fukusuke@fukusukenoMacBook-Air hayabusa-2.14.0-mac-arm % ./hayabusa-2.14.0-mac-aarch64 csv-timeline -d ../all-evtx -w -D -n -u -C -q -o timeline.csv --debug -s

Start time: 2024/10/12 13:00

Total event log files: 2,239
Total file size: 8.8 GB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 204 (4.68%)
Experimental rules: 1,020 (23.42%)
Stable rules: 251 (5.76%)
Test rules: 2,836 (65.11%)
Unsupported rules: 45 (1.03%)

Hayabusa rules: 174
Sigma rules: 4,182
Total enabled detection rules: 4,356

Output profile: standard

Scanning in progress. Please wait.

[00:10:22] 2,239 / 2,239 [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (92)                  Nasreddine Bencherchali (63)      frack113 (59)                     Florian Roth (38)                │
│ oscd.community (37)               Tim Shelton (15)                  Daniil Yugoslavskiy (12)          Roberto Rodriguez (11)           │
│ Roberto Rodriguez @Cyb3r... (11)  Timur Zinniatullin (10)           OTR (9)                           Victor Sergeev (8)               │
│ Jonhnathan Ribeiro (6)            Gleb Sukhodolskiy (6)             KarneadesMarkus Neis (4)          Jakob Weinzettl (4)              │
│ juju4 (4)                         Bhabesh Raj (4)                   Ján Trenčanský (3)                Sander Wiebing (3)               │
│ Wietze Beukema (3)                SOC Prime (3)                     Markus Neis (3)                   Thomas Patzke (3)                │
│ Michael Haag (3)                  Teymur Kheirkhabarov (3)          Alexandr Yampolskyi (3)           Patrick Bareiss (2)              │
│ Christopher Peacock @sec... (2)   Dimitrios Slamaris (2)            Aleksey Potapov (2)               Oddvar Moe (2)                   │
│ James Pemberton@4A616D65... (2)   Sreeman (2)                       Mark Woan (2)                     Anton Kutepov (2)                │
│ Center for Threat Inform... (2)   Mark Russinovich (2)              Endgame (2)                       @gott_cyber (2)                  │
│ JHasenbusch (2)                   Fukusuke Takahashi (2)            Sherif Eldeeb (2)                 Swachchhanda Shrawan Poudel (2)  │
│ SCYTHE @scythe_io (2)             Samir Bousseaden (1)              Janantha Marasinghe (1)           Matthew Green @mgreen27 (1)      │
│ Ecco (1)                          Luc Génaux (1)                    Andreas Hunkeler (1)              D3F7A5105 (1)                    │
│ Connor Martin (1)                 Stephen Lincoln @slincol... (1)   Harish Segar (1)                  Eric Conrad (1)                  │
│ xorxes (1)                        Zach Stanford @svch0st (1)        pH-T (1)                          Thurein Oo (1)                   │
│ Tim Rauch (1)                     FPT.EagleEye (1)                  @neu5ron (1)                      Open Threat Research (1)         │
│ Cybex (1)                         Tom Kern (1)                      AlertIQ (1)                       X__Junior (1)                    │
│ Elastic (1)                       Anish Bogati (1)                  Cédric Hien (1)                   James Pemberton @4A616D6573 (1)  │
│ @redcanary (1)                    Timur Zinniatullin oscd.... (1)   Yusuke Matsui (1)                 Joshua Wright (1)                │
│ Maxime Thiebaut (1)               Perez Diego (1)                   xknow (1)                         @0xrawsec (1)                    │
│ Dmitry Uchakin (1)                James Dickenson (1)               Natalia Shornikova (1)            Max Altgelt (1)                  │
│ mdecrevoisier (1)                 Michael R. (1)                                                                                       │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,969,042 / 6,611,184 (Data reduction: 642,142 events (9.71%))

Total | Unique detections: 6,108,111 | 309
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.65%)
Total | Unique medium detections: 39,121 (0.64%) | 113 (28.48%)
Total | Unique low detections: 1,704,933 (27.91%) | 88 (36.57%)
Total | Unique informational detections: 4,345,752 (71.15%) | 70 (12.30%)

Dates with most total detections:
critical: n/a, high: 2023-11-06 (5,574), medium: 2023-11-06 (18,594), low: 2022-09-18 (915,410), informational: 2022-03-02 (1,231,211)

Top 5 computers with most unique detections:
critical: n/a
high: WinDev2310Eval (24), DESKTOP-6D0DBMB (10), Agamemnon (10), DESKTOP-A8CALR3 (9), evtx-PC (7)
medium: WinDev2310Eval (83), Agamemnon (38), DESKTOP-A8CALR3 (24), DESKTOP-6D0DBMB (23), evtx-PC (16)
low: WinDev2310Eval (57), DESKTOP-6D0DBMB (40), Agamemnon (34), DESKTOP-A8CALR3 (33), evtx-PC (23)
informational: WinDev2310Eval (49), DESKTOP-6D0DBMB (48), DESKTOP-A8CALR3 (47), WIN-TKC15D7KHUR (43), Agamemnon (40)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                                Top high alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                 File Creation Date Changed to Another Year (15,884)            │
│ n/a                                                                 Windows Shell/Scripting Application File Write to Sus... (991) │
│ n/a                                                                 EVTX Created In Uncommon Location (986)                         │
│ n/a                                                                 Mimikatz Detection LSASS Access (131)                           │
│ n/a                                                                 Proc Exec (Non-Exe Filetype) (60)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                                  Top low alerts:                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (12,311)                                            Proc Access (1,613,391)                                         │
│ Process Ran With High Privilege (7,673)                             Possible Timestomping (71,065)                                  │
│ Potential Credential Dumping Activity Via LSASS (6,135)             Scheduled Task Created - Registry (8,185)                       │
│ Autorun Keys Modification (3,606)                                   Shell Context Menu Command Tampering (4,283)                    │
│ LSASS Access From Program In Potentially Suspicious F... (2,396)    Suspicious In-Memory Module Execution (2,878)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                           │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Reg Key Create/Delete (Noisy) (1,714,224)                           Pipe Conn (39,460)                                              │
│ Reg Key Value Set (Noisy) (1,151,506)                               Proc Exec (23,695)                                              │
│ DLL Loaded (Noisy) (727,396)                                        Proc Terminated (14,674)                                        │
│ File Created (542,438)                                              Net Conn (14,234)                                               │
│ File Deleted (94,703)                                               Pipe Created (10,602)                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.csv (4.2 GB)

Elapsed time: 00:10:23.1742

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

Errors were generated. Please check ./logs/errorlog-20241012_131108.log for details.

Rule Parse Processing Time: 00:00:01.908
Analysis Processing Time: 00:10:22.677
Output Processing Time: 00:00:00.111

Memory usage stats:
heap stats:     peak       total      freed    current     unit      count
  reserved:    2.0 GiB    2.0 GiB          0    2.0 GiB
 committed:    1.0 GiB    2.0 GiB  688.4 GiB -686.4 GiB                     ok
     reset:          0
    purged:   57.3 GiB
   touched:  128.5 KiB   42.8 MiB  130.2 GiB -130.2 GiB                     ok
  segments:         26        685        671         14                     not all freed!
-abandoned:          1          1          0          1                     not all freed!
   -cached:          0          0          0          0                     ok
     pages:          0          0     1.2 Mi    -1.2 Mi                     ok
-abandoned:          5          5          0          5                     not all freed!
 -extended:          0
 -noretire:          0
     mmaps:          0
   commits:          0
    resets:          0
    purges:    24.6 Ki
   threads:         17         17          1         16                     not all freed!
  searches:    0.0 avg
numa nodes:          1
   elapsed:  624.765 s
   process: user: 3912.202 s, system: 49.064 s, faults: 295, rss: 1.4 GiB, commit: 1.0 GiB

fukusuke@fukusukenoMacBook-Air hayabusa-2.15.0-mac-arm % ./hayabusa-2.15.0-mac-aarch64 csv-timeline -d ../all-evtx -w -D -n -u -C -q -o timeline.csv --debug -s

Start time: 2024/10/12 12:24

Total event log files: 2,239
Total file size: 8.8 GB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 204 (4.68%)
Experimental rules: 1,020 (23.42%)
Stable rules: 251 (5.76%)
Test rules: 2,836 (65.11%)
Unsupported rules: 45 (1.03%)

Hayabusa rules: 174
Sigma rules: 4,182
Total enabled detection rules: 4,356

Output profile: standard

Scanning in progress. Please wait.

[00:09:23] 2,239 / 2,239 [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (92)                  Nasreddine Bencherchali (63)      frack113 (59)                     Florian Roth (38)                │
│ oscd.community (37)               Tim Shelton (15)                  Daniil Yugoslavskiy (12)          Roberto Rodriguez (11)           │
│ Roberto Rodriguez @Cyb3r... (11)  Timur Zinniatullin (10)           OTR (9)                           Victor Sergeev (8)               │
│ Jonhnathan Ribeiro (6)            Gleb Sukhodolskiy (6)             KarneadesMarkus Neis (4)          Jakob Weinzettl (4)              │
│ juju4 (4)                         Bhabesh Raj (4)                   Ján Trenčanský (3)                Sander Wiebing (3)               │
│ Wietze Beukema (3)                SOC Prime (3)                     Markus Neis (3)                   Thomas Patzke (3)                │
│ Michael Haag (3)                  Teymur Kheirkhabarov (3)          Alexandr Yampolskyi (3)           Patrick Bareiss (2)              │
│ Christopher Peacock @sec... (2)   Dimitrios Slamaris (2)            Aleksey Potapov (2)               Oddvar Moe (2)                   │
│ James Pemberton@4A616D65... (2)   Sreeman (2)                       Mark Woan (2)                     Anton Kutepov (2)                │
│ Center for Threat Inform... (2)   Mark Russinovich (2)              Endgame (2)                       @gott_cyber (2)                  │
│ JHasenbusch (2)                   Fukusuke Takahashi (2)            Sherif Eldeeb (2)                 Swachchhanda Shrawan Poudel (2)  │
│ SCYTHE @scythe_io (2)             Samir Bousseaden (1)              Janantha Marasinghe (1)           Matthew Green @mgreen27 (1)      │
│ Ecco (1)                          Luc Génaux (1)                    Andreas Hunkeler (1)              D3F7A5105 (1)                    │
│ Connor Martin (1)                 Stephen Lincoln @slincol... (1)   Harish Segar (1)                  Eric Conrad (1)                  │
│ xorxes (1)                        Zach Stanford @svch0st (1)        pH-T (1)                          Thurein Oo (1)                   │
│ Tim Rauch (1)                     FPT.EagleEye (1)                  @neu5ron (1)                      Open Threat Research (1)         │
│ Cybex (1)                         Tom Kern (1)                      AlertIQ (1)                       X__Junior (1)                    │
│ Elastic (1)                       Anish Bogati (1)                  Cédric Hien (1)                   James Pemberton @4A616D6573 (1)  │
│ @redcanary (1)                    Timur Zinniatullin oscd.... (1)   Yusuke Matsui (1)                 Joshua Wright (1)                │
│ Maxime Thiebaut (1)               Perez Diego (1)                   xknow (1)                         @0xrawsec (1)                    │
│ Dmitry Uchakin (1)                James Dickenson (1)               Natalia Shornikova (1)            Max Altgelt (1)                  │
│ mdecrevoisier (1)                 Michael R. (1)                                                                                       │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,969,042 / 6,611,184 (Data reduction: 642,142 events (9.71%))

Total | Unique detections: 6,108,111 | 309
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.65%)
Total | Unique medium detections: 39,121 (0.64%) | 113 (28.48%)
Total | Unique low detections: 1,704,933 (27.91%) | 88 (36.57%)
Total | Unique informational detections: 4,345,752 (71.15%) | 70 (12.30%)

Dates with most total detections:
critical: n/a, high: 2023-11-06 (5,574), medium: 2023-11-06 (18,594), low: 2022-09-18 (915,410), informational: 2022-03-02 (1,231,211)

Top 5 computers with most unique detections:
critical: n/a
high: WinDev2310Eval (24), DESKTOP-6D0DBMB (10), Agamemnon (10), DESKTOP-A8CALR3 (9), evtx-PC (7)
medium: WinDev2310Eval (83), Agamemnon (38), DESKTOP-A8CALR3 (24), DESKTOP-6D0DBMB (23), evtx-PC (16)
low: WinDev2310Eval (57), DESKTOP-6D0DBMB (40), Agamemnon (34), DESKTOP-A8CALR3 (33), evtx-PC (23)
informational: WinDev2310Eval (49), DESKTOP-6D0DBMB (48), DESKTOP-A8CALR3 (47), WIN-TKC15D7KHUR (43), Agamemnon (40)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                                Top high alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                 File Creation Date Changed to Another Year (15,884)            │
│ n/a                                                                 Windows Shell/Scripting Application File Write to Sus... (991) │
│ n/a                                                                 EVTX Created In Uncommon Location (986)                         │
│ n/a                                                                 Mimikatz Detection LSASS Access (131)                           │
│ n/a                                                                 Proc Exec (Non-Exe Filetype) (60)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                                  Top low alerts:                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (12,311)                                            Proc Access (1,613,391)                                         │
│ Process Ran With High Privilege (7,673)                             Possible Timestomping (71,065)                                  │
│ Potential Credential Dumping Activity Via LSASS (6,135)             Scheduled Task Created - Registry (8,185)                       │
│ Autorun Keys Modification (3,606)                                   Shell Context Menu Command Tampering (4,283)                    │
│ LSASS Access From Program In Potentially Suspicious F... (2,396)    Suspicious In-Memory Module Execution (2,878)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                           │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Reg Key Create/Delete (Noisy) (1,714,224)                           Pipe Conn (39,460)                                              │
│ Reg Key Value Set (Noisy) (1,151,506)                               Proc Exec (23,695)                                              │
│ DLL Loaded (Noisy) (727,396)                                        Proc Terminated (14,674)                                        │
│ File Created (542,438)                                              Net Conn (14,234)                                               │
│ File Deleted (94,703)                                               Pipe Created (10,602)                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.csv (4.2 GB)

Elapsed time: 00:09:24.758

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

Errors were generated. Please check ./logs/errorlog-20241012_123330.log for details.

Rule Parse Processing Time: 00:00:01.503
Analysis Processing Time: 00:09:23.096
Output Processing Time: 00:00:00.112

Memory usage stats:
heap stats:     peak       total      freed    current     unit      count
  reserved:    3.0 GiB    3.0 GiB          0    3.0 GiB
 committed:    1.0 GiB    3.0 GiB  876.2 GiB -873.2 GiB                     ok
     reset:          0
    purged:   51.4 GiB
   touched:  128.5 KiB   45.6 MiB  130.4 GiB -130.3 GiB                     ok
  segments:         27        731        715         16                     not all freed!
-abandoned:          1          1          0          1                     not all freed!
   -cached:          0          0          0          0                     ok
     pages:          0          0     1.2 Mi    -1.2 Mi                     ok
-abandoned:          2          2          0          2                     not all freed!
 -extended:          0
 -noretire:          0
     mmaps:          0
   commits:          0
    resets:          0
    purges:    24.8 Ki
   threads:         17         17          1         16                     not all freed!
  searches:    0.0 avg
numa nodes:          1
   elapsed:  564.824 s
   process: user: 3478.809 s, system: 46.038 s, faults: 53, rss: 1.5 GiB, commit: 1.0 GiB

fukusuke@fukusukenoMacBook-Air hayabusa-2.16.0-mac-arm % ./hayabusa-2.16.0-mac-aarch64 csv-timeline -d ../all-evtx -w -D -n -u -C -q -o timeline.csv --debug -s

Start time: 2024/10/12 12:35

Total event log files: 2,239
Total file size: 8.8 GB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 204 (4.68%)
Experimental rules: 1,020 (23.42%)
Stable rules: 251 (5.76%)
Test rules: 2,836 (65.11%)
Unsupported rules: 45 (1.03%)

Hayabusa rules: 174
Sigma rules: 4,182
Total detection rules: 4,356

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 145
Detection rules enabled after channel filter: 4,322

Output profile: standard

Scanning in progress. Please wait.

[00:09:14] 145 / 145 [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (88)                  Nasreddine Bencherchali (63)      frack113 (59)                     Florian Roth (38)                │
│ oscd.community (37)               Tim Shelton (15)                  Daniil Yugoslavskiy (12)          Roberto Rodriguez (11)           │
│ Roberto Rodriguez @Cyb3r... (11)  Timur Zinniatullin (10)           OTR (9)                           Victor Sergeev (8)               │
│ Jonhnathan Ribeiro (6)            Gleb Sukhodolskiy (6)             KarneadesMarkus Neis (4)          Jakob Weinzettl (4)              │
│ juju4 (4)                         Bhabesh Raj (4)                   Ján Trenčanský (3)                Sander Wiebing (3)               │
│ Wietze Beukema (3)                SOC Prime (3)                     Markus Neis (3)                   Thomas Patzke (3)                │
│ Michael Haag (3)                  Teymur Kheirkhabarov (3)          Alexandr Yampolskyi (3)           Patrick Bareiss (2)              │
│ Christopher Peacock @sec... (2)   Dimitrios Slamaris (2)            Aleksey Potapov (2)               Oddvar Moe (2)                   │
│ James Pemberton@4A616D65... (2)   Sreeman (2)                       Mark Woan (2)                     Anton Kutepov (2)                │
│ Center for Threat Inform... (2)   Mark Russinovich (2)              Endgame (2)                       @gott_cyber (2)                  │
│ JHasenbusch (2)                   Fukusuke Takahashi (2)            Sherif Eldeeb (2)                 Swachchhanda Shrawan Poudel (2)  │
│ SCYTHE @scythe_io (2)             Samir Bousseaden (1)              Janantha Marasinghe (1)           Matthew Green @mgreen27 (1)      │
│ Ecco (1)                          Luc Génaux (1)                    Andreas Hunkeler (1)              D3F7A5105 (1)                    │
│ Connor Martin (1)                 Stephen Lincoln @slincol... (1)   Harish Segar (1)                  Eric Conrad (1)                  │
│ xorxes (1)                        Zach Stanford @svch0st (1)        pH-T (1)                          Thurein Oo (1)                   │
│ Tim Rauch (1)                     FPT.EagleEye (1)                  @neu5ron (1)                      Open Threat Research (1)         │
│ Cybex (1)                         Tom Kern (1)                      AlertIQ (1)                       X__Junior (1)                    │
│ Elastic (1)                       Anish Bogati (1)                  Cédric Hien (1)                   James Pemberton @4A616D6573 (1)  │
│ @redcanary (1)                    Timur Zinniatullin oscd.... (1)   Yusuke Matsui (1)                 Joshua Wright (1)                │
│ Maxime Thiebaut (1)               Perez Diego (1)                   xknow (1)                         @0xrawsec (1)                    │
│ Dmitry Uchakin (1)                James Dickenson (1)               Natalia Shornikova (1)            Max Altgelt (1)                  │
│ mdecrevoisier (1)                 Michael R. (1)                                                                                       │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,968,477 / 6,463,018 (Data reduction: 494,541 events (7.65%))

Total | Unique detections: 6,107,529 | 305
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.30%)
Total | Unique medium detections: 38,786 (0.64%) | 111 (28.85%)
Total | Unique low detections: 1,704,933 (27.92%) | 88 (36.39%)
Total | Unique informational detections: 4,345,505 (71.15%) | 68 (12.46%)

Dates with most total detections:
critical: n/a, high: 2023-11-06 (5,574), medium: 2023-11-06 (18,594), low: 2022-09-18 (915,410), informational: 2022-03-02 (1,231,193)

Top 5 computers with most unique detections:
critical: n/a
high: WinDev2310Eval (24), DESKTOP-6D0DBMB (10), Agamemnon (10), DESKTOP-A8CALR3 (9), evtx-PC (7)
medium: WinDev2310Eval (83), Agamemnon (37), DESKTOP-A8CALR3 (22), DESKTOP-6D0DBMB (22), evtx-PC (16)
low: WinDev2310Eval (57), DESKTOP-6D0DBMB (40), Agamemnon (34), DESKTOP-A8CALR3 (33), evtx-PC (23)
informational: WinDev2310Eval (47), DESKTOP-A8CALR3 (47), DESKTOP-6D0DBMB (47), WIN-TKC15D7KHUR (43), WIN-FPV0DSIC9O6 (39)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                                Top high alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                 File Creation Date Changed to Another Year (15,884)            │
│ n/a                                                                 Windows Shell/Scripting Application File Write to Sus... (991) │
│ n/a                                                                 EVTX Created In Uncommon Location (986)                         │
│ n/a                                                                 Mimikatz Detection LSASS Access (131)                           │
│ n/a                                                                 Proc Exec (Non-Exe Filetype) (60)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                                  Top low alerts:                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (12,311)                                            Proc Access (1,613,391)                                         │
│ Process Ran With High Privilege (7,673)                             Possible Timestomping (71,065)                                  │
│ Potential Credential Dumping Activity Via LSASS (6,135)             Scheduled Task Created - Registry (8,185)                       │
│ Autorun Keys Modification (3,606)                                   Shell Context Menu Command Tampering (4,283)                    │
│ LSASS Access From Program In Potentially Suspicious F... (2,396)    Suspicious In-Memory Module Execution (2,878)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                           │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Reg Key Create/Delete (Noisy) (1,714,224)                           Pipe Conn (39,460)                                              │
│ Reg Key Value Set (Noisy) (1,151,506)                               Proc Exec (23,695)                                              │
│ DLL Loaded (Noisy) (727,396)                                        Proc Terminated (14,674)                                        │
│ File Created (542,438)                                              Net Conn (14,234)                                               │
│ File Deleted (94,703)                                               Pipe Created (10,602)                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.csv (4.2 GB)

Elapsed time: 00:09:17.1504

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

Errors were generated. Please check ./logs/errorlog-20241012_124513.log for details.

Rule Parse Processing Time: 00:00:01.749
Analysis Processing Time: 00:09:16.593
Output Processing Time: 00:00:00.111

Memory usage stats:
heap stats:     peak       total      freed    current     unit      count
  reserved:    5.2 GiB    5.3 GiB  384.0 MiB    5.0 GiB
 committed:    1.0 GiB    5.3 GiB  852.9 GiB -847.6 GiB                     ok
     reset:          0
    purged:   44.1 GiB
   touched:  128.5 KiB   35.9 MiB  112.3 GiB -112.2 GiB                     ok
  segments:         27        576        564         12                     not all freed
-abandoned:          1          1          1          0                     ok
   -cached:          0          0          0          0                     ok
     pages:          0          0     1.1 Mi    -1.1 Mi                     ok
-abandoned:          2          2          2          0                     ok
 -extended:          0
 -noretire:          0
    arenas:          5
-crossover:          0
 -rollback:          0
     mmaps:          0
   commits:          0
    resets:          0
    purges:    19.6 Ki
   threads:         17         17          1         16                     not all freed
  searches:    0.0 avg
numa nodes:          1
   elapsed:  558.527 s
   process: user: 3575.591 s, system: 51.176 s, faults: 309, rss: 1.5 GiB, commit: 1.0 GiB

fukusuke@fukusukenoMacBook-Air hayabusa-2.17.0-mac-arm % ./hayabusa-2.17.0-mac-aarch64 csv-timeline -d ../all-evtx -w -D -n -u -C -q -o timeline.csv --debug

Start time: 2024/10/12 12:49

Total event log files: 2,239
Total file size: 8.8 GB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 204 (4.68%)
Experimental rules: 1,020 (23.42%)
Stable rules: 251 (5.76%)
Test rules: 2,836 (65.11%)
Unsupported rules: 45 (1.03%)

Hayabusa rules: 174
Sigma rules: 4,182
Total detection rules: 4,356

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 145
Detection rules enabled after channel filter: 4,322

Output profile: standard

Scanning in progress. Please wait.

[00:09:16] 145 / 145 [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (88)                  Nasreddine Bencherchali (63)      frack113 (59)                     Florian Roth (38)                │
│ oscd.community (37)               Tim Shelton (15)                  Daniil Yugoslavskiy (12)          Roberto Rodriguez (11)           │
│ Roberto Rodriguez @Cyb3r... (11)  Timur Zinniatullin (10)           OTR (9)                           Victor Sergeev (8)               │
│ Jonhnathan Ribeiro (6)            Gleb Sukhodolskiy (6)             KarneadesMarkus Neis (4)          Jakob Weinzettl (4)              │
│ juju4 (4)                         Bhabesh Raj (4)                   Ján Trenčanský (3)                Sander Wiebing (3)               │
│ Wietze Beukema (3)                SOC Prime (3)                     Markus Neis (3)                   Thomas Patzke (3)                │
│ Michael Haag (3)                  Teymur Kheirkhabarov (3)          Alexandr Yampolskyi (3)           Patrick Bareiss (2)              │
│ Christopher Peacock @sec... (2)   Dimitrios Slamaris (2)            Aleksey Potapov (2)               Oddvar Moe (2)                   │
│ James Pemberton@4A616D65... (2)   Sreeman (2)                       Mark Woan (2)                     Anton Kutepov (2)                │
│ Center for Threat Inform... (2)   Mark Russinovich (2)              Endgame (2)                       @gott_cyber (2)                  │
│ JHasenbusch (2)                   Fukusuke Takahashi (2)            Sherif Eldeeb (2)                 Swachchhanda Shrawan Poudel (2)  │
│ SCYTHE @scythe_io (2)             Samir Bousseaden (1)              Janantha Marasinghe (1)           Matthew Green @mgreen27 (1)      │
│ Ecco (1)                          Luc Génaux (1)                    Andreas Hunkeler (1)              D3F7A5105 (1)                    │
│ Connor Martin (1)                 Stephen Lincoln @slincol... (1)   Harish Segar (1)                  Eric Conrad (1)                  │
│ xorxes (1)                        Zach Stanford @svch0st (1)        pH-T (1)                          Thurein Oo (1)                   │
│ Tim Rauch (1)                     FPT.EagleEye (1)                  @neu5ron (1)                      Open Threat Research (1)         │
│ Cybex (1)                         Tom Kern (1)                      AlertIQ (1)                       X__Junior (1)                    │
│ Elastic (1)                       Anish Bogati (1)                  Cédric Hien (1)                   James Pemberton @4A616D6573 (1)  │
│ @redcanary (1)                    Timur Zinniatullin oscd.... (1)   Yusuke Matsui (1)                 Joshua Wright (1)                │
│ Maxime Thiebaut (1)               Perez Diego (1)                   xknow (1)                         @0xrawsec (1)                    │
│ Dmitry Uchakin (1)                James Dickenson (1)               Natalia Shornikova (1)            Max Altgelt (1)                  │
│ mdecrevoisier (1)                 Michael R. (1)                                                                                       │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,968,477 / 6,463,018 (Data reduction: 494,541 events (7.65%))

Total | Unique detections: 6,107,529 | 305
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.30%)
Total | Unique medium detections: 38,786 (0.64%) | 111 (28.85%)
Total | Unique low detections: 1,704,933 (27.92%) | 88 (36.39%)
Total | Unique informational detections: 4,345,505 (71.15%) | 68 (12.46%)

Dates with most total detections:
critical: n/a, high: 2023-11-06 (5,574), medium: 2023-11-06 (18,594), low: 2022-09-18 (915,410), informational: 2022-03-02 (1,231,193)

Top 5 computers with most unique detections:
critical: n/a
high: WinDev2310Eval (24), DESKTOP-6D0DBMB (10), Agamemnon (10), DESKTOP-A8CALR3 (9), evtx-PC (7)
medium: WinDev2310Eval (83), Agamemnon (37), DESKTOP-A8CALR3 (22), DESKTOP-6D0DBMB (22), evtx-PC (16)
low: WinDev2310Eval (61), DESKTOP-6D0DBMB (42), Agamemnon (36), DESKTOP-A8CALR3 (35), evtx-PC (25)
informational: WinDev2310Eval (47), DESKTOP-A8CALR3 (47), DESKTOP-6D0DBMB (47), WIN-TKC15D7KHUR (43), WIN-FPV0DSIC9O6 (39)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                                Top high alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                 File Creation Date Changed to Another Year (15,884)            │
│ n/a                                                                 Windows Shell/Scripting Application File Write to Sus... (991) │
│ n/a                                                                 EVTX Created In Uncommon Location (986)                         │
│ n/a                                                                 Mimikatz Detection LSASS Access (131)                           │
│ n/a                                                                 Proc Exec (Non-Exe Filetype) (60)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                                  Top low alerts:                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (12,311)                                            Proc Access (1,613,391)                                         │
│ Process Ran With High Privilege (7,673)                             Possible Timestomping (71,065)                                  │
│ Potential Credential Dumping Activity Via LSASS (6,135)             Scheduled Task Created - Registry (8,185)                       │
│ Autorun Keys Modification (3,606)                                   Shell Context Menu Command Tampering (4,283)                    │
│ LSASS Access From Program In Potentially Suspicious F... (2,396)    Suspicious In-Memory Module Execution (2,878)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                           │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Reg Key Create/Delete (Noisy) (1,714,224)                           Pipe Conn (39,460)                                              │
│ Reg Key Value Set (Noisy) (1,151,506)                               Proc Exec (23,695)                                              │
│ DLL Loaded (Noisy) (727,396)                                        Proc Terminated (14,674)                                        │
│ File Created (542,438)                                              Net Conn (14,234)                                               │
│ File Deleted (94,703)                                               Pipe Created (10,602)                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.csv (4.2 GB)

Elapsed time: 00:09:19.1570

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

Errors were generated. Please check ./logs/errorlog-20241012_125831.log for details.

Rule Parse Processing Time: 00:00:01.786
Analysis Processing Time: 00:09:18.617
Output Processing Time: 00:00:00.116

Memory usage stats:
heap stats:     peak       total      freed    current     unit      count
  reserved:    5.2 GiB    5.3 GiB  384.0 MiB    5.0 GiB
 committed:    1.0 GiB    5.3 GiB  864.4 GiB -859.0 GiB                     ok
     reset:          0
    purged:   48.5 GiB
   touched:  128.5 KiB   37.4 MiB  116.3 GiB -116.2 GiB                     ok
  segments:         27        600        590         10                     not all freed
-abandoned:          1          1          1          0                     ok
   -cached:          0          0          0          0                     ok
     pages:          0          0     1.1 Mi    -1.1 Mi                     ok
-abandoned:          2          2          2          0                     ok
 -extended:          0
 -noretire:          0
    arenas:          5
-crossover:          0
 -rollback:          0
     mmaps:          0
   commits:          0
    resets:          0
    purges:    21.5 Ki
   threads:         17         17          1         16                     not all freed
  searches:    0.0 avg
numa nodes:          1
   elapsed:  560.488 s
   process: user: 3585.489 s, system: 48.808 s, faults: 320, rss: 1.5 GiB, commit: 1.0 GiB

fukusuke@fukusukenoMacBook-Air hayabusa-2.18.0-mac-arm % ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../all-evtx -w -D -n -u -C -q -o timeline.csv --debug

Start time: 2024/10/12 13:25

Total event log files: 2,239
Total file size: 8.8 GB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 204 (4.68%)
Experimental rules: 1,020 (23.42%)
Stable rules: 251 (5.76%)
Test rules: 2,836 (65.11%)
Unsupported rules: 45 (1.03%)

Hayabusa rules: 174
Sigma rules: 4,182
Total detection rules: 4,356

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 145
Detection rules enabled after channel filter: 4,322

Output profile: standard

Scanning in progress. Please wait.

[00:09:17] 145 / 145 [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Zach Mathis (88)                  Nasreddine Bencherchali (63)      frack113 (59)                     Florian Roth (38)                │
│ oscd.community (37)               Tim Shelton (15)                  Daniil Yugoslavskiy (12)          Roberto Rodriguez (11)           │
│ Roberto Rodriguez @Cyb3r... (11)  Timur Zinniatullin (10)           OTR (9)                           Victor Sergeev (8)               │
│ Jonhnathan Ribeiro (6)            Gleb Sukhodolskiy (6)             KarneadesMarkus Neis (4)          Jakob Weinzettl (4)              │
│ juju4 (4)                         Bhabesh Raj (4)                   Ján Trenčanský (3)                Sander Wiebing (3)               │
│ Wietze Beukema (3)                SOC Prime (3)                     Markus Neis (3)                   Thomas Patzke (3)                │
│ Michael Haag (3)                  Teymur Kheirkhabarov (3)          Alexandr Yampolskyi (3)           Patrick Bareiss (2)              │
│ Christopher Peacock @sec... (2)   Dimitrios Slamaris (2)            Aleksey Potapov (2)               Oddvar Moe (2)                   │
│ James Pemberton@4A616D65... (2)   Sreeman (2)                       Mark Woan (2)                     Anton Kutepov (2)                │
│ Center for Threat Inform... (2)   Mark Russinovich (2)              Endgame (2)                       @gott_cyber (2)                  │
│ JHasenbusch (2)                   Fukusuke Takahashi (2)            Sherif Eldeeb (2)                 Swachchhanda Shrawan Poudel (2)  │
│ SCYTHE @scythe_io (2)             Samir Bousseaden (1)              Janantha Marasinghe (1)           Matthew Green @mgreen27 (1)      │
│ Ecco (1)                          Luc Génaux (1)                    Andreas Hunkeler (1)              D3F7A5105 (1)                    │
│ Connor Martin (1)                 Stephen Lincoln @slincol... (1)   Harish Segar (1)                  Eric Conrad (1)                  │
│ xorxes (1)                        Zach Stanford @svch0st (1)        pH-T (1)                          Thurein Oo (1)                   │
│ Tim Rauch (1)                     FPT.EagleEye (1)                  @neu5ron (1)                      Open Threat Research (1)         │
│ Cybex (1)                         Tom Kern (1)                      AlertIQ (1)                       X__Junior (1)                    │
│ Elastic (1)                       Anish Bogati (1)                  Cédric Hien (1)                   James Pemberton @4A616D6573 (1)  │
│ @redcanary (1)                    Timur Zinniatullin oscd.... (1)   Yusuke Matsui (1)                 Joshua Wright (1)                │
│ Maxime Thiebaut (1)               Perez Diego (1)                   xknow (1)                         @0xrawsec (1)                    │
│ Dmitry Uchakin (1)                James Dickenson (1)               Natalia Shornikova (1)            Max Altgelt (1)                  │
│ mdecrevoisier (1)                 Michael R. (1)                                                                                       │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Results Summary:

Events with hits / Total events: 5,968,477 / 6,463,018 (Data reduction: 494,541 events (7.65%))

Total | Unique detections: 6,107,529 | 305
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.30%)
Total | Unique medium detections: 38,786 (0.64%) | 111 (28.85%)
Total | Unique low detections: 1,704,933 (27.92%) | 88 (36.39%)
Total | Unique informational detections: 4,345,505 (71.15%) | 68 (12.46%)

Dates with most total detections:
critical: n/a, high: 2023-11-06 (5,574), medium: 2023-11-06 (18,594), low: 2022-09-18 (915,410), informational: 2022-03-02 (1,231,193)

Top 5 computers with most unique detections:
critical: n/a
high: WinDev2310Eval (24), DESKTOP-6D0DBMB (10), Agamemnon (10), DESKTOP-A8CALR3 (9), evtx-PC (7)
medium: WinDev2310Eval (83), Agamemnon (37), DESKTOP-A8CALR3 (22), DESKTOP-6D0DBMB (22), evtx-PC (16)
low: WinDev2310Eval (61), DESKTOP-6D0DBMB (42), Agamemnon (36), DESKTOP-A8CALR3 (35), evtx-PC (25)
informational: WinDev2310Eval (47), DESKTOP-A8CALR3 (47), DESKTOP-6D0DBMB (47), WIN-TKC15D7KHUR (43), WIN-FPV0DSIC9O6 (39)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                                                Top high alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                 File Creation Date Changed to Another Year (15,884)            │
│ n/a                                                                 Windows Shell/Scripting Application File Write to Sus... (991) │
│ n/a                                                                 EVTX Created In Uncommon Location (986)                         │
│ n/a                                                                 Mimikatz Detection LSASS Access (131)                           │
│ n/a                                                                 Proc Exec (Non-Exe Filetype) (60)                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                                                  Top low alerts:                                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (12,311)                                            Proc Access (1,613,391)                                         │
│ Process Ran With High Privilege (7,673)                             Possible Timestomping (71,065)                                  │
│ Potential Credential Dumping Activity Via LSASS (6,135)             Scheduled Task Created - Registry (8,185)                       │
│ Autorun Keys Modification (3,606)                                   Shell Context Menu Command Tampering (4,283)                    │
│ LSASS Access From Program In Potentially Suspicious F... (2,396)    Suspicious In-Memory Module Execution (2,878)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                                           │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Reg Key Create/Delete (Noisy) (1,714,224)                           Pipe Conn (39,460)                                              │
│ Reg Key Value Set (Noisy) (1,151,506)                               Proc Exec (23,695)                                              │
│ DLL Loaded (Noisy) (727,396)                                        Proc Terminated (14,674)                                        │
│ File Created (542,438)                                              Net Conn (14,234)                                               │
│ File Deleted (94,703)                                               Pipe Created (10,602)                                           │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

Saved file: timeline.csv (4.2 GB)

Elapsed time: 00:09:19.1841

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

Errors were generated. Please check ./logs/errorlog-20241012_133511.log for details.

Rule Parse Processing Time: 00:00:01.762
Analysis Processing Time: 00:09:18.932
Output Processing Time: 00:00:00.099

Memory usage stats:
heap stats:     peak       total      freed    current     unit      count
  reserved:    5.2 GiB    5.3 GiB  384.0 MiB    5.0 GiB
 committed:    1.0 GiB    5.3 GiB  907.8 GiB -902.4 GiB                     ok
     reset:          0
    purged:   46.3 GiB
   touched:  128.5 KiB   33.6 MiB  117.8 GiB -117.7 GiB                     ok
  segments:         27        540        530         10                     not all freed
-abandoned:          1          1          1          0                     ok
   -cached:          0          0          0          0                     ok
     pages:          0          0     1.1 Mi    -1.1 Mi                     ok
-abandoned:          4          4          4          0                     ok
 -extended:          0
 -noretire:          0
    arenas:          5
-crossover:          0
 -rollback:          0
     mmaps:          0
   commits:          0
    resets:          0
    purges:    18.7 Ki
   threads:         17         17          1         16                     not all freed
  searches:    0.0 avg
numa nodes:          1
   elapsed:  560.870 s
   process: user: 3629.359 s, system: 46.991 s, faults: 322, rss: 1.5 GiB, commit: 1.0 GiB
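The five runs above are a regression check of Hayabusa 2.14.0 through 2.18.0 on the same 2,239-file evtx set. The 2.16.0 run is the first to show the channel filter (2,239 files loaded down to 145, 4,356 enabled rules down to 4,322), and the totals move slightly with it: 6,108,111 detections become 6,107,529 and 309 unique rules become 305. Reading ten summary blocks by eye to confirm that no high or critical detection was lost is error-prone, so the following is an added Python example (not part of the transcript and not Hayabusa project code) that parses the Results Summary lines of two runs and reports the per-field delta, flagging any drop in critical or high detections. The sample input is constructed from the figures visible in the 2.15.0 and 2.16.0 runs above, cut down to the lines the parser reads; the field names and the choice of which severities count as a regression are this example's own.

```python
import re

# Constructed sample input: the summary lines of two of the runs in the
# transcript above (2.15.0 without the channel filter, 2.16.0 with it),
# reduced to the lines the parser reads. Not complete Hayabusa transcripts.
SAMPLE_RUNS = {
    "2.15.0": """\
Total event log files: 2,239
Total enabled detection rules: 4,356
Events with hits / Total events: 5,969,042 / 6,611,184 (Data reduction: 642,142 events (9.71%))
Total | Unique detections: 6,108,111 | 309
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.65%)
Total | Unique medium detections: 39,121 (0.64%) | 113 (28.48%)
Total | Unique low detections: 1,704,933 (27.91%) | 88 (36.57%)
Total | Unique informational detections: 4,345,752 (71.15%) | 70 (12.30%)
Analysis Processing Time: 00:09:23.096
""",
    "2.16.0": """\
Total event log files: 2,239
Evtx files loaded after channel filter: 145
Detection rules enabled after channel filter: 4,322
Events with hits / Total events: 5,968,477 / 6,463,018 (Data reduction: 494,541 events (7.65%))
Total | Unique detections: 6,107,529 | 305
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 18,305 (0.30%) | 38 (22.30%)
Total | Unique medium detections: 38,786 (0.64%) | 111 (28.85%)
Total | Unique low detections: 1,704,933 (27.92%) | 88 (36.39%)
Total | Unique informational detections: 4,345,505 (71.15%) | 68 (12.46%)
Analysis Processing Time: 00:09:16.593
""",
}

LEVELS = ("critical", "high", "medium", "low", "informational")


def _num(s: str) -> int:
    """Hayabusa prints thousands separators; strip them before int()."""
    return int(s.replace(",", ""))


def _find(pattern: str, text: str) -> re.Match:
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError(f"summary line not found: {pattern}")
    return m


def parse_summary(text: str) -> dict:
    """Extract the count fields from one csv-timeline summary into a flat dict."""
    out = {}
    m = _find(r"^Events with hits / Total events: ([\d,]+) / ([\d,]+)", text)
    out["events_with_hits"], out["total_events"] = _num(m[1]), _num(m[2])
    m = _find(r"^Total \| Unique detections: ([\d,]+) \| ([\d,]+)", text)
    out["total_detections"], out["unique_detections"] = _num(m[1]), _num(m[2])
    for level in LEVELS:
        m = _find(rf"^Total \| Unique {level} detections: ([\d,]+) \([\d.]+%\) \| ([\d,]+)", text)
        out[f"{level}_total"], out[f"{level}_unique"] = _num(m[1]), _num(m[2])
    m = _find(r"^Analysis Processing Time: (\d+):(\d+):([\d.]+)", text)
    out["analysis_seconds"] = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
    # 2.16.0 and later print the post-filter file count; earlier versions scan every file.
    m = re.search(r"^Evtx files loaded after channel filter: ([\d,]+)", text, re.MULTILINE)
    if m is None:
        m = _find(r"^Total event log files: ([\d,]+)", text)
    out["files_scanned"] = _num(m[1])
    return out


def compare_runs(baseline: str, candidate: str):
    """Return (deltas, regressions): candidate minus baseline for every field,
    plus the names of the critical/high fields where the candidate found less."""
    b, c = parse_summary(baseline), parse_summary(candidate)
    deltas = {k: c[k] - b[k] for k in b}
    watched = ("critical_total", "critical_unique", "high_total", "high_unique")
    regressions = [k for k in watched if deltas[k] < 0]
    return deltas, regressions


if __name__ == "__main__":
    deltas, regressions = compare_runs(SAMPLE_RUNS["2.15.0"], SAMPLE_RUNS["2.16.0"])
    for name, value in deltas.items():
        print(f"{name:>24}: {value:+}")
    print("regressions:", regressions or "none")
```

Run against the two sample blocks it reports total_detections at -582, split exactly between medium (-335) and informational (-247), with critical and high unchanged, so the channel filter dropped only low-value events and no regression is flagged. For real use, redirect each Hayabusa command's standard output to a file and pass the two file contents to compare_runs; the parser only needs the Results Summary and timing lines, so the rest of the transcript is ignored.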