[Takajo] (https://github.com/Yamato-Security/takajo ) is a fast forensics analyzer for Hayabusa results written in Nim. Takajō means “Falconer” in Japanese and was chosen as it analyzes Hayabusa’s “catches” (results).
First, it will call Exchange.Windows.EventLogs.Hayabusa to execute the following commandline to create the hayabusa_results.jsonl: “hayabusa.exe json-timeline -d
name: Exchange.Windows.EventLogs.Hayabusa.Takajo
description: |
[Takajo] (https://github.com/Yamato-Security/takajo) is a fast forensics analyzer
for Hayabusa results written in Nim. Takajō means "Falconer" in Japanese
and was chosen as it analyzes Hayabusa's "catches" (results).
First, it will call Exchange.Windows.EventLogs.Hayabusa to execute the following commandline to create the hayabusa_results.jsonl: "hayabusa.exe json-timeline -d <EVTX-DIR> -L -o hayabusa_results.jsonl -w -p verbose"
Then, it will be launched Takajo with "automagic" option: which executes as many commands as possible and output results to a "case-0" folder and will upload all the content with the following commandline: "takajo.exe automagic -t hayabusa_tempdir/ -o case-0 "
All the output results will be uploaded.
author: Eric Capuano - @eric_capuano, Whitney Champion - @shortxstack, Zach Mathis - @yamatosecurity
tools:
- name: Hayabusa-2.14.0
url: https://github.com/Yamato-Security/hayabusa/releases/download/v2.14.0/hayabusa-2.14.0-win-x64.zip
expected_hash: de8abff4f6ed35f28e1e2897659e4f7adcca13ef84d2764afa786ca3f60224ec
- name: Takajo-2.5.0
url: https://github.com/Yamato-Security/takajo/releases/download/v2.5.0/takajo-2.5.0-win.zip
expected_hash: bba76ce84484c53145f7df368560cfeae267729df9c404e570ee7fb544c86b01
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: EvtxDirectory
description: "Directory of .evtx files"
default: C:/Windows/System32/winevt/Logs
sources:
- name: Upload
query: |
-- Fetch the binary
LET ToolzipHB <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="Hayabusa-2.14.0", IsExecutable=FALSE)
LET TmpDirHB <= tempdir()
-- Unzip the binary
LET _ <= SELECT *
FROM unzip(filename=ToolzipHB.FullPath, output_directory=TmpDirHB)
LET HayabusaExe <= TmpDirHB + '\\hayabusa-2.14.0-win-x64.exe'
LET HayabusaCmd <= "json-timeline"
LET ResultFileHB <= TmpDirHB + '\\hayabusa_results.jsonl'
-- Build the command line considering all options
-- If it does not match if(condition...), it returns Null, so remove Null with filter(....regex=".+")
LET cmdlineHB <= filter(list=(
HayabusaExe, HayabusaCmd,
"-d", EvtxDirectory,
"-L",
"-o", ResultFileHB,
"-w",
"-p", "verbose",
), regex=".+")
-- Run the tool and divert messages to logs.
LET ExecHB <= SELECT *
FROM execve(argv=cmdlineHB, sep="\n", length=9999999)
WHERE log(message=Stdout)
-- Fetch the binary
LET ToolzipTK <= SELECT FullPath
FROM Artifact.Generic.Utils.FetchBinary(ToolName="Takajo-2.5.0", IsExecutable=FALSE)
-- Unzip the binary
LET _ <= SELECT *
FROM unzip(filename=ToolzipTK.FullPath, output_directory=TmpDirHB)
LET TakajoExe <= TmpDirHB + '\\takajo.exe'
LET TakajoCmd <= "automagic"
LET ResultFileTK <= TmpDirHB + '\\case-0\\'
-- Build the command line considering all options
-- If it does not match if(condition...), it returns Null, so remove Null with filter(....regex=".+")
LET cmdlineTK <= filter(list=(
TakajoExe, TakajoCmd,
"-q",
"-s",
"-t", TmpDirHB,
"-o", ResultFileTK,
), regex=".+")
-- Run the tool and divert messages to logs.
LET ExecTK <= SELECT *
FROM execve(argv=cmdlineTK, sep="\n", length=99999999)
WHERE log(message=Stdout)
-- Upload the results folder.
SELECT upload(file=OSPath, accessor=directory) AS Uploads FROM glob(globs="*\**", root=ResultFileTK)