Added Script Activity event class. (#1159)

#### Related Issue: #1156 #### Description of changes: Added a Script Activity event class to the System category as described in the related issue. Signed-off-by: Dave McCormack <[email protected]> Co-authored-by: Paul Agbabian <[email protected]>
ocsf · Aug 22, 2024 · d90dcfc · d90dcfc
1 parent fe3ec22
commit d90dcfc
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -42,6 +42,7 @@ Thankyou! -->
 ### Added
 * #### Event Classes
     1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+    2. Added `Script Activity` event class to the System category. #1159
 
 ### Improved
 * #### Objects

diff --git a/dictionary.json b/dictionary.json
@@ -3199,6 +3199,11 @@
       "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
       "type": "process"
     },
+    "parent_uid": {
+      "caption": "Parent Unique ID",
+      "description": "The unique identifier of an object's parent object. See specific usage.",
+      "type": "string_t"
+    },
     "path": {
       "caption": "Path",
       "description": "The path that pertains to the event or object. See specific usage.",
@@ -3929,6 +3934,17 @@
         }
       }
     },
+    "script": {
+      "caption": "Script",
+      "description": "The script object.",
+      "type": "script"
+    },
+    "script_content": {
+      "observable": 36,
+      "caption": "Script Content",
+      "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding.",
+      "type": "string_t"
+    },
     "section_a": {
       "caption": "JA4 Section A",
       "description": "The 'a' section of the JA4 fingerprint.",

diff --git a/events/system/script.json b/events/system/script.json
@@ -0,0 +1,21 @@
+{
+  "caption": "Script Activity",
+  "description": "Script Activity events report when a process executes a script.",
+  "extends": "system",
+  "name": "script_activity",
+  "uid": 9,
+  "attributes": {
+    "activity_id": {
+      "enum": {
+        "1": {
+          "caption": "Execute"
+        }
+      }
+    },
+    "script": {
+      "description": "The script that was the target of the activity.",
+      "group": "primary",
+      "requirement": "required"
+    }
+  }
+}
diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json
@@ -34,6 +34,7 @@
       "url",
       "user",
       "job",
+      "script",
       "reg_key",
       "reg_value",
       "win_service"

diff --git a/objects/evidences.json b/objects/evidences.json
@@ -71,6 +71,10 @@
     "job": {
       "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
       "requirement": "recommended"
+    },
+    "script": {
+      "description": "Describes details about the script that was associated with the activity that triggered the detection.",
+      "requirement": "recommended"
     }
   },
   "constraints": {
@@ -90,7 +94,8 @@
       "src_endpoint",
       "url",
       "user",
-      "job"
+      "job",
+      "script"
     ]
   }
 }
diff --git a/objects/script.json b/objects/script.json
@@ -0,0 +1,63 @@
+{
+  "caption": "Script",
+  "description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.",
+  "extends": "object",
+  "name": "script",
+  "attributes": {
+    "file": {
+      "description": "Present if this script is associated with a file. Not present in the case of a file-less script.",
+      "requirement": "optional"
+    },
+    "hashes": {
+      "description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the <code>script_content</code> attribute.",
+      "requirement": "recommended"
+    },
+    "parent_uid": {
+      "description": "When a script is a dynamically executed sub-script, and when the underlying script engine supports use of the <code>uid</code> attribute, this <code>parent_uid</code> attribute identifies the parent script.",
+      "requirement": "optional"
+    },
+    "script_content": {
+      "requirement": "required"
+    },
+    "type": {
+      "description": "The script type, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the event source.",
+      "requirement": "optional"
+    },
+    "type_id": {
+      "description": "The normalized script type ID.",
+      "requirement": "required",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The script type is unknown."
+        },
+        "1": {
+          "caption": "Windows Command Prompt"
+        },
+        "2": {
+          "caption": "PowerShell"
+        },
+        "3": {
+          "caption": "Python"
+        },
+        "4": {
+          "caption": "JavaScript"
+        },
+        "5": {
+          "caption": "VBScript"
+        },
+        "6": {
+          "caption": "Unix Shell"
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The script type is not mapped. See the <code>type</code> attribute which contains an event source specific value."
+        }
+      }
+    },
+    "uid": {
+      "description": "Some script engines assign a unique ID to each individual execution of a given script, e.g. PowerShell's Script Block ID. This <code>uid</code> attribute enables a dynamically executed sub-script to refer to its parent.",
+      "requirement": "optional"
+    }
+  }
+}