-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Activity class required to represent script execution events #1156
Comments
Would you also be adding a I definitely support this idea, the Microsoft And for some color for other's, here's an example of that from a Windows honeypot running on AWS
|
@jonrau-at-queryai - Yes, I will create a |
For what it is worth, there is some script activity that we've successfully been able to translate to 'process activity', since a script runs as a process - namely, Powershell |
#### Related Issue: #1156 #### Description of changes: Added a Script Activity event class to the System category as described in the related issue. Signed-off-by: Dave McCormack <[email protected]> Co-authored-by: Paul Agbabian <[email protected]>
TL;DR - The schema needs a new activity class to represent script execution events.
Most Windows EDR products provide visibility into the execution of PowerShell, Python, VBScript, JavaScript, Office macros, etc. Win10 and later provides an API that security products can use to obtain synchronous notification when content is executed by a supported scripting engine. In the case of PowerShell, asynchronous notification via ETW is also supported. I'm not a macOS guy but my understanding is that EDRs on that platform also provide telemetry on execution of shell scripts, Python, Node, etc.
In the interests of clarity, I'd like to head off possible confusion that may arise from a narrower understanding of the term "script execution". That narrower understanding is based on the plain vanilla case where an interpreter (powershell, python, bash, wscript, cmd, etc.) starts, executes a script in a file, and then exits. Here script execution aligns with the lifetime of the interpreter process, and one might therefore think that script excecution could be represented by adding attributes to the
Process Activity
class. However, script execution in general doesn't align with process lifetime.In much the same way that a process might create thousands of files, modify thousands of registry keys, or make thousands of network connections during its lifetime, so might a process execute thousands of scripts. So just as we have unique activity classes to represent all of these other things that a process can do, so should we have an activity class for when it executes a script.
Let me give a few examples to clarify what I mean:
eval
in javascript and bash,iex
in powershell). Each dynamically executed sub-script is a separate script execution. This pattern is often seen in file-less attacks where one tiny command can download and execute the real payload.All of these script execution cases are potentially observed by an EDR, and should therefore be representable by an activity event.
I propose to address this issue in a forthcoming PR which will add a
Script Activity
class.The text was updated successfully, but these errors were encountered: