diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index aec7c3e8..d19722d3 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -51,7 +51,7 @@ impl Detection {
 &application.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-PowerShell/Operational" {
 &powershell.detection(event_id, &event.system, event_data);
- } else if channel == "Microsoft-Windows-Sysmon/Operational" {
+ } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
 &sysmon.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-Applocker/Operational" {
 &applocker.detection(event_id, &event.system, event_data);
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 165e39db..37f01874 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
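Review bot: The rewritten condition on the `-`/`+` pair routes `Microsoft-Windows-AppLocker/EXE and DLL` events into `sysmon.detection`, and unless another branch outside the hunk still matches `Microsoft-Windows-Sysmon/Operational`, Sysmon events now fall through while AppLocker events are handled by code that reads Sysmon fields (`CommandLine`, `Signed`, `Image`, `ImageLoaded`). The unchanged line below still calls `&sysmon.detection(...)`, and a separate `Microsoft-Windows-Applocker/Operational` → `applocker` branch already exists, which suggests the new channel was meant to be an additional AppLocker branch rather than a replacement of the Sysmon one. Suggested: keep `} else if channel == "Microsoft-Windows-Sysmon/Operational" {` in front of the sysmon call and add `} else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" { &applocker.detection(event_id, &event.system, event_data);` next to the existing Applocker branch. The `&` in front of these unit-returning calls creates an unused reference on every branch; dropping it would also silence the warning. The enclosing `Detection` method begins and ends outside the hunk.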
@@ -1,82 +1,59 @@
+use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;
 pub struct Sysmon {
- checkunsigned: u64,
+ checkunsigned: u16,
 }
 impl Sysmon {
 pub fn new() -> Sysmon {
- Sysmon {
- //checkunsigned: 0, // DeepBlueでは0固定
- checkunsigned: 1, // 開発用に1
- }
+ Sysmon { checkunsigned: 0 }
 }
 pub fn detection(
 &mut self,
 event_id: String,
- system: &event::System,
+ _system: &event::System,
 event_data: HashMap,
 ) {
- if event_id == "1" {
- &self.check_command_lines(event_data);
- } else if event_id == "7" {
- &self.check_for_unsigned_files(event_data);
- }
+ self.check_command_lines(&event_id, &event_data);
+ self.check_for_unsigned_files(&event_id, &event_data);
 }
- fn check_command_lines(&mut self, event_data: HashMap) {
- // Check command lines
+ fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap) {
+ if event_id != "1" {
+ return;
+ }
+
 if let Some(_command_line) = event_data.get("CommandLine") {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- //if let Some(_creater) = event_data.get("ParentImage") {
- // println!("_creater : {}", _image);
- //}
- self.check_command("1".to_string(), _command_line.to_string());
- println!("");
+ let default = "".to_string();
+ let _creater = event_data.get("ParentImage").unwrap_or(&default);
+
+ check_command(1, _command_line, 1000, 0, "", _creater);
 }
 }
- fn check_for_unsigned_files(&mut self, event_data: HashMap) {
- // Check for unsigned EXEs/DLLs:
- // This can be very chatty, so it's disabled.
- // Set $checkunsigned to 1 (global variable section) to enable:
+ fn check_for_unsigned_files(
+ &mut self,
+ event_id: &String,
+ event_data: &HashMap,
+ ) {
+ if event_id != "7" {
+ return;
+ }
+
 if self.checkunsigned == 1 {
- if let Some(_signed) = event_data.get("Signed") {
- if _signed == "false" {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- println!("EventID : 7");
- println!("Message : Unsigned Image (DLL)");
- if let Some(_image) = event_data.get("Image") {
- println!("Result : Loaded by: {}", _image);
- }
- if let Some(_command_line) = event_data.get("ImageLoaded") {
- println!("Command : {}", _command_line);
- }
- println!("");
- }
+ let default = "".to_string();
+ let _signed = event_data.get("Signed").unwrap_or(&default);
+ if _signed == "false" {
+ let _image = event_data.get("Image").unwrap_or(&default);
+ let _command_line = event_data.get("ImageLoaded").unwrap_or(&default);
+
+ println!("Message : Unsigned Image (DLL)");
+ println!("Result : Loaded by: {}", _image);
+ println!("Command : {}", _command_line);
 }
- }
- }
-
- fn check_command(&mut self, _event_id: String, _command_line: String) {
- let _result = "(TBD)";
- let _decoded = "(TBD)";
-
- // TBD
-
- // Write-Output $obj
- println!("EventID : {}", _event_id);
- println!("Message : Suspicious Command Line");
- println!("Result : {}", _result);
- println!("Command : {}", _command_line);
- println!("Decoded : {}", _decoded);
+ };
 }
 }
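Review bot: `check_command(1, _command_line, 1000, 0, "", _creater)` in `check_command_lines` passes four bare positional literals whose meaning cannot be read at the call site, and `check_command`'s signature is outside this diff; name them in a comment or as locals, e.g. `// check_command(event_id, command_line, <max_len?>, <min_len?>, <pattern?>, parent_image)` with the actual parameter names filled in from `utils::check_command`. The unsigned-image path is now hard-wired off — `Sysmon { checkunsigned: 0 }` has no way to be enabled, and the old comment explaining that event 7 output is too chatty and how to turn it on was dropped — so keep that rationale next to the field: `// Event 7 (image load) checks are noisy; checkunsigned stays 0 unless enabled here.`, and a `bool` would express the flag more honestly than `u16 == 1`. It also looks like the rewritten event 7 output no longer prints the `EventID`/`Date` header that the old code emitted, while the event 1 path delegates to `check_command`; if that header is produced elsewhere now, a one-line comment saying so would avoid the question. `event_id: &String` on both helpers should be `&str`, and the `_`-prefixed bindings (`_command_line`, `_creater`, `_signed`, `_image`) are all used, so the underscore only hides their names.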