[bug] ComplexData fields are not extracted correctly(csv-timeline/json-timeline/search) #1520

Open
fukusuket opened this issue Nov 30, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@fukusuket
Collaborator

fukusuket commented Nov 30, 2024

Describe the bug
ComplexData fields are not extracted correctly.

Steps to Reproduce

author: TEST
date: 2024/11/30
title: "TEST"
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: test
logsource:
  product: windows
  service: system
detection:
  selection:
    Channel: System
    EventID: 26
  condition: selection

./hayabusa-2.19.0-mac-aarch64 json-timeline -d ../hayabusa-sample-evtx -r test.yml -w

Actual behavior
2.19.0

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "ComplexData": "",
        "Group": 0,
        "IdleStateCount": 1,
        "Name": ["IdleState", "PerfState"],
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8
    }
}

2.18.0

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "ComplexData": 1,
        "Group": 0,
        "IdleStateCount": 1,
        "Name": "PerfState",
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8
    }
}

Expected behavior
Perhaps the following output (expected results will need to be discussed):

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "Group": 0,
        "IdleStateCount": 1,
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8,
        "IdleState": 1,
        "PerfState": ""
    }
}

Screenshots
evtx

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Kernel-Processor-Power" Guid="{0f67e49f-fe51-4e9f-b490-6f2948cc6027}" /> 
  <EventID>26</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>4</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-09-20T13:07:36.6093750Z" /> 
  <EventRecordID>8286</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="68" /> 
  <Channel>System</Channel> 
  <Computer>IE10Win7</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
  <EventData>
  <Data Name="Group">0</Data> 
  <Data Name="Number">0</Data> 
  <Data Name="IdleStateCount">1</Data> 
  <Data Name="PerfStateCount">0</Data> 
  <Data Name="ThrottleStateCount">8</Data> 
  <ComplexData Name="IdleState">01</ComplexData> 
  <ComplexData Name="PerfState" /> 
  </EventData>
  </Event>

Environment

  • OS: macOS Sequoia 15.1.1
  • hayabusa version 2.19.0, 2.18.0 (I haven't checked, but I think it occurs in earlier versions as well)

Additional context
I think the difference between 2.19.0 and 2.18.0 is due to the merge of the following (neither version is extracting correctly).

@fukusuket fukusuket added the bug Something isn't working label Nov 30, 2024
@fukusuket fukusuket changed the title [bug] ComplexData fields are not extracted correctly [bug] ComplexData fields are not extracted correctly(csv-timeline/json-timeline/search) Nov 30, 2024
@fukusuket
Collaborator Author

omerbenamram/evtx#245
evtx_dump result:

Record 4802
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "System": {
      "Provider": {
        "#attributes": {
          "Name": "Microsoft-Windows-Kernel-Processor-Power",
          "Guid": "0F67E49F-FE51-4E9F-B490-6F2948CC6027"
        }
      },
      "EventID": 26,
      "Version": 0,
      "Level": 4,
      "Task": 4,
      "Opcode": 0,
      "Keywords": "0x8000000000000000",
      "TimeCreated": {
        "#attributes": {
          "SystemTime": "2014-11-26T23:25:49.018448Z"
        }
      },
      "EventRecordID": 4802,
      "Correlation": null,
      "Execution": {
        "#attributes": {
          "ProcessID": 4,
          "ThreadID": 68
        }
      },
      "Channel": "System",
      "Computer": "IE10Win7",
      "Security": {
        "#attributes": {
          "UserID": "S-1-5-18"
        }
      }
    },
    "EventData": {
      "Group": 0,
      "Number": 0,
      "IdleStateCount": 1,
      "PerfStateCount": 0,
      "ThrottleStateCount": 8,
      "ComplexData": {
        "#attributes": {
          "Name": "PerfState"
        },
        "#text": ""
      },
      "ComplexData_1": {
        "#attributes": {
          "Name": "IdleState"
        },
        "#text": "01"
      }
    }
  }
}
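
The field resolution this issue asks for, as an added Python example (not Hayabusa's own Rust code): both the evtx_dump JSON shape quoted above (`ComplexData`, `ComplexData_1`, ... with `#attributes.Name` and `#text`) and the Event Viewer XML shape from the issue body are flattened into `Name -> value` fields, so `IdleState` and `PerfState` come out as named entries instead of a generic `ComplexData` key. The samples are constructed from the records on this page; converting digit-only text such as `01` to the integer 1 is an assumption chosen to match the proposed expected output, not a documented Hayabusa rule. `unresolved_complexdata` is a hypothetical helper that reports leftover generic keys, i.e. the shape the bug produces.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the EventData portion of the evtx_dump JSON quoted in the issue.
EVTX_DUMP_EVENTDATA = {
    "Group": 0,
    "Number": 0,
    "IdleStateCount": 1,
    "PerfStateCount": 0,
    "ThrottleStateCount": 8,
    "ComplexData": {"#attributes": {"Name": "PerfState"}, "#text": ""},
    "ComplexData_1": {"#attributes": {"Name": "IdleState"}, "#text": "01"},
}

# Constructed sample: the same record in Event Viewer XML form, trimmed to what is needed here.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>26</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="Group">0</Data>
    <Data Name="Number">0</Data>
    <Data Name="IdleStateCount">1</Data>
    <Data Name="PerfStateCount">0</Data>
    <Data Name="ThrottleStateCount">8</Data>
    <ComplexData Name="IdleState">01</ComplexData>
    <ComplexData Name="PerfState" />
  </EventData>
</Event>"""

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# evtx_dump disambiguates repeated elements as ComplexData, ComplexData_1, ComplexData_2, ...
COMPLEX_KEY = re.compile(r"^ComplexData(_\d+)?$")


def coerce(text):
    """Turn element text into an output value.

    Assumption (not the project's rule): digit-only text becomes an int so that
    "01" renders as 1, matching the issue's expected output; an empty element
    such as PerfState becomes "".
    """
    if text is None:
        return ""
    text = text.strip()
    return int(text) if text.isdigit() else text


def flatten_eventdata_json(eventdata):
    """Resolve ComplexData* entries of an evtx_dump record into Name -> value fields."""
    out = {}
    for key, value in eventdata.items():
        if COMPLEX_KEY.match(key) and isinstance(value, dict):
            name = value.get("#attributes", {}).get("Name")
            # Fall back to the raw key if the element has no Name, so nothing is silently dropped.
            out[name or key] = coerce(value.get("#text"))
        else:
            out[key] = value
    return out


def flatten_eventdata_xml(xml_text):
    """Same resolution, driven from the XML rendering of the event."""
    root = ET.fromstring(xml_text)
    eventdata = root.find("e:EventData", EVT_NS)
    out = {}
    for child in eventdata:
        local = child.tag.split("}", 1)[-1]  # strip the namespace prefix
        if local in ("Data", "ComplexData"):
            out[child.get("Name") or local] = coerce(child.text)
    return out


def unresolved_complexdata(fields):
    """Keys that still carry the generic ComplexData name, i.e. the buggy shape from the issue."""
    return sorted(k for k in fields if COMPLEX_KEY.match(k))


if __name__ == "__main__":
    print(json.dumps(flatten_eventdata_json(EVTX_DUMP_EVENTDATA), indent=2))
    print(json.dumps(flatten_eventdata_xml(SAMPLE_XML), indent=2))
```

Both paths produce the same dictionary, with `IdleState` and `PerfState` as top-level fields and no `ComplexData` key left over; `unresolved_complexdata` returns an empty list on that result and the two generic keys on the raw evtx_dump input, which is the check a regression test for this issue would make.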
