CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

powershellの解析、Check-Commandの修正

Browse Source
This commit is contained in:
akiranishikawa
2020-10-11 14:47:39 +09:00
parent 22edee0332
commit 850caa8a53
4 changed files with 157 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/detections/powershell.rs
View File

@@ -57,11 +57,12 @@ impl PowerShell {
) {
// リモートコマンドを実行します
let default = String::from("");
let message_num = event_data.get("MessageNumber");
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if let Some(_) = message_num {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
let path = event_data.get("Path").unwrap().to_string();
if path == "".to_string() {
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if commandline.to_string() != default {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
}
}
}
}