Merge branch 'feature/sysmon3' of https://github.com/YamatoSecurity/YamatoEventAnalyzer into feature/sysmon3

2020-11-01 16:07:49 +09:00
parent 52a165ea19 ea56104c0f
commit 42309b14be
2 changed files with 35 additions and 58 deletions
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -51,7 +51,7 @@ impl Detection {
                        &application.detection(event_id, &event.system, event_data);
                    } else if channel == "Microsoft-Windows-PowerShell/Operational" {
                        &powershell.detection(event_id, &event.system, event_data);
-                    } else if channel == "Microsoft-Windows-Sysmon/Operational" {
+                    } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
                        &sysmon.detection(event_id, &event.system, event_data);
                    } else if channel == "Microsoft-Windows-Applocker/Operational" {
                        &applocker.detection(event_id, &event.system, event_data);
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,82 +1,59 @@
+use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;

 pub struct Sysmon {
-    checkunsigned: u64,
+    checkunsigned: u16,
 }

 impl Sysmon {
    pub fn new() -> Sysmon {
-        Sysmon {
-            //checkunsigned: 0, //  DeepBlueでは0固定
-            checkunsigned: 1, //  開発用に1
-        }
+        Sysmon { checkunsigned: 0 }
    }

    pub fn detection(
        &mut self,
        event_id: String,
-        system: &event::System,
+        _system: &event::System,
        event_data: HashMap<String, String>,
    ) {
-        if event_id == "1" {
-            &self.check_command_lines(event_data);
-        } else if event_id == "7" {
-            &self.check_for_unsigned_files(event_data);
-        }
+        self.check_command_lines(&event_id, &event_data);
+        self.check_for_unsigned_files(&event_id, &event_data);
    }

-    fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
-        // Check command lines
+    fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
+        if event_id != "1" {
+            return;
+        }
+
        if let Some(_command_line) = event_data.get("CommandLine") {
-            if let Some(_date) = event_data.get("UtcTime") {
-                println!("Date    : {} (UTC)", _date);
-            }
-            println!("Log     : Sysmon");
-            //if let Some(_creater) = event_data.get("ParentImage") {
-            //    println!("_creater : {}", _image);
-            //}
-            self.check_command("1".to_string(), _command_line.to_string());
-            println!("");
+            let default = "".to_string();
+            let _creater = event_data.get("ParentImage").unwrap_or(&default);
+
+            check_command(1, _command_line, 1000, 0, "", _creater);
        }
    }

-    fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
-        // Check for unsigned EXEs/DLLs:
-        // This can be very chatty, so it's disabled.
-        // Set $checkunsigned to 1 (global variable section) to enable:
+    fn check_for_unsigned_files(
+        &mut self,
+        event_id: &String,
+        event_data: &HashMap<String, String>,
+    ) {
+        if event_id != "7" {
+            return;
+        }
+
        if self.checkunsigned == 1 {
-            if let Some(_signed) = event_data.get("Signed") {
-                if _signed == "false" {
-                    if let Some(_date) = event_data.get("UtcTime") {
-                        println!("Date    : {} (UTC)", _date);
-                    }
-                    println!("Log     : Sysmon");
-                    println!("EventID : 7");
-                    println!("Message : Unsigned Image (DLL)");
-                    if let Some(_image) = event_data.get("Image") {
-                        println!("Result  : Loaded by: {}", _image);
-                    }
-                    if let Some(_command_line) = event_data.get("ImageLoaded") {
-                        println!("Command : {}", _command_line);
-                    }
-                    println!("");
-                }
+            let default = "".to_string();
+            let _signed = event_data.get("Signed").unwrap_or(&default);
+            if _signed == "false" {
+                let _image = event_data.get("Image").unwrap_or(&default);
+                let _command_line = event_data.get("ImageLoaded").unwrap_or(&default);
+
+                println!("Message : Unsigned Image (DLL)");
+                println!("Result  : Loaded by: {}", _image);
+                println!("Command : {}", _command_line);
            }
-        }
-    }
-
-    fn check_command(&mut self, _event_id: String, _command_line: String) {
-        let _result = "(TBD)";
-        let _decoded = "(TBD)";
-
-        //  TBD
-
-        //  Write-Output $obj
-        println!("EventID : {}", _event_id);
-        println!("Message : Suspicious Command Line");
-        println!("Result  : {}", _result);
-        println!("Command : {}", _command_line);
-        println!("Decoded : {}", _decoded);
+        };
    }
 }