CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update: read messages from rules/**.toml

Browse Source
This commit is contained in:
itiB
2020-10-29 23:00:55 +09:00
parent c53b4b6f46
commit 1d8a9c19d2
8 changed files with 61 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/detections/powershell.rs
View File

@@ -1,8 +1,8 @@
use crate::detections::utils;
use crate::models::event;
use crate::detections::print::MESSAGES;
use regex::Regex;
use std::collections::HashMap;
extern crate csv;
pub struct PowerShell {}
@@ -25,6 +25,10 @@ impl PowerShell {
if event_id != "4103" {
return;
}
let message = MESSAGES.lock().unwrap();
println!("{}", message.return_message("4103"));
let default = String::from("");
let commandline = event_data.get("ContextInfo").unwrap_or(&default);
@@ -48,6 +52,9 @@ impl PowerShell {
if event_id != "4104" {
return;
}
let message = MESSAGES.lock().unwrap();
println!("{}", message.return_message("4104"));
let default = String::from("");
let path = event_data.get("Path").unwrap().to_string();
if path == "".to_string() {