diff --git a/Cargo.lock b/Cargo.lock
index 6b63ca2e..ab932e6f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1071,6 +1071,15 @@ dependencies = [
"winapi",
]
+[[package]]
+name = "toml"
+version = "0.5.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a"
+dependencies = [
+ "serde",
+]
+
[[package]]
name = "unicode-width"
version = "0.1.8"
@@ -1185,5 +1194,7 @@ dependencies = [
"quick-xml 0.17.2",
"regex",
"serde",
+ "serde_derive",
"serde_json",
+ "toml",
]
diff --git a/Cargo.toml b/Cargo.toml
index 863e7911..b28772bf 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" }
quick-xml = {version = "0.17", features = ["serialize"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = { version = "1.0"}
+serde_derive = "1.0"
clap = "*"
regex = "1"
csv = "1.1"
base64 = "*"
-flate2 = "1.0"
\ No newline at end of file
+flate2 = "1.0"
+toml = "0.5"
diff --git a/rules/test.toml b/rules/test.toml
new file mode 100644
index 00000000..08260f64
--- /dev/null
+++ b/rules/test.toml
@@ -0,0 +1,2 @@
+[rule]
+severity = "high"
diff --git a/src/detections/security.rs b/src/detections/security.rs
index 97a30ce5..7818e7c2 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -261,7 +261,10 @@ impl Security {
}
msges.push("Sensititive Privilege Use Exceeds Threshold".to_string());
- msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string());
+ msges.push(
+ "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made"
+ .to_string(),
+ );
let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str);
msges.push(format!("Username: {}", username));
@@ -335,7 +338,9 @@ impl Security {
// let v_username = Vec::new();
let mut v_username = Vec::new();
- self.passspray_2_user.keys().for_each(|u| v_username.push(u));
+ self.passspray_2_user
+ .keys()
+ .for_each(|u| v_username.push(u));
v_username.sort();
let usernames: String = v_username.iter().fold(
self.empty_str.to_string(),
@@ -665,7 +670,8 @@ mod tests {
// eventidが異なりヒットしないパターン
#[test]
fn test_add_member_security_group_noteq_eventid() {
- let xml_str = get_add_member_security_group_xml().replace(r"4732", r"4757");
+ let xml_str = get_add_member_security_group_xml()
+ .replace(r"4732", r"4757");
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -683,7 +689,10 @@ mod tests {
// グループがAdministratorsじゃなくてHitしないパターン
#[test]
fn test_add_member_security_not_administrators() {
- let xml_str = get_add_member_security_group_xml().replace(r"Administrators", r"local");
+ let xml_str = get_add_member_security_group_xml().replace(
+ r"Administrators",
+ r"local",
+ );
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -746,10 +755,7 @@ mod tests {
&"Username: ".to_string(),
ite.next().unwrap_or(&"".to_string())
);
- assert_eq!(
- &"User SID: ",
- ite.next().unwrap_or(&"".to_string())
- );
+ assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string()));
assert_eq!(Option::None, ite.next());
}
@@ -795,10 +801,10 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
-
+
sec.max_failed_logons = 5;
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|i| {
sec.failed_logon(
&event.system.event_id.to_string(),
&event.parse_event_data(),
@@ -813,9 +819,13 @@ mod tests {
fn test_failed_logon_hit() {
let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"Administrator", r"localuser")).unwrap();
+ let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"Administrator",
+ r"localuser",
+ ))
+ .unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -825,13 +835,13 @@ mod tests {
);
assert_eq!(1, sec.total_failed_logons);
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
- let fail_cnt = i +1;
+ let fail_cnt = i + 1;
assert_eq!(fail_cnt, sec.total_failed_logons);
if fail_cnt > 5 {
let v = sec.disp_login_failed().unwrap();
@@ -848,7 +858,7 @@ mod tests {
&format!("Total logon failures: {}", fail_cnt),
ite.next().unwrap_or(&"".to_string())
);
- // assert_eq!(Option::None, ite.next());
+ // assert_eq!(Option::None, ite.next());
} else {
assert_eq!(Option::None, sec.disp_login_failed());
}
@@ -870,14 +880,25 @@ mod tests {
);
}
- // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
- #[test]
- fn test_failed_logon_noteq_eventid() {
+ // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
+ #[test]
+ fn test_failed_logon_noteq_eventid() {
let xml_str = get_failed_logon_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626")).unwrap();
- let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626").replace(r"Administrator", r"localuser")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(
+ &xml_str.replace(r"4625", r"4626"),
+ )
+ .unwrap();
+ let event_another: event::Evtx = quick_xml::de::from_str(
+ &xml_str
+ .replace(r"4625", r"4626")
+ .replace(
+ r"Administrator",
+ r"localuser",
+ ),
+ )
+ .unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -887,16 +908,16 @@ mod tests {
);
assert_eq!(0, sec.total_failed_logons);
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|_i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|_i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
assert_eq!(0, sec.total_failed_logons);
assert_eq!(Option::None, sec.disp_login_failed());
- });
- }
+ });
+ }
fn get_failed_logon_xml() -> String {
return r#"
@@ -940,7 +961,8 @@ mod tests {
192.168.198.149
33083
- "#.to_string();
+ "#
+ .to_string();
}
// Hitするパターンとしないパターンをまとめてテスト
@@ -949,10 +971,10 @@ mod tests {
let xml_str = get_sensitive_prividedge_hit();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
- let ite = [1,2,3,4,5,6,7].iter();
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
// i == 7ときにHitしない
@@ -984,15 +1006,19 @@ mod tests {
// eventidが異なるので、Hitしないテスト
#[test]
fn test_sensitive_priviledge_noteq_eventid() {
- let xml_str = get_sensitive_prividedge_hit().replace(r"4673", r"4674");
+ let xml_str = get_sensitive_prividedge_hit()
+ .replace(r"4673", r"4674");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
- let ite = [1,2,3,4,5,6,7].iter();
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i| {
- let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
+ let msg = sec.sensitive_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
assert_eq!(Option::None, msg);
});
}
@@ -1037,16 +1063,31 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
- assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"Possible Hidden Service Attempt".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"User: Sec504".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"Target service: nginx".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"WRITE_DAC".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(Option::None, ite.next());
}
@@ -1054,11 +1095,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_accessmask() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"%%1539",r"%%1538")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"%%1539",
+ r"%%1538",
+ ))
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1066,11 +1114,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_service() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"C:\Windows\System32\services.exe",r"C:\Windows\System32\lsass.exe")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"C:\Windows\System32\services.exe",
+ r"C:\Windows\System32\lsass.exe",
+ ))
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1078,11 +1133,17 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_eventid() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4674",r"4675")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(
+ &xml_str.replace(r"4674", r"4675"),
+ )
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1130,12 +1191,11 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
- test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
+ test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
// counterがreset確認のため、2回実行
- test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
+ test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
}
-
// eventid異なるので、Hitしないはず
#[test]
fn test_pass_spray_noteq_eventid() {
@@ -1144,12 +1204,12 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
- test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
+ test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
// counterがreset確認のため、2回実行
- test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
+ test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
}
- fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) {
+ fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) {
[1,2,3,4,5,6,7].iter().for_each(|i| {
let rep_str = format!(r#"smisenar{}"#,i);
let event_id_tag = format!("{}", event_id);
@@ -1173,7 +1233,7 @@ mod tests {
});
});
}
-
+
fn get_passs_pray_hit() -> String {
return r#"
@@ -1224,22 +1284,32 @@ mod tests {
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
- assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"Audit Log Clear".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"The Audit log was cleared".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"Security ID: jwrig".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(Option::None, ite.next());
}
// eventid違うのでHitしないはず
#[test]
fn test_audit_log_cleared_noteq_eventid() {
- let xml_str = get_audit_log_cleared_xml().replace(r"1102", r"1103");
+ let xml_str = get_audit_log_cleared_xml()
+ .replace(r"1102", r"1103");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data);
assert_eq!(Option::None, msg);
- }
+ }
fn get_audit_log_cleared_xml() -> String {
return r#"
diff --git a/src/lib.rs b/src/lib.rs
index 2579ad53..72434c62 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,2 +1,3 @@
pub mod detections;
pub mod models;
+pub mod toml;
diff --git a/src/main.rs b/src/main.rs
index e099bf0a..96239b23 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,6 +6,7 @@ use evtx::EvtxParser;
use quick_xml::de::DeError;
use std::{path::PathBuf, process};
use yamato_event_analyzer::detections::detection;
+use yamato_event_analyzer::toml;
fn build_app() -> clap::App<'static, 'static> {
let program = std::env::args()
diff --git a/src/models/mod.rs b/src/models/mod.rs
index 53f11265..ee089cbc 100644
--- a/src/models/mod.rs
+++ b/src/models/mod.rs
@@ -1 +1,2 @@
pub mod event;
+pub mod rule;
diff --git a/src/models/rule.rs b/src/models/rule.rs
new file mode 100644
index 00000000..550bdc65
--- /dev/null
+++ b/src/models/rule.rs
@@ -0,0 +1,13 @@
+extern crate serde;
+use serde::Deserialize;
+
+#[derive(Debug, Deserialize)]
+pub struct Rule {
+ pub severity: Option,
+ pub name: Option,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct Toml {
+ pub rule: Rule,
+}
diff --git a/src/toml.rs b/src/toml.rs
new file mode 100644
index 00000000..9e1c366a
--- /dev/null
+++ b/src/toml.rs
@@ -0,0 +1,69 @@
+extern crate serde_derive;
+extern crate toml;
+
+use crate::models::rule;
+use std::fs;
+use std::io;
+use std::io::{BufReader, Read};
+use std::path::{Path, PathBuf};
+
+pub struct ParseToml {
+ pub rules: Vec>,
+}
+
+impl ParseToml {
+ pub fn new() -> ParseToml {
+ ParseToml { rules: Vec::new() }
+ }
+
+ fn read_file(&self, path: PathBuf) -> Result {
+ let mut file_content = String::new();
+
+ let mut fr = fs::File::open(path)
+ .map(|f| BufReader::new(f))
+ .map_err(|e| e.to_string())?;
+
+ fr.read_to_string(&mut file_content)
+ .map_err(|e| e.to_string())?;
+
+ Ok(file_content)
+ }
+
+ fn read_dir>(&mut self, path: P) -> io::Result {
+ Ok(fs::read_dir(path)?
+ .filter_map(|entry| {
+ let entry = entry.ok()?;
+ if entry.file_type().ok()?.is_file() {
+ match self.read_file(entry.path()) {
+ Ok(s) => &self.rules.push(toml::from_str(&s)),
+ Err(e) => panic!("fail to read file: {}", e),
+ };
+ }
+ Some("")
+ })
+ .collect())
+ }
+}
+
+#[cfg(test)]
+mod tests {
+
+ use crate::toml;
+
+ #[test]
+ fn test_read_toml() {
+ let mut toml = toml::ParseToml::new();
+ &toml.read_dir("test_files/rules".to_string());
+
+ for rule in toml.rules {
+ match rule {
+ Ok(_rule) => {
+ if let Some(severity) = _rule.rule.severity {
+ assert_eq!("high", severity);
+ }
+ }
+ Err(_) => (),
+ }
+ }
+ }
+}
diff --git a/test_files/rules/test.toml b/test_files/rules/test.toml
new file mode 100644
index 00000000..08260f64
--- /dev/null
+++ b/test_files/rules/test.toml
@@ -0,0 +1,2 @@
+[rule]
+severity = "high"
diff --git a/test_files/rules/test2.toml b/test_files/rules/test2.toml
new file mode 100644
index 00000000..9cebf717
--- /dev/null
+++ b/test_files/rules/test2.toml
@@ -0,0 +1,3 @@
+[rule]
+severity = "high"
+name = "test2"