Merge pull request #4 from YamatoSecurity/feature/sysmon
Feature/sysmon
@@ -3,6 +3,7 @@ extern crate quick_xml;
|
|||||||
use crate::detections::application;
|
use crate::detections::application;
|
||||||
use crate::detections::common;
|
use crate::detections::common;
|
||||||
use crate::detections::security;
|
use crate::detections::security;
|
||||||
|
use crate::detections::sysmon;
|
||||||
use crate::detections::system;
|
use crate::detections::system;
|
||||||
use crate::models::event;
|
use crate::models::event;
|
||||||
use evtx::EvtxParser;
|
use evtx::EvtxParser;
|
||||||
@@ -26,6 +27,7 @@ impl Detection {
|
|||||||
let mut security = security::Security::new();
|
let mut security = security::Security::new();
|
||||||
let mut system = system::System::new();
|
let mut system = system::System::new();
|
||||||
let mut application = application::Application::new();
|
let mut application = application::Application::new();
|
||||||
|
let mut sysmon = sysmon::Sysmon::new();
|
||||||
|
|
||||||
for record in parser.records() {
|
for record in parser.records() {
|
||||||
match record {
|
match record {
|
||||||
@@ -43,6 +45,8 @@ impl Detection {
|
|||||||
&system.detection(event_id, &event.system, event_data);
|
&system.detection(event_id, &event.system, event_data);
|
||||||
} else if channel == "Application" {
|
} else if channel == "Application" {
|
||||||
&application.detection(event_id, &event.system, event_data);
|
&application.detection(event_id, &event.system, event_data);
|
||||||
|
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
|
||||||
|
&sysmon.detection(event_id, &event.system, event_data);
|
||||||
} else {
|
} else {
|
||||||
//&other.detection();
|
//&other.detection();
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,5 +2,6 @@ mod application;
|
|||||||
mod common;
|
mod common;
|
||||||
pub mod detection;
|
pub mod detection;
|
||||||
mod security;
|
mod security;
|
||||||
|
mod sysmon;
|
||||||
mod system;
|
mod system;
|
||||||
mod utils;
|
mod utils;
|
||||||
|
|||||||
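--- /dev/null
+++ b/src/detections/sysmon.rs
@@ -0,0 +1,82 @@
+use crate::models::event;
+use std::collections::HashMap;
+
+pub struct Sysmon {
+    checkunsigned: u64,
+}
+
+impl Sysmon {
+    pub fn new() -> Sysmon {
+        Sysmon {
+            //checkunsigned: 0, // DeepBlueでは0固定
+            checkunsigned: 1, // 開発用に1
+        }
+    }
+
+    pub fn detection(
+        &mut self,
+        event_id: String,
+        system: &event::System,
+        event_data: HashMap<String, String>,
+    ) {
+        if event_id == "1" {
+            &self.check_command_lines(event_data);
+        } else if event_id == "7" {
+            &self.check_for_unsigned_files(event_data);
+        }
+    }
+
+    fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
+        // Check command lines
+        if let Some(_command_line) = event_data.get("CommandLine") {
+            if let Some(_date) = event_data.get("UtcTime") {
+                println!("Date : {} (UTC)", _date);
+            }
+            println!("Log : Sysmon");
+            //if let Some(_creater) = event_data.get("ParentImage") {
+            //    println!("_creater : {}", _image);
+            //}
+            self.check_command("1".to_string(), _command_line.to_string());
+            println!("");
+        }
+    }
+
+    fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
+        // Check for unsigned EXEs/DLLs:
+        // This can be very chatty, so it's disabled.
+        // Set $checkunsigned to 1 (global variable section) to enable:
+        if self.checkunsigned == 1 {
+            if let Some(_signed) = event_data.get("Signed") {
+                if _signed == "false" {
+                    if let Some(_date) = event_data.get("UtcTime") {
+                        println!("Date : {} (UTC)", _date);
+                    }
+                    println!("Log : Sysmon");
+                    println!("EventID : 7");
+                    println!("Message : Unsigned Image (DLL)");
+                    if let Some(_image) = event_data.get("Image") {
+                        println!("Result : Loaded by: {}", _image);
+                    }
+                    if let Some(_command_line) = event_data.get("ImageLoaded") {
+                        println!("Command : {}", _command_line);
+                    }
+                    println!("");
+                }
+            }
+        }
+    }
+
+    fn check_command(&mut self, _event_id: String, _command_line: String) {
+        let _result = "(TBD)";
+        let _decoded = "(TBD)";
+
+        // TBD
+
+        // Write-Output $obj
+        println!("EventID : {}", _event_id);
+        println!("Message : Suspicious Command Line");
+        println!("Result : {}", _result);
+        println!("Command : {}", _command_line);
+        println!("Decoded : {}", _decoded);
+    }
+}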
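Review bot: `check_command` labels every Sysmon event ID 1 as `Message : Suspicious Command Line` — `_result` and `_decoded` are the literal `(TBD)` and no check runs before the println calls, so `check_command_lines` emits an alert for every process-creation event in the log, which buries any real finding in noise. Until the command-line checks are ported, the call `self.check_command("1".to_string(), _command_line.to_string());` should be gated or the stub should say so, e.g. `// TODO: no detection logic yet - every CommandLine is printed as suspicious`. In the same spirit, `checkunsigned: 1, // 開発用に1` leaves the chatty unsigned-image check (event ID 7) on by default, contradicting both the commented-out line above it and the header comment in `check_for_unsigned_files` that says it is disabled; revert to `0` or make it a constructor parameter before merging. Also, `system: &event::System` in `detection` is never read (rustc will warn), and binding `ImageLoaded` to `_command_line` is misleading since that value is the loaded module path, so `_image_loaded` would read better.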