Merge pull request #342 from Yamato-Security/fix/-s_option_except_timeline#341

Fix/ s option except timeline#341
2021-12-23 12:35:02 +09:00
parent 88b7593ea9 b85ccd5af3
commit acaae4b328
3 changed files with 27 additions and 6 deletions
--- a/config/timeline_event_info.txt
+++ b/config/timeline_event_info.txt
@@ -1,8 +1,11 @@
 eventid,event_title,detect_flg,comment
+1,Sysmon process creation,Yes,
+59,Bits Job Creation,Yes,
 1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
 1101,Audit Events Have Been Dropped By The Transport,,
 1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
 1107,Event processing error,,
+4103,Powershell execution pipeline,Yes,
 4608,Windows started up,,
 4610,An authentication package has been loaded by the Local Security Authority,,
 4611,A trusted logon process has been registered with the Local Security Authority,,
@@ -19,6 +22,8 @@ eventid,event_title,detect_flg,comment
 4696,Primary token assigned to process,,
 4692,Backup of data protection master key was attempted,,
 4697,Service installed,,
+4768,Kerberos TGT request,Yes,
+4769,Kerberos service ticket request,Yes,
 4717,System security access was granted to an account,,
 4719,System audit policy was changed,,
 4720,User account created,Yes,
@@ -34,7 +39,7 @@ eventid,event_title,detect_flg,comment
 4727,Security global group was changed,,
 4738,User accounts properties changed,,
 4739,Domain policy changed,,
-4776,NTLM logon to local user,,
+4776,NTLM logon to local user,Yes,
 4778,RDP session reconnected or user switched back through Fast User Switching,,
 4779,RDP session disconnected or user switched away through Fast User Switching,,
 4797,Attempt to query the account for a blank password,,
@@ -61,13 +66,15 @@ eventid,event_title,detect_flg,comment
 5058,Key file operation,,
 5059,Key migration operation,,
 5061,Cryptographic operation,,
-5140,Network share object was accessed,,
+5140,Network share access,Yes,
 5142,A network share object was added,,
 5144,A network share object was deleted,,
+5145,Network shared file access,Yes,
 5379,Credential Manager credentials were read,,
 5381,Vault credentials were read,,
 5382,Vault credentials were read,,
 5478,IPsec Services started,,
 5889,An object was deleted to the COM+ Catalog,,
 5890,An object was added to the COM+ Catalog,,
+8001,Wireless access point connect,Yes,
 unregistered_event_id,Unknown,,
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -47,6 +47,11 @@ lazy_static! {
        .args
        .is_present("quiet-errors");
    pub static ref ERROR_LOG_STACK: Mutex<Vec<String>> = Mutex::new(Vec::new());
+    pub static ref STATISTICS_FLAG: bool = configs::CONFIG
+        .read()
+        .unwrap()
+        .args
+        .is_present("statistics");
 }

 impl Message {
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,6 +9,7 @@ use hayabusa::detections::print::AlertMessage;
 use hayabusa::detections::print::ERROR_LOG_PATH;
 use hayabusa::detections::print::ERROR_LOG_STACK;
 use hayabusa::detections::print::QUIET_ERRORS_FLAG;
+use hayabusa::detections::print::STATISTICS_FLAG;
 use hayabusa::detections::rule::{get_detection_keys, RuleNode};
 use hayabusa::filter;
 use hayabusa::omikuji::Omikuji;
@@ -84,6 +85,9 @@ impl App {
                return;
            }
        }
+        if *STATISTICS_FLAG {
+            println!("Generating Event ID Statistics");
+        }
        if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") {
            if !filepath.ends_with(".evtx") {
                AlertMessage::alert(
@@ -116,6 +120,7 @@ impl App {
        }
        let analysis_end_time: DateTime<Local> = Local::now();
        let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time);
+        println!("");
        println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx());
        println!("");

@@ -205,7 +210,9 @@ impl App {
            pb.inc();
        }
        detection.add_aggcondition_msges(&self.rt);
-        after_fact();
+        if !*STATISTICS_FLAG {
+            after_fact();
+        }
    }

    // Windowsイベントログファイルを1ファイル分解析する。
@@ -273,11 +280,13 @@ impl App {
                self.rule_keys.clone(),
            ));

-            // // timeline機能の実行
+            // timeline機能の実行
            tl.start(&records_per_detect);

-            // // ruleファイルの検知
-            detection = detection.start(&self.rt, records_per_detect);
+            if !*STATISTICS_FLAG {
+                // ruleファイルの検知
+                detection = detection.start(&self.rt, records_per_detect);
+            }
        }

        tl.tm_stats_dsp_msg();