
[bug] ComplexData fields are not extracted correctly (csv-timeline/json-timeline/search) #1520

Open
Description

@fukusuket

Describe the bug
ComplexData fields are not extracted correctly.

Step to Reproduce

author: TEST
date: 2024/11/30
title: "TEST"
id: 9fa273cc-bcb2-4789-85e3-14ca253ac7f4
level: informational
status: test
logsource:
  product: windows
  service: system
detection:
  selection:
    Channel: System
    EventID: 26
  condition: selection

./hayabusa-2.19.0-mac-aarch64 json-timeline -d ../hayabusa-sample-evtx -r test.yml -w

Actual behavior
2.19.0

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "ComplexData": "",
        "Group": 0,
        "IdleStateCount": 1,
        "Name": ["IdleState", "PerfState"],
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8
    }
}

2.18.0

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "ComplexData": 1,
        "Group": 0,
        "IdleStateCount": 1,
        "Name": "PerfState",
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8
    }
}

Expected behavior
Perhaps the following output (expected results will need to be discussed):

{
    "Timestamp": "2016-09-20 22:07:36.609 +09:00",
    "RuleTitle": "TEST",
    "Level": "info",
    "Computer": "IE10Win7",
    "Channel": "Sys",
    "EventID": 26,
    "RecordID": 8286,
    "Details": {},
    "ExtraFieldInfo": {
        "Group": 0,
        "IdleStateCount": 1,
        "Number": 0,
        "PerfStateCount": 0,
        "ThrottleStateCount": 8,
        "IdleState": 1,
        "PerfState": ""
    }
}

Screenshots
evtx

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Kernel-Processor-Power" Guid="{0f67e49f-fe51-4e9f-b490-6f2948cc6027}" /> 
  <EventID>26</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>4</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-09-20T13:07:36.6093750Z" /> 
  <EventRecordID>8286</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="68" /> 
  <Channel>System</Channel> 
  <Computer>IE10Win7</Computer> 
  <Security UserID="S-1-5-18" /> 
  </System>
  <EventData>
  <Data Name="Group">0</Data> 
  <Data Name="Number">0</Data> 
  <Data Name="IdleStateCount">1</Data> 
  <Data Name="PerfStateCount">0</Data> 
  <Data Name="ThrottleStateCount">8</Data> 
  <ComplexData Name="IdleState">01</ComplexData> 
  <ComplexData Name="PerfState" /> 
  </EventData>
  </Event>

Environment

  • OS: macOS Sequoia 15.1.1
  • hayabusa version 2.19.0, 2.18.0 (I haven't checked, but I think it occurs in earlier versions as well)

Additional context
I think the difference between 2.19.0 and 2.18.0 is due to the merge of the following (neither version is extracting correctly).
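
The behaviour the report asks for, as an added example that is not hayabusa's code: parse the event XML above and key both <Data> and <ComplexData> children of <EventData> by their Name attribute, so the ComplexData values appear under their own names ("IdleState", "PerfState") rather than being collapsed into a "ComplexData" field and a "Name" field. The sample XML is a constructed, trimmed copy of the record in the report; the int coercion of decimal strings is an assumption made to match the JSON shown above (standard library only, no hayabusa internals).

```python
"""
Added example (not hayabusa's code): extract EventData fields from an
EVTX event rendered as XML, treating <Data Name=...> and
<ComplexData Name=...> identically, so each named value lands under its
own key in the output instead of under a shared "ComplexData"/"Name" key.
"""
import json
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Kernel-Processor-Power event 26 record from the
# report, trimmed to the elements needed here.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
  <Provider Name="Microsoft-Windows-Kernel-Processor-Power" Guid="{0f67e49f-fe51-4e9f-b490-6f2948cc6027}" />
  <EventID>26</EventID>
  <EventRecordID>8286</EventRecordID>
  <Channel>System</Channel>
  <Computer>IE10Win7</Computer>
</System>
<EventData>
  <Data Name="Group">0</Data>
  <Data Name="Number">0</Data>
  <Data Name="IdleStateCount">1</Data>
  <Data Name="PerfStateCount">0</Data>
  <Data Name="ThrottleStateCount">8</Data>
  <ComplexData Name="IdleState">01</ComplexData>
  <ComplexData Name="PerfState" />
</EventData>
</Event>
"""


def _coerce(text):
    """Assumption: mirror the report's JSON, decimal strings become ints,
    an empty element (<ComplexData Name="PerfState" />) becomes ""."""
    if text is None:
        return ""
    text = text.strip()
    if text.isdigit():  # "01" -> 1, matching the expected "IdleState": 1
        return int(text)
    return text


def extract_event_data(xml_text):
    """Return {Name: value} for every <Data>/<ComplexData> child of <EventData>.

    Unnamed <Data> children (seen in non-manifest events) are collected
    positionally under "Data" so nothing is silently dropped, and duplicate
    names are kept as a list instead of overwriting the earlier value.
    """
    root = ET.fromstring(xml_text)
    event_data = root.find("e:EventData", NS)
    fields = {}
    if event_data is None:
        return fields
    unnamed = []
    for child in event_data:
        local = child.tag.split("}", 1)[-1]  # strip the XML namespace
        if local not in ("Data", "ComplexData"):
            continue
        value = _coerce(child.text)
        name = child.get("Name")
        if name is None:
            unnamed.append(value)
        elif name in fields:
            prev = fields[name]
            fields[name] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[name] = value
    if unnamed:
        fields["Data"] = unnamed
    return fields


if __name__ == "__main__":
    print(json.dumps(extract_event_data(SAMPLE_EVENT_XML), indent=4))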

Labels: bug