From 42f8483485a80bde93813d5e78689077ef39e0e8 Mon Sep 17 00:00:00 2001
From: siamease
Date: Fri, 2 Oct 2020 00:10:38 +0900
Subject: [PATCH 1/4] add sysmon
---
 src/detections/detection.rs | 4 ++++
 src/detections/mod.rs | 1 +
 src/detections/sysmon.rs | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 src/detections/sysmon.rs
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 756fcf4c..417c5cd8 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -4,6 +4,7 @@ use crate::detections::application;
 use crate::detections::common;
 use crate::detections::security;
 use crate::detections::system;
+use crate::detections::sysmon;
 use crate::models::event;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
@@ -26,6 +27,7 @@ impl Detection {
 let mut security = security::Security::new();
 let mut system = system::System::new();
 let mut application = application::Application::new();
+ let mut sysmon = sysmon::Sysmon::new();
 for record in parser.records() {
 match record {
@@ -43,6 +45,8 @@ impl Detection {
 &system.detection(event_id, &event.system, event_data);
 } else if channel == "Application" {
 &application.detection(event_id, &event.system, event_data);
+ } else if channel == "Microsoft-Windows-Sysmon/Operational" {
+ &sysmon.detection(event_id, &event.system, event_data);
 } else {
 //&other.detection();
 }
diff --git a/src/detections/mod.rs b/src/detections/mod.rs
index 7238b4aa..2e67495c 100644
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -3,3 +3,4 @@ mod common;
 pub mod detection;
 mod security;
 mod system;
+mod sysmon;
\ No newline at end of file
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
new file mode 100644
index 00000000..34bfb6f8
--- /dev/null
+++ b/src/detections/sysmon.rs
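Review bot: The new branch `&sysmon.detection(event_id, &event.system, event_data);` borrows the `()` the call returns and immediately discards it, which rustc reports as an unused borrow (`unused_must_use`); dropping the `&` gives `sysmon.detection(event_id, &event.system, event_data);`. It mirrors the existing Security/System/Application lines, so consistency is why it looks this way, but the same no-op borrow is repeated in the new sysmon.rs `detection` method (`&self.sysmon_event_1(event_data);`) and is worth cleaning up there as well. The `for record` loop and the enclosing function continue outside the hunk.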
@@ -0,0 +1,37 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct Sysmon {}
+
+impl Sysmon {
+ pub fn new() -> Sysmon {
+ Sysmon {}
+ }
+
+ pub fn detection(
+ &mut self,
+ event_id: String,
+ system: &event::System,
+ event_data: HashMap,
+ ) {
+ if event_id == "1" {
+ &self.sysmon_event_1(event_data);
+ } else if event_id == "7" {
+ &self.sysmon_event_7(event_data);
+ }
+ }
+
+ fn sysmon_event_1(&mut self, event_data: HashMap) {
+ println!("Message : Sysmon event 1");
+ if let Some(_image) = event_data.get("Image") {
+ println!("_image : {}",_image);
+ }
+ if let Some(_command_line) = event_data.get("CommandLine") {
+ println!("_command_line : {}",_command_line);
+ }
+ }
+
+ fn sysmon_event_7(&mut self, event_data: HashMap) {
+ println!("Message : Sysmon event 7");
+ }
+}
From fa9f3813ae7aa381d9458e7722b3caff1c4adfbb Mon Sep 17 00:00:00 2001
From: siamease
Date: Fri, 2 Oct 2020 00:14:33 +0900
Subject: [PATCH 2/4] add sysmon
---
 src/detections/detection.rs | 2 +-
 src/detections/mod.rs | 2 +-
 src/detections/sysmon.rs | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 417c5cd8..4f07f017 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -3,8 +3,8 @@ extern crate quick_xml;
 use crate::detections::application;
 use crate::detections::common;
 use crate::detections::security;
-use crate::detections::system;
 use crate::detections::sysmon;
+use crate::detections::system;
 use crate::models::event;
 use evtx::EvtxParser;
 use quick_xml::de::DeError;
diff --git a/src/detections/mod.rs b/src/detections/mod.rs
index 2e67495c..3b50be07 100644
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -2,5 +2,5 @@ mod application;
 mod common;
 pub mod detection;
 mod security;
+mod sysmon;
 mod system;
-mod sysmon;
\ No newline at end of file
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 34bfb6f8..613bf183 100644
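Review bot: `sysmon_event_7` takes `event_data: HashMap` by value and never reads it, so every Event 7 record moves the whole map for one fixed `println!` and the compiler warns about the unused parameter; either read the fields the handler will need or name it `_event_data` until it does. `detection` only handles `event_id == "1"` and `"7"` and silently ignores every other Sysmon event, which is reasonable for a first cut but deserves a comment such as `// Only process-create (1) and image-load (7) events are handled; all other IDs are ignored.` None of the new public items carry `///` docs; one line on `Sysmon` stating that it handles records from the Microsoft-Windows-Sysmon/Operational channel (the channel detection.rs routes here) would orient the next reader.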
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -24,10 +24,10 @@ impl Sysmon {
 fn sysmon_event_1(&mut self, event_data: HashMap) {
 println!("Message : Sysmon event 1");
 if let Some(_image) = event_data.get("Image") {
- println!("_image : {}",_image);
+ println!("_image : {}", _image);
 }
 if let Some(_command_line) = event_data.get("CommandLine") {
- println!("_command_line : {}",_command_line);
+ println!("_command_line : {}", _command_line);
 }
 }
From c62c8dc32688c92ad4c37f49522e3a3057389ed1 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 00:16:47 +0900
Subject: [PATCH 3/4] fix
---
 src/detections/sysmon.rs | 49 +++++++++++++++++++++++++++++++---------
 1 file changed, 38 insertions(+), 11 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 613bf183..7cbab355 100644
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -1,11 +1,16 @@
 use crate::models::event;
 use std::collections::HashMap;
-pub struct Sysmon {}
+pub struct Sysmon {
+ checkunsigned: u64,
+}
 impl Sysmon {
 pub fn new() -> Sysmon {
- Sysmon {}
+ Sysmon {
+ //checkunsigned: 0,
+ checkunsigned: 1,
+ }
 }
 pub fn detection(
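Review bot: `checkunsigned: u64` models an on/off switch as an integer that the code only ever compares to `1`, so any other value silently disables the check; a `bool` (`check_unsigned: bool`) says what it means and turns the later test into `if self.check_unsigned`. `new()` hard-codes the enabled value with the disabled one left as commented-out code, so detection.rs has no way to choose; a `new()` that defaults to disabled plus a `with_unsigned_check(enabled: bool)` constructor, or `#[derive(Default)]`, keeps the toggle out of the source. The field also needs a doc line, e.g. `/// When 1, Event 7 (image load) records are reported too; this is chatty.`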
@@ -15,23 +20,45 @@ impl Sysmon {
 event_data: HashMap,
 ) {
 if event_id == "1" {
- &self.sysmon_event_1(event_data);
+ &self.check_command_lines(event_data);
 } else if event_id == "7" {
- &self.sysmon_event_7(event_data);
+ &self.check_for_unsigned_files(event_data);
 }
 }
- fn sysmon_event_1(&mut self, event_data: HashMap) {
- println!("Message : Sysmon event 1");
- if let Some(_image) = event_data.get("Image") {
- println!("_image : {}", _image);
+ fn check_command_lines(&mut self, event_data: HashMap) {
+ // Check command lines
+ if let Some(_date) = event_data.get("UtcTime") {
+ println!("Date : {} (UTC)", _date);
 }
+ println!("Log : Sysmon");
+ println!("EventID : 1");
+ //if let Some(_creater) = event_data.get("ParentImage") {
+ // println!("_creater : {}", _image);
+ //}
 if let Some(_command_line) = event_data.get("CommandLine") {
- println!("_command_line : {}", _command_line);
+ self.check_command("1", event_data);
+ println!("Command : {}", _command_line);
+ }
+ println!("");
+ }
+
+ fn check_for_unsigned_files(&mut self, event_data: HashMap) {
+ // Check for unsigned EXEs/DLLs:
+ // This can be very chatty, so it's disabled.
+ // Set $checkunsigned to 1 (global variable section) to enable:
+ if self.checkunsigned == 1 {
+ if let Some(_date) = event_data.get("UtcTime") {
+ println!("Date : {} (UTC)", _date);
+ }
+ println!("Log : Sysmon");
+ println!("EventID : 7");
+ //# TBD
+ println!("");
 }
 }
- fn sysmon_event_7(&mut self, event_data: HashMap) {
- println!("Message : Sysmon event 7");
+ fn check_command(&mut self, event_id: String, event_data: HashMap) {
+ //# TBD
 }
 }
From 1c2ec6e6dd5e87dcf04c7cd96fafb7249f17e844 Mon Sep 17 00:00:00 2001
From: siamease
Date: Wed, 7 Oct 2020 00:56:03 +0900
Subject: [PATCH 4/4] Implementation
---
 src/detections/sysmon.rs | 60 ++++++++++++++++++++++++++--------------
 1 file changed, 39 insertions(+), 21 deletions(-)
diff --git a/src/detections/sysmon.rs b/src/detections/sysmon.rs
index 7cbab355..165e39db 100644
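Review bot: The comment in `check_for_unsigned_files` says the unsigned-file check "is disabled" and tells the reader to set `$checkunsigned` in a "global variable section", but neither exists in this port and `new()` in the preceding hunk sets `checkunsigned: 1`, so the check the comment calls very chatty is on for every caller. Either default the field to 0 or make the comment describe the real switch: `// Chatty, so gated on Sysmon.checkunsigned (set in Sysmon::new()).` `self.check_command("1", event_data)` passes a `&str` to a `String` parameter and moves `event_data` while `_command_line` still borrows from it, so this hunk does not compile as written (the next patch in the series rewrites the call). `check_command_lines` already prints `EventID : 1`, so passing the ID into `check_command` again duplicates information the caller owns.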
--- a/src/detections/sysmon.rs
+++ b/src/detections/sysmon.rs
@@ -8,8 +8,8 @@ pub struct Sysmon {
 impl Sysmon {
 pub fn new() -> Sysmon {
 Sysmon {
- //checkunsigned: 0,
- checkunsigned: 1,
+ //checkunsigned: 0, // DeepBlueでは0固定
+ checkunsigned: 1, // 開発用に1
 }
 }
@@ -28,19 +28,17 @@ impl Sysmon {
 fn check_command_lines(&mut self, event_data: HashMap) {
 // Check command lines
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
- }
- println!("Log : Sysmon");
- println!("EventID : 1");
- //if let Some(_creater) = event_data.get("ParentImage") {
- // println!("_creater : {}", _image);
- //}
 if let Some(_command_line) = event_data.get("CommandLine") {
- self.check_command("1", event_data);
- println!("Command : {}", _command_line);
+ if let Some(_date) = event_data.get("UtcTime") {
+ println!("Date : {} (UTC)", _date);
+ }
+ println!("Log : Sysmon");
+ //if let Some(_creater) = event_data.get("ParentImage") {
+ // println!("_creater : {}", _image);
+ //}
+ self.check_command("1".to_string(), _command_line.to_string());
+ println!("");
 }
- println!("");
 }
 fn check_for_unsigned_files(&mut self, event_data: HashMap) {
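Review bot: The new comments `// DeepBlueでは0固定` and `// 開発用に1` record that the upstream DeepBlue logic keeps this switch at 0 and that 1 is a development setting, yet the committed value is the development one, so every consumer of `Sysmon::new()` gets the chatty Event 7 output. Commit the production default and keep the dev override out of the constructor: `checkunsigned: 0, // DeepBlue default; Event 7 reporting is chatty`. The rest of the file's comments are in English, so these should be too.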
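Review bot: `self.check_command("1".to_string(), _command_line.to_string())` allocates two `String`s per record only because `check_command` takes owned values it never stores; declaring it as `fn check_command(&mut self, event_id: &str, command_line: &str)` and calling `self.check_command("1", _command_line)` removes both clones. The relocated `//if let Some(_creater) = event_data.get("ParentImage")` block is commented-out code that refers to an `_image` binding this function does not have; delete it or reduce it to `// TODO: also report ParentImage`. After this change an Event 1 record without a `CommandLine` field produces no output at all, not even the Date/Log header; if that is intended, a comment on the `if let` should say so.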
@@ -48,17 +46,37 @@ impl Sysmon {
 // This can be very chatty, so it's disabled.
 // Set $checkunsigned to 1 (global variable section) to enable:
 if self.checkunsigned == 1 {
- if let Some(_date) = event_data.get("UtcTime") {
- println!("Date : {} (UTC)", _date);
+ if let Some(_signed) = event_data.get("Signed") {
+ if _signed == "false" {
+ if let Some(_date) = event_data.get("UtcTime") {
+ println!("Date : {} (UTC)", _date);
+ }
+ println!("Log : Sysmon");
+ println!("EventID : 7");
+ println!("Message : Unsigned Image (DLL)");
+ if let Some(_image) = event_data.get("Image") {
+ println!("Result : Loaded by: {}", _image);
+ }
+ if let Some(_command_line) = event_data.get("ImageLoaded") {
+ println!("Command : {}", _command_line);
+ }
+ println!("");
+ }
 }
- println!("Log : Sysmon");
- println!("EventID : 7");
- //# TBD
- println!("");
 }
 }
- fn check_command(&mut self, event_id: String, event_data: HashMap) {
- //# TBD
+ fn check_command(&mut self, _event_id: String, _command_line: String) {
+ let _result = "(TBD)";
+ let _decoded = "(TBD)";
+
+ // TBD
+
+ // Write-Output $obj
+ println!("EventID : {}", _event_id);
+ println!("Message : Suspicious Command Line");
+ println!("Result : {}", _result);
+ println!("Command : {}", _command_line);
+ println!("Decoded : {}", _decoded);
 }
 }
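Review bot: `check_command` prints `Message : Suspicious Command Line` unconditionally while `_result` and `_decoded` are still the `"(TBD)"` placeholders, so with `check_command_lines` calling it for every record that has a `CommandLine`, every Sysmon process-creation event is reported as suspicious; until a real heuristic exists the function should return without output, e.g. `// TODO: no command-line checks implemented yet; report nothing rather than flag every process` followed by `return;` ahead of the `println!` block. In `check_for_unsigned_files` the `ImageLoaded` field is bound as `_command_line` and printed under `Command :`, which reads as a command line although it is the path of the loaded image; if the fixed Date/Log/EventID/Message/Result/Command layout is kept for parity with the `Write-Output $obj` format, rename the binding to `_image_loaded` and note the layout in a comment. `_signed == "false"` is an exact, case-sensitive match, which is presumably fine for Sysmon's boolean fields but worth a comment. The printed `Image`, `ImageLoaded` and `CommandLine` values are taken verbatim from the log, so a command line containing terminal control characters would reach stdout unescaped; printing them with `{:?}` or stripping control characters is a cheap hardening for a tool whose output is read in a terminal.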