Yamato-Security / takajo

Takajō (鷹匠) is a Hayabusa results analyzer.
https://yamato-security.github.io/takajo/
GNU General Public License v3.0

Extract out PowerShell scriptblock logs into text files #47

Closed YamatoSecurity closed 11 months ago

YamatoSecurity commented 1 year ago

Create command to reconstruct PowerShell 4104 ScriptBlock logs similar to https://github.com/Yamato-Security/hayabusa/blob/main/doc/AnalysisWithJQ-English.md#9-extract-powershell-logs

YamatoSecurity commented 12 months ago

@fukusuket Sorry, I wanted to implement this but am super busy at the moment. Would you be interested in implementing this?

Command extract-scriptblocks : extract and reassemble PowerShell EID 4104 script block logs

Arguments:

  -o=, --output=      string  "scriptblock-logs"  output directory (default: scriptblock-logs)
  -q, --quiet         bool    false               do not display the launch banner
  -t=, --timeline=    string  REQUIRED            Hayabusa JSONL timeline

Scriptblocks will be reassembled based on the ScriptBlock ID field in the ExtraFieldInfo and saved to the same file. I want to include timestamps for when the commands were executed inside the file. The file name should be in the format: <COMPUTER NAME>-<CREATION-DATE>-<ScriptBlock ID>.txt

After saving the files, a summary should be printed to standard out as well as saved to the file summary.txt in the newly created directory. I'd like the table summary to be something similar to https://news.sophos.com/wp-content/uploads/2021/12/06_ScriptedApproach.png

but with the headers: Creation Time, Script ID, Script Name, Results, Extracted Records

References:

https://news.sophos.com/en-us/2022/03/29/reconstructing-powershell-scripts-from-multiple-windows-event-logs/

https://github.com/Yamato-Security/hayabusa/blob/main/doc/AnalysisWithJQ-Japanese.md#9-powershell%E3%83%AD%E3%82%B0%E3%81%AE%E6%8A%BD%E5%87%BA
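The reassembly described in the comment above, as an added Python example that is not takajo's own code (takajo is written in Nim). It groups EID 4104 records from a JSONL timeline by ScriptBlock ID, orders the fragments by MessageNumber, marks blocks whose fragments did not all survive, writes one `<COMPUTER NAME>-<CREATION-DATE>-<ScriptBlock ID>.txt` file per block with the execution timestamp of each fragment inside it, and writes `summary.txt` with the requested headers. The field layout is an assumption: it takes `ScriptBlockId`, `MessageNumber`, `MessageTotal`, `ScriptBlockText` and `Path` from each record's `ExtraFieldInfo` object, and the sample timeline is constructed, not real Hayabusa output.

```python
"""Reassemble PowerShell EID 4104 script block logs from a Hayabusa-style JSONL timeline.

Added example, not takajo code. Assumed field layout: the 4104 event's
ScriptBlockId / MessageNumber / MessageTotal / ScriptBlockText / Path live in
each record's "ExtraFieldInfo" object.
"""
import json
import re
import tempfile
from pathlib import Path


def _rec(ts, computer, eid, extra):
    return {"Timestamp": ts, "Computer": computer, "Channel": "PwSh", "EventID": eid,
            "Level": "info", "RuleTitle": "PowerShell ScriptBlock", "ExtraFieldInfo": extra}


ID_A = "e1c2b3a4-0001-4aaa-8bbb-0000000000a1"
ID_B = "e1c2b3a4-0002-4aaa-8bbb-0000000000b2"
ID_C = "e1c2b3a4-0003-4aaa-8bbb-0000000000c3"

# Constructed sample timeline (not real Hayabusa output). Records are deliberately
# out of order, one block is a single record, one block is missing part 2 of 3,
# and a 4103 record is included to show that non-4104 events are skipped.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    _rec("2023-03-24 10:15:32.100 +09:00", "WS01", 4104,
         {"ScriptBlockId": ID_A, "MessageNumber": 2, "MessageTotal": 2,
          "ScriptBlockText": "Invoke-Expression $payload\n", "Path": "C:\\Temp\\run.ps1"}),
    _rec("2023-03-24 10:15:31.000 +09:00", "WS01", 4104,
         {"ScriptBlockId": ID_B, "MessageNumber": 1, "MessageTotal": 1,
          "ScriptBlockText": "Get-Process | Select-Object -First 5\n", "Path": ""}),
    _rec("2023-03-24 10:15:32.050 +09:00", "WS01", 4104,
         {"ScriptBlockId": ID_A, "MessageNumber": "1", "MessageTotal": "2",
          "ScriptBlockText": "$payload = [Text.Encoding]::UTF8.GetString($bytes)\n",
          "Path": "C:\\Temp\\run.ps1"}),
    _rec("2023-03-24 10:15:33.000 +09:00", "WS01", 4103,
         {"Payload": "CommandInvocation(Get-Process)"}),
    _rec("2023-03-24 10:16:00.200 +09:00", "SRV02", 4104,
         {"ScriptBlockId": ID_C, "MessageNumber": 3, "MessageTotal": 3,
          "ScriptBlockText": "Remove-Item $env:TEMP\\stage.bin\n", "Path": "C:\\Users\\Public\\s.ps1"}),
    _rec("2023-03-24 10:16:00.000 +09:00", "SRV02", 4104,
         {"ScriptBlockId": ID_C, "MessageNumber": 1, "MessageTotal": 3,
          "ScriptBlockText": "$bytes = Get-Content $env:TEMP\\stage.bin -Encoding Byte\n",
          "Path": "C:\\Users\\Public\\s.ps1"}),
])


def collect_scriptblocks(jsonl_text):
    """Group 4104 records by ScriptBlockId: {id: {computer, path, total, parts{n: (ts, text)}}}."""
    blocks = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if int(rec.get("EventID", 0)) != 4104:
            continue
        extra = rec.get("ExtraFieldInfo") or {}
        sb_id = extra.get("ScriptBlockId")
        if not sb_id:
            continue
        blk = blocks.setdefault(sb_id, {"computer": rec.get("Computer", "unknown"),
                                        "path": "", "total": 1, "parts": {}})
        # Numeric fields may arrive as strings in JSON; normalise them to int.
        blk["total"] = max(blk["total"], int(extra.get("MessageTotal", 1)))
        blk["path"] = blk["path"] or extra.get("Path", "")
        blk["parts"][int(extra.get("MessageNumber", 1))] = (rec["Timestamp"], extra.get("ScriptBlockText", ""))
    return blocks


def reassemble(block):
    """Order fragments by MessageNumber; return (creation_time, result, extracted, text)."""
    parts = block["parts"]
    creation_time = min(ts for ts, _ in parts.values())
    total, extracted = block["total"], len(parts)
    complete = set(parts) == set(range(1, total + 1))
    result = "Complete" if complete else f"Incomplete ({extracted}/{total})"
    chunks = []
    for n in sorted(parts):
        ts, text = parts[n]
        # Keep the execution timestamp of every fragment inside the output file.
        chunks.append(f"# {ts}  [ScriptBlock part {n}/{total}]\n{text.rstrip()}\n")
    return creation_time, result, extracted, "".join(chunks)


def _safe(name):
    return re.sub(r"[^A-Za-z0-9._-]+", "_", name)


def format_summary(rows):
    headers = ["Creation Time", "Script ID", "Script Name", "Results", "Extracted Records"]
    widths = [max([len(h)] + [len(str(r[h])) for r in rows]) for h in headers]
    fmt = "  ".join(f"{{:<{w}}}" for w in widths)
    lines = [fmt.format(*headers), fmt.format(*("-" * w for w in widths))]
    lines += [fmt.format(*(str(r[h]) for h in headers)) for r in rows]
    return "\n".join(lines) + "\n"


def write_scriptblocks(jsonl_text, out_dir="scriptblock-logs"):
    """Write one <COMPUTER>-<CREATION-DATE>-<ScriptBlockId>.txt per block plus summary.txt."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rows = []
    for sb_id, blk in collect_scriptblocks(jsonl_text).items():
        created, result, extracted, text = reassemble(blk)
        fname = f"{_safe(blk['computer'])}-{created.split(' ')[0]}-{_safe(sb_id)}.txt"
        (out / fname).write_text(text, encoding="utf-8")
        rows.append({"Creation Time": created, "Script ID": sb_id,
                     "Script Name": blk["path"] or "-", "Results": result,
                     "Extracted Records": extracted, "File": fname})
    rows.sort(key=lambda r: r["Creation Time"])
    (out / "summary.txt").write_text(format_summary(rows), encoding="utf-8")
    return rows


def run_sample(out_dir=None):
    """Process SAMPLE_JSONL into out_dir (a fresh temp dir if None); return the summary rows."""
    return write_scriptblocks(SAMPLE_JSONL, out_dir or tempfile.mkdtemp(prefix="sb-"))


if __name__ == "__main__":
    print(format_summary(run_sample("scriptblock-logs")))
```

The completeness check compares the set of MessageNumber values seen against `1..MessageTotal` rather than just counting records, so a block with a duplicated fragment and a missing one is still reported as incomplete; the creation time is the earliest fragment timestamp, which is what the file name and the summary sort use.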

fukusuket commented 12 months ago

@YamatoSecurity Thank you for the mention :) Yes, I would love to implement it!💪

YamatoSecurity commented 12 months ago

@fukusuket Thank you so much! I will assign you then.