DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

Kuiper modifies meaning of parsed data (quoting) #107

Closed. heck-gd closed this 1 year ago.

heck-gd commented 1 year ago

Hello,

We have an issue with the following line: https://github.com/DFIRKuiper/Kuiper/blob/dcb09077799da9ee9d063f87af8619b7683f0bad/kuiper/app/controllers/parser_management.py#L722

Assume you're doing forensics on PowerShell script executions and the following simplified script was executed and logged:

```powershell
$foo = "test"
Write-Host "$foo"
```

When Kuiper parses a Windows event containing the above code, it will turn it into:

```powershell
$foo = 'test'
Write-Host '$foo'
```

This is extremely problematic because it changes the meaning and essentially falsifies the collected data.

I'm wondering what the original reason for that replace was. We've changed it in our deployment a couple weeks ago and have not noticed any problem with Elasticsearch whatsoever.

And even if it does cause issues under very special circumstances, a generic replace on the entire data cannot be the solution.

salehmuhaysin commented 1 year ago

Hello, sorry. The problem is not directly in Elasticsearch; instead it is in the rendering of the HTML of the browse artifacts page. [image]

So when you click "equal", it will add only the first part before the `"`. [image]

I will fix it.
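The two comments above describe the same defect from opposite ends: a blanket `"` to `'` replace on parsed data silently falsifies evidence, and the reason it was there was that the browse-artifacts page put raw field values inside a double-quoted HTML attribute, so the "equal" filter link truncated the value at the first `"`. The following is an added example, not Kuiper's code, that reproduces both behaviours on a constructed PowerShell ScriptBlock string and shows the usual fix: keep the stored artifact byte-for-byte, and escape (or JSON-encode and escape) at the HTML rendering boundary instead. All function names here (`lossy_normalise`, `naive_equal_link`, `equal_filter_link`, `attribute_value`, `filter_from_link`, `render_value_cell`) are hypothetical stand-ins chosen for the demonstration.

```python
import html
import json
import re

# Constructed sample: the text of a logged PowerShell ScriptBlock as it might
# appear in a parsed Windows event. Not a real event record.
SAMPLE_SCRIPT = '$foo = "test"\nWrite-Host "$foo"'


def lossy_normalise(value: str) -> str:
    """Hypothetical stand-in for a blanket replace applied before indexing.

    This is the anti-pattern: the stored artifact no longer matches the
    evidence, so an analyst sees '$foo' in single quotes and reads it as a
    literal string rather than a variable expansion.
    """
    return value.replace('"', "'")


def naive_equal_link(field: str, value: str) -> str:
    """The rendering pattern that breaks: a raw value dropped into a
    double-quoted attribute. The first '"' inside the value terminates it."""
    return f'<a href="#" data-field="{field}" data-value="{value}">=</a>'


def attribute_value(tag_html: str, name: str) -> str:
    """Read an attribute the way an HTML parser does: everything up to the
    next unescaped double quote. Used here to show what a click handler
    would actually receive from each link."""
    match = re.search(rf'{re.escape(name)}="([^"]*)"', tag_html)
    return match.group(1) if match else ""


def render_value_cell(value: str) -> str:
    """Render a field value for the artifact table. Escaping happens at the
    presentation boundary, so the indexed document is left untouched."""
    return html.escape(value, quote=True)


def equal_filter_link(field: str, value: str) -> str:
    """Build an "equal" link whose data attribute carries the complete value.

    JSON encoding handles quotes, backslashes and newlines inside the value;
    html.escape then makes the JSON safe to sit inside a quoted attribute
    (every '"' becomes '&quot;', so the attribute cannot terminate early).
    """
    payload = html.escape(json.dumps({"field": field, "value": value}), quote=True)
    return f'<a href="#" class="filter-equal" data-query="{payload}">=</a>'


def filter_from_link(data_query_attr: str) -> dict:
    """Reverse of equal_filter_link: what a click handler recovers from the
    attribute once the HTML entities are decoded. Returns the exact field
    and value, so an exact-match query can be issued against the index."""
    return json.loads(html.unescape(data_query_attr))


if __name__ == "__main__":
    print("lossy:", repr(lossy_normalise(SAMPLE_SCRIPT)))
    broken = naive_equal_link("scriptblock", SAMPLE_SCRIPT)
    print("naive link recovers:", repr(attribute_value(broken, "data-value")))
    fixed = equal_filter_link("scriptblock", SAMPLE_SCRIPT)
    print("escaped link recovers:", filter_from_link(attribute_value(fixed, "data-query")))
    print("cell:", render_value_cell(SAMPLE_SCRIPT))
```

The point of the example is the boundary at which the transformation is applied: `render_value_cell` and `equal_filter_link` change bytes only in the HTML that is sent to the browser, while the value that was parsed from the event and indexed stays exactly what the evidence contained. A blanket replace in the parser fixes the same rendering symptom but does so by destroying forensic fidelity for every consumer of the data, not just the web page.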

salehmuhaysin commented 1 year ago

Issue fixed and updated in the source code; it will be included in version 2.3.5.