diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 25a6864b..013e44fa 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -3,6 +3,7 @@ extern crate quick_xml; use crate::detections::application; use crate::detections::common; use crate::detections::security; +use crate::detections::sysmon; use crate::detections::system; use crate::models::event; use evtx::EvtxParser; @@ -26,6 +27,7 @@ impl Detection { let mut security = security::Security::new(); let mut system = system::System::new(); let mut application = application::Application::new(); + let mut sysmon = sysmon::Sysmon::new(); for record in parser.records() { match record { @@ -43,6 +45,8 @@ impl Detection { &system.detection(event_id, &event.system, event_data); } else if channel == "Application" { &application.detection(event_id, &event.system, event_data); + } else if channel == "Microsoft-Windows-Sysmon/Operational" { + &sysmon.detection(event_id, &event.system, event_data); } else { //&other.detection(); } diff --git a/src/detections/mod.rs b/src/detections/mod.rs index ba8b0f90..344ab59a 100644 --- a/src/detections/mod.rs +++ b/src/detections/mod.rs @@ -2,5 +2,6 @@ mod application; mod common; pub mod detection; mod security; +mod sysmon; mod system; mod utils; diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs new file mode 100644 index 00000000..165e39db --- /dev/null +++ b/src/detections/sysmon.rs @@ -0,0 +1,82 @@ +use crate::models::event; +use std::collections::HashMap; + +pub struct Sysmon { + checkunsigned: u64, +} + +impl Sysmon { + pub fn new() -> Sysmon { + Sysmon { + //checkunsigned: 0, // DeepBlueでは0固定 + checkunsigned: 1, // 開発用に1 + } + } + + pub fn detection( + &mut self, + event_id: String, + system: &event::System, + event_data: HashMap, + ) { + if event_id == "1" { + &self.check_command_lines(event_data); + } else if event_id == "7" { + &self.check_for_unsigned_files(event_data); + } + } + + fn check_command_lines(&mut self, event_data: HashMap) { + // Check command lines + if let Some(_command_line) = event_data.get("CommandLine") { + if let Some(_date) = event_data.get("UtcTime") { + println!("Date : {} (UTC)", _date); + } + println!("Log : Sysmon"); + //if let Some(_creater) = event_data.get("ParentImage") { + // println!("_creater : {}", _image); + //} + self.check_command("1".to_string(), _command_line.to_string()); + println!(""); + } + } + + fn check_for_unsigned_files(&mut self, event_data: HashMap) { + // Check for unsigned EXEs/DLLs: + // This can be very chatty, so it's disabled. + // Set $checkunsigned to 1 (global variable section) to enable: + if self.checkunsigned == 1 { + if let Some(_signed) = event_data.get("Signed") { + if _signed == "false" { + if let Some(_date) = event_data.get("UtcTime") { + println!("Date : {} (UTC)", _date); + } + println!("Log : Sysmon"); + println!("EventID : 7"); + println!("Message : Unsigned Image (DLL)"); + if let Some(_image) = event_data.get("Image") { + println!("Result : Loaded by: {}", _image); + } + if let Some(_command_line) = event_data.get("ImageLoaded") { + println!("Command : {}", _command_line); + } + println!(""); + } + } + } + } + + fn check_command(&mut self, _event_id: String, _command_line: String) { + let _result = "(TBD)"; + let _decoded = "(TBD)"; + + // TBD + + // Write-Output $obj + println!("EventID : {}", _event_id); + println!("Message : Suspicious Command Line"); + println!("Result : {}", _result); + println!("Command : {}", _command_line); + println!("Decoded : {}", _decoded); + } +}