Comments (22)
Thank you so much for the mention :) Sounds interesting!
As mentioned in the comments above, there seem to be several options, so I'd like to start by researching each one.
from hayabusa.
Sounds good! I'll try it!
from hayabusa.
I tried the following code (with wmi = "0.13.3")!
use std::collections::HashMap;
use wmi::{COMLibrary, Variant, WMIConnection};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Initialize COM for this thread and connect to the default WMI namespace (ROOT\CIMV2).
    let com_con = COMLibrary::new()?;
    let wmi_con = WMIConnection::new(com_con.into())?;
    // Every shadow copy on the machine is one Win32_ShadowCopy instance.
    let query = "SELECT * FROM Win32_ShadowCopy";
    let results: Vec<HashMap<String, Variant>> = wmi_con.raw_query(query)?;
    // Keep only the VolumeName property (the original volume's GUID path).
    let volumes: Vec<_> = results
        .iter()
        .filter_map(|map| map.get("VolumeName"))
        .collect();
    println!("{:?}", volumes);
    Ok(())
}
then got the following expected result:
C:\tmp\vss\target\release>sample.exe
[String("\\\\?\\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\\"), String("\\\\?\\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\\")]
The above results match the vssadmin results.
C:\tmp\vss\target\release>vssadmin list shadows
vssadmin 1.1 - ボリューム シャドウ コピー サービス管理コマンド ライン ツール
(C) Copyright 2001-2013 Microsoft Corp.
シャドウ コピー セット ID: {7f812a7d-4ad0-4a24-8c7b-c5b20649e1cd} の内容
1 個のシャドウ コピー、作成時刻: 2024/05/04 17:33:36
シャドウ コピー ID: {e3ff3feb-3ccc-4118-8f1a-ca09b55dc686}
元のボリューム: (C:)\\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\
シャドウ コピー ボリューム: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
元のコンピューター: mouse
サービス コンピューター: mouse
プロバイダー: 'Microsoft Software Shadow Copy provider 1.0'
種類: ClientAccessibleWriters
属性: 恒久, クライアント アクセス可能, 自動リリースなし, 差分, 自動回復
シャドウ コピー セット ID: {bc538b53-b2bf-4dd0-8182-dcb42f1fed6a} の内容
1 個のシャドウ コピー、作成時刻: 2024/05/10 15:52:58
シャドウ コピー ID: {8cfe7010-b6da-4c51-ac35-6f7b209806b7}
元のボリューム: (C:)\\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\
シャドウ コピー ボリューム: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9
元のコンピューター: mouse
サービス コンピューター: mouse
プロバイダー: 'Microsoft Software Shadow Copy provider 1.0'
種類: ClientAccessibleWriters
属性: 恒久, クライアント アクセス可能, 自動リリースなし, 差分, 自動回復
from hayabusa.
20240411 MTG memo:
- Do it via COM, or execute the command directly...
- Would a separate script be OK?
- High chance it will be slow
- Reference implementation
- When calling vssadmin or COM directly from Hayabusa
- There will likely be many points to check for differences across Client/Server/Locale/PowerShell/Terminal/Cmd
from hayabusa.
@fukusuket I think I found a better way to do this than COM. We can query the information through WMI!
All we need to do is get the VolumeName information. In my test Win VM, I first created a snapshot with wmic shadowcopy call create Volume=C:\
then you can query the volume shadow information with the following PowerShell:
$shadowCopies = Get-WmiObject -Namespace "Root\cimv2" -Class "Win32_ShadowCopy"
foreach ($shadow in $shadowCopies) {
    Write-Output "Volume Name: $($shadow.VolumeName)"
}
This crate can query WMI and thankfully seems to be maintained: https://github.com/ohadravid/wmi-rs
Since it is WMI, I do not think the query will change depending on the Windows version.
from hayabusa.
@fukusuket Great! Thanks!
Here is a reference that may help you:
https://github.com/trickster0/OffensiveRust/blob/master/wmi_execute/src/main.rs
from hayabusa.
The expected detection results were obtained as shown below.
-l option
hayabusa.exe csv-timeline -l -o main.csv -w -C -q
Start time: 2024/05/10 16:32
Total event log files: 356
Total file size: 209.3 MB
Loading detection rules. Please wait.
...
Deprecated rules: 208 (5.06%) (Disabled)
Experimental rules: 854 (20.79%)
Stable rules: 240 (5.84%)
Test rules: 3,014 (73.37%)
Unsupported rules: 45 (1.10%) (Disabled)
Hayabusa rules: 162
Sigma rules: 3,946
Total detection rules: 4,108
Creating the channel filter. Please wait.
Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 2,054
Results Summary:
Events with hits / Total events: 17,941 / 106,505 (Data reduction: 88,564 events (83.15%))
Total | Unique detections: 18,071 | 58
Total | Unique critical detections: 186 (1.03%) | 3 (0.00%)
Total | Unique high detections: 144 (0.80%) | 8 (43.10%)
Total | Unique medium detections: 319 (1.77%) | 11 (18.97%)
Total | Unique low detections: 15,802 (87.44%) | 11 (18.97%)
Total | Unique informational detections: 1,620 (8.96%) | 25 (13.79%)
volume shadow
hayabusa.exe csv-timeline -d \\?\Volume{1355c4a7-6b31-43a1-80f4-e35b98d9695f}\Windows\System32\winevt\Logs\ -q -o timeline-1.csv -C -w
Start time: 2024/05/10 16:34
Total event log files: 356
Total file size: 209.3 MB
Loading detection rules. Please wait.
...
Evtx files loaded after channel filter: 26
Detection rules enabled after channel filter: 2,054
Results Summary:
Events with hits / Total events: 17,941 / 106,507 (Data reduction: 88,566 events (83.16%))
Total | Unique detections: 18,071 | 58
Total | Unique critical detections: 186 (1.03%) | 3 (0.00%)
Total | Unique high detections: 144 (0.80%) | 8 (43.10%)
Total | Unique medium detections: 319 (1.77%) | 11 (18.97%)
Total | Unique low detections: 15,802 (87.44%) | 11 (18.97%)
Total | Unique informational detections: 1,620 (8.96%) | 25 (13.79%)
from hayabusa.
- `-l, --live-analysis` option is required
Yes, this is only possible with live analysis so we should require this.
- If `--scan-vss-backups` specified, then scan volume shadow in addition to `C:\Windows\System32\winevt\Logs\`
Yes!
- If there are multiple volume shadows（元のボリューム）, scan all of them（or is it a specification that only one exists?)
There can be multiple volume shadows so I would like to scan them all. Note: There will probably be many duplicate events so users should probably also specify `-X, --remove-duplicate-detections`. The problem will be if users want to use low memory mode because it is live analysis, then they won't be able to specify `-X`. We can handle this after the scan with the `sort` command that also deletes duplicate events.
- Add `--scan-vss-backups` in `General Options` (Therefore, it can be used with the following command)
`General Options` is a good place for it.
`computer-metrics`/`eid-metrics`/`logon-summary`/`pivot-keywords-list`/`search`/`csv-timeline`/`json-timeline`
I was only thinking about `csv-timeline` and `json-timeline` but it might be useful for these other commands as well. The problem is there will be many duplicate events so I think it will mess up the results. Until we can support ignoring duplicate entries in the other commands then we should probably ignore them for now and just implement it in `csv-timeline` and `json-timeline`.
It would also be nice to see what volumes were found and their creation date.
Before:
Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110
Creating the channel filter. Please wait.
After:
Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110
No shadow copy volumes found.
Creating the channel filter. Please wait.
or
Hayabusa rules: 162
Sigma rules: 3,948
Total detection rules: 4,110
Shadow copy volumes found:
2024/05/09 13:15:39 : (C:)\\?\Volume{a005d58f-0000-0000-0000-100000000000}\ (HarddiskVolumeShadowCopy1)
2024/05/10 18:12:10 : (C:)\\?\Volume{3ea7e1a6-0976-4717-a681-53838c5bf39c}\ (HarddiskVolumeShadowCopy2)
Creating the channel filter. Please wait.
I am guessing that extracting this information should be done before creating the channel filter but if there is a better place/time to do it then please change it to where ever you think is good.
I believe `Original Volume` is the same as the C: drive.
I think we should use シャドウ コピー ID: {8cfe7010-b6da-4c51-ac35-6f7b209806b7} to scan the backup files.
シャドウ コピー セット ID: {bc538b53-b2bf-4dd0-8182-dcb42f1fed6a} is used as an ID for a set of copies if multiple snapshots were taken at the same time.
from hayabusa.
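Added example, not hayabusa's code and not from the thread: once the Win32_ShadowCopy rows have been fetched (for instance with the wmi-rs query shown earlier, on Windows), what remains is turning each row's InstallDate (a CIM_DATETIME string), VolumeName and DeviceObject into the "Shadow copy volumes found:" banner proposed above and into the `-d` path for that snapshot. The `ShadowCopyRow` struct, the drive-letter map and the sample GUIDs are constructed for this example so that it runs on any OS.

```rust
use std::collections::HashMap;
/// One row of `SELECT * FROM Win32_ShadowCopy`, reduced to the string properties used
/// here. On Windows they would come from the wmi-rs `raw_query` shown in the thread;
/// plain strings are used so this example runs on any OS.
#[derive(Debug, Clone)]
pub struct ShadowCopyRow {
    pub id: String,            // Win32_ShadowCopy.ID (the "shadow copy ID")
    pub volume_name: String,   // Win32_ShadowCopy.VolumeName (original volume)
    pub device_object: String, // Win32_ShadowCopy.DeviceObject
    pub install_date: String,  // Win32_ShadowCopy.InstallDate (CIM_DATETIME)
}
/// "20240509131539.000000+540" -> "2024/05/09 13:15:39" (CIM_DATETIME prefix only).
pub fn cim_datetime_to_display(cim: &str) -> Option<String> {
    let d = cim.get(0..14)?;
    if !d.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    Some(format!("{}/{}/{} {}:{}:{}",
        &d[0..4], &d[4..6], &d[6..8], &d[8..10], &d[10..12], &d[12..14]))
}
/// "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1" -> "HarddiskVolumeShadowCopy1".
pub fn device_short_name(device_object: &str) -> &str {
    device_object.rsplit('\\').next().unwrap_or(device_object)
}
/// Event log directory inside the snapshot, usable as hayabusa's `-d` target.
pub fn winevt_logs_path(device_object: &str) -> String {
    format!("{}\\Windows\\System32\\winevt\\Logs", device_object)
}
/// Renders the "Shadow copy volumes found:" banner proposed in the thread. `drive_letters`
/// maps a volume GUID path to its letter (assumption: on Windows this would be built from
/// Win32_Volume's DeviceID and DriveLetter properties).
pub fn shadow_copy_banner(rows: &[ShadowCopyRow], drive_letters: &HashMap<String, String>) -> Vec<String> {
    if rows.is_empty() {
        return vec!["No shadow copy volumes found.".to_string()];
    }
    let mut lines = vec!["Shadow copy volumes found:".to_string()];
    for r in rows {
        let when = cim_datetime_to_display(&r.install_date).unwrap_or_else(|| "unknown time".to_string());
        let letter = drive_letters.get(&r.volume_name).map(String::as_str).unwrap_or("?");
        lines.push(format!("{} : ({}){} ({})", when, letter, r.volume_name, device_short_name(&r.device_object)));
    }
    lines
}
/// Constructed sample rows; the GUIDs reuse values shown in the thread.
pub fn sample_rows() -> Vec<ShadowCopyRow> {
    let vol = r"\\?\Volume{a005d58f-0000-0000-0000-100000000000}\".to_string();
    let row = |id: &str, n: u32, date: &str| ShadowCopyRow {
        id: id.to_string(),
        volume_name: vol.clone(),
        device_object: format!(r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{}", n),
        install_date: date.to_string(),
    };
    vec![row("{e3ff3feb-3ccc-4118-8f1a-ca09b55dc686}", 1, "20240509131539.000000+540"),
         row("{8cfe7010-b6da-4c51-ac35-6f7b209806b7}", 2, "20240510181210.000000+540")]
}
/// Constructed drive-letter map for the sample volume.
pub fn sample_drive_letters() -> HashMap<String, String> {
    HashMap::from([(sample_rows()[0].volume_name.clone(), "C:".to_string())])
}
fn main() {
    for line in shadow_copy_banner(&sample_rows(), &sample_drive_letters()) {
        println!("{}", line);
    }
    for r in sample_rows() {
        println!("scan {} via -d {}", r.id, winevt_logs_path(&r.device_object));
    }
}
```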
@fukusuket Ah, that is my mistake. I was using the original volume ID of the C: thinking it was the snapshot. It doesn't work for me directly on the command line. Only if the C: volume ID is used. I think we can do this by mounting the snapshot to a folder. (I don't want to add another volume to mount if possible).
mklink /d c:\Tools\hayabusa-2.15.0-win-x64\volumeshadowcopytest \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
.\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d c:\Tools\hayabusa-2.15.0-win-x64\volumeshadowcopytest
seems to work... however, unfortunately it gives these errors:
[00:00:00] 285 / 363 โ [===============================> ] 79%
"volumeshadowcopytest/Windows/System32/winevt/Logs/Microsoft-Windows-TCPIP%4Operational.evtx" An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
An error occurred while trying to read input.
When I tried to open the backed up `Security.evtx` from Event Viewer, it gives the error: This media is write protected
If i copy out the files to a different directory then it works but trying to make copies of all the evtx files for live analysis is not ideal as evidence may be overwritten..
When I just `type` a text file inside the mounted folder, it outputs without any error so maybe Hayabusa is not specifying that it is trying to open the file in read-only mode?
By default, it should open the file in read-only mode so I don't know why this would be the case though..
https://doc.rust-lang.org/rust-by-example/std_misc/file/open.html
Do you know if it is possible to add the reason for why the error happened like in the link above?
Right now we just get `An error occurred while trying to read input.` which is too vague.
Could you check the code to see if Hayabusa is explicitly trying to open the .evtx files in read-only mode?
from hayabusa.
I tried the wevtutil command and got the following result:
C:\tmp\hayabusa-2.15.0-win-x64\volumeshadowcopytest>wevtutil qe "C:\tmp\hayabusa-2.15.0-win-x64\volumeshadowcopytest\Windows\System32\winevt\Logs\Application.evtx" /lf:true /f:text
イベント ログ ファイルが壊れています。
イベント クエリを開けませんでした。
イベント ログ ファイルが壊れています。
from hayabusa.
@YamatoSecurity
I tried copying it and got the same error :(
I also checked other files (normal text, python script, exe... etc.) and found that sometimes there are files that are partially filled with NULL characters, and this seems to be the cause of the corruption...
from hayabusa.
@YamatoSecurity
In my environment, most files could not be read by hayabusa, regardless of robocopy or not.
Therefore, copying does not seem to solve this problem. I think it will be difficult to implement unless we find a procedure that allows the files to be completely restored.
-l option
Results Summary:
Events with hits / Total events: 26,026 / 236,081 (Data reduction: 210,055 events (88.98%))
Total | Unique detections: 26,156 | 59
Total | Unique critical detections: 190 (0.73%) | 3 (0.00%)
Total | Unique high detections: 144 (0.55%) | 8 (42.37%)
Total | Unique medium detections: 328 (1.25%) | 11 (20.34%)
Total | Unique low detections: 23,684 (90.55%) | 12 (18.64%)
Total | Unique informational detections: 1,810 (6.92%) | 25 (13.56%)
Dates with most total detections:
critical: 2024-04-27 (38), high: 2024-01-26 (22), medium: 2023-10-12 (48), low: 2024-05-03 (4,279), informational: 2024-05-11 (158)
Top 5 computers with most unique detections:
critical: mouse (3)
high: mouse (7), DESKTOP-CNG7416 (1)
medium: mouse (10), MyComputer (2)
low: mouse (12), DESKTOP-CNG7416 (1)
informational: mouse (25), DESKTOP-CNG7416 (7), MyComputer (1), DESKTOP-9HFNL0J (1)
Top critical alerts:
Defender Alert (Severe) (186)
Antivirus Password Dumper Detection (3)
Antivirus Exploitation Framework Detection (1)
Top high alerts:
Antivirus Relevant File Paths Alerts (106)
Microsoft Defender Blocked from Loading Unsigned DLL (24)
Antivirus Hacktool Detection (4)
Microsoft Defender Tamper Protection Trigger (4)
Defender Alert (High) (2)
Top medium alerts:
Potentially Malicious PwSh (229)
Uncommon PowerShell Hosts (28)
Suspicious Non PowerShell WSMAN COM Provider (24)
Uncommon AppX Package Locations (15)
BITS Transfer Job With Uncommon Or Suspicious Remote TLD (14)
Top low alerts:
Credential Manager Enumerated (22,908)
Credential Manager Accessed (367)
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (322)
Volume Shadow Copy Mount (49)
Application Uninstalled (20)
Top informational alerts:
Svc Installed (248)
Bits Job Created (218)
PwSh Engine Started (185)
WMI Provider Started (183)
RDS Sess Logon (141)
RDS Sess Logoff (138)
RDS Sess Disconnect (86)
Logoff (66)
Device Conn (64)
Event Log Svc Started (62)
copy by explorer
Results Summary:
Events with hits / Total events: 117 / 1,390 (Data reduction: 1,273 events (91.58%))
Total | Unique detections: 118 | 4
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (50.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (50.00%)
Total | Unique low detections: 116 (98.31%) | 2 (0.00%)
Total | Unique informational detections: 2 (1.69%) | 2 (0.00%)
Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: 2024-04-27 (116), informational: 2024-03-30 (2)
Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: mouse (2)
informational: mouse (2)
Top critical alerts: n/a
Top high alerts: n/a
Top medium alerts: n/a
Top low alerts:
Credential Manager Enumerated (115)
Credential Manager Accessed (1)
Top informational alerts:
RDP Conn Attempt (1)
RDP Attempt (1)
copy by robocopy
Results Summary:
Events with hits / Total events: 117 / 1,390 (Data reduction: 1,273 events (91.58%))
Total | Unique detections: 118 | 4
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (50.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (50.00%)
Total | Unique low detections: 116 (98.31%) | 2 (0.00%)
Total | Unique informational detections: 2 (1.69%) | 2 (0.00%)
Dates with most total detections:
critical: n/a, high: n/a, medium: n/a, low: 2024-04-27 (116), informational: 2024-03-30 (2)
Top 5 computers with most unique detections:
critical: n/a
high: n/a
medium: n/a
low: mouse (2)
informational: mouse (2)
Top critical alerts: n/a
Top high alerts: n/a
Top medium alerts: n/a
Top low alerts:
Credential Manager Enumerated (115)
Credential Manager Accessed (1)
Top informational alerts:
RDP Conn Attempt (1)
RDP Attempt (1)
from hayabusa.
Is it correct to say that this function is available only on Windows because it uses Windows API commands?
It is unclear from where to what point hayabusa should respond.
I think it is too much to ask Hayabusa to do everything from vssadmin list shadow, which requires administrator privileges, but how about supporting it with another script?
from hayabusa.
Yes, this functionality would only be possible if the user specifies `-l, --live-analysis` on a Windows machine with local Administrator privileges. Here is a link to some C++ source code that might help us out:
https://github.com/albertony/vss?tab=readme-ov-file#vshadow-source-code
https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/winbase/vss/vshadow/query.cpp
It does require some COM programming and may be different for Win 7 versus more recent versions of Windows. So it would probably be easier just to call `vssadmin` and parse the output..
from hayabusa.
I think the following specifications. What do you think?
- `-l, --live-analysis` option is required
- If `--scan-vss-backups` specified, then scan volume shadow in addition to `C:\Windows\System32\winevt\Logs\`
- If there are multiple volume shadows（元のボリューム）, scan all of them（or is it a specification that only one exists?)
- Add `--scan-vss-backups` in `General Options` (Therefore, it can be used with the following commands: `computer-metrics`/`eid-metrics`/`logon-summary`/`pivot-keywords-list`/`search`/`csv-timeline`/`json-timeline`)
If I have misunderstood the specifications, please let me know!
from hayabusa.
I have one more question!
If the original volume is specified, does it mean scanning from the backup file? (not from the current evtx)
from hayabusa.
@YamatoSecurity
Thank you for the comment! I see!
I think we should use シャドウ コピー ID: {8cfe7010-b6da-4c51-ac35-6f7b209806b7} to scan the backup files.
I tried シャドウ コピー ID, but I couldn't scan it with hayabusa ... :( (`[ERROR] No .evtx files were found.`)
Is there a way to scan by シャドウ コピー ID?
from hayabusa.
Could you check the code to see if Hayabusa is explicitly trying to open the .evtx files in read-only mode?
The file is opened in the following code, and it is already read-only.
https://github.com/Yamato-Security/hayabusa-evtx/blob/main/src/evtx_parser.rs#L273
Also, in my environment, when I opened the mounted folder's evtx in Event Viewer after `mklink`, I got an error saying that the file was corrupted... :( Therefore, even after running `mklink`, there may still be missing information to restore the file...?
from hayabusa.
@fukusuket Humm.. if you copy the file to a different directory and then scan it, does it work?
from hayabusa.
I got it to work with copying with `robocopy`:
robocopy c:\test\Windows\System32\winevt\Logs c:\testlogs
.\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d c:\testlogs
Can you test if it works with copying with robocopy?
from hayabusa.
Memo: I can run Hayabusa against the volume shadow backup with `.\hayabusa-2.15.0-win-x64.exe csv-timeline -w -d \\.\HarddiskVolumeShadowCopy2\Windows\System32\winevt\Logs` without having to make a link first.
Unfortunately, I still get the file read errors. I am guessing that it is because the files only contain the block-level differential data which corrupts them unless they are copied out..
from hayabusa.
So I copied out the `Security.evtx` file to the temp directory and the hashes don't match up, so I am guessing that directly accessing the files is only good for metadata analysis and that it is necessary to copy out the files to check the content. Although I haven't read any article that talks about this and it is weird that you still can't read the file when you copy it out (but it works for me..)
While not ideal, one possibility would be to copy files out one at a time to a temp directory, scan the file, delete it, then copy another file, etc... which at least would be better than copying the entire directory (although not as easy to implement...)
from hayabusa.
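Added example, not hayabusa's code: the copy-one-at-a-time approach from the comment above, combined with a read-only header check that reports the path and the io reason (rather than a bare "An error occurred while trying to read input") and flags the NUL-filled files described earlier in the thread. `check_evtx_header`, `triage_one_at_a_time` and the sample directory are constructed for this example; only the EVTX file signature `ElfFile\0` is a real format constant.

```rust
use std::fs::{self, File};
use std::io::{self, Read};
use std::path::{Path, PathBuf};

/// Signature at offset 0 of every EVTX file header.
const EVTX_FILE_MAGIC: &[u8; 8] = b"ElfFile\0";

/// Outcome of the header check on one file copied out of the snapshot.
#[derive(Debug, PartialEq)]
pub enum EvtxCheck { Ok, TooShort(usize), AllZero, BadMagic([u8; 8]) }

/// Opens `path` read-only (File::open never asks for write access) and inspects only the
/// first 4096-byte header block. Errors name the file and carry the io reason and kind.
pub fn check_evtx_header(path: &Path) -> Result<EvtxCheck, String> {
    let mut f = File::open(path)
        .map_err(|e| format!("{}: cannot open for reading: {} ({:?})", path.display(), e, e.kind()))?;
    let mut head = vec![0u8; 4096];
    let n = f.read(&mut head).map_err(|e| format!("{}: read failed: {}", path.display(), e))?;
    if n < 8 { return Ok(EvtxCheck::TooShort(n)); }
    // The NUL-filled files seen in the thread look like this: no header at all.
    if head[..n].iter().all(|&b| b == 0) { return Ok(EvtxCheck::AllZero); }
    let mut magic = [0u8; 8];
    magic.copy_from_slice(&head[..8]);
    if &magic != EVTX_FILE_MAGIC { return Ok(EvtxCheck::BadMagic(magic)); }
    Ok(EvtxCheck::Ok)
}

/// Copies the .evtx files out of `src_dir` one at a time into `work_dir`, checks each copy
/// (this is where the real scan would run) and deletes it before the next one, so only one
/// file's worth of extra disk is ever used on the live system. Results are sorted by name.
pub fn triage_one_at_a_time(src_dir: &Path, work_dir: &Path)
    -> io::Result<Vec<(String, Result<EvtxCheck, String>)>> {
    fs::create_dir_all(work_dir)?;
    let mut out = Vec::new();
    for entry in fs::read_dir(src_dir)? {
        let src = entry?.path();
        if !src.extension().map_or(false, |e| e.eq_ignore_ascii_case("evtx")) { continue; }
        let name = src.file_name().unwrap().to_string_lossy().into_owned();
        let tmp: PathBuf = work_dir.join(&name);
        let result = match fs::copy(&src, &tmp) {
            Ok(_) => check_evtx_header(&tmp),
            Err(e) => Err(format!("{}: copy failed: {}", src.display(), e)),
        };
        let _ = fs::remove_file(&tmp); // the copy is gone before the next file is pulled
        out.push((name, result));
    }
    out.sort_by(|a, b| a.0.cmp(&b.0));
    Ok(out)
}

/// Constructed sample "snapshot" directory: one healthy header, one NUL-filled file.
pub fn make_sample_dir() -> io::Result<PathBuf> {
    let dir = std::env::temp_dir().join(format!("vss-triage-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let mut good = EVTX_FILE_MAGIC.to_vec();
    good.resize(4096, 0xAA);
    fs::write(dir.join("Security.evtx"), good)?;
    fs::write(dir.join("Application.evtx"), vec![0u8; 4096])?;
    Ok(dir)
}

fn main() -> io::Result<()> {
    let src = make_sample_dir()?;
    for (name, res) in triage_one_at_a_time(&src, &src.join("work"))? {
        println!("{}: {:?}", name, res);
    }
    Ok(())
}
```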