From 605214f02835d9161b83e4a181576e3f3307a7d9 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Thu, 21 Sep 2023 18:55:33 +0900
Subject: [PATCH] finalize 2.9.0

---
 CHANGELOG-Japanese.md | 15 ++----
 CHANGELOG.md | 23 +++------
 Cargo.lock | 98 +++++++++++++++++----------------------
 Cargo.toml | 6 +--
 README.md | 16 +++----
 rules | 2 +-
 src/detections/configs.rs | 24 +++++-----
 src/main.rs | 2 +-
 8 files changed, 78 insertions(+), 108 deletions(-)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 53bf82b43..588bb9e9c 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,31 +1,24 @@
 # 変更点
-## 2.9.0 [2023/XX/XX] "xxx Release"
-
-**新機能:**
-
-- XXX
+## 2.9.0 [2023/09/22] "Autumn Rain Release"
 **改善:**
 - ディレクトリパスの指定にバックスラッシュを使用すべきではないことを示すエラーメッセージを追加した。 (#1166) (@hitenkoku, 提案者: @joswr1ght)
 - 一度に読み込むレコード数の最適化。(#1175) (@yamatosecurity)
 - プログレスバー内にあるバックスラッシュの表示をスラッシュに変更した。 (#1172) (@hitenkoku)
+- JSON形式で出力する際に、`count`ルールの`Details`フィールドを文字列にし、パースしやすくした。(#1179) (@hitenkoku)
 **バグ修正:**
-- XXX
-
-**その他:**
-
-- XXX
+- まれにJSONフィールドが正しくパースされなかった。(#1145) (@hitenkoku)
 ## 2.8.0 [2023/09/01] "Double X Release"
 **新機能:**
 - フィールドマッピング設定に16進数値を10進数に変換する`HexToDecimal`機能に対応した。 (元の16進数のプロセスIDを変換するのに便利。) (#1133) (@fukusuket)
-- `csv-timeline`と`json-timeline`に`-x, --recover-records`オプションを追加し、空ページのファイルカービングによってevtxレコードを復元できるようにした。(#952) (@hitenkoku) (Evtxカービング機能は@forensicmattに実装された。)
+- `csv-timeline`と`json-timeline`に`-x, --recover-records`オプションを追加し、evtxのスラックスペースのファイルカービングによってevtxレコードを復元できるようにした。(#952) (@hitenkoku) (Evtxカービング機能は@forensicmattに実装された。)
 - `csv-timeline`と`json-timeline`に`-X, --remove-duplicate-detections`オプションを追加した。(`-x`を使用する場合、重複データのあるバックアップログを含める場合などに便利。) (#1157) (@fukusuket)
 - `csv-timeline`、`json-timeline`、`logon-summary`、`eid-metrics`、`pivot-keywords-list`、`search`コマンドに、直近のイベントだけをスキャンするための`--timeline-offset`オプションを追加した。 (#1159) (@hitenkoku)
 - `search`コマンドに`-a, --and-logic`オプションを追加し、複数のキーワードをAND条件で検索できるようにした。 (#1162) (@hitenkoku)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 55886e735..de710d6d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,35 +1,24 @@
 # Changes
-## 2.9.0 [2023/XX/XX] "xxx Release"
-
-**New Features:**
-
-- XXX
-
-**New Features:**
-
-- XXX
+## 2.9.0 [2023/09/22] "Autumn Rain Release"
 **Enhancements:**
 - Added an error message to indicate that when you can't load evtx files in Windows due to specifying a directory path with spaces in it, you need to remove the trailing backslash. (#1166) (@hitenkoku, thanks for the suggestion from @joswr1ght)
-- Optimized the number of records to load at a time. (#1175) (@yamatosecurity)
-- Replaced double backslashes in paths in under the progress bar on Windows systems with single forward slashes. (#1172) (@hitenkoku)
+- Optimized the number of records to load at a time for performance. (#1175) (@yamatosecurity)
+- Replaced double backslashes in paths under the progress bar on Windows systems with single forward slashes. (#1172) (@hitenkoku)
+- Made the `Details` field for `count` rules a string in the JSON output for easier parsing. (#1179) (@hitenkoku)
 **Bug Fixes:**
-- XXX
-
-**Other:**
-
-- XXX
+- In rare cases, JSON fields would not be correctly parsed. (#1145) (@hitenkoku)
 ## 2.8.0 [2023/09/01] "Double X Release"
 **New Features:**
 - Added support for `HexToDecimal` in the field mapping configuration files to convert hex values to decimal. (Useful for converting the original process IDs from hex to decimal.) (#1133) (@fukusuket)
-- Added `-x, --recover-records` option to `csv-timeline` and `json-timeline` to recover evtx records through file carving on empty pages. (#952) (@hitenkoku) (Evtx carving feature is thanks to @forensicmatt)
+- Added `-x, --recover-records` option to `csv-timeline` and `json-timeline` to recover evtx records through file carving in evtx slack space. (#952) (@hitenkoku) (Evtx carving feature is thanks to @forensicmatt)
 - Added `-X, --remove-duplicate-detections` option to `csv-timeline` and `json-timeline` to not output any duplicate detection entries. (Useful when you use `-x`, include backup logs or logs extracted from VSS with duplicate data, etc...)
 - Added a `--timeline-offset` option to `csv-timeline`, `json-timeline`, `logon-summary`, `eid-metrics`, `pivot-keywords-list` and `search` commands to scan just recent events based on a offset of years, months, days, hours, etc... (#1159) (@hitenkoku)
 - Added a `-a, --and-logic` option in the `search` command to search keywords with AND logic. (#1162) (@hitenkoku)
diff --git a/Cargo.lock b/Cargo.lock
index 7a1e5cac3..a94030de0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -30,9 +30,9 @@ dependencies = [
 [[package]]
 name = "aho-corasick"
-version = "1.0.5"
+version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c378d78423fdad8089616f827526ee33c19f2fddbd5de1629152c9593ba4783"
+checksum = "ea5d730647d4fadd988536d06fecce94b7b4f2a7efdae548f1cf4b63205518ab"
 dependencies = [
  "memchr",
 ]
@@ -305,9 +305,9 @@ dependencies = [
 [[package]]
 name = "clap"
-version = "4.4.3"
+version = "4.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84ed82781cea27b43c9b106a979fe450a13a31aab0500595fb3fc06616de08e6"
+checksum = "b1d7b8d5ec32af0fadc644bf1fd509a688c2103b185644bb1e29d164e0703136"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -315,9 +315,9 @@ dependencies = [
 [[package]]
 name = "clap_builder"
-version = "4.4.2"
+version = "4.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bb9faaa7c2ef94b2743a21f5a29e6f0010dff4caa69ac8e9d6cf8b6fa74da08"
+checksum = "5179bb514e4d7c2051749d8fcefa2ed6d06a9f4e6d69faf3805f5d80b8cf8d56"
 dependencies = [
  "anstream",
  "anstyle",
@@ -334,7 +334,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
 ]
 [[package]]
@@ -417,16 +417,6 @@ dependencies = [
  "cfg-if",
 ]
-[[package]]
-name = "crossbeam-channel"
-version = "0.5.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a33c2bf77f2df06183c3aa30d1e96c0695a313d4f9c453cc3762a6db39f99200"
-dependencies = [
- "cfg-if",
- "crossbeam-utils",
-]
-
 [[package]]
 name = "crossbeam-deque"
 version = "0.8.3"
@@ -688,7 +678,7 @@ dependencies = [
 [[package]]
 name = "evtx"
 version = "0.8.7"
-source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git?rev=c8391f1#c8391f173eb5d80b9def72ffd68e2a5c6867c945"
+source = "git+https://github.com/Yamato-Security/hayabusa-evtx.git?rev=c3eeadf#c3eeadf08def3aa8e6fa46eae326258f5bbd1ab7"
 dependencies = [
  "anyhow",
  "bitflags 2.4.0",
@@ -798,9 +788,9 @@ checksum = "6fb8d784f27acf97159b40fc4db5ecd8aa23b9ad5ef69cdd136d3bc80665f0c0"
 [[package]]
 name = "git2"
-version = "0.18.0"
+version = "0.18.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "12ef350ba88a33b4d524b1d1c79096c9ade5ef8c59395df0e60d1e1889414c0e"
+checksum = "fbf97ba92db08df386e10c8ede66a2a0369bd277090afd8710e19e38de9ec0cd"
 dependencies = [
  "bitflags 2.4.0",
  "libc",
@@ -835,14 +825,14 @@ dependencies = [
 [[package]]
 name = "hayabusa"
-version = "2.9.0-dev"
+version = "2.9.0"
 dependencies = [
  "aho-corasick",
  "base64",
  "bytesize",
  "chrono",
  "cidr-utils",
- "clap 4.4.3",
+ "clap 4.4.4",
  "comfy-table",
  "compact_str",
  "crossbeam-utils",
@@ -904,9 +894,9 @@ dependencies = [
 [[package]]
 name = "hermit-abi"
-version = "0.3.2"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "443144c8cdadd93ebf52ddb4056d257f5b52c04d3c804e657d19eb73fc33668b"
+checksum = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7"
 [[package]]
 name = "hex"
@@ -998,9 +988,9 @@ dependencies = [
 [[package]]
 name = "indoc"
-version = "2.0.3"
+version = "2.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c785eefb63ebd0e33416dfcb8d6da0bf27ce752843a45632a67bf10d4d4b5c4"
+checksum = "1e186cfbae8084e513daff4240b4797e342f988cecda4fb6c939150f96315fd8"
 [[package]]
 name = "instant"
@@ -1017,7 +1007,7 @@ version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eae7b9aee968036d54dce06cebaefd919e4472e753296daccd6d344e3e2df0c2"
 dependencies = [
- "hermit-abi 0.3.2",
+ "hermit-abi 0.3.3",
  "libc",
  "windows-sys 0.48.0",
 ]
@@ -1110,7 +1100,7 @@ checksum = "8244e0ff6c548152c07559ee9779dec5a5411eeee5bfd6146b38bd414a6841c6"
 dependencies = [
  "anyhow",
  "chrono",
- "clap 4.4.3",
+ "clap 4.4.4",
  "file-chunker",
  "memmap2 0.7.1",
  "num_cpus",
@@ -1434,7 +1424,7 @@ version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
 dependencies = [
- "hermit-abi 0.3.2",
+ "hermit-abi 0.3.3",
  "libc",
 ]
@@ -1491,7 +1481,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
 ]
 [[package]]
@@ -1502,9 +1492,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 [[package]]
 name = "openssl-src"
-version = "300.1.3+3.1.2"
+version = "300.1.5+3.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd2c101a165fff9935e34def4669595ab1c7847943c42be86e21503e482be107"
+checksum = "559068e4c12950d7dcaa1857a61725c0d38d4fc03ff8e070ab31a75d6e316491"
 dependencies = [
  "cc",
 ]
@@ -1688,9 +1678,9 @@ dependencies = [
 [[package]]
 name = "rayon"
-version = "1.7.0"
+version = "1.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d2df5196e37bcc87abebc0053e20787d73847bb33134a69841207dd0a47f03b"
+checksum = "9c27db03db7734835b3f53954b534c91069375ce6ccaa2e065441e07d9b6cdb1"
 dependencies = [
  "either",
  "rayon-core",
@@ -1698,14 +1688,12 @@ dependencies = [
 [[package]]
 name = "rayon-core"
-version = "1.11.0"
+version = "1.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b8f95bd6966f5c87776639160a66bd8ab9895d9d4ab01ddba9fc60661aebe8d"
+checksum = "5ce3fb6ad83f861aac485e76e1985cd109d9a3713802152be56c3b1f0e0658ed"
 dependencies = [
- "crossbeam-channel",
  "crossbeam-deque",
  "crossbeam-utils",
- "num_cpus",
 ]
 [[package]]
@@ -1812,9 +1800,9 @@ dependencies = [
 [[package]]
 name = "rustix"
-version = "0.38.13"
+version = "0.38.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7db8590df6dfcd144d22afd1b83b36c21a18d7cbc1dc4bb5295a8712e9eb662"
+checksum = "747c788e9ce8e92b12cd485c49ddf90723550b654b32508f979b71a7b1ecda4f"
 dependencies = [
  "bitflags 2.4.0",
  "errno",
@@ -1933,7 +1921,7 @@ checksum = "4eca7ac642d82aa35b60049a6eccb4be6be75e599bd2e9adb5f875a737654af2"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
 ]
 [[package]]
@@ -2026,9 +2014,9 @@ dependencies = [
 [[package]]
 name = "smallvec"
-version = "1.11.0"
+version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9"
+checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a"
 [[package]]
 name = "socket2"
@@ -2148,9 +2136,9 @@ dependencies = [
 [[package]]
 name = "syn"
-version = "2.0.35"
+version = "2.0.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59bf04c28bee9043ed9ea1e41afc0552288d3aba9c6efdd78903b802926f4879"
+checksum = "7303ef2c05cd654186cb250d29049a24840ca25d2747c25c0381c8d9e2f582e8"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2166,7 +2154,7 @@ dependencies = [
  "cfg-if",
  "fastrand",
  "redox_syscall",
- "rustix 0.38.13",
+ "rustix 0.38.14",
  "windows-sys 0.48.0",
 ]
@@ -2195,7 +2183,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "21bebf2b7c9e0a515f6e0f8c51dc0f8e4696391e6f1ff30379559f8365fb0df7"
 dependencies = [
- "rustix 0.38.13",
+ "rustix 0.38.14",
  "windows-sys 0.48.0",
 ]
@@ -2228,7 +2216,7 @@ checksum = "49922ecae66cc8a249b77e68d1d0623c1b2c514f0060c27cdc68bd62a1219d35"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
 ]
 [[package]]
@@ -2341,7 +2329,7 @@ checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
 ]
 [[package]]
@@ -2376,9 +2364,9 @@ dependencies = [
 [[package]]
 name = "unicode-width"
-version = "0.1.10"
+version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b"
+checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85"
 [[package]]
 name = "untrusted"
@@ -2468,7 +2456,7 @@ dependencies = [
  "once_cell",
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
  "wasm-bindgen-shared",
 ]
@@ -2490,7 +2478,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.35",
+ "syn 2.0.37",
  "wasm-bindgen-backend",
  "wasm-bindgen-shared",
 ]
@@ -2538,9 +2526,9 @@ checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 [[package]]
 name = "winapi-util"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+checksum = "f29e6f9198ba0d26b4c9f07dbe6f9ed633e1f3d5b8b414090084349e46a52596"
 dependencies = [
  "winapi",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index c1ca840e2..f0ec99041 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,17 +1,17 @@
 [package]
 name = "hayabusa"
-version = "2.9.0-dev"
+version = "2.9.0"
 repository = "https://github.com/Yamato-Security/hayabusa"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
-rust-version = "1.71.0"
+rust-version = "1.72.1"
 include = ["src/**/*", "LICENSE.txt", "README.md", "CHANGELOG.md"]
 [dependencies]
 itertools = "*"
 dashmap = "*"
 clap = { version = "4.*", features = ["derive", "cargo", "color"]}
-evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , features = ["fast-alloc"] , rev = "c8391f1" } # 0.8.7 2023/08/30 update
+evtx = { git = "https://github.com/Yamato-Security/hayabusa-evtx.git" , features = ["fast-alloc"] , rev = "c3eeadf" } # 0.8.7 2023/09/21 update
 quick-xml = {version = "0.*", features = ["serialize"] }
 serde = { version = "1.*", features = ["derive"] }
 serde_json = { version = "1.0"}
diff --git a/README.md b/README.md
index 7c9556a0f..1e10ecadc 100644
--- a/README.md
+++ b/README.md
@@ -248,7 +248,7 @@ You can learn how to analyze JSON-formatted results with `jq` [here](doc/Analysi
 * Log enrichment by adding GeoIP (ASN, city, country) information to IP addresses.
 * Search all events for keywords or regular expressions.
 * Field data mapping. (Ex: `0xc0000234` -> `ACCOUNT LOCKED`)
-* Evtx record carving from empty space.
+* Evtx record carving from evtx slack space.
 * Event de-duplication when outputting. (Useful when recovery records is enabled or when you include backed up evtx files, evtx files from VSS, etc...)
 # Downloads
@@ -475,7 +475,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   --timeline-offset Scan recent events based on an offset (ex: 1y, 3M, 30d, 24h, 30m)
@@ -514,7 +514,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   --exclude-computer Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
@@ -579,7 +579,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   --exclude-computer Do not scan specified computer names (ex: ComputerA) (ex: ComputerA,ComputerB)
@@ -635,7 +635,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   -E, --EID-filter Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
@@ -705,7 +705,7 @@ Input:
   -d, --directory Directory of multiple .evtx files
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   -a, --and-logic Search keywords with AND logic (default: OR)
@@ -793,7 +793,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   -E, --EID-filter Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
@@ -1051,7 +1051,7 @@ Input:
   -f, --file File path to one .evtx file
   -l, --live-analysis Analyze the local C:\Windows\System32\winevt\Logs folder
   -J, --JSON-input Scan JSON formatted logs instead of .evtx (.json or .jsonl)
-  -x, --recover-records Carve evtx records from empty pages (default: disabled)
+  -x, --recover-records Carve evtx records from slack space (default: disabled)
 Filtering:
   -E, --EID-filter Scan only common EIDs for faster speed (./rules/config/target_event_IDs.txt)
diff --git a/rules b/rules
index a2dc8dad8..73149dce2 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit a2dc8dad83ee487f7459414d4e67eff54ac2d6e8
+Subproject commit 73149dce2cb3251a803be556a5ff1a267613ef0c
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 60cc6c033..56a941221 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -727,7 +727,7 @@ fn check_thread_number(config: &Config) -> Option {
 pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 290
@@ -737,7 +737,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 360
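Review bot: The banner `Hayabusa v2.9.0 - Autumn Rain Release` in the `help_template` line of this hunk is a hand-edited literal that is repeated in the `-737` through `-825` hunks and in the `-1618` hunk, so the version printed by `--help` is maintained separately from the `version` field in Cargo.toml that this same commit bumps, and one missed copy at the next release would silently report the wrong version. clap help templates accept a `{version}` placeholder, so if the version is set on these commands (for example `version = env!("CARGO_PKG_VERSION")` in the attribute, or `propagate_version = true` on the top-level parser), each template could become `help_template = "\nHayabusa v{version} - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}",` and only the release name would remain to edit by hand. Failing that, a `#[test]` asserting that every template string contains `env!("CARGO_PKG_VERSION")` would catch the drift at build time rather than at a user's terminal. The `Action` enum these attributes annotate starts before this hunk and continues past it.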
@@ -747,7 +747,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 383
@@ -757,7 +757,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 310
@@ -767,7 +767,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 420
@@ -777,7 +777,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 450
@@ -787,7 +787,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 470
@@ -797,7 +797,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 380
@@ -807,7 +807,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 451
@@ -825,7 +825,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 290
@@ -1502,7 +1502,7 @@ pub struct InputOption {
     #[arg(help_heading = Some("Input"), short = 'l', long = "live-analysis", conflicts_with_all = ["filepath", "directory", "json_input"], display_order = 380)]
     pub live_analysis: bool,
-    /// Carve evtx records from empty pages (default: disabled)
+    /// Carve evtx records from slack space (default: disabled)
     #[arg(help_heading = Some("Input"), short = 'x', long = "recover-records", conflicts_with = "json_input", display_order = 440)]
     pub recover_records: bool,
@@ -1618,7 +1618,7 @@ pub struct ComputerMetricsOption {
 #[derive(Parser, Clone, Debug)]
 #[clap(
     author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-    help_template = "\nHayabusa v2.8.0 - Double X Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}",
+    help_template = "\nHayabusa v2.9.0 - Autumn Rain Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}",
     term_width = 400,
     disable_help_flag = true
 )]
diff --git a/src/main.rs b/src/main.rs
index 03606facd..f4dd616a9 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1007,7 +1007,7 @@ impl App {
             || stored_static.search_flag
             || stored_static.computer_metrics_flag)
         {
-            println!("Loading detections rules. Please wait.");
+            println!("Loading detection rules. Please wait.");
             println!();
         }