From 59f292f3572108a24bdd30392cec0d8fbd35104c Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 30 Mar 2024 07:01:43 +0900
Subject: [PATCH 1/2] finalize 2.5.0
---
 CHANGELOG-Japanese.md | 2 +-
 CHANGELOG.md | 2 +-
 README.md | 269 +++++++++++++++++++++-----
 src/takajo.nim | 178 ++++++++---------
 src/takajopkg/automagic.nim | 2 +-
 src/takajopkg/extractScriptblocks.nim | 2 +-
 src/takajopkg/stackCmdlines.nim | 2 +-
 src/takajopkg/stackProcesses.nim | 2 +-
 takajo.nimble | 2 +-
 9 files changed, 320 insertions(+), 141 deletions(-)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 6eae2cd..3daefc5 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,6 +1,6 @@
 # 変更点
-## 2.5.0 [xxxx/xx/xx]
+## 2.5.0 [2024/03/30] - BSides Tokyo Release
 **新機能:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 671032b..782659f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changes
-## 2.5.0 [xxxx/xx/xx]
+## 2.5.0 [2024/03/30] - BSides Tokyo Release
 **New Features:**
diff --git a/README.md b/README.md
index e28304a..c4498c0 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a
 - [Git cloning](#git-cloning)
 - [Advanced: Compiling From Source (Optional)](#advanced-compiling-from-source-optional)
 - [Command List](#command-list)
+ - [Automation Commands](#automation-commands)
 - [Extract Commands](#extract-commands)
 - [List Commands](#list-commands)
 - [Split Commands](#split-commands)
@@ -50,6 +51,9 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a - [TTP Commands](#ttp-commands) - [VirusTotal Commands](#virustotal-commands) - [Command Usage](#command-usage) +- [Automation Commands](#automation-commands-1) + - [`automagic` command](#automagic-command) + - [`automagic` command examples](#automagic-command-examples) - [Extract Commands](#extract-commands-1) - [`extract-scriptblocks` command](#extract-scriptblocks-command) - [`extract-scriptblocks` command example](#extract-scriptblocks-command-example) @@ -73,8 +77,12 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a - [Stack Commands](#stack-commands-1) - [`stack-cmdlines` command](#stack-cmdlines-command) - [`stack-cmdlines` command examples](#stack-cmdlines-command-examples) + - [`stack-computers` command](#stack-computers-command) + - [`stack-computers` command examples](#stack-computers-command-examples) - [`stack-dns` command](#stack-dns-command) - [`stack-dns` command examples](#stack-dns-command-examples) + - [`stack-ip-addresses` command](#stack-ip-addresses-command) + - [`stack-ip-addresses` command examples](#stack-ip-addresses-command-examples) - [`stack-logons` command](#stack-logons-command) - [`stack-logons` command examples](#stack-logons-command-examples) - [`stack-processes` command](#stack-processes-command) @@ -83,6 +91,8 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a - [`stack-services` command examples](#stack-services-command-examples) - [`stack-tasks` command](#stack-tasks-command) - [`stack-tasks` command examples](#stack-tasks-command-examples) + - [`stack-users` command](#stack-users-command) + - [`stack-users` command examples](#stack-users-command-examples) - [Sysmon Commands](#sysmon-commands-1) - [`sysmon-process-tree` command](#sysmon-process-tree-command) - [`sysmon-process-tree` command examples](#sysmon-process-tree-command-examples) 
@@ -155,6 +165,9 @@ If you have Nim installed, you can compile from source with the following comman # Command List +## Automation Commands +* `automagic`: automatically executes as many commands as possible and output results to a new folder + ## Extract Commands * `extract-scriptblocks`: extract and reassemble PowerShell EID 4104 script block logs @@ -171,11 +184,14 @@ If you have Nim installed, you can compile from source with the following comman ## Stack Commands * `stack-cmdlines`: stack executed command lines +* `stack-computers`: stack computers * `stack-dns`: stack DNS queries and responses +* `stack-ip-addresses`: stack target IP addresses (`TgtIP` field) or source IP addresses (`SrcIP` field) * `stack-logons`: stack logons by target user, target computer, source IP address and source computer * `stack-processes`: stack executed processes -* `stack-services`: stack new service names and processes -* `stack-tasks`: stack new scheduled tasks +* `stack-services`: stack service names and paths from `System 7040` and `Security 4697` events +* `stack-tasks`: stack new scheduled tasks from `Security 4698` events and parse out XML task content +* `stack-users`: stack target users (`TgtUser` field) or source users (`SrcUser` field) ## Sysmon Commands * `sysmon-process-tree`: output the process tree of a certain process 
@@ -198,6 +214,51 @@ If you have Nim installed, you can compile from source with the following comman # Command Usage +# Automation Commands + +### `automagic` command + +Automatically executes as many commands as possible and output results to a new folder + +> Note: You should use the `verbose` or `super-verbose` profile to utilize all commands. + +* Input: JSONL file or directory of JSONL files +* Profile: Any besides `all-field-info` and `all-field-info-verbose` +* Output: A new folder with all of the results in different files + +Required options: + +- `-t, --timeline `: Hayabusa JSONL timeline file or directory. + +Options: + +- `-d, --displayTable`: display the results table (default: `false`) +- `-l, --level`: specify the minimum alert level (default: `low`) +- `-o, --output`: output directory (default: `case-1`) +- `-q, --quiet`: do not display the launch banner (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) + +#### `automagic` command examples + +Prepare the JSONL timeline with Hayabusa: + +``` +hayabusa.exe json-timeline -d -L -o timeline.jsonl -w -p verbose +``` + +Run as many Takajo commands as possible and save results under the `case-1` folder: + +``` +takajo.exe automagic -t ../hayabusa/timeline.jsonl -o case-1 +``` + +Run as many Takajo commands as possible on the `hayabusa-results` directory and save results under the `case-1` folder: + +``` +takajo.exe automagic -t ../hayabusa/hayabusa-results/ -o case-1 +``` + + ## Extract Commands ### `extract-scriptblocks` command 
@@ -212,13 +273,14 @@ Extracts and reassemles PowerShell EID 4104 script block logs. Required options: -- `-t, --timeline `: Hayabusa JSONL timeline file or directory +- `-t, --timeline `: Hayabusa JSONL timeline file or directory Options: - `-l, --level`: specify the minimum alert level (default: `low`) - `-o, --output`: output directory (default: `scriptblock-logs`) - `-q, --quiet`: do not display the launch banner (default: `false`) + - `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `extract-scriptblocks` command example @@ -251,14 +313,15 @@ Currently it will only check queried domains in Sysmon EID 22 logs but will be u Required options: -- `-o, --output `: save results to a text file. -- `-t, --timeline `: Hayabusa JSONL timeline file or directory. + - `-o, --output `: save results to a text file. + - `-t, --timeline `: Hayabusa JSONL timeline file or directory. Options: -- `-s, --includeSubdomains`: include subdomains. (default: `false`) -- `-w, --includeWorkstations`: include local workstation names. (default: `false`) -- `-q, --quiet`: do not display logo. (default: `false`) + - `-s, --includeSubdomains`: include subdomains (default: `false`) + - `-w, --includeWorkstations`: include local workstation names (default: `false`) + - `-q, --quiet`: do not display logo (default: `false`) + - `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `list-domains` command examples 
@@ -290,13 +353,14 @@ Create a list of process hashes to be used with vt-hash-lookup (input: JSONL, pr Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. -- `-o, --output `: specify the base name to save the text results to. + - `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files + - `-o, --output `: specify the base name to save the text results to. Options: -- `-l, --level`: specify the minimum level. (default: `high`) -- `-q, --quiet`: do not display logo. (default: `false`) + - `-l, --level`: specify the minimum level. (default: `high`) + - `-q, --quiet`: do not display logo. (default: `false`) + - `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `list-hashes` command examples @@ -325,15 +389,16 @@ It will extract the `TgtIP` fields for target IP addresses and `SrcIP` fields fo Required options: -- `-o, --output `: save results to a text file. -- `-t, --timeline `: Hayabusa JSONL timeline file or directory. + - `-o, --output `: save results to a text file. + - `-t, --timeline `: Hayabusa JSONL timeline file or directory. Options: -- `-i, --inbound`: include inbound traffic. (default: `true`) -- `-O, --outbound`: include outbound traffic. (default: `true`) -- `-p, --privateIp`: include private IP addresses (default: `false`) -- `-q, --quiet`: do not display logo. (default: `false`) + - `-i, --inbound`: include inbound traffic. (default: `true`) + - `-O, --outbound`: include outbound traffic. (default: `true`) + - `-p, --privateIp`: include private IP addresses (default: `false`) + - `-q, --quiet`: do not display logo. (default: `false`) + - `-s, --skipProgressBar`: "do not display the progress bar (default: `false`) #### `list-ip-addresses` command examples 
@@ -496,7 +561,7 @@ Split up a large JSONL timeline into smaller ones based on the computer name. Required options: -- `-t, --timeline `: Hayabusa JSONL timeline file or directory. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory. Options: @@ -527,7 +592,7 @@ takajo.exe split-json-timeline -t ../hayabusa/timeline.jsonl -o case-1-jsonl ### `stack-cmdlines` command -This command will stack executed command lines by extracting information from Sysmon 1 and Security 4688 events. +This command will stack executed command lines by extracting information from `Sysmon 1` and `Security 4688` events. * Input: JSONL * Profile: Any besides `all-field-info` and `all-field-info-verbose` @@ -535,15 +600,16 @@ This command will stack executed command lines by extracting information from Sy Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: -- `-l, --level`: specify the minimum alert level (default: `low`) +- `-l, --level`: specify the minimum alert level (default: `informational`) - `-y, --ignoreSysmon`: exclude Sysmon 1 events (default: `false`) - `-e, --ignoreSecurity`: exclude Security 4688 events (default: `false`) -- `-o, --output `: the CSV file to save the results to. +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-cmdlines` command examples 
@@ -559,6 +625,40 @@ Save to CSV: takajo.exe stack-cmdlines -t ../hayabusa/timeline.jsonl -o stack-cmdlines.csv ``` +### `stack-computers` command + +This command will stack computer hostnames according to the `Computer` field. + +* Input: JSONL +* Profile: Any besides `all-field-info` and `all-field-info-verbose` +* Output: Terminal or CSV file + +Required options: + +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files + +Options: + +- `-l, --level`: specify the minimum alert level (default: `informational`) +- `-c, --sourceComputers`: stack source computers instead of target computers (default: false) +- `-o, --output `: the CSV file to save the results to (default: `stdout`) +- `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) + +#### `stack-computers` command examples + +Output to terminal: + +``` +takajo.exe stack-computers -t ../hayabusa/timeline.jsonl +``` + +Save to CSV: + +``` +takajo.exe stack-computers -t ../hayabusa/timeline.jsonl -o stack-computers.csv +``` + ### `stack-dns` command This command will stack DNS queries and responses from Sysmon 22 events. @@ -569,13 +669,14 @@ This command will stack DNS queries and responses from Sysmon 22 events. Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: - `-l, --level`: specify the minimum alert level (default: `informational`) -- `-o, --output `: the CSV file to save the results to. +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-dns` command examples 
@@ -591,6 +692,40 @@ Save to CSV: takajo.exe stack-dns -t ../hayabusa/timeline.jsonl -o stack-dns.csv ``` +### `stack-ip-addresses` command + +This command will stack the target IP addresses (`TgtIP` field) or source IP addresses (`SrcIP` field). + +* Input: JSONL +* Profile: Any besides `all-field-info` and `all-field-info-verbose` +* Output: Terminal or CSV file + +Required options: + +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files + +Options: + +- `-l, --level`: specify the minimum alert level (default: `informational`) +- `-a, --targetIpAddresses`: stack target IP addresses instead of source IP addresses (default: `false`) +- `-o, --output `: the CSV file to save the results to (default: `stdout`) +- `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) + +#### `stack-ip-addresses` command examples + +Output to terminal: + +``` +takajo.exe stack-ip-addresses -t ../hayabusa/timeline.jsonl +``` + +Save to CSV: + +``` +takajo.exe stack-ip-addresses -t ../hayabusa/timeline.jsonl -o stack-ip-addresses.csv +``` + ### `stack-logons` command Creates a list logons according to `Target User`, `Target Computer`, `Logon Type`, `Source IP Address`, `Source Computer`. @@ -602,13 +737,14 @@ Results are filtered out when the source IP address is a local IP address by def Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: - `-l, --localSrcIpAddresses`: include results when the source IP address is local. -- `-o, --output `: the CSV file to save the results to. +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-logons` command examples 
@@ -634,13 +770,16 @@ This command will stack executed processes from Sysmon 1 and Security 4688 event Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: - `-l, --level`: specify the minimum alert level (default: `low`) -- `-o, --output `: the CSV file to save the results to. +- `-y, --ignoreSysmon`: exclude Sysmon 1 events (default: `false`) +- `-e, --ignoreSecurity`: exclude Security 4688 events (default: `false`) +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-processes` command examples @@ -666,15 +805,16 @@ This command will stack service names and paths from System 7040 and Security 46 Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: - `-l, --level`: specify the minimum alert level (default: `informational`) - `-y, --ignoreSystem`: exclude System 7040 events (default: `false`) - `-e, --ignoreSecurity`: exclude Security 4697 events (default: `false`) -- `-o, --output `: the CSV file to save the results to. +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-services` command examples 
@@ -700,13 +840,14 @@ This command will stack new scheduled tasks from Security 4698 events and parse Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: - `-l, --level`: specify the minimum alert level (default: `informational`) -- `-o, --output `: the CSV file to save the results to. +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) #### `stack-tasks` command examples 
@@ -722,6 +863,42 @@ Save to CSV: takajo.exe stack-tasks -t ../hayabusa/timeline.jsonl -o stack-tasks.csv ``` +### `stack-users` command + +This command will stack the target users (`TgtUser` field (default)) or source users (`SrcUser` field) in any event that has those fields as well as show alert information. + +* Input: JSONL +* Profile: Any besides `all-field-info` and `all-field-info-verbose` +* Output: Terminal or CSV file + +Required options: + +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files + +Options: + +- `-s, --sourceUsers`: stack source users instead of target users (default: false) +- `-c, --filterComputerAccounts`: filter out computer accounts (default: true) +- `-f, --filterSystemAccounts`: filter out system accounts (default: true) +- `-l, --level`: specify the minimum alert level (default: `informational`) +- `-o, --output `: the CSV file to save the results to (default: `stdout`) +- `-q, --quiet`: do not display logo. (default: `false`) +- `-s, --skipProgressBar`: do not display the progress bar (default: `false`) + +#### `stack-users` command examples + +Output to terminal: + +``` +takajo.exe stack-users -t ../hayabusa/timeline.jsonl +``` + +Save to CSV: + +``` +takajo.exe stack-users -t ../hayabusa/timeline.jsonl -o stack-users.csv +``` + ## Sysmon Commands ### `sysmon-process-tree` command @@ -735,7 +912,7 @@ Output the process tree of a certain process, such as a suspicious or malicious Required options: - `-p, --processGuid `: sysmon process GUID -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: @@ -782,7 +959,7 @@ This makes it easier to detect lateral movement, password guessing/spraying, pri Required options: - `-o, --output `: the CSV file to save the results to. -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: 
@@ -820,7 +997,7 @@ This process is based on the tool [Partition-4DiagnosticParser](https://github.c Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: @@ -851,12 +1028,12 @@ Create a CSV timeline of suspicious processes. Required options: -- `-t, --timeline `: JSONL timeline created by Hayabusa. +- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files Options: -- `-l, --level `: specify the minimum alert level. (default: `high`) -- `-o, --output `: the CSV file to save the results to. +- `-l, --level `: specify the minimum alert level (default: `high`) +- `-o, --output `: the CSV file to save the results to (default: `stdout`) - `-q, --quiet`: do not display logo. (default: `false`) #### `timeline-suspicious-processes` command examples @@ -870,19 +1047,19 @@ hayabusa.exe json-timeline -d -L -o timeline.jsonl -w Search for processes that had an alert level of `high` or above and output results to screen: ``` -takajo.exe timeline-suspicious-process -t ../hayabusa/timeline.jsonl +takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl ``` Search for processes that had an alert level of `low` or above and output results to screen: ``` -takajo.exe timeline-suspicious-process -t ../hayabusa/timeline.jsonl -l low +takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl -l low ``` Save the results to a CSV file: ``` -takajo.exe timeline-suspicious-process -t ../hayabusa/timeline.jsonl -o suspicous-processes.csv +takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl -o suspicous-processes.csv ``` #### `timeline-suspicious-processes` screenshot 
@@ -899,7 +1076,7 @@ This command will stack new scheduled tasks from Security 4698 events and parse
 Required options:
-- `-t, --timeline `: JSONL timeline created by Hayabusa.
+- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files
 Options:
@@ -932,7 +1109,7 @@ This command summarize tactics and techniques found in each computer according t
 Required options:
-- `-t, --timeline `: JSONL timeline created by Hayabusa.
+- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files
 Options:
@@ -973,7 +1150,7 @@ This command extracts TTPs and create a JSON file to visualize in [MITRE ATT&CK
 Required options:
-- `-t, --timeline `: JSONL timeline created by Hayabusa.
+- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files
 Options:
@@ -1010,7 +1187,7 @@ This command extracts TTPs from Sigma and create a JSON file to visualize in [MI
 Required options:
-- `-t, --timeline `: JSONL timeline created by Hayabusa.
+- `-t, --timeline `: Hayabusa JSONL timeline file or directory of JSONL files
 Options:
diff --git a/src/takajo.nim b/src/takajo.nim
index 570e32e..ef81f3a 100644
--- a/src/takajo.nim
+++ b/src/takajo.nim
@@ -58,7 +58,7 @@ include takajopkg/automagic
 when isMainModule:
- clCfg.version = "2.5.0-dev"
+ clCfg.version = "2.5.0"
 const examples = "Examples:\p"
 const example_automagic = " automagic -t ../hayabusa/timeline.jsonl [--level low] [--displayTable] -o case-1\p"
 const example_extract_scriptblocks = " extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
@@ -90,7 +90,7 @@ when isMainModule:
 const example_vt_hash_lookup = " vt-hash-lookup -a --hashList case-1-MD5-hashes.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
 const example_vt_ip_lookup = " vt-ip-lookup -a --ipList ipAddresses.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
- clCfg.useMulti = "Version: 2.5.0 Dev Build\pUsage: takajo.exe \p\pCommands:\p$subcmds\pCommand help: $command help \p\p" &
+ clCfg.useMulti = "Version: 2.5.0 BSides Tokyo Release\pUsage: takajo.exe \p\pCommands:\p$subcmds\pCommand help: $command help \p\p" &
 examples &
 example_automagic &
 example_extract_scriptblocks &
@@ -109,11 +109,11 @@ when isMainModule:
 autoMagic, cmdName = "automagic",
 doc = "automatically executes as many commands as possible and output results to a new folder",
 help = {
- "level": "specify the minimum alert level (default: low)",
- "skipProgressBar": "do not display the progress bar",
- "displayTable": "display the result table",
- "output": "output directory (default: scriptblock-logs)",
- "quiet": "do not display the launch banner",
+ "displayTable": "display the results table (default: false)",
+ "level": "specify the minimum alert level (default: informational)",
+ "output": "output directory (default: case-1)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 }
 ],
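Review bot: The automagic help entry now reads `"level": "specify the minimum alert level (default: informational)",` while the README section for automagic added in this same commit documents the `-l, --level` default as low, so the two cannot both be right. The real default lives in src/takajopkg/automagic.nim, which the diffstat lists as a one-line change that is not in view; if that proc still defaults to low, the help line should revert to `"level": "specify the minimum alert level (default: low)",`, otherwise the README needs the same correction. The same README/help disagreement on the level default appears in the extract-scriptblocks and stack-processes tables later in this patch. In the preceding hunk, `clCfg.useMulti` hard-codes `Version: 2.5.0 BSides Tokyo Release` separately from `clCfg.version`; composing it as `"Version: " & clCfg.version & " BSides Tokyo Release\pUsage: ..."` would stop the two from drifting the way `2.5.0-dev` and `Dev Build` had.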
@@ -121,10 +121,10 @@ when isMainModule:
 extractScriptblocks, cmdName = "extract-scriptblocks",
 doc = "extract and reassemble PowerShell EID 4104 script block logs",
 help = {
- "level": "specify the minimum alert level (default: low)",
- "skipProgressBar": "do not display the progress bar",
+ "level": "specify the minimum alert level (default: informational)",
 "output": "output directory (default: scriptblock-logs)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 }
 ],
@@ -134,9 +134,9 @@ when isMainModule:
 help = {
 "includeSubdomains": "include subdomains",
 "includeWorkstations": "include local workstation names",
- "skipProgressBar": "do not display the progress bar",
 "output": "save results to a text file",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
@@ -149,9 +149,9 @@ when isMainModule:
 doc = "create a list of process hashes to be used with vt-hash-lookup",
 help = {
 "level": "specify the minimum alert level",
- "skipProgressBar": "do not display the progress bar",
 "output": "specify the base name to save results to text files (ex: -o case-1)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
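Review bot: In the list-domains table, `skipProgressBar` is re-added next to `includeSubdomains`, and the README hunk for list-domains in this same commit lists both as `-s, --includeSubdomains` and `-s, --skipProgressBar`, which cannot both hold for one command. The `short = {` table that decides the letter starts on the hunk's last line and its contents are outside the hunk, so confirm which short option skipProgressBar actually gets and fix the README entry to match. The README for stack-users shows the same doubled `-s` (`-s, --sourceUsers` and `-s, --skipProgressBar`), and its `short = {` table is likewise cut off at the end of the last hunk in this patch. The list-hashes `level` entry in the third hunk is the only one in the file left without a default; the README gives it as high, so `"level": "specify the minimum alert level (default: high)",` would bring it in line.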
@@ -161,10 +161,10 @@ when isMainModule:
 help = {
 "inbound": "include inbound traffic",
 "outbound": "include outbound traffic",
- "skipProgressBar": "do not display the progress bar",
 "output": "save results to a text file",
 "privateIp": "include private IP addresses",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
@@ -179,7 +179,7 @@ when isMainModule:
 "columnName": "specify a custom column header name",
 "evtxDir": "directory of .evtx files you scanned with Hayabusa",
 "output": "save the results to a text file (default: stdout)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "timeline": "Hayabusa CSV timeline (profile: any verbose profile)",
 }
 ],
@@ -189,7 +189,7 @@ when isMainModule:
 help = {
 "columnName": "specify a custom column header name",
 "output": "save the results to a text file (default: stdout)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "rulesDir": "Hayabusa rules directory",
 "timeline": "Hayabusa CSV timeline (profile: any verbose profile)",
 }
@@ -200,7 +200,7 @@ when isMainModule:
 help = {
 "makeMultiline": "output fields in multiple lines",
 "output": "output directory (default: output)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "timeline": "Hayabusa non-multiline CSV timeline (profile: any)",
 }
 ],
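Review bot: The list-ip-addresses entries `inbound`, `outbound` and `privateIp` are left without a default while the same hunk adds `(default: false)` to `quiet` and `skipProgressBar`; the README for this command states inbound and outbound default to true and privateIp to false, which is exactly what a user reading `--help` needs to know before filtering. Matching the rest of the file would be `"inbound": "include inbound traffic (default: true)",`, `"outbound": "include outbound traffic (default: true)",` and `"privateIp": "include private IP addresses (default: false)",`. The `short = {` table for this command begins on the hunk's last line and is otherwise outside the hunk.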
@@ -209,40 +209,40 @@ when isMainModule:
 doc = "split up a large JSONL timeline into smaller ones based on the computer name",
 help = {
 "output": "output directory (default: output)",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 }
 ],
 [
- stackComputers, cmdName = "stack-computers",
- doc = "stack computers",
+ stackCmdlines, cmdName = "stack-cmdlines",
+ doc = "stack executed command lines",
 help = {
- "level": "specify the minimum alert level (default: low)",
- "sourceComputers" : "stack source computers instead of target computers",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "level": "specify the minimum alert level (default: informational)",
+ "ignoreSecurity": "exclude Security 4688 events (default: false)",
+ "ignoreSysmon": "exclude Sysmon 1 events (default: false)",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
- "sourceComputers": 'c'
+ "ignoreSysmon": 'y',
+ "ignoreSecurity": 'e'
 }
 ],
 [
- stackCmdlines, cmdName = "stack-cmdlines",
- doc = "stack executed command lines",
+ stackComputers, cmdName = "stack-computers",
+ doc = "stack computers",
 help = {
- "level": "specify the minimum alert level (default: low)",
- "ignoreSysmon": "exclude Sysmon 1 events",
- "ignoreSecurity": "exclude Security 4688 events",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "level": "specify the minimum alert level (default: informational)",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
+ "sourceComputers" : "stack source computers instead of target computers (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
- "ignoreSysmon": 'y',
- "ignoreSecurity": 'e'
+ "sourceComputers": 'c'
 }
 ],
 [
@@ -250,21 +250,21 @@ when isMainModule:
 doc = "stack DNS queries and responses",
 help = {
 "level": "specify the minimum alert level (default: informational)",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
 [
 stackIpAddresses, cmdName = "stack-ip-addresses",
- doc = "stack ipaddresses",
+ doc = "stack the target IP addresses (TgtIP field) or source IP addresses (SrcIP field)",
 help = {
 "level": "specify the minimum alert level (default: informational)",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
+ "targetIpAddresses" : "stack target IP addresses instead of source IP addresses",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 },
 short = {
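Review bot: In the stack-ip-addresses table, `targetIpAddresses` is the only option in the rewritten block with no default shown, while the README entry for `-a, --targetIpAddresses` added in this commit states `(default: false)` and the parallel `sourceComputers` entry in the stack-computers table above was given one; `"targetIpAddresses" : "stack target IP addresses instead of source IP addresses (default: false)",` closes that gap. Since the command's behaviour flips between the TgtIP and SrcIP fields on this switch, the help text is the only place a user sees which side is stacked by default. The `short = {` table for stack-ip-addresses begins on the hunk's last line and its contents are outside the hunk.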
@@ -276,9 +276,9 @@ when isMainModule:
 doc = "stack logons by target user, target computer, source IP address and source computer",
 help = {
 "localSrcIpAddresses": "include results when the source IP address is local",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
@@ -286,12 +286,12 @@ when isMainModule:
 stackProcesses, cmdName = "stack-processes",
 doc = "stack executed processes",
 help = {
- "level": "specify the minimum alert level (default: low)",
- "ignoreSysmon": "exclude Sysmon 1 events",
+ "level": "specify the minimum alert level (default: informational)",
 "ignoreSecurity": "exclude Security 4688 events",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "ignoreSysmon": "exclude Sysmon 1 events",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
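Review bot: The stack-processes entries `ignoreSecurity` and `ignoreSysmon` are rewritten without the `(default: false)` suffix that the stack-cmdlines table earlier in this patch gives the identical options, so the two commands now describe the same switches differently. `"ignoreSecurity": "exclude Security 4688 events (default: false)",` and `"ignoreSysmon": "exclude Sysmon 1 events (default: false)",` would match. The stack-logons `localSrcIpAddresses` entry in the first hunk is likewise left without a default even though it also toggles a filter. The `short = {` table begins on the hunk's last line and is otherwise outside the hunk.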
@@ -301,12 +301,14 @@ when isMainModule:
 ],
 [
 stackServices, cmdName = "stack-services",
- doc = "stack service names and paths",
+ doc = "stack service names and paths from System 7040 and Security 4697 events",
 help = {
 "level": "specify the minimum alert level (default: informational)",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
+ "ignoreSecurity": "exclude Security 4697 events (default: false)",
+ "ignoreSystem": "exclude System 7040 events (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
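Review bot: The new `ignoreSecurity` and `ignoreSystem` entries are inserted after `skipProgressBar`, breaking the alphabetical ordering that the three reordered lines just above them establish for every other help table in this commit; they belong directly after `"level"`. The diffstat lists no change to a stackServices source file, and cligen's dispatch macros check each help key against the proc's parameter names, so these two keys only compile if `stackServices` already accepts `ignoreSecurity` and `ignoreSystem` — worth confirming, since a mismatch fails the build rather than the help output. The `short = {` block the hunk ends on continues outside it.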
@@ -316,26 +318,26 @@ when isMainModule:
 ],
 [
 stackTasks, cmdName = "stack-tasks",
- doc = "stack new scheduled tasks",
+ doc = "stack new scheduled tasks from Security 4698 events and parse out XML task content",
 help = {
 "level": "specify the minimum alert level (default: informational)",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
 [
 stackUsers, cmdName = "stack-users",
- doc = "stack users",
+ doc = "stack target users (TgtUser field) or source users (SrcUser field)",
 help = {
 "level": "specify the minimum alert level (default: informational)",
- "sourceUsers" : "stack source users instead of target users (default: false)",
 "filterComputerAccounts": "filter out computer accounts (default: true)",
 "filterSystemAccounts": "filter out system accounts (default: true)",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
+ "sourceUsers" : "stack source users instead of target users (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 },
 short = {
@@ -349,7 +351,7 @@ when isMainModule:
 help = {
 "output": "save results to a text file",
 "processGuid": "sysmon process GUID",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
@@ -361,8 +363,8 @@ when isMainModule:
 "output": "save results to a CSV file",
 "outputAdminLogonEvents": "output admin logon events as separate entries",
 "outputLogoffEvents": "output logoff events as separate entries",
- "skipProgressBar": "do not display the progress bar",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 },
 short = {
@@ -374,9 +376,9 @@ when isMainModule:
 timelinePartitionDiagnostic, cmdName = "timeline-partition-diagnostic",
 doc = "create a CSV timeline of partition diagnostic events",
 help = {
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 }
 ],
@@ -385,9 +387,9 @@ when isMainModule:
 doc = "create a CSV timeline of suspicious processes",
 help = {
 "level": "specify the minimum alert level",
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any besides all-field-info*)",
 }
 ],
@@ -395,9 +397,9 @@ when isMainModule:
 timelineTasks, cmdName = "timeline-tasks",
 doc = "create a CSV timeline of scheduled tasks",
 help = {
- "skipProgressBar": "do not display the progress bar",
 "output": "save results to a CSV file",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any)",
 }
 ],
@@ -405,9 +407,9 @@ when isMainModule:
 ttpSummary, cmdName = "ttp-summary",
 doc = "summarize tactics and techniques found in each computer",
 help = {
- "skipProgressBar": "do not display the progress bar",
- "output": "save results to a csv file",
- "quiet": "do not display the launch banner",
+ "output": "save results to a CSV file (default: stdout)",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any verbose profile)",
 }
 ],
@@ -415,9 +417,9 @@ when isMainModule:
 ttpVisualize, cmdName = "ttp-visualize",
 doc = "extract TTPs and create a JSON file to visualize in MITRE ATT&CK Navigator",
 help = {
- "skipProgressBar": "do not display the progress bar",
 "output": "save results to a json file",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
+ "skipProgressBar": "do not display the progress bar (default: false)",
 "timeline": "Hayabusa JSONL timeline file or directory (profile: any verbose profile)",
 }
 ],
@@ -426,7 +428,7 @@ when isMainModule:
 doc = "extract TTPs from Sigma and create a JSON file to visualize in MITRE ATT&CK Navigator",
 help = {
 "output": "save results to a json file",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 "rulesDir": "Sigma rules directory",
 }
 ],
@@ -437,9 +439,9 @@ when isMainModule:
 "apiKey": "your VirusTotal API key",
 "domainList": "a text file list of domains",
 "jsonOutput": "save all responses to a JSON file",
- "output": "save results to a CSV file",
+ "output": "save results to a CSV file (default: stdout)",
 "rateLimit": "set the rate per minute for requests",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 }
 ],
 [
@@ -451,7 +453,7 @@ when isMainModule:
 "jsonOutput": "save all responses to a JSON file",
 "output": "save results to a text file",
 "rateLimit": "set the rate per minute for requests",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 },
 short = {
 "hashList": 'H'
@@ -464,9 +466,9 @@ when isMainModule:
 "apiKey": "your VirusTotal API key",
 "ipList": "a text file list of IP addresses",
 "jsonOutput": "save all responses to a JSON file",
- "output": "save results to a CSV file",
+ "output": "save results to a CSV file (default: stdout)",
 "rateLimit": "set the rate per minute for requests",
- "quiet": "do not display the launch banner",
+ "quiet": "do not display the launch banner (default: false)",
 }
 ]
 )
\ No newline at end of file
diff --git a/src/takajopkg/automagic.nim b/src/takajopkg/automagic.nim
index 640e557..4f9a776 100644
--- a/src/takajopkg/automagic.nim
+++ b/src/takajopkg/automagic.nim
@@ -4,7 +4,7 @@ type
 AutoMagicCmd* = ref object of AbstractCmd
 level: string
-proc autoMagic(level: string = "low", skipProgressBar: bool = false,
+proc autoMagic(level: string = "informational", skipProgressBar: bool = false,
 displayTable: bool = false, output: string = "case-1", quiet: bool = false, timeline: string) =
 checkArgs(quiet, timeline, level)
diff --git a/src/takajopkg/extractScriptblocks.nim b/src/takajopkg/extractScriptblocks.nim
index 62f349a..f0ed4d5 100644
--- a/src/takajopkg/extractScriptblocks.nim
+++ b/src/takajopkg/extractScriptblocks.nim
@@ -142,7 +142,7 @@ method resultOutput*(self: ExtractScriptBlocksCmd) =
 self.output & "/*.txt")
-proc extractScriptblocks(level: string = "low", skipProgressBar: bool = false,
+proc extractScriptblocks(level: string = "informational", skipProgressBar: bool = false,
 output: string = "scriptblock-logs", quiet: bool = false, timeline: string) =
 checkArgs(quiet, timeline, level)
diff --git a/src/takajopkg/stackCmdlines.nim b/src/takajopkg/stackCmdlines.nim
index 450f2d6..e5bfedd 100644
--- a/src/takajopkg/stackCmdlines.nim
+++ b/src/takajopkg/stackCmdlines.nim
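Review bot: Changing the `level` default from `"low"` to `"informational"` in `autoMagic`, and likewise in `extractScriptblocks` in the next hunk and `stackCmdlines`/`stackProcesses` in the following file sections, widens what each command processes when `--level` is omitted, since the help text describes `level` as the minimum alert level. The stack-processes help table in takajo.nim was updated to say `(default: informational)`, but the help strings for automagic, extract-scriptblocks and stack-cmdlines are not in the visible hunks, so they should be checked for the same update. The value is only validated inside `checkArgs(quiet, timeline, level)`, whose body is not shown, so a doc comment on each proc would help readers: `## level is the minimum Hayabusa alert level to include; "informational" (the default) keeps every event.` The body of each proc continues outside its hunk.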
@@ -20,7 +20,7 @@ method analyze*(self: StackCmdlineCmd, x: HayabusaJson) =
 method resultOutput*(self: StackCmdlineCmd) =
 outputResult(self, self.stack, isMinColumns = true)
-proc stackCmdlines(level: string = "low", ignoreSysmon: bool = false,
+proc stackCmdlines(level: string = "informational", ignoreSysmon: bool = false,
 ignoreSecurity: bool = false, skipProgressBar: bool = false, output: string = "", quiet: bool = false, timeline: string) =
 checkArgs(quiet, timeline, level)
diff --git a/src/takajopkg/stackProcesses.nim b/src/takajopkg/stackProcesses.nim
index a8ccc45..febbabd 100644
--- a/src/takajopkg/stackProcesses.nim
+++ b/src/takajopkg/stackProcesses.nim
@@ -20,7 +20,7 @@ method analyze*(self: StackProcessesCmd, x: HayabusaJson) =
 method resultOutput*(self: StackProcessesCmd) =
 outputResult(self, self.stack, isMinColumns = true)
-proc stackProcesses(level: string = "low", ignoreSysmon: bool = false,
+proc stackProcesses(level: string = "informational", ignoreSysmon: bool = false,
 ignoreSecurity: bool = false, skipProgressBar: bool = false, output: string = "", quiet: bool = false, timeline: string) =
 checkArgs(quiet, timeline, level)
diff --git a/takajo.nimble b/takajo.nimble
index ee5c0b5..688661a 100644
--- a/takajo.nimble
+++ b/takajo.nimble
@@ -13,7 +13,7 @@ bin = @["takajo"]
 requires "nim >= 2.0.0"
 requires "cligen >= 1.5"
-requires "suru#f6f1e607c585b2bc2f71309996643f0555ff6349"
+requires "suru"
 requires "puppy >= 2.1.0"
 requires "termstyle"
 requires "nancy"
From c9df455143488d2c3a3f3b0390eb603691c99a53 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sat, 30 Mar 2024 07:14:59 +0900
Subject: [PATCH 2/2] revert suru version
---
 takajo.nimble | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/takajo.nimble b/takajo.nimble
index 688661a..ee5c0b5 100644
--- a/takajo.nimble
+++ b/takajo.nimble
@@ -13,7 +13,7 @@ bin = @["takajo"]
 requires "nim >= 2.0.0"
 requires "cligen >= 1.5"
-requires "suru"
+requires "suru#f6f1e607c585b2bc2f71309996643f0555ff6349"
 requires "puppy >= 2.1.0"
 requires "termstyle"
 requires "nancy"
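Review bot: The restored `requires "suru#f6f1e607c585b2bc2f71309996643f0555ff6349"` pin carries no explanation, and the preceding commit in this series shows how readily it gets dropped during a release tidy-up; a comment above it stating why this exact revision is required would protect it, e.g. `# intentionally pinned to an exact suru commit: <reason>; re-verify before changing`. Pinning to a full commit hash is also the more reproducible choice from a supply-chain standpoint, because a bare package name resolves to whatever the upstream default branch holds at install time, so the revert itself is the right outcome. The neighbouring `requires` lines use version ranges or no constraint at all; if any of them is build-critical in the same way, the same treatment and comment would apply.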