Merge pull request #1550 from Yamato-Security/1549-Add-PowerShellClas…

…sic-EID400-extract-base64 1549 add power shell classic eid400 to extract-base64
Yamato-Security · Jan 21, 2025 · 029b7f9 · 029b7f9
2 parents 2c362b6 + 0b8ac01
commit 029b7f9
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -1,11 +1,12 @@
 # 変更点
 
-## 3.1.0 [xxxx/xx/xx]
+## 3.1.0 [2025/02/22] - Ninja Day Release
 
 **改善:**
 
 - `search`コマンドに`--timeline-start/--timeline-end`オプションを追加した。 (#1543) (@fukuseket)
 - チャンネルフィルタリングで `logon-summary` コマンドの速度を大幅に改善した。 (#1544) (@fukusuket)
+- `extract-base64`コマンドが`PowerShell Classic EID 400`イベントも対象するようになった。 (#1549) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,11 +1,12 @@
 # Changes
 
-## 3.1.0 [xxxx/xx/xx]
+## 3.1.0 [2025/02/22] - Ninja Day Release
 
 **Enhancements:**
 
 - Added `--timeline-start/--timeline-end` options to the `search` command. (#1543) (@fukuseket)
 - Significantly improved the speed of the `logon-summary` command with channel filtering. (#1544) (@fukusuket)
+- The `extract-base64` command now also works on `PowerShell Classic EID 400` events. (#1549) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 

diff --git a/src/timeline/extract_base64.rs b/src/timeline/extract_base64.rs
@@ -55,6 +55,7 @@ enum Event {
     Sysmon1,
     PwSh4104,
     PwSh4103,
+    PwShClassic400,
 }
 
 impl fmt::Display for Event {
@@ -64,6 +65,7 @@ impl fmt::Display for Event {
             Event::Sysmon1 => write!(f, "Sysmon 1"),
             Event::PwSh4104 => write!(f, "PwSh 4104"),
             Event::PwSh4103 => write!(f, "PwSh 4103"),
+            Event::PwShClassic400 => write!(f, "PwShClassic 400"),
         }
     }
 }
@@ -230,6 +232,9 @@ fn extract_payload(data: &Value) -> Vec<(Value, Event)> {
             } else if ch == "Microsoft-Windows-PowerShell/Operational" && id == 4103 {
                 let v = data["Event"]["EventData"]["Payload"].clone();
                 values.push((v, Event::PwSh4103));
+            } else if ch == "Windows PowerShell" && id == 400 {
+                let v = data["Event"]["EventData"]["Data"][2].clone();
+                values.push((v, Event::PwShClassic400));
             }
         }
     }