From 1c2ec6e6dd5e87dcf04c7cd96fafb7249f17e844 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 00:56:03 +0900
Subject: [PATCH] Implementation

---
 src/detections/sysmon.rs | 60 ++++++++++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 21 deletions(-)

diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7cbab355..165e39db 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -8,8 +8,8 @@ pub struct Sysmon {
 impl Sysmon {
     pub fn new() -> Sysmon {
         Sysmon {
-            //checkunsigned: 0,
-            checkunsigned: 1,
+            //checkunsigned: 0, // DeepBlueでは0固定
+            checkunsigned: 1, // 開発用に1
         }
     }
 
@@ -28,19 +28,17 @@ impl Sysmon {
 
     fn check_command_lines(&mut self, event_data: HashMap) {
         // Check command lines
-        if let Some(_date) = event_data.get("UtcTime") {
-            println!("Date : {} (UTC)", _date);
-        }
-        println!("Log : Sysmon");
-        println!("EventID : 1");
-        //if let Some(_creater) = event_data.get("ParentImage") {
-        //    println!("_creater : {}", _image);
-        //}
         if let Some(_command_line) = event_data.get("CommandLine") {
-            self.check_command("1", event_data);
-            println!("Command : {}", _command_line);
+            if let Some(_date) = event_data.get("UtcTime") {
+                println!("Date : {} (UTC)", _date);
+            }
+            println!("Log : Sysmon");
+            //if let Some(_creater) = event_data.get("ParentImage") {
+            //    println!("_creater : {}", _image);
+            //}
+            self.check_command("1".to_string(), _command_line.to_string());
+            println!("");
         }
-        println!("");
     }
 
     fn check_for_unsigned_files(&mut self, event_data: HashMap) {
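Review bot: The `CommandLine` value is untrusted event content, and the new code in `check_command_lines` hands it to `check_command`, which prints it verbatim into a line-oriented `Field : value` report; a command line containing a newline or carriage return can therefore inject extra `EventID :` or `Result :` lines and corrupt or spoof the output that a downstream reader or parser consumes. Printing the field with the `Debug` formatter, `println!("Command : {:?}", _command_line);`, escapes control characters, or strip them once before printing; the same applies to the raw `Image` and `ImageLoaded` values printed in the next hunk. Separately, `"1".to_string()` and `_command_line.to_string()` allocate two `String`s solely so `check_command` can print them; `&str` parameters on `check_command` would avoid both allocations.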
@@ -48,17 +46,37 @@ impl Sysmon {
         // This can be very chatty, so it's disabled.
         // Set $checkunsigned to 1 (global variable section) to enable:
         if self.checkunsigned == 1 {
-            if let Some(_date) = event_data.get("UtcTime") {
-                println!("Date : {} (UTC)", _date);
+            if let Some(_signed) = event_data.get("Signed") {
+                if _signed == "false" {
+                    if let Some(_date) = event_data.get("UtcTime") {
+                        println!("Date : {} (UTC)", _date);
+                    }
+                    println!("Log : Sysmon");
+                    println!("EventID : 7");
+                    println!("Message : Unsigned Image (DLL)");
+                    if let Some(_image) = event_data.get("Image") {
+                        println!("Result : Loaded by: {}", _image);
+                    }
+                    if let Some(_command_line) = event_data.get("ImageLoaded") {
+                        println!("Command : {}", _command_line);
+                    }
+                    println!("");
+                }
             }
-            println!("Log : Sysmon");
-            println!("EventID : 7");
-            //# TBD
-            println!("");
         }
     }
 
-    fn check_command(&mut self, event_id: String, event_data: HashMap) {
-        //# TBD
+    fn check_command(&mut self, _event_id: String, _command_line: String) {
+        let _result = "(TBD)";
+        let _decoded = "(TBD)";
+
+        // TBD
+
+        // Write-Output $obj
+        println!("EventID : {}", _event_id);
+        println!("Message : Suspicious Command Line");
+        println!("Result : {}", _result);
+        println!("Command : {}", _command_line);
+        println!("Decoded : {}", _decoded);
     }
 }
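Review bot: `check_command` prints `Message : Suspicious Command Line` with `(TBD)` placeholders for every command line it receives, so until the real pattern check is written every process-create event is reported as suspicious and the `Result`/`Decoded` fields carry literal `(TBD)` text that a reader or parser cannot distinguish from a finding. Gating the five `println!` calls on the outcome of the actual check, or placing an early `return;` after the `// TBD` marker until that check exists, keeps the report honest. In `check_for_unsigned_files`, `_signed == "false"` is a case-sensitive comparison of a string field; if the source can emit a capitalised `False` the event is silently skipped, so `_signed.eq_ignore_ascii_case("false")` is the safer form — worth confirming against real event data. The leading underscores on `_event_id`, `_command_line`, `_result` and `_decoded` conventionally mark unused bindings although all four are read, which will mislead a later reader.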