Class: Script
The Script object describes a script or command that can be executed by a
shell, script engine, or interpreter. Examples include Bash, JavaScript,
PowerShell, Python, VBScript, etc. Note that the term script here
denotes not only a script contained within a file but also a script or command
typed interactively by a user, supplied on the command line, or provided by
some other file-less mechanism.
URI: ocsf:Script
```mermaid
classDiagram
    class Script
    click Script href "../Script/"
      Object <|-- Script
        click Object href "../Object/"

      Script : file
        Script --> "0..1" File : file
        click File href "../File/"
      Script : hashes
        Script --> "* _recommended_" Fingerprint : hashes
        click Fingerprint href "../Fingerprint/"
      Script : name
      Script : parent_uid
      Script : script_content
        Script --> "1" LongString : script_content
        click LongString href "../LongString/"
      Script : type
      Script : type_id
        Script --> "1" ScriptTypeIdEnum : type_id
        click ScriptTypeIdEnum href "../ScriptTypeIdEnum/"
      Script : uid
```
Inheritance
- OcsfObject
- Object
- Script
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| file | 0..1 File | Present if this script is associated with a file | direct |
| hashes | * recommended Fingerprint | An array of the script's cryptographic hashes | direct |
| name | 0..1 String | Unique identifier for the script or macro, independent of the containing file... | direct |
| parent_uid | 0..1 String | This attribute relates a sub-script to a parent script having the matching | direct |
| script_content | 1 LongString | The script content, normalized to UTF-8 encoding irrespective of its original | direct |
| type | 0..1 String | The script type, normalized to the caption of the type_id value | direct |
| type_id | 1 ScriptTypeIdEnum | The normalized script type ID | direct |
| uid | 0..1 String | Some script engines assign a unique ID to each individual execution of a give... | direct |
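
The schema states that `hashes` are calculated on the script in its original encoding while `script_content` is normalized to UTF-8, so a consumer that re-hashes `script_content` will not reproduce the recorded hash for a script that was not UTF-8 on disk. The following is an added example, not part of the OCSF schema or of this page's generated source: it builds a Script-shaped dict from constructed UTF-16LE bytes and checks both digests. The Fingerprint field names `algorithm` and `value`, the `max_chars` limit and the placeholder `type_id` are assumptions, since Fingerprint and ScriptTypeIdEnum are defined on other pages.

```python
import codecs
import hashlib

# BOMs are checked longest-first so UTF-32LE is not mistaken for UTF-16LE.
_BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def decode_original(raw: bytes) -> str:
    """Decode raw script bytes to text, honouring a BOM if present (else UTF-8)."""
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc)
    return raw.decode("utf-8", errors="replace")

def build_script(raw: bytes, type_id: int, uid=None, parent_uid=None,
                 max_chars: int = 65536) -> dict:
    """Emit a Script-shaped dict: hash the raw bytes, store UTF-8 text."""
    script = {
        "type_id": type_id,  # required slot; value supplied by the caller
        # Required slot; the emitter may truncate large scripts.
        "script_content": decode_original(raw)[:max_chars],
        # Hash covers the ORIGINAL bytes. Field names here are assumed.
        "hashes": [{"algorithm": "SHA-256",
                    "value": hashlib.sha256(raw).hexdigest()}],
    }
    if uid is not None:
        script["uid"] = uid                # per-execution ID from the engine
    if parent_uid is not None:
        script["parent_uid"] = parent_uid  # uid of the parent script
    return script

def content_matches_hash(script: dict) -> bool:
    """True only if re-hashing the UTF-8 script_content reproduces a recorded hash."""
    digest = hashlib.sha256(script["script_content"].encode("utf-8")).hexdigest()
    return any(h["value"] == digest for h in script["hashes"])

# Constructed sample: a PowerShell one-liner saved as UTF-16LE with a BOM.
SAMPLE_TEXT = "Get-ChildItem -Path C:\\Temp\n"
SAMPLE_RAW = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")
PLACEHOLDER_TYPE_ID = 0  # placeholder; take real values from ScriptTypeIdEnum

if __name__ == "__main__":
    s = build_script(SAMPLE_RAW, PLACEHOLDER_TYPE_ID, uid="constructed-uid-1")
    print(s["hashes"][0]["value"], content_matches_hash(s))
```

A detection that matches known-bad file hashes should therefore compare against `hashes` directly and treat `script_content` as text for pattern matching only.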
Usages
| used by | used in | type | used |
|---|---|---|---|
| Osint | script | range | Script |
| Evidences | script | range | Script |
| ScriptActivity | script | range | Script |
| WindowsEvidences | script | range | Script |
In Subsets
Aliases
- Script
See Also
Notes
- D3FEND™ Ontology d3f:ExecutableScript. — https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Script |
| native | ocsf:Script |
LinkML Source
Direct
```yaml
name: Script
description: 'The Script object describes a script or command that can be executed
  by a
  shell, script engine, or interpreter. Examples include Bash, JavaScript,
  PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here
  denotes not only a script contained within a file but also a script or command
  typed interactively by a user, supplied on the command line, or provided by
  some other file-less mechanism.'
notes:
- 'D3FEND™ Ontology d3f:ExecutableScript. —
  https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/
aliases:
- Script
is_a: Object
slots:
- file
- hashes
- name
- parent_uid
- script_content
- type
- type_id
- uid
slot_usage:
  file:
    name: file
    description: 'Present if this script is associated with a file. Not present in
      the case of a
      file-less script.'
  hashes:
    name: hashes
    description: 'An array of the script''s cryptographic hashes. Note that these
      hashes are
      calculated on the script in its original encoding, and not on the normalized
      UTF-8 encoding found in the <code>script_content</code> attribute.'
    recommended: true
  name:
    name: name
    description: 'Unique identifier for the script or macro, independent of the containing
      file,
      used for tracking, auditing, and security analysis.'
  parent_uid:
    name: parent_uid
    description: 'This attribute relates a sub-script to a parent script having the
      matching
      <code>uid</code> attribute. In the case of PowerShell, sub-script execution
      can
      be identified by matching the activity correlation ID of the raw ETW events
      provided by the OS.'
  script_content:
    name: script_content
    required: true
  type:
    name: type
    description: 'The script type, normalized to the caption of the <code>type_id</code>
      value.
      In the case of ''Other'', it is defined by the event source.'
  type_id:
    name: type_id
    description: The normalized script type ID.
    range: ScriptTypeIdEnum
    required: true
  uid:
    name: uid
    description: 'Some script engines assign a unique ID to each individual execution
      of a given
      script. This attribute captures that unique ID. In the case of PowerShell, the
      unique ID corresponds to the <code>ScriptBlockId</code> in the raw ETW events
      provided by the OS.'
```
Induced
```yaml
name: Script
description: 'The Script object describes a script or command that can be executed
  by a
  shell, script engine, or interpreter. Examples include Bash, JavaScript,
  PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here
  denotes not only a script contained within a file but also a script or command
  typed interactively by a user, supplied on the command line, or provided by
  some other file-less mechanism.'
notes:
- 'D3FEND™ Ontology d3f:ExecutableScript. —
  https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/'
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/
aliases:
- Script
is_a: Object
slot_usage:
  file:
    name: file
    description: 'Present if this script is associated with a file. Not present in
      the case of a
      file-less script.'
  hashes:
    name: hashes
    description: 'An array of the script''s cryptographic hashes. Note that these
      hashes are
      calculated on the script in its original encoding, and not on the normalized
      UTF-8 encoding found in the <code>script_content</code> attribute.'
    recommended: true
  name:
    name: name
    description: 'Unique identifier for the script or macro, independent of the containing
      file,
      used for tracking, auditing, and security analysis.'
  parent_uid:
    name: parent_uid
    description: 'This attribute relates a sub-script to a parent script having the
      matching
      <code>uid</code> attribute. In the case of PowerShell, sub-script execution
      can
      be identified by matching the activity correlation ID of the raw ETW events
      provided by the OS.'
  script_content:
    name: script_content
    required: true
  type:
    name: type
    description: 'The script type, normalized to the caption of the <code>type_id</code>
      value.
      In the case of ''Other'', it is defined by the event source.'
  type_id:
    name: type_id
    description: The normalized script type ID.
    range: ScriptTypeIdEnum
    required: true
  uid:
    name: uid
    description: 'Some script engines assign a unique ID to each individual execution
      of a given
      script. This attribute captures that unique ID. In the case of PowerShell, the
      unique ID corresponds to the <code>ScriptBlockId</code> in the raw ETW events
      provided by the OS.'
attributes:
  file:
    name: file
    description: 'Present if this script is associated with a file. Not present in
      the case of a
      file-less script.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - File
    rank: 1000
    alias: file
    owner: Script
    domain_of:
    - Osint
    - QueryEvidence
    - Script
    - AffectedCode
    - Databucket
    - Evidences
    - Job
    - KernelDriver
    - Module
    - Process
    - FileHosting
    - FileQuery
    - DataSecurityFinding
    - EmailFileActivity
    - FtpActivity
    - HttpActivity
    - NetworkFileActivity
    - RdpActivity
    - SmbActivity
    - SshActivity
    - FileRemediationActivity
    - EventLogActvity
    - FileActivity
    range: File
  hashes:
    name: hashes
    description: 'An array of the script''s cryptographic hashes. Note that these
      hashes are
      calculated on the script in its original encoding, and not on the normalized
      UTF-8 encoding found in the <code>script_content</code> attribute.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Hashes
    rank: 1000
    alias: hashes
    owner: Script
    domain_of:
    - Script
    - File
    range: Fingerprint
    recommended: true
    multivalued: true
  name:
    name: name
    description: 'Unique identifier for the script or macro, independent of the containing
      file,
      used for tracking, auditing, and security analysis.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Name
    rank: 1000
    alias: name
    owner: Script
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - Parameter
    - PrivilegeInfo
    - San
    - Scim
    - Script
    - ServicePrivilegeAnalysis
    - SoftwareComponent
    - Sso
    - StartupItem
    - ThreatActor
    - Token
    - Entity
    - Resource
    - Account
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - AutonomousSystem
    - Campaign
    - Check
    - CisBenchmark
    - CisBenchmarkResult
    - CisControl
    - ClassifierDetails
    - Container
    - D3fTactic
    - D3fTechnique
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Endpoint
    - Enrichment
    - EnvironmentVariable
    - Evidences
    - Extension
    - Feature
    - File
    - Graph
    - Group
    - HttpCookie
    - HttpHeader
    - Idp
    - Image
    - Job
    - Kernel
    - KeyValueObject
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metric
    - Mitigation
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - ResourceDetails
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - FtpActivity
    - RegValue
    - WinResource
    - WinService
    - PrefetchQuery
    range: string
  parent_uid:
    name: parent_uid
    description: 'This attribute relates a sub-script to a parent script having the
      matching
      <code>uid</code> attribute. In the case of PowerShell, sub-script execution
      can
      be identified by matching the activity correlation ID of the raw ETW events
      provided by the OS.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Parent Unique ID
    rank: 1000
    alias: parent_uid
    owner: Script
    domain_of:
    - Script
    - Span
    range: string
  script_content:
    name: script_content
    annotations:
      observable_id:
        tag: observable_id
        value: 36
    description: 'The script content, normalized to UTF-8 encoding irrespective of
      its original
      encoding. When emitting this attribute, it may be appropriate to truncate large
      scripts. When consuming this attribute, large scripts should be anticipated.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Script Content
    rank: 1000
    alias: script_content
    owner: Script
    domain_of:
    - Script
    range: LongString
    required: true
  type:
    name: type
    description: 'The script type, normalized to the caption of the <code>type_id</code>
      value.
      In the case of ''Other'', it is defined by the event source.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type
    rank: 1000
    alias: type
    owner: Script
    domain_of:
    - AnalysisTarget
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - ProgrammaticCredential
    - RelatedEvent
    - San
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Dns
    - Resource
    - Account
    - Agent
    - Analytic
    - ApplicationObject
    - AuthenticationToken
    - ClassifierDetails
    - Cve
    - Database
    - Databucket
    - DiscoveryDetails
    - DnsAnswer
    - DomainContact
    - EncryptionDetails
    - Endpoint
    - Enrichment
    - File
    - Graph
    - Group
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - Metadata
    - Module
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - PeripheralDevice
    - Policy
    - Rule
    - Scan
    - Trait
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - WebResource
    - Device
    - DatastoreActivity
    - FtpActivity
    - RegValue
    - WinResource
    range: string
  type_id:
    name: type_id
    annotations:
      sibling:
        tag: sibling
        value: type
    description: The normalized script type ID.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Type ID
    rank: 1000
    alias: type_id
    owner: Script
    domain_of:
    - Observable
    - Os
    - Osint
    - Package
    - PrivilegeInfo
    - Sbom
    - Script
    - SoftwareComponent
    - StartupItem
    - ThreatActor
    - Ticket
    - Timespan
    - TlsExtension
    - Token
    - Account
    - Agent
    - Analytic
    - AuthenticationToken
    - Database
    - Databucket
    - DomainContact
    - Endpoint
    - File
    - Ja4Fingerprint
    - Kernel
    - ManagedEntity
    - NetworkEndpoint
    - NetworkInterface
    - PeripheralDevice
    - Scan
    - UnmannedAerialSystem
    - UnmannedSystemOperatingArea
    - User
    - Device
    - DatastoreActivity
    - RegValue
    - WinResource
    range: ScriptTypeIdEnum
    required: true
  uid:
    name: uid
    description: 'Some script engines assign a unique ID to each individual execution
      of a given
      script. This attribute captures that unique ID. In the case of PowerShell, the
      unique ID corresponds to the <code>ScriptBlockId</code> in the raw ETW events
      provided by the OS.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Script
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
```