From e2086ea0b8b8cf10ebafe89f01f522847f327cc3 Mon Sep 17 00:00:00 2001 From: siamease Date: Wed, 7 Oct 2020 02:09:02 +0900 Subject: [PATCH 1/8] add utils::check_command support --- src/detections/sysmon.rs | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 165e39db..a34e4462 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -1,5 +1,8 @@ use crate::models::event; +use crate::detections::utils::check_command; use std::collections::HashMap; +use std::fs::File; +use std::io::prelude::*; pub struct Sysmon { checkunsigned: u64, @@ -33,11 +36,17 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); - //if let Some(_creater) = event_data.get("ParentImage") { - // println!("_creater : {}", _image); - //} - self.check_command("1".to_string(), _command_line.to_string()); - println!(""); + if let Some(_creater) = event_data.get("ParentImage") { + //println!("_creater : {}", _image); + let minlength = 100; // TBD + let mut f = File::open("whitelist.txt").expect("file not found"); + let mut contents = String::new(); + f.read_to_string(&mut contents); + let rdr = csv::Reader::from_reader(contents.as_bytes()); + //self.check_command("1".to_string(), _command_line.to_string()); + check_command(1, _command_line, minlength, 0, "", _creater, rdr); + } + println!(""); } } @@ -66,6 +75,7 @@ impl Sysmon { } } + /* fn check_command(&mut self, _event_id: String, _command_line: String) { let _result = "(TBD)"; let _decoded = "(TBD)"; @@ -79,4 +89,5 @@ impl Sysmon { println!("Command : {}", _command_line); println!("Decoded : {}", _decoded); } + */ } From dd6f3c39a45a457b129b2fe6726bd8e15786f808 Mon Sep 17 00:00:00 2001 From: siamease Date: Wed, 7 Oct 2020 02:11:07 +0900 Subject: [PATCH 2/8] cleanup --- src/detections/sysmon.rs | 30 +++++++----------------------- 1 file changed, 7 insertions(+), 23 deletions(-) 
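Review bot: `f.read_to_string(&mut contents);` discards its `io::Result`, so a `whitelist.txt` that exists but cannot be read (permissions, non-UTF-8 bytes) silently leaves `contents` empty and `check_command` runs against an empty whitelist, while the line above, `File::open("whitelist.txt").expect("file not found")`, aborts the whole run if the file is absent — two different failure modes for one allow-list that suppresses detections. Handle it once and visibly, e.g. `let contents = std::fs::read_to_string("whitelist.txt").unwrap_or_else(|e| { eprintln!("whitelist.txt: {}", e); String::new() });`, so the fallback is logged rather than a panic or silence. The file is also opened and parsed again for every event this method handles and is resolved against the current working directory; loading it once from an explicit path, by the caller, would be both cheaper and harder to tamper with. With the call now nested inside `if let Some(_creater) = event_data.get("ParentImage")`, an event that lacks `ParentImage` is no longer checked at all, whereas the removed `self.check_command(...)` ran unconditionally. The enclosing method begins before this hunk.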
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index a34e4462..81ffd25e 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -36,15 +36,15 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); + let minlength = 100; // TBD + let mut f = File::open("whitelist.txt").expect("file not found"); + let mut contents = String::new(); + f.read_to_string(&mut contents); + let rdr = csv::Reader::from_reader(contents.as_bytes()); if let Some(_creater) = event_data.get("ParentImage") { - //println!("_creater : {}", _image); - let minlength = 100; // TBD - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - f.read_to_string(&mut contents); - let rdr = csv::Reader::from_reader(contents.as_bytes()); - //self.check_command("1".to_string(), _command_line.to_string()); check_command(1, _command_line, minlength, 0, "", _creater, rdr); + } else { + check_command(1, _command_line, minlength, 0, "", "", rdr); } println!(""); } @@ -74,20 +74,4 @@ impl Sysmon { } } } - - /* - fn check_command(&mut self, _event_id: String, _command_line: String) { - let _result = "(TBD)"; - let _decoded = "(TBD)"; - - // TBD - - // Write-Output $obj - println!("EventID : {}", _event_id); - println!("Message : Suspicious Command Line"); - println!("Result : {}", _result); - println!("Command : {}", _command_line); - println!("Decoded : {}", _decoded); - } - */ } From e2f9e0bdc6ce3e457b2b9ed64312b01863ff6e51 Mon Sep 17 00:00:00 2001 From: siamease Date: Sun, 25 Oct 2020 00:38:05 +0900 Subject: [PATCH 3/8] fix --- src/detections/sysmon.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 81ffd25e..7ce01b93 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs 
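Review bot: `f.read_to_string(&mut contents);` still ignores its `io::Result`, so an unreadable or non-UTF-8 `whitelist.txt` yields an empty CSV and `check_command` runs with no whitelist, while a missing file still panics through the `.expect("file not found")` two lines above; an allow-list that can suppress a detection deserves one explicit, logged failure path, e.g. `let contents = std::fs::read_to_string("whitelist.txt").unwrap_or_else(|e| { eprintln!("whitelist.txt: {}", e); String::new() });`. Hoisting the load above the `if let` is the right direction, but it still runs once per event inside this method; building the reader once (or using `csv::Reader::from_path`) in the caller and passing it in avoids re-reading the file for every record. The new `else` branch passes `""` for the parent image, so `check_command` cannot tell "no `ParentImage` in the event" from an empty value — an `Option<&str>` parameter would, though that depends on its signature in `utils`, which is outside this diff. The enclosing method begins before this hunk.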
@@ -36,7 +36,7 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); - let minlength = 100; // TBD + let minlength = 1000; let mut f = File::open("whitelist.txt").expect("file not found"); let mut contents = String::new(); f.read_to_string(&mut contents); @@ -46,7 +46,6 @@ impl Sysmon { } else { check_command(1, _command_line, minlength, 0, "", "", rdr); } - println!(""); } } @@ -69,7 +68,6 @@ impl Sysmon { if let Some(_command_line) = event_data.get("ImageLoaded") { println!("Command : {}", _command_line); } - println!(""); } } } From c914078b87a0bb9d68323c39816e15561320af32 Mon Sep 17 00:00:00 2001 From: siamease Date: Sun, 25 Oct 2020 01:01:19 +0900 Subject: [PATCH 4/8] fix --- src/detections/sysmon.rs | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 7ce01b93..628bba17 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -1,5 +1,5 @@ -use crate::models::event; use crate::detections::utils::check_command; +use crate::models::event; use std::collections::HashMap; use std::fs::File; use std::io::prelude::*; @@ -12,7 +12,7 @@ impl Sysmon { pub fn new() -> Sysmon { Sysmon { //checkunsigned: 0, // DeepBlueでは0固定 - checkunsigned: 1, // 開発用に1 + checkunsigned: 1, // 開発用に1 (configから設定可能になる予定) } } 
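Review bot: `let minlength = 1000;` replaces the `// TBD` placeholder with an unexplained magic number; from the call `check_command(1, _command_line, minlength, 0, "", _creater, rdr)` it is presumably the command-line length below which the long-command heuristic does not fire, but nothing in the hunk says so or where 1000 came from. Because an attacker who learns the cut-off can keep a payload just under it, the threshold should be a named constant with its provenance recorded and, like the other tunables, eventually come from config: `const MIN_CMDLINE_LEN: usize = 1000; // long command-line threshold (same value as DeepBlue-CLI?) — TODO: read from config`, with the integer type adjusted to what `check_command` takes. The enclosing method begins before this hunk.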
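Review bot: `Sysmon::new()` still hard-codes `checkunsigned: 1`, which the Japanese comment this hunk edits describes as a development value (roughly: "fixed at 0 in DeepBlue; 1 for development, to be made configurable from config"), so every build keeps the development setting and only the comment changed. Until the config plumbing exists, default to the documented DeepBlue value and let callers opt in — keep `new()` at `checkunsigned: 0` and add `pub fn with_checkunsigned(checkunsigned: u64) -> Sysmon` — and write the note in English so other maintainers see the intent: `// 0 = DeepBlue-CLI default; 1 enables the unsigned-image check during development. TODO: read from config.` Whether 1 enables an unsigned-image check is inferred from the field name only; confirm against the code that reads it, which is outside this hunk. The whole body of `new()` is inside the hunk.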
@@ -37,14 +37,16 @@ impl Sysmon { } println!("Log : Sysmon"); let minlength = 1000; - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - f.read_to_string(&mut contents); - let rdr = csv::Reader::from_reader(contents.as_bytes()); + //let mut f = File::open("whitelist.txt").expect("file not found"); + //let mut contents = String::new(); + //f.read_to_string(&mut contents); + //let rdr = csv::Reader::from_reader(contents.as_bytes()); if let Some(_creater) = event_data.get("ParentImage") { - check_command(1, _command_line, minlength, 0, "", _creater, rdr); + //check_command(1, _command_line, minlength, 0, "", _creater, rdr); + check_command(1, _command_line, minlength, 0, "", _creater); } else { - check_command(1, _command_line, minlength, 0, "", "", rdr); + //check_command(1, _command_line, minlength, 0, "", "", rdr); + check_command(1, _command_line, minlength, 0, "", ""); } } } From 714e4b0038fe5e3f82daafa97c7e798356ea2eb4 Mon Sep 17 00:00:00 2001 From: siamease Date: Wed, 7 Oct 2020 02:09:02 +0900 Subject: [PATCH 5/8] add utils::check_command support --- src/detections/sysmon.rs | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 165e39db..a34e4462 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -1,5 +1,8 @@ use crate::models::event; +use crate::detections::utils::check_command; use std::collections::HashMap; +use std::fs::File; +use std::io::prelude::*; pub struct Sysmon { checkunsigned: u64, 
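Review bot: Commenting out the `File::open("whitelist.txt")` / `csv::Reader` block and the old `check_command(..., rdr)` calls with `//` leaves six lines of dead code in the event path; git keeps the history, so delete them, and with them `use std::fs::File;` and `use std::io::prelude::*;`, which appear to have no remaining user after this change (nothing else in the series references `File`) and will now warn as unused. The substantive effect — `check_command` no longer receives a whitelist at all — is silent here: if `utils::check_command` dropped that parameter, every command line now goes through the heuristic unfiltered, which may be intended but should be stated in the commit message rather than `fix`. `let minlength = 1000;` stays an unexplained literal and the `else` branch still passes `""` for a missing `ParentImage`. The enclosing method begins before this hunk.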
@@ -33,11 +36,17 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); - //if let Some(_creater) = event_data.get("ParentImage") { - // println!("_creater : {}", _image); - //} - self.check_command("1".to_string(), _command_line.to_string()); - println!(""); + if let Some(_creater) = event_data.get("ParentImage") { + //println!("_creater : {}", _image); + let minlength = 100; // TBD + let mut f = File::open("whitelist.txt").expect("file not found"); + let mut contents = String::new(); + f.read_to_string(&mut contents); + let rdr = csv::Reader::from_reader(contents.as_bytes()); + //self.check_command("1".to_string(), _command_line.to_string()); + check_command(1, _command_line, minlength, 0, "", _creater, rdr); + } + println!(""); } } @@ -66,6 +75,7 @@ impl Sysmon { } } + /* fn check_command(&mut self, _event_id: String, _command_line: String) { let _result = "(TBD)"; let _decoded = "(TBD)"; @@ -79,4 +89,5 @@ impl Sysmon { println!("Command : {}", _command_line); println!("Decoded : {}", _decoded); } + */ } From f5edf867e243129514cf267c0c43f28ddcf8db1c Mon Sep 17 00:00:00 2001 From: siamease Date: Wed, 7 Oct 2020 02:11:07 +0900 Subject: [PATCH 6/8] cleanup --- src/detections/sysmon.rs | 30 +++++++----------------------- 1 file changed, 7 insertions(+), 23 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index a34e4462..81ffd25e 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs 
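Review bot: `f.read_to_string(&mut contents);` drops its `io::Result`, so an unreadable `whitelist.txt` silently becomes an empty whitelist while a missing one panics via `.expect("file not found")` on the line above; handle both with one logged fallback such as `std::fs::read_to_string("whitelist.txt").unwrap_or_else(|e| { eprintln!("whitelist.txt: {}", e); String::new() })`, and load the file once rather than for every event. Nesting the call inside `if let Some(_creater) = event_data.get("ParentImage")` also means an event without `ParentImage` is no longer checked, unlike the removed unconditional `self.check_command(...)`. This hunk is byte-identical to the one in PATCH 1/8 (same subject, timestamp and `index 165e39db..a34e4462`), so the series appears to re-apply commits 1–4 as 5–8 and should be squashed before merge. The enclosing method begins before this hunk.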
@@ -36,15 +36,15 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); + let minlength = 100; // TBD + let mut f = File::open("whitelist.txt").expect("file not found"); + let mut contents = String::new(); + f.read_to_string(&mut contents); + let rdr = csv::Reader::from_reader(contents.as_bytes()); if let Some(_creater) = event_data.get("ParentImage") { - //println!("_creater : {}", _image); - let minlength = 100; // TBD - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - f.read_to_string(&mut contents); - let rdr = csv::Reader::from_reader(contents.as_bytes()); - //self.check_command("1".to_string(), _command_line.to_string()); check_command(1, _command_line, minlength, 0, "", _creater, rdr); + } else { + check_command(1, _command_line, minlength, 0, "", "", rdr); } println!(""); } @@ -74,20 +74,4 @@ impl Sysmon { } } } - - /* - fn check_command(&mut self, _event_id: String, _command_line: String) { - let _result = "(TBD)"; - let _decoded = "(TBD)"; - - // TBD - - // Write-Output $obj - println!("EventID : {}", _event_id); - println!("Message : Suspicious Command Line"); - println!("Result : {}", _result); - println!("Command : {}", _command_line); - println!("Decoded : {}", _decoded); - } - */ } From 50ebf31b10ab5cc89fb40c4ab8684baf1e7385c6 Mon Sep 17 00:00:00 2001 From: siamease Date: Sun, 25 Oct 2020 00:38:05 +0900 Subject: [PATCH 7/8] fix --- src/detections/sysmon.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 81ffd25e..7ce01b93 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -36,7 +36,7 @@ impl Sysmon { println!("Date : {} (UTC)", _date); } println!("Log : Sysmon"); - let minlength = 100; // TBD + let minlength = 1000; let mut f = File::open("whitelist.txt").expect("file not found"); let mut contents = String::new(); f.read_to_string(&mut contents); 
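Review bot: `f.read_to_string(&mut contents);` still ignores its `io::Result`, and `.expect("file not found")` two lines above still aborts the run; the whitelist load needs one explicit, logged failure path and should happen once in the caller rather than for every event in this method. The new `else` branch passes `""` for a missing `ParentImage`, which `check_command` cannot distinguish from an empty parent path; an `Option<&str>` would, subject to its signature in `utils`. This hunk repeats PATCH 2/8 verbatim (`index a34e4462..81ffd25e`), so it presumably should not exist as a separate commit. The enclosing method begins before this hunk.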
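Review bot: `let minlength = 1000;` is a magic number with no comment on what it thresholds or where the value came from; presumably it is the command-line length below which the heuristic stays quiet, exactly the kind of cut-off an attacker can stay under, so name it — `const MIN_CMDLINE_LEN: usize = 1000; // long command-line threshold — TODO: read from config` (with the integer type `check_command` expects). This hunk duplicates PATCH 3/8 (`index 81ffd25e..7ce01b93`). The enclosing method begins before this hunk.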
@@ -46,7 +46,6 @@ impl Sysmon { } else { check_command(1, _command_line, minlength, 0, "", "", rdr); } - println!(""); } } @@ -69,7 +68,6 @@ impl Sysmon { if let Some(_command_line) = event_data.get("ImageLoaded") { println!("Command : {}", _command_line); } - println!(""); } } } From 5c938693bf4c937dcb0cff1211d0c64ae25f9a84 Mon Sep 17 00:00:00 2001 From: siamease Date: Sun, 25 Oct 2020 01:01:19 +0900 Subject: [PATCH 8/8] fix --- src/detections/sysmon.rs | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs index 7ce01b93..628bba17 100644 --- a/src/detections/sysmon.rs +++ b/src/detections/sysmon.rs @@ -1,5 +1,5 @@ -use crate::models::event; use crate::detections::utils::check_command; +use crate::models::event; use std::collections::HashMap; use std::fs::File; use std::io::prelude::*; @@ -12,7 +12,7 @@ impl Sysmon { pub fn new() -> Sysmon { Sysmon { //checkunsigned: 0, // DeepBlueでは0固定 - checkunsigned: 1, // 開発用に1 + checkunsigned: 1, // 開発用に1 (configから設定可能になる予定) } } 
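Review bot: `Sysmon::new()` keeps the hard-coded development value `checkunsigned: 1`; only the Japanese comment changed, now saying it is planned to become configurable. Default to the documented DeepBlue value 0 and let callers opt in (`pub fn with_checkunsigned(checkunsigned: u64) -> Sysmon`), and put the note in English: `// 0 = DeepBlue-CLI default; 1 is a development value. TODO: read from config.` This hunk duplicates PATCH 4/8 (`index 7ce01b93..628bba17`). The whole body of `new()` is inside the hunk.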
@@ -37,14 +37,16 @@ impl Sysmon { } println!("Log : Sysmon"); let minlength = 1000; - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - f.read_to_string(&mut contents); - let rdr = csv::Reader::from_reader(contents.as_bytes()); + //let mut f = File::open("whitelist.txt").expect("file not found"); + //let mut contents = String::new(); + //f.read_to_string(&mut contents); + //let rdr = csv::Reader::from_reader(contents.as_bytes()); if let Some(_creater) = event_data.get("ParentImage") { - check_command(1, _command_line, minlength, 0, "", _creater, rdr); + //check_command(1, _command_line, minlength, 0, "", _creater, rdr); + check_command(1, _command_line, minlength, 0, "", _creater); } else { - check_command(1, _command_line, minlength, 0, "", "", rdr); + //check_command(1, _command_line, minlength, 0, "", "", rdr); + check_command(1, _command_line, minlength, 0, "", ""); } } }
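Review bot: The `//`-commented whitelist loading and the two commented `check_command(..., rdr)` calls are dead code that should be deleted along with the now apparently unused `use std::fs::File;` and `use std::io::prelude::*;`, and the fact that `check_command` no longer receives a whitelist — meaning no command line can be allow-listed any more, if `utils::check_command` dropped that input — belongs in the commit message instead of `fix`. `let minlength = 1000;` and the `""` sentinel for a missing `ParentImage` are unchanged from the earlier patches. This hunk duplicates PATCH 4/8 (`index 7ce01b93..628bba17`). The enclosing method begins before this hunk.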