Merge branch 'master' into feature/powershell
@@ -5,6 +5,7 @@ use crate::detections::application;
|
||||
use crate::detections::common;
|
||||
use crate::detections::powershell;
|
||||
use crate::detections::security;
|
||||
use crate::detections::sysmon;
|
||||
use crate::detections::system;
|
||||
use crate::models::event;
|
||||
use evtx::EvtxParser;
|
||||
@@ -30,6 +31,7 @@ impl Detection {
|
||||
let mut security = security::Security::new();
|
||||
let mut system = system::System::new();
|
||||
let mut application = application::Application::new();
|
||||
let mut sysmon = sysmon::Sysmon::new();
|
||||
let mut powershell = powershell::PowerShell::new();
|
||||
|
||||
let mut f = File::open("whitelist.txt").expect("file not found");
|
||||
@@ -49,13 +51,15 @@ impl Detection {
|
||||
&common.detection(&event.system, &event_data);
|
||||
//&common.detection(&event.system, &event_data);
|
||||
if channel == "Security" {
|
||||
&security.detection(event_id, &event.system, event_data);
|
||||
&security.detection(event_id, &event.system, &event.user_data, event_data);
|
||||
} else if channel == "System" {
|
||||
&system.detection(event_id, &event.system, event_data);
|
||||
} else if channel == "Application" {
|
||||
&application.detection(event_id, &event.system, event_data);
|
||||
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
|
||||
&powershell.detection(event_id, &event.system, event_data, &mut rdr);
|
||||
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
|
||||
&sysmon.detection(event_id, &event.system, event_data);
|
||||
} else {
|
||||
//&other.detection();
|
||||
}
|
||||
|
||||
@@ -3,5 +3,6 @@ mod common;
|
||||
pub mod detection;
|
||||
mod powershell;
|
||||
mod security;
|
||||
mod sysmon;
|
||||
mod system;
|
||||
mod utils;
|
||||
|
||||
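--- /dev/null
+++ b/src/detections/sysmon.rs
@@ -0,0 +1,82 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct Sysmon {
+checkunsigned: u64,
+}
+
+impl Sysmon {
+pub fn new() -> Sysmon {
+Sysmon {
+//checkunsigned: 0, // DeepBlueでは0固定
+checkunsigned: 1, // 開発用に1
+}
+}
+
+pub fn detection(
+&mut self,
+event_id: String,
+system: &event::System,
+event_data: HashMap<String, String>,
+) {
+if event_id == "1" {
+&self.check_command_lines(event_data);
+} else if event_id == "7" {
+&self.check_for_unsigned_files(event_data);
+}
+}
+
+fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
+// Check command lines
+if let Some(_command_line) = event_data.get("CommandLine") {
+if let Some(_date) = event_data.get("UtcTime") {
+println!("Date : {} (UTC)", _date);
+}
+println!("Log : Sysmon");
+//if let Some(_creater) = event_data.get("ParentImage") {
+// println!("_creater : {}", _image);
+//}
+self.check_command("1".to_string(), _command_line.to_string());
+println!("");
+}
+}
+
+fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
+// Check for unsigned EXEs/DLLs:
+// This can be very chatty, so it's disabled.
+// Set $checkunsigned to 1 (global variable section) to enable:
+if self.checkunsigned == 1 {
+if let Some(_signed) = event_data.get("Signed") {
+if _signed == "false" {
+if let Some(_date) = event_data.get("UtcTime") {
+println!("Date : {} (UTC)", _date);
+}
+println!("Log : Sysmon");
+println!("EventID : 7");
+println!("Message : Unsigned Image (DLL)");
+if let Some(_image) = event_data.get("Image") {
+println!("Result : Loaded by: {}", _image);
+}
+if let Some(_command_line) = event_data.get("ImageLoaded") {
+println!("Command : {}", _command_line);
+}
+println!("");
+}
+}
+}
+}
+
+fn check_command(&mut self, _event_id: String, _command_line: String) {
+let _result = "(TBD)";
+let _decoded = "(TBD)";
+
+// TBD
+
+// Write-Output $obj
+println!("EventID : {}", _event_id);
+println!("Message : Suspicious Command Line");
+println!("Result : {}", _result);
+println!("Command : {}", _command_line);
+println!("Decoded : {}", _decoded);
+}
+}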
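Review bot: `check_command` is still a `(TBD)` stub, so `check_command_lines` reports every Sysmon EventID 1 that carries a `CommandLine` as `Suspicious Command Line` with result `(TBD)` — on a real host that is every process creation, which buries any genuine finding in noise. Until the matching logic lands, either gate the call or at least say so in code, e.g. `// TODO: no matching yet — every process creation with a CommandLine is reported` above `self.check_command(...)`. `new()` sets `checkunsigned: 1` (the Japanese comment marks this as a development value, with `0` being the DeepBlue default) while the comment in `check_for_unsigned_files` still claims the chatty check is disabled, so the shipped default and its documentation disagree — `checkunsigned: 0, // DeepBlue default; set to 1 only for development` would make them agree again. In the EventID 7 branch the `ImageLoaded` value is printed under the label `Command : ` from a variable named `_command_line`, which misreads in the report — `println!("Loaded : {}", image_loaded)` says what it actually is. Note too that these values are copied verbatim from the log, so anything an attacker placed in a command line or image path, including terminal escape sequences, reaches the analyst's console unescaped via `println!`.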
@@ -72,12 +72,32 @@ pub struct EventData {
|
||||
pub data: Option<Vec<Data>>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, PartialEq)]
|
||||
pub struct UserData {
|
||||
#[serde(rename = "LogFileCleared")]
|
||||
pub log_file_cleared: Option<LogFileCleared>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, PartialEq)]
|
||||
pub struct LogFileCleared {
|
||||
#[serde(rename = "SubjectUserSid")]
|
||||
pub subject_user_sid: Option<String>,
|
||||
#[serde(rename = "SubjectUserName")]
|
||||
pub subject_user_name: Option<String>,
|
||||
#[serde(rename = "SubjectDomainName")]
|
||||
pub subject_domain_name: Option<String>,
|
||||
#[serde(rename = "SubjectLogonId")]
|
||||
pub subject_logon_id: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, PartialEq)]
|
||||
pub struct Evtx {
|
||||
#[serde(rename = "System")]
|
||||
pub system: System,
|
||||
#[serde(rename = "EventData")]
|
||||
pub event_data: Option<EventData>,
|
||||
#[serde(rename = "UserData")]
|
||||
pub user_data: Option<UserData>,
|
||||
}
|
||||
|
||||
impl Evtx {
|
||||
|
||||