@fukusuket
Collaborator

@fukusuket fukusuket commented Feb 15, 2025

What Changed

Evidence

Integration-Test

https://github.com/Yamato-Security/hayabusa/actions/runs/13343546597

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket added the enhancement New feature or request label Feb 15, 2025
@fukusuket fukusuket added this to the 3.1 (2025/2/22 Ninja Day) milestone Feb 15, 2025
@fukusuket fukusuket self-assigned this Feb 15, 2025
@fukusuket
Collaborator Author

help

./hayabusa config-critical-systems -h
Hayabusa v3.1.0 - Dev Build
Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)

Usage:
  hayabusa.exe config-critical-systems <INPUT> [OPTIONS]

Input:
  -d, --directory <DIR>  Directory of multiple .evtx files
  -f, --file <FILE>      File path to one .evtx file

Display Settings:
  -K, --no-color  Disable color output
  -q, --quiet     Quiet mode: do not display the launch banner

General Options:
  -h, --help  Show the help menu

@fukusuket
Collaborator Author

fukusuket commented Feb 15, 2025

when config/critical_systems.txt does not exist

./hayabusa config-critical-systems -d ../hayabusa-sample-evtx

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Finding needles in the hay stack~

This command tries to find critical systems like domain controllers and file servers by checking for logs that should only exist in those systems.
It will search for Security 4768 (Kerberos TGT requested) events to determine if it is a domain controller.
It will search for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server.

Start time: 2025/02/15 17:58
Total event log files: 598
Total file size: 139.2 MB

[00:00:00] 248 / 248   [========================================] 100%

Scanning finished.

DomainController found (3):
01566s-win16-ir.threebeesco.com
DC-Server-1.labcorp.local
rootdc1.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):
y
Added to the config/critical_systems.txt file.

FileServer found (10):
01566s-win16-ir.threebeesco.com
FS03.offsec.lan
IEWIN7
PC01.example.corp
WIN-77LTAPHIQ1R.example.corp
fs01.offsec.lan
fs02.offsec.lan
fs03vuln.offsec.lan
rootdc1.offsec.lan
srvdefender01.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):
y
Added to the config/critical_systems.txt file.

塞翁失馬 - Sai Ou Shitsu Ba - The old man lost his horse. (A blessing in disguise.)

@fukusuket
Collaborator Author

fukusuket commented Feb 15, 2025

when config/critical_systems.txt exists

% ./hayabusa config-critical-systems -d ../hayabusa-sample-evtx

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

As fast as a peregrine falcon~

This command tries to find critical systems like domain controllers and file servers by checking for logs that should only exist in those systems.
It will search for Security 4768 (Kerberos TGT requested) events to determine if it is a domain controller.
It will search for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server.

Warning: the config/critical_systems.txt file is not empty. Would you like to erase the contents first? (Y/n):
Y

Start time: 2025/02/15 17:59
Total event log files: 598
Total file size: 139.2 MB

[00:00:00] 248 / 248   [========================================] 100%

Scanning finished.

DomainController found (3):
01566s-win16-ir.threebeesco.com
DC-Server-1.labcorp.local
rootdc1.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):
Y
Added to the config/critical_systems.txt file.

FileServer found (10):
01566s-win16-ir.threebeesco.com
FS03.offsec.lan
IEWIN7
PC01.example.corp
WIN-77LTAPHIQ1R.example.corp
fs01.offsec.lan
fs02.offsec.lan
fs03vuln.offsec.lan
rootdc1.offsec.lan
srvdefender01.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):
Y
Added to the config/critical_systems.txt file.

笑いは心の薬 - Warai Wa Kokoro No Kusuri - Laughter is medicine for the soul.

fukusuke@fukusukenoAir hayabusa-3.1.0-mac-aarch64 % less ./config/critical_systems.txt
fukusuke@fukusukenoAir hayabusa-3.1.0-mac-aarch64 %
fukusuke@fukusukenoAir hayabusa-3.1.0-mac-aarch64 % cat ./config/critical_systems.txt
01566s-win16-ir.threebeesco.com
DC-Server-1.labcorp.local
rootdc1.offsec.lan
01566s-win16-ir.threebeesco.com
FS03.offsec.lan
IEWIN7
PC01.example.corp
WIN-77LTAPHIQ1R.example.corp
fs01.offsec.lan
fs02.offsec.lan
fs03vuln.offsec.lan
rootdc1.offsec.lan
srvdefender01.offsec.lan

@fukusuket
Collaborator Author

fukusuket commented Feb 15, 2025

csv-timeline

after config-critical-systems execution

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -q -o timeline.csv -C
Start time: 2025/02/15 18:00
Total event log files: 598
Total file size: 139.2 MB

Loading detection rules. Please wait.

Excluded rules: 27
Noisy rules: 12 (Disabled)

Deprecated rules: 215 (4.95%) (Disabled)
Experimental rules: 229 (5.28%)
Stable rules: 242 (5.58%)
Test rules: 3,869 (89.15%)
Unsupported rules: 42 (0.97%) (Disabled)

Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)

Expand rules: 0 (0.00%)
Enabled expand rules: 0 (0.00%)

Hayabusa rules: 176
Sigma rules: 4,164
Total detection rules: 4,340

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 585
Detection rules enabled after channel filter: 4,263

Output profile: standard

Scanning in progress. Please wait.

[00:00:05] 585 / 585   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

Rule Authors:

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (180)                 Nasreddine Bencherchali (123)     Zach Mathis (110)                 oscd.community (108)            │
│ frack113 (91)                      Tim Shelton (33)                  Daniil Yugoslavskiy (23)          Jonhnathan Ribeiro (22)         │
│ Teymur Kheirkhabarov (21)          Thomas Patzke (20)                Christian Burkard (17)            Markus Neis (16)                │
│ Roberto Rodriguez @Cyb3r... (14)   Timur Zinniatullin (14)           E.M. Anhaus (12)                  Elastic (12)                    │
│ Roberto Rodriguez (12)             Tim Rauch (12)                    Michael Haag (11)                 Samir Bousseaden (11)           │
│ Swachchhanda Shrawan Poudel (10)   OTR (8)                           Victor Sergeev (8)                Natalia Shornikova (7)          │
│ Endgame) (7)                       Endgame (6)                       X__Junior (6)                     David ANDRE (6)                 │
│ JHasenbusch (6)                    Ecco (6)                          Arnim Rupp (5)                    Sander Wiebing (5)              │
│ omkar72 (5)                        Andreas Hunkeler (4)              Max Altgelt (4)                   Gleb Sukhodolskiy (4)           │
│ @neu5ron (4)                       Tobias Michalski (4)              elhoim (3)                        Eric Conrad (3)                 │
│ FPT.EagleEye Team (3)              Yusuke Matsui (3)                 juju4 (3)                         Janantha Marasinghe (3)         │
│ Christopher Peacock @sec... (3)    FPT.EagleEye (3)                  Hieu Tran (3)                     Ilyas Ochkov (3)                │
│ Vasiliy Burov (3)                  Austin Songer @austinsonger (3)   Nikita Nazarov (3)                James Pemberton@4A616D6573 (3)  │
│ pH-T (3)                           Daniel Bohannon (3)               Wojciech Lesicki (3)              @twjackomo (3)                  │
│ Anton Kutepov (3)                  wagga (3)                         Fukusuke Takahashi (3)            Relativity (2)                  │
│ Perez Diego (2)                    Yassine Oukessou (2)              SOC Prime (2)                     @SBousseaden (2)                │
│ Modexp (2)                         @2xxeformyshirt (2)               Aleksey Potapov (2)               Romaissa Adjailia (2)           │
│ Sean Metcalf (2)                   Sreeman (2)                       Karneades (2)                     Cyb3rEng (2)                    │
│ James Pemberton@4A616D65... (2)    Tony Lambert) (2)                 Jordan Lloyd (2)                  Darkrael (2)                    │
│ Justin C. (2)                      SCYTHE @scythe_io (2)             Dimitrios Slamaris (2)            Jakob Weinzettl (2)             │
│ Zach Stanford @svch0st (2)         Alexandr Yampolskyi (2)           Nik Seetharaman (2)               Chakib Gzenayi (2)              │
│ Mark Woan (2)                      Tom Ueltschi (2)                  Bartlomiej Czyz (2)               Oleg Kolesnikov @securon... (2) │
│ D3F7A5105 (2)                      Tony Lambert (2)                  Hosni Mribah (2)                  keepwatch (2)                   │
│ @dreadphones (2)                   Vadim Khrykov (2)                 Mark Russinovich (2)              Tom U. @c_APT_ure (1)           │
│ Swisscom CSIRT (1)                 Timon Hackenjos (1)               SCYTHE (1)                        @kostastsale (1)                │
│ Jason Lynch (1)                    David Burkett (1)                 KevTheHermit (1)                  Alec Costello (1)               │
│ Jose Rodriguez (1)                 Trent Liffick (1)                 CD_ROM_ (1)                       Georg Lauenstein (1)            │
│ Stamatis Chatzimangou (1)          Matthew Green @mgreen27 (1)       SBousseaden (1)                   MalGamy (1)                     │
│ Semanur Guneysu @semanurtg (1)     @juju4 (1)                        @scythe_io (1)                    John Lambert (1)                │
│ Dmitriy Lifanov (1)                Bartlomiej Czyz @bczyz1 (1)       Margaritis Dimitrios (1)          rukawa (1)                      │
│ alias support) (1)                 j4son (1)                         Center for Threat Inform... (1)   Christopher Peacock @Sec... (1) │
│ Julia Fomina (1)                   Andreas Braathen (1)              Furkan CALISKAN (1)               Sherif Eldeeb (1)               │
│ James Pemberton @4A616D6573 (1)    NVISO (1)                         Ahmed Farouk (1)                  Joseliyo Sanchez (1)            │
│ Mangatas Tondang (1)               mdecrevoisier (1)                 Fatih Sirin (1)                   Matt Anderson (1)               │
│ Pushkarev Dmitry (1)               Ali Alwashali (1)                 Anish Bogati (1)                  Tuan Le (1)                     │
│ Benjamin Delpy (1)                 Cedric MAURUGEON (1)              Maxime Thiebaut (1)               Chad Hudson (1)                 │
│ Nextron Systems (1)                Oddvar Moe (1)                    Tom Kern (1)                      Jack Croock (1)                 │
│ Maxence Fossat (1)                 Markus Neis @Karneades (1)        fuzzyf10w (1)                     Dominik Schaudel (1)            │
│ Sorina Ionescu (1)                 Bhabesh Raj (1)                   Harish Segar (1)                  @signalblur (1)                 │
│ @gott_cyber (1)                    The DFIR Report (1)               Open Threat Research (1)          James Dickenson (1)             │
│ David Strassegger (1)              Daniel Koifman (1)                vburov (1)                        @Joseliyo_Jstnk (1)             │
│ @atc_project (1)                   Kutepov Anton (1)                 EagleEye Team (1)                 Omer Faruk Celik (1)            │
│ Joshua Wright (1)                  @caliskanfurkan_ (1)              Ivan Dyachkov (1)                 Zaw Min Htun (1)                │
│ Stephen Lincoln `@slinco... (1)    @svch0st (1)                      Dave Kennedy (1)                  Mustafa Kaan Demir (1)          │
│ Austin Songer (1)                  Subhash Popuri (1)                blueteam0ps (1)                   Jeff Warren (1)                 │
│ Maxim Pavlunin (1)                 Scott Dermott (1)                 Sami Ruohonen (1)                 Dan Beavin) (1)                 │
│ Teymur Kheirkhabarov @He... (1)    @oscd_initiative (1)              Josh Nickels (1)                                                  │
╰──────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╌─────────────────────────────────╯

Results Summary:

Events with hits / Total events: 19,827 / 46,495 (Data reduction: 26,668 events (57.36%))

Total | Unique detections: 32,392 | 671
Total | Unique emergency detections: 10 (0.03%) | 4 (0.00%)
Total | Unique critical detections: 1,323 (4.08%) | 110 (8.94%)
Total | Unique high detections: 5,345 (16.50%) | 252 (9.54%)
Total | Unique medium detections: 2,401 (7.41%) | 181 (26.97%)
Total | Unique low detections: 5,017 (15.49%) | 64 (37.56%)
Total | Unique informational detections: 18,296 (56.48%) | 60 (16.39%)

Dates with most total detections:
emergency: 2020-08-02 (3), critical: 2021-11-03 (794), high: 2016-09-20 (3,650), medium: 2021-11-03 (733), low: 2016-09-20 (3,708), informational: 2016-08-19 (2,115),

Top 5 computers with most unique detections:
emergency: srvdefender01.offsec.lan (2), FS03.offsec.lan (1), rootdc1.offsec.lan (1), IEWIN7 (1), fs03vuln.offsec.lan (1)
critical: IEWIN7 (61), FS03.offsec.lan (26), fs03vuln.offsec.lan (23), rootdc1.offsec.lan (15), srvdefender01.offsec.lan (13)
high: MSEDGEWIN10 (102), IEWIN7 (58), FS03.offsec.lan (28), fs03vuln.offsec.lan (24), IE10Win7 (23)
medium: MSEDGEWIN10 (91), FS03.offsec.lan (21), IEWIN7 (21), fs03vuln.offsec.lan (17), IE10Win7 (16)
low: MSEDGEWIN10 (38), IE10Win7 (12), LAPTOP-JU4M3I0E (9), jump01.offsec.lan (8), win10-02.offsec.lan (7)
informational: IEWIN7 (18), MSEDGEWIN10 (17), PC01.example.corp (15), FS03.offsec.lan (14), IE8Win7 (14)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top emergency alerts:                                       Top critical alerts:                             │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Active Directory Replication from Non Machine Account (3)   Suspicious Service Path (246)                    │
│ Potential SystemNightmare Exploitation Attempt (2)          PowerShell Scripts Installed as Services (244)   │
│ HackTool - Mimikatz Kirbi File Creation (1)                 Suspicious Service Installation Script (244)     │
│ Sticky Key Like Backdoor Execution (1)                      Malicious PowerShell Scripts - PoshModule (64)   │
│ Malicious Named Pipe Created (1)                            Suspicious Service Name (62)                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top high alerts:                                            Top medium alerts:                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Metasploit SMB Authentication (3,561)                       Possible LOLBIN (611)                            │
│ Proc Injection (100)                                        Non Interactive PowerShell Process Spawned (261) │
│ Remote Thread Creation Via PowerShell (93)                  Potentially Malicious PwSh (171)                 │
│ Remote Thread Creation In Uncommon Target Image (93)        Proc Access (91)                                 │
│ Log File Cleared (87)                                       User with Privileges Logon (80)                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top low alerts:                                             Top informational alerts:                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon Failure (Wrong Password) (3,575)                      Proc Exec (11,173)                               │
│ Possible LOLBIN (807)                                       NetShare File Access (2,558)                     │
│ User with Privileges Logon (99)                             PwSh Scriptblock (789)                           │
│ CMD Shell Output Redirect (84)                              PwSh Pipeline Exec (680)                         │
│ DLL Loaded (Sysmon Alert) (71)                              NetShare Access (403)                            │
╰───────────────────────────────────────────────────────────╌──────────────────────────────────────────────────╯

Saved file: timeline.csv (33.2 MB)

Elapsed time: 00:00:06.702

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

@fukusuket fukusuket marked this pull request as ready for review February 15, 2025 09:01
@YamatoSecurity
Collaborator

@fukusuket Looking good! Thanks so much!
One small thing, it seems that the hostname will be added twice if it is detected as both a DC and FS. For example, rootdc1.offsec.lan in this case. Is it possible to check to see if the host already exists in the file and if so, do not add it twice?

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you for checking! I fixed it! Could you check it?🙏

@YamatoSecurity
Collaborator

@fukusuket Sorry, small issue. Can you require either the -d or -f flag so we get an error when no options are specified, similar to the csv-timeline command?

./target/release/hayabusa config-critical-systems

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Elevating Windows DFIR to new heights~

This command tries to find critical systems like domain controllers and file servers by checking for logs that should only exist in those systems.
It will search for Security 4768 (Kerberos TGT requested) events to determine if it is a domain controller.
It will search for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server.

Start time: 2025/02/15 21:33
塞翁失馬 - Sai Ou Shitsu Ba - The old man lost his horse. (A blessing in disguise.)

hayabusa % ./target/release/hayabusa csv-timeline
error: the following required arguments were not provided:
  <--directory <DIR>|--file <FILE>|--live-analysis>

Usage: hayabusa csv-timeline <--directory <DIR>|--file <FILE>|--live-analysis>

For more information, try '--help'.

Collaborator

@YamatoSecurity YamatoSecurity left a comment

Hmm... It seems like it does not save the file now.

DomainController found (3):
01566s-win16-ir.threebeesco.com
DC-Server-1.labcorp.local
rootdc1.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):

FileServer found (10):
01566s-win16-ir.threebeesco.com
FS03.offsec.lan
IEWIN7
PC01.example.corp
WIN-77LTAPHIQ1R.example.corp
fs01.offsec.lan
fs02.offsec.lan
fs03vuln.offsec.lan
rootdc1.offsec.lan
srvdefender01.offsec.lan

Would you like to add them to the config/critical_systems.txt file? (Y/n):

千里の道も一歩から - Senri No Michi Mo Ippo Kara - A journey of a thousand miles begins with a single step.

 hayabusa % cat config/critical_systems.txt
 hayabusa %

Also, can you change DomainController found to Domain Controllers found and FileServer found to File Servers found?

@YamatoSecurity
Collaborator

I thought it might be because I was running ./target/release/hayabusa, but when I copied it to root and ran ./hayabusa-test config-critical-systems -d ../hayabusa-sample-evtx it still does not save the information.

@YamatoSecurity
Collaborator

One more thing, it looks a little weird after the Would you like to add them to the config/critical_systems.txt file? (Y/n): line because it goes to a new line. Can you have the user input on the same line? Or, preferably, use the same way as our scan wizard?

@YamatoSecurity
Collaborator

Can you add the message Any hostnames added to the critical_systems.txt file will have all alerts above low increased by one level with a maximum of emergency level. after It will search for Security 5140 (Network Share Access) or 5145 (Network Share File Access) events to determine if it is a file server. ?

@fukusuket
Collaborator Author

@YamatoSecurity
Thank you for checking! I fixed it! Could you check it?🙏

@YamatoSecurity
Collaborator

@fukusuket The UI is looking great now!
Just one thing, can you make a 1 line space after No DomainController found. and No FileServer found.?
And make the red color of No DomainController found. the same as Warning: the config/critical_systems.txt file is not empty. Would you like to erase the contents first?. It is a little hard to read on my screen.

Running against some test data, I found some false positives using the EID 5140 event so I think we should just determine it based on EID 5145. Could you remove the checking of EID 5140?
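
As an added example (not Hayabusa's own code, which is Rust and not shown in this thread), the script below models the three behaviours discussed across the comments above: the command's heuristic of tagging a host as a domain controller on Security 4768 and as a file server on Security 5145 only (5140 dropped, as requested in the comment just above), the duplicate-hostname check requested earlier for hosts that are both a DC and a file server, and the severity bump described in the message "all alerts above low increased by one level with a maximum of emergency level". The event tuples, file layout, and every function name here are constructed assumptions for illustration.

```python
"""Toy model of the config-critical-systems behaviour discussed in this PR.

Added example, not Hayabusa's own (Rust) code. Event records, file layout
and function names are constructed assumptions.
"""
import tempfile
from pathlib import Path

# Constructed sample events as (Computer, Channel, EventID); not real logs.
SAMPLE_EVENTS = [
    ("rootdc1.offsec.lan", "Security", 4768),        # Kerberos TGT requested -> DC
    ("DC-Server-1.labcorp.local", "Security", 4768),
    ("rootdc1.offsec.lan", "Security", 5145),        # the DC also serves shares
    ("FS03.offsec.lan", "Security", 5145),           # network share file access -> FS
    ("fs01.offsec.lan", "Security", 5145),
    ("fs02.offsec.lan", "Security", 5140),           # 5140 alone no longer counts
    ("win10-02.offsec.lan", "Security", 4624),       # ordinary logon, irrelevant
    ("IEWIN7", "Microsoft-Windows-Sysmon/Operational", 5145),  # wrong channel
]

DC_EVENT_IDS = {4768}   # Security 4768: Kerberos TGT requested
FS_EVENT_IDS = {5145}   # Security 5145 only; 5140 dropped for false positives

# Hayabusa severity ladder, lowest first.
SEVERITY = ["informational", "low", "medium", "high", "critical", "emergency"]


def classify_hosts(events):
    """Return (domain_controllers, file_servers) as sorted, de-duplicated lists."""
    dcs, fss = set(), set()
    for computer, channel, event_id in events:
        if channel != "Security":
            continue
        if event_id in DC_EVENT_IDS:
            dcs.add(computer)
        elif event_id in FS_EVENT_IDS:
            fss.add(computer)
    return sorted(dcs), sorted(fss)


def merge_hostnames(existing, new):
    """Append hostnames from `new` that are not already present.

    Returns (merged, added). Duplicates already in `existing` are collapsed
    too, so a file written by an older build is cleaned on the next run.
    Matching is exact; case-folding would be a separate design decision.
    """
    seen, merged, added = set(), [], []
    for host in existing:
        if host and host not in seen:
            seen.add(host)
            merged.append(host)
    for host in new:
        if host and host not in seen:
            seen.add(host)
            merged.append(host)
            added.append(host)
    return merged, added


def update_critical_systems_file(path, new_hosts, erase_first=False):
    """Write `new_hosts` into the file without duplicates; return those added."""
    existing = []
    if path.exists() and not erase_first:
        existing = [ln.strip() for ln in path.read_text(encoding="utf-8").splitlines()]
    merged, added = merge_hostnames(existing, new_hosts)
    path.write_text("".join(h + "\n" for h in merged), encoding="utf-8")
    return added


def bump_severity(level, computer, critical_hosts):
    """Raise alerts above 'low' by one level on critical hosts, capped at emergency."""
    if computer not in critical_hosts:
        return level
    idx = SEVERITY.index(level)
    if idx <= SEVERITY.index("low"):
        return level
    return SEVERITY[min(idx + 1, len(SEVERITY) - 1)]


def run_demo(workdir=None):
    """Classify the sample events and write the config file twice (DCs, then FSs)."""
    cfg = Path(workdir or tempfile.mkdtemp()) / "critical_systems.txt"
    dcs, fss = classify_hosts(SAMPLE_EVENTS)
    added_dc = update_critical_systems_file(cfg, dcs, erase_first=True)
    added_fs = update_critical_systems_file(cfg, fss)  # overlap with DCs is skipped
    return cfg.read_text(encoding="utf-8").splitlines(), added_dc, added_fs


if __name__ == "__main__":
    lines, added_dc, added_fs = run_demo()
    print("Domain Controllers found:", added_dc)
    print("File Servers found (new):", added_fs)
    print("critical_systems.txt:", lines)
    crit = set(lines)
    for level in SEVERITY:
        print(f"{level:>13} on rootdc1.offsec.lan -> {bump_severity(level, 'rootdc1.offsec.lan', crit)}")
```

The `erase_first` flag stands in for the "erase the contents first?" prompt shown in the earlier output; the second write reuses the file and skips rootdc1.offsec.lan because it is already listed as a DC. Hostnames are compared exactly, so a host logged under two capitalisations would still appear twice; whether to case-fold is a choice the real command would have to make explicitly.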

@fukusuket
Copy link
Collaborator Author

@YamatoSecurity
Thank you for checking! I updated it! Could you check it?🙏

Collaborator

@YamatoSecurity YamatoSecurity left a comment

@fukusuket LGTM! Everything looks perfect! Thanks so much!!

@YamatoSecurity YamatoSecurity merged commit 08bf46a into main Feb 16, 2025
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1570-config-critical-systems branch February 16, 2025 00:15
Development

Successfully merging this pull request may close these issues.

New config-critical-systems command