New Features:
stack-computerscommand: stack theComputer(default) orSrcCompfields as well as provide alert information. (#125) (@fukusuket)stack-ip-addressescommand: stack theSrcIP(default) orTgtIPfields as well as provide alert information. (#129) (@fukusuket)stack-userscommand: stack theTgtUser(default) orSrcUserfields as well as provide alert information. (#130) (@fukusuket)- You can now specify a directory of
.jsonlfiles to scan. #133 (@hitenkoku)
Enhancements:
- Refactoring to remove duplicate code. (#99) (@fukusuket)
- Processing speed is more than twice as fast by changing the JSON parsing to
jsony. (#122) (@fukusuket) - Added decimal points in large numbers to make them easier to read. (#120) (@fukusuket)
New Features:
stack-cmdlinescommand: stack executed command lines. (#94) (@fukusuket)stack-dnscommand: stack DNS requests. (#95) (@fukusuket)stack-processescommand: stack executed processes. (#93) (@fukusuket)stack-taskscommand: parse and stack scheduled tasks. (#97) (@fukusuket)timeline-taskscommand: parse created scheduled task events into a CSV file. (#110) (@fukusuket)ttp-visualize-sigmacommand: extracts out TTPs from sigma rules and puts in a JSON file to upload to MITRE ATT&CK Navigator to visualize in a heatmap. (#92) (@fukusuket)
Enhancements:
ttp-visualizecommand: added color gradient to the heatmap. (#90) (@fukusuket)
Bug Fixes:
split-csv-timelinecommand failed with Haybuasa 2.13.0 CSV results. (#103) (@fukusuket)
Enhancements:
- In the
ttp-visualizecommand, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket) - Added rule titles to the
ttp-summarycommand output. (#83) (@fukusuket)
Bug Fixes:
- The CSV file would not be saved in the
timeline-suspicious-processcommand if either the number of Security 4688 or Sysmon 1 events was zero while having events in the other format. (#86) (@YamatoSecurity)
New Features:
- Added the
ttp-visualizecommand to extract TTPs and create a JSON file to visualize in ATT&CK Navigator. (#76) (@fukusuket) - Added the
ttp-summarycommand to summarize tactics and techniques found in each computer. (#78) (@fukusuket)
Bug Fixes:
- Fixed a display error (mojibake) in the
timeline-partition-diagnosticcommand. (#74) (@fukusuket)
New Features:
- Added
timeline-partition-diagnosticcommand to parse the Windows 10Microsoft-Windows-Partition%4Diagnostic.evtxlog file and report information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed. (Based on https://github.com/theAtropos4n6/Partition-4DiagnosticParser) (#70) (@fukusuket)
Enhancements:
- Improved the display of the progress bar in the
vt-lookupcommand. (#68) (@fukusuket)
Bug Fixes:
- Fixed an unhandled exception bug when key is not found. (#65) (@fukusuket)
- Newline handling was not done properly in
extract-scriptblockscommand for JSON input. (#71) (@fukusuket)
New Features:
- New
extract-scriptblockscommand to reassemble PowerShell EID 4104 ScriptBlock logs. (#47) (@fukusuket)
Enhancements:
- Takajo now compiles with Nim 2.0.0. (#31) (@fukusuket)
- Replaced HTTP with Puppy to reduce external dependencies. (#33) (@fukusuket)
- Made VirusTotal lookups multi-threaded to increase performance. (#33) (@fukusuket)
- Added file existence checks when specifying the timeline. (@fukusuket)
- Added a warning when the timeline is not in JSONL format. (#43) (@fukusuket)
- Output root process information in the
sysmon-process-treecommand. Processes are now sorted by timestamp. (#54) (@fukusuket)
Bug Fixes:*
timeline-suspicious-processeswould crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)- Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
- Fixed a bug in
sysmon-process-treein which process information would sometimes be outputted twice. (#52) (@fukusuket) timeline-suspicious-processeswas not correctly outputtingParentPGUIDfield. Improved PID decimal conversion. (#50) (@fukusuket)- Fixed an error when the specified
PGUIDwas invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)
2.0.0 [2022/08/03] - SANS DFIR Summit 2023 Release
New Features:
list-domains: create a list of unique domains. (@YamatoSecurity)list-hashes: create a list of process hashes to be used with vt-hash-lookup. (@YamatoSecurity)list-ip-addresses: create a list of unique target and/or source IP addresses. (@YamatoSecurity)split-csv-timeline: split up a large CSV file into smaller ones based on the computer name. (@YamatoSecurity)split-json-timeline: split up a large JSONL timeline into smaller ones based on the computer name. (@fukusuket)stack-logons: stack logons by target user, target computer, source IP address and source computer. (@YamatoSecurity)sysmon-process-tree: output the process tree of a certain process. (@hitenkoku)timeline-logon: create a CSV timeline of logon events. (@YamatoSecurity)timeline-suspicious-processes: create a CSV timeline of suspicious processes. (@YamatoSecurity)vt-domain-lookup: look up a list of domains on VirusTotal. (@YamatoSecurity)vt-hash-lookup: look up a list of hashes on VirusTotal. (@YamatoSecurity)vt-ip-lookup: look up a list of IP addresses on VirusTotal. (@YamatoSecurity)
v1.0.0 [2022/10/28] - Code Blue 2022 Bluebox Release
New Features:
list-undetected-evtx-files: List up all of the.evtxfiles that Hayabusa didn't have a detection rule for. (#4) (@hitenkoku)list-unused-rules: List up all of the.ymldetection rules that were not used. (#4) (@hitenkoku)- Added Logo. If you want to hide the logo, use the
-q, --quietoption. (#12) (@YamatoSecurity @hitenkoku) - Added result output option. (
-o, --output) (#11) (@hitenkoku)