Merge pull request #4 from YamatoSecurity/feature/sysmon
Feature/sysmon
This commit is contained in:
siamease
GitHub
@@ -3,6 +3,7 @@ extern crate quick_xml;
|
||||
use crate::detections::application;
|
||||
use crate::detections::common;
|
||||
use crate::detections::security;
|
||||
use crate::detections::sysmon;
|
||||
use crate::detections::system;
|
||||
use crate::models::event;
|
||||
use evtx::EvtxParser;
|
||||
@@ -26,6 +27,7 @@ impl Detection {
|
||||
let mut security = security::Security::new();
|
||||
let mut system = system::System::new();
|
||||
let mut application = application::Application::new();
|
||||
let mut sysmon = sysmon::Sysmon::new();
|
||||
|
||||
for record in parser.records() {
|
||||
match record {
|
||||
@@ -43,6 +45,8 @@ impl Detection {
|
||||
&system.detection(event_id, &event.system, event_data);
|
||||
} else if channel == "Application" {
|
||||
&application.detection(event_id, &event.system, event_data);
|
||||
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
|
||||
&sysmon.detection(event_id, &event.system, event_data);
|
||||
} else {
|
||||
//&other.detection();
|
||||
}
|
||||
|
||||
@@ -2,5 +2,6 @@ mod application;
|
||||
mod common;
|
||||
pub mod detection;
|
||||
mod security;
|
||||
mod sysmon;
|
||||
mod system;
|
||||
mod utils;
|
||||
|
||||
82
src/detections/sysmon.rs
Normal file
82
src/detections/sysmon.rs
Normal file
@@ -0,0 +1,82 @@
|
||||
use crate::models::event;
|
||||
use std::collections::HashMap;
|
||||
|
||||
pub struct Sysmon {
|
||||
checkunsigned: u64,
|
||||
}
|
||||
|
||||
impl Sysmon {
|
||||
pub fn new() -> Sysmon {
|
||||
Sysmon {
|
||||
//checkunsigned: 0, // DeepBlueでは0固定
|
||||
checkunsigned: 1, // 開発用に1
|
||||
}
|
||||
}
|
||||
|
||||
pub fn detection(
|
||||
&mut self,
|
||||
event_id: String,
|
||||
system: &event::System,
|
||||
event_data: HashMap<String, String>,
|
||||
) {
|
||||
if event_id == "1" {
|
||||
&self.check_command_lines(event_data);
|
||||
} else if event_id == "7" {
|
||||
&self.check_for_unsigned_files(event_data);
|
||||
}
|
||||
}
|
||||
|
||||
fn check_command_lines(&mut self, event_data: HashMap<String, String>) {
|
||||
// Check command lines
|
||||
if let Some(_command_line) = event_data.get("CommandLine") {
|
||||
if let Some(_date) = event_data.get("UtcTime") {
|
||||
println!("Date : {} (UTC)", _date);
|
||||
}
|
||||
println!("Log : Sysmon");
|
||||
//if let Some(_creater) = event_data.get("ParentImage") {
|
||||
// println!("_creater : {}", _image);
|
||||
//}
|
||||
self.check_command("1".to_string(), _command_line.to_string());
|
||||
println!("");
|
||||
}
|
||||
}
|
||||
|
||||
fn check_for_unsigned_files(&mut self, event_data: HashMap<String, String>) {
|
||||
// Check for unsigned EXEs/DLLs:
|
||||
// This can be very chatty, so it's disabled.
|
||||
// Set $checkunsigned to 1 (global variable section) to enable:
|
||||
if self.checkunsigned == 1 {
|
||||
if let Some(_signed) = event_data.get("Signed") {
|
||||
if _signed == "false" {
|
||||
if let Some(_date) = event_data.get("UtcTime") {
|
||||
println!("Date : {} (UTC)", _date);
|
||||
}
|
||||
println!("Log : Sysmon");
|
||||
println!("EventID : 7");
|
||||
println!("Message : Unsigned Image (DLL)");
|
||||
if let Some(_image) = event_data.get("Image") {
|
||||
println!("Result : Loaded by: {}", _image);
|
||||
}
|
||||
if let Some(_command_line) = event_data.get("ImageLoaded") {
|
||||
println!("Command : {}", _command_line);
|
||||
}
|
||||
println!("");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
fn check_command(&mut self, _event_id: String, _command_line: String) {
|
||||
let _result = "(TBD)";
|
||||
let _decoded = "(TBD)";
|
||||
|
||||
// TBD
|
||||
|
||||
// Write-Output $obj
|
||||
println!("EventID : {}", _event_id);
|
||||
println!("Message : Suspicious Command Line");
|
||||
println!("Result : {}", _result);
|
||||
println!("Command : {}", _command_line);
|
||||
println!("Decoded : {}", _decoded);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user