feat: add extract-scriptblocks command #57
Conversation
@fukusuket Thanks for your pull request.
LGTM.
LGTM! What do you think about outputting in terminal tables with nancy?
@YamatoSecurity
@YamatoSecurity
In many cases, I think a large number of detection results are output at takajo/src/takajopkg/timelineSuspiciousProcesses.nim, lines 13 to 16 in 4f77848
@fukusuket Oh wow! Super fast! It is looking good. I'll take a look at it tonight.
That sounds good. What about letting the user set the minimal level but have the default
@YamatoSecurity
@YamatoSecurity
But in PowerShell, the characters seem to be garbled as shown below, so I will investigate...🤔
The following are probably the causes :( Nancy uses the following ANSI escape sequences internally, but PowerShell 5.1 does not support ANSI escape sequences (PowerShell 7 or Windows Terminal does support them). If you use the Nim standard functions below, this issue does not seem to occur, because the Windows API is called directly (instead of using ANSI escape sequences).
I created an issue!
It's probably difficult to deal with this on Nancy's side, so I implemented processing that does not use ANSI escape sequences.
@YamatoSecurity
@fukusuket Looks great! I just realized it is probably better to include the Computer name in the summary table to know on which computer the malicious scripts were found. Can you add a Computer column between the Timestamp and ScriptBlock ID? It will probably be too much information, so what about deleting the Complete/Incomplete column to make space? By looking at the The width for the events recovered
@YamatoSecurity
(In Nancy, the width is automatically determined by the maximum number of characters in the column, and it seems that it cannot be set)
@fukusuket Looks great! Thank you!
What Changed
<COMPUTER NAME>-<CREATION-DATE>-<ScriptBlock ID>.txt
summary.csv
Test
Environment
Test1 (hayabusa-sample-evtx ... T1059.001-PowerShell)
% ./hayabusa-main json-timeline -d ../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell -o timeline-ps.jsonl -L
% ./takajo extract-scriptblocks -t timeline-ps.jsonl -q
Test2 (hayabusa-sample-evtx)
Execute the following commands.
% ./hayabusa-main json-timeline -d ../hayabusa-sample-evtx/ -o timeline.jsonl -L
% ./takajo extract-scriptblocks -t timeline.jsonl
Then compare the unique ScriptBlockId count with the number of files in the ./scriptblock-logs directory, as follows.
Test3 (all-evtx)
% ./hayabusa-main json-timeline -d ../all-evtx/ -o timeline-all.jsonl -L
% ./takajo extract-scriptblocks -t timeline-all.jsonl
Then compare the unique ScriptBlockId count with the number of files in the ./scriptblock-logs directory, as follows.
I would appreciate it if you could review when you have time🙏
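The extraction logic this PR adds, and the consistency check from its test procedure (unique ScriptBlock IDs must equal the number of files written), as an added example. This is not takajo's own code, and it is not tied to hayabusa's exact JSONL schema: the records below are constructed, and the field names `Details.ScriptBlockID`, `Details.MessageNumber`, `Details.MessageTotal` and `Details.ScriptBlock` are assumptions. It reassembles Event ID 4104 fragments in MessageNumber order, writes one `<COMPUTER NAME>-<CREATION-DATE>-<ScriptBlock ID>.txt` file per block plus a `summary.csv` with the Timestamp, Computer, ScriptBlock ID and Complete/Incomplete columns discussed above, and marks missing fragments so an analyst can see that a block is incomplete rather than silently reading a truncated script.

```python
"""Added example (not takajo's code): reassemble PowerShell ScriptBlock
fragments from a hayabusa-style JSONL timeline and verify the output.
Record layout and Details field names are assumptions for this example."""
import csv
import json
import os
import re
import tempfile

SCRIPTBLOCK_EVENT_ID = 4104  # Microsoft-Windows-PowerShell/Operational ScriptBlock logging

# Constructed sample timeline (not real hayabusa output): one complete block
# split in two fragments, one block missing fragment 2 of 3, one unrelated event.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Timestamp": "2023-01-10 12:00:01.000 +09:00", "Computer": "WS01", "EventID": 4104,
     "Details": {"ScriptBlockID": "aaaa-1", "MessageNumber": 2, "MessageTotal": 2,
                 "ScriptBlock": "-enc SQBFAFgA"}},
    {"Timestamp": "2023-01-10 12:00:00.000 +09:00", "Computer": "WS01", "EventID": 4104,
     "Details": {"ScriptBlockID": "aaaa-1", "MessageNumber": 1, "MessageTotal": 2,
                 "ScriptBlock": "powershell.exe "}},
    {"Timestamp": "2023-01-10 12:05:00.000 +09:00", "Computer": "WS02", "EventID": 4104,
     "Details": {"ScriptBlockID": "bbbb-2", "MessageNumber": 1, "MessageTotal": 3,
                 "ScriptBlock": "Invoke-WebRequest http://example.invalid/a"}},
    {"Timestamp": "2023-01-10 12:05:01.000 +09:00", "Computer": "WS02", "EventID": 4104,
     "Details": {"ScriptBlockID": "bbbb-2", "MessageNumber": 3, "MessageTotal": 3,
                 "ScriptBlock": " | IEX"}},
    {"Timestamp": "2023-01-10 12:06:00.000 +09:00", "Computer": "WS02", "EventID": 4688,
     "Details": {"CmdLine": "notepad.exe"}},
])


def parse_scriptblocks(jsonl_text):
    """Group 4104 fragments by ScriptBlock ID; the earliest fragment timestamp is the creation date."""
    blocks = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("EventID") != SCRIPTBLOCK_EVENT_ID:
            continue
        d = rec["Details"]
        entry = blocks.setdefault(d["ScriptBlockID"], {
            "computer": rec["Computer"], "timestamp": rec["Timestamp"],
            "total": int(d["MessageTotal"]), "fragments": {}})
        entry["timestamp"] = min(entry["timestamp"], rec["Timestamp"])  # fixed-width strings sort correctly
        entry["fragments"][int(d["MessageNumber"])] = d["ScriptBlock"]
    return blocks


def is_complete(entry):
    return set(entry["fragments"]) == set(range(1, entry["total"] + 1))


def reassemble(entry):
    """Concatenate fragments in MessageNumber order; gaps are marked, never hidden."""
    return "".join(entry["fragments"].get(n, f"<<missing fragment {n}/{entry['total']}>>")
                   for n in range(1, entry["total"] + 1))


def _safe(s):
    # Keep file names portable: ':' and '+' in timestamps are not valid on Windows
    return re.sub(r"[^\w.-]", "_", s)


def extract_scriptblocks(jsonl_text, out_dir):
    """Write one .txt per ScriptBlock ID and a summary.csv; return the summary rows."""
    os.makedirs(out_dir, exist_ok=True)
    rows = []
    for sb_id, entry in sorted(parse_scriptblocks(jsonl_text).items(), key=lambda kv: kv[1]["timestamp"]):
        fname = f"{_safe(entry['computer'])}-{_safe(entry['timestamp'])}-{_safe(sb_id)}.txt"
        with open(os.path.join(out_dir, fname), "w", encoding="utf-8") as f:
            f.write(reassemble(entry))
        rows.append({"Timestamp": entry["timestamp"], "Computer": entry["computer"], "ScriptBlockID": sb_id,
                     "Complete": "Complete" if is_complete(entry) else "Incomplete", "File": fname})
    with open(os.path.join(out_dir, "summary.csv"), "w", newline="", encoding="utf-8") as f:
        w = csv.DictWriter(f, fieldnames=["Timestamp", "Computer", "ScriptBlockID", "Complete", "File"])
        w.writeheader()
        w.writerows(rows)
    return rows


def check_counts(jsonl_text, out_dir):
    """The PR's manual test: (unique ScriptBlock IDs in the timeline, .txt files written)."""
    unique_ids = set()
    for line in jsonl_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("EventID") == SCRIPTBLOCK_EVENT_ID:
                unique_ids.add(rec["Details"]["ScriptBlockID"])
    return len(unique_ids), len([n for n in os.listdir(out_dir) if n.endswith(".txt")])


def run_demo():
    out_dir = tempfile.mkdtemp(prefix="scriptblock-logs-")
    rows = extract_scriptblocks(SAMPLE_JSONL, out_dir)
    return rows, check_counts(SAMPLE_JSONL, out_dir), out_dir


if __name__ == "__main__":
    rows, counts, out_dir = run_demo()
    print(f"unique IDs / files: {counts[0]} / {counts[1]}  (written to {out_dir})")
    for r in rows:
        print(r["Timestamp"], r["Computer"], r["ScriptBlockID"], r["Complete"], r["File"])
```

The two counts in `check_counts` come from independent sources (the timeline and the output directory), which is what makes the PR's test meaningful: a bug that dropped or merged a block would show up as a mismatch.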