CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

設計変更、警告修正

Browse Source
This commit is contained in:
akiranishikawa
2020-09-19 19:35:20 +09:00
parent c9143dc7b6
commit ca94249bbe
4 changed files with 41 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/detections/application.rs
View File

@@ -0,0 +1,4 @@
pub fn detection() {
}

17
src/detections/security.rs
View File

@@ -1,9 +1,20 @@
use std::collections::HashMap;
pub fn detection(event_id: String, event_data: HashMap<String, String>,
alert_all_admin: i32, total_admin_logons: &mut i32,
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
multiple_admin_logons: &mut HashMap<String, i32>) {
if event_id == "4672" {
se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
admin_logons, multiple_admin_logons);
}
}
//
// Special privileges assigned to new logon (possible admin access)
//
pub fn se_debug_privilege(event_data: HashMap<String, String>,
fn se_debug_privilege(event_data: HashMap<String, String>,
alert_all_admin: i32, total_admin_logons: &mut i32,
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
multiple_admin_logons: &mut HashMap<String, i32>) {
@@ -15,7 +26,7 @@ pub fn se_debug_privilege(event_data: HashMap<String, String>,
// alert_all_adminが有効であれば、標準出力して知らせる
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
if (alert_all_admin == 1) {
if alert_all_admin == 1 {
println!("Logon with SeDebugPrivilege (admin access)");
println!("Username:{}", event_data["SubjectUserName"]);
println!("Domain:{}", event_data["SubjectDomainName"]);
@@ -30,7 +41,7 @@ pub fn se_debug_privilege(event_data: HashMap<String, String>,
Some(sid) => {
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
// マルチログオンのデータをセット
if (event_data["SubjectUserName"] != event_data["SubjectUserSid"]) { // One username with multiple admin logon SIDs
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
let mut count_hash: HashMap<String, i32> = HashMap::new();

4
src/detections/system.rs
View File

@@ -0,0 +1,4 @@
pub fn detection() {
}

27
src/main.rs
View File

@@ -9,12 +9,14 @@ use std::collections::HashMap;
use quick_xml::de::{DeError};
use yamato_event_analyzer::models::event;
use yamato_event_analyzer::detections::security;
use yamato_event_analyzer::detections::system;
use yamato_event_analyzer::detections::application;
fn main() -> Result<(), DeError> {
let args: Vec<String> = env::args().collect();
let fp: PathBuf;
if (args.len() > 1) {
if args.len() > 1 {
fp = PathBuf::from(args[1].to_string());
} else {
fp = PathBuf::from(format!("./samples/security.evtx"));
@@ -37,20 +39,29 @@ fn main() -> Result<(), DeError> {
match record {
Ok(r) => {
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
let event_id = event.System.EventID.to_string();
// ログがSecurity.evtxなら
if (event.System.Channel == "Security") {
if (event.System.EventID == "4672") {
let event_data = event.parse_event_data();
security::se_debug_privilege(event_data, alert_all_admin, &mut total_admin_logons,
&mut admin_logons, &mut multiple_admin_logons);
}
if event.System.Channel == "Security" {
let event_data = event.parse_event_data();
security::detection(event_id,
event_data, alert_all_admin, &mut total_admin_logons,
&mut admin_logons, &mut multiple_admin_logons
);
} else if event.System.Channel == "System" {
system::detection();
} else if event.System.Channel == "Application" {
application::detection();
}
},
Err(e) => eprintln!("{}", e),
}
}
if (total_admin_logons > 0) {
////////////////////////////
// 表示 別ファイルでやりたい
////////////////////////////
if total_admin_logons > 0 {
println!("total_admin_logons:{}", total_admin_logons);
println!("admin_logons:{:?}", admin_logons);
println!("multiple_admin_logons:{:?}", multiple_admin_logons);