Merge pull request #87 from Yamato-Security/86-fix-output-bug-new-rel…

…ease

Fixed CSV output bug and finalized for 2.3.1

CHANGELOG-Japanese.md

@@ -1,12 +1,16 @@
 # 変更点
 
-## 2.x.x [xxxx/xx/xx]
+## 2.3.1 [2024/01/27] - Year Of The Dragon Release
 
 **改善:**
 
 - `ttp-visualize` コマンドで、MITRE ATT&CK Navigator上のテクニックをマウスオーバーしたときに、検知ルール名が表示されるようした。(#82) (@fukusuket)
 - `ttp-summary`コマンドの結果にルールのタイトルを追加した。(#83) (@fukusuket)
 
+**バグ修正:**
+
+`timeline-suspicious-process`コマンドで、Security 4688またはSysmon 1のイベント数が0であり、他の形式のイベントがある場合、CSVファイルは保存されなかった。(#86) (@YamatoSecurity)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 
 **新機能:**

CHANGELOG.md

@@ -1,12 +1,16 @@
 # Changes
 
-## 2.x.x [xxxx/xx/xx]
+## 2.3.1 [2024/01/27] - Year Of The Dragon Release
 
 **Enhancements:**
 
 - In the `ttp-visualize` command, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket)
 - Added rule titles to the `ttp-summary` command output. (#83) (@fukusuket)
 
+**Bug Fixes:**
+
+- The CSV file would not be saved in the `timeline-suspicious-process` command if either the number of Security 4688 or Sysmon 1 events was zero while having events in the other format. (#86) (@YamatoSecurity)
+
 ## 2.3.0 [2023/12/23] - SECCON Christmas Release
 
 **New Features:**

src/takajo.nim

@@ -38,7 +38,7 @@ include takajopkg/vtIpLookup
 include takajopkg/vtHashLookup
 
 when isMainModule:
-    clCfg.version = "2.3.0"
+    clCfg.version = "2.3.1"
     const examples = "Examples:\p"
     const example_extract_scriptblocks = "  extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
     const example_list_domains = "  list-domains -t ../hayabusa/timeline.jsonl -o domains.txt\p"
@@ -59,7 +59,7 @@ when isMainModule:
     const example_vt_hash_lookup = "  vt-hash-lookup -a <API-KEY> --hashList case-1-MD5-hashes.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
     const example_vt_ip_lookup = "  vt-ip-lookup -a <API-KEY> --ipList ipAddresses.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
 
-    clCfg.useMulti = "Version: 2.3.0 SECCON Christmas Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
+    clCfg.useMulti = "Version: 2.3.1 Year Of The Dragon Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
         examples & example_extract_scriptblocks &
         example_list_domains & example_list_hashes & example_list_ip_addresses & example_list_undetected_evtx & example_list_unused_rules &
         example_split_csv_timeline & example_split_json_timeline & example_stack_logons & example_sysmon_process_tree &

src/takajopkg/timelineSuspiciousProcesses.nim

@@ -209,7 +209,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
                 seqOfResultsTables.add(singleResultTable)
     bar.finish()
 
-    if output != "" and suspicousProcessCount_Sec_4688 != 0 and suspicousProcessCount_Sysmon_1 != 0: # Save results to CSV
+    if output != "" and (suspicousProcessCount_Sec_4688 > 0 or suspicousProcessCount_Sysmon_1 > 0): # Save results to CSV
         # Open file to save results
         var outputFile = open(output, fmWrite)
         let header = ["Timestamp", "Computer", "Type", "Level", "Rule", "RuleAuthor", "Cmdline", "Process", "PID", "User", "LID", "LGUID", "ProcessGUID", "ParentCmdline", "ParentPID", "ParentPGUID", "Description", "Product", "Company", "MD5 Hash", "SHA1 Hash", "SHA256 Hash", "Import Hash"]
@@ -228,6 +228,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
         outputFile.close()
         let fileSize = getFileSize(output)
 
+        echo ""
         echo "Saved results to " & output & " (" & formatFileSize(fileSize) & ")"
         echo ""
 

takajo.nimble

@@ -1,6 +1,6 @@
 # Package
 
-version       = "2.3.0"
+version       = "2.3.1"
 author        = "Yamato Security @SecurityYamato"
 description   = "Takajo is an analyzer for Hayabusa results."
 license       = "GPL-3.0"