diff --git a/src/detections/application.rs b/src/detections/application.rs
index 921a841b..4162c276 100644
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -25,7 +25,7 @@ impl Application {
 fn emet(&mut self, system: &event::System) {
 match &system.provider.name {
 Some(name) => {
- if (name != "EMET") {
+ if name != "EMET" {
 return;
 }
 }
diff --git a/src/detections/powershell.rs b/src/detections/powershell.rs
index df9edf53..17566307 100644
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -57,11 +57,12 @@ impl PowerShell {
 ) {
 // リモートコマンドを実行します
 let default = String::from("");
- let message_num = event_data.get("MessageNumber");
- let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
-
- if let Some(_) = message_num {
- utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
+ let path = event_data.get("Path").unwrap().to_string();
+ if path == "".to_string() {
+ let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
+ if commandline.to_string() != default {
+ utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
+ }
 }
 }
 }
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index ba9aaf39..0855e2da 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
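Review bot: `event_data.get("Path").unwrap()` in the powershell.rs hunk panics whenever a 4104 event carries no `Path` field, so one unusual or malformed log record aborts the entire scan; `ScriptBlockText` on the very next line already falls back to `default`, and `Path` should do the same. Replace the two added lines with `let path = event_data.get("Path").unwrap_or(&default);` and `if path.is_empty() {`. The inner comparison `commandline.to_string() != default` allocates a String only to compare it with an empty one and reads more clearly as `if !commandline.is_empty() {`. The enclosing method's signature starts before the hunk.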
@@ -88,58 +88,36 @@ pub fn check_command( fn check_obfu(string: &str) -> std::string::String { let mut obfutext = "".to_string(); let lowercasestring = string.to_lowercase(); - let length = lowercasestring.len(); + let length = lowercasestring.len() as f64; let mut minpercent = 0.65; let maxbinary = 0.50; let mut re = Regex::new(r"[a-z0-9/¥;:|.]").unwrap(); - let mut noalphastring = ""; - if let Some(_caps) = re.captures(&lowercasestring) { - if let Some(_data) = _caps.get(0) { - noalphastring = _data.as_str(); - } - } + let noalphastring = re.replace_all(&lowercasestring, ""); re = Regex::new(r"[01]").unwrap(); - let mut nobinarystring = ""; - if let Some(_caps) = re.captures(&lowercasestring) { - if let Some(_data) = _caps.get(0) { - nobinarystring = _data.as_str(); - } - } + let nobinarystring = re.replace_all(&lowercasestring, ""); - if length > 0 { - let mut percent = (length - noalphastring.len()) / length; - if ((length / 100) as f64) < minpercent { - minpercent = (length / 100) as f64; + if length > 0.0 { + let mut percent = (length - noalphastring.len() as f64) / length; + if ((length / 100.0) as f64) < minpercent { + minpercent = length / 100.0; } - if percent < minpercent as usize { + + if percent < minpercent { obfutext.push_str("Possible command obfuscation: only "); - - re = Regex::new(r"\{0:P0}").unwrap(); - let percent = &percent.to_string(); - if let Some(_caps) = re.captures(percent) { - if let Some(_data) = _caps.get(0) { - obfutext.push_str(_data.as_str()); - } - } - - obfutext.push_str("alphanumeric and common symbols\n"); + let percent = (percent * 100.0) as usize; + obfutext.push_str(&percent.to_string()); + obfutext.push_str("% alphanumeric and common symbols\n"); } - percent = (nobinarystring.len().wrapping_sub(length) / length) / length; - let binarypercent = 1_usize.wrapping_sub(percent); - if binarypercent > maxbinary as usize { + + percent = ((nobinarystring.len().wrapping_sub(length as usize) as f64) / length) / length; + let 
binarypercent = 1.0 - percent; + if binarypercent > maxbinary { obfutext.push_str("Possible command obfuscation: "); - - re = Regex::new(r"\{0:P0}").unwrap(); - let binarypercent = &binarypercent.to_string(); - if let Some(_caps) = re.captures(binarypercent) { - if let Some(_data) = _caps.get(0) { - obfutext.push_str(_data.as_str()); - } - } - - obfutext.push_str("zeroes and ones (possible numeric or binary encoding)\n"); + let binarypercent = (binarypercent * 100.0) as usize; + obfutext.push_str(&binarypercent.to_string()); + obfutext.push_str("% zeroes and ones (possible numeric or binary encoding)\n"); } } return obfutext;
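Review bot: The binary-encoding ratio on the `percent = ((nobinarystring.len().wrapping_sub(length as usize) as f64) / length) / length;` line is inverted and divides by `length` twice: `nobinarystring` is never longer than the input, so the subtraction wraps to a huge value whenever the text contains any `0` or `1` (the check then never fires), and when it contains none the result is 0, `binarypercent` becomes 1.0 and every such command is reported as "100% zeroes and ones". The intended share of 0/1 characters is `let binarypercent = (length - nobinarystring.len() as f64) / length;`, replacing both that line and `let binarypercent = 1.0 - percent;`. Separately, `len()` counts UTF-8 bytes, so `length` and both remainder lengths overweight multi-byte characters (the character class itself contains `¥`); `.chars().count()` would measure what the percentages describe, though this may be an accepted approximation. The function's closing brace lies outside the hunk.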