Merge branch 'master' into feature/powershell

nishikawaakira
2020-10-09 18:54:09 +09:00
committed by GitHub
5 changed files with 1300 additions and 9 deletions


@@ -5,6 +5,7 @@ use crate::detections::application;
use crate::detections::common;
use crate::detections::powershell;
use crate::detections::security;
use crate::detections::sysmon;
use crate::detections::system;
use crate::models::event;
use evtx::EvtxParser;
@@ -30,6 +31,7 @@ impl Detection {
let mut security = security::Security::new();
let mut system = system::System::new();
let mut application = application::Application::new();
let mut sysmon = sysmon::Sysmon::new();
let mut powershell = powershell::PowerShell::new();
let mut f = File::open("whitelist.txt").expect("file not found");
@@ -49,13 +51,15 @@ impl Detection {
&common.detection(&event.system, &event_data);
//&common.detection(&event.system, &event_data);
if channel == "Security" {
&security.detection(event_id, &event.system, event_data);
&security.detection(event_id, &event.system, &event.user_data, event_data);
} else if channel == "System" {
&system.detection(event_id, &event.system, event_data);
} else if channel == "Application" {
&application.detection(event_id, &event.system, event_data);
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
&powershell.detection(event_id, &event.system, event_data, &mut rdr);
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
&sysmon.detection(event_id, &event.system, event_data);
} else {
//&other.detection();
}
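Review bot: The new lines `&security.detection(event_id, &event.system, &event.user_data, event_data);` and `&powershell.detection(event_id, &event.system, event_data, &mut rdr);` keep the leading `&`, which only borrows the call's result and drops it on the spot — rustc reports this as an unused borrow, and it reads as if something were being retained. Dropping it on the new lines (and, while here, on the sibling `system`/`application`/`sysmon` calls) gives `security.detection(event_id, &event.system, &event.user_data, event_data);` and `powershell.detection(event_id, &event.system, event_data, &mut rdr);`. The commented-out `//&common.detection(&event.system, &event_data);` appears to stand in for the live call directly above it; if the shared detection pass is being disabled on purpose, a one-line comment saying why would serve better than dead code. The enclosing method, and the definition of `rdr`, start outside the hunk, so whether `rdr` is still valid to hand to `powershell` as `&mut` at this point cannot be confirmed from here.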