Merge pull request #73 from Yamato-Security/finalize-2.2.0

finalize 2.2.0
Yamato-Security · Dec 3, 2023 · fdcdc51 · fdcdc51
2 parents 6907fd7 + ae3a62a
commit fdcdc51
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 5 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -1,6 +1,6 @@
 # 変更点
 
-## x.x.x [xxxx/xx/xx]
+## 2.2.0 [2023/12/03] - Nasi Lemak Release
 
 **新機能:**
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changes
 
-## x.x.x [xxxx/xx/xx]
+## 2.2.0 [2023/12/03] - Nasi Lemak Release
 
 **New Features:**
 

diff --git a/README-Japanese.md b/README-Japanese.md
@@ -75,6 +75,8 @@ Takajōは、日本語で["鷹狩りのスキルに優れた人"](https://en.wik
   - [Timelineコマンド](#timelineコマンド-1)
     - [`timeline-logon`コマンド](#timeline-logonコマンド)
       - [`timeline-logon`コマンドの使用例](#timeline-logonコマンドの使用例)
+    - [`timeline-partition-diagnostic`コマンド](#timeline-partition-diagnosticコマンド)
+      - [`timeline-partition-diagnostic`コマンドの使用例](#timeline-partition-diagnosticコマンドの使用例)
     - [`timeline-suspicious-processes`コマンド](#timeline-suspicious-processesコマンド)
       - [`timeline-suspicious-processes`コマンドの使用例](#timeline-suspicious-processesコマンドの使用例)
   - [VirusTotalコマンド](#virustotalコマンド-1)
@@ -145,6 +147,7 @@ Nimがインストールされている場合、以下のコマンドでソー
 ## Timelineコマンド
 * `timeline-logon`: ログオンイベントのCSVタイムラインを作成する
 * `timeline-suspicious-processes`: 不審なプロセスのCSVタイムラインを作成する
+* `timeline-partition-diagnostic`: partition diagnosticイベントのCSVタイムラインを作成する
 
 ## VirusTotalコマンド
 * `vt-domain-lookup`: VirusTotalでドメインのリストを検索し、悪意のあるドメインをレポートする
@@ -563,9 +566,41 @@ hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
 takajo.exe timeline-logon -t ../hayabusa/timeline.jsonl -o logon-timeline.csv
 ```
 
+### `timeline-partition-diagnostic`コマンド
+
+partition diagnosticイベントのCSVタイムラインを作成します。Windows 10の`Microsoft-Windows-Partition%4Diagnostic.evtx`を解析し、現在および過去に接続されたデバイスのボリュームシリアル番号を出力します。
+この処理は [Partition-4DiagnosticParser](https://github.com/theAtropos4n6/Partition-4DiagnosticParser)を参考にして作成されました。
+
+* 入力: `JSONL`
+* プロファイル: `すべて`
+* 出力: `CSV`
+
+必須オプション:
+
+- `-t, --timeline <JSONL-FILE>`: HayabusaのJSONLタイムライン
+
+任意オプション:
+
+- `-o, --output <CSV-FILE>`: 結果を保存するCSVファイル
+- `-q, --quiet`: ロゴを出力しない (デフォルト: `false`)
+
+#### `timeline-partition-diagnostic`コマンドの使用例
+
+HayabusaでJSONLタイムラインを作成する:
+
+```
+hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
+```
+
+接続されたデバイスのCSVタイムラインを作成する:
+
+```
+takajo.exe timeline-partition-diagnostic -t ../hayabusa/timeline.jsonl -o partition-diagnostic-timeline.csv
+```
+
 ### `timeline-suspicious-processes`コマンド
 
-不審なプロセスのCSVタイムラインを作成する
+不審なプロセスのCSVタイムラインを作成します。
 
 * 入力: `JSONL`
 * プロファイル: `all-field-info` と `all-field-info-verbose` 以外すべて

diff --git a/README.md b/README.md
@@ -76,6 +76,8 @@ Takajō means ["Falconer"](https://en.wikipedia.org/wiki/Falconry) in Japanese a
   - [Timeline Commands](#timeline-commands-1)
     - [`timeline-logon` command](#timeline-logon-command)
       - [`timeline-logon` command examples](#timeline-logon-command-examples)
+    - [`timeline-partition-diagnostic` command](#timeline-partition-diagnostic-command)
+      - [`timeline-partition-diagnostic` command examples](#timeline-partition-diagnostic-command-examples)
     - [`timeline-suspicious-processes` command](#timeline-suspicious-processes-command)
       - [`timeline-suspicious-processes` command examples](#timeline-suspicious-processes-command-examples)
   - [VirusTotal Commands](#virustotal-commands-1)
@@ -146,6 +148,7 @@ If you have Nim installed, you can compile from source with the following comman
 
 ## Timeline Commands
 * `timeline-logon`: create a CSV timeline of logon events
+* `timeline-partition-diagnostic`: create a CSV timeline of partition diagnostic events
 * `timeline-suspicious-processes`: create a CSV timeline of suspicious processes
 
 ## VirusTotal Commands
@@ -590,6 +593,38 @@ Save logon timeline to a CSV file:
 takajo.exe timeline-logon -t ../hayabusa/timeline.jsonl -o logon-timeline.csv
 ```
 
+### `timeline-partition-diagnostic` command
+
+Creates a CSV timeline of partition diagnostic events by parsing Windows 10 `Microsoft-Windows-Partition%4Diagnostic.evtx` files and reporting information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed.
+This process is based on the tool [Partition-4DiagnosticParser](https://github.com/theAtropos4n6/Partition-4DiagnosticParser).
+
+* Input: `JSONL`
+* Profile: Any
+* Output: `CSV`
+
+Required options:
+
+- `-t, --timeline <JSONL-FILE>`: JSONL timeline created by Hayabusa.
+
+Options:
+
+- `-o, --output <CSV-FILE>`: the CSV file to save the results to.
+- `-q, --quiet`: do not display logo. (default: `false`)
+
+#### `timeline-partition-diagnostic` command examples
+
+Prepare JSONL timeline with Hayabusa:
+
+```
+hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w
+```
+
+Create a CSV timeline of connected devices:
+
+```
+takajo.exe timeline-partition-diagnostic -t ../hayabusa/timeline.jsonl -o partition-diagnostic-timeline.csv
+```
+
 ### `timeline-suspicious-processes` command
 
 Create a CSV timeline of suspicious processes.

diff --git a/src/takajo.nim b/src/takajo.nim
@@ -36,7 +36,7 @@ include takajopkg/vtIpLookup
 include takajopkg/vtHashLookup
 
 when isMainModule:
-    clCfg.version = "2.1.0"
+    clCfg.version = "2.2.0"
     const examples = "Examples:\p"
     const example_extract_scriptblocks = "  extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
     const example_list_domains = "  list-domains -t ../hayabusa/timeline.jsonl -o domains.txt\p"
@@ -55,7 +55,7 @@ when isMainModule:
     const example_vt_hash_lookup = "  vt-hash-lookup -a <API-KEY> --hashList case-1-MD5-hashes.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
     const example_vt_ip_lookup = "  vt-ip-lookup -a <API-KEY> --ipList ipAddresses.txt -r 1000 -o results.csv --jsonOutput responses.json\p"
 
-    clCfg.useMulti = "Version: 2.1.0 Halloween Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
+    clCfg.useMulti = "Version: 2.2.0 Nasi Lemak Release\pUsage: takajo.exe <COMMAND>\p\pCommands:\p$subcmds\pCommand help: $command help <COMMAND>\p\p" &
         examples & example_extract_scriptblocks & example_list_domains & example_list_hashes & example_list_ip_addresses & example_list_undetected_evtx & example_list_unused_rules &
         example_split_csv_timeline & example_split_json_timeline & example_stack_logons & example_sysmon_process_tree &
         example_timeline_logon & example_timeline_partition_diagnostic & example_timeline_suspicious_processes &