Home

Awesome

<div align="center"> <p> <img alt="Takajo Logō" src="logo.png" width="50%"> </p> [ <b>English</b> ] | [<a href="README-Japanese.md">日本語</a>] </div>
<p align="center"> <a href="https://github.com/Yamato-Security/takajo/releases"><img src="https://img.shields.io/github/v/release/Yamato-Security/takajo?color=blue&label=Stable%20Version&style=flat""/></a> <a href="https://github.com/Yamato-Security/takajo/releases"><img src="https://img.shields.io/github/downloads/Yamato-Security/takajo/total?style=flat&label=GitHub%F0%9F%A6%85Downloads&color=blue"/></a> <a href="https://github.com/Yamato-Security/takajo/stargazers"><img src="https://img.shields.io/github/stars/Yamato-Security/takajo?style=flat&label=GitHub%F0%9F%A6%85Stars"/></a> <a href="https://codeblue.jp/2022/en/talks/?content=talks_24"><img src="https://img.shields.io/badge/CODE%20BLUE%20Bluebox-2022-blue"></a> <a href="https://www.seccon.jp/2022/seccon_workshop/windows.html"><img src="https://img.shields.io/badge/SECCON-2023-blue"></a> <a href="https://www.sans.org/cyber-security-training-events/digital-forensics-summit-2023/"><img src="https://img.shields.io/badge/SANS%20DFIR%20Summit-2023-blue"></a> <a href="https://bsides.tokyo/2024/"><img src="https://img.shields.io/badge/BSides%20Tokyo-2024-blue"></a> <a href="https://www.hacker.or.jp/hack-fes-2024/"><img src="https://img.shields.io/badge/Hack%20Fes.-2024-blue"></a> <a href="https://hitcon.org/2024/CMT/"><img src="https://img.shields.io/badge/HITCON-2024-blue"></a> <a href="https://www.blackhat.com/sector/2024/briefings/schedule/index.html#performing-dfir-and-threat-hunting-with-yamato-security-oss-tools-and-community-driven-knowledge-41347"><img src="https://img.shields.io/badge/SecTor-2024-blue"></a> <a href=""><img src="https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen.svg" /></a> <a href="https://twitter.com/SecurityYamato"><img src="https://img.shields.io/twitter/follow/SecurityYamato?style=social"/></a> </p>

About Takajō

Takajō (鷹匠), created by Yamato Security, is a fast forensics analyzer for Hayabusa results written in Nim. Takajō means "Falconer" in Japanese and was chosen as it analyzes Hayabusa's "catches" (results).

Companion Projects

Table of Contents

Features

Downloads

Please download the latest stable version of Takajo with compiled binaries or compile the source code from the Releases page.

Note: we provide release binaries for 64-bit Windows and Intel and Arm-based macOS but not Linux because it is difficult to provide MUSL binaries for Linux at the moment.

Git cloning

You can git clone the repository with the following command and compile binary from source code:

Warning: The main branch of the repository is for development purposes so you may be able to access new features not yet officially released, however, there may be bugs so consider it unstable.

git clone https://github.com/Yamato-Security/takajo.git

Advanced: Compiling From Source (Optional)

First, install Nim with choosenim. Then you can compile from source with the following command:

> nimble update
> nimble build -d:release --threads:on

Command List

Automation Commands

Extract Commands

HTML Commands

List Commands

Split Commands

Stack Commands

Sysmon Commands

Timeline Commands

TTP Commands

VirusTotal Commands

Command Usage

Automation Commands

automagic command

Automatically executes as many commands as possible and output results to a new folder

Note: You should use the verbose or super-verbose profile to utilize all commands.

Required options:

Options:

automagic command examples

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p verbose

Run as many Takajo commands as possible and save results under the case-1 folder:

takajo.exe automagic -t ../hayabusa/timeline.jsonl -o case-1

Run as many Takajo commands as possible on the hayabusa-results directory and save results under the case-1 folder:

takajo.exe automagic -t ../hayabusa/hayabusa-results/ -o case-1

Extract Commands

extract-scriptblocks command

Extracts and reassemles PowerShell EID 4104 script block logs.

Note: The PowerShell scripts are best opened as .ps1 files with code syntax highlighting but we use the .txt extension in order to prevent any accidental running of malicious code.

Required options:

Options:

extract-scriptblocks command example

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Extract PowerShell EID 4104 script block logs to the scriptblock-logs directory:

takajo.exe extract-scriptblocks -t ../hayabusa/timeline.jsonl

extract-scriptblocks screenshot

extract-scriptblocks

HTML Commands

html-report command

Create HTML summary reports for rules and computers with detections. This command first creates an indexed SQLite database file in order to perform fast lookups on the data needed to create the summary reports.

Required options:

Options:

html-report command example

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p verbose

or

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p super-verbose

Create the HTML summary reports:

takajo.exe html-report -t ../hayabusa/hayabusa-results.jsonl -o htmlreport -r ../hayabusa/rules

html-report screenshots

Rule Summary

html-report-rule-summary

Computer Summary

html-report-computer-summary

Rule List

html-report-rule-list

html-server command

Create a dynamic web server to view HTML summary reports. This command first creates an indexed SQLite database file in order to perform fast lookups on the data needed to create the summary reports. It is similar to the html-report command but is more scalable and allows for filtering on dates and rules.

Required options:

Options:

html-report command example

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p verbose

or

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p super-verbose

Start the web server:

takajo.exe html-server -t ../hayabusa/hayabusa-results.jsonl -r ../hayabusa/rules

html-server screenshots

Rules List

html-server-rules-list

Computer Summary

html-server-computer-summary

Rule Filtering

html-server-date-filtering

Rule Filtering

html-server-rule-filtering

List Commands

list-domains command

Creates a list of unique domains to be used with vt-domain-lookup. Currently it will only check queried domains in Sysmon EID 22 logs but will be updated to support built-in Windows DNS Client and Server logs.

Required options:

Options:

list-domains command examples

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Save the results to a text file:

takajo.exe list-domains -t ../hayabusa/timeline.jsonl -o domains.txt

Include subdomains:

takajo.exe list-domains -t ../hayabusa/timeline.jsonl -o domains.txt -s

list-hashes command

Create a list of process hashes to be used with vt-hash-lookup (input: JSONL, profile: standard)

Required options:

Options:

list-hashes command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Save the results to a different text file for each hash type:

takajo.exe list-hashes -t ../hayabusa/timeline.jsonl -o case-1

For example, if MD5, SHA1 and IMPHASH hashes are stored in the sysmon logs, then the following files will be created: case-1-MD5-hashes.txt, case-1-SHA1-hashes.txt, case-1-ImportHashes.txt

list-ip-addresses command

Creates a list of unique target and/or source IP addresses to be used with vt-ip-lookup. It will extract the TgtIP fields for target IP addresses and SrcIP fields for source IP addresses in all results and output just the unique IP addresses to a text file.

Required options:

Options:

list-ip-addresses command examples

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Save the results to a text file:

takajo.exe list-ip-addresses -t ../hayabusa/timeline.jsonl -o ipAddresses.txt

Exclude inbound traffic:

takajo.exe list-ip-addresses -t ../hayabusa/timeline.jsonl -o ipAddresses.txt -i=false

Include private IP addresses:

takajo.exe list-ip-addresses -t ../hayabusa/timeline.jsonl -o ipAddresses.txt -p

list-undetected-evtx command

List up all of the .evtx files that Hayabusa didn't have a detection rule for. This is meant to be used on sample evtx files that all contain evidence of malicious activity such as the sample evtx files in the hayabusa-sample-evtx repository.

Required options:

Options:

list-undetected-evtx command examples

Prepare the CSV timeline with Hayabusa:

hayabusa.exe -d <EVTX-DIR> -p verbose -o timeline.csv -w

Output the results to screen:

takajo.exe list-undetected-evtx -t ../hayabusa/timeline.csv -e <EVTX-DIR>

Save the results to a text file:

takajo.exe list-undetected-evtx -t ../hayabusa/timeline.csv -e <EVTX-DIR> -o undetected-evtx.txt

list-unused-rules command

List up all of the .yml detection rules that did not detect anything. This is useful to help determine the reliablity of rules. That is, which rules are known to find malicious activity and which are still untested and need sample .evtx files.

Required options:

Options:

list-unused-rules command examples

Prepare the CSV timeline with Hayabusa:

hayabusa.exe csv-timeline -d <EVTX-DIR> -p verbose -o timeline.csv -w

Output the results to screen:

takajo.exe list-unused-rules -t ../hayabusa/timeline.csv -r ../hayabusa/rules

Save the results to a text file:

takajo.exe list-unused-rules -t ../hayabusa/timeline.csv -r ../hayabusa/rules -o unused-rules.txt

Split Commands

split-csv-timeline command

Split up a large CSV timeline into smaller ones based on the computer name.

Required options:

Options:

split-csv-timeline command examples

Prepare the CSV timeline with Hayabusa:

hayabusa.exe csv-timeline -d <EVTX-DIR> -o timeline.csv -w

Split the single CSV timeline into multiple CSV timelines in the default output directory:

takajo.exe split-csv-timeline -t ../hayabusa/timeline.csv

Separate field information with newline characters to make multi-line entries and save to the case-1-csv directory:

takajo.exe split-csv-timeline -t ../hayabusa/timeline.csv -m -o case-1-csv

split-json-timeline command

Split up a large JSONL timeline into smaller ones based on the computer name.

Required options:

Options:

split-json-timeline command examples

Prepare the JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Split the single JSONL timeline into multiple JSONL timelines in the default output directory:

takajo.exe split-json-timeline -t ../hayabusa/timeline.jsonl

Save to the case-1-jsonl directory:

takajo.exe split-json-timeline -t ../hayabusa/timeline.jsonl -o case-1-jsonl

Stack Commands

stack-cmdlines command

This command will stack executed command lines by extracting information from Sysmon 1 and Security 4688 events.

Required options:

Options:

stack-cmdlines command examples

Output to terminal:

takajo.exe stack-cmdlines -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-cmdlines -t ../hayabusa/timeline.jsonl -o stack-cmdlines.csv

stack-computers command

This command will stack computer hostnames according to the Computer field.

Required options:

Options:

stack-computers command examples

Output to terminal:

takajo.exe stack-computers -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-computers -t ../hayabusa/timeline.jsonl -o stack-computers.csv

stack-dns command

This command will stack DNS queries and responses from Sysmon 22 events.

Required options:

Options:

stack-dns command examples

Output to terminal:

takajo.exe stack-dns -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-dns -t ../hayabusa/timeline.jsonl -o stack-dns.csv

stack-ip-addresses command

This command will stack the target IP addresses (TgtIP field) or source IP addresses (SrcIP field).

Required options:

Options:

stack-ip-addresses command examples

Output to terminal:

takajo.exe stack-ip-addresses -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-ip-addresses -t ../hayabusa/timeline.jsonl -o stack-ip-addresses.csv

stack-logons command

Creates a list logons according to Target User, Target Computer, Logon Type, Source IP Address, Source Computer. Results are filtered out when the source IP address is a local IP address by default.

Required options:

Options:

stack-logons command examples

Run with default settings:

takajo.exe stack-logons -t ../hayabusa/timeline.jsonl

Include local logons:

takajo.exe stack-logons -t ../hayabusa/timeline.jsonl -l

stack-processes command

This command will stack executed processes from Sysmon 1 and Security 4688 events.

Required options:

Options:

stack-processes command examples

Output to terminal:

takajo.exe stack-processes -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-processes -t ../hayabusa/timeline.jsonl -o stack-processes.csv

stack-services command

This command will stack service names and paths from System 7040 and Security 4697 events.

Required options:

Options:

stack-services command examples

Output to terminal:

takajo.exe stack-services -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-services -t ../hayabusa/timeline.jsonl -o stack-services.csv

stack-tasks command

This command will stack new scheduled tasks from Security 4698 events and parse out the XML task content.

Required options:

Options:

stack-tasks command examples

Output to terminal:

takajo.exe stack-tasks -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-tasks -t ../hayabusa/timeline.jsonl -o stack-tasks.csv

stack-users command

This command will stack the target users (TgtUser field (default)) or source users (SrcUser field) in any event that has those fields as well as show alert information.

Required options:

Options:

stack-users command examples

Output to terminal:

takajo.exe stack-users -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe stack-users -t ../hayabusa/timeline.jsonl -o stack-users.csv

Sysmon Commands

sysmon-process-tree command

Output the process tree of a certain process, such as a suspicious or malicious process.

Required options:

Options:

sysmon-process-tree command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Save the results to a text file:

takajo.exe sysmon-process-tree -t ../hayabusa/timeline.jsonl -p "365ABB72-3D4A-5CEB-0000-0010FA93FD00" -o process-tree.txt

sysmon-process-tree screenshot

sysmon-process-tree

Timeline Commands

timeline-logon command

This command extracts information from the following logon events, normalizes the fields and saves the results to a CSV file:

This makes it easier to detect lateral movement, password guessing/spraying, privilege escalation, etc...

Required options:

Options:

timeline-logon command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Save logon timeline to a CSV file:

takajo.exe timeline-logon -t ../hayabusa/timeline.jsonl -o logon-timeline.csv

timeline-logon screenshot

timeline-logon

timeline-partition-diagnostic command

Creates a CSV timeline of partition diagnostic events by parsing Windows 10 Microsoft-Windows-Partition%4Diagnostic.evtx files and reporting information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed. This process is based on the tool Partition-4DiagnosticParser.

Required options:

Options:

timeline-partition-diagnostic command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Create a CSV timeline of connected devices:

takajo.exe timeline-partition-diagnostic -t ../hayabusa/timeline.jsonl -o partition-diagnostic-timeline.csv

timeline-suspicious-processes command

Create a CSV timeline of suspicious processes.

Required options:

Options:

timeline-suspicious-processes command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w

Search for processes that had an alert level of high or above and output results to screen:

takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl

Search for processes that had an alert level of low or above and output results to screen:

takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl -l low

Save the results to a CSV file:

takajo.exe timeline-suspicious-processes -t ../hayabusa/timeline.jsonl -o suspicous-processes.csv

timeline-suspicious-processes screenshot

timeline-suspicious-processes

timeline-tasks command

This command will stack new scheduled tasks from Security 4698 events and parse out the XML task content.

Required options:

Options:

timeline-tasks command examples

Output to terminal:

takajo.exe timeline-tasks -t ../hayabusa/timeline.jsonl

Save to CSV:

takajo.exe timeline-tasks -t ../hayabusa/timeline.jsonl -o timeline-tasks.csv

TTP Commands

ttp-summary command

This command summarize tactics and techniques found in each computer according to the MITRE ATT&CK TTPs defined in the tags field of the sigma rules.

Required options:

Options:

ttp-summary command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p verbose

Print TTP summary to terminal:

takajo.exe ttp-summary -t ../hayabusa/timeline.jsonl

Save the results to a CSV file:

takajo.exe ttp-summary -t ../hayabusa/timeline.jsonl -o ttp-summary.csv

ttp-summary screenshot

ttp-summary

ttp-visualize command

This command extracts TTPs and create a JSON file to visualize in MITRE ATT&CK Navigator.

Required options:

Options:

ttp-visualize command examples

Prepare JSONL timeline with Hayabusa:

hayabusa.exe json-timeline -d <EVTX-DIR> -L -o timeline.jsonl -w -p verbose

Extract out the TTPs and save to mitre-ttp-heatmap.json:

takajo.exe ttp-visualize -t ../hayabusa/timeline.jsonl

Open https://mitre-attack.github.io/attack-navigator/, click Open Existing Layer and upload the saved JSON file.

ttp-visualize screenshot

ttp-visualize

ttp-visualize-sigma command

This command extracts TTPs from Sigma and create a JSON file to visualize in MITRE ATT&CK Navigator.

Required options:

Options:

ttp-visualize-sigma command examples

Clone the Sigma repository:

git clone https://github.com/SigmaHQ/sigma.git

Extract out the TTPs from Sigma and save to mitre-attack-navigator.json:

takajo.exe ttp-visualize-sigma -r ../sigma

VirusTotal Commands

vt-domain-lookup command

Look up a list of domains on VirusTotal

Required options:

Options:

vt-domain-lookup command examples

First create a list of domains with the list-domains command. Then lookup those domains with the following:

takajo.exe vt-domain-lookup -a <API-KEY> -d domains.txt -o vt-domain-lookup.csv -r 1000 -j vt-domain-lookup.json

vt-hash-lookup command

Look up a list of hashes on VirusTotal.

Required options:

Options:

vt-hash-lookup command examples

takajo.exe vt-hash-lookup -a <API-KEY> -H MD5-hashes.txt -o vt-hash-lookup.csv -r 1000 -j vt-hash-lookup.json

vt-ip-lookup command

Look up a list of IP addresses on VirusTotal.

Required options:

Options:

vt-ip-lookup command examples

takajo.exe vt-ip-lookup -a <API-KEY> -i ipAddresses.txt -o vt-ip-lookup.csv -r 1000 -j vt-ip-lookup.json

Contribution

We would love any form of contribution. Pull requests, rule creation and sample evtx logs are the best but feature requests, notifying us of bugs, etc... are also very welcome.

At the least, if you like our tool then please give us a star on Github and show your support!

Bug Submission

Please submit any bugs you find here. This project is currently actively maintained and we are happy to fix any bugs reported.

If you find any issues (false positives, bugs, etc...) with Hayabusa, please report them to the hayabusa github issues page here.

If you find any issues (false positives, bugs, etc...) with Hayabusa rules, please report them to the hayabusa-rules github issues page here.

If you find any issues (false positives, bugs, etc...) with Sigma rules, please report them to the upstream SigmaHQ github issues page here.

License

Takajō is released under the AGPLv3 license.

Twitter

You can recieve the latest news about Takajō, Hayabusa, rule updates, other Yamato Security tools, etc... by following us on Twitter at @SecurityYamato.