Fixed json fields get moved over #1146
Conversation
Codecov Report
Patch coverage:
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1146      +/-   ##
==========================================
+ Coverage   83.82%   83.83%   +0.01%
==========================================
  Files          26       26
  Lines       23388    23398      +10
==========================================
+ Hits        19604    19615      +11
+ Misses       3784     3783       -1
☔ View full report in Codecov by Sentry.
@hitenkoku
It seems that a parse error occurs with the jq command when it is run with the following procedure🤔 Could you please confirm?🙇
./hayabusa-new json-timeline -d ../hayabusa-sample-evtx -o out.json
cat out.json | jq
...
parse error: Expected another key-value pair at line 52522, column 5
@fukusuket Thank you for pointing this out. Sorry to keep asking you to check. Would you check it?
@hitenkoku Thank you for the update!
I am using this command to test:
@YamatoSecurity I apologize for the delay in responding to your request. I have corrected the information you pointed out. Would you please check it?
@hitenkoku
Thank you so much for the fix :) I confirmed that there is no jq parse error!!
I checked the results for hayabusa-sample-evtx, and they were as follows. It seems that there are still cases where the field is moved. 🤔 Could you check this?🙇
% cat results.csv | grep "2021-04-22 19:04:37.081 +09:00"
"2021-04-22 19:04:37.081 +09:00","win10-02.offsec.lan","PwSh",4104,"info",135,"PwSh Scriptblock","ScriptBlock: Write-Host 'Final result: 1';","MessageNumber: 1 ¦ MessageTotal: 1 ¦ Path: ¦ ScriptBlockId: d4032236-9130-47e8-8602-626a2b5e46e7"
% cat results.json | jq 'select ( .Timestamp == "2021-04-22 19:04:37.081 +09:00" ) '
{
  "Timestamp": "2021-04-22 19:04:37.081 +09:00",
  "Computer": "win10-02.offsec.lan",
  "Channel": "PwSh",
  "EventID": 4104,
  "Level": "info",
  "RecordID": 135,
  "RuleTitle": "PwSh Scriptblock",
  "Details": {
    "ScriptBlock": "Write-Host 'Final",
    "result": "1';"
  },
  "ExtraFieldInfo": {
    "MessageNumber": 1,
    "MessageTotal": 1,
    "Path": "",
    "ScriptBlockId": "d4032236-9130-47e8-8602-626a2b5e46e7"
  }
}
@fukusuket I apologize for the delay in responding to your request.
@hitenkoku
@YamatoSecurity Thanks for your comment. I fixed the following problems in e1558c1. Would you check it?
@hitenkoku
Thank you so much for the fix!!
I checked the keys under Details with the following command. Some fields still seem to be moved🤔 Could you check this?🙇
./hayabusa json-timeline -d ../hayabusa-sample-evtx -o results.json -C
cat results.json | jq 'select ((.Details != "-") and (.EventID == 4104))' | jq .Details | jq keys | sort | uniq
"(@danielhbohannon)\\r\\nLicense",
"2010",
"Dependencies",
"Function",
"Invoke-Obfuscation",
"Line",
"Name",
"Out-ConcatenatedString\\r\\nAuthor",
"Out-ObfuscatedMemberTokenLevel3\\r\\nAuthor",
"Out-ObfuscatedStringCommand\\r\\nAuthor",
"Out-ObfuscatedTypeToken\\r\\nAuthor",
"Out-RandomPowerShellStdInInvokeSyntax\\r\\nAuthor",
"Out-StringDelimitedConcatenatedAndReordered\\r\\nAuthor",
"ScriptBlock"
"ScriptBlock",
"Show-HelpMenu\\r\\nAuthor"
"\"<REDACTED\"",
"\"Error\"",
"\"`nERROR\"",
"\"`nWARNING\"",
"error"
"is"
"log"
"obfuscation"
"options"
"ordering"
"rundll32.exe"
[
]
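The two outputs above (the split "Final result" key in the earlier comment and the `\r\nAuthor` keys from obfuscated script blocks here) look like one failure: a value that itself contains ": " is cut into extra keys. As an added example that is not hayabusa's code, the Rust below models that naive split and a corrected one that splits each " ¦ "-separated field only at its first ": "; the delimiter and the Details strings come from the thread, while the key rule (a single whitespace-free token) and the cause itself are assumptions.

```rust
use std::collections::BTreeMap;
// Separator between "Key: Value" fields in the CSV Details column, as seen in the thread.
const FIELD_SEP: &str = " ¦ ";
// A key is a single token: non-empty and free of whitespace (assumption, not hayabusa's rule).
fn is_key(k: &str) -> bool {
    !k.is_empty() && !k.chars().any(char::is_whitespace)
}
// Naive splitter reproducing the symptom in the thread: every ": " inside a field is taken
// as a boundary and the token right before it is promoted to a new key.
fn split_naive(details: &str) -> BTreeMap<String, String> {
    let mut map = BTreeMap::new();
    for field in details.split(FIELD_SEP) {
        let parts: Vec<&str> = field.split(": ").collect();
        let mut key = parts[0];
        for (i, chunk) in parts[1..].iter().enumerate() {
            // The final chunk is all value; otherwise the text after the last space
            // becomes the next key (this is the bug being modelled).
            let cut = if i + 2 == parts.len() { None } else { chunk.rfind(' ') };
            let (value, next_key) = match cut {
                Some(p) => (&chunk[..p], &chunk[p + 1..]),
                None => (*chunk, ""),
            };
            map.insert(key.to_string(), value.to_string());
            key = next_key;
        }
    }
    map
}
// Corrected splitter: each field is split once, at its first ": ", and only when the left
// side is a key; a field that is not "Key: Value" is re-attached to the previous value.
fn split_fixed(details: &str) -> BTreeMap<String, String> {
    let mut map: BTreeMap<String, String> = BTreeMap::new();
    let mut last: Option<String> = None;
    for field in details.split(FIELD_SEP) {
        let kv = match field.split_once(": ") {
            Some((k, v)) if is_key(k) => Some((k, v)),
            // "Path:" with nothing after the colon is a key with an empty value.
            _ => field.strip_suffix(':').filter(|k| is_key(k)).map(|k| (k, "")),
        };
        if let Some((k, v)) = kv {
            map.insert(k.to_string(), v.to_string());
            last = Some(k.to_string());
        } else if let Some(k) = &last {
            let v = map.get_mut(k).expect("previous key is present");
            v.push_str(FIELD_SEP);
            v.push_str(field);
        }
    }
    map
}
```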
@YamatoSecurity I have added key extraction criteria.
@hitenkoku
I'm sorry for commenting so many times🙇 EID
…of details, allfieldinfo, extrafieldinfo #1145
@hitenkoku I checked the refactor PR and merged it because it was working well.
It seems there are some conflicts. Could you merge this after fixing the conflicts?
@YamatoSecurity I checked the CI error ( https://github.com/Yamato-Security/hayabusa/actions/runs/6204910522/job/16847511183 ). This error was caused by the time crate in hayabusa-evtx. Could you check it?
@hitenkoku Thanks for fixing this. I approved the hayabusa-evtx PR so you can merge it.
@YamatoSecurity Thanks for your check! But CI stopped for the same reason 🤔
CI's coverage has an error, but we will merge for the following reason. It has been approved by @YamatoSecurity via chat.
What Changed
CommandLine field in JSON output. I would appreciate it if you could review when you have time.