Missing even data in Details

[zpravaiz]

Hi,
I was trying to use hayabusa to solve a CTF which requires to parse sysmon evtx file. I was assuming hayabusa will run csv-timeline and will provide all the event description in Detail, which I will use solve the challenge. But it turnout large part of description was missing in csv file. Is this a know behaviour or some bug? I am using latest version on hayabusa on mac.

I would appreciate your response.

Thanks

[AndrewRathbun]

Try using something like EvtxECmd which parses every event log, message, ID etc and doesn't use Sigma rules. Tools like Chainsaw and Hayabusa are great, but they only rely on hits from a given ruleset, which very likely omits a lot of data by design. My personal recommendation is to use EvtxECmd primarily when parsing event logs and then using a tool like Chainsaw or Hayabusa to leverage detection rulesets for IOCs to pivot off of. I'd never use the latter as my only event log parser as that's not really what it's meant for, IMO. Great tools, but you have to know their interned purpose and role they serve in your investigation. EvtxECmd won't give me low hanging fruit detection based on the awesome work of threat hunters via Sigma rules, but it allows me to see the XML payload of every evtx file, and I'm guessing that would've solved the problem for you in your CTF scenario.

Hope that makes sense and good luck.

[hitenkoku]

Hello,

I do not know what is required by that CTF.
If you want a proper answer, it would be easier to provide the command you executed.

If you need all the information in the detected record, please check the data in %AllFieldInfo% field.

Here is the profile from which you can get the %AllFieldInfo% data.

- all-field-info
- all-field-info-verbose
- super-verbose
- timesketch-verbose

If you want to set up a profile, do the following with the -p option: hayabusa csv-timeline -p all-field-info

Best Regards

[AndrewRathbun]

Detected record is the keyword. It's possible there may have not been a rule that would've provided a detection for the specific recorded event that the CTF was referencing in the question. I think it would be prudent for OP to test on their own if Hayabusa would've been the right tool for this particular job. That being said, I run EvtxECmd, Chainsaw, and Hayabusa on every endpoint I analyze at work, as well as Thor. You just have to know the limitations each tool has and the value each tool can provide.

[YamatoSecurity]

@zpravaiz Hayabusa has rules to detect all sysmon events. (If it doesn't detect a sysmon event that you need then that would be considered a bug so please report it but you should be able to detect all sysmon events.) By default, only the most important fields in an event are outputted in the Details column. You can easy get all field information by changing the output profile as @hitenkoku mentioned to any of the following:

- all-field-info
- all-field-info-verbose
- super-verbose
- timesketch-verbose

Just add -p super-verbose to the command line to get as much info as possible.
This is all explained in the readme but many people ask about this so in the next version coming out in a few weeks we are going to output all information by default.

[zpravaiz]

Thank you all,
It really helped me learn more about tools and approach the data.

I tried an older version of Hayabusa (2.5) which did not report some HASH in the sysmon events. I downloaded 2.5.1 which reported the missing hashes but did not report the command lines, which I know now should be able to get by changing the profile.

Thank you @AndrewRathbun for the explanation on how to prioritize the tools.