Changelog

Info

This page mirrors the project CHANGELOG.md. See the Releases page for downloads.

2.17.0 [xxxx/xx/xx]

Enhancements:

• Added a command line timeline to the sysmon-process-tree command. (#305) (@fukusuket)

2.16.1 [2026/05/09] - Golden Week Release

Bug Fixes:

• Takajo 2.16.0 was not able to run on Windows platforms due to missing the duckdb DLL. (#303) (@fukusuket)

2.16.0 [2026/04/29] - Showa Day Release

Enhancements:

• Add DuckDB as the default database backend for html-report and html-server commands, with --sqlite flag to use SQLite as a fallback. DuckDB provides 4-24x faster analytical queries and ~7x smaller file sizes. (#298) (@nishikawaakira)
• Support for MITRE ATT&CK v19. (@fukusuket)

2.15.1 [2026/01/31] - Daikanpa Release

Enhancements:

• Improved the metrics-user output so it separates successful logons and failed logons per user. We also added the total number of logons to identify outliers. (#294) (@fukusuket)

2.15.0 [2025/12/20] - Winter Release

New Features:

• Added a convert-flatten-json command for importing JSONL data into Timesketch. (#277) (@fukusuket)

Bug Fixes:

• Fixed a parsing bug in the automagic command. (#278) (@fukusuket)
• Handle missing RecordID in JSON parsing for HTML report and server commands. (#279) (@fukusuket)
• Dates in the html-server was being converted to local time. (#281) (@fukusuket)
• OS information was not included in the computer metrics output with automagic. (#286) (@fukusuket)
• Timeline CSV files had an extra comma in the header which was causing problems when loading. (#282) (@fukusuket)
• Fixed broken links in the html-server command. (#280) (@fukusuket)

2.14.0 [2025/11/15] - CODE BLUE Release

Enhancements:

• Updated the mitre-attack.json output to support MITRE ATT&CK to v18. (#274) (@fukusuket)

2.13.1 [2025/10/20] - Tenshinhan Day Release

Bug Fixes:

• The previous bug fix did not result in correct output if -p super-verbose was not supplied with Hayabusa. (@fukusuket)

2.13.0 [2025/10/18] - Tenshinhan Day Release

Bug Fixes:

• Added input validation to prevent conversion errors. (#271) (@fukusuket)

2.12.0 [2025/10/10] - Binary Day Release

Enhancements:

• html-server command now runs completely offline. (#267) (@nishikawaakira)

Bug Fixes:

• automagic was not properly generating the LogoffTime column. (#269) (@fukusuket)

2.11.0 [2025/08/01] - Blackhat Arsenal Release

Enhancements:

• Improved readability in the html-server report. (#204) (@nishikawaakira)
• Sigma rules are now displayed in the browser if you click on the link. (#257) (@nishikawaakira)
• Added colors to the Computer Summary page in the html-server command. (#201) (@nishikawaakira)
• html-server report now supports sorting of rules by Count, First Date and Last Date. (#199) (@nishikawaakira)
• Detection rule list is linked to the search now for html-server. (#264) (@nishikawaakira)

Bug Fixes:

• The URL link in the result of the vt-ip-lookup command was incorrect. (#259) (@fukusuket)

2.10.0 [2025/05/20] - AUSCERT/SINCON Release

Enhancements:

• MITRE ATT&CK data updated to v17 for ttp-visualize-sigma and ttp-visualize commands. (#247) (@fukusuket)
• You don't need to reanalyze the JSONL timeline when running html-server command multiple times. (#232) (@nishikawaakira)
• Files are now better organized. (#242) (nishikawaakira)

Bug Fixes:

• Fixed broken output in the automagic summary table. (#250) (@fukusuket)

2.9.2 [2025/04/12] - Sakura Release

Enhancements:

• The metrics-computer command computes the uptime more accurately. (#243) (@fukusuket)

Bug Fixes:

• The config files needed for the metrics-computer command were not included so it would fail. (#244) (@fukusuket)

2.9.1 [2025/04/10] - Sakura Release

Bug Fixes:

• The Takajo executable would not be executed unless renamed to takajo.exe. (#240) (@fukusuket)

2.9.0 [2025/04/02] - Vegemite Release

New Features:

• metrics-computers command that extracts out the same info as Hayabusa's computer-metrics command (number of events by computers, OS info, uptime, timezone) (#234) (@fukusuket)
• metrics-users command to create out a summary of users that have logged on to each computer. (#237) (@fukusuket)

Enhancements:

• Graceful exit and warning when Takajo is not run from the unzipped directory. (#230) (@fukusuket)
• Added RDS Gateway Logon events to the timeline-logon command. (#233) (@fukusuket)

2.8.0 [2025/02/22] Ninja Day Release

Enhancements:

• RDP logon and logoff information has been added to the timeline-logon timeline. (#209) (@fukusuket)
• MITRE ATT&CK updated to version 16.1. (#219) (@fukusuket)

Bug Fixes:

• The split-csv-timeline command would create separate timelines for correlation events but now they are properly added to the correct computer timelines. (#211) (@fukusuket)

2.7.1 [2024/10/31] Halloween Release

Bug Fixes:

• The Source IP Address and Source Computer fields for 4624 successful logon events in the logon timeline were backwards. (#208) (@fukusuket)

2.7.0 [2024/10/24] SecTor Release

New Features:

extract-credentials command: extract out plaintext credentials from the command line information in Security 4688 and Sysmon 1 events. Ex: wmic, schtasks, net user, psexec usage. (#192) (@fukusuket) html-server command: create a dynamic server to view the HTML summary reports. (@nishikawaakira)

Enhancements:

• Detection summary for Total Detections and Unique Detections in the Rule Summary page of the HTML report has been consolidated into one table. (#182) (@nishikawaakira)
• Computer summary page was added to the HTML report. (#183) (@nishikawaakira)
• Added a list of detected alerts to the Rule Summary page. (#175) (@nishikawaakira)
• Detection Rule List lists more detailed information. (#176) (@nishikawaakira)

Bug Fixes:

• Invalid JSON line errors would display with the default Hayabusa profile. (#169) (@nishikawaakira)
• Graphs were being aggregated to the first date for each rule. (#191) (@nishikawaakira)

Other:

• License is changed from GPL-3.0 to AGPL-3.0. (@yamatosecurity)

2.6.0 [2024/08/23] HITCON Release

New Features:

• New html-report command to create a HTML summary report. (#165) (@nishikawaakira)

Enhancements:

• Added -f, --failedLogons to the stack-logons command and added stacked failed logon information to the automagic command output. (#152) (@fukusuket)
• Updated MITRE ATT&CK to v15.0. (#155) (@fukusuket)

Bug Fixes:

• Fixed a compile error on macOS due to https://github.com/treeform/puppy/issues/118 . (#158) (@YamatoSecurity)
• Fixed a compile error when using nim 2.0.6. (#162) (@fukusuket)
• Alert level information was not being shown in the timeline-suspicious-processes command. (#167) (@fukusuket)

2.5.0 [2024/03/30] - BSides Tokyo Release

New Features:

• automagic command: automatically executes as many commands as possible and output results to a new folder. (#132) (@fukusuket)
• stack-computers command: stack the Computer (default) or SrcComp fields as well as provide alert information. (#125) (@fukusuket)
• stack-ip-addresses command: stack the SrcIP (default) or TgtIP fields as well as provide alert information. (#129) (@fukusuket)
• stack-users command: stack the TgtUser (default) or SrcUser fields as well as provide alert information. (#130) (@fukusuket)
• You can now specify a directory of .jsonl files to scan. #133 (@hitenkoku)

Enhancements:

• Refactoring to remove duplicate code. (#99) (@fukusuket)
• Processing speed is more than twice as fast by changing the JSON parsing to jsony. (#122) (@fukusuket)
• Added decimal points in large numbers to make them easier to read. (#120) (@fukusuket)

2.4.0 [2024/02/22] - Ninja Day Release

New Features:

• stack-cmdlines command: stack executed command lines. (#94) (@fukusuket)
• stack-dns command: stack DNS requests. (#95) (@fukusuket)
• stack-processes command: stack executed processes. (#93) (@fukusuket)
• stack-tasks command: parse and stack scheduled tasks. (#97) (@fukusuket)
• timeline-tasks command: parse created scheduled task events into a CSV file. (#110) (@fukusuket)
• ttp-visualize-sigma command: extracts out TTPs from sigma rules and puts in a JSON file to upload to MITRE ATT&CK Navigator to visualize in a heatmap. (#92) (@fukusuket)

Enhancements:

• ttp-visualize command: added color gradient to the heatmap. (#90) (@fukusuket)

Bug Fixes:

• split-csv-timeline command failed with Haybuasa 2.13.0 CSV results. (#103) (@fukusuket)

2.3.1 [2024/01/27] - Year Of The Dragon Release

Enhancements:

• In the ttp-visualize command, the name of the rule that detected the technique will now be shown in the comment when hovering over the technique in MITRE ATT&CK Navigator. (#82) (@fukusuket)
• Added rule titles to the ttp-summary command output. (#83) (@fukusuket)

Bug Fixes:

• The CSV file would not be saved in the timeline-suspicious-process command if either the number of Security 4688 or Sysmon 1 events was zero while having events in the other format. (#86) (@YamatoSecurity)

2.3.0 [2023/12/23] - SECCON Christmas Release

New Features:

• Added the ttp-visualize command to extract TTPs and create a JSON file to visualize in ATT&CK Navigator. (#76) (@fukusuket)
• Added the ttp-summary command to summarize tactics and techniques found in each computer. (#78) (@fukusuket)

Bug Fixes:

• Fixed a display error (mojibake) in the timeline-partition-diagnostic command. (#74) (@fukusuket)

2.2.0 [2023/12/03] - Nasi Lemak Release

New Features:

• Added timeline-partition-diagnostic command to parse the Windows 10 Microsoft-Windows-Partition%4Diagnostic.evtx log file and report information about all the connected devices and their Volume Serial Numbers, both currently present on the device and previously existed. (Based on https://github.com/theAtropos4n6/Partition-4DiagnosticParser) (#70) (@fukusuket)

Enhancements:

• Improved the display of the progress bar in the vt-lookup command. (#68) (@fukusuket)

Bug Fixes:

• Fixed an unhandled exception bug when key is not found. (#65) (@fukusuket)
• Newline handling was not done properly in extract-scriptblocks command for JSON input. (#71) (@fukusuket)

2.1.0 [2023/10/31] - Halloween Release

New Features:

• New extract-scriptblocks command to reassemble PowerShell EID 4104 ScriptBlock logs. (#47) (@fukusuket)

Enhancements:

• Takajo now compiles with Nim 2.0.0. (#31) (@fukusuket)
• Replaced HTTP with Puppy to reduce external dependencies. (#33) (@fukusuket)
• Made VirusTotal lookups multi-threaded to increase performance. (#33) (@fukusuket)
• Added file existence checks when specifying the timeline. (@fukusuket)
• Added a warning when the timeline is not in JSONL format. (#43) (@fukusuket)
• Output root process information in the sysmon-process-tree command. Processes are now sorted by timestamp. (#54) (@fukusuket)

Bug Fixes*:

• timeline-suspicious-processes would crash when Hayabusa results from version 2.8.0+ was used. (#35) (@fukusuket)
• Fixed a JSON parsing error in VirusTotal lookups when an invalid API key was specified. (@fukusuket)
• Fixed a bug in sysmon-process-tree in which process information would sometimes be outputted twice. (#52) (@fukusuket)
• timeline-suspicious-processes was not correctly outputting ParentPGUID field. Improved PID decimal conversion. (#50) (@fukusuket)
• Fixed an error when the specified PGUID was invalid or does not exist in the JSONL timeline. (#53) (@fukusuket)

2.0.0 [2022/08/03] - SANS DFIR Summit 2023 Release

New Features:

• list-domains: create a list of unique domains. (@YamatoSecurity)
• list-hashes: create a list of process hashes to be used with vt-hash-lookup. (@YamatoSecurity)
• list-ip-addresses: create a list of unique target and/or source IP addresses. (@YamatoSecurity)
• split-csv-timeline: split up a large CSV file into smaller ones based on the computer name. (@YamatoSecurity)
• split-json-timeline: split up a large JSONL timeline into smaller ones based on the computer name. (@fukusuket)
• stack-logons: stack logons by target user, target computer, source IP address and source computer. (@YamatoSecurity)
• sysmon-process-tree: output the process tree of a certain process. (@hitenkoku)
• timeline-logon: create a CSV timeline of logon events. (@YamatoSecurity)
• timeline-suspicious-processes: create a CSV timeline of suspicious processes. (@YamatoSecurity)
• vt-domain-lookup: look up a list of domains on VirusTotal. (@YamatoSecurity)
• vt-hash-lookup: look up a list of hashes on VirusTotal. (@YamatoSecurity)
• vt-ip-lookup: look up a list of IP addresses on VirusTotal. (@YamatoSecurity)

v1.0.0 [2022/10/28] - Code Blue 2022 Bluebox Release

New Features:

• list-undetected-evtx-files: List up all of the .evtx files that Hayabusa didn't have a detection rule for. (#4) (@hitenkoku)
• list-unused-rules: List up all of the .yml detection rules that were not used. (#4) (@hitenkoku)
• Added Logo. If you want to hide the logo, use the -q, --quiet option. (#12) (@YamatoSecurity @hitenkoku)
• Added result output option. (-o, --output ) (#11) (@hitenkoku)