設計変更、警告修正
This commit is contained in:
akiranishikawa
@@ -0,0 +1,4 @@
|
|||||||
|
|
||||||
|
pub fn detection() {
|
||||||
|
|
||||||
|
}
|
||||||
@@ -1,9 +1,20 @@
|
|||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
|
pub fn detection(event_id: String, event_data: HashMap<String, String>,
|
||||||
|
alert_all_admin: i32, total_admin_logons: &mut i32,
|
||||||
|
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
|
||||||
|
multiple_admin_logons: &mut HashMap<String, i32>) {
|
||||||
|
|
||||||
|
if event_id == "4672" {
|
||||||
|
se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
|
||||||
|
admin_logons, multiple_admin_logons);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// Special privileges assigned to new logon (possible admin access)
|
// Special privileges assigned to new logon (possible admin access)
|
||||||
//
|
//
|
||||||
pub fn se_debug_privilege(event_data: HashMap<String, String>,
|
fn se_debug_privilege(event_data: HashMap<String, String>,
|
||||||
alert_all_admin: i32, total_admin_logons: &mut i32,
|
alert_all_admin: i32, total_admin_logons: &mut i32,
|
||||||
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
|
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
|
||||||
multiple_admin_logons: &mut HashMap<String, i32>) {
|
multiple_admin_logons: &mut HashMap<String, i32>) {
|
||||||
@@ -15,7 +26,7 @@ pub fn se_debug_privilege(event_data: HashMap<String, String>,
|
|||||||
|
|
||||||
// alert_all_adminが有効であれば、標準出力して知らせる
|
// alert_all_adminが有効であれば、標準出力して知らせる
|
||||||
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
|
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
|
||||||
if (alert_all_admin == 1) {
|
if alert_all_admin == 1 {
|
||||||
println!("Logon with SeDebugPrivilege (admin access)");
|
println!("Logon with SeDebugPrivilege (admin access)");
|
||||||
println!("Username:{}", event_data["SubjectUserName"]);
|
println!("Username:{}", event_data["SubjectUserName"]);
|
||||||
println!("Domain:{}", event_data["SubjectDomainName"]);
|
println!("Domain:{}", event_data["SubjectDomainName"]);
|
||||||
@@ -30,7 +41,7 @@ pub fn se_debug_privilege(event_data: HashMap<String, String>,
|
|||||||
Some(sid) => {
|
Some(sid) => {
|
||||||
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
|
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
|
||||||
// マルチログオンのデータをセット
|
// マルチログオンのデータをセット
|
||||||
if (event_data["SubjectUserName"] != event_data["SubjectUserSid"]) { // One username with multiple admin logon SIDs
|
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
|
||||||
multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
|
multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
|
||||||
|
|
||||||
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
|
||||||
|
pub fn detection() {
|
||||||
|
|
||||||
|
}
|
||||||
25
src/main.rs
25
src/main.rs
@@ -9,12 +9,14 @@ use std::collections::HashMap;
|
|||||||
use quick_xml::de::{DeError};
|
use quick_xml::de::{DeError};
|
||||||
use yamato_event_analyzer::models::event;
|
use yamato_event_analyzer::models::event;
|
||||||
use yamato_event_analyzer::detections::security;
|
use yamato_event_analyzer::detections::security;
|
||||||
|
use yamato_event_analyzer::detections::system;
|
||||||
|
use yamato_event_analyzer::detections::application;
|
||||||
|
|
||||||
fn main() -> Result<(), DeError> {
|
fn main() -> Result<(), DeError> {
|
||||||
|
|
||||||
let args: Vec<String> = env::args().collect();
|
let args: Vec<String> = env::args().collect();
|
||||||
let fp: PathBuf;
|
let fp: PathBuf;
|
||||||
if (args.len() > 1) {
|
if args.len() > 1 {
|
||||||
fp = PathBuf::from(args[1].to_string());
|
fp = PathBuf::from(args[1].to_string());
|
||||||
} else {
|
} else {
|
||||||
fp = PathBuf::from(format!("./samples/security.evtx"));
|
fp = PathBuf::from(format!("./samples/security.evtx"));
|
||||||
@@ -37,20 +39,29 @@ fn main() -> Result<(), DeError> {
|
|||||||
match record {
|
match record {
|
||||||
Ok(r) => {
|
Ok(r) => {
|
||||||
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
|
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
|
||||||
|
let event_id = event.System.EventID.to_string();
|
||||||
|
|
||||||
// ログがSecurity.evtxなら
|
// ログがSecurity.evtxなら
|
||||||
if (event.System.Channel == "Security") {
|
if event.System.Channel == "Security" {
|
||||||
if (event.System.EventID == "4672") {
|
|
||||||
let event_data = event.parse_event_data();
|
let event_data = event.parse_event_data();
|
||||||
security::se_debug_privilege(event_data, alert_all_admin, &mut total_admin_logons,
|
security::detection(event_id,
|
||||||
&mut admin_logons, &mut multiple_admin_logons);
|
event_data, alert_all_admin, &mut total_admin_logons,
|
||||||
}
|
&mut admin_logons, &mut multiple_admin_logons
|
||||||
|
);
|
||||||
|
} else if event.System.Channel == "System" {
|
||||||
|
system::detection();
|
||||||
|
} else if event.System.Channel == "Application" {
|
||||||
|
application::detection();
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
Err(e) => eprintln!("{}", e),
|
Err(e) => eprintln!("{}", e),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (total_admin_logons > 0) {
|
////////////////////////////
|
||||||
|
// 表示 別ファイルでやりたい
|
||||||
|
////////////////////////////
|
||||||
|
if total_admin_logons > 0 {
|
||||||
println!("total_admin_logons:{}", total_admin_logons);
|
println!("total_admin_logons:{}", total_admin_logons);
|
||||||
println!("admin_logons:{:?}", admin_logons);
|
println!("admin_logons:{:?}", admin_logons);
|
||||||
println!("multiple_admin_logons:{:?}", multiple_admin_logons);
|
println!("multiple_admin_logons:{:?}", multiple_admin_logons);
|
||||||
|
|||||||
Reference in New Issue
Block a user