice assumes the `Hashes` field starts with `MD5=`, followed by the 32 hex characters):

```bash
cat results.json | jq 'select ( .Details.Hashes? ) | .Details.Hashes | .[4:36] ' -r | sort | uniq
```

Extract the PowerShell logs of one host into a `.ps1` file (the `awk` calls turn the literal `\r\n`, `\t` and `\n` sequences Hayabusa writes into real line breaks and tabs):

```bash
cat results.json | jq 'select ( .EventID == 4104 and .Details.ScriptBlock? != "n/a"  and .Computer == "COMPUTER-A.domain.local" ) | .Details.ScriptBlock , "\r\n"' -j | awk '{ gsub(/\\r\\n/,"\r\n"); print; }' | awk '{ gsub(/\\t/, "\t"); print; }' | awk '{ gsub(/\\n/, "\r\n"); print; }' > 4104-PowerShell-Logs.ps1
```
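The two PowerShell pipelines above (the timestamped dump and the `.ps1` reconstruction) redone in Python so the `jq`/`awk` unescaping and ordering logic is explicit; this is an added example, not part of the original cheat sheet or of Hayabusa itself. It assumes the `Timestamp`, `Computer`, `EventID` and `Details.ScriptBlock` keys used above, accepts JSONL, concatenated objects or a JSON array, and runs on constructed sample events rather than real Hayabusa output.

```python
import json
from collections import Counter

def iter_events(text):
    """Yield event objects from JSONL, concatenated JSON objects or a JSON array."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():  # skip whitespace between objects
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield from obj if isinstance(obj, list) else (obj,)

def unescape_block(block):
    # Hayabusa keeps each event on one line, so line breaks and tabs inside a ScriptBlock
    # arrive as the literal sequences \r\n, \t and \n (same substitutions as the awk chain).
    for literal, real in (("\\r\\n", "\r\n"), ("\\t", "\t"), ("\\n", "\r\n")):
        block = block.replace(literal, real)
    return block

def reconstruct_scriptblocks(text, computer=None):
    """Join the 4104 ScriptBlock fields of one host (or all hosts) in timestamp order."""
    blocks = []
    for ev in iter_events(text):
        details = ev.get("Details")
        script = details.get("ScriptBlock") if isinstance(details, dict) else None
        if ev.get("EventID") != 4104 or not script or script == "n/a":
            continue
        if computer and ev.get("Computer") != computer:
            continue
        blocks.append((ev.get("Timestamp", ""), unescape_block(script)))
    blocks.sort(key=lambda item: item[0])  # Hayabusa timestamps sort lexically
    return "\r\n".join(script for _, script in blocks)

def top_event_ids(text, n=10):
    """Equivalent of `jq '.EventID' | sort | uniq -c | sort -nr | head -n 10`."""
    return Counter(ev.get("EventID") for ev in iter_events(text)).most_common(n)

# Constructed sample events in Hayabusa's JSON shape (not real tool output).
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"Timestamp": "2024-01-02 10:00:01.000 +00:00", "Computer": "COMPUTER-A", "EventID": 4104,
     "Details": {"ScriptBlock": "$u = 'x'\\r\\n$p = 'y'"}},
    {"Timestamp": "2024-01-02 10:00:00.000 +00:00", "Computer": "COMPUTER-A", "EventID": 4104,
     "Details": {"ScriptBlock": "function Get-Foo {\\n\\treturn 1\\n}"}},
    {"Timestamp": "2024-01-02 10:00:02.000 +00:00", "Computer": "COMPUTER-B", "EventID": 4104,
     "Details": {"ScriptBlock": "n/a"}},
    {"Timestamp": "2024-01-02 10:00:03.000 +00:00", "Computer": "COMPUTER-A", "EventID": 4624,
     "Details": {"Type": 3, "TgtUser": "alice"}},
])
```

To use it on a real export, read `results.json` into a string and pass it to `reconstruct_scriptblocks(text, "COMPUTER-A.domain.local")`, writing the result to a `.ps1` file.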

More here

Also produce an HTML summary report:

```bash
./hayabusa csv-timeline -d input-evtx/ -o output.csv -H hayabusa-report.html
```

Use a custom rules directory:

```bash
./hayabusa csv-timeline -d input-evtx/ -r sigma/rules/
```

Output timestamps in UTC:

```bash
./hayabusa csv-timeline -d input-evtx/ -U
```

Live analysis of the local machine's event logs (Windows), minimum rule level `low`:

```bash
hayabusa.exe csv-timeline -l -m low
```

## search command

Search all events with a regex (here, anything that looks like an IPv4 address):

```bash
./hayabusa search -d input-evtx/ -r "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
```

Filter on a specific field value:

```bash
./hayabusa search -d input-evtx/ -r ".*" -F WorkstationName:"kali"
```

Search for the "mimikatz" string, case insensitive:

```bash
./hayabusa search -d input-evtx/ -i -k "mimikatz"
```

Search for several keywords at once:

```bash
./hayabusa search -d input-evtx/ -k "mimikatz" -k "sliver"
```

## extract-base64 command

This will extract base64 strings from the following events:

- Security 4688 CommandLine
- Sysmon 1 CommandLine, ParentCommandLine
- System 7045 ImagePath
- PowerShell Operational 4104
- PowerShell Operational 4103

```bash
./hayabusa extract-base64 -d input-evtx/
```

## Rules

Update the rule set:

```bash
./hayabusa update-rules
```