From 5f6908e1a9a3a239e50b980559be76f8978b75f8 Mon Sep 17 00:00:00 2001
From: Satoshi MIMURA
Date: Sun, 18 Oct 2020 04:43:33 +0900
Subject: [PATCH 1/4] add : applocker.rs

---
 src/detections/applocker.rs | 49 +++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 src/detections/applocker.rs

diff --git a/src/detections/applocker.rs b/src/detections/applocker.rs
new file mode 100644
index 00000000..dd67c1a0
--- /dev/null
+++ b/src/detections/applocker.rs
@@ -0,0 +1,49 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct AppLocker {}
+
+impl AppLocker {
+ pub fn new() -> AppLocker {
+ AppLocker {}
+ }
+
+ pub fn detection(
+ &mut self,
+ event_id: String,
+ AppLocker: &event::AppLocker,
+ event_data: HashMap,
+ ) {
+ if event_id == "8003" {
+ &self.AppLocker_log_warning();
+ } else if event_id == "8004" {
+ &self.AppLocker_log_block(event_data);
+ }
+ // -- Not Implemented 8006 and 8007 on DeepBlueCLI, but reserved these ID. --
+ //
+ //} else if event_id == "8006" {
+ // &self.windows_event_log(event_data);
+ //} else if event_id == "8007" {
+ // &self.windows_event_log(event_data);
+ //}
+ }
+
+ fn AppLocker_log_warning(&mut self, applocker: &event::AppLocker) {
+ let re = Regex::new(r" was .*$").unwrap();
+ let command = re.replace_all(message, "");
+
+ println!("Message Applocker Warning");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+
+ fn AppLocker_log_block(&mut self, applocker: &event::AppLocker) {
+ let re = Regex::new(r" was .*$").unwrap();
+ let command = re.replace_all(message, "");
+
+ println!("Message Applocker Block");
+ println!("Command : {}", command);
+ println!("Results : {}", message);
+ }
+
+}

From 4649ff97b35748466b32249185048778c24da3b3 Mon Sep 17 00:00:00 2001
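Review bot: `event_data: HashMap` in the `detection` signature carries no type parameters, and with `use std::collections::HashMap;` in scope (no alias visible) rustc rejects that as missing generics, so this file will not build; the same bare `HashMap` survives as `_event_data: HashMap` in PATCH 2/4 and PATCH 4/4. `detection.rs` (PATCH 3/4) passes the same `event_data` it hands to the other detectors, so the parameter should carry whatever type arguments those signatures declare for the result of `event.parse_event_data()` — e.g. `_event_data: HashMap<String, String>` if that is the map type, to be confirmed against the caller. The other compile errors in this hunk (`Regex` not imported, `message` undefined in both log methods, `AppLocker_log_warning()` called without its declared argument) are addressed in PATCH 2/4.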
From: kazuminn
Date: Sat, 31 Oct 2020 19:06:36 +0900
Subject: [PATCH 2/4] fix applocker

---
 src/detections/applocker.rs | 42 ++++++++++++++++++++-----------------
 src/detections/mod.rs | 1 +
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/src/detections/applocker.rs b/src/detections/applocker.rs
index dd67c1a0..f378d339 100644
--- a/src/detections/applocker.rs
+++ b/src/detections/applocker.rs
@@ -1,4 +1,7 @@
+extern crate regex;
+
 use crate::models::event;
+use regex::Regex;
 use std::collections::HashMap;
 
 pub struct AppLocker {}
@@ -11,39 +14,40 @@ impl AppLocker {
 pub fn detection(
 &mut self,
 event_id: String,
- AppLocker: &event::AppLocker,
- event_data: HashMap,
+ _system: &event::System,
+ _event_data: HashMap,
 ) {
- if event_id == "8003" {
- &self.AppLocker_log_warning();
- } else if event_id == "8004" {
- &self.AppLocker_log_block(event_data);
- }
- // -- Not Implemented 8006 and 8007 on DeepBlueCLI, but reserved these ID. --
- //
- //} else if event_id == "8006" {
- // &self.windows_event_log(event_data);
- //} else if event_id == "8007" {
- // &self.windows_event_log(event_data);
- //}
+ self.appLocker_log_warning(&event_id, &_system);
+ self.appLocker_log_block(&event_id, &_system);
 }
 
- fn AppLocker_log_warning(&mut self, applocker: &event::AppLocker) {
+ fn appLocker_log_warning(&mut self, event_id: &String, system: &event::System) {
+ if event_id != "8003" {
+ return;
+ }
+
 let re = Regex::new(r" was .*$").unwrap();
- let command = re.replace_all(message, "");
+ let default = "".to_string();
+ let message = &system.message.as_ref().unwrap_or(&default);
+ let command = re.replace_all(&message, "");
 
 println!("Message Applocker Warning");
 println!("Command : {}", command);
 println!("Results : {}", message);
 }
 
- fn AppLocker_log_block(&mut self, applocker: &event::AppLocker) {
+ fn appLocker_log_block(&mut self, event_id: &String, system: &event::System) {
+ if event_id != "8004" {
+ return;
+ }
+
 let re = Regex::new(r" was .*$").unwrap();
- let command = re.replace_all(message, "");
+ let default = "".to_string();
+ let message = &system.message.as_ref().unwrap_or(&default);
+ let command = re.replace_all(&message, "");
 
 println!("Message Applocker Block");
 println!("Command : {}", command);
 println!("Results : {}", message);
 }
-
 }
diff --git a/src/detections/mod.rs b/src/detections/mod.rs
index 11454f71..ad3011e6 100644
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -1,4 +1,5 @@
 mod application;
+mod applocker;
 mod common;
 mod configs;
 pub mod detection;
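Review bot: Both `appLocker_log_warning` and `appLocker_log_block` recompile the same pattern with `Regex::new(r" was .*$").unwrap()` on every event; since `AppLocker` is an empty struct with a `new()` (outside this hunk), the compiled regex belongs there: `pub struct AppLocker { re: Regex }`, `AppLocker { re: Regex::new(r" was .*$").unwrap() }` in `new()`, and `self.re.replace_all(&message, "")` in both methods. The two methods are otherwise identical apart from the event id and the `Warning`/`Block` label, so one private helper taking the label would remove the duplicate; `event_id: &String` should be `&str`, neither method mutates state so `&self` suffices, and the leading underscore on `_system` signals an unused parameter although it is forwarded to both calls. Note also that `replace_all` cuts the message at its first ` was `, so a path that itself contains ` was ` is truncated in the `Command :` line — the full text is still printed on the `Results :` line, so nothing is lost, but the `Command` value should not be treated as the exact path.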
From 481cbaa18e0373b23a5a36765f7f104b33faefdd Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Sat, 31 Oct 2020 19:12:09 +0900
Subject: [PATCH 3/4] exec from detection.rs

---
 src/detections/detection.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index fbb6e111..aec7c3e8 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -2,6 +2,7 @@ extern crate csv;
 extern crate quick_xml;
 
 use crate::detections::application;
+use crate::detections::applocker;
 use crate::detections::common;
 use crate::detections::powershell;
 use crate::detections::security;
@@ -29,6 +30,7 @@ impl Detection {
 let mut security = security::Security::new();
 let mut system = system::System::new();
 let mut application = application::Application::new();
+ let mut applocker = applocker::AppLocker::new();
 let mut sysmon = sysmon::Sysmon::new();
 let mut powershell = powershell::PowerShell::new();
 
@@ -41,7 +43,6 @@ impl Detection {
 let event_data = event.parse_event_data();
 
 &common.detection(&event.system, &event_data);
- //&common.detection(&event.system, &event_data);
 if channel == "Security" {
 &security.detection(event_id, &event.system, &event.user_data, event_data);
 } else if channel == "System" {
@@ -52,6 +53,8 @@ impl Detection {
 &powershell.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-Sysmon/Operational" {
 &sysmon.detection(event_id, &event.system, event_data);
+ } else if channel == "Microsoft-Windows-Applocker/Operational" {
+ &applocker.detection(event_id, &event.system, event_data);
 } else {
 //&other.detection();
 }

From c481aa74363936dcfed3ca9b76d3bb6322da960a Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Sat, 31 Oct 2020 19:13:08 +0900
Subject: [PATCH 4/4] refactor

---
 src/detections/applocker.rs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
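Review bot: The new branch matches `channel == "Microsoft-Windows-Applocker/Operational"`, but as far as I know AppLocker has no Operational channel: the 8003/8004 events this detector handles are written to `Microsoft-Windows-AppLocker/EXE and DLL` (8006/8007 to `Microsoft-Windows-AppLocker/MSI and Script`), and the comparison is case-sensitive (`AppLocker`, capital L), so `applocker.detection` would never be reached and those events would be silently dropped. DeepBlueCLI, which the comment in PATCH 1/4 references, keys on the `EXE and DLL` log name if I recall correctly; confirm against the `<Channel>` element of a real 8004 record, then change the literal to e.g. `} else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {`. The enclosing method starts and ends outside this hunk.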
diff --git a/src/detections/applocker.rs b/src/detections/applocker.rs
index f378d339..2862bc3c 100644
--- a/src/detections/applocker.rs
+++ b/src/detections/applocker.rs
@@ -17,11 +17,11 @@ impl AppLocker {
 _system: &event::System,
 _event_data: HashMap,
 ) {
- self.appLocker_log_warning(&event_id, &_system);
- self.appLocker_log_block(&event_id, &_system);
+ self.applocker_log_warning(&event_id, &_system);
+ self.applocker_log_block(&event_id, &_system);
 }
 
- fn appLocker_log_warning(&mut self, event_id: &String, system: &event::System) {
+ fn applocker_log_warning(&mut self, event_id: &String, system: &event::System) {
 if event_id != "8003" {
 return;
 }
@@ -36,7 +36,7 @@ impl AppLocker {
 println!("Results : {}", message);
 }
 
- fn appLocker_log_block(&mut self, event_id: &String, system: &event::System) {
+ fn applocker_log_block(&mut self, event_id: &String, system: &event::System) {
 if event_id != "8004" {
 return;
 }