Velociraptor Hayabusa Live Detection #
These rules are automatically imported from the Hayabusa project and SigmaHQ.
Rules are automatically compiled using the configuation file into an artifact pack.
To download the latest version of the artifact pack click here
These rules are designed to work in live mode. This means the rules will match events on the endpoint directly as the event logs are written to the system event logs. Velociraptor will therefore forward only matching detections rather than all events.
This artifact relies on the watch_evtx()
plugin. This plugin will
follow the windows event logs (similar to tail -f
on Linux) and
parse events periodically.
There are some differences between this approach as compared to real
event log sources (such as ETW
):
- The log file following approach amortizes CPU load over time, if the check period is not too frequent CPU load can be lower than ETW.
- The
watch_evtx()
approach does not rely on Windows ETW and therefore does not impact limited ETW session resources. - ETW based monitoring is more real time, which will send detections to the server sooner.