From f4b438522c7ddfb6640d005a6dcf486e28838853 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 20 Jan 2025 20:10:08 +0900
Subject: [PATCH 1/3] feat: add PowerShell Classic EID 400 to extract-base64 cmd

---
 src/timeline/extract_base64.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/timeline/extract_base64.rs b/src/timeline/extract_base64.rs
index 558467f18..f70bb7f2e 100644
--- a/src/timeline/extract_base64.rs
+++ b/src/timeline/extract_base64.rs
@@ -55,6 +55,7 @@ enum Event {
 Sysmon1,
 PwSh4104,
 PwSh4103,
+ PwShClassic400,
 }
 
 impl fmt::Display for Event {
@@ -64,6 +65,7 @@ impl fmt::Display for Event {
 Event::Sysmon1 => write!(f, "Sysmon 1"),
 Event::PwSh4104 => write!(f, "PwSh 4104"),
 Event::PwSh4103 => write!(f, "PwSh 4103"),
+ Event::PwShClassic400 => write!(f, "PwShClassic 400"),
 }
 }
 }
@@ -230,6 +232,9 @@ fn extract_payload(data: &Value) -> Vec<(Value, Event)> {
 } else if ch == "Microsoft-Windows-PowerShell/Operational" && id == 4103 {
 let v = data["Event"]["EventData"]["Payload"].clone();
 values.push((v, Event::PwSh4103));
+ } else if ch == "Windows PowerShell" && id == 400 {
+ let v = data["Event"]["EventData"]["Data"].clone();
+ values.push((v, Event::PwShClassic400));
 }
 }
 }

From 9657e0d77e99e84e692bea150ba7309fe143b0e1 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 20 Jan 2025 20:26:23 +0900
Subject: [PATCH 2/3] feat: add PowerShell Classic EID 400 to extract-base64 cmd

---
 src/timeline/extract_base64.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/timeline/extract_base64.rs b/src/timeline/extract_base64.rs
index f70bb7f2e..71b20a264 100644
--- a/src/timeline/extract_base64.rs
+++ b/src/timeline/extract_base64.rs
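Review bot: The new `} else if ch == "Windows PowerShell" && id == 400 {` arm carries no comment explaining why this channel/ID pair is a base64 source, and unlike the 4103/4104 arms it pulls a positional `Data` array instead of a named field, so a later reader cannot tell which part of the event is meant; add `// Classic PowerShell EID 400 (engine start): the launching command line (HostApplication, where -EncodedCommand shows up) is inside EventData.Data, not a named field` above the `let v` line. As written the value pushed is the whole `Data` array rather than one string; the next commit in this series narrows it to one element, so the comment should name that element. In my experience EID 403 and 600 in the same channel carry the same HostApplication block, so they may be worth matching too, but confirm against a sample .evtx before widening the condition. `extract_payload` begins and ends outside this hunk.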
@@ -233,7 +233,7 @@ fn extract_payload(data: &Value) -> Vec<(Value, Event)> {
 let v = data["Event"]["EventData"]["Payload"].clone();
 values.push((v, Event::PwSh4103));
 } else if ch == "Windows PowerShell" && id == 400 {
- let v = data["Event"]["EventData"]["Data"].clone();
+ let v = data["Event"]["EventData"]["Data"][2].clone();
 values.push((v, Event::PwShClassic400));
 }
 }

From 0b8ac01a84db942c68ddefc56587655c105aae00 Mon Sep 17 00:00:00 2001
From: YamatoSecurity
Date: Tue, 21 Jan 2025 11:15:20 +0900
Subject: [PATCH 3/3] update changelog

---
 CHANGELOG-Japanese.md | 3 ++-
 CHANGELOG.md | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 853b3299d..98b8e6040 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -1,11 +1,12 @@
 # 変更点
 
-## 3.1.0 [xxxx/xx/xx]
+## 3.1.0 [2025/02/22] - Ninja Day Release
 
 **改善:**
 
 - `search`コマンドに`--timeline-start/--timeline-end`オプションを追加した。 (#1543) (@fukuseket)
 - チャンネルフィルタリングで `logon-summary` コマンドの速度を大幅に改善した。 (#1544) (@fukusuket)
+- `extract-base64`コマンドが`PowerShell Classic EID 400`イベントも対象するようになった。 (#1549) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0aa3c1e7d..4a1a01b09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,12 @@
 # Changes
 
-## 3.1.0 [xxxx/xx/xx]
+## 3.1.0 [2025/02/22] - Ninja Day Release
 
 **Enhancements:**
 
 - Added `--timeline-start/--timeline-end` options to the `search` command. (#1543) (@fukuseket)
 - Significantly improved the speed of the `logon-summary` command with channel filtering. (#1544) (@fukusuket)
+- The `extract-base64` command now also works on `PowerShell Classic EID 400` events. (#1549) (@fukusuket)
 
 ## 3.0.1 [2024/12/29] - 3rd Year Anniversary Release
 
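Review bot: The bare `["Data"][2]` on the changed line is a magic index with nothing stating what the third element is; add `// EID 400 EventData.Data[2] is the "NewEngineState=…\n\tHostApplication=…" text block; HostApplication holds the launching command line (e.g. -EncodedCommand)` above it, or hoist the index into a named `const`. Assuming `Value` is serde_json's, indexing a missing key or a too-short array yields `Null` rather than panicking, so a record whose `Data` was parsed into a different shape (fewer elements, or a single string) is dropped silently instead of being reported — if the command is meant to surface every candidate, a debug log when the lookup is `Null` would make such misses visible. The whole block, not just the HostApplication line, is handed to the base64 extractor, so the other `key=value` lines ride along; that is fine only if the extractor tolerates surrounding text, otherwise slice to the `HostApplication=` line first. `extract_payload` starts and ends outside this hunk.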