
Commit fdcdc51

Merge pull request #73 from Yamato-Security/finalize-2.2.0
finalize 2.2.0
2 parents 6907fd7 + ae3a62a commit fdcdc51

5 files changed

Lines changed: 75 additions & 5 deletions


CHANGELOG-Japanese.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# 変更点
22

3-
## x.x.x [xxxx/xx/xx]
3+
## 2.2.0 [2023/12/03] - Nasi Lemak Release
44

55
**新機能:**
66

CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
# Changes
22

3-
## x.x.x [xxxx/xx/xx]
3+
## 2.2.0 [2023/12/03] - Nasi Lemak Release
44

55
**New Features:**
66

README-Japanese.md

Lines changed: 36 additions & 1 deletion
@@ -75,6 +75,8 @@ Takajōは、日本語で["鷹狩りのスキルに優れた人"](https://en.wik
7575
- [Timelineコマンド](#timelineコマンド-1)
7676
- [`timeline-logon`コマンド](#timeline-logonコマンド)
7777
- [`timeline-logon`コマンドの使用例](#timeline-logonコマンドの使用例)
78+
- [`timeline-partition-diagnostic`コマンド](#timeline-partition-diagnosticコマンド)
79+
- [`timeline-partition-diagnostic`コマンドの使用例](#timeline-partition-diagnosticコマンドの使用例)
7880
- [`timeline-suspicious-processes`コマンド](#timeline-suspicious-processesコマンド)
7981
- [`timeline-suspicious-processes`コマンドの使用例](#timeline-suspicious-processesコマンドの使用例)
8082
- [VirusTotalコマンド](#virustotalコマンド-1)
@@ -145,6 +147,7 @@ Nimがインストールされている場合、以下のコマンドでソー
145147
## Timelineコマンド
146148
* `timeline-logon`: ログオンイベントのCSVタイムラインを作成する
147149
* `timeline-suspicious-processes`: 不審なプロセスのCSVタイムラインを作成する
150+
* `timeline-partition-diagnostic`: partition diagnosticイベントのCSVタイムラインを作成する
148151

149152
## VirusTotalコマンド
150153
* `vt-domain-lookup`: VirusTotalでドメインのリストを検索し、悪意のあるドメインをレポートする
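Review bot: the new `timeline-partition-diagnostic` bullet is appended after `timeline-suspicious-processes`, whereas the table of contents in this same file and the `## Timeline Commands` list in README.md both place it between `timeline-logon` and `timeline-suspicious-processes`. Move the bullet up one line so the ordering in the Japanese README matches the English README and the order of the command sections further down.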
@@ -563,9 +566,41 @@ hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
563566
takajo.exe timeline-logon -t ../hayabusa/timeline.jsonl -o logon-timeline.csv
564567
```
565568

569+
### `timeline-partition-diagnostic`コマンド
570+
571+
partition diagnosticイベントのCSVタイムラインを作成します。Windows 10の`Microsoft-Windows-Partition%4Diagnostic.evtx`を解析し、現在および過去に接続されたデバイスのボリュームシリアル番号を出力します。
572+
この処理は [Partition-4DiagnosticParser](https://github.com/theAtropos4n6/Partition-4DiagnosticParser)を参考にして作成されました。
573+
574+
* 入力: `JSONL`
575+
* プロファイル: `すべて`
576+
* 出力: `CSV`
577+
578+
必須オプション:
579+
580+
- `-t, --timeline <JSONL-FILE>`: HayabusaのJSONLタイムライン
581+
582+
任意オプション:
583+
584+
- `-o, --output <CSV-FILE>`: 結果を保存するCSVファイル
585+
- `-q, --quiet`: ロゴを出力しない (デフォルト: `false`)
586+
587+
#### `timeline-partition-diagnostic`コマンドの使用例
588+
589+
HayabusaでJSONLタイムラインを作成する:
590+
591+
```
592+
hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
593+
```
594+
595+
接続されたデバイスのCSVタイムラインを作成する:
596+
597+
```
598+
takajo.exe timeline-partition-diagnostic -t ../hayabusa/timeline.jsonl -o partition-diagnostic-timeline.csv
599+
```
600+
566601
### `timeline-suspicious-processes`コマンド
567602

568-
不審なプロセスのCSVタイムラインを作成する
603+
不審なプロセスのCSVタイムラインを作成します。
569604

570605
* 入力: `JSONL`
571606
* プロファイル: `all-field-info``all-field-info-verbose` 以外すべて
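Review bot: `-o, --output <CSV-FILE>` is listed under 任意オプション (optional), yet both usage examples pass it and the text never says what happens when it is omitted; either document the default behaviour (for example, results shown only on the terminal) or move the option under 必須オプション, whichever the implementation actually does. Two smaller points in the same hunk: the description scopes the source log to `Windows 10の Microsoft-Windows-Partition%4Diagnostic.evtx`, so if logs of the same channel from other Windows versions are handled, say so, otherwise state the limitation explicitly; and the change from `作成する` to `作成します。` in the `timeline-suspicious-processes` section alters the register of only that one line, so the other command descriptions in this file should be checked for the same wording.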

README.md

Lines changed: 35 additions & 0 deletions
@@ -76,6 +76,8 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a
7676
- [Timeline Commands](#timeline-commands-1)
7777
- [`timeline-logon` command](#timeline-logon-command)
7878
- [`timeline-logon` command examples](#timeline-logon-command-examples)
79+
- [`timeline-partition-diagnostic` command](#timeline-partition-diagnostic-command)
80+
- [`timeline-partition-diagnostic` command examples](#timeline-partition-diagnostic-command-examples)
7981
- [`timeline-suspicious-processes` command](#timeline-suspicious-processes-command)
8082
- [`timeline-suspicious-processes` command examples](#timeline-suspicious-processes-command-examples)
8183
- [VirusTotal Commands](#virustotal-commands-1)
@@ -146,6 +148,7 @@ If you have Nim installed, you can compile from source with the following comman
146148

147149
## Timeline Commands
148150
* `timeline-logon`: create a CSV timeline of logon events
151+
* `timeline-partition-diagnostic`: create a CSV timeline of partition diagnostic events
149152
* `timeline-suspicious-processes`: create a CSV timeline of suspicious processes
150153

151154
## VirusTotal Commands
@@ -590,6 +593,38 @@ Save logon timeline to a CSV file:
590593
takajo.exe timeline-logon -t ../hayabusa/timeline.jsonl -o logon-timeline.csv
591594
```
592595

596+
### `timeline-partition-diagnostic` command
597+
598+
Creates a CSV timeline of partition diagnostic events by parsing Windows 10 `Microsoft-Windows-Partition%4Diagnostic.evtx` files and reporting information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed.
599+
This process is based on the tool [Partition-4DiagnosticParser](https://github.com/theAtropos4n6/Partition-4DiagnosticParser).
600+
601+
* Input: `JSONL`
602+
* Profile: Any
603+
* Output: `CSV`
604+
605+
Required options:
606+
607+
- `-t, --timeline <JSONL-FILE>`: JSONL timeline created by Hayabusa.
608+
609+
Options:
610+
611+
- `-o, --output <CSV-FILE>`: the CSV file to save the results to.
612+
- `-q, --quiet`: do not display logo. (default: `false`)
613+
614+
#### `timeline-partition-diagnostic` command examples
615+
616+
Prepare JSONL timeline with Hayabusa:
617+
618+
```
619+
hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
620+
```
621+
622+
Create a CSV timeline of connected devices:
623+
624+
```
625+
takajo.exe timeline-partition-diagnostic -t ../hayabusa/timeline.jsonl -o partition-diagnostic-timeline.csv
626+
```
627+
593628
### `timeline-suspicious-processes` command
594629

595630
Create a CSV timeline of suspicious processes.
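Review bot: the sentence "reporting information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed" is ungrammatical; suggest "reporting the Volume Serial Numbers of all devices that are currently connected to the host or were previously connected". As in the Japanese README, `-o, --output` is listed under plain "Options" while both examples use it, so document what the command does when no output file is given. The description also limits the source to Windows 10; either confirm the parser only supports Windows 10 logs or broaden the statement to the versions actually tested.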

src/takajo.nim

Lines changed: 2 additions & 2 deletions
@@ -36,7 +36,7 @@ include takajopkg/vtIpLookup
3636
include takajopkg/vtHashLookup
3737

3838
when isMainModule:
39-
clCfg.version = "2.1.0"
39+
clCfg.version = "2.2.0"
4040
const examples = "Examples:\p"
4141
const example_extract_scriptblocks = " extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
4242
const example_list_domains = " list-domains -t ../hayabusa/timeline.jsonl -o domains.txt\p"
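Review bot: the version is hard-coded here as `"2.2.0"` and again, together with the release name, in the `clCfg.useMulti` string a few lines below; both literals had to be bumped in this PR. Define a single `const` for the version (and one for the release name) at module level and build both `clCfg.version` and the usage banner from it, so the two strings cannot drift apart on the next release.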
@@ -55,7 +55,7 @@ when isMainModule:
5555
const example_vt_hash_lookup = " vt-hash-lookup -a <API-KEY> --hashList case-1-MD5-hashes.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
5656
const example_vt_ip_lookup = " vt-ip-lookup -a <API-KEY> --ipList ipAddresses.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
5757

58-
clCfg.useMulti = "Version: 2.1.0 Halloween Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
58+
clCfg.useMulti = "Version: 2.2.0 Nasi Lemak Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
5959
examples & example_extract_scriptblocks & example_list_domains & example_list_hashes & example_list_ip_addresses & example_list_undetected_evtx & example_list_unused_rules &
6060
example_split_csv_timeline & example_split_json_timeline & example_stack_logons & example_sysmon_process_tree &
6161
example_timeline_logon & example_timeline_partition_diagnostic & example_timeline_suspicious_processes &
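Review bot: the `"Version: 2.2.0 Nasi Lemak Release"` prefix duplicates the value assigned to `clCfg.version` in the hunk above; interpolate a shared constant instead of a second literal. Since the context line now references `example_timeline_partition_diagnostic`, also confirm that constant is defined next to the other `example_*` constants in this module and that its option names agree with the `timeline-partition-diagnostic` usage example added to both READMEs.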
