CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #12 from YamatoSecurity/feature/toml

Browse Source 
Feature/toml
This commit is contained in:
nishikawaakira
2020-10-11 14:46:48 +09:00
committed by GitHub
parent 22edee0332 7e9ce2fbe8
commit 0663f8403d
11 changed files with 237 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
Cargo.lock generated
View File

@@ -1071,6 +1071,15 @@ dependencies = [
"winapi",
]
[[package]]
name = "toml"
version = "0.5.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a"
dependencies = [
"serde",
]
[[package]]
name = "unicode-width"
version = "0.1.8"
@@ -1185,5 +1194,7 @@ dependencies = [
"quick-xml 0.17.2",
"regex",
"serde",
"serde_derive",
"serde_json",
"toml",
]

4
Cargo.toml
View File

@@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" }
quick-xml = {version = "0.17", features = ["serialize"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = { version = "1.0"}
serde_derive = "1.0"
clap = "*"
regex = "1"
csv = "1.1"
base64 = "*"
flate2 = "1.0"
flate2 = "1.0"
toml = "0.5"

2
rules/test.toml Normal file
View File

@@ -0,0 +1,2 @@
[rule]
severity = "high"

192
src/detections/security.rs
View File

@@ -261,7 +261,10 @@ impl Security {
}
msges.push("Sensititive Privilege Use Exceeds Threshold".to_string());
msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string());
msges.push(
"Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made"
.to_string(),
);
let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str);
msges.push(format!("Username: {}", username));
@@ -335,7 +338,9 @@ impl Security {
// let v_username = Vec::new();
let mut v_username = Vec::new();
self.passspray_2_user.keys().for_each(|u| v_username.push(u));
self.passspray_2_user
.keys()
.for_each(|u| v_username.push(u));
v_username.sort();
let usernames: String = v_username.iter().fold(
self.empty_str.to_string(),
@@ -665,7 +670,8 @@ mod tests {
// eventidが異なりヒットしないパターン
#[test]
fn test_add_member_security_group_noteq_eventid() {
let xml_str = get_add_member_security_group_xml().replace(r"<EventID>4732</EventID>", r"<EventID>4757</EventID>");
let xml_str = get_add_member_security_group_xml()
.replace(r"<EventID>4732</EventID>", r"<EventID>4757</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -683,7 +689,10 @@ mod tests {
// グループがAdministratorsじゃなくてHitしないパターン
#[test]
fn test_add_member_security_not_administrators() {
let xml_str = get_add_member_security_group_xml().replace(r"<Data Name='TargetUserName'>Administrators</Data>", r"<Data Name='TargetUserName'>local</Data>");
let xml_str = get_add_member_security_group_xml().replace(
r"<Data Name='TargetUserName'>Administrators</Data>",
r"<Data Name='TargetUserName'>local</Data>",
);
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -746,10 +755,7 @@ mod tests {
&"Username: ".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"User SID: ",
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string()));
assert_eq!(Option::None, ite.next());
}
@@ -795,10 +801,10 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
sec.max_failed_logons = 5;
let ite = [1,2,3,4,5,6,7].iter();
ite.for_each(|i|{
let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| {
sec.failed_logon(
&event.system.event_id.to_string(),
&event.parse_event_data(),
@@ -813,9 +819,13 @@ mod tests {
fn test_failed_logon_hit() {
let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='TargetUserName'>Administrator</Data>", r"<Data Name='TargetUserName'>localuser</Data>")).unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='TargetUserName'>Administrator</Data>",
r"<Data Name='TargetUserName'>localuser</Data>",
))
.unwrap();
let mut sec = security::Security::new();
let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -825,13 +835,13 @@ mod tests {
);
assert_eq!(1, sec.total_failed_logons);
let ite = [1,2,3,4,5,6,7].iter();
ite.for_each(|i|{
let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
let fail_cnt = i +1;
let fail_cnt = i + 1;
assert_eq!(fail_cnt, sec.total_failed_logons);
if fail_cnt > 5 {
let v = sec.disp_login_failed().unwrap();
@@ -848,7 +858,7 @@ mod tests {
&format!("Total logon failures: {}", fail_cnt),
ite.next().unwrap_or(&"".to_string())
);
// assert_eq!(Option::None, ite.next());
// assert_eq!(Option::None, ite.next());
} else {
assert_eq!(Option::None, sec.disp_login_failed());
}
@@ -870,14 +880,25 @@ mod tests {
);
}
// 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
#[test]
fn test_failed_logon_noteq_eventid() {
// 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
#[test]
fn test_failed_logon_noteq_eventid() {
let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4625</EventID>",r"<EventID>4626</EventID>")).unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4625</EventID>",r"<EventID>4626</EventID>").replace(r"<Data Name='TargetUserName'>Administrator</Data>", r"<Data Name='TargetUserName'>localuser</Data>")).unwrap();
let event: event::Evtx = quick_xml::de::from_str(
&xml_str.replace(r"<EventID>4625</EventID>", r"<EventID>4626</EventID>"),
)
.unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(
&xml_str
.replace(r"<EventID>4625</EventID>", r"<EventID>4626</EventID>")
.replace(
r"<Data Name='TargetUserName'>Administrator</Data>",
r"<Data Name='TargetUserName'>localuser</Data>",
),
)
.unwrap();
let mut sec = security::Security::new();
let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -887,16 +908,16 @@ mod tests {
);
assert_eq!(0, sec.total_failed_logons);
let ite = [1,2,3,4,5,6,7].iter();
ite.for_each(|_i|{
let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
assert_eq!(0, sec.total_failed_logons);
assert_eq!(Option::None, sec.disp_login_failed());
});
}
});
}
fn get_failed_logon_xml() -> String {
return r#"<?xml version="1.0" encoding="utf-8" standalone="yes"?>
@@ -940,7 +961,8 @@ mod tests {
<Data Name='IpAddress'>192.168.198.149</Data>
<Data Name='IpPort'>33083</Data>
</EventData>
</Event>"#.to_string();
</Event>"#
.to_string();
}
// Hitするパターンとしないパターンをまとめてテスト
@@ -949,10 +971,10 @@ mod tests {
let xml_str = get_sensitive_prividedge_hit();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
let ite = [1,2,3,4,5,6,7].iter();
let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
// i == 7ときにHitしない
@@ -984,15 +1006,19 @@ mod tests {
// eventidが異なるので、Hitしないテスト
#[test]
fn test_sensitive_priviledge_noteq_eventid() {
let xml_str = get_sensitive_prividedge_hit().replace(r"<EventID>4673</EventID>", r"<EventID>4674</EventID>");
let xml_str = get_sensitive_prividedge_hit()
.replace(r"<EventID>4673</EventID>", r"<EventID>4674</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
let ite = [1,2,3,4,5,6,7].iter();
let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
let msg = sec.sensitive_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg);
});
}
@@ -1037,16 +1063,31 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(
&"Possible Hidden Service Attempt".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(
&"User: Sec504".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"Target service: nginx".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"WRITE_DAC".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(Option::None, ite.next());
}
@@ -1054,11 +1095,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_accessmask() {
let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='AccessMask'>%%1539",r"<Data Name='AccessMask'>%%1538")).unwrap();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='AccessMask'>%%1539",
r"<Data Name='AccessMask'>%%1538",
))
.unwrap();
let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg);
}
@@ -1066,11 +1114,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_service() {
let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='ProcessName'>C:\Windows\System32\services.exe</Data>",r"<Data Name='ProcessName'>C:\Windows\System32\lsass.exe</Data>")).unwrap();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='ProcessName'>C:\Windows\System32\services.exe</Data>",
r"<Data Name='ProcessName'>C:\Windows\System32\lsass.exe</Data>",
))
.unwrap();
let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg);
}
@@ -1078,11 +1133,17 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_eventid() {
let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4674</EventID>",r"<EventID>4675</EventID>")).unwrap();
let event: event::Evtx = quick_xml::de::from_str(
&xml_str.replace(r"<EventID>4674</EventID>", r"<EventID>4675</EventID>"),
)
.unwrap();
let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg);
}
@@ -1130,12 +1191,11 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
// counterがreset確認のため、2回実行
test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
}
// eventid異なるので、Hitしないはず
#[test]
fn test_pass_spray_noteq_eventid() {
@@ -1144,12 +1204,12 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
// counterがreset確認のため、2回実行
test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
}
fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) {
fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) {
[1,2,3,4,5,6,7].iter().for_each(|i| {
let rep_str = format!(r#"<Data Name='TargetUserName'>smisenar{}</Data>"#,i);
let event_id_tag = format!("<EventID>{}</EventID>", event_id);
@@ -1173,7 +1233,7 @@ mod tests {
});
});
}
fn get_passs_pray_hit() -> String {
return r#"<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
@@ -1224,22 +1284,32 @@ mod tests {
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(
&"Audit Log Clear".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"The Audit log was cleared".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"Security ID: jwrig".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(Option::None, ite.next());
}
// eventid違うのでHitしないはず
#[test]
fn test_audit_log_cleared_noteq_eventid() {
let xml_str = get_audit_log_cleared_xml().replace(r"<EventID>1102</EventID>", r"<EventID>1103</EventID>");
let xml_str = get_audit_log_cleared_xml()
.replace(r"<EventID>1102</EventID>", r"<EventID>1103</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data);
assert_eq!(Option::None, msg);
}
}
fn get_audit_log_cleared_xml() -> String {
return r#"<?xml version="1.0" encoding="utf-8" standalone="yes"?>

1
src/lib.rs
View File

@@ -1,2 +1,3 @@
pub mod detections;
pub mod models;
pub mod toml;

1
src/main.rs
View File

@@ -6,6 +6,7 @@ use evtx::EvtxParser;
use quick_xml::de::DeError;
use std::{path::PathBuf, process};
use yamato_event_analyzer::detections::detection;
use yamato_event_analyzer::toml;
fn build_app() -> clap::App<'static, 'static> {
let program = std::env::args()

1
src/models/mod.rs
View File

@@ -1 +1,2 @@
pub mod event;
pub mod rule;

13
src/models/rule.rs Normal file
View File

@@ -0,0 +1,13 @@
extern crate serde;
use serde::Deserialize;
#[derive(Debug, Deserialize)]
pub struct Rule {
pub severity: Option<String>,
pub name: Option<String>,
}
#[derive(Debug, Deserialize)]
pub struct Toml {
pub rule: Rule,
}

69
src/toml.rs Normal file
View File

@@ -0,0 +1,69 @@
extern crate serde_derive;
extern crate toml;
use crate::models::rule;
use std::fs;
use std::io;
use std::io::{BufReader, Read};
use std::path::{Path, PathBuf};
pub struct ParseToml {
pub rules: Vec<Result<rule::Toml, toml::de::Error>>,
}
impl ParseToml {
pub fn new() -> ParseToml {
ParseToml { rules: Vec::new() }
}
fn read_file(&self, path: PathBuf) -> Result<String, String> {
let mut file_content = String::new();
let mut fr = fs::File::open(path)
.map(|f| BufReader::new(f))
.map_err(|e| e.to_string())?;
fr.read_to_string(&mut file_content)
.map_err(|e| e.to_string())?;
Ok(file_content)
}
fn read_dir<P: AsRef<Path>>(&mut self, path: P) -> io::Result<String> {
Ok(fs::read_dir(path)?
.filter_map(|entry| {
let entry = entry.ok()?;
if entry.file_type().ok()?.is_file() {
match self.read_file(entry.path()) {
Ok(s) => &self.rules.push(toml::from_str(&s)),
Err(e) => panic!("fail to read file: {}", e),
};
}
Some("")
})
.collect())
}
}
#[cfg(test)]
mod tests {
use crate::toml;
#[test]
fn test_read_toml() {
let mut toml = toml::ParseToml::new();
&toml.read_dir("test_files/rules".to_string());
for rule in toml.rules {
match rule {
Ok(_rule) => {
if let Some(severity) = _rule.rule.severity {
assert_eq!("high", severity);
}
}
Err(_) => (),
}
}
}
}

2
test_files/rules/test.toml Normal file
View File

@@ -0,0 +1,2 @@
[rule]
severity = "high"

3
test_files/rules/test2.toml Normal file
View File

@@ -0,0 +1,3 @@
[rule]
severity = "high"
name = "test2"