CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

powershellの解析、Check-Commandの修正

Browse Source
This commit is contained in:
akiranishikawa
2020-10-11 14:47:39 +09:00
parent 22edee0332
commit 850caa8a53
4 changed files with 157 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/detections/application.rs
View File

@@ -25,7 +25,7 @@ impl Application {
fn emet(&mut self, system: &event::System) { fn emet(&mut self, system: &event::System) {
match &system.provider.name { match &system.provider.name {
Some(name) => { Some(name) => {
if (name != "EMET") { if name != "EMET" {
return; return;
} }
} }

7
src/detections/powershell.rs
View File

@@ -57,11 +57,12 @@ impl PowerShell {
) { ) {
// リモートコマンドを実行します // リモートコマンドを実行します
let default = String::from(""); let default = String::from("");
let message_num = event_data.get("MessageNumber"); let path = event_data.get("Path").unwrap().to_string();
if path == "".to_string() {
let commandline = event_data.get("ScriptBlockText").unwrap_or(&default); let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
if commandline.to_string() != default {
if let Some(_) = message_num {
utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr); utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr);
} }
} }
}
} }

158
src/detections/security.rs
View File

@@ -261,7 +261,10 @@ impl Security {
} }
msges.push("Sensititive Privilege Use Exceeds Threshold".to_string()); msges.push("Sensititive Privilege Use Exceeds Threshold".to_string());
msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string()); msges.push(
"Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made"
.to_string(),
);
let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str); let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str);
msges.push(format!("Username: {}", username)); msges.push(format!("Username: {}", username));
@@ -335,7 +338,9 @@ impl Security {
// let v_username = Vec::new(); // let v_username = Vec::new();
let mut v_username = Vec::new(); let mut v_username = Vec::new();
self.passspray_2_user.keys().for_each(|u| v_username.push(u)); self.passspray_2_user
.keys()
.for_each(|u| v_username.push(u));
v_username.sort(); v_username.sort();
let usernames: String = v_username.iter().fold( let usernames: String = v_username.iter().fold(
self.empty_str.to_string(), self.empty_str.to_string(),
@@ -665,7 +670,8 @@ mod tests {
// eventidが異なりヒットしないパターン // eventidが異なりヒットしないパターン
#[test] #[test]
fn test_add_member_security_group_noteq_eventid() { fn test_add_member_security_group_noteq_eventid() {
let xml_str = get_add_member_security_group_xml().replace(r"<EventID>4732</EventID>", r"<EventID>4757</EventID>"); let xml_str = get_add_member_security_group_xml()
.replace(r"<EventID>4732</EventID>", r"<EventID>4757</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str) let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| { .map_err(|e| {
println!("{}", e.to_string()); println!("{}", e.to_string());
@@ -683,7 +689,10 @@ mod tests {
// グループがAdministratorsじゃなくてHitしないパターン // グループがAdministratorsじゃなくてHitしないパターン
#[test] #[test]
fn test_add_member_security_not_administrators() { fn test_add_member_security_not_administrators() {
let xml_str = get_add_member_security_group_xml().replace(r"<Data Name='TargetUserName'>Administrators</Data>", r"<Data Name='TargetUserName'>local</Data>"); let xml_str = get_add_member_security_group_xml().replace(
r"<Data Name='TargetUserName'>Administrators</Data>",
r"<Data Name='TargetUserName'>local</Data>",
);
let event: event::Evtx = quick_xml::de::from_str(&xml_str) let event: event::Evtx = quick_xml::de::from_str(&xml_str)
.map_err(|e| { .map_err(|e| {
println!("{}", e.to_string()); println!("{}", e.to_string());
@@ -746,10 +755,7 @@ mod tests {
&"Username: ".to_string(), &"Username: ".to_string(),
ite.next().unwrap_or(&"".to_string()) ite.next().unwrap_or(&"".to_string())
); );
assert_eq!( assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string()));
&"User SID: ",
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(Option::None, ite.next()); assert_eq!(Option::None, ite.next());
} }
@@ -797,8 +803,8 @@ mod tests {
let mut sec = security::Security::new(); let mut sec = security::Security::new();
sec.max_failed_logons = 5; sec.max_failed_logons = 5;
let ite = [1,2,3,4,5,6,7].iter(); let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i|{ ite.for_each(|i| {
sec.failed_logon( sec.failed_logon(
&event.system.event_id.to_string(), &event.system.event_id.to_string(),
&event.parse_event_data(), &event.parse_event_data(),
@@ -813,7 +819,11 @@ mod tests {
fn test_failed_logon_hit() { fn test_failed_logon_hit() {
let xml_str = get_failed_logon_xml(); let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='TargetUserName'>Administrator</Data>", r"<Data Name='TargetUserName'>localuser</Data>")).unwrap(); let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='TargetUserName'>Administrator</Data>",
r"<Data Name='TargetUserName'>localuser</Data>",
))
.unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
sec.max_failed_logons = 5; sec.max_failed_logons = 5;
@@ -825,13 +835,13 @@ mod tests {
); );
assert_eq!(1, sec.total_failed_logons); assert_eq!(1, sec.total_failed_logons);
let ite = [1,2,3,4,5,6,7].iter(); let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i|{ ite.for_each(|i| {
sec.failed_logon( sec.failed_logon(
&event_another.system.event_id.to_string(), &event_another.system.event_id.to_string(),
&event_another.parse_event_data(), &event_another.parse_event_data(),
); );
let fail_cnt = i +1; let fail_cnt = i + 1;
assert_eq!(fail_cnt, sec.total_failed_logons); assert_eq!(fail_cnt, sec.total_failed_logons);
if fail_cnt > 5 { if fail_cnt > 5 {
let v = sec.disp_login_failed().unwrap(); let v = sec.disp_login_failed().unwrap();
@@ -874,8 +884,19 @@ mod tests {
#[test] #[test]
fn test_failed_logon_noteq_eventid() { fn test_failed_logon_noteq_eventid() {
let xml_str = get_failed_logon_xml(); let xml_str = get_failed_logon_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4625</EventID>",r"<EventID>4626</EventID>")).unwrap(); let event: event::Evtx = quick_xml::de::from_str(
let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4625</EventID>",r"<EventID>4626</EventID>").replace(r"<Data Name='TargetUserName'>Administrator</Data>", r"<Data Name='TargetUserName'>localuser</Data>")).unwrap(); &xml_str.replace(r"<EventID>4625</EventID>", r"<EventID>4626</EventID>"),
)
.unwrap();
let event_another: event::Evtx = quick_xml::de::from_str(
&xml_str
.replace(r"<EventID>4625</EventID>", r"<EventID>4626</EventID>")
.replace(
r"<Data Name='TargetUserName'>Administrator</Data>",
r"<Data Name='TargetUserName'>localuser</Data>",
),
)
.unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
sec.max_failed_logons = 5; sec.max_failed_logons = 5;
@@ -887,8 +908,8 @@ mod tests {
); );
assert_eq!(0, sec.total_failed_logons); assert_eq!(0, sec.total_failed_logons);
let ite = [1,2,3,4,5,6,7].iter(); let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i|{ ite.for_each(|_i| {
sec.failed_logon( sec.failed_logon(
&event_another.system.event_id.to_string(), &event_another.system.event_id.to_string(),
&event_another.parse_event_data(), &event_another.parse_event_data(),
@@ -940,7 +961,8 @@ mod tests {
<Data Name='IpAddress'>192.168.198.149</Data> <Data Name='IpAddress'>192.168.198.149</Data>
<Data Name='IpPort'>33083</Data> <Data Name='IpPort'>33083</Data>
</EventData> </EventData>
</Event>"#.to_string(); </Event>"#
.to_string();
} }
// Hitするパターンとしないパターンをまとめてテスト // Hitするパターンとしないパターンをまとめてテスト
@@ -952,7 +974,7 @@ mod tests {
let mut sec = security::Security::new(); let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6; sec.max_total_sensitive_privuse = 6;
let ite = [1,2,3,4,5,6,7].iter(); let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|i| { ite.for_each(|i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data());
// i == 7ときにHitしない // i == 7ときにHitしない
@@ -984,15 +1006,19 @@ mod tests {
// eventidが異なるので、Hitしないテスト // eventidが異なるので、Hitしないテスト
#[test] #[test]
fn test_sensitive_priviledge_noteq_eventid() { fn test_sensitive_priviledge_noteq_eventid() {
let xml_str = get_sensitive_prividedge_hit().replace(r"<EventID>4673</EventID>", r"<EventID>4674</EventID>"); let xml_str = get_sensitive_prividedge_hit()
.replace(r"<EventID>4673</EventID>", r"<EventID>4674</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
sec.max_total_sensitive_privuse = 6; sec.max_total_sensitive_privuse = 6;
let ite = [1,2,3,4,5,6,7].iter(); let ite = [1, 2, 3, 4, 5, 6, 7].iter();
ite.for_each(|_i| { ite.for_each(|_i| {
let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.sensitive_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg); assert_eq!(Option::None, msg);
}); });
} }
@@ -1037,16 +1063,31 @@ mod tests {
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_ne!(Option::None, msg); assert_ne!(Option::None, msg);
let v = msg.unwrap(); let v = msg.unwrap();
let mut ite = v.iter(); let mut ite = v.iter();
assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string())); assert_eq!(
&"Possible Hidden Service Attempt".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string())); assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string()));
assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string())); assert_eq!(
assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string())); &"User: Sec504".to_string(),
assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string())); ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"Target service: nginx".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"WRITE_DAC".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(Option::None, ite.next()); assert_eq!(Option::None, ite.next());
} }
@@ -1054,10 +1095,17 @@ mod tests {
#[test] #[test]
fn test_attempt_priviledge_noteq_accessmask() { fn test_attempt_priviledge_noteq_accessmask() {
let xml_str = get_attempt_priviledge_xml(); let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='AccessMask'>%%1539",r"<Data Name='AccessMask'>%%1538")).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='AccessMask'>%%1539",
r"<Data Name='AccessMask'>%%1538",
))
.unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg); assert_eq!(Option::None, msg);
} }
@@ -1066,10 +1114,17 @@ mod tests {
#[test] #[test]
fn test_attempt_priviledge_noteq_service() { fn test_attempt_priviledge_noteq_service() {
let xml_str = get_attempt_priviledge_xml(); let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<Data Name='ProcessName'>C:\Windows\System32\services.exe</Data>",r"<Data Name='ProcessName'>C:\Windows\System32\lsass.exe</Data>")).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(
r"<Data Name='ProcessName'>C:\Windows\System32\services.exe</Data>",
r"<Data Name='ProcessName'>C:\Windows\System32\lsass.exe</Data>",
))
.unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg); assert_eq!(Option::None, msg);
} }
@@ -1078,10 +1133,16 @@ mod tests {
#[test] #[test]
fn test_attempt_priviledge_noteq_eventid() { fn test_attempt_priviledge_noteq_eventid() {
let xml_str = get_attempt_priviledge_xml(); let xml_str = get_attempt_priviledge_xml();
let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"<EventID>4674</EventID>",r"<EventID>4675</EventID>")).unwrap(); let event: event::Evtx = quick_xml::de::from_str(
&xml_str.replace(r"<EventID>4674</EventID>", r"<EventID>4675</EventID>"),
)
.unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();
let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); let msg = sec.attempt_priviledge(
&event.system.event_id.to_string(),
&event.parse_event_data(),
);
assert_eq!(Option::None, msg); assert_eq!(Option::None, msg);
} }
@@ -1130,12 +1191,11 @@ mod tests {
sec.max_passspray_login = 6; sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6; sec.max_passspray_uniquser = 6;
test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
// counterがreset確認のため、2回実行 // counterがreset確認のため、2回実行
test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true);
} }
// eventid異なるので、Hitしないはず // eventid異なるので、Hitしないはず
#[test] #[test]
fn test_pass_spray_noteq_eventid() { fn test_pass_spray_noteq_eventid() {
@@ -1144,12 +1204,12 @@ mod tests {
sec.max_passspray_login = 6; sec.max_passspray_login = 6;
sec.max_passspray_uniquser = 6; sec.max_passspray_uniquser = 6;
test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
// counterがreset確認のため、2回実行 // counterがreset確認のため、2回実行
test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false);
} }
fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) { fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) {
[1,2,3,4,5,6,7].iter().for_each(|i| { [1,2,3,4,5,6,7].iter().for_each(|i| {
let rep_str = format!(r#"<Data Name='TargetUserName'>smisenar{}</Data>"#,i); let rep_str = format!(r#"<Data Name='TargetUserName'>smisenar{}</Data>"#,i);
let event_id_tag = format!("<EventID>{}</EventID>", event_id); let event_id_tag = format!("<EventID>{}</EventID>", event_id);
@@ -1224,16 +1284,26 @@ mod tests {
assert_ne!(Option::None, msg); assert_ne!(Option::None, msg);
let v = msg.unwrap(); let v = msg.unwrap();
let mut ite = v.iter(); let mut ite = v.iter();
assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string())); assert_eq!(
assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string())); &"Audit Log Clear".to_string(),
assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string())); ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"The Audit log was cleared".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(
&"Security ID: jwrig".to_string(),
ite.next().unwrap_or(&"".to_string())
);
assert_eq!(Option::None, ite.next()); assert_eq!(Option::None, ite.next());
} }
// eventid違うのでHitしないはず // eventid違うのでHitしないはず
#[test] #[test]
fn test_audit_log_cleared_noteq_eventid() { fn test_audit_log_cleared_noteq_eventid() {
let xml_str = get_audit_log_cleared_xml().replace(r"<EventID>1102</EventID>", r"<EventID>1103</EventID>"); let xml_str = get_audit_log_cleared_xml()
.replace(r"<EventID>1102</EventID>", r"<EventID>1103</EventID>");
let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap();
let mut sec = security::Security::new(); let mut sec = security::Security::new();

58
src/detections/utils.rs
View File

@@ -88,58 +88,36 @@ pub fn check_command(
fn check_obfu(string: &str) -> std::string::String { fn check_obfu(string: &str) -> std::string::String {
let mut obfutext = "".to_string(); let mut obfutext = "".to_string();
let lowercasestring = string.to_lowercase(); let lowercasestring = string.to_lowercase();
let length = lowercasestring.len(); let length = lowercasestring.len() as f64;
let mut minpercent = 0.65; let mut minpercent = 0.65;
let maxbinary = 0.50; let maxbinary = 0.50;
let mut re = Regex::new(r"[a-z0-9/¥;:|.]").unwrap(); let mut re = Regex::new(r"[a-z0-9/¥;:|.]").unwrap();
let mut noalphastring = ""; let noalphastring = re.replace_all(&lowercasestring, "");
if let Some(_caps) = re.captures(&lowercasestring) {
if let Some(_data) = _caps.get(0) {
noalphastring = _data.as_str();
}
}
re = Regex::new(r"[01]").unwrap(); re = Regex::new(r"[01]").unwrap();
let mut nobinarystring = ""; let nobinarystring = re.replace_all(&lowercasestring, "");
if let Some(_caps) = re.captures(&lowercasestring) {
if let Some(_data) = _caps.get(0) { if length > 0.0 {
nobinarystring = _data.as_str(); let mut percent = (length - noalphastring.len() as f64) / length;
} if ((length / 100.0) as f64) < minpercent {
minpercent = length / 100.0;
} }
if length > 0 { if percent < minpercent {
let mut percent = (length - noalphastring.len()) / length;
if ((length / 100) as f64) < minpercent {
minpercent = (length / 100) as f64;
}
if percent < minpercent as usize {
obfutext.push_str("Possible command obfuscation: only "); obfutext.push_str("Possible command obfuscation: only ");
let percent = (percent * 100.0) as usize;
re = Regex::new(r"\{0:P0}").unwrap(); obfutext.push_str(&percent.to_string());
let percent = &percent.to_string(); obfutext.push_str("% alphanumeric and common symbols\n");
if let Some(_caps) = re.captures(percent) {
if let Some(_data) = _caps.get(0) {
obfutext.push_str(_data.as_str());
}
} }
obfutext.push_str("alphanumeric and common symbols\n"); percent = ((nobinarystring.len().wrapping_sub(length as usize) as f64) / length) / length;
} let binarypercent = 1.0 - percent;
percent = (nobinarystring.len().wrapping_sub(length) / length) / length; if binarypercent > maxbinary {
let binarypercent = 1_usize.wrapping_sub(percent);
if binarypercent > maxbinary as usize {
obfutext.push_str("Possible command obfuscation: "); obfutext.push_str("Possible command obfuscation: ");
let binarypercent = (binarypercent * 100.0) as usize;
re = Regex::new(r"\{0:P0}").unwrap(); obfutext.push_str(&binarypercent.to_string());
let binarypercent = &binarypercent.to_string(); obfutext.push_str("% zeroes and ones (possible numeric or binary encoding)\n");
if let Some(_caps) = re.captures(binarypercent) {
if let Some(_data) = _caps.get(0) {
obfutext.push_str(_data.as_str());
}
}
obfutext.push_str("zeroes and ones (possible numeric or binary encoding)\n");
} }
} }
return obfutext; return obfutext;