Merge pull request #594 from Yamato-Security/586-evtx-files-with-different-extension-option

evtx files with different extension option( --add-file-extentions)
2022-06-21 12:09:41 +09:00
parent 5f5f5c1807 e37371a077
commit b4ef082525
6 changed files with 68 additions and 22 deletions
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -4,7 +4,7 @@

 **新機能:**

- XXX
+- `--target-file-ext` オプションの追加。evtx以外の拡張子を指定する事ができます。ただし、ファイルの中身の形式はevtxファイル形式である必要があります。 (#586) (@hitenkoku)

 **改善:**

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,7 @@

 **New Features:**

- XXX
+- Added `--target-file-ext` option. You can specify additional file extensions to scan in addtition to the default `.evtx` files. For example, `--target-file-ext evtx_data` or multiple extensions with `--target-file-ext evtx1 evtx2`. (#586) (@hitenkoku)

 **Enhancements:**

--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -331,6 +331,7 @@ OPTIONS:
        --RFC-3339                            RFC 3339形式で日付と時刻を出力する (例: 2022-02-22 22:00:00.123456-06:00)
        --US-military-time                    24時間制(ミリタリータイム)のアメリカ形式で日付と時刻を出力する (例: 02-22-2022 22:00:00.123 -06:00)
        --US-time                             アメリカ形式で日付と時刻を出力する (例: 02-22-2022 10:00:00.123 PM -06:00)
+        --target-file-ext <EVTX_FILE_EXT>...  evtx以外の拡張子を解析対象に追加する。 (例１: evtx_data 例２：evtx1 evtx2)
        --all-tags                            出力したCSVファイルにルール内のタグ情報を全て出力する
    -c, --config <RULE_CONFIG_DIRECTORY>      ルールフォルダのコンフィグディレクトリ (デフォルト: ./rules/config)
        --contributors                        コントリビュータの一覧表示
--- a/README.md
+++ b/README.md
@@ -329,6 +329,7 @@ OPTIONS:
        --RFC-3339                            Output timestamp in RFC 3339 format (ex: 2022-02-22 22:00:00.123456-06:00)
        --US-military-time                    Output timestamp in US military time format (ex: 02-22-2022 22:00:00.123 -06:00)
        --US-time                             Output timestamp in US time format (ex: 02-22-2022 10:00:00.123 PM -06:00)
+        --target-file-ext <EVTX_FILE_EXT>...  Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
        --all-tags                            Output all tags when saving to a CSV file
    -c, --config <RULE_CONFIG_DIRECTORY>      Specify custom rule config folder (default: ./rules/config)
        --contributors                        Print the list of contributors
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -30,6 +30,8 @@ lazy_static! {
    pub static ref IDS_REGEX: Regex =
        Regex::new(r"^[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}$").unwrap();
    pub static ref TERM_SIZE: Option<(Width, Height)> = terminal_size();
+    pub static ref TARGET_EXTENSIONS: HashSet<String> =
+        get_target_extensions(CONFIG.read().unwrap().args.evtx_file_ext.as_ref());
 }

 pub struct ConfigReader<'a> {
@@ -205,6 +207,10 @@ pub struct Config {
    /// Print the list of contributors
    #[clap(long)]
    pub contributors: bool,
+
+    /// Specify additional target file extensions (ex: evtx_data) (ex: evtx1 evtx2)
+    #[clap(long = "target-file-ext", multiple_values = true)]
+    pub evtx_file_ext: Option<Vec<String>>,
 }

 impl ConfigReader<'_> {
@@ -453,6 +459,14 @@ pub fn load_pivot_keywords(path: &str) {
    });
 }

+/// --target-file-extで追加された拡張子から、調査対象ファイルの拡張子セットを返す関数
+pub fn get_target_extensions(arg: Option<&Vec<String>>) -> HashSet<String> {
+    let mut target_file_extensions: HashSet<String> =
+        arg.unwrap_or(&Vec::new()).iter().cloned().collect();
+    target_file_extensions.insert(String::from("evtx"));
+    target_file_extensions
+}
+
 #[derive(Debug, Clone)]
 pub struct EventInfo {
    pub evttitle: String,
@@ -524,6 +538,7 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig {
 mod tests {
    use crate::detections::configs;
    use chrono::{DateTime, Utc};
+    use hashbrown::HashSet;

    //     #[test]
    //     #[ignore]
@@ -567,4 +582,26 @@ mod tests {
        assert!(time_filter.is_target(&start_time));
        assert!(time_filter.is_target(&end_time));
    }
+
+    #[test]
+    fn test_get_target_extensions() {
+        let data = vec!["evtx_data".to_string(), "evtx_stars".to_string()];
+        let arg = Some(&data);
+        let ret = configs::get_target_extensions(arg);
+        let expect: HashSet<&str> = HashSet::from(["evtx", "evtx_data", "evtx_stars"]);
+        assert_eq!(ret.len(), expect.len());
+        for contents in expect.iter() {
+            assert!(ret.contains(&contents.to_string()));
+        }
+    }
+
+    #[test]
+    fn no_target_extensions() {
+        let ret = configs::get_target_extensions(None);
+        let expect: HashSet<&str> = HashSet::from(["evtx"]);
+        assert_eq!(ret.len(), expect.len());
+        for contents in expect.iter() {
+            assert!(ret.contains(&contents.to_string()));
+        }
+    }
 }
--- a/src/main.rs
+++ b/src/main.rs
@@ -11,7 +11,7 @@ use chrono::{DateTime, Datelike, Local, TimeZone};
 use evtx::{EvtxParser, ParserSettings};
 use git2::Repository;
 use hashbrown::{HashMap, HashSet};
-use hayabusa::detections::configs::{load_pivot_keywords, TargetEventTime};
+use hayabusa::detections::configs::{load_pivot_keywords, TargetEventTime, TARGET_EXTENSIONS};
 use hayabusa::detections::detection::{self, EvtxRecordInfo};
 use hayabusa::detections::pivot::PivotKeyword;
 use hayabusa::detections::pivot::PIVOT_KEYWORD;
@@ -186,6 +186,7 @@ impl App {
            .ok();
            println!();
        }
+
        if configs::CONFIG.read().unwrap().args.live_analysis {
            let live_analysis_list = self.collect_liveanalysis_files();
            if live_analysis_list.is_none() {
@@ -193,15 +194,20 @@ impl App {
            }
            self.analysis_files(live_analysis_list.unwrap(), &time_filter);
        } else if let Some(filepath) = &configs::CONFIG.read().unwrap().args.filepath {
-            if filepath.extension().unwrap_or_else(|| OsStr::new(".")) != "evtx"
-                || filepath
-                    .as_path()
-                    .file_stem()
+            if !TARGET_EXTENSIONS.contains(
+                filepath
+                    .extension()
                    .unwrap_or_else(|| OsStr::new("."))
                    .to_str()
-                    .unwrap()
-                    .trim()
-                    .starts_with('.')
+                    .unwrap(),
+            ) || filepath
+                .as_path()
+                .file_stem()
+                .unwrap_or_else(|| OsStr::new("."))
+                .to_str()
+                .unwrap()
+                .trim()
+                .starts_with('.')
            {
                AlertMessage::alert(
                    "--filepath only accepts .evtx files. Hidden files are ignored.",
@@ -397,18 +403,19 @@ impl App {
                    ret.extend(subdir_ret);
                    Option::Some(())
                });
-            } else {
-                let path_str = path.to_str().unwrap_or("");
-                if path_str.ends_with(".evtx")
-                    && !Path::new(path_str)
-                        .file_stem()
-                        .unwrap_or_else(|| OsStr::new("."))
-                        .to_str()
-                        .unwrap()
-                        .starts_with('.')
-                {
-                    ret.push(path);
-                }
+            } else if TARGET_EXTENSIONS.contains(
+                path.extension()
+                    .unwrap_or_else(|| OsStr::new(""))
+                    .to_str()
+                    .unwrap(),
+            ) && !path
+                .file_stem()
+                .unwrap_or_else(|| OsStr::new("."))
+                .to_str()
+                .unwrap()
+                .starts_with('.')
+            {
+                ret.push(path);
            }
        }