script

The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavaScript, PowerShell, Python, VBScript, etc. Note that the term script here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.

Attributes

| Caption | Name | Type | Description |
| --- | --- | --- | --- |
| File | file | File[] | Present if this script is associated with a file. Not present in the case of a file-less script. |
| Hashes | hashes | Fingerprint[] | An array of the script's cryptographic hashes. Note that these hashes are calculated on the script in its original encoding, not on the normalized UTF-8 encoding found in the script_content attribute. |
| Name | name | String | Unique identifier for the script or macro, independent of the containing file, used for tracking, auditing, and security analysis. |
| Parent Unique ID | parent_uid | String | Relates a sub-script to the parent script whose uid attribute matches this value. In the case of PowerShell, sub-script execution can be identified by matching the activity correlation ID of the raw ETW events provided by the OS. |
| Raw Data | raw_data | String | The raw event/finding data as received from the source. |
| Record ID | record_id | String | Unique identifier for the object. |
| Script Content | script_content | Long String[] | The script content, normalized to UTF-8 encoding irrespective of its original encoding. When emitting this attribute, it may be appropriate to truncate large scripts. When consuming this attribute, large scripts should be anticipated. |
| Type | type | String | The script type, normalized to the caption of the type_id value. In the case of 'Other', it is defined by the event source. |
| Type ID | type_id | Integer | The normalized script type ID (values listed below). |
| Unique ID | uid | String | Some script engines assign a unique ID to each individual execution of a given script. This attribute captures that unique ID. In the case of PowerShell, the unique ID corresponds to the ScriptBlockId in the raw ETW events provided by the OS. |
| Unmapped Data | unmapped | Object[] | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |

type_id values:
  • 0: Unknown (UNKNOWN)
  • 1: Windows Command Prompt (WINDOWS_COMMAND_PROMPT)
  • 2: PowerShell (POWERSHELL)
  • 3: Python (PYTHON)
  • 4: JavaScript (JAVASCRIPT)
  • 5: VBScript (VBSCRIPT)
  • 6: Unix Shell (UNIX_SHELL)
  • 7: VBA (VBA)
  • 99: Other (OTHER)
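The hashes/script_content distinction above is the part producers most often get wrong: the fingerprint must be computed over the script's original bytes, while script_content carries the UTF-8 normalized text. The following added example (not part of the OCSF project or this page) builds a file-less Script object from a constructed UTF-16 PowerShell block, hashing the original bytes and truncating the content, and gives the consumer-side check; the Fingerprint algorithm_id value 3 for SHA-256 is assumed, as it is not listed on this page.

```python
import hashlib
from typing import Optional

# type_id -> caption, copied from the attribute table on this page.
SCRIPT_TYPES = {
    0: "Unknown", 1: "Windows Command Prompt", 2: "PowerShell", 3: "Python",
    4: "JavaScript", 5: "VBScript", 6: "Unix Shell", 7: "VBA", 99: "Other",
}

# Constructed sample: a PowerShell script block as the OS would deliver it,
# UTF-16 with a byte-order mark, i.e. NOT already UTF-8.
RAW_PS1 = "Get-Process | Where-Object { $_.CPU -gt 100 }\n".encode("utf-16")


def decode_original(raw: bytes) -> str:
    """Decode the script from its original encoding (BOM-aware) to text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def build_script_object(raw: bytes, type_id: int, uid: str,
                        parent_uid: Optional[str] = None,
                        max_chars: int = 4096) -> dict:
    """Map a raw, file-less script to an OCSF Script object."""
    if type_id not in SCRIPT_TYPES:
        raise ValueError(f"unknown script type_id {type_id}")
    obj = {
        "type_id": type_id,
        "type": SCRIPT_TYPES[type_id],  # caption of type_id, per the schema
        "uid": uid,
        # Hash the ORIGINAL bytes, not the UTF-8 text that goes into
        # script_content. algorithm_id 3 = SHA-256 is an assumed value.
        "hashes": [{"algorithm_id": 3, "algorithm": "SHA-256",
                    "value": hashlib.sha256(raw).hexdigest()}],
        # Emitters may truncate large scripts; consumers must expect that.
        "script_content": [decode_original(raw)[:max_chars]],
    }
    if parent_uid is not None:  # only sub-scripts carry a parent_uid
        obj["parent_uid"] = parent_uid
    return obj


def hash_matches_original(obj: dict, raw: bytes) -> bool:
    """Consumer-side check: recompute the fingerprint over original bytes."""
    return obj["hashes"][0]["value"] == hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    print(build_script_object(RAW_PS1, 2, "demo-uid", parent_uid="demo-parent"))
```

Recomputing the hash over the UTF-8 text in script_content will not match the stored fingerprint, which is exactly the pitfall the Hashes description warns about.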

Relationships

Inbound Relationships

These objects and events reference Script in their attributes:

Outbound Relationships

Script references the following objects and events in its attributes:

This page describes qdm-1.4.0+ocsf-1.4.0