
"The description string for parameter reference (%1) could not be found" occurs when reading DeepBlueCLI EVTX #48

Closed
hitenkoku opened this issue Sep 20, 2021 · 4 comments
Labels: bug

Comments

@hitenkoku (Collaborator)

hitenkoku commented Sep 20, 2021

I confirmed that the following error appears when reading DeepBlueCLI's EVTX files.

PS >.\WELA.ps1 -LogDirectory ..\DeepBlueCLI\evtx\ -UseDetectRules 0 -EventIDStatistics
██╗ ██╗███████╗██╗ █████╗
██║ ██║██╔════╝██║ ██╔══██╗
██║ █╗ ██║█████╗ ██║ ███████║
██║███╗██║██╔══╝ ██║ ██╔══██║
╚███╔███╔╝███████╗███████╗██║ ██║
╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝
New Era of Windows Event Log Analyzer!
by Yamato Security
...
イベントIDを集計します。
少々お待ちください。

Get-WinEvent: \WELA\WELA.ps1:363:13
Line |
363 | $logs = Get-WinEvent -FilterHashtable $WineventFilter -Oldest
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| パラメーター参照 (%1) の説明の文字列が見つかりませんでした。

Get-WinEvent: \WELA\WELA.ps1:363:13
Line |
363 | $logs = Get-WinEvent -FilterHashtable $WineventFilter -Oldest
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| パラメーター参照 (%1) の説明の文字列が見つかりませんでした。

@hitenkoku hitenkoku added the bug Something isn't working label Sep 20, 2021
@hitenkoku (Collaborator, Author)

hitenkoku commented Sep 20, 2021

Checking the file in question, it turned out to be DeepBlueCLI\evtx\many-events-system.evtx.

DeepBlueCLI retrieves events by specifying event IDs, so the affected log record was apparently outside its retrieval range, which is why it did not error there. (When I removed the event ID condition in DeepBlueCLI, the same error occurred.)

The cause seems to be that the error occurs when there is a record containing %%; I searched, but the only workaround seems to be the following.

As a countermeasure, a fix to PowerShell's own code is proposed in the issue below, but since no pull request has been submitted, the problem appears to remain unresolved.

PowerShell/PowerShell#7664

@hitenkoku (Collaborator, Author)

I checked, and it only ended up skipping the read of the affected record.

@hitenkoku (Collaborator, Author)

In the current state it is not caught and gets written to standard error, so it would be better to catch it and at least emit a warning message.
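Two mitigations for the error discussed in this thread, as an added example that is not WELA's own code: a Get-WinEvent wrapper that turns the per-record errors into warnings (the approach the thread settles on), and a reader built on the .NET EventLogReader that keeps the affected records by falling back to their raw EventData. Function names, the sample path, and the assumption that the failure is raised per record by FormatDescription() are mine, not the page's.

```powershell
# Added example (not WELA's own code). Handles the per-record Get-WinEvent error
# "The description string for parameter reference (%1) could not be found", raised
# when a record has a %%nnnn parameter reference whose parameter message file is
# missing. Function names are hypothetical.
using namespace System.Diagnostics.Eventing.Reader

function Get-WinEventWithWarning {
    # Mitigation 1 (what the thread proposes): keep Get-WinEvent, but collect its
    # non-terminating per-record errors and surface them as warnings instead of
    # letting them spill onto stderr. Affected records are still dropped.
    param([Parameter(Mandatory)][hashtable]$FilterHashtable)
    $readErrors = @()
    $events = Get-WinEvent -FilterHashtable $FilterHashtable -Oldest `
        -ErrorAction SilentlyContinue -ErrorVariable readErrors
    foreach ($err in $readErrors) {
        Write-Warning ("Get-WinEvent on {0}: {1}" -f $FilterHashtable['Path'], $err.Exception.Message)
    }
    return $events
}

function Get-EventDataFromXml {
    # <EventData><Data Name="..."> elements to a hashtable; raw XML needs no message resources.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = [ordered]@{}
    foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $name = $d.GetAttribute('Name')
        if (-not $name) { $name = "Data$($data.Count)" }   # unnamed inserts
        $data[$name] = $d.InnerText
    }
    return $data
}

function Read-EvtxWithFallback {
    # Mitigation 2: read the file through the .NET EventLogReader so a record whose
    # message cannot be rendered is warned about and KEPT (with its EventData).
    param(
        [Parameter(Mandatory)][string]$Path,
        [int[]]$EventId    # optional ID filter, like the FilterHashtable ID key
    )
    $xpath = '*'
    if ($EventId) {
        $xpath = '*[System[(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'
    }
    $query = [EventLogQuery]::new($Path, [PathType]::FilePath, $xpath)
    $query.ReverseDirection = $false          # oldest first, like Get-WinEvent -Oldest
    $reader = [EventLogReader]::new($query)
    $unrendered = 0
    try {
        while ($null -ne ($record = $reader.ReadEvent())) {
            $message = $null
            try {
                # The call that fails for unresolved %%nnnn references; catch it
                # per record so one bad record does not affect the others.
                $message = $record.FormatDescription()
            }
            catch {
                $unrendered++
                Write-Warning ("Record {0} (Event ID {1}): {2}" -f $record.RecordId, $record.Id, $_.Exception.Message)
            }
            [pscustomobject]@{
                TimeCreated  = $record.TimeCreated
                RecordId     = $record.RecordId
                Id           = $record.Id
                ProviderName = $record.ProviderName
                Message      = $message      # $null when rendering failed
                EventData    = Get-EventDataFromXml -Xml $record.ToXml()
            }
            $record.Dispose()
        }
    }
    finally { $reader.Dispose() }
    if ($unrendered -gt 0) {
        Write-Warning "$unrendered record(s) in $Path had no renderable message; their EventData was kept."
    }
}
```

`Read-EvtxWithFallback -Path '..\DeepBlueCLI\evtx\many-events-system.evtx' | Group-Object Id` gives event ID statistics without losing the records Get-WinEvent drops. Note that -ErrorAction SilentlyContinue in the wrapper also silences Get-WinEvent's "no events were found" error, so callers must check for an empty result themselves.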

@hitenkoku hitenkoku self-assigned this Sep 28, 2021
@hitenkoku hitenkoku added bug Something isn't working and removed bug Something isn't working labels Sep 29, 2021
hitenkoku added a commit that referenced this issue Nov 2, 2021
* create framework
separate util function #28

* create SIGMA Rule Read Framework #28

* create framework add ntlm logon sigma rule test
Fixes #28

* fix rule stack #28

* add detection call fix other script call #28

* erase duplicate process

* fix add-rule template & erase debug print #28

* add SIGMA Powershell Code(not adjust WELA)

* add SIGMA rule adjust WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* moved categorize folder

* adjust multi rule

* fix detected message

* checked powershell category rules #28

* fix error

* moved dir checked process creation category #28

* checked rules and adjust multi rules #28

* moved SIGMA rule to category directory #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed head comment out

* fixed head comment out

* fixed lacked if case

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* replace sigmac powershell convert result

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed sigmac translate error #28

* fix lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* unification detectedMessage variable expression

* unification detectedMessage variable expression

* change format to multi detect rules #28

* fixed syntax error #28

* add param and help #28

* erased duplicate file to not execute same detection check

* fix output detail to Rules/SIGMA #21 #28

* erase unnecessary liveanalysis parameter #28

* erase unnecessary liveanalysis param #28

* due to remove liveanalysis argument from add-rule

* added DeepBlueCLI Util Function #30

* add DeepBlueCLI Rule(4688-ProcessCreate) #30

* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert) #30

* add DeepBlueCLI Rule(4720-ProcessCreate) #30

* add providername condition and fix error #30

* fix index to creator and fix func check-command argumentation #30

* fixed multi record process #30

* fixed adjust multi record #30

* fixed adjust multi record in 4688DeepblueRule #30

* add DeepBlueCLI RULE(4728_4732_4756) #30

* remove unnecessary foreach

* add DeepBlueCLI Rule(4625)

* rename 4625

* fixed lacked extension 4625

* erased unnecessary if

* add DeepBlueCLI Rule(4673 Security) #30

* add DeepBlueCLI Rule(4674 Security) #30

* add 4624 and 4628 password spray attack WELA Rule

* fix file name

* fix filename and event ID in passwordsprayattack

* adjust argument dateformat

* add DeepBlueCLI Rule(1102 Security) #30

* fix typo

* fixed where object search providername #30

* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30

* add DeepBlueCLI Rule(104 System) #30

* add DeepBlueCLI Rule(7030 System) #30

* add DeepBlueCLI Rule(7036 System) #30

* add DeepBlueCLI Rule(7040 System) #30

* add DeepBlueCLI Rule(2 Application) #30

* erase omission of copied data

* add DeepBlueCLI Rule(8003 Applocker) #30

* fix detected message

* add DeepBlueCLI Rule(8004 Applocker) #30

* add DeepBlueCLI Rule(4103 PowerShell) #30

* add DeepBlueCLI Rule(4104 PowerShell) #30

* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30

* add DeepBlueCLI Rule(7 Sysmon) #30

* change scope when execute rule #21 #28 #30

* fix syntax error #21 #28

* erased unnecessary module load #21 #28 #30

* remove duplicate process when resolve conflict merge main

merge log 17f4f13

* fix autoformatter change

* fix autoformat

* remove unnecessary global variable #28

* fix autoformatting

* add parameter to scriptblock

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix Wrong Filter WELA-Rules #30
change ProviderName to LogName

* fix single escape sequence

* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event

* fix detect output format

* fix argumentation in detect function on Rules #21 #28 #30

* add contributors accounts

* fix UseDetectRule output color

* fix function call error

* add Get-WinEvent exception warning output #48

* fix if statement condition

* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30

* erase test output

* fix error when SaveOutput is Null #49

* fix rulename and detected message in 7045-servicecreated

* comment out output executing rule name

* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28

WELA-Rule:All Completed
SIGMA: 20 Completed

* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30

WELA-Rule:All Completed
SIGMA: All Completed

* lacked DeepBlueCLI Result object #30

* add recurse property to Logdirectory file search

* add regexes and whitelists and error fix on utils.ps1 #30

- add regexes and whitelist
- fix error check when commandline is null

* fix event variable is wrong #30

* erase debug output

* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30

* fix error

- lacked variable call to set_item method
- lacked converting firstdetecttime to DateTime type

* fixed for loop

* Fixed saveoutput case #49

* changed no output executerule case of UseDetectRules is 0 #28

* removed debug output

* changed no output executerule case of UseDetectRules is 0 #28

* fix LogonTimeline outputflag lacked initialize in WELA #51

* fix cmdlet is not verb

* get rid of lint warn #37

* fix case of 0 divide in LogonTimeline #52

* output change no match logon record #53

- add output case of no match in get-winevent

- removed output logon output when LogonEvents count is 0

* output filename in EventIDStatistics mode #54

* removed duplicate filesize output #54

* fix output header evtx files in LogDirectory in EventIDStatistics mode #55

* changed Output Format on DeepBlueCLI Rule #30

* fixed powershell invoke deepbluecli rule logname wrong #30

* fixed lacked count on DeepblueCLI Rule(4625) #30

* erase debug output

* fixed error occurring module import error

* commented converted powershell

* fix rule import argument

* fixed rule singlequote error

* fix double quote lack error

* commented converted powershell

* fixed lacked get-winevent remove

* fixed lack of convert escape sequence in match

* fix result output write-host to write-output

* fix output rule import error to write-host

* fix lacked arg in write-output when output empty row

* adapt formatter

* Feature/add remote computer live analysis #31 (#56)

* Add_RDP_analysis_#14

* Add RemoteLiveAnalysis function

* Add remote machine analysis

* Add Help Messages

* Update subtitle

* Remove the process of checking the execution-policy.

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

* adapt formatter

* fix rule condition

change match to eq

* used arraylist add method

* remove unnecessary process

* fixed check command return

* fixed error output condition case of logfile specified and not liveanalysis is false

* fixed detection process due sorted difference from DeepBlueCLI

* fixed lacked argument call check-command

* adapt formatter

* add DeepBlueCLI passspray detection logic

* fixed passwordguess detection logic #28

* moved show-contributors to utils.ps1

* default servicecd value set

* fixed lacked initialize

* fixed null result output

* fixed typo fixed

* AV to read SIGMA mimikatz Rule

* add IDs

* fixed mimikatz detection check script blocked by AMSI

* fixed result is null execution case

* fixed not exist registry value error

* fixed read template ps1 file

* fixed process view #28

* fixed null check

* fixed match rule

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
@hitenkoku (Collaborator, Author)

Fix complete. Closing since it has been merged.

hitenkoku added a commit that referenced this issue Nov 3, 2021
* fixed match contents #21

* comment out debug write-out statement

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
YamatoSecurity added a commit that referenced this issue Dec 24, 2021