設計変更
@@ -1,4 +1,15 @@
|
|||||||
|
|
||||||
pub fn detection() {
|
pub struct Application {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl Application {
|
||||||
|
|
||||||
|
pub fn new() -> Application {
|
||||||
|
Application{}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn detection(&self) {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -1,23 +1,42 @@
|
|||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
pub fn detection(event_id: String, event_data: HashMap<String, String>,
|
#[derive(Debug)]
|
||||||
alert_all_admin: i32, total_admin_logons: &mut i32,
|
pub struct Security {
|
||||||
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
|
alert_all_admin: i32,
|
||||||
multiple_admin_logons: &mut HashMap<String, i32>) {
|
total_admin_logons: i32,
|
||||||
|
admin_logons: HashMap<String, HashMap<String, i32>>,
|
||||||
|
multiple_admin_logons: HashMap<String, i32>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Security {
|
||||||
|
pub fn new() -> Security {
|
||||||
|
Security{
|
||||||
|
alert_all_admin: 0,
|
||||||
|
total_admin_logons: 0,
|
||||||
|
admin_logons: HashMap::new(),
|
||||||
|
multiple_admin_logons: HashMap::new(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn disp(&self) {
|
||||||
|
if self.total_admin_logons > 0 {
|
||||||
|
println!("total_admin_logons:{}", self.total_admin_logons);
|
||||||
|
println!("admin_logons:{:?}", self.admin_logons);
|
||||||
|
println!("multiple_admin_logons:{:?}", self.multiple_admin_logons);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn detection(&mut self, event_id: String, event_data: HashMap<String, String>) {
|
||||||
|
|
||||||
if event_id == "4672" {
|
if event_id == "4672" {
|
||||||
se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
|
&self.se_debug_privilege(event_data);
|
||||||
admin_logons, multiple_admin_logons);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
// Special privileges assigned to new logon (possible admin access)
|
// Special privileges assigned to new logon (possible admin access)
|
||||||
//
|
//
|
||||||
fn se_debug_privilege(event_data: HashMap<String, String>,
|
fn se_debug_privilege(&mut self, event_data: HashMap<String, String>) {
|
||||||
alert_all_admin: i32, total_admin_logons: &mut i32,
|
|
||||||
admin_logons: &mut HashMap<String, HashMap<String, i32>>,
|
|
||||||
multiple_admin_logons: &mut HashMap<String, i32>) {
|
|
||||||
|
|
||||||
match event_data.get("PrivilegeList") {
|
match event_data.get("PrivilegeList") {
|
||||||
Some(privileage_list) => {
|
Some(privileage_list) => {
|
||||||
@@ -26,7 +45,7 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
|
|||||||
|
|
||||||
// alert_all_adminが有効であれば、標準出力して知らせる
|
// alert_all_adminが有効であれば、標準出力して知らせる
|
||||||
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
|
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
|
||||||
if alert_all_admin == 1 {
|
if self.alert_all_admin == 1 {
|
||||||
println!("Logon with SeDebugPrivilege (admin access)");
|
println!("Logon with SeDebugPrivilege (admin access)");
|
||||||
println!("Username:{}", event_data["SubjectUserName"]);
|
println!("Username:{}", event_data["SubjectUserName"]);
|
||||||
println!("Domain:{}", event_data["SubjectDomainName"]);
|
println!("Domain:{}", event_data["SubjectDomainName"]);
|
||||||
@@ -34,26 +53,26 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
|
|||||||
println!("Domain:{}", event_data["PrivilegeList"]);
|
println!("Domain:{}", event_data["PrivilegeList"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
*total_admin_logons += 1;
|
self.total_admin_logons += 1;
|
||||||
|
|
||||||
// admin_logons配列にusernameが含まれているか確認
|
// admin_logons配列にusernameが含まれているか確認
|
||||||
match admin_logons.get(&event_data["SubjectUserName"]) {
|
match self.admin_logons.get(&event_data["SubjectUserName"]) {
|
||||||
Some(sid) => {
|
Some(sid) => {
|
||||||
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
|
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
|
||||||
// マルチログオンのデータをセット
|
// マルチログオンのデータをセット
|
||||||
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
|
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
|
||||||
multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
|
self.multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
|
||||||
|
|
||||||
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
||||||
count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
|
count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
|
||||||
admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
|
self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
None => {
|
None => {
|
||||||
// admin_logons配列にセットUserNameとSIDとカウンタをセット
|
// admin_logons配列にセットUserNameとSIDとカウンタをセット
|
||||||
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
let mut count_hash: HashMap<String, i32> = HashMap::new();
|
||||||
count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
|
count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
|
||||||
admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
|
self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -67,3 +86,5 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|||||||
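Review bot: In the `Some(sid)` arm of `se_debug_privilege`, the check `event_data["SubjectUserName"] != event_data["SubjectUserSid"]` compares a user name with a SID, so it is true for practically every repeat logon and `multiple_admin_logons` gets set even when the SID has not changed. The next statement, `sid[&event_data["SubjectUserSid"]] + 1`, indexes the stored map with the current SID and panics when that user appears with a SID that is not stored yet, which is the case the inline comment "One username with multiple admin logon SIDs" describes; the fresh `count_hash` also replaces the counts already stored for that user. Every `event_data[...]` lookup likewise panics on a 4672 record that lacks the field, so one incomplete record stops the analysis. I would test for the SID with `contains_key` and update the counters through `entry`, as sketched below. The function starts in the first hunk and parts of it lie between the hunks, so the placement is approximate.

```rust
// … unchanged: PrivilegeList match, alert_all_admin output, total_admin_logons increment …
if let (Some(user), Some(user_sid)) = (
    event_data.get("SubjectUserName"),
    event_data.get("SubjectUserSid"),
) {
    let sids = self.admin_logons.entry(user.clone()).or_default();
    if !sids.is_empty() && !sids.contains_key(user_sid) {
        // One username with multiple admin logon SIDs
        self.multiple_admin_logons.insert(user.clone(), 1);
    }
    *sids.entry(user_sid.clone()).or_insert(0) += 1;
}
```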
@@ -1,4 +1,15 @@
|
|||||||
|
|
||||||
pub fn detection() {
|
pub struct System {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl System {
|
||||||
|
|
||||||
|
pub fn new() -> System {
|
||||||
|
System{}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn detection(&self) {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
28
src/main.rs
28
src/main.rs
@@ -5,7 +5,6 @@ use evtx::EvtxParser;
|
|||||||
use std::env;
|
use std::env;
|
||||||
use std::process;
|
use std::process;
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
use std::collections::HashMap;
|
|
||||||
use quick_xml::de::{DeError};
|
use quick_xml::de::{DeError};
|
||||||
use yamato_event_analyzer::models::event;
|
use yamato_event_analyzer::models::event;
|
||||||
use yamato_event_analyzer::detections::security;
|
use yamato_event_analyzer::detections::security;
|
||||||
@@ -16,17 +15,16 @@ fn main() -> Result<(), DeError> {
|
|||||||
|
|
||||||
let args: Vec<String> = env::args().collect();
|
let args: Vec<String> = env::args().collect();
|
||||||
let fp: PathBuf;
|
let fp: PathBuf;
|
||||||
if args.len() > 1 {
|
if (args.len() > 1) {
|
||||||
fp = PathBuf::from(args[1].to_string());
|
fp = PathBuf::from(args[1].to_string());
|
||||||
} else {
|
} else {
|
||||||
fp = PathBuf::from(format!("./samples/security.evtx"));
|
fp = PathBuf::from(format!("./samples/security.evtx"));
|
||||||
}
|
}
|
||||||
|
|
||||||
let alert_all_admin = 0;
|
|
||||||
let mut total_admin_logons = 0;
|
|
||||||
let mut admin_logons: HashMap<String, HashMap<String, i32>> = HashMap::new();
|
|
||||||
let mut multiple_admin_logons: HashMap<String, i32> = HashMap::new();
|
|
||||||
|
|
||||||
|
let mut security = security::Security::new();
|
||||||
|
let mut system = system::System::new();
|
||||||
|
let mut application = application::Application::new();
|
||||||
let mut parser = match EvtxParser::from_path(fp) {
|
let mut parser = match EvtxParser::from_path(fp) {
|
||||||
Ok(pointer) => pointer,
|
Ok(pointer) => pointer,
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
@@ -41,17 +39,13 @@ fn main() -> Result<(), DeError> {
|
|||||||
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
|
let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
|
||||||
let event_id = event.System.EventID.to_string();
|
let event_id = event.System.EventID.to_string();
|
||||||
|
|
||||||
// ログがSecurity.evtxなら
|
|
||||||
if event.System.Channel == "Security" {
|
if event.System.Channel == "Security" {
|
||||||
let event_data = event.parse_event_data();
|
let event_data = event.parse_event_data();
|
||||||
security::detection(event_id,
|
&security.detection(event_id, event_data);
|
||||||
event_data, alert_all_admin, &mut total_admin_logons,
|
|
||||||
&mut admin_logons, &mut multiple_admin_logons
|
|
||||||
);
|
|
||||||
} else if event.System.Channel == "System" {
|
} else if event.System.Channel == "System" {
|
||||||
system::detection();
|
&system.detection();
|
||||||
} else if event.System.Channel == "Application" {
|
} else if event.System.Channel == "Application" {
|
||||||
application::detection();
|
&application.detection();
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
Err(e) => eprintln!("{}", e),
|
Err(e) => eprintln!("{}", e),
|
||||||
@@ -59,13 +53,9 @@ fn main() -> Result<(), DeError> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
////////////////////////////
|
////////////////////////////
|
||||||
// 表示 別ファイルでやりたい
|
// 表示
|
||||||
////////////////////////////
|
////////////////////////////
|
||||||
if total_admin_logons > 0 {
|
security.disp();
|
||||||
println!("total_admin_logons:{}", total_admin_logons);
|
|
||||||
println!("admin_logons:{:?}", admin_logons);
|
|
||||||
println!("multiple_admin_logons:{:?}", multiple_admin_logons);
|
|
||||||
}
|
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|||||||
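Review bot: `quick_xml::de::from_str(&r.data)?` at the top of the `@@ -41,17 +39,13 @@` hunk returns from `main` on the first record that fails to deserialize, so a single malformed record ends the run before the remaining events are checked and before `security.disp()` prints anything. The `Err(e) => eprintln!("{}", e)` arm a few lines below logs the error instead of returning, and the XML step could do the same: `let event: event::Evtx = match quick_xml::de::from_str(&r.data) { Ok(ev) => ev, Err(e) => { eprintln!("{}", e); continue; } };` (this assumes the statement sits inside the record loop, which starts outside the hunk). Separately, the leading `&` in `&security.detection(event_id, event_data);`, `&system.detection();` and `&application.detection();` only borrows the `()` result and can be dropped, as can the parentheses in `if (args.len() > 1)`.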