Script
script
The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavaScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| File | file | File[] | Entity:FILE. Present if this script is associated with a file. Not present in the case of a file-less script. |
| Hashes | hashes | Fingerprint[] | Entity:FINGERPRINT. An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, and not on the normalized UTF-8 encoding found in the script_content attribute. |
| Name | name | String | Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis. |
| Parent Unique ID | parent_uid | String | This attribute relates a sub-script to a parent script having the matching uid attribute. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS. |
| Raw Data | raw_data | JSON | Group:context. The event data as received from the event source. |
| Record ID | record_id | String | Group:primary. Unique identifier for the object. |
| Script Content | script_content | Long String[] | Entity:SCRIPT_CONTENT. The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated. |
| Type | type | String | The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. |
| Type ID | type_id | Integer | The normalized script type ID. |
| Unique ID | uid | String | Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId in the raw ETW events provided by the OS. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
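The hashes and script_content rows carry the one point that trips up producers and consumers alike: the fingerprints are computed over the script bytes in their original encoding, while script_content is the same script re-emitted as UTF-8, so hashing script_content does not reproduce the values in hashes. The following example, added here and not part of the OCSF schema or its reference implementation, builds a Script object with the attribute names and types listed on this page from a constructed UTF-16LE script and shows the two digests diverging. It assumes the OCSF Fingerprint object's algorithm_id 3 for SHA-256 and the general OCSF enum convention of type_id 0 meaning "Unknown" (neither is listed on this page); the truncation limit and the uid value are constructed placeholders.

```python
import codecs
import hashlib
from typing import Optional

# Assumed from the OCSF Fingerprint object (its values are not listed on this page):
# algorithm_id 3 is SHA-256.
SHA256_ALGORITHM_ID = 3

# The page says emitters "may" truncate large scripts; this limit is a constructed value.
MAX_CONTENT_CHARS = 4096


def fingerprint_raw(raw: bytes) -> dict:
    """Fingerprint over the script bytes in their ORIGINAL encoding, as the hashes row requires."""
    return {
        "algorithm_id": SHA256_ALGORITHM_ID,
        "algorithm": "SHA-256",
        "value": hashlib.sha256(raw).hexdigest(),
    }


def normalize_content(raw: bytes, source_encoding: str) -> str:
    """Decode from the original encoding so the text can be emitted as UTF-8.

    A leading byte-order mark is dropped: it is an encoding artifact, not script content.
    """
    return raw.decode(source_encoding).lstrip("\ufeff")


def build_script_object(raw: bytes, source_encoding: str, type_id: int, type_caption: str,
                        file: Optional[dict] = None, uid: Optional[str] = None,
                        parent_uid: Optional[str] = None) -> dict:
    """Assemble an OCSF Script object using the attribute names and types on this page."""
    content = normalize_content(raw, source_encoding)
    script = {
        "type_id": type_id,
        "type": type_caption,                             # caption of type_id
        "hashes": [fingerprint_raw(raw)],                 # Fingerprint[], over original bytes
        "script_content": [content[:MAX_CONTENT_CHARS]],  # Long String[], UTF-8 text, truncated
    }
    if file is not None:
        script["file"] = [file]            # File[]; omitted entirely for a file-less script
    if uid is not None:
        script["uid"] = uid                # e.g. the PowerShell ScriptBlockId
    if parent_uid is not None:
        script["parent_uid"] = parent_uid  # relates a sub-script to its parent's uid
    return script


def digest_of_normalized(script: dict) -> str:
    """SHA-256 of the UTF-8 script_content: NOT the value that belongs in hashes."""
    return hashlib.sha256(script["script_content"][0].encode("utf-8")).hexdigest()


def raw_and_normalized_digests_differ(raw: bytes, source_encoding: str) -> bool:
    """True when hashing script_content would not reproduce the recorded fingerprint."""
    script = build_script_object(raw, source_encoding, 0, "Unknown")
    return script["hashes"][0]["value"] != digest_of_normalized(script)


# Constructed sample: a one-line script saved as UTF-16LE with a BOM, a common
# on-disk encoding for PowerShell files.
SAMPLE_TEXT = 'Write-Output "hello"\n'
SAMPLE_RAW = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")
# Constructed placeholder; a real value comes from the script engine's own events.
SAMPLE_UID = "PLACEHOLDER-SCRIPTBLOCK-ID"


def demo() -> dict:
    # type_id 0 / "Unknown" follows the general OCSF enum convention; this page
    # does not list the Script type_id values, so no specific type is claimed here.
    return build_script_object(SAMPLE_RAW, "utf-16-le", 0, "Unknown", uid=SAMPLE_UID)


if __name__ == "__main__":
    import json
    obj = demo()
    print(json.dumps(obj, indent=2))
    print("digest of original bytes :", obj["hashes"][0]["value"])
    print("digest of UTF-8 content  :", digest_of_normalized(obj))
```

A consumer that wants to match a Script object against a hash allow-list or threat-intel feed therefore has to use the hashes attribute as recorded, not recompute it from script_content; the two only coincide when the source was already UTF-8 without a BOM.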
Relationships
Inbound Relationships
These objects and events reference Script in their attributes:
Outbound Relationships
Script references the following objects and events in its attributes:
This page describes ocsf-1.4.0