Update: call check_command() from PowerShell's error 4104

src/detections/powershell.rs

@@ -1,5 +1,9 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;
+extern crate csv;
 
 pub struct PowerShell {}
 
@@ -28,23 +32,20 @@ impl PowerShell {
     }
 
     fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
-        println!(
+        // リモートコマンドを実行します
-            "<Execute Remote Command from Powershell Log>
+        let default = String::from("");
-    Path: {}
+        let message_num = event_data.get("MessageNumber");
-    MessageTotal: {}
+        let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
-    ScriptBlockText: {}
+
-    ScriptBlockId: {}
+        let mut f = File::open("whitelist.txt").expect("file not found");
-    MessageNumber: {}",
+        let mut contents = String::new();
-            event_data.get("Path").unwrap_or(&String::from("")),
+        let _ = f.read_to_string(&mut contents);
-            event_data.get("MessageTotal").unwrap_or(&String::from("")),
+
-            event_data
+        let rdr = csv::Reader::from_reader(contents.as_bytes());
-                .get("ScriptBlockText")
+        match message_num {
-                .unwrap_or(&String::from("")),
+            Some(_) => utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr),
-            event_data
+            _ => {}
-                .get("ScriptBlockId")
+        }
-                .unwrap_or(&String::from("")),
-            event_data.get("MessageNumber").unwrap_or(&String::from("")),
-        );
 
         return;
     }