CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'feature/#11' of https://github.com/YamatoSecurity/YamatoEventAnalyzer into master

Browse Source
This commit is contained in:
Kazuminn
2020-10-11 21:08:06 +09:00
parent 0663f8403d 850caa8a53
commit 38c781fef1
3 changed files with 26 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/detections/application.rs
View File

@@ -25,7 +25,7 @@ impl Application {
fn emet(&mut self, system: &event::System) {
match &system.provider.name {
Some(name) => {
if (name != "EMET") {
if name != "EMET" {
return;
}
}

11
src/detections/powershell.rs
View File

@@ -57,11 +57,12 @@ impl PowerShell {
) {
// リモートコマンドを実行します
let default = String::from("");
let message_num = event_data.get("MessageNumber");
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if let Some(_) = message_num {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
let path = event_data.get("Path").unwrap().to_string();
if path == "".to_string() {
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if commandline.to_string() != default {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
}
}
}
}

60
src/detections/utils.rs
View File

@@ -88,58 +88,36 @@ pub fn check_command(
fn check_obfu(string: &str) -> std::string::String {
let mut obfutext = "".to_string();
let lowercasestring = string.to_lowercase();
let length = lowercasestring.len();
let length = lowercasestring.len() as f64;
let mut minpercent = 0.65;
let maxbinary = 0.50;
let mut re = Regex::new(r"[a-z0-9/¥;:|.]").unwrap();
let mut noalphastring = "";
if let Some(_caps) = re.captures(&lowercasestring) {
if let Some(_data) = _caps.get(0) {
noalphastring = _data.as_str();
}
}
let noalphastring = re.replace_all(&lowercasestring, "");
re = Regex::new(r"[01]").unwrap();
let mut nobinarystring = "";
if let Some(_caps) = re.captures(&lowercasestring) {
if let Some(_data) = _caps.get(0) {
nobinarystring = _data.as_str();
}
}
let nobinarystring = re.replace_all(&lowercasestring, "");
if length > 0 {
let mut percent = (length - noalphastring.len()) / length;
if ((length / 100) as f64) < minpercent {
minpercent = (length / 100) as f64;
if length > 0.0 {
let mut percent = (length - noalphastring.len() as f64) / length;
if ((length / 100.0) as f64) < minpercent {
minpercent = length / 100.0;
}
if percent < minpercent as usize {
if percent < minpercent {
obfutext.push_str("Possible command obfuscation: only ");
re = Regex::new(r"\{0:P0}").unwrap();
let percent = &percent.to_string();
if let Some(_caps) = re.captures(percent) {
if let Some(_data) = _caps.get(0) {
obfutext.push_str(_data.as_str());
}
}
obfutext.push_str("alphanumeric and common symbols\n");
let percent = (percent * 100.0) as usize;
obfutext.push_str(&percent.to_string());
obfutext.push_str("% alphanumeric and common symbols\n");
}
percent = (nobinarystring.len().wrapping_sub(length) / length) / length;
let binarypercent = 1_usize.wrapping_sub(percent);
if binarypercent > maxbinary as usize {
percent = ((nobinarystring.len().wrapping_sub(length as usize) as f64) / length) / length;
let binarypercent = 1.0 - percent;
if binarypercent > maxbinary {
obfutext.push_str("Possible command obfuscation: ");
re = Regex::new(r"\{0:P0}").unwrap();
let binarypercent = &binarypercent.to_string();
if let Some(_caps) = re.captures(binarypercent) {
if let Some(_data) = _caps.get(0) {
obfutext.push_str(_data.as_str());
}
}
obfutext.push_str("zeroes and ones (possible numeric or binary encoding)\n");
let binarypercent = (binarypercent * 100.0) as usize;
obfutext.push_str(&binarypercent.to_string());
obfutext.push_str("% zeroes and ones (possible numeric or binary encoding)\n");
}
}
return obfutext;