diff --git a/src/detections/application.rs b/src/detections/application.rs
index 921a841b..4162c276 100644
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -25,7 +25,7 @@ impl Application {
fn emet(&mut self, system: &event::System) {
match &system.provider.name {
Some(name) => {
- if (name != "EMET") {
+ if name != "EMET" {
return;
}
}
diff --git a/src/detections/powershell.rs b/src/detections/powershell.rs
index df9edf53..17566307 100644
--- a/src/detections/powershell.rs
+++ b/src/detections/powershell.rs
@@ -57,11 +57,12 @@ impl PowerShell {
) {
// リモートコマンドを実行します
let default = String::from("");
- let message_num = event_data.get("MessageNumber");
- let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
-
- if let Some(_) = message_num {
- utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
+ let path = event_data.get("Path").unwrap().to_string();
+ if path == "".to_string() {
+ let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
+ if commandline.to_string() != default {
+ utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
+ }
}
}
}
diff --git a/src/detections/security.rs b/src/detections/security.rs
index 97a30ce5..7818e7c2 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -261,7 +261,10 @@ impl Security {
}
msges.push("Sensititive Privilege Use Exceeds Threshold".to_string());
- msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string());
+ msges.push(
+ "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made"
+ .to_string(),
+ );
let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str);
msges.push(format!("Username: {}", username));
@@ -335,7 +338,9 @@ impl Security {
// let v_username = Vec::new();
let mut v_username = Vec::new();
- self.passspray_2_user.keys().for_each(|u| v_username.push(u));
+ self.passspray_2_user
+ .keys()
+ .for_each(|u| v_username.push(u));
v_username.sort();
let usernames: String = v_username.iter().fold(
self.empty_str.to_string(),
@@ -665,7 +670,8 @@ mod tests {
// eventidが異なりヒットしないパターン
#[test]
fn test_add_member_security_group_noteq_eventid() {
- let xml_str = get_add_member_security_group_xml().replace(r"4732", r"4757");
+ let xml_str = get_add_member_security_group_xml()
+ .replace(r"4732", r"4757");
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -683,7 +689,10 @@ mod tests {
// グループがAdministratorsじゃなくてHitしないパターン
#[test]
fn test_add_member_security_not_administrators() {
- let xml_str = get_add_member_security_group_xml().replace(r"Administrators", r"local");
+ let xml_str = get_add_member_security_group_xml().replace(
+ r"Administrators",
+ r"local",
+ );
let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| {
println!("{}", e.to_string());
@@ -746,10 +755,7 @@ mod tests {
&"Username: ".to_string(),
ite.next().unwrap_or(&"".to_string())
);
- assert_eq!(
- &"User SID: ",
- ite.next().unwrap_or(&"".to_string())
- );
+ assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string()));
assert_eq!(Option::None, ite.next());
}
@@ -795,10 +801,10 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
-
+
sec.max_failed_logons = 5;
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|i| {
sec.failed_logon(
&event.system.event_id.to_string(),
&event.parse_event_data(),
@@ -813,9 +819,13 @@ mod tests {
fn test_failed_logon_hit() {
let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"Administrator", r"localuser")).unwrap();
+ let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"Administrator",
+ r"localuser",
+ ))
+ .unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -825,13 +835,13 @@ mod tests {
);
assert_eq!(1, sec.total_failed_logons);
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
- let fail_cnt = i +1;
+ let fail_cnt = i + 1;
assert_eq!(fail_cnt, sec.total_failed_logons);
if fail_cnt > 5 {
let v = sec.disp_login_failed().unwrap();
@@ -848,7 +858,7 @@ mod tests {
&format!("Total logon failures: {}", fail_cnt),
ite.next().unwrap_or(&"".to_string())
);
- // assert_eq!(Option::None, ite.next());
+ // assert_eq!(Option::None, ite.next());
} else {
assert_eq!(Option::None, sec.disp_login_failed());
}
@@ -870,14 +880,25 @@ mod tests {
);
}
- // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
- #[test]
- fn test_failed_logon_noteq_eventid() {
+ // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。
+ #[test]
+ fn test_failed_logon_noteq_eventid() {
let xml_str = get_failed_logon_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626")).unwrap();
- let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626").replace(r"Administrator", r"localuser")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(
+ &xml_str.replace(r"4625", r"4626"),
+ )
+ .unwrap();
+ let event_another: event::Evtx = quick_xml::de::from_str(
+ &xml_str
+ .replace(r"4625", r"4626")
+ .replace(
+ r"Administrator",
+ r"localuser",
+ ),
+ )
+ .unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_failed_logons = 5;
// メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目
@@ -887,16 +908,16 @@ mod tests {
);
assert_eq!(0, sec.total_failed_logons);
- let ite = [1,2,3,4,5,6,7].iter();
- ite.for_each(|_i|{
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
+ ite.for_each(|_i| {
sec.failed_logon(
&event_another.system.event_id.to_string(),
&event_another.parse_event_data(),
);
assert_eq!(0, sec.total_failed_logons);
assert_eq!(Option::None, sec.disp_login_failed());
- });
- }
+ });
+ }
fn get_failed_logon_xml() -> String {
return r#"
@@ -940,7 +961,8 @@ mod tests {
192.168.198.149
33083
- "#.to_string();
+ "#
+ .to_string();
}
// Hitするパターンとしないパターンをまとめてテスト
@@ -949,10 +971,10 @@ mod tests {
let xml_str = get_sensitive_prividedge_hit();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
- let ite = [1,2,3,4,5,6,7].iter();
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
// i == 7ときにHitしない
@@ -984,15 +1006,19 @@ mod tests {
// eventidが異なるので、Hitしないテスト
#[test]
fn test_sensitive_priviledge_noteq_eventid() {
- let xml_str = get_sensitive_prividedge_hit().replace(r"4673", r"4674");
+ let xml_str = get_sensitive_prividedge_hit()
+ .replace(r"4673", r"4674");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
- let mut sec = security::Security::new();
+ let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6;
- let ite = [1,2,3,4,5,6,7].iter();
+ let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i| {
- let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
+ let msg = sec.sensitive_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
assert_eq!(Option::None, msg);
});
}
@@ -1037,16 +1063,31 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
- assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"Possible Hidden Service Attempt".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"User: Sec504".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"Target service: nginx".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"WRITE_DAC".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(Option::None, ite.next());
}
@@ -1054,11 +1095,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_accessmask() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"%%1539",r"%%1538")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"%%1539",
+ r"%%1538",
+ ))
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1066,11 +1114,18 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_service() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"C:\Windows\System32\services.exe",r"C:\Windows\System32\lsass.exe")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
+ r"C:\Windows\System32\services.exe",
+ r"C:\Windows\System32\lsass.exe",
+ ))
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1078,11 +1133,17 @@ mod tests {
#[test]
fn test_attempt_priviledge_noteq_eventid() {
let xml_str = get_attempt_priviledge_xml();
- let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4674",r"4675")).unwrap();
+ let event: event::Evtx = quick_xml::de::from_str(
+ &xml_str.replace(r"4674", r"4675"),
+ )
+ .unwrap();
let mut sec = security::Security::new();
- let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
-
+ let msg = sec.attempt_priviledge(
+ &event.system.event_id.to_string(),
+ &event.parse_event_data(),
+ );
+
assert_eq!(Option::None, msg);
}
@@ -1130,12 +1191,11 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
- test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
+ test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
// counterがreset確認のため、2回実行
- test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true);
+ test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
}
-
// eventid異なるので、Hitしないはず
#[test]
fn test_pass_spray_noteq_eventid() {
@@ -1144,12 +1204,12 @@ mod tests {
sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6;
- test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
+ test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
// counterがreset確認のため、2回実行
- test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false);
+ test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
}
- fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) {
+ fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) {
[1,2,3,4,5,6,7].iter().for_each(|i| {
let rep_str = format!(r#"smisenar{}"#,i);
let event_id_tag = format!("{}", event_id);
@@ -1173,7 +1233,7 @@ mod tests {
});
});
}
-
+
fn get_passs_pray_hit() -> String {
return r#"
@@ -1224,22 +1284,32 @@ mod tests {
assert_ne!(Option::None, msg);
let v = msg.unwrap();
let mut ite = v.iter();
- assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string()));
- assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string()));
+ assert_eq!(
+ &"Audit Log Clear".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"The Audit log was cleared".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
+ assert_eq!(
+ &"Security ID: jwrig".to_string(),
+ ite.next().unwrap_or(&"".to_string())
+ );
assert_eq!(Option::None, ite.next());
}
// eventid違うのでHitしないはず
#[test]
fn test_audit_log_cleared_noteq_eventid() {
- let xml_str = get_audit_log_cleared_xml().replace(r"1102", r"1103");
+ let xml_str = get_audit_log_cleared_xml()
+ .replace(r"1102", r"1103");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new();
let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data);
assert_eq!(Option::None, msg);
- }
+ }
fn get_audit_log_cleared_xml() -> String {
return r#"
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index ba9aaf39..0855e2da 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -88,58 +88,36 @@ pub fn check_command(
fn check_obfu(string: &str) -> std::string::String {
let mut obfutext = "".to_string();
let lowercasestring = string.to_lowercase();
- let length = lowercasestring.len();
+ let length = lowercasestring.len() as f64;
let mut minpercent = 0.65;
let maxbinary = 0.50;
let mut re = Regex::new(r"[a-z0-9/¥;:|.]").unwrap();
- let mut noalphastring = "";
- if let Some(_caps) = re.captures(&lowercasestring) {
- if let Some(_data) = _caps.get(0) {
- noalphastring = _data.as_str();
- }
- }
+ let noalphastring = re.replace_all(&lowercasestring, "");
re = Regex::new(r"[01]").unwrap();
- let mut nobinarystring = "";
- if let Some(_caps) = re.captures(&lowercasestring) {
- if let Some(_data) = _caps.get(0) {
- nobinarystring = _data.as_str();
- }
- }
+ let nobinarystring = re.replace_all(&lowercasestring, "");
- if length > 0 {
- let mut percent = (length - noalphastring.len()) / length;
- if ((length / 100) as f64) < minpercent {
- minpercent = (length / 100) as f64;
+ if length > 0.0 {
+ let mut percent = (length - noalphastring.len() as f64) / length;
+ if ((length / 100.0) as f64) < minpercent {
+ minpercent = length / 100.0;
}
- if percent < minpercent as usize {
+
+ if percent < minpercent {
obfutext.push_str("Possible command obfuscation: only ");
-
- re = Regex::new(r"\{0:P0}").unwrap();
- let percent = &percent.to_string();
- if let Some(_caps) = re.captures(percent) {
- if let Some(_data) = _caps.get(0) {
- obfutext.push_str(_data.as_str());
- }
- }
-
- obfutext.push_str("alphanumeric and common symbols\n");
+ let percent = (percent * 100.0) as usize;
+ obfutext.push_str(&percent.to_string());
+ obfutext.push_str("% alphanumeric and common symbols\n");
}
- percent = (nobinarystring.len().wrapping_sub(length) / length) / length;
- let binarypercent = 1_usize.wrapping_sub(percent);
- if binarypercent > maxbinary as usize {
+
+ percent = ((nobinarystring.len().wrapping_sub(length as usize) as f64) / length) / length;
+ let binarypercent = 1.0 - percent;
+ if binarypercent > maxbinary {
obfutext.push_str("Possible command obfuscation: ");
-
- re = Regex::new(r"\{0:P0}").unwrap();
- let binarypercent = &binarypercent.to_string();
- if let Some(_caps) = re.captures(binarypercent) {
- if let Some(_data) = _caps.get(0) {
- obfutext.push_str(_data.as_str());
- }
- }
-
- obfutext.push_str("zeroes and ones (possible numeric or binary encoding)\n");
+ let binarypercent = (binarypercent * 100.0) as usize;
+ obfutext.push_str(&binarypercent.to_string());
+ obfutext.push_str("% zeroes and ones (possible numeric or binary encoding)\n");
}
}
return obfutext;