diff --git a/config/timeline_event_info.txt b/config/timeline_event_info.txt
index d1e1e642..74fe361c 100644
--- a/config/timeline_event_info.txt
+++ b/config/timeline_event_info.txt
@@ -1,8 +1,11 @@
 eventid,event_title,detect_flg,comment
+1,Sysmon process creation,Yes,
+59,Bits Job Creation,Yes,
 1100,Event logging service was shut down,,Good for finding signs of anti-forensics but most likely false positives when the system shuts down.
 1101,Audit Events Have Been Dropped By The Transport,,
 1102,Event log was cleared,Yes,Should not happen normally so this is a good event to look out for.
 1107,Event processing error,,
+4103,Powershell execution pipeline,Yes,
 4608,Windows started up,,
 4610,An authentication package has been loaded by the Local Security Authority,,
 4611,A trusted logon process has been registered with the Local Security Authority,,
@@ -19,6 +22,8 @@ eventid,event_title,detect_flg,comment
 4696,Primary token assigned to process,,
 4692,Backup of data protection master key was attempted,,
 4697,Service installed,,
+4768,Kerberos TGT request,Yes,
+4769,Kerberos service ticket request,Yes,
 4717,System security access was granted to an account,,
 4719,System audit policy was changed,,
 4720,User account created,Yes,
@@ -34,7 +39,7 @@ eventid,event_title,detect_flg,comment
 4727,Security global group was changed,,
 4738,User accounts properties changed,,
 4739,Domain policy changed,,
-4776,NTLM logon to local user,,
+4776,NTLM logon to local user,Yes,
 4778,RDP session reconnected or user switched back through Fast User Switching,,
 4779,RDP session disconnected or user switched away through Fast User Switching,,
 4797,Attempt to query the account for a blank password,,
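Review bot: The new rows `+1,Sysmon process creation,Yes,` and `+4103,Powershell execution pipeline,Yes,` are keyed on event ID alone, and the header `eventid,event_title,detect_flg,comment` shows this table has no channel or provider column, so these titles and the `Yes` flag will be applied to any event with ID 1 or 4103 from any log — ID 1 in particular is reused by many providers besides Sysmon, while every pre-existing row here is a Security-channel ID. Unless the lookup is filtered by channel somewhere not visible in this diff, unrelated events will be mislabelled and flagged. Either add a channel column to the format, or at minimum record the assumption in the comment column, e.g. `1,Sysmon process creation,Yes,Only meaningful for the Microsoft-Windows-Sysmon/Operational channel; the same ID exists in other providers.`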
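Review bot: `+4768,Kerberos TGT request,Yes,` and `+4769,Kerberos service ticket request,Yes,` set the detect flag with an empty comment, but on a domain controller these two IDs are written for essentially every authentication and service access, so a bare `Yes` gives the analyst no hint of what to look for and will swamp the flagged timeline. The rows are also inserted between 4697 and 4717 instead of in numeric order with the other 47xx entries, which this file otherwise keeps roughly ascending. Suggest moving them after 4739 and filling the comment, e.g. `4769,Kerberos service ticket request,Yes,Very high volume on DCs; mainly interesting for weak ticket encryption types or unusual requesting hosts.`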
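Review bot: `+4776,NTLM logon to local user,Yes,` flips the detect flag on an event that is logged for every NTLM credential validation, with no comment saying what makes it worth flagging, whereas flagged rows such as 1102 explain their rationale. The title is also narrower than the event: 4776 is logged on domain controllers for domain accounts as well, not only for local users, so `NTLM credential validation` would be a more accurate title. Add a comment such as `...,Yes,Noisy on its own; look for NTLM where Kerberos is expected and for error codes on failures.`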
@@ -61,13 +66,15 @@ eventid,event_title,detect_flg,comment
 5058,Key file operation,,
 5059,Key migration operation,,
 5061,Cryptographic operation,,
-5140,Network share object was accessed,,
+5140,Network share access,Yes,
 5142,A network share object was added,,
 5144,A network share object was deleted,,
+5145,Network shared file access,Yes,
 5379,Credential Manager credentials were read,,
 5381,Vault credentials were read,,
 5382,Vault credentials were read,,
 5478,IPsec Services started,,
 5889,An object was deleted to the COM+ Catalog,,
 5890,An object was added to the COM+ Catalog,,
+8001,Wireless access point connect,Yes,
 unregistered_event_id,Unknown,,
diff --git a/src/detections/print.rs b/src/detections/print.rs
index 380c2858..6c9ef6b8 100644
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -47,6 +47,11 @@ lazy_static! {
 .args
 .is_present("quiet-errors");
 pub static ref ERROR_LOG_STACK: Mutex> = Mutex::new(Vec::new());
+ pub static ref STATISTICS_FLAG: bool = configs::CONFIG
+ .read()
+ .unwrap()
+ .args
+ .is_present("statistics");
 }
 impl Message {
diff --git a/src/main.rs b/src/main.rs
index 2910353a..6bb33feb 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,6 +9,7 @@ use hayabusa::detections::print::AlertMessage;
 use hayabusa::detections::print::ERROR_LOG_PATH;
 use hayabusa::detections::print::ERROR_LOG_STACK;
 use hayabusa::detections::print::QUIET_ERRORS_FLAG;
+use hayabusa::detections::print::STATISTICS_FLAG;
 use hayabusa::detections::rule::{get_detection_keys, RuleNode};
 use hayabusa::filter;
 use hayabusa::omikuji::Omikuji;
@@ -84,6 +85,9 @@ impl App {
 return;
 }
 }
+ if *STATISTICS_FLAG {
+ println!("Generating Event ID Statistics");
+ }
 if let Some(filepath) = configs::CONFIG.read().unwrap().args.value_of("filepath") {
 if !filepath.ends_with(".evtx") {
 AlertMessage::alert(
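Review bot: `+5145,Network shared file access,Yes,` flags the per-object share access event, which when detailed file-share auditing is on is logged for every file or directory touched over SMB, so a bare `Yes` will dominate the timeline on any file server; 5140 (the per-share connect) is the one usually worth flagging, and its title was shortened from `Network share object was accessed` to `Network share access` while the sibling rows 5142/5144 keep the `A network share object was ...` wording. `+8001,Wireless access point connect,Yes,` is not a Security-channel ID, and since this table has no channel column that should at least be stated in the comment. Suggest `5145,Network shared file access,Yes,Per-file access on a share; extremely noisy, filter on the share/target name or unusual source addresses.`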
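Review bot: `STATISTICS_FLAG` is added with no doc comment, and nothing in print.rs says what the mode does even though, per the main.rs hunks in this commit, it is the switch that skips rule evaluation entirely. Add above the new static: `/// True when --statistics was passed: only event-ID counts are produced and rule detection is skipped.` The `.read().unwrap()` on `configs::CONFIG` copies the existing `QUIET_ERRORS_FLAG` pattern, so a poisoned lock panics on first use of the flag and the value is computed lazily at first deref rather than at startup; that is pre-existing style, but worth knowing when reading the call sites. The `lazy_static!` block starts outside this hunk.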
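Review bot: The `Generating Event ID Statistics` banner is printed before the `filepath` / `.evtx` validation that immediately follows, so it is emitted even when the run is about to be rejected via `AlertMessage::alert(`; move the `if *STATISTICS_FLAG { ... }` block below the input checks, or print it where the statistics are actually produced. It also goes to stdout via `println!`, where it will interleave with whatever result output the tool writes there if a user redirects stdout to a file. The enclosing function starts outside this hunk.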
@@ -116,6 +120,7 @@ impl App {
 }
 let analysis_end_time: DateTime = Local::now();
 let analysis_duration = analysis_end_time.signed_duration_since(analysis_start_time);
+ println!("");
 println!("Elapsed Time: {}", &analysis_duration.hhmmssxxx());
 println!("");
@@ -205,7 +210,9 @@ impl App {
 pb.inc();
 }
 detection.add_aggcondition_msges(&self.rt);
- after_fact();
+ if !*STATISTICS_FLAG {
+ after_fact();
+ }
 }
 // Windowsイベントログファイルを1ファイル分解析する。
@@ -273,11 +280,13 @@ impl App {
 self.rule_keys.clone(),
 ));
- // // timeline機能の実行
+ // timeline機能の実行
 tl.start(&records_per_detect);
- // // ruleファイルの検知
- detection = detection.start(&self.rt, records_per_detect);
+ if !*STATISTICS_FLAG {
+ // ruleファイルの検知
+ detection = detection.start(&self.rt, records_per_detect);
+ }
 }
 tl.tm_stats_dsp_msg();
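Review bot: In statistics mode `after_fact()` is now skipped, but `detection.add_aggcondition_msges(&self.rt)` on the line above still runs even though, per the later hunk in this commit, `detection.start` is never called in that mode, so aggregation messages are built for a detector that has processed no records — presumably a no-op, but wasted work and misleading to the next reader. Gate both calls together, `if !*STATISTICS_FLAG { detection.add_aggcondition_msges(&self.rt); after_fact(); }`, or better decide the mode once instead of testing `*STATISTICS_FLAG` at each call site (this commit adds three such checks). The enclosing function starts outside this hunk.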
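Review bot: The rule-detection call is gated per file inside the loop with `if !*STATISTICS_FLAG`, while `tl.tm_stats_dsp_msg()` after the loop remains unconditional, so unless that method checks the flag internally (not visible here) the statistics summary is printed on every run, not only in `--statistics` mode; if that is intended, say so next to the gate. The restored comment `// ruleファイルの検知` only names the step; an English why-comment would help outside contributors, e.g. `// Rule evaluation is skipped in --statistics mode; only the timeline/ID counts are collected.` The enclosing function starts outside this hunk.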