Closed YamatoSecurity closed 11 months ago
@fukusuket Sorry, I wanted to implement this but am super busy at the moment. Would you be interested in implementing this?
Command extract-scriptblocks: extract and reassemble PowerShell EID 4104 script block logs
Arguments:
-o=, --output= string "scriptblock-logs" output directory (default: scriptblock-logs)
-q, --quiet bool false do not display the launch banner
-t=, --timeline= string REQUIRED Hayabusa JSONL timeline
Scriptblocks will be reassembled based on the ScriptBlock ID field in the ExtraFieldInfo
and saved to the same file. I want to include timestamps for when the commands were executed inside the file.
The file name should be in the format: <COMPUTER NAME>-<CREATION-DATE>-<ScriptBlock ID>.txt
After saving the files, a summary should be printed to standard out as well as saved to the file summary.txt
in the newly created directory.
I'd like the table summary to be something similar to https://news.sophos.com/wp-content/uploads/2021/12/06_ScriptedApproach.png
but have the headers Creation Time, Script ID, Script Name, Results, Extracted Records.
Script Name is written in the Path field. Sometimes it is blank so in that case output no-path.
Creation Time is the timestamp of the first log.
Results is either Incomplete or Complete.
Extracted Records is how many records were successfully extracted. For example: 10/100
References:
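A prototype of the reassembly procedure described in the issue, added here as an illustration; it is not Hayabusa's code and not the implementation discussed in this thread. It assumes the Hayabusa JSONL layout shown in the constructed sample records: a top-level `Timestamp`, `Computer` and `EventID`, with the raw 4104 fields `ScriptBlockId`, `MessageNumber`, `MessageTotal`, `Path` and `ScriptBlockText` under `ExtraFieldInfo` (with a fallback to `Details`), and the timestamp format `YYYY-MM-DD HH:MM:SS.mmm +HH:MM`. The sample events, the per-fragment timestamp header written into each file, and the handling of out-of-order or duplicated fragments are my choices, not anything the issue specifies.

```python
"""Prototype of the extract-scriptblocks logic from the issue (example only)."""
import json
import os
import sys
from collections import defaultdict

# Constructed sample timeline, not real Hayabusa output. Placing the raw 4104
# fields under ExtraFieldInfo is an assumption about Hayabusa's JSONL layout.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Timestamp": "2023-04-01 10:00:00.000 +00:00", "Computer": "WS01", "EventID": 4104,
     "ExtraFieldInfo": {"ScriptBlockId": "aaaa-1111", "MessageNumber": 2, "MessageTotal": 2,
                        "Path": "C:\\Temp\\stage.ps1", "ScriptBlockText": "Invoke-Expression $payload\n"}},
    {"Timestamp": "2023-04-01 09:59:59.500 +00:00", "Computer": "WS01", "EventID": 4104,
     "ExtraFieldInfo": {"ScriptBlockId": "aaaa-1111", "MessageNumber": 1, "MessageTotal": 2,
                        "Path": "C:\\Temp\\stage.ps1", "ScriptBlockText": "$payload = Get-Content .\\p.txt\n"}},
    {"Timestamp": "2023-04-01 10:05:00.000 +00:00", "Computer": "WS01", "EventID": 4104,
     "ExtraFieldInfo": {"ScriptBlockId": "bbbb-2222", "MessageNumber": 1, "MessageTotal": 3,
                        "Path": "", "ScriptBlockText": "Write-Host 'part one'\n"}},
    {"Timestamp": "2023-04-01 10:05:00.200 +00:00", "Computer": "WS01", "EventID": 4104,
     "ExtraFieldInfo": {"ScriptBlockId": "bbbb-2222", "MessageNumber": 3, "MessageTotal": 3,
                        "Path": "", "ScriptBlockText": "Write-Host 'part three'\n"}},
    {"Timestamp": "2023-04-01 10:06:00.000 +00:00", "Computer": "WS01", "EventID": 4103,
     "ExtraFieldInfo": {"Payload": "not a script block, must be ignored"}},
])

HEADERS = ["Creation Time", "Script ID", "Script Name", "Results", "Extracted Records"]


def field(rec, name, default=""):
    """Look a raw event field up in ExtraFieldInfo first, then in Details."""
    for container in ("ExtraFieldInfo", "Details"):
        values = rec.get(container)
        if isinstance(values, dict) and values.get(name) not in (None, ""):
            return values[name]
    return default


def group_fragments(jsonl_text):
    """Collect every EID 4104 record of the timeline, keyed by ScriptBlockId."""
    groups = defaultdict(list)
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sb_id = field(rec, "ScriptBlockId")
        if str(rec.get("EventID")) != "4104" or not sb_id:
            continue
        groups[sb_id].append({
            "ts": rec.get("Timestamp", ""), "computer": rec.get("Computer", "unknown"),
            "num": int(field(rec, "MessageNumber", 1)), "total": int(field(rec, "MessageTotal", 1)),
            "path": field(rec, "Path"), "text": field(rec, "ScriptBlockText"),
        })
    return groups


def creation_tag(ts):
    """Make an assumed 'YYYY-MM-DD HH:MM:SS.mmm +HH:MM' timestamp file-name safe."""
    parts = ts.split(" ")
    if len(parts) == 3:                         # drop the UTC offset
        parts = parts[:2]
    return "T".join(parts).replace(":", "")     # ':' is illegal in Windows file names


def reassemble(sb_id, frags):
    """Order fragments by MessageNumber; build the file content and its summary row."""
    by_num = {}
    for f in sorted(frags, key=lambda f: f["ts"]):
        by_num.setdefault(f["num"], f)          # a fragment logged twice counts once
    ordered = [by_num[n] for n in sorted(by_num)]
    total = max(f["total"] for f in ordered)
    first = min(frags, key=lambda f: f["ts"])   # creation time = first record logged
    body = []
    for f in ordered:
        body.append(f"# [{f['ts']}] fragment {f['num']}/{f['total']}")  # when it ran
        body.append(f["text"].rstrip("\n"))
    return {
        "Creation Time": first["ts"],
        "Script ID": sb_id,
        "Script Name": first["path"] or "no-path",
        "Results": "Complete" if set(by_num) == set(range(1, total + 1)) else "Incomplete",
        "Extracted Records": f"{len(by_num)}/{total}",
        "file": f"{first['computer']}-{creation_tag(first['ts'])}-{sb_id}.txt",
        "content": "\n".join(body) + "\n",
    }


def extract_scriptblocks(jsonl_text):
    """Summary rows (plus file name and content) sorted by creation time."""
    rows = [reassemble(i, f) for i, f in group_fragments(jsonl_text).items()]
    return sorted(rows, key=lambda r: r["Creation Time"])


def format_summary(rows):
    """Fixed-width table with the headers requested in the issue."""
    width = {h: max([len(h)] + [len(r[h]) for r in rows]) for h in HEADERS}

    def line(r):
        return " | ".join(r[h].ljust(width[h]) for h in HEADERS)

    sep = "-+-".join("-" * width[h] for h in HEADERS)
    return "\n".join([line(dict(zip(HEADERS, HEADERS))), sep] + [line(r) for r in rows]) + "\n"


def write_outputs(rows, outdir):
    """Write one file per script block plus summary.txt; return the summary text."""
    os.makedirs(outdir, exist_ok=True)
    for r in rows:
        with open(os.path.join(outdir, r["file"]), "w", encoding="utf-8") as fh:
            fh.write(r["content"])
    summary = format_summary(rows)
    with open(os.path.join(outdir, "summary.txt"), "w", encoding="utf-8") as fh:
        fh.write(summary)
    return summary


if __name__ == "__main__":
    # usage: extract_scriptblocks.py [timeline.jsonl] [output-dir]
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JSONL
    outdir = sys.argv[2] if len(sys.argv) > 2 else "scriptblock-logs"
    print(write_outputs(extract_scriptblocks(src), outdir), end="")
```

Run without arguments to process the embedded sample, or pass a Hayabusa JSONL timeline and an output directory. Two details matter in practice: fragments of one script block often arrive out of order (or twice, when the same event is forwarded by more than one collector), so ordering is by MessageNumber rather than by timestamp, and the creation date in the file name has its colons stripped because they are not allowed in Windows file names.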
@YamatoSecurity Thank you for the mention :) Yes, I would love to implement it!💪
@fukusuket Thank you so much! I will assign you then.
Create command to reconstruct PowerShell 4104 ScriptBlock logs similar to https://github.com/Yamato-Security/hayabusa/blob/main/doc/AnalysisWithJQ-English.md#9-extract-powershell-logs