![Certutil decode base64](https://cdn2.cdnme.se/5447219/9-3/40_64e618b8ddf2b365191a8b9f.jpg)
![certutil decode base64](https://1.bp.blogspot.com/-riA59iCh-Mk/Xe_FElJ4FaI/AAAAAAAALx0/9dWg4VjxAfYBYzQp2BcpX3mTNFvyWN2mgCNcBGAsYHQ/s1600/HexEditorBase64Importb64file.png)
CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used: `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Field-extraction portion of the detection search:

```
| eval timestamp = ucast(map_get(input_event,"time"),"long", null)
| eval metadata = ucast(map_get(input_event, "metadata"),"map", null)
| eval metadata_uid = ucast(map_get(metadata, "uid"),"string", null)
| eval process=ucast(map_get(input_event,"process"), "map", null)
| eval process_pid=ucast(map_get(process,"pid"), "string", null)
| eval process_file=ucast(map_get(process,"file"), "map", null)
| eval process_file_path=ucast(map_get(process_file,"path"), "string", null)
| eval process_file_name=ucast(map_get(process_file,"name"), "string", null)
| eval process_cmd_line=ucast(map_get(process,"cmd_line"), "string", null)
| eval actor=ucast(map_get(input_event,"actor"), "map", null)
| eval actor_user=ucast(map_get(actor,"user"), "map", null)
| eval actor_user_name=ucast(map_get(actor_user,"name"), "string", null)
| eval actor_process=ucast(map_get(actor,"process"), "map", null)
| eval actor_process_pid=ucast(map_get(actor_process,"pid"), "string", null)
| eval actor_process_file=ucast(map_get(actor_process,"file"), "map", null)
| eval actor_process_file_path=ucast(map_get(actor_process_file,"path"), "string", null)
| eval actor_process_file_name=ucast(map_get(actor_process_file,"name"), "string", null)
```

![certutil decode base64](https://www.sysadmins.lv/content/images/pages/6726/image_3_511ECCB6.png)
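A triage sketch for the behavior described above, added here as an example and not part of the original page or of any detection product: it flags the four switches on a certutil.exe command line and checks what a certificate-wrapped base64 file actually contains. The function names, result labels and sample inputs are constructed for illustration; `process_file_name` and `process_cmd_line` follow the field names in the search.

```python
import base64
import re

# Certificate-style wrapper that certutil encoding puts around the base64 body.
WRAPPER = re.compile(r"-+BEGIN CERTIFICATE-+(.*?)-+END CERTIFICATE-+", re.DOTALL)
# The four switches named in the text, with "-" or "/" as the switch prefix.
SWITCH = re.compile(r"(?<!\S)[-/](encodehex|decodehex|encode|decode)(?!\S)", re.I)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def certutil_switch(process_file_name, process_cmd_line):
    """Return the encode/decode switch of a certutil.exe process, else None."""
    if process_file_name.lower() != "certutil.exe":
        return None
    match = SWITCH.search(process_cmd_line)
    return match.group(1).lower() if match else None


def classify_encoded_file(text):
    """Decode a certificate-wrapped base64 file and label what it really holds."""
    match = WRAPPER.search(text)
    if not match:
        return "no-certificate-wrapper"
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    try:
        payload = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if payload[:2] == b"MZ":  # DOS header magic of a PE file
        return "pe-executable"
    if payload[:2] == b"\x30\x82":  # ASN.1 SEQUENCE with a two-byte length (DER)
        return "der-structure"
    if payload and all(byte in PRINTABLE for byte in payload[:256]):
        return "text-or-script"
    return "unknown-binary"


def wrap(payload):
    """Build a constructed sample in the wrapped base64 layout (64-char lines)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


if __name__ == "__main__":
    # Constructed samples: a stub that only carries the MZ magic, and a script line.
    print(certutil_switch("certutil.exe", "certutil.exe -decode in.txt out.bin"))
    print(classify_encoded_file(wrap(b"MZ" + bytes(62))))
    print(classify_encoded_file(wrap(b"Write-Output 'constructed sample'\r\n")))
```

A file that carries the certificate tags but decodes to anything other than a DER structure is the mismatch worth escalating during triage.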