diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7e427fa4..8e34c8f9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ Thankyou! -->
 ### Added
 * #### Event Classes
 1. Added `OSINT Inventory Info` event class to the Discovery category. #1154
+ 2. Added `Script Activity` event class to the System category. #1159
 ### Improved
 * #### Objects
diff --git a/dictionary.json b/dictionary.json
index 2ced1b5ed..8a6c390f7 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -3199,6 +3199,11 @@
 "description": "The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting.",
 "type": "process"
 },
+ "parent_uid": {
+ "caption": "Parent Unique ID",
+ "description": "The unique identifier of an object's parent object. See specific usage.",
+ "type": "string_t"
+ },
 "path": {
 "caption": "Path",
 "description": "The path that pertains to the event or object. See specific usage.",
@@ -3925,6 +3930,17 @@
 }
 }
 },
+ "script": {
+ "caption": "Script",
+ "description": "The script object.",
+ "type": "script"
+ },
+ "script_content": {
+ "observable": 36,
+ "caption": "Script Content",
+ "description": "The script content, normalized to UTF-8 encoding irrespective of its original encoding.",
+ "type": "string_t"
+ },
 "section_a": {
 "caption": "JA4 Section A",
 "description": "The 'a' section of the JA4 fingerprint.",
diff --git a/events/system/script.json b/events/system/script.json
new file mode 100644
index 000000000..06830137d
--- /dev/null
+++ b/events/system/script.json
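Review bot: The new `script_content` dictionary entry is an observable (36) whose value is "normalized to UTF-8 encoding", but the description does not say whether a byte-order mark and line endings are normalized too; two producers that differ on that will emit different observable values for the same script, and correlation or allow/deny matching on the observable will miss. Consider fixing the rule in the description, e.g. appending `Line endings and any byte-order mark are preserved from the original.` or whichever rule is intended. Whether observable id 36 is unused elsewhere cannot be checked from this hunk.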
@@ -0,0 +1,21 @@
+{
+ "caption": "Script Activity",
+ "description": "Script Activity events report when a process executes a script.",
+ "extends": "system",
+ "name": "script_activity",
+ "uid": 9,
+ "attributes": {
+ "activity_id": {
+ "enum": {
+ "1": {
+ "caption": "Execute"
+ }
+ }
+ },
+ "script": {
+ "description": "The script that was the target of the activity.",
+ "group": "primary",
+ "requirement": "required"
+ }
+ }
+}
diff --git a/extensions/windows/objects/evidences.json b/extensions/windows/objects/evidences.json
index 9b4dff146..e8086b8e8 100644
--- a/extensions/windows/objects/evidences.json
+++ b/extensions/windows/objects/evidences.json
@@ -34,6 +34,7 @@
 "url",
 "user",
 "job",
+ "script",
 "reg_key",
 "reg_value",
 "win_service"
diff --git a/objects/evidences.json b/objects/evidences.json
index 8b41cc88c..95f431f20 100644
--- a/objects/evidences.json
+++ b/objects/evidences.json
@@ -71,6 +71,10 @@
 "job": {
 "description": "Describes details about the scheduled job that was associated with the activity that triggered the detection.",
 "requirement": "recommended"
+ },
+ "script": {
+ "description": "Describes details about the script that was associated with the activity that triggered the detection.",
+ "requirement": "recommended"
 }
 },
 "constraints": {
@@ -90,7 +94,8 @@
 "src_endpoint",
 "url",
 "user",
- "job"
+ "job",
+ "script"
 ]
 }
 }
\ No newline at end of file
diff --git a/objects/script.json b/objects/script.json
new file mode 100644
index 000000000..6050053a1
--- /dev/null
+++ b/objects/script.json
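Review bot: The class description says the event reports "when a process executes a script", yet the attribute block declares only `script`; whether the executing process is reachable through something the `system` base class contributes is not visible in this hunk. If it is, the `script` description should say where the process lives so producers populate both consistently; if it is not, the class needs an explicit process attribute, otherwise a detection engineer cannot tie the script back to its host process. `activity_id` defines only `1`, so the base class is presumably the one contributing `0`/`99` — worth confirming, since a class-level enum that omits Unknown/Other is not extensible.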
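Review bot: The second hunk of objects/evidences.json still ends with `\ No newline at end of file` on the new side; since the commit already touches the closing lines of the file, this is the moment to add the trailing newline so the next change to the constraints list does not produce a spurious diff. The `script` evidence entry itself mirrors the `job` entry's wording and requirement, which is consistent.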
@@ -0,0 +1,63 @@
+{
+ "caption": "Script",
+ "description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.",
+ "extends": "object",
+ "name": "script",
+ "attributes": {
+ "file": {
+ "description": "Present if this script is associated with a file. Not present in the case of a file-less script.",
+ "requirement": "optional"
+ },
+ "hashes": {
+ "description": "An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute.",
+ "requirement": "recommended"
+ },
+ "parent_uid": {
+ "description": "When a script is a dynamically executed sub-script, and when the underlying script engine supports use of the uid attribute, this parent_uid attribute identifies the parent script.",
+ "requirement": "optional"
+ },
+ "script_content": {
+ "requirement": "required"
+ },
+ "type": {
+ "description": "The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "description": "The normalized script type ID.",
+ "requirement": "required",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The script type is unknown."
+ },
+ "1": {
+ "caption": "Windows Command Prompt"
+ },
+ "2": {
+ "caption": "PowerShell"
+ },
+ "3": {
+ "caption": "Python"
+ },
+ "4": {
+ "caption": "JavaScript"
+ },
+ "5": {
+ "caption": "VBScript"
+ },
+ "6": {
+ "caption": "Unix Shell"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The script type is not mapped. See the type attribute which contains an event source specific value."
+ }
+ }
+ },
+ "uid": {
+ "description": "Some script engines assign a unique ID to each individual execution of a given script, e.g. PowerShell's Script Block ID. This uid attribute enables a dynamically executed sub-script to refer to its parent.",
+ "requirement": "optional"
+ }
+ }
+}
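Review bot: The object's top-level `description` misspells the language name as `JavsScript`; the line should read `... Examples include Bash, JavaScript, PowerShell, Python, VBScript, etc. ...`. Separately, `hashes` is documented as computed over the original encoding while `script_content` carries the UTF-8 normalized text, so a consumer cannot recompute `hashes` from `script_content` to check integrity; the `script_content` entry here has no description at all, and a one-liner such as `"description": "The normalized script content; see hashes for digests over the original bytes."` would keep that caveat next to the required attribute where readers will look first. Finally, because `script_content` is required here and the Script Activity class requires `script`, a producer that only records a file reference and digest cannot emit a valid event — if that is intended, it is worth stating in the description; if not, `recommended` may be the better requirement.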