Add: DeepBlueCLI PowerShell's rules
@@ -4,6 +4,7 @@ use crate::detections::application;
|
|||||||
use crate::detections::common;
|
use crate::detections::common;
|
||||||
use crate::detections::security;
|
use crate::detections::security;
|
||||||
use crate::detections::system;
|
use crate::detections::system;
|
||||||
|
use crate::detections::powershell;
|
||||||
use crate::models::event;
|
use crate::models::event;
|
||||||
use evtx::EvtxParser;
|
use evtx::EvtxParser;
|
||||||
use quick_xml::de::DeError;
|
use quick_xml::de::DeError;
|
||||||
@@ -26,6 +27,7 @@ impl Detection {
|
|||||||
let mut security = security::Security::new();
|
let mut security = security::Security::new();
|
||||||
let mut system = system::System::new();
|
let mut system = system::System::new();
|
||||||
let mut application = application::Application::new();
|
let mut application = application::Application::new();
|
||||||
|
let mut powershell = powershell::PowerShell::new();
|
||||||
|
|
||||||
for record in parser.records() {
|
for record in parser.records() {
|
||||||
match record {
|
match record {
|
||||||
@@ -43,6 +45,8 @@ impl Detection {
|
|||||||
&system.detection(event_id, &event.system, event_data);
|
&system.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Application" {
|
} else if channel == "Application" {
|
||||||
&application.detection(event_id, &event.system, event_data);
|
&application.detection(event_id, &event.system, event_data);
|
||||||
|
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
|
||||||
|
&powershell.detection(event_id, &event.system, event_data);
|
||||||
} else {
|
} else {
|
||||||
//&other.detection();
|
//&other.detection();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
mod application;
|
mod application;
|
||||||
mod common;
|
mod common;
|
||||||
pub mod detection;
|
pub mod detection;
|
||||||
|
mod powershell;
|
||||||
mod security;
|
mod security;
|
||||||
mod system;
|
mod system;
|
||||||
mod utils;
|
mod utils;
|
||||||
|
|||||||
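--- /dev/null
+++ b/src/detections/powershell.rs
@@ -0,0 +1,51 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct PowerShell {}
+
+impl PowerShell {
+pub fn new() -> PowerShell {
+PowerShell {}
+}
+
+pub fn detection(
+&mut self,
+event_id: String,
+_system: &event::System,
+event_data: HashMap<String, String>,
+) {
+if event_id == "4103" {
+&self.execute_pipeline(&event_data);
+} else if event_id == "4104" {
+&self.execute_remote_command(&event_data);
+}
+}
+
+fn execute_pipeline(&mut self, _event_data: &HashMap<String, String>) {
+// PowerShell Error Code: 4103 is absent.
+// ToDo: Correct Log & Check
+return;
+}
+
+fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
+println!(
+"<Execute Remote Command from Powershell Log>
+Path: {}
+MessageTotal: {}
+ScriptBlockText: {}
+ScriptBlockId: {}
+MessageNumber: {}",
+event_data.get("Path").unwrap_or(&String::from("")),
+event_data.get("MessageTotal").unwrap_or(&String::from("")),
+event_data
+.get("ScriptBlockText")
+.unwrap_or(&String::from("")),
+event_data
+.get("ScriptBlockId")
+.unwrap_or(&String::from("")),
+event_data.get("MessageNumber").unwrap_or(&String::from("")),
+);
+
+return;
+}
+}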
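Review bot: The statements `&self.execute_pipeline(&event_data);` and `&self.execute_remote_command(&event_data);` in `detection` borrow the `()` result of the call and immediately discard it, which rustc reports as an unused borrow; they should read `self.execute_pipeline(&event_data);` and `self.execute_remote_command(&event_data);` (the same `&` prefix is copied into the new `Microsoft-Windows-PowerShell/Operational` branch of `Detection` above). In `execute_remote_command` every `unwrap_or(&String::from(""))` allocates a fresh `String` even when the key is present; `event_data.get("Path").map(String::as_str).unwrap_or("")` avoids that for each of the five fields. The name `execute_remote_command` suggests the method runs something, but it only prints the 4104 (script block logging) record, so a doc comment such as `/// Print a PowerShell 4104 script block record; ScriptBlockText is written to stdout exactly as logged, so it may contain arbitrary text from the script.` would prevent misreading. The trailing `return;` statements and the `&mut self` receivers are not needed, since neither method mutates state.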