Enhancements:
- RDP logon and logoff information has been added to the
timeline-logontimeline. #209 (@fukusuket) - MITRE ATT&CK updated to version 16.1. (#219) (@fukusuket)
Bug Fixes:
- The Source IP Address and Source Computer fields for
4624successful logon events in the logon timeline were backwards. (#208) (@fukusuket)
New Features:
extract-credentials command: extract out plaintext credentials from the command line information in Security 4688 and Sysmon 1 events. Ex: wmic, schtasks, net user, psexec usage. (#192) (@fukusuket)
html-server command: create a dynamic server to view the HTML summary reports. (@nishikawaakira)
Enhancements:
- Detection summary for Total Detections and Unique Detections in the Rule Summary page of the HTML report has been consolidated into one table. (#182) (@nishikawaakira)
- Computer summary page was added to the HTML report. (#183) (@nishikawaakira)
- Added a list of detected alerts to the Rule Summary page. (#175) (@nishikawaakira)
- Detection Rule List lists more detailed information. (#176) (@nishikawaakira)
Bug Fixes:
Invalid JSON lineerrors would display with the default Hayabusa profile. (#169) (@nishikawaakira)- Graphs were being aggregated to the first date for each rule. (#191) (@nishikawaakira)
Other:
- License is changed from GPL-3.0 to AGPL-3.0. (@yamatosecurity)
New Features:
- New
html-reportcommand to create a HTML summary report. (#165) (@nishikawaakira)
Enhancements:
- Added
-f, --failedLogonsto thestack-logonscommand and added stacked failed logon information to theautomagiccommand output. (#152) (@fukusuket) - Updated MITRE ATT&CK to v15.0. (#155) (@fukusuket)
Bug Fixes:
- Fixed a compile error on macOS due to treeform/puppy#118 . (#158) (@YamatoSecurity)
- Fixed a compile error when using nim 2.0.6. (#162) (@fukusuket)
- Alert level information was not being shown in the
timeline-suspicious-processescommand. (#167) (@fukusuket)
New Features:
automagiccommand: automatically executes as many commands as possible and output results to a new folder. (#132) (@fukusuket)stack-computerscommand: stack theComputer(default) orSrcCompfields as well as provide alert information. (#125) (@fukusuket)stack-ip-addressescommand: stack theSrcIP(default) orTgtIPfields as well as provide alert information. (#129) (@fukusuket)stack-userscommand: stack theTgtUser(default) orSrcUserfields as well as provide alert information. (#130) (@fukusuket)- You can now specify a directory of
.jsonlfiles to scan. #133 (@hitenkoku)
Enhancements:
- Refactoring to remove duplicate code. (#99) (@fukusuket)
- Processing speed is more than twice as fast by changing the JSON parsing to
jsony. (#122) (@fukusuket) - Added decimal points in large numbers to make them easier to read. (#120) (@fukusuket)
New Features:
stack-cmdlinescommand: stack executed command lines. (#94) (@fukusuket)stack-dnscommand: stack DNS requests. (#95) (@fukusuket)stack-processescommand: stack executed processes. (#93) (@fukusuket)stack-taskscommand: parse and stack scheduled tasks. (#97) (@fukusuket)timeline-taskscommand: parse created scheduled task events into a CSV file. (#110) (@fukusuket)ttp-visualize-sigmacommand: extracts out TTPs from sigma rules and puts in a JSON file to upload to MITRE ATT&CK Navigator to visualize in a heatmap. (#92) (@fukusuket)
Enhancements:
ttp-visualizecommand: added color gradient to the heatmap. (#90) (@fukusuket)
Bug Fixes:
split-csv-timelinecommand failed with Haybuasa 2.13.0 CSV results. (#103) (@fukusuket)
Enhancements:
- In the
ttp-visualizecommand, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket) - Added rule titles to the
ttp-summarycommand output. (#83) (@fukusuket)
Bug Fixes:
- The CSV file would not be saved in the
timeline-suspicious-processcommand if either the number of Security 4688 or Sysmon 1 events was zero while having events in the other format. (#86) (@YamatoSecurity)
New Features:
- Added the
ttp-visualizecommand to extract TTPs and create a JSON file to visualize in ATT&CK Navigator. (#76) (@fukusuket) - Added the
ttp-summarycommand to summarize tactics and techniques found in each computer. (#78) (@fukusuket)
Bug Fixes:
- Fixed a display error (mojibake) in the
timeline-partition-diagnosticcommand. (#74) (@fukusuket)
New Features:
- Added
timeline-partition-diagnosticcommand to parse the Windows 10Microsoft-Windows-Partition%4Diagnostic.evtxlog file and report information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed. (Based on https://github.com/theAtropos4n6/Partition-4DiagnosticParser) (#70) (@fukusuket)
Enhancements:
- Improved the display of the progress bar in the
vt-lookupcommand. (#68) (@fukusuket)
Bug Fixes:
- Fixed an unhandled exception bug when key is not found. (#65) (@fukusuket)
- Newline handling was not done properly in
extract-scriptblockscommand for JSON input. (#71) (@fukusuket)
New Features:
- New
extract-scriptblockscommand to reassemble PowerShell EID 4104 ScriptBlock logs. (#47) (@fukusuket)
Enhancements:
- Takajo now compiles with Nim 2.0.0. (#31) (@fukusuket)
- Replaced HTTP with Puppy to reduce external dependencies. (#33) (@fukusuket)
- Made VirusTotal lookups multi-threaded to increase performance. (#33) (@fukusuket)
- Added file existence checks when specifying the timeline. (@fukusuket)
- Added a warning when the timeline is not in JSONL format. (#43) (@fukusuket)
- Output root process information in the
sysmon-process-treecommand. Processes are now sorted by timestamp. (#54) (@fukusuket)
Bug Fixes:*
timeline-suspicious-processeswould crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)- Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
- Fixed a bug in
sysmon-process-treein which process information would sometimes be outputted twice. (#52) (@fukusuket) timeline-suspicious-processeswas not correctly outputtingParentPGUIDfield. Improved PID decimal conversion. (#50) (@fukusuket)- Fixed an error when the specified
PGUIDwas invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)
2.0.0 [2022/08/03] - SANS DFIR Summit 2023 Release
New Features:
list-domains: create a list of unique domains. (@YamatoSecurity)list-hashes: create a list of process hashes to be used with vt-hash-lookup. (@YamatoSecurity)list-ip-addresses: create a list of unique target and/or source IP addresses. (@YamatoSecurity)split-csv-timeline: split up a large CSV file into smaller ones based on the computer name. (@YamatoSecurity)split-json-timeline: split up a large JSONL timeline into smaller ones based on the computer name. (@fukusuket)stack-logons: stack logons by target user, target computer, source IP address and source computer. (@YamatoSecurity)sysmon-process-tree: output the process tree of a certain process. (@hitenkoku)timeline-logon: create a CSV timeline of logon events. (@YamatoSecurity)timeline-suspicious-processes: create a CSV timeline of suspicious processes. (@YamatoSecurity)vt-domain-lookup: look up a list of domains on VirusTotal. (@YamatoSecurity)vt-hash-lookup: look up a list of hashes on VirusTotal. (@YamatoSecurity)vt-ip-lookup: look up a list of IP addresses on VirusTotal. (@YamatoSecurity)
v1.0.0 [2022/10/28] - Code Blue 2022 Bluebox Release
New Features:
list-undetected-evtx-files: List up all of the.evtxfiles that Hayabusa didn't have a detection rule for. (#4) (@hitenkoku)list-unused-rules: List up all of the.ymldetection rules that were not used. (#4) (@hitenkoku)- Added Logo. If you want to hide the logo, use the
-q, --quietoption. (#12) (@YamatoSecurity @hitenkoku) - Added result output option. (
-o, --output) (#11) (@hitenkoku)