CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #18 from YamatoSecurity/feature/applocker

Browse Source 
applocker.rs
This commit is contained in:
nishikawaakira
2020-10-31 20:07:25 +09:00
committed by GitHub
parent b17bff1f99 c481aa7436
commit 52a165ea19
3 changed files with 58 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
src/detections/applocker.rs Normal file
View File

@@ -0,0 +1,53 @@
extern crate regex;
use crate::models::event;
use regex::Regex;
use std::collections::HashMap;
pub struct AppLocker {}
impl AppLocker {
pub fn new() -> AppLocker {
AppLocker {}
}
pub fn detection(
&mut self,
event_id: String,
_system: &event::System,
_event_data: HashMap<String, String>,
) {
self.applocker_log_warning(&event_id, &_system);
self.applocker_log_block(&event_id, &_system);
}
fn applocker_log_warning(&mut self, event_id: &String, system: &event::System) {
if event_id != "8003" {
return;
}
let re = Regex::new(r" was .*$").unwrap();
let default = "".to_string();
let message = &system.message.as_ref().unwrap_or(&default);
let command = re.replace_all(&message, "");
println!("Message Applocker Warning");
println!("Command : {}", command);
println!("Results : {}", message);
}
fn applocker_log_block(&mut self, event_id: &String, system: &event::System) {
if event_id != "8004" {
return;
}
let re = Regex::new(r" was .*$").unwrap();
let default = "".to_string();
let message = &system.message.as_ref().unwrap_or(&default);
let command = re.replace_all(&message, "");
println!("Message Applocker Block");
println!("Command : {}", command);
println!("Results : {}", message);
}
}

5
src/detections/detection.rs
View File

@@ -2,6 +2,7 @@ extern crate csv;
extern crate quick_xml; extern crate quick_xml;
use crate::detections::application; use crate::detections::application;
use crate::detections::applocker;
use crate::detections::common; use crate::detections::common;
use crate::detections::powershell; use crate::detections::powershell;
use crate::detections::security; use crate::detections::security;
@@ -29,6 +30,7 @@ impl Detection {
let mut security = security::Security::new(); let mut security = security::Security::new();
let mut system = system::System::new(); let mut system = system::System::new();
let mut application = application::Application::new(); let mut application = application::Application::new();
let mut applocker = applocker::AppLocker::new();
let mut sysmon = sysmon::Sysmon::new(); let mut sysmon = sysmon::Sysmon::new();
let mut powershell = powershell::PowerShell::new(); let mut powershell = powershell::PowerShell::new();
@@ -41,7 +43,6 @@ impl Detection {
let event_data = event.parse_event_data(); let event_data = event.parse_event_data();
&common.detection(&event.system, &event_data); &common.detection(&event.system, &event_data);
//&common.detection(&event.system, &event_data);
if channel == "Security" { if channel == "Security" {
&security.detection(event_id, &event.system, &event.user_data, event_data); &security.detection(event_id, &event.system, &event.user_data, event_data);
} else if channel == "System" { } else if channel == "System" {
@@ -52,6 +53,8 @@ impl Detection {
&powershell.detection(event_id, &event.system, event_data); &powershell.detection(event_id, &event.system, event_data);
} else if channel == "Microsoft-Windows-Sysmon/Operational" { } else if channel == "Microsoft-Windows-Sysmon/Operational" {
&sysmon.detection(event_id, &event.system, event_data); &sysmon.detection(event_id, &event.system, event_data);
} else if channel == "Microsoft-Windows-Applocker/Operational" {
&applocker.detection(event_id, &event.system, event_data);
} else { } else {
//&other.detection(); //&other.detection();
} }

1
src/detections/mod.rs
View File

@@ -1,4 +1,5 @@
mod application; mod application;
mod applocker;
mod common; mod common;
mod configs; mod configs;
pub mod detection; pub mod detection;