From e2086ea0b8b8cf10ebafe89f01f522847f327cc3 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:09:02 +0900
Subject: [PATCH 01/22] add utils::check_command support
---
 src/detections/sysmon.rs | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 165e39db..a34e4462 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,8 @@
 use crate::models::event;
+use crate::detections::utils::check_command;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;
 pub struct Sysmon {
 checkunsigned: u64,
@@ -33,11 +36,17 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- //if let Some(_creater) = event_data.get("ParentImage") {
- // println!("_creater : {}", _image);
- //}
- self.check_command("1".to_string(), _command_line.to_string());
- println!("");
+ if let Some(_creater) = event_data.get("ParentImage") {
+ //println!("_creater : {}", _image);
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //self.check_command("1".to_string(), _command_line.to_string());
+ check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ }
+ println!("");
 }
 }
@@ -66,6 +75,7 @@ impl Sysmon {
 }
 }
+ /*
 fn check_command(&mut self, _event_id: String, _command_line: String) {
 let _result = "(TBD)";
 let _decoded = "(TBD)";
@@ -79,4 +89,5 @@ impl Sysmon {
 println!("Command : {}", _command_line);
 println!("Decoded : {}", _decoded);
 }
+ */
 }
From dd6f3c39a45a457b129b2fe6726bd8e15786f808 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:11:07 +0900
Subject: [PATCH 02/22] cleanup
---
 src/detections/sysmon.rs | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)
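Review bot: `File::open("whitelist.txt").expect("file not found")` inside the per-event `CommandLine` branch aborts the whole run if the file cannot be opened for any reason, and it re-reads and re-parses the whitelist for every matching event; `f.read_to_string(&mut contents);` also discards its `io::Result`, so a failed or short read silently behaves like an empty whitelist. Load and parse the whitelist once (in `Sysmon::new` or its caller) and propagate the error as a `Result` so the operator sees why suppression is not in effect; the path is relative to the process working directory, so whichever `whitelist.txt` happens to be in the cwd decides which command lines are suppressed — make the path explicit or document that. `let minlength = 100; // TBD` should state what the threshold measures rather than defer it. This hunk is re-applied verbatim in patches 05 and 09; the enclosing method starts before the hunk.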
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index a34e4462..81ffd25e 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -36,15 +36,15 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- //println!("_creater : {}", _image);
- let minlength = 100; // TBD
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
- //self.check_command("1".to_string(), _command_line.to_string());
 check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ } else {
+ check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
 println!("");
 }
@@ -74,20 +74,4 @@ impl Sysmon {
 }
 }
 }
-
- /*
- fn check_command(&mut self, _event_id: String, _command_line: String) {
- let _result = "(TBD)";
- let _decoded = "(TBD)";
-
- // TBD
-
- // Write-Output $obj
- println!("EventID : {}", _event_id);
- println!("Message : Suspicious Command Line");
- println!("Result : {}", _result);
- println!("Command : {}", _command_line);
- println!("Decoded : {}", _decoded);
- }
- */
 }
From e2f9e0bdc6ce3e457b2b9ed64312b01863ff6e51 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 00:38:05 +0900
Subject: [PATCH 03/22] fix
---
 src/detections/sysmon.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 81ffd25e..7ce01b93 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
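Review bot: The two `check_command(1, _command_line, minlength, 0, "", …, rdr)` calls differ only in the parent-image argument, so the `if let … else` duplicates the call for one lookup's default; if `check_command` takes `&str` for that argument (the `""` literal passed in the `else` branch suggests it does), `let _creater = event_data.get("ParentImage").map(String::as_str).unwrap_or("");` followed by a single call says the same thing once, which is roughly what patch 15 later does via an `empty_str` field. Hoisting the whitelist load above the branch also means the file is now opened and parsed for every event carrying a `CommandLine`, whether or not a parent image is present, and the discarded `read_to_string` result from patch 01 carries over unchanged. Patches 06 and 10 repeat this hunk; the enclosing method starts before it.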
@@ -36,7 +36,7 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- let minlength = 100; // TBD
+ let minlength = 1000;
 let mut f = File::open("whitelist.txt").expect("file not found");
 let mut contents = String::new();
 f.read_to_string(&mut contents);
@@ -46,7 +46,6 @@ impl Sysmon {
 } else {
 check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
- println!("");
 }
 }
@@ -69,7 +68,6 @@ impl Sysmon {
 if let Some(_command_line) = event_data.get("ImageLoaded") {
 println!("Command : {}", _command_line);
 }
- println!("");
 }
 }
 }
From c914078b87a0bb9d68323c39816e15561320af32 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 01:01:19 +0900
Subject: [PATCH 04/22] fix
---
 src/detections/sysmon.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7ce01b93..628bba17 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,5 @@
-use crate::models::event;
 use crate::detections::utils::check_command;
+use crate::models::event;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::prelude::*;
@@ -12,7 +12,7 @@ impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
 //checkunsigned: 0, // DeepBlueでは0固定
- checkunsigned: 1, // 開発用に1
+ checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
 }
 }
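Review bot: `let minlength = 1000;` replaces the `// TBD` marker with a bare magic number, and the reader still cannot tell what `check_command` measures against it or in which direction (a command line must be at least this long to be examined, or at most). Give it a module-level name whose comment states unit and direction and whose type matches `check_command`'s parameter, e.g. `const MIN_CMDLINE_LEN: usize = 1000; // command lines at least this long are examined (confirm against utils::check_command)`, and pass that instead of the literal. The same change is re-applied in patches 07 and 11, and patch 21 later inlines the literal `1000` into the call itself, which makes the naming more urgent, not less. The enclosing method starts before the hunk.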
@@ -37,14 +37,16 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //let mut f = File::open("whitelist.txt").expect("file not found");
+ //let mut contents = String::new();
+ //f.read_to_string(&mut contents);
+ //let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 } else {
- check_command(1, _command_line, minlength, 0, "", "", rdr);
+ //check_command(1, _command_line, minlength, 0, "", "", rdr);
+ check_command(1, _command_line, minlength, 0, "", "");
 }
 }
 }
From 714e4b0038fe5e3f82daafa97c7e798356ea2eb4 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:09:02 +0900
Subject: [PATCH 05/22] add utils::check_command support
---
 src/detections/sysmon.rs | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 165e39db..a34e4462 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,8 @@
 use crate::models::event;
+use crate::detections::utils::check_command;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;
 pub struct Sysmon {
 checkunsigned: u64,
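Review bot: The whitelist loading and the `rdr`-taking `check_command` calls are commented out rather than deleted, leaving six lines of dead code interleaved with the live calls, and `use std::fs::File;` / `use std::io::prelude::*;` at the top of the file are now unused imports that rustc will warn about. Delete the lines outright — git history keeps them — and drop the two imports in the same commit (patches 13 and 14 eventually do both, in two further steps). If whitelist support is meant to return once `utils::check_command` accepts it, a single `// TODO: whitelist support pending utils::check_command API` is enough to record that. The same hunk recurs in patches 08 and 12; the enclosing method starts before the hunk.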
@@ -33,11 +36,17 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- //if let Some(_creater) = event_data.get("ParentImage") {
- // println!("_creater : {}", _image);
- //}
- self.check_command("1".to_string(), _command_line.to_string());
- println!("");
+ if let Some(_creater) = event_data.get("ParentImage") {
+ //println!("_creater : {}", _image);
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //self.check_command("1".to_string(), _command_line.to_string());
+ check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ }
+ println!("");
 }
 }
@@ -66,6 +75,7 @@ impl Sysmon {
 }
 }
+ /*
 fn check_command(&mut self, _event_id: String, _command_line: String) {
 let _result = "(TBD)";
 let _decoded = "(TBD)";
@@ -79,4 +89,5 @@ impl Sysmon {
 println!("Command : {}", _command_line);
 println!("Decoded : {}", _decoded);
 }
+ */
 }
From f5edf867e243129514cf267c0c43f28ddcf8db1c Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:11:07 +0900
Subject: [PATCH 06/22] cleanup
---
 src/detections/sysmon.rs | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index a34e4462..81ffd25e 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -36,15 +36,15 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- //println!("_creater : {}", _image);
- let minlength = 100; // TBD
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
- //self.check_command("1".to_string(), _command_line.to_string());
 check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ } else {
+ check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
 println!("");
 }
@@ -74,20 +74,4 @@ impl Sysmon {
 }
 }
 }
-
- /*
- fn check_command(&mut self, _event_id: String, _command_line: String) {
- let _result = "(TBD)";
- let _decoded = "(TBD)";
-
- // TBD
-
- // Write-Output $obj
- println!("EventID : {}", _event_id);
- println!("Message : Suspicious Command Line");
- println!("Result : {}", _result);
- println!("Command : {}", _command_line);
- println!("Decoded : {}", _decoded);
- }
- */
 }
From 50ebf31b10ab5cc89fb40c4ab8684baf1e7385c6 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 00:38:05 +0900
Subject: [PATCH 07/22] fix
---
 src/detections/sysmon.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 81ffd25e..7ce01b93 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -36,7 +36,7 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- let minlength = 100; // TBD
+ let minlength = 1000;
 let mut f = File::open("whitelist.txt").expect("file not found");
 let mut contents = String::new();
 f.read_to_string(&mut contents);
@@ -46,7 +46,6 @@ impl Sysmon {
 } else {
 check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
- println!("");
 }
 }
@@ -69,7 +68,6 @@ impl Sysmon {
 if let Some(_command_line) = event_data.get("ImageLoaded") {
 println!("Command : {}", _command_line);
 }
- println!("");
 }
 }
 }
From 5c938693bf4c937dcb0cff1211d0c64ae25f9a84 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 01:01:19 +0900
Subject: [PATCH 08/22] fix
---
 src/detections/sysmon.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7ce01b93..628bba17 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,5 @@
-use crate::models::event;
 use crate::detections::utils::check_command;
+use crate::models::event;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::prelude::*;
@@ -12,7 +12,7 @@ impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
 //checkunsigned: 0, // DeepBlueでは0固定
- checkunsigned: 1, // 開発用に1
+ checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
 }
 }
@@ -37,14 +37,16 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //let mut f = File::open("whitelist.txt").expect("file not found");
+ //let mut contents = String::new();
+ //f.read_to_string(&mut contents);
+ //let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 } else {
- check_command(1, _command_line, minlength, 0, "", "", rdr);
+ //check_command(1, _command_line, minlength, 0, "", "", rdr);
+ check_command(1, _command_line, minlength, 0, "", "");
 }
 }
 }
From 88b699800719170feec5534193c592d428a614c4 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:09:02 +0900
Subject: [PATCH 09/22] add utils::check_command support
---
 src/detections/sysmon.rs | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 165e39db..a34e4462 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,8 @@
 use crate::models::event;
+use crate::detections::utils::check_command;
 use std::collections::HashMap;
+use std::fs::File;
+use std::io::prelude::*;
 pub struct Sysmon {
 checkunsigned: u64,
@@ -33,11 +36,17 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- //if let Some(_creater) = event_data.get("ParentImage") {
- // println!("_creater : {}", _image);
- //}
- self.check_command("1".to_string(), _command_line.to_string());
- println!("");
+ if let Some(_creater) = event_data.get("ParentImage") {
+ //println!("_creater : {}", _image);
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //self.check_command("1".to_string(), _command_line.to_string());
+ check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ }
+ println!("");
 }
 }
@@ -66,6 +75,7 @@ impl Sysmon {
 }
 }
+ /*
 fn check_command(&mut self, _event_id: String, _command_line: String) {
 let _result = "(TBD)";
 let _decoded = "(TBD)";
@@ -79,4 +89,5 @@ impl Sysmon {
 println!("Command : {}", _command_line);
 println!("Decoded : {}", _decoded);
 }
+ */
 }
From 942a7fad3a07c1e6a92ca3ef2dcf568b5362819c Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 02:11:07 +0900
Subject: [PATCH 10/22] cleanup
---
 src/detections/sysmon.rs | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index a34e4462..81ffd25e 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -36,15 +36,15 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
+ let minlength = 100; // TBD
+ let mut f = File::open("whitelist.txt").expect("file not found");
+ let mut contents = String::new();
+ f.read_to_string(&mut contents);
+ let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- //println!("_creater : {}", _image);
- let minlength = 100; // TBD
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
- //self.check_command("1".to_string(), _command_line.to_string());
 check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ } else {
+ check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
 println!("");
 }
@@ -74,20 +74,4 @@ impl Sysmon {
 }
 }
 }
-
- /*
- fn check_command(&mut self, _event_id: String, _command_line: String) {
- let _result = "(TBD)";
- let _decoded = "(TBD)";
-
- // TBD
-
- // Write-Output $obj
- println!("EventID : {}", _event_id);
- println!("Message : Suspicious Command Line");
- println!("Result : {}", _result);
- println!("Command : {}", _command_line);
- println!("Decoded : {}", _decoded);
- }
- */
 }
From bc031202ef55fd7d55cf0abb402aa34227ed43fc Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 00:38:05 +0900
Subject: [PATCH 11/22] fix
---
 src/detections/sysmon.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 81ffd25e..7ce01b93 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -36,7 +36,7 @@ impl Sysmon {
 println!("Date : {} (UTC)", _date);
 }
 println!("Log : Sysmon");
- let minlength = 100; // TBD
+ let minlength = 1000;
 let mut f = File::open("whitelist.txt").expect("file not found");
 let mut contents = String::new();
 f.read_to_string(&mut contents);
@@ -46,7 +46,6 @@ impl Sysmon {
 } else {
 check_command(1, _command_line, minlength, 0, "", "", rdr);
 }
- println!("");
 }
 }
@@ -69,7 +68,6 @@ impl Sysmon {
 if let Some(_command_line) = event_data.get("ImageLoaded") {
 println!("Command : {}", _command_line);
 }
- println!("");
 }
 }
 }
From bd483ee6b69c01d117f3dc4f2b7b7b694b114631 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 01:01:19 +0900
Subject: [PATCH 12/22] fix
---
 src/detections/sysmon.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7ce01b93..628bba17 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,5 +1,5 @@
-use crate::models::event;
 use crate::detections::utils::check_command;
+use crate::models::event;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::prelude::*;
@@ -12,7 +12,7 @@ impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
 //checkunsigned: 0, // DeepBlueでは0固定
- checkunsigned: 1, // 開発用に1
+ checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
 }
 }
@@ -37,14 +37,16 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- let mut f = File::open("whitelist.txt").expect("file not found");
- let mut contents = String::new();
- f.read_to_string(&mut contents);
- let rdr = csv::Reader::from_reader(contents.as_bytes());
+ //let mut f = File::open("whitelist.txt").expect("file not found");
+ //let mut contents = String::new();
+ //f.read_to_string(&mut contents);
+ //let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 } else {
- check_command(1, _command_line, minlength, 0, "", "", rdr);
+ //check_command(1, _command_line, minlength, 0, "", "", rdr);
+ check_command(1, _command_line, minlength, 0, "", "");
 }
 }
 }
From ee908aca73b74c59bb679786996b9c8cf0a8eec1 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 01:08:49 +0900
Subject: [PATCH 13/22] fix
---
 src/detections/sysmon.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 628bba17..59712ed3 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,8 +1,8 @@
 use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;
-use std::fs::File;
-use std::io::prelude::*;
+//use std::fs::File;
+//use std::io::prelude::*;
 pub struct Sysmon {
 checkunsigned: u64,
From 4725e95048f4252528c44c2b7f229142aabc938a Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 02:19:39 +0900
Subject: [PATCH 14/22] remove rdr
---
 src/detections/sysmon.rs | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 59712ed3..a523057f 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,8 +1,6 @@
 use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;
-//use std::fs::File;
-//use std::io::prelude::*;
 pub struct Sysmon {
 checkunsigned: u64,
@@ -37,15 +35,9 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- //let mut f = File::open("whitelist.txt").expect("file not found");
- //let mut contents = String::new();
- //f.read_to_string(&mut contents);
- //let rdr = csv::Reader::from_reader(contents.as_bytes());
 if let Some(_creater) = event_data.get("ParentImage") {
- //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
 check_command(1, _command_line, minlength, 0, "", _creater);
 } else {
- //check_command(1, _command_line, minlength, 0, "", "", rdr);
 check_command(1, _command_line, minlength, 0, "", "");
 }
 }
From 7f23656437bbcabd352709b0fd1af3b2b0ae1978 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 02:45:37 +0900
Subject: [PATCH 15/22] brushup / add test skelton
---
 src/detections/sysmon.rs | 49 +++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index a523057f..aabc069c 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -3,12 +3,14 @@ use crate::models::event;
 use std::collections::HashMap;
 pub struct Sysmon {
+ empty_str: String,
 checkunsigned: u64,
 }
 impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
+ empty_str: String::default(),
 //checkunsigned: 0, // DeepBlueでは0固定
 checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
 }
@@ -17,7 +19,7 @@ impl Sysmon {
 pub fn detection(
 &mut self,
 event_id: String,
- system: &event::System,
+ _system: &event::System,
 event_data: HashMap,
 ) {
 if event_id == "1" {
@@ -35,11 +37,8 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- if let Some(_creater) = event_data.get("ParentImage") {
- check_command(1, _command_line, minlength, 0, "", _creater);
- } else {
- check_command(1, _command_line, minlength, 0, "", "");
- }
+ let _creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 }
 }
@@ -48,22 +47,30 @@ impl Sysmon {
 // This can be very chatty, so it's disabled.
 // Set $checkunsigned to 1 (global variable section) to enable:
 if self.checkunsigned == 1 {
- if let Some(_signed) = event_data.get("Signed") {
- if _signed == "false" {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- println!("EventID : 7");
- println!("Message : Unsigned Image (DLL)");
- if let Some(_image) = event_data.get("Image") {
- println!("Result : Loaded by: {}", _image);
- }
- if let Some(_command_line) = event_data.get("ImageLoaded") {
- println!("Command : {}", _command_line);
- }
- }
+ let _signed = event_data.get("Signed").unwrap_or(&self.empty_str);
+ if _signed == "false" {
+ let _date = event_data.get("UtcTime").unwrap_or(&self.empty_str);
+ println!("Date : {} (UTC)", _date);
+ println!("Log : Sysmon");
+ println!("EventID : 7");
+ println!("Message : Unsigned Image (DLL)");
+ let _image = event_data.get("Image").unwrap_or(&self.empty_str);
+ println!("Result : Loaded by: {}", _image);
+ let _command_line = event_data.get("ImageLoaded").unwrap_or(&self.empty_str);
+ println!("Command : {}", _command_line);
 }
 }
 }
 }
+
+#[cfg(test)]
+mod tests {
+ extern crate quick_xml;
+ use crate::detections::sysmon;
+ use crate::models::event;
+
+ #[test]
+ fn test_skelton_hit() {
+ assert_eq!(1,1);
+ }
+}
From 816189b29defafa14e234a0a419bf650d0d0096c Mon Sep 17 00:00:00 2001
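Review bot: `empty_str: String` is a struct field that exists only to give `unwrap_or` a `&String` to hand back, which ties the struct's layout to a borrow-checker workaround and forces every lookup through `self`. If `check_command` accepts `&str` for the parent-image argument (the `""` literal passed in the removed `else` branch suggests it does), `let _creater = event_data.get("ParentImage").map(String::as_str).unwrap_or("");` needs no field and no allocation. Patch 18 re-applies this hunk unchanged, and patch 21 then replaces the field with a per-call `"".to_string()`, which allocates on every event; the `map(String::as_str)` form avoids both. The enclosing method starts before the hunk.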
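Review bot: The rewrite changes the printed finding when a field is absent: the old `if let` skipped the `Date` line entirely, while `unwrap_or(&self.empty_str)` now prints `Date :  (UTC)` with an empty value, and likewise `Result : Loaded by: ` and `Command : `; if an empty field is meant to be visible to the analyst, say so in a comment on the first `unwrap_or`, otherwise keep the `if let` for the output lines. The new `mod tests` asserts nothing about the detector (`assert_eq!(1,1)`), and its `use crate::detections::sysmon;` and `use crate::models::event;` are unused imports that will warn under `cargo test`; either build a `HashMap` with `Signed` set to `"false"` plus `Image`/`ImageLoaded` and call `check_for_unsigned_files`, or leave the imports out until a real test needs them. Patch 18 re-applies this same hunk; the enclosing method starts before it.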
From: siamease
Date: Sun, 25 Oct 2020 02:49:39 +0900
Subject: [PATCH 16/22] change function style
---
 src/detections/sysmon.rs | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index aabc069c..f25807b6 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -22,14 +22,15 @@ impl Sysmon {
 _system: &event::System,
 event_data: HashMap,
 ) {
- if event_id == "1" {
- &self.check_command_lines(event_data);
- } else if event_id == "7" {
- &self.check_for_unsigned_files(event_data);
- }
+ &self.check_command_lines(&event_id,&event_data);
+ &self.check_for_unsigned_files(&event_id,&event_data);
 }
- fn check_command_lines(&mut self, event_data: HashMap) {
+ fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap) {
+ if event_id != "4" {
+ return;
+ }
+
 // Check command lines
 if let Some(_command_line) = event_data.get("CommandLine") {
 if let Some(_date) = event_data.get("UtcTime") {
@@ -42,7 +43,11 @@ impl Sysmon {
 }
 }
- fn check_for_unsigned_files(&mut self, event_data: HashMap) {
+ fn check_for_unsigned_files(&mut self, event_id: &String, event_data: &HashMap) {
+ if event_id != "7" {
+ return;
+ }
+
 // Check for unsigned EXEs/DLLs:
 // This can be very chatty, so it's disabled.
 // Set $checkunsigned to 1 (global variable section) to enable:
From b83fc1c5f5e523c00bcf2a4480d31ff02202ce25 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 02:56:19 +0900
Subject: [PATCH 17/22] fix
---
 src/detections/sysmon.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index f25807b6..31d0ea7a 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
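Review bot: `if event_id != "4" { return; }` in `check_command_lines` gates the command-line check on the wrong Sysmon event: the dispatch it replaces used `"1"` (process creation) and the body still passes `1` to `check_command`, so with `"4"` the check can never fire for the events it is written for — patch 19 in this series corrects the literal to `"1"`. Keeping the id in one place, e.g. `const EVENT_PROCESS_CREATE: &str = "1";` used in the guard and mirrored in the `check_command` call, would have made the drift impossible, and the same applies to `"7"` in `check_for_unsigned_files` in the next hunk. `&self.check_command_lines(&event_id,&event_data);` borrows the unit result and discards it — drop the leading `&` (patch 21 does), and `event_id: &String` should be `&str` so callers are not forced to hold an owned `String`. The enclosing `detection` starts before the hunk.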
@@ -22,8 +22,8 @@ impl Sysmon {
 _system: &event::System,
 event_data: HashMap,
 ) {
- &self.check_command_lines(&event_id,&event_data);
- &self.check_for_unsigned_files(&event_id,&event_data);
+ &self.check_command_lines(&event_id, &event_data);
+ &self.check_for_unsigned_files(&event_id, &event_data);
 }
 fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap) {
@@ -43,7 +43,11 @@ impl Sysmon {
 }
 }
- fn check_for_unsigned_files(&mut self, event_id: &String, event_data: &HashMap) {
+ fn check_for_unsigned_files(
+ &mut self,
+ event_id: &String,
+ event_data: &HashMap,
+ ) {
 if event_id != "7" {
 return;
 }
@@ -76,6 +80,6 @@ mod tests {
 #[test]
 fn test_skelton_hit() {
- assert_eq!(1,1);
+ assert_eq!(1, 1);
 }
 }
From 551963abf0c62848c940e35d060ae0beb5e7fd1e Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 03:11:54 +0900
Subject: [PATCH 18/22] fix
---
 src/detections/sysmon.rs | 53 +++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 28 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7c450161..31d0ea7a 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,8 +1,6 @@
 use crate::detections::utils::check_command;
 use crate::models::event;
 use std::collections::HashMap;
-use std::fs::File;
-use std::io::prelude::*;
 pub struct Sysmon {
 empty_str: String,
@@ -40,17 +38,8 @@ impl Sysmon {
 }
 println!("Log : Sysmon");
 let minlength = 1000;
- //let mut f = File::open("whitelist.txt").expect("file not found");
- //let mut contents = String::new();
- //f.read_to_string(&mut contents);
- //let rdr = csv::Reader::from_reader(contents.as_bytes());
- if let Some(_creater) = event_data.get("ParentImage") {
- //check_command(1, _command_line, minlength, 0, "", _creater, rdr);
- check_command(1, _command_line, minlength, 0, "", _creater);
- } else {
- //check_command(1, _command_line, minlength, 0, "", "", rdr);
- check_command(1, _command_line, minlength, 0, "", "");
- }
+ let _creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);
+ check_command(1, _command_line, minlength, 0, "", _creater);
 }
 }
@@ -67,22 +56,30 @@ impl Sysmon {
 // This can be very chatty, so it's disabled.
 // Set $checkunsigned to 1 (global variable section) to enable:
 if self.checkunsigned == 1 {
- if let Some(_signed) = event_data.get("Signed") {
- if _signed == "false" {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- println!("EventID : 7");
- println!("Message : Unsigned Image (DLL)");
- if let Some(_image) = event_data.get("Image") {
- println!("Result : Loaded by: {}", _image);
- }
- if let Some(_command_line) = event_data.get("ImageLoaded") {
- println!("Command : {}", _command_line);
- }
- }
+ let _signed = event_data.get("Signed").unwrap_or(&self.empty_str);
+ if _signed == "false" {
+ let _date = event_data.get("UtcTime").unwrap_or(&self.empty_str);
+ println!("Date : {} (UTC)", _date);
+ println!("Log : Sysmon");
+ println!("EventID : 7");
+ println!("Message : Unsigned Image (DLL)");
+ let _image = event_data.get("Image").unwrap_or(&self.empty_str);
+ println!("Result : Loaded by: {}", _image);
+ let _command_line = event_data.get("ImageLoaded").unwrap_or(&self.empty_str);
+ println!("Command : {}", _command_line);
 }
 }
 }
 }
+
+#[cfg(test)]
+mod tests {
+ extern crate quick_xml;
+ use crate::detections::sysmon;
+ use crate::models::event;
+
+ #[test]
+ fn test_skelton_hit() {
+ assert_eq!(1, 1);
+ }
+}
From dd5083ffc0791663e4f1837e949ed2ec684c6604 Mon Sep 17 00:00:00 2001
From: siamease
Date: Sun, 25 Oct 2020 03:15:48 +0900
Subject: [PATCH 19/22] fix no
---
 src/detections/sysmon.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 31d0ea7a..f0f81c72 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -27,7 +27,7 @@ impl Sysmon {
 }
 fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap) {
- if event_id != "4" {
+ if event_id != "1" {
 return;
 }
From 355d43e24a37aa94cfe3b75324d44eb42f58ae5e Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Sat, 31 Oct 2020 22:02:18 +0900
Subject: [PATCH 20/22] fix channel for applocker
---
 src/detections/detection.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index fbb6e111..e33be7a3 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -50,7 +50,7 @@ impl Detection {
 &application.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-PowerShell/Operational" {
 &powershell.detection(event_id, &event.system, event_data);
- } else if channel == "Microsoft-Windows-Sysmon/Operational" {
+ } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
 &sysmon.detection(event_id, &event.system, event_data);
 } else {
 //&other.detection();
From ea56104c0ff830f121dd4a42fe839778a0b555ef Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Sat, 31 Oct 2020 22:07:02 +0900
Subject: [PATCH 21/22] refactor
---
 src/detections/sysmon.rs | 54 +++++++++++----------------------------
 1 file changed, 14 insertions(+), 40 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index f0f81c72..37f01874 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -3,17 +3,12 @@ use crate::models::event;
 use std::collections::HashMap;
 pub struct Sysmon {
- empty_str: String,
- checkunsigned: u64,
+ checkunsigned: u16,
 }
 impl Sysmon {
 pub fn new() -> Sysmon {
- Sysmon {
- empty_str: String::default(),
- //checkunsigned: 0, // DeepBlueでは0固定
- checkunsigned: 1, // 開発用に1 (configから設定可能になる予定)
- }
+ Sysmon { checkunsigned: 0 }
 }
 pub fn detection(
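Review bot: Replacing the `"Microsoft-Windows-Sysmon/Operational"` comparison with `"Microsoft-Windows-AppLocker/EXE and DLL"` routes AppLocker events into `sysmon.detection` and leaves Sysmon events with no handler at all — they fall through to the `else` branch, where `//&other.detection();` is commented out — so the Sysmon command-line and unsigned-image checks become unreachable. `Sysmon::check_command_lines` and `check_for_unsigned_files` gate on event ids `"1"` and `"7"` and read `CommandLine`/`Signed`, which AppLocker's EXE-and-DLL channel is unlikely to carry, so the new branch would most likely never produce a finding either. AppLocker needs its own branch and detector rather than reuse of the Sysmon one; patch 22 in this series restores the Sysmon branch and adds a separate `applocker.detection` branch. The enclosing function starts and ends outside the hunk.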
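Review bot: `checkunsigned: u16` initialised to `0` and tested with `== 1` elsewhere in the file is a boolean in disguise; `checkunsigned: bool` set to `false` makes the guard read `if self.checkunsigned {` and rules out the values 2..65535 that mean nothing. The removed comments were the only record of why the default is off (fixed at 0 in DeepBlue, the tool this is ported from) and that it is meant to become configurable; keep that, in English, on the field: `// Unsigned-image check (Sysmon event 7); off by default as in DeepBlue because it is very chatty. To be made configurable.` `Sysmon::new` ends inside the hunk; `detection` starts at its last line and continues beyond it.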
@@ -22,8 +17,8 @@ impl Sysmon {
 _system: &event::System,
 event_data: HashMap,
 ) {
- &self.check_command_lines(&event_id, &event_data);
- &self.check_for_unsigned_files(&event_id, &event_data);
+ self.check_command_lines(&event_id, &event_data);
+ self.check_for_unsigned_files(&event_id, &event_data);
 }
 fn check_command_lines(&mut self, event_id: &String, event_data: &HashMap) {
@@ -31,15 +26,11 @@ impl Sysmon {
 return;
 }
- // Check command lines
 if let Some(_command_line) = event_data.get("CommandLine") {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- let minlength = 1000;
- let _creater = event_data.get("ParentImage").unwrap_or(&self.empty_str);
- check_command(1, _command_line, minlength, 0, "", _creater);
+ let default = "".to_string();
+ let _creater = event_data.get("ParentImage").unwrap_or(&default);
+
+ check_command(1, _command_line, 1000, 0, "", _creater);
 }
 }
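Review bot: `let default = "".to_string();` allocates a fresh `String` on every event that carries a `CommandLine`, only to borrow it as a fallback; `event_data.get("ParentImage").map(String::as_str).unwrap_or("")` does the same without the allocation, assuming `check_command` takes `&str` there (the `""` literal already passed as the fifth argument suggests the signature allows it). The hunk also drops the `Date : … (UTC)` and `Log : Sysmon` lines that every command-line finding printed, and inlines `1000` where `minlength` at least named it; if `check_command` now prints the timestamp itself that is fine but belongs in the commit message, otherwise a finding without its event time is hard to triage, and the threshold still deserves a named `const`. The same `default` pattern repeats in the next hunk. `check_command_lines` starts before this hunk.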
@@ -52,34 +43,17 @@ impl Sysmon {
 return;
 }
- // Check for unsigned EXEs/DLLs:
- // This can be very chatty, so it's disabled.
- // Set $checkunsigned to 1 (global variable section) to enable:
 if self.checkunsigned == 1 {
- let _signed = event_data.get("Signed").unwrap_or(&self.empty_str);
+ let default = "".to_string();
+ let _signed = event_data.get("Signed").unwrap_or(&default);
 if _signed == "false" {
- let _date = event_data.get("UtcTime").unwrap_or(&self.empty_str);
- println!("Date : {} (UTC)", _date);
- println!("Log : Sysmon");
- println!("EventID : 7");
+ let _image = event_data.get("Image").unwrap_or(&default);
+ let _command_line = event_data.get("ImageLoaded").unwrap_or(&default);
+
 println!("Message : Unsigned Image (DLL)");
- let _image = event_data.get("Image").unwrap_or(&self.empty_str);
 println!("Result : Loaded by: {}", _image);
- let _command_line = event_data.get("ImageLoaded").unwrap_or(&self.empty_str);
 println!("Command : {}", _command_line);
 }
- }
- }
-}
-
-#[cfg(test)]
-mod tests {
- extern crate quick_xml;
- use crate::detections::sysmon;
- use crate::models::event;
-
- #[test]
- fn test_skelton_hit() {
- assert_eq!(1, 1);
+ };
 }
 }
From bebb77735341e7143b42455f0f9ec1621842aa8c Mon Sep 17 00:00:00 2001
From: kazuminn
Date: Sun, 1 Nov 2020 16:14:14 +0900
Subject: [PATCH 22/22] =?UTF-8?q?=E6=8C=87=E6=91=98=E3=81=95=E3=82=8C?= =?UTF-8?q?=E3=81=9F=E3=81=A8=E3=81=93=E3=82=8D=E3=82=92=E7=9B=B4=E3=81=97?= =?UTF-8?q?=E3=81=9F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/detections/detection.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index d19722d3..0c3ce7cc 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
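Review bot: `+ };` closes the `if self.checkunsigned == 1 {` block with a stray semicolon; it compiles, but rustc's `redundant_semicolons` lint warns about it and rustfmt will strip it, so drop it now. The unsigned-image finding loses its `Date`, `Log` and `EventID : 7` lines while `Message`/`Result`/`Command` stay, so this finding is now printed with no timestamp and no event id, unlike the command-line finding that goes through `check_command`; the three removed comment lines were also the only explanation of why the check is disabled by default and should survive in some form. The hunk deletes the whole `mod tests` rather than replacing the placeholder with a real one; a test that builds a `HashMap` with `Signed` set to `"false"` and `Image`/`ImageLoaded` populated, enables `checkunsigned`, and calls `check_for_unsigned_files` would exercise the only branch that does anything here. `check_for_unsigned_files` starts before the hunk.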
@@ -51,9 +51,9 @@ impl Detection {
 &application.detection(event_id, &event.system, event_data);
 } else if channel == "Microsoft-Windows-PowerShell/Operational" {
 &powershell.detection(event_id, &event.system, event_data);
- } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
+ } else if channel == "Microsoft-Windows-Sysmon/Operational" {
 &sysmon.detection(event_id, &event.system, event_data);
- } else if channel == "Microsoft-Windows-Applocker/Operational" {
+ } else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
 &applocker.detection(event_id, &event.system, event_data);
 } else {
 //&other.detection();
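Review bot: The channel names are compared as inline string literals in a growing `else if` chain, and the line being removed here, `"Microsoft-Windows-Applocker/Operational"`, differs from the one being added in both casing and log name — exactly the drift that a single set of named constants (e.g. `const CHANNEL_SYSMON: &str = "Microsoft-Windows-Sysmon/Operational";`) next to the detectors would have surfaced at the one place the name is written. A `match channel.as_str() { CHANNEL_SYSMON => …, … }` over those constants would also make a missing channel visible instead of silently falling into the `else` whose body is commented out. The enclosing function starts and ends outside the hunk.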