JSON fields get moved over (Refactor JSON output) #1145

YamatoSecurity · 2023-07-28T12:02:49Z

The following strings in CommandLine fields cause fields to move over in JSON output.
For example:
CommandLine: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-5a100a46-6754-48bf-98b6-dfb4c811c821 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-b38dbe39-ce8b-4a71-8054-d0accc0482d4 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-61321756-2096-4402-9b44-c68086290bbe -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-e0d636ca-60f5-4943-b7be-84693e092f71 -LifetimeId:ef873069-e8fe-4ac0-9ef4-6ab5ebfed851 -DeviceGroupId:-HostArg:0

becomes the following:

{
  "Timestamp": "2022-06-07 14:52:30.489 +00:00",
  "Computer": "WN5IELM6OTU.swutrust.local",
  "Channel": "Sec",
  "EventID": 4688,
  "Level": "info",
  "RecordID": 58393,
  "RuleTitle": "Proc Exec",
  "Details": {
    "Cmdline": "\"C:\\Windows\\System32\\WUDFHost.exe\" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\\UMDFCommunicationPorts\\WUDF\\HostProcess-5a100a46-6754-48bf-98b6-dfb4c811c821 -SystemEventPortName:\\UMDFCommunicationPorts\\WUDF\\HostProcess-b38dbe39-ce8b-4a71-8054-d0accc0482d4 -IoCancelEventPortName:\\UMDFCommunicationPorts\\WUDF\\HostProcess-61321756-2096-4402-9b44-c68086290bbe -NonStateChangingEventPortName:\\UMDFCommunicationPorts\\WUDF\\HostProcess-e0d636ca-60f5-4943-b7be-84693e092f71 -LifetimeId:ef873069-e8fe-4ac0-9ef4-6ab5ebfed851 | -HostArg:0\"",
    "-DeviceGroupId": "C:\\Windows\\System32\\WUDFHost.exe",
    "Proc": "0x4d8",
    "PID": "WN5IELM6OTU$",
    "User": "0x3e7"
  }
}

Another example: CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result:1';

becomes this in JSON:

  "Details": {
    "Cmdline": "powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final | 1';",
    "result": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Proc": "0x1c58",
    "PID": "WN5IELM6OTU$",
    "User": "0x3e7"
  }

@hitenkoku Is this difficult to fix? If this will take time, maybe we can ask @fukusuket to take a look at it?
(I can send an evtx file to test by DM.)

The text was updated successfully, but these errors were encountered:

…meline #1145

…t:" #1145

…ield value #1145

…line #1145

… added exclude key condition #1145

…d newline character from key #1145

…of details, allfieldinfo, extrafieldinfo #1145

…t value of details, allfieldinfo, extrafieldinfo #1145" This reverts commit 364b544.

… in json-timeline #1145

…d in JSON output #1145

style: cargo fmt WIP: fix(afterfact/detection/message): fixed misprocessing of details field in JSON output #1145

YamatoSecurity added the bug Something isn't working label Jul 28, 2023

hitenkoku self-assigned this Jul 28, 2023

hitenkoku added this to the v2.8.0 milestone Jul 28, 2023

hitenkoku added a commit that referenced this issue Jul 29, 2023

fix(afterfact): fixed wrong field name separate processing #1145

72bc568

hitenkoku added a commit that referenced this issue Jul 29, 2023

fix(afterfact): fixed comma separate field data processing in json-ti…

77ee339

…meline #1145

hitenkoku added a commit that referenced this issue Jul 29, 2023

fix(afterfact): fixed field wrong separate processing in "Final resul…

0df9a85

…t:" #1145

hitenkoku added a commit that referenced this issue Jul 29, 2023

docs(CHANGELOG): added #1145

fba4422

hitenkoku linked a pull request Jul 29, 2023 that will close this issue

Fixed json fields get moved over #1146

Merged

hitenkoku added a commit that referenced this issue Jul 30, 2023

feat(afterfact): fixed jq error to output file #1145

9035e75

hitenkoku added a commit that referenced this issue Aug 1, 2023

fix(afterfact): fixed ScriptBlockText gets put inside ScriptBlockId f…

a3bd812

…ield value #1145

hitenkoku added a commit that referenced this issue Aug 2, 2023

fix(afterfact): fixed wrong separate in ScriptBlockText field #1145

3b4146f

hitenkoku added a commit that referenced this issue Aug 2, 2023

fix(afterfact): fixed wrong field separate to cmd option in json-time…

e1558c1

…line #1145

hitenkoku added a commit that referenced this issue Aug 2, 2023

fix(afterfact): fixed wrong field separate #1145

b02cfac

hitenkoku added a commit that referenced this issue Aug 3, 2023

fix(afterfact): reverted json field name extract length condition and…

593af2d

… added exclude key condition #1145

hitenkoku added a commit that referenced this issue Aug 3, 2023

fix(afterfact): modified extract json key condition #1145

73579cd

hitenkoku added a commit that referenced this issue Aug 3, 2023

fix(afterfact): fixed key extract condition to exclude string include…

8f7d913

…d newline character from key #1145

hitenkoku added a commit that referenced this issue Aug 16, 2023

fix(afterfact): fixed cmdline moved over #1145

b6f0de6

hitenkoku added a commit that referenced this issue Aug 22, 2023

fix(afterfact): fixed json parse error #1145

6f3690d

hitenkoku modified the milestones: v2.8.0, v2.9.0 Aug 31, 2023

YamatoSecurity changed the title ~~JSON fields get moved over~~ JSON fields get moved over (Refactor JSON output) Aug 31, 2023

YamatoSecurity assigned fukusuket Aug 31, 2023

hitenkoku added a commit that referenced this issue Sep 2, 2023

feat: refactoring JSON output processing #1145

cb60c1d

hitenkoku added a commit that referenced this issue Sep 2, 2023

test: fixed test due to code refactoring #1145

45bcde5

hitenkoku added a commit that referenced this issue Sep 2, 2023

refactor(afterfact): to remove unused vec processing to output value …

364b544

…of details, allfieldinfo, extrafieldinfo #1145

hitenkoku added a commit that referenced this issue Sep 2, 2023

Revert "refactor(afterfact): to remove unused vec processing to outpu…

29f36d0

…t value of details, allfieldinfo, extrafieldinfo #1145" This reverts commit 364b544.

hitenkoku added a commit that referenced this issue Sep 2, 2023

fix(message): fixed error by test #1145

7b0684c

hitenkoku added a commit that referenced this issue Sep 3, 2023

fix(message): fixed processing of removing special character #1145

0266489

hitenkoku added a commit that referenced this issue Sep 3, 2023

fix(message): fixed porcessing of removing newline character #1145

4d208b0

hitenkoku added a commit that referenced this issue Sep 4, 2023

fix(message): fixed unmatched details key #1145

0b7f228

hitenkoku added a commit that referenced this issue Sep 4, 2023

UI(message): rearranged Details and ExtraFieldInfo keys slpabetically…

b44109c

… in json-timeline #1145

hitenkoku added a commit that referenced this issue Sep 5, 2023

fix(afterfact): added details key is none case #1145

7e837a0

hitenkoku added a commit that referenced this issue Sep 13, 2023

fix(afterfact/detection/message): fixed misprocessing of details fiel…

313ae24

…d in JSON output #1145

hitenkoku added a commit that referenced this issue Sep 13, 2023

fix(afterfact): added details key is none case #1145

7de9af7

style: cargo fmt WIP: fix(afterfact/detection/message): fixed misprocessing of details field in JSON output #1145

hitenkoku added a commit that referenced this issue Sep 13, 2023

fix(afterfact/message): fixed Details field output misprocessing #1145

4a93008

hitenkoku closed this as completed in #1146 Sep 21, 2023

hitenkoku added a commit that referenced this issue Oct 17, 2023

docs(CHANGELOG): modified #1145 #1189

69b90bc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JSON fields get moved over (Refactor JSON output) #1145

JSON fields get moved over (Refactor JSON output) #1145

YamatoSecurity commented Jul 28, 2023

JSON fields get moved over (Refactor JSON output) #1145

JSON fields get moved over (Refactor JSON output) #1145

Comments

YamatoSecurity commented Jul 28, 2023