Merge branch 'feature/sysmon3' of https://github.com/YamatoSecurity/YamatoEventAnalyzer into feature/sysmon3
This commit is contained in:
kazuminn
@@ -51,7 +51,7 @@ impl Detection {
|
|||||||
&application.detection(event_id, &event.system, event_data);
|
&application.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
|
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
|
||||||
&powershell.detection(event_id, &event.system, event_data);
|
&powershell.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
|
} else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
|
||||||
&sysmon.detection(event_id, &event.system, event_data);
|
&sysmon.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Microsoft-Windows-Applocker/Operational" {
|
} else if channel == "Microsoft-Windows-Applocker/Operational" {
|
||||||
&applocker.detection(event_id, &event.system, event_data);
|
&applocker.detection(event_id, &event.system, event_data);
|
||||||
|
|||||||
@@ -1,82 +1,59 @@
|
|||||||
|
use crate::detections::utils::check_command;
|
||||||
use crate::models::event;
|
use crate::models::event;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
pub struct Sysmon {
|
pub struct Sysmon {
|
||||||
checkunsigned: u64,
|
checkunsigned: u16,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Sysmon {
|
impl Sysmon {
|
||||||
pub fn new() -> Sysmon {
|
pub fn new() -> Sysmon {
|
||||||
Sysmon {
|
Sysmon { checkunsigned: 0 }
|
||||||
//checkunsigned: 0, // DeepBlueでは0固定
|
|
||||||
checkunsigned: 1, // 開発用に1
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn detection(
|
pub fn detection(
|
||||||
&mut self,
|
&mut self,
|
||||||
event_id: String,
|
event_id: String,
|
||||||
system: &event::System,
|
_system: &event::System,
|
||||||
event_data: HashMap<String, String>,
|
event_data: HashMap<String, String>,
|
||||||
) {
|
) {
|
||||||
if event_id == "1" {
|
self.check_command_lines(&event_id, &event_data);
|
||||||
&self.check_command_lines(event_data);
|
self.check_for_unsigned_files(&event_id, &event_data);
|
||||||
} else if event_id == "7" {
|
}
|
||||||
&self.check_for_unsigned_files(event_data);
|
|
||||||
}
|
fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
|
||||||
|
if event_id != "1" {
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
|
|
||||||
// Check command lines
|
|
||||||
if let Some(_command_line) = event_data.get("CommandLine") {
|
if let Some(_command_line) = event_data.get("CommandLine") {
|
||||||
if let Some(_date) = event_data.get("UtcTime") {
|
let default = "".to_string();
|
||||||
println!("Date : {} (UTC)", _date);
|
let _creater = event_data.get("ParentImage").unwrap_or(&default);
|
||||||
}
|
|
||||||
println!("Log : Sysmon");
|
check_command(1, _command_line, 1000, 0, "", _creater);
|
||||||
//if let Some(_creater) = event_data.get("ParentImage") {
|
|
||||||
// println!("_creater : {}", _image);
|
|
||||||
//}
|
|
||||||
self.check_command("1".to_string(), _command_line.to_string());
|
|
||||||
println!("");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
|
fn check_for_unsigned_files(
|
||||||
// Check for unsigned EXEs/DLLs:
|
&mut self,
|
||||||
// This can be very chatty, so it's disabled.
|
event_id: &String,
|
||||||
// Set $checkunsigned to 1 (global variable section) to enable:
|
event_data: &HashMap<String, String>,
|
||||||
|
) {
|
||||||
|
if event_id != "7" {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if self.checkunsigned == 1 {
|
if self.checkunsigned == 1 {
|
||||||
if let Some(_signed) = event_data.get("Signed") {
|
let default = "".to_string();
|
||||||
|
let _signed = event_data.get("Signed").unwrap_or(&default);
|
||||||
if _signed == "false" {
|
if _signed == "false" {
|
||||||
if let Some(_date) = event_data.get("UtcTime") {
|
let _image = event_data.get("Image").unwrap_or(&default);
|
||||||
println!("Date : {} (UTC)", _date);
|
let _command_line = event_data.get("ImageLoaded").unwrap_or(&default);
|
||||||
}
|
|
||||||
println!("Log : Sysmon");
|
|
||||||
println!("EventID : 7");
|
|
||||||
println!("Message : Unsigned Image (DLL)");
|
println!("Message : Unsigned Image (DLL)");
|
||||||
if let Some(_image) = event_data.get("Image") {
|
|
||||||
println!("Result : Loaded by: {}", _image);
|
println!("Result : Loaded by: {}", _image);
|
||||||
}
|
|
||||||
if let Some(_command_line) = event_data.get("ImageLoaded") {
|
|
||||||
println!("Command : {}", _command_line);
|
println!("Command : {}", _command_line);
|
||||||
}
|
}
|
||||||
println!("");
|
};
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
fn check_command(&mut self, _event_id: String, _command_line: String) {
|
|
||||||
let _result = "(TBD)";
|
|
||||||
let _decoded = "(TBD)";
|
|
||||||
|
|
||||||
// TBD
|
|
||||||
|
|
||||||
// Write-Output $obj
|
|
||||||
println!("EventID : {}", _event_id);
|
|
||||||
println!("Message : Suspicious Command Line");
|
|
||||||
println!("Result : {}", _result);
|
|
||||||
println!("Command : {}", _command_line);
|
|
||||||
println!("Decoded : {}", _decoded);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user