Issues with recently added Script Activity class #1197
Comments
pagbabian-splunk
pushed a commit
that referenced
this issue
Oct 15, 2024
#### Related Issue: #1197 #### Description of changes: As described in the issue but to recap: - Added an ~`is_script_truncated`~ `is_script_content_truncated` flag. - Added an entry to the `type_id` enum in the `script` object. - Improved descriptions in previous PR as requested at the time. Signed-off-by: Dave McCormack <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
PR 1159 added the
Script Activityevent class to the schema. It was authored by myself and merged on 22nd August. Within a week of this, I realised on trying to implement this in our product there were two omissions in this original PR:type_idenum for VBA macros as used in Word docs, Excel sheets, etc. As folks will no doubt be aware, this is one of the most common techniques used by adversaries.scriptobject, I forgot to provide a flag so that the product could indicate that it had truncated the script.Additonally, at the time of the original PR I was asked to clarify the language in some of the descriptions for the new schema objects.
I actually did all of the above locally at the time but forgot to open an issue and PR here until about 10 minutes ago. Sorry! I'll open a PR for this issue in a few mins.
The text was updated successfully, but these errors were encountered: