Add: DeepBlueCLI PowerShell's rules

2020-10-05 02:24:55 +09:00
parent 3ea4381393
commit 2220500a9c
3 changed files with 56 additions and 0 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -4,6 +4,7 @@ use crate::detections::application;
 use crate::detections::common;
 use crate::detections::security;
 use crate::detections::system;
+use crate::detections::powershell;
 use crate::models::event;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
@@ -26,6 +27,7 @@ impl Detection {
        let mut security = security::Security::new();
        let mut system = system::System::new();
        let mut application = application::Application::new();
+        let mut powershell = powershell::PowerShell::new();

        for record in parser.records() {
            match record {
@@ -43,6 +45,8 @@ impl Detection {
                        &system.detection(event_id, &event.system, event_data);
                    } else if channel == "Application" {
                        &application.detection(event_id, &event.system, event_data);
+                    } else if channel == "Microsoft-Windows-PowerShell/Operational" {
+                        &powershell.detection(event_id, &event.system, event_data);
                    } else {
                        //&other.detection();
                    }
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -1,6 +1,7 @@
 mod application;
 mod common;
 pub mod detection;
+mod powershell;
 mod security;
 mod system;
 mod utils;
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -0,0 +1,51 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct PowerShell {}
+
+impl PowerShell {
+    pub fn new() -> PowerShell {
+        PowerShell {}
+    }
+
+    pub fn detection(
+        &mut self,
+        event_id: String,
+        _system: &event::System,
+        event_data: HashMap<String, String>,
+    ) {
+        if event_id == "4103" {
+            &self.execute_pipeline(&event_data);
+        } else if event_id == "4104" {
+            &self.execute_remote_command(&event_data);
+        }
+    }
+
+    fn execute_pipeline(&mut self, _event_data: &HashMap<String, String>) {
+        // PowerShell Error Code: 4103 is absent.
+        // ToDo: Correct Log & Check
+        return;
+    }
+
+    fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
+        println!(
+            "<Execute Remote Command from Powershell Log>
+    Path: {}
+    MessageTotal: {}
+    ScriptBlockText: {}
+    ScriptBlockId: {}
+    MessageNumber: {}",
+            event_data.get("Path").unwrap_or(&String::from("")),
+            event_data.get("MessageTotal").unwrap_or(&String::from("")),
+            event_data
+                .get("ScriptBlockText")
+                .unwrap_or(&String::from("")),
+            event_data
+                .get("ScriptBlockId")
+                .unwrap_or(&String::from("")),
+            event_data.get("MessageNumber").unwrap_or(&String::from("")),
+        );
+
+        return;
+    }
+}