fix: Fixed key to ParentPGUID. Removed PID hex conversion process　#49

Yamato-Security · Oct 7, 2023 · 23280ae · 23280ae
1 parent 75bf9b6
commit 23280ae
Showing 1 changed file with 4 additions and 8 deletions.
diff --git a/src/takajopkg/timelineSuspiciousProcesses.nim b/src/takajopkg/timelineSuspiciousProcesses.nim
@@ -66,11 +66,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
             ruleTitle = jsonLine["RuleTitle"].getStr()
             computer = jsonLine["Computer"].getStr()
             process = jsonLine["Details"]["Proc"].getStr()
-            pidStr = jsonLine["Details"]["PID"].getStr()
-            try:
-              pidStr = intToStr(fromHex[int](pidStr))
-            except ValueError:
-              discard # conversion errors in fromHex are assumed to have originally been decimal.
+            pidStr = $jsonLine["Details"]["PID"].getInt()
             user = jsonLine["Details"]["User"].getStr()
             lid = jsonLine["Details"]["LID"].getStr()
             try:
@@ -115,7 +111,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
             ruleTitle = jsonLine["RuleTitle"].getStr()
             computer = jsonLine["Computer"].getStr()
             process = jsonLine["Details"]["Proc"].getStr()
-            pidInt = jsonLine["Details"]["PID"].getInt()
+            pidStr = $jsonLine["Details"]["PID"].getInt()
             user = jsonLine["Details"]["User"].getStr()
             lid = jsonLine["Details"]["LID"].getStr()
             lguid = jsonLine["Details"]["LGUID"].getStr()
@@ -163,7 +159,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
                 echo "RuleAuthor: " & ruleAuthor
                 echo "Cmdline: " & cmdLine
                 echo "Process: " & process
-                echo "PID: " & $pidInt
+                echo "PID: " & pidStr
                 echo "User: " & user
                 echo "LID: " & lid
                 echo "LGUID: " & lguid
@@ -196,7 +192,7 @@ proc timelineSuspiciousProcesses(level: string = "high", output: string = "", qu
                 singleResultTable["ProcessGUID"] = processGuid
                 singleResultTable["ParentCmdline"] = parentCmdline
                 singleResultTable["ParentPID"] = parentPid
-                singleResultTable["ParentGUID"] = parentGuid
+                singleResultTable["ParentPGUID"] = parentGuid
                 singleResultTable["Description"] = description
                 singleResultTable["Product"] = product
                 singleResultTable["Company"] = company