Update: call check_command() from PowerShell's error 4104

2020-10-06 00:55:36 +09:00
parent 2220500a9c
commit 7f2bbcc1f1
1 changed files with 18 additions and 17 deletions
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -1,5 +1,9 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;
+extern crate csv;

 pub struct PowerShell {}

@@ -28,23 +32,20 @@ impl PowerShell {
    }

    fn execute_remote_command(&mut self, event_data: &HashMap<String, String>) {
-        println!(
-            "<Execute Remote Command from Powershell Log>
-    Path: {}
-    MessageTotal: {}
-    ScriptBlockText: {}
-    ScriptBlockId: {}
-    MessageNumber: {}",
-            event_data.get("Path").unwrap_or(&String::from("")),
-            event_data.get("MessageTotal").unwrap_or(&String::from("")),
-            event_data
-                .get("ScriptBlockText")
-                .unwrap_or(&String::from("")),
-            event_data
-                .get("ScriptBlockId")
-                .unwrap_or(&String::from("")),
-            event_data.get("MessageNumber").unwrap_or(&String::from("")),
-        );
+        // リモートコマンドを実行します
+        let default = String::from("");
+        let message_num = event_data.get("MessageNumber");
+        let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
+
+        let mut f = File::open("whitelist.txt").expect("file not found");
+        let mut contents = String::new();
+        let _ = f.read_to_string(&mut contents);
+
+        let rdr = csv::Reader::from_reader(contents.as_bytes());
+        match message_num {
+            Some(_) => utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr),
+            _ => {}
+        }

        return;
    }