Implementation

2020-10-07 00:56:03 +09:00
parent c62c8dc326
commit 1c2ec6e6dd
1 changed files with 39 additions and 21 deletions
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -8,8 +8,8 @@ pub struct Sysmon {
 impl Sysmon {
    pub fn new() -> Sysmon {
        Sysmon {
-            //checkunsigned: 0,
-            checkunsigned: 1,
+            //checkunsigned: 0, //  DeepBlueでは0固定
+            checkunsigned: 1, //  開発用に1
        }
    }

@@ -28,19 +28,17 @@ impl Sysmon {

    fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
        // Check command lines
-        if let Some(_date) = event_data.get("UtcTime") {
-            println!("Date    : {} (UTC)", _date);
-        }
-        println!("Log     : Sysmon");
-        println!("EventID : 1");
-        //if let Some(_creater) = event_data.get("ParentImage") {
-        //    println!("_creater : {}", _image);
-        //}
        if let Some(_command_line) = event_data.get("CommandLine") {
-            self.check_command("1", event_data);
-            println!("Command : {}", _command_line);
+            if let Some(_date) = event_data.get("UtcTime") {
+                println!("Date    : {} (UTC)", _date);
+            }
+            println!("Log     : Sysmon");
+            //if let Some(_creater) = event_data.get("ParentImage") {
+            //    println!("_creater : {}", _image);
+            //}
+            self.check_command("1".to_string(), _command_line.to_string());
+            println!("");
        }
-        println!("");
    }

    fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
@@ -48,17 +46,37 @@ impl Sysmon {
        // This can be very chatty, so it's disabled.
        // Set $checkunsigned to 1 (global variable section) to enable:
        if self.checkunsigned == 1 {
-            if let Some(_date) = event_data.get("UtcTime") {
-                println!("Date    : {} (UTC)", _date);
+            if let Some(_signed) = event_data.get("Signed") {
+                if _signed == "false" {
+                    if let Some(_date) = event_data.get("UtcTime") {
+                        println!("Date    : {} (UTC)", _date);
+                    }
+                    println!("Log     : Sysmon");
+                    println!("EventID : 7");
+                    println!("Message : Unsigned Image (DLL)");
+                    if let Some(_image) = event_data.get("Image") {
+                        println!("Result  : Loaded by: {}", _image);
+                    }
+                    if let Some(_command_line) = event_data.get("ImageLoaded") {
+                        println!("Command : {}", _command_line);
+                    }
+                    println!("");
+                }
            }
-            println!("Log     : Sysmon");
-            println!("EventID : 7");
-            //# TBD
-            println!("");
        }
    }

-    fn check_command(&mut self, event_id: String, event_data: HashMap<String, String>) {
-        //# TBD
+    fn check_command(&mut self, _event_id: String, _command_line: String) {
+        let _result = "(TBD)";
+        let _decoded = "(TBD)";
+
+        //  TBD
+
+        //  Write-Output $obj
+        println!("EventID : {}", _event_id);
+        println!("Message : Suspicious Command Line");
+        println!("Result  : {}", _result);
+        println!("Command : {}", _command_line);
+        println!("Decoded : {}", _decoded);
    }
 }