CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

create configs

Browse Source
This commit is contained in:
ichiichi11
2020-10-11 23:40:08 +09:00
parent 0663f8403d
commit 261676574a
5 changed files with 95 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/detections/powershell.rs
View File

@@ -16,20 +16,15 @@ impl PowerShell {
event_id: String,
_system: &event::System,
event_data: HashMap<String, String>,
rdr: &mut csv::Reader<&[u8]>,
) {
if event_id == "4103" {
&self.execute_pipeline(&event_data, rdr);
&self.execute_pipeline(&event_data);
} else if event_id == "4104" {
&self.execute_remote_command(&event_data, rdr);
&self.execute_remote_command(&event_data);
}
}
fn execute_pipeline(
&mut self,
event_data: &HashMap<String, String>,
rdr: &mut csv::Reader<&[u8]>,
) {
fn execute_pipeline(&mut self, event_data: &HashMap<String, String>) {
// パイプライン実行をしています
let default = String::from("");
let commandline = event_data.get("ContextInfo").unwrap_or(&default);
@@ -45,23 +40,19 @@ impl PowerShell {
let command = rm_after.replace_all(&temp_command_with_extra, "");
if command != "" {
utils::check_command(4103, &command, 1000, 0, &default, &default, rdr);
utils::check_command(4103, &command, 1000, 0, &default, &default);
}
}
}
fn execute_remote_command(
&mut self,
event_data: &HashMap<String, String>,
rdr: &mut csv::Reader<&[u8]>,
) {
fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
// リモートコマンドを実行します
let default = String::from("");
let message_num = event_data.get("MessageNumber");
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if let Some(_) = message_num {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
utils::check_command(4104, &commandline, 1000, 0, &default, &default);
}
}
}