palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response
Other
1.23k stars 268 forks source link

Wrapping of Image_Path and Hashes #15

Closed spaz1729 closed 6 years ago

spaz1729 commented 6 years ago

We are working to implementing Autoruns to Event Viewer and we are seeing Sha256 and PESHA256 hashes wrapping to a new field in the Event Log Like shown. As a result Splunk sees these as new fields. Any ideas on why this is happening or to prevent it?

Time : 5/20/2017 8:45 AM Entry Location : HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar Entry : PXCIEaddin6 Enabled : enabled Category : Internet Explorer Profile : System-wide Description : HTML to PDF Converter IE plugin (V6) Signer : (Verified) Tracker Software Products (Canada) Ltd Company : Tracker Software Products (Canada) Ltd. Image Path : c:\program files\tracker software\pdf-xchange 6\pxcieaddin6.dll Version : 6.0.322.4 Launch String : HKCR\CLSID{42DFA04F-0F16-418e-B80C-AB97A5AFAD3A} MD5 : E685B5B6DAF436F0F478CC53400CCFE6 SHA-1 : 2760AE0DC2310B15B0EB2FB8857FB4906690981D PESHA-1 : AB4F6A5DDC84C86F7728DA9A9F899F391F9F226F PESHA-256 : 2653BAA13DA152435F928F7F2A7FA9AD61460B528C01A02F24D75869852522 C0 SHA-256 : BA7B4379FC57846339771AAB8586750B98CF46F5F6CF4671F51EC7FD919F6E 58 IMP : B24E0B13376B276CD4B317E5369AAD95

spaz1729 commented 6 years ago

image Here is an image as well

clong commented 6 years ago

Hey @spaz1729 - thanks for the report! We're aware of the issue and are looking into ways to resolve it.

spaz1729 commented 6 years ago

Hey Chris!

We fixed it by using this in the auto runs script.

$item = $(Write-Output $item | Out-String -Width 1000)

It seems the shell was using the default width for command prompt and wrapping he text. Using the width option solved our issue.

On Mar 7, 2018, at 4:27 PM, Chris Long notifications@github.com<mailto:notifications@github.com> wrote:

Hey @spaz1729https://github.com/spaz1729 - thanks for the report! We're aware of the issue and are looking into ways to resolve it.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/palantir/windows-event-forwarding/issues/15#issuecomment-371307642, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AYT0mZHIoMf-SGx3u0rCUYZvX2Xx3jTQks5tcF6vgaJpZM4SF0Ur.

clong commented 6 years ago

Oh awesome, thank you! We'll test out that fix and update the code to include it in the near future!

clong commented 6 years ago

Tested and verified this fix. Committed the fix in https://github.com/palantir/windows-event-forwarding/commit/779810071849421dadcd69073952cb57f78db9c9. Thanks a bunch @spaz1729 !