@Tuesday
Query for TrueParentOf edge-class:
Query for SpoofedParentProcess edge-class:
After modifying the SpoofParentProcessId function to show the TrueProcessProcessId attribute:
Query for ProcessId = 1180:
After adding print('debug') in else statement:
After changing to if(r.field('TrueParentProcessGuid') != null):
Select from SpoofParentProcessId in ODB graph:
@Thursday
Query for SpoofParentProcessId:
- All fields were filled up, ruling out the possibility that a missing field is causing the issue.
Check value of variable spoof:
- Line 1: print(spoof) → value of variable spoof
- Line 2: print(spoof.length) → value of spoof.length
- Even though var spoof is not empty, spoof.length is returning 0.
- Since spoof.length == 0, the return statement is executed, which stops the function. Hence, line 8 onwards does not get executed, i.e. the 'found spoof' line will not be printed out.
Checking r.field('Hostname'), r.field('Organisation') & r.field('ProcessGuid'):
- Able to print all 3 fields, so the query should be able to work
- Query was successful in ODB as I was able to get a record
After removing the if statement, the print('after') that I added gets printed out but not the 'found spoof' line. Hence, I shifted the 'found spoof' line before the if statement and separated the line into two:
Result:
- Able to print rid but not TrueParentProcessId.
Findings so far:
- Appears that spoof is an empty variable because spoof.length == 0
- Initial thought is that the issue is with the variable spoof
- However, I was able to get an output from print('spoof'), which should mean that the variable is not empty.
- The query statement should be working since I was able to retrieve all 3 fields and all fields in SpoofParentProcessId are filled up. Furthermore, the query worked when I tried it out in ODB.
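The check these notes are debugging, reconstructed as an added example in plain JavaScript (this is not the notebook's own SpoofParentProcessId function, nor OrientDB code). Records are constructed in-memory objects exposing the same field(name) accessor the notes use on r. The field names Hostname, Organisation, ProcessId, ProcessGuid and TrueParentProcessGuid come from the notes; ParentProcessGuid, the parent a process claims, is an assumed field. The toArray helper is an assumed design choice: it normalizes whatever the query returns into an array before the emptiness test, so an early return fires only when there really are no rows, not because the result type happens not to expose a usable length.

```javascript
// Added example, not code from the notebook. Records are constructed stand-ins
// for ODB records: objects exposing field(name), returning null for missing fields.
function makeRecord(fields) {
  return { field: (name) => (name in fields ? fields[name] : null) };
}

// Constructed sample rows. ParentProcessGuid is an assumed field name.
const SAMPLE_ROWS = [
  makeRecord({ Hostname: 'ws01', Organisation: 'lab', ProcessId: 1180,
    ProcessGuid: '{guid-child}', ParentProcessGuid: '{guid-claimed}',
    TrueParentProcessGuid: '{guid-true}' }),            // claimed parent differs from true parent
  makeRecord({ Hostname: 'ws01', Organisation: 'lab', ProcessId: 2200,
    ProcessGuid: '{guid-b}', ParentProcessGuid: '{guid-p}',
    TrueParentProcessGuid: '{guid-p}' }),               // consistent parent
  makeRecord({ Hostname: 'ws02', Organisation: 'lab', ProcessId: 3300,
    ProcessGuid: '{guid-c}', ParentProcessGuid: '{guid-q}' }), // TrueParentProcessGuid missing
];

// Normalize a query result (array, iterable result set, single record or null)
// into an array so that .length is meaningful regardless of the result type.
function toArray(result) {
  if (result == null) return [];
  if (Array.isArray(result)) return result;
  if (typeof result[Symbol.iterator] === 'function') return Array.from(result);
  return [result];
}

// Walk the rows and report every process whose true parent (as recorded in
// TrueParentProcessGuid) differs from the parent it claims. Rows without a
// TrueParentProcessGuid cannot be decided and are skipped rather than flagged.
function findSpoofedParents(queryResult) {
  const spoof = toArray(queryResult);
  if (spoof.length === 0) return { checked: 0, spoofed: [] }; // genuinely no rows
  const spoofed = [];
  for (const r of spoof) {
    const trueParent = r.field('TrueParentProcessGuid');
    if (trueParent == null) continue;
    const claimed = r.field('ParentProcessGuid');
    if (trueParent !== claimed) {
      spoofed.push({
        hostname: r.field('Hostname'),
        organisation: r.field('Organisation'),
        processId: r.field('ProcessId'),
        processGuid: r.field('ProcessGuid'),
        claimedParent: claimed,
        trueParent,
      });
    }
  }
  return { checked: spoof.length, spoofed };
}

// Usage: run over the constructed rows and print what was found.
const report = findSpoofedParents(SAMPLE_ROWS);
console.log(`checked ${report.checked} rows, found ${report.spoofed.length} spoofed parent(s)`);
for (const s of report.spoofed) {
  console.log(`found spoof: host=${s.hostname} pid=${s.processId} claimed=${s.claimedParent} true=${s.trueParent}`);
}
```

Because toArray accepts a single record, an iterable result set or an array alike, the same function can be fed the output of a one-record lookup (such as the ProcessId = 1180 query above) or a full edge-class scan without changing the emptiness check.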