Full Report
In part 1 of this post, we’ll discuss how Hayabusa and “Security Operations and Forensics ELK” (SOF-ELK) can help us wrangle EVTX files (Windows Event Log files) for maximum effect during a Windows endpoint investigation! The post Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Hayabusa
## Overview
Hayabusa is a fast forensic timeline generator and threat hunting tool specifically designed for Windows Event Logs (EVTX files). Its purpose is to efficiently parse, filter, and search large volumes of event logs to reduce noise and highlight event log entries relevant to security investigations.
## Technical Details
- Type: Tool
- Platform: Windows, macOS, Linux
- Capabilities: Generates forensic timelines from EVTX files, incorporates over 4,000 SIGMA rules and 170 built-in detection rules, outputs results in CSV or JSON format showing timestamp, rule title, severity, and event details.
- First Seen: Not explicitly mentioned, but developed and supported by Yamato Security.
## MITRE ATT&CK Mapping
*The article discusses the analysis of artifacts generated by potential malicious activity but focuses on the tool's capability to **detect** activity rather than mapping the tool itself to an ATT&CK technique. Since Hayabusa processes evidence of adversary behavior, the mapping below reflects the general function of analyzing log artifacts.*
- T1003 - OS Credential Dumping (When Hayabusa rules successfully flag credential dumping events recorded in logs)
- T1003.001 - LSASS Memory
- T1083 - File and Directory Discovery (When Hayabusa rules flag reconnaissance activities recorded in logs)
## Functionality
### Core Capabilities
- **Log Wrangling:** Processes voluminous Windows Event Log (EVTX) files generated on endpoints.
- **Rule-Based Detection:** Utilizes a large set of detection rules (including SIGMA rules) to identify suspicious events rapidly.
- **Timeline Generation:** Creates simplified output timelines (CSV/JSON) containing only rule "hits."
- **Data Reduction:** Achieves a significant reduction (around 75%) in the number of event log entries requiring manual review.
### Advanced Features
- **Severity Prioritization:** Output includes severity levels ("info" to "emergency"), allowing analysts to prioritize investigation by focusing on high-severity hits ("critical" and "high").
- **Rule Updates:** Supports updating its rule set via the command line (`update-rules`).
## Indicators of Compromise
- File Hashes: N/A (This section applies to malware/IOCs derived from analysis, not the tool itself.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- N/A (Hayabusa is a defensive/forensic tool used by Blue Teams and investigators.)
## Detection Methods
- Signature-based detection: Rule hits generated by Hayabusa's extensive rule set against EVTX data.
- Behavioral detection: Focused analysis on patterns flagged by rules within the event logs.
- YARA rules: Not used directly; Hayabusa ships SIGMA rules, which play an analogous role for event log entries to the one YARA plays for files.
## Mitigation Strategies
- **Proactive Logging:** Ensuring comprehensive Windows Event Logging is enabled on endpoints to provide sufficient artifact data for Hayabusa ingestion.
- **Baselining:** Establishing normal log volumes and event patterns to better identify anomalies flagged by Hayabusa.
## Related Tools/Techniques
- SOF-ELK (Security Operations and Forensics ELK): Used in conjunction with Hayabusa for ingesting, parsing, and providing an intuitive web UI for searching and filtering Hayabusa's output data.
- Rapid Endpoint Investigations workflow: A workflow leveraging Hayabusa and SOF-ELK for scaling log analysis across many systems.
***
# Tool/Technique: SOF-ELK (Security Operations and Forensics ELK)
## Overview
SOF-ELK, created by Phil Hagen, is a big data analytics platform packaged as a pre-built Virtual Machine. It is specifically designed to cater to the needs of computer forensic investigators and analysts, providing capabilities to ingest, parse, search, sort, and filter large datasets, including the output from Hayabusa.
## Technical Details
- Type: Tool/Framework (Log Analytics Platform)
- Platform: Delivered as a prepackaged Virtual Machine (runs on appropriate virtualization software).
- Capabilities: Ingests and parses various log types (including Hayabusa output), provides an intuitive web UI for visualization and complex querying (using KQL), supports scaling analysis.
- First Seen: N/A
## MITRE ATT&CK Mapping
*The tool facilitates the **Collection** and **Analysis** phases of an investigation, helping analysts map findings to adversary techniques.*
- T1005 - Data from Local System (Facilitates the analysis of data collected from local systems, such as EVTX files.)
- T1560 - Archive Collected Data (While SOF-ELK analyzes data, its visualization capabilities streamline identifying what needs to be archived post-analysis.)
## Functionality
### Core Capabilities
- **Data Ingestion:** Built-in parsers for various log types, including prebuilt parsers for Hayabusa output.
- **Data Analytics and Visualization:** Provides a web UI for advanced searching, sorting, and filtering of ingested data.
- **Persistence of Context:** Allows users to copy/paste URLs containing applied filters/queries to preserve analytical context across different sessions or tabs.
### Advanced Features
- **Kibana Query Language (KQL):** Used for complex filtering. Example from the article, which drops the "info", "low" and "med" levels so that only high-severity hits remain: `NOT rule.level: "info" and NOT rule.level: "low" and NOT rule.level: "med"`.
- **Integration with Endpoint Analysis:** Seamlessly handles the CSV/JSON output generated by Hayabusa for large-scale review.
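The same severity triage can be done on Hayabusa's JSON timeline before it reaches SOF-ELK. The example below is added here and is not code from the article or from either project; the JSONL field names (`Timestamp`, `Computer`, `Level`, `RuleTitle`, `Details`), the accepted level spellings and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Severity order described on the page ("info" up to "emergency"). Short and
# long spellings are both accepted (assumption) so the filter tolerates either.
LEVEL_RANK = {"info": 0, "informational": 0, "low": 1, "med": 2, "medium": 2,
              "high": 3, "crit": 4, "critical": 4, "emer": 5, "emergency": 5}

# Constructed sample of Hayabusa JSONL output (field names are an assumption).
SAMPLE_JSONL = """\
{"Timestamp": "2024-03-01 10:00:05 +00:00", "Computer": "WS01", "Level": "info", "RuleTitle": "Logon Success", "Details": "User: alice"}
{"Timestamp": "2024-03-01 10:02:11 +00:00", "Computer": "WS01", "Level": "med", "RuleTitle": "Service Installed", "Details": "Svc: updater"}
{"Timestamp": "2024-03-01 10:03:40 +00:00", "Computer": "WS01", "Level": "high", "RuleTitle": "Suspicious PowerShell", "Details": "Cmd: encoded"}
{"Timestamp": "2024-03-01 09:58:00 +00:00", "Computer": "WS02", "Level": "crit", "RuleTitle": "LSASS Access", "Details": "Proc: rundll32.exe"}
{"Timestamp": "2024-03-01 10:05:00 +00:00", "Computer": "WS02", "Level": "low", "RuleTitle": "Log Cleared", "Details": "Channel: Security"}
"""


def _rank(hit):
    # Unknown or missing levels rank above everything so they are never dropped.
    return LEVEL_RANK.get(str(hit.get("Level", "")).lower(), 99)


def parse_hits(jsonl_text):
    """Parse a Hayabusa JSONL timeline; a truncated line must not abort triage."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            hits.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return hits


def filter_hits(hits, min_level="high"):
    """Keep hits at or above min_level, ordered by severity (desc) then time.

    With min_level="high" this matches the page's KQL filter
    NOT rule.level:"info" and NOT rule.level:"low" and NOT rule.level:"med".
    """
    floor = LEVEL_RANK[min_level.lower()]
    kept = [h for h in hits if _rank(h) >= floor]
    return sorted(kept, key=lambda h: (-_rank(h), h.get("Timestamp", "")))


def severity_counts(hits):
    """Hits per level label, to show how much noise the severity floor removed."""
    return Counter(str(h.get("Level", "")).lower() for h in hits)
```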
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- N/A (SOF-ELK is a defensive/forensic tool.)
## Detection Methods
- Querying against ingested data using KQL to filter based on known malicious patterns or high-severity flags derived from other tools (like Hayabusa).
## Mitigation Strategies
- **Platform Hardening:** Securing the SOF-ELK VM and ensuring only authorized personnel have access to the web UI and underlying data.
- **Data Lifecycle Management:** Implementing procedures for exporting and archiving analyzed data for long-term retention.
## Related Tools/Techniques
- Hayabusa: The primary source of structured, rule-hit data fed into SOF-ELK for large-scale analysis.
- Elastic Stack (Underlying technology).