add check_command()
This commit is contained in:
Kazuminn
29
Cargo.lock
generated
29
Cargo.lock
generated
@@ -70,6 +70,12 @@ dependencies = [
|
||||
"rustc-demangle",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "base64"
|
||||
version = "0.12.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3441f0f7b02788e948e47f457ca01f1d7e6d92c693bc132c22b087d3141c03ff"
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "1.2.1"
|
||||
@@ -184,6 +190,15 @@ dependencies = [
|
||||
"build_const",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "crc32fast"
|
||||
version = "1.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ba125de2af0df55319f41944744ad91c71113bf74a4646efff39afe1f6842db1"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "crossbeam-channel"
|
||||
version = "0.4.4"
|
||||
@@ -389,6 +404,18 @@ dependencies = [
|
||||
"winstructs",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "flate2"
|
||||
version = "1.0.18"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "da80be589a72651dcda34d8b35bcdc9b7254ad06325611074d9cc0fbb19f60ee"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"crc32fast",
|
||||
"libc",
|
||||
"miniz_oxide",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "fs_extra"
|
||||
version = "1.2.0"
|
||||
@@ -1150,9 +1177,11 @@ dependencies = [
|
||||
name = "yamato_event_analyzer"
|
||||
version = "0.1.0"
|
||||
dependencies = [
|
||||
"base64",
|
||||
"clap",
|
||||
"csv",
|
||||
"evtx",
|
||||
"flate2",
|
||||
"quick-xml 0.17.2",
|
||||
"regex",
|
||||
"serde",
|
||||
|
||||
@@ -14,3 +14,5 @@ serde_json = { version = "1.0"}
|
||||
clap = "*"
|
||||
regex = "1"
|
||||
csv = "1.1"
|
||||
base64 = "*"
|
||||
flate2 = "1.0"
|
||||
@@ -1,12 +1,95 @@
|
||||
extern crate base64;
|
||||
extern crate csv;
|
||||
extern crate regex;
|
||||
|
||||
use flate2::read::GzDecoder;
|
||||
use regex::Regex;
|
||||
use std::env;
|
||||
use std::fs::File;
|
||||
use std::io::prelude::*;
|
||||
use std::io::prelude::*;
|
||||
use std::str;
|
||||
use std::string::String;
|
||||
|
||||
pub fn check_command(
|
||||
event_id: usize,
|
||||
commandline: &str,
|
||||
minlength: usize,
|
||||
servicecmd: usize,
|
||||
servicename: &str,
|
||||
creator: &str,
|
||||
) {
|
||||
let mut text = "".to_string();
|
||||
let mut base64 = "".to_string();
|
||||
|
||||
let mut f = File::open("whitelist.txt").expect("file not found");
|
||||
let mut contents = String::new();
|
||||
f.read_to_string(&mut contents);
|
||||
|
||||
let mut rdr = csv::Reader::from_reader(contents.as_bytes());
|
||||
|
||||
for entry in rdr.records() {
|
||||
if let Ok(_data) = entry {
|
||||
if (commandline == &_data[0]) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
if commandline.len() > minlength {
|
||||
text.push_str("Long Command Line: greater than ");
|
||||
text.push_str(&minlength.to_string());
|
||||
text.push_str("bytes\n");
|
||||
}
|
||||
text.push_str(&check_obfu(commandline));
|
||||
text.push_str(&check_regex(commandline, 0));
|
||||
text.push_str(&check_creator(commandline, creator));
|
||||
if (Regex::new(r"\-enc.*[A-Za-z0-9/+=]{100}")
|
||||
.unwrap()
|
||||
.is_match(commandline))
|
||||
{
|
||||
let re = Regex::new(r"^.* \-Enc(odedCommand)? ").unwrap();
|
||||
base64.push_str(&re.replace_all(commandline, ""));
|
||||
} else if (Regex::new(r":FromBase64String\(")
|
||||
.unwrap()
|
||||
.is_match(commandline))
|
||||
{
|
||||
let re = Regex::new(r"^^.*:FromBase64String\(\'*").unwrap();
|
||||
base64.push_str(&re.replace_all(commandline, ""));
|
||||
let re = Regex::new(r"\'.*$").unwrap();
|
||||
base64.push_str(&re.replace_all(&base64.to_string(), ""));
|
||||
}
|
||||
if (!base64.is_empty()) {
|
||||
if (Regex::new(r"Compression.GzipStream.*Decompress")
|
||||
.unwrap()
|
||||
.is_match(commandline))
|
||||
{
|
||||
let decoded = base64::decode(base64).unwrap();
|
||||
let mut d = GzDecoder::new(decoded.as_slice());
|
||||
let mut uncompressed = String::new();
|
||||
d.read_to_string(&mut uncompressed).unwrap();
|
||||
println!("Decoded : {}", uncompressed);
|
||||
text.push_str("Base64-encoded and compressed function\n");
|
||||
} else {
|
||||
let decoded = base64::decode(base64).unwrap();
|
||||
println!("Decoded : {}", str::from_utf8(decoded.as_slice()).unwrap());
|
||||
text.push_str("Base64-encoded function\n");
|
||||
text.push_str(&check_obfu(str::from_utf8(decoded.as_slice()).unwrap()));
|
||||
text.push_str(&check_regex(str::from_utf8(decoded.as_slice()).unwrap(), 0));
|
||||
}
|
||||
}
|
||||
if !text.is_empty() {
|
||||
if servicecmd != 0 {
|
||||
println!("Message : Suspicious Service Command");
|
||||
println!("Results : Service name: {}\n", servicename);
|
||||
} else {
|
||||
println!("Message : Suspicious Command Line");
|
||||
}
|
||||
println!("command : {}", commandline);
|
||||
println!("result : {}", text);
|
||||
println!("EventID : {}", event_id);
|
||||
}
|
||||
}
|
||||
|
||||
fn check_obfu(string: &str) -> std::string::String {
|
||||
let mut obfutext = "".to_string();
|
||||
let mut lowercasestring = string.to_lowercase();
|
||||
@@ -24,7 +107,7 @@ fn check_obfu(string: &str) -> std::string::String {
|
||||
|
||||
if (length > 0) {
|
||||
let mut percent = ((length - noalphastring.len()) / length);
|
||||
if ((length / 100) as f64)< minpercent {
|
||||
if ((length / 100) as f64) < minpercent {
|
||||
minpercent = (length / 100) as f64;
|
||||
}
|
||||
if percent < minpercent as usize {
|
||||
@@ -32,10 +115,10 @@ fn check_obfu(string: &str) -> std::string::String {
|
||||
let percent = &percent.to_string();
|
||||
let caps = re.captures(percent).unwrap();
|
||||
obfutext.push_str("Possible command obfuscation: only ");
|
||||
obfutext.push_str(caps.get(0).unwrap().as_str());
|
||||
obfutext.push_str(caps.get(0).unwrap().as_str());
|
||||
obfutext.push_str("alphanumeric and common symbols\n");
|
||||
}
|
||||
percent = ((nobinarystring.len() - length / length) /length);
|
||||
percent = ((nobinarystring.len() - length / length) / length);
|
||||
let mut binarypercent = 1 - percent;
|
||||
if binarypercent > maxbinary as usize {
|
||||
re = Regex::new(r"{0:P0}").unwrap();
|
||||
@@ -49,7 +132,7 @@ fn check_obfu(string: &str) -> std::string::String {
|
||||
return obfutext;
|
||||
}
|
||||
|
||||
fn check_regex(string: &str, r#type: &str) -> std::string::String {
|
||||
fn check_regex(string: &str, r#type: usize) -> std::string::String {
|
||||
let mut f = File::open("regexes.txt").expect("file not found");
|
||||
let mut contents = String::new();
|
||||
f.read_to_string(&mut contents);
|
||||
@@ -58,19 +141,16 @@ fn check_regex(string: &str, r#type: &str) -> std::string::String {
|
||||
|
||||
let mut regextext = "".to_string();
|
||||
for regex in rdr.records() {
|
||||
match regex {
|
||||
if let Ok(_data) = regex {
|
||||
/*
|
||||
data[0] is type.
|
||||
data[1] is regex.
|
||||
data[2] is string.
|
||||
*/
|
||||
Ok(_data) => {
|
||||
if &_data[0] == r#type && &_data[1] == string {
|
||||
regextext.push_str(&_data[2]);
|
||||
regextext.push_str("\n");
|
||||
}
|
||||
if &_data[0] == r#type.to_string() && &_data[1] == string {
|
||||
regextext.push_str(&_data[2]);
|
||||
regextext.push_str("\n");
|
||||
}
|
||||
Err(_data) => (),
|
||||
}
|
||||
}
|
||||
return regextext;
|
||||
|
||||
3
whitelist.txt
Normal file
3
whitelist.txt
Normal file
@@ -0,0 +1,3 @@
|
||||
regex
|
||||
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
|
||||
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
|
||||
Reference in New Issue
Block a user