New config-critical-systems command #1570

@YamatoSecurity

It is cumbersome to manually try to find critical systems to put in config/critical_systems.txt so it would be nice to automate this.
I think we can do this by checking for Security 4768 (Kerberos TGT requested) events to determine if it is a domain controller and checking for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server.

hayabusa.exe config-critical-systems <INPUT>

Display Settings:
  -K, --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file

Example:

hayabusa.exe config-critical-systems -d ../hayabusa-sample-evtx

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Elevating Windows DFIR to new heights~

This command tries to find critical systems like domain controllers and file servers by checking for logs that should only exist in those systems. 
It will search for Security 4768 (Kerberos TGT requested) events to determine if it is a domain controller.
It will search for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server.

Warning: the config/critical_systems.txt file is not empty. Would you like to erase the contents first? (Y/n):   (<red>)

Start time: 2025/02/12 08:32
Total event log files: 598
Total file size: 139.2 MB

Scanning in progress. Please wait.

<progress bar>

Scanning finished.

Domain controllers found ( 3 ):
DC1
DC2
DC3

Would you like to add them to the config/critical_systems.txt file? (Y/n): 

File servers found ( 2 ):
FS1
FS2

Would you like to add them to the config/critical_systems.txt file? (Y/n): 

or if no DCs or FS were found:

Scanning finished.

No domain controllers found. (<red>)

No file servers found. (<red>)

@fukusuket Could I ask you to do this one?
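One way to implement the classification rule described in this issue, written here as an added Rust example rather than Hayabusa's own code; the `SecurityEvent` struct, the host names and the event records are constructed stand-ins for what the .evtx parser would yield, and the output format mirrors the mock-up above:

```rust
use std::collections::BTreeSet;

/// Minimal view of one parsed Security event: the host that wrote it and its EventID.
/// Constructed stand-in for the fields read from each .evtx record.
#[derive(Debug, Clone)]
pub struct SecurityEvent {
    pub computer: String,
    pub event_id: u32,
}

/// Hosts classified by the rule in the issue:
/// 4768 (Kerberos TGT requested)                => domain controller
/// 5140 / 5145 (network share / share file access) => file server
#[derive(Debug, Default, PartialEq)]
pub struct CriticalSystems {
    pub domain_controllers: BTreeSet<String>,
    pub file_servers: BTreeSet<String>,
}

pub fn classify(events: &[SecurityEvent]) -> CriticalSystems {
    let mut out = CriticalSystems::default();
    for ev in events {
        match ev.event_id {
            4768 => { out.domain_controllers.insert(ev.computer.clone()); }
            5140 | 5145 => { out.file_servers.insert(ev.computer.clone()); }
            _ => {} // every other EventID carries no classification signal
        }
    }
    out
}

/// Lines to append to config/critical_systems.txt: one host per line, deduplicated
/// and sorted, so a host that appears in both lists is written only once.
pub fn critical_systems_lines(cs: &CriticalSystems) -> Vec<String> {
    let merged: BTreeSet<&String> = cs.domain_controllers.iter().chain(cs.file_servers.iter()).collect();
    merged.into_iter().cloned().collect()
}

/// Constructed sample records (not real log data).
pub fn sample_events() -> Vec<SecurityEvent> {
    let mk = |c: &str, id: u32| SecurityEvent { computer: c.to_string(), event_id: id };
    vec![
        mk("DC1.example.local", 4768),
        mk("DC1.example.local", 4768), // same host twice: counted once
        mk("FS1.example.local", 5140),
        mk("FS1.example.local", 5145),
        mk("WS01.example.local", 4624), // logon event: ignored
        mk("DC2.example.local", 4768),
        mk("DC2.example.local", 5145), // DC whose SYSVOL share was accessed: lands in both lists
    ]
}
```

Share-access events are also written by any host whose administrative shares are accessed, so the file-server list is a heuristic worth reviewing before it is written to config/critical_systems.txt.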
