New command: `stack-processes` #93

YamatoSecurity · 2024-02-09T22:58:25Z

stack-processes: stack executed processes

This command basically does this:

cat ../hayabusa/sample.json l | jq 'select(.EventID==1 or .EventID==4688) | .Details.Proc' -r | sort | uniq -c | sort -rn
7032 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
3556 C:\Windows\System32\cmd.exe
2552 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2136 C:\Windows\System32\conhost.exe
1024 C:\Windows\System32\dllhost.exe
 984 C:\Windows\System32\SearchFilterHost.exe
 932 C:\Windows\System32\SearchProtocolHost.exe
 594 C:\Windows\System32\cscript.exe
 586 C:\Program Files\Windows Media Player\wmpnscfg.exe
 540 C:\Windows\System32\PING.EXE
 426 C:\Windows\System32\rundll32.exe
 386 C:\Program Files\Google\Chrome\Application\chrome.exe
...

default output to stdout can be same as above with an option to save to a CSV file.
Also should include 2 options to filter out either Sysmon 1 logs (--ignoreSysmon) or Security 4688 logs (--ignoreSecurity).

The text was updated successfully, but these errors were encountered:

YamatoSecurity added the enhancement New feature or request label Feb 9, 2024

YamatoSecurity added this to the v2.4.0 milestone Feb 9, 2024

YamatoSecurity assigned fukusuket Feb 9, 2024

fukusuket mentioned this issue Feb 10, 2024

feat: add stack-processes command #101

Merged

YamatoSecurity closed this as completed in #101 Feb 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New command: `stack-processes` #93

New command: `stack-processes` #93

YamatoSecurity commented Feb 9, 2024

New command: stack-processes #93

New command: stack-processes #93

Comments

YamatoSecurity commented Feb 9, 2024

New command: `stack-processes` #93

New command: `stack-processes` #93