CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

設計変更

Browse Source
This commit is contained in:
akiranishikawa
2020-09-20 06:04:03 +09:00
parent 5d2a4b4d4c
commit d3b368b680
4 changed files with 112 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/detections/application.rs
View File

@@ -1,4 +1,15 @@
pub fn detection() { pub struct Application {
} }
impl Application {
pub fn new() -> Application {
Application{}
}
pub fn detection(&self) {
}
}

127
src/detections/security.rs
View File

@@ -1,67 +1,88 @@
use std::collections::HashMap; use std::collections::HashMap;
pub fn detection(event_id: String, event_data: HashMap<String, String>, #[derive(Debug)]
alert_all_admin: i32, total_admin_logons: &mut i32, pub struct Security {
admin_logons: &mut HashMap<String, HashMap<String, i32>>, alert_all_admin: i32,
multiple_admin_logons: &mut HashMap<String, i32>) { total_admin_logons: i32,
admin_logons: HashMap<String, HashMap<String, i32>>,
if event_id == "4672" { multiple_admin_logons: HashMap<String, i32>,
se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
admin_logons, multiple_admin_logons);
}
} }
// impl Security {
// Special privileges assigned to new logon (possible admin access) pub fn new() -> Security {
// Security{
fn se_debug_privilege(event_data: HashMap<String, String>, alert_all_admin: 0,
alert_all_admin: i32, total_admin_logons: &mut i32, total_admin_logons: 0,
admin_logons: &mut HashMap<String, HashMap<String, i32>>, admin_logons: HashMap::new(),
multiple_admin_logons: &mut HashMap<String, i32>) { multiple_admin_logons: HashMap::new(),
}
}
match event_data.get("PrivilegeList") { pub fn disp(&self) {
Some(privileage_list) => { if self.total_admin_logons > 0 {
match privileage_list.find("SeDebugPrivilege") { println!("total_admin_logons:{}", self.total_admin_logons);
Some(data) => { println!("admin_logons:{:?}", self.admin_logons);
println!("multiple_admin_logons:{:?}", self.multiple_admin_logons);
}
}
// alert_all_adminが有効であれば、標準出力して知らせる pub fn detection(&mut self, event_id: String, event_data: HashMap<String, String>) {
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
if alert_all_admin == 1 {
println!("Logon with SeDebugPrivilege (admin access)");
println!("Username:{}", event_data["SubjectUserName"]);
println!("Domain:{}", event_data["SubjectDomainName"]);
println!("User SID:{}", event_data["SubjectUserSid"]);
println!("Domain:{}", event_data["PrivilegeList"]);
}
*total_admin_logons += 1; if event_id == "4672" {
&self.se_debug_privilege(event_data);
}
}
// admin_logons配列にusernameが含まれているか確認 //
match admin_logons.get(&event_data["SubjectUserName"]) { // Special privileges assigned to new logon (possible admin access)
Some(sid) => { //
// 含まれていれば、マルチユーザが管理者としてログインしているか確認 fn se_debug_privilege(&mut self, event_data: HashMap<String, String>) {
// マルチログオンのデータをセット
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
let mut count_hash: HashMap<String, i32> = HashMap::new(); match event_data.get("PrivilegeList") {
count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1); Some(privileage_list) => {
admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash); match privileage_list.find("SeDebugPrivilege") {
} Some(data) => {
},
None => {
// admin_logons配列にセットUserNameとSIDとカウンタをセット
let mut count_hash: HashMap<String, i32> = HashMap::new();
count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
// alert_all_adminが有効であれば、標準出力して知らせる
// DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
if self.alert_all_admin == 1 {
println!("Logon with SeDebugPrivilege (admin access)");
println!("Username:{}", event_data["SubjectUserName"]);
println!("Domain:{}", event_data["SubjectDomainName"]);
println!("User SID:{}", event_data["SubjectUserSid"]);
println!("Domain:{}", event_data["PrivilegeList"]);
} }
}
}, self.total_admin_logons += 1;
None => (),
} // admin_logons配列にusernameが含まれているか確認
}, match self.admin_logons.get(&event_data["SubjectUserName"]) {
None => (), Some(sid) => {
// 含まれていれば、マルチユーザが管理者としてログインしているか確認
// マルチログオンのデータをセット
if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
self.multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
let mut count_hash: HashMap<String, i32> = HashMap::new();
count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
}
},
None => {
// admin_logons配列にセットUserNameとSIDとカウンタをセット
let mut count_hash: HashMap<String, i32> = HashMap::new();
count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
}
}
},
None => (),
}
},
None => (),
}
} }

13
src/detections/system.rs
View File

@@ -1,4 +1,15 @@
pub fn detection() { pub struct System {
} }
impl System {
pub fn new() -> System {
System{}
}
pub fn detection(&self) {
}
}

28
src/main.rs
View File

@@ -5,7 +5,6 @@ use evtx::EvtxParser;
use std::env; use std::env;
use std::process; use std::process;
use std::path::PathBuf; use std::path::PathBuf;
use std::collections::HashMap;
use quick_xml::de::{DeError}; use quick_xml::de::{DeError};
use yamato_event_analyzer::models::event; use yamato_event_analyzer::models::event;
use yamato_event_analyzer::detections::security; use yamato_event_analyzer::detections::security;
@@ -16,17 +15,16 @@ fn main() -> Result<(), DeError> {
let args: Vec<String> = env::args().collect(); let args: Vec<String> = env::args().collect();
let fp: PathBuf; let fp: PathBuf;
if args.len() > 1 { if (args.len() > 1) {
fp = PathBuf::from(args[1].to_string()); fp = PathBuf::from(args[1].to_string());
} else { } else {
fp = PathBuf::from(format!("./samples/security.evtx")); fp = PathBuf::from(format!("./samples/security.evtx"));
} }
let alert_all_admin = 0;
let mut total_admin_logons = 0;
let mut admin_logons: HashMap<String, HashMap<String, i32>> = HashMap::new();
let mut multiple_admin_logons: HashMap<String, i32> = HashMap::new();
let mut security = security::Security::new();
let mut system = system::System::new();
let mut application = application::Application::new();
let mut parser = match EvtxParser::from_path(fp) { let mut parser = match EvtxParser::from_path(fp) {
Ok(pointer) => pointer, Ok(pointer) => pointer,
Err(e) => { Err(e) => {
@@ -41,17 +39,13 @@ fn main() -> Result<(), DeError> {
let event: event::Evtx = quick_xml::de::from_str(&r.data)?; let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
let event_id = event.System.EventID.to_string(); let event_id = event.System.EventID.to_string();
// ログがSecurity.evtxなら
if event.System.Channel == "Security" { if event.System.Channel == "Security" {
let event_data = event.parse_event_data(); let event_data = event.parse_event_data();
security::detection(event_id, &security.detection(event_id, event_data);
event_data, alert_all_admin, &mut total_admin_logons,
&mut admin_logons, &mut multiple_admin_logons
);
} else if event.System.Channel == "System" { } else if event.System.Channel == "System" {
system::detection(); &system.detection();
} else if event.System.Channel == "Application" { } else if event.System.Channel == "Application" {
application::detection(); &application.detection();
} }
}, },
Err(e) => eprintln!("{}", e), Err(e) => eprintln!("{}", e),
@@ -59,13 +53,9 @@ fn main() -> Result<(), DeError> {
} }
//////////////////////////// ////////////////////////////
// 表示 別ファイルでやりたい // 表示
//////////////////////////// ////////////////////////////
if total_admin_logons > 0 { security.disp();
println!("total_admin_logons:{}", total_admin_logons);
println!("admin_logons:{:?}", admin_logons);
println!("multiple_admin_logons:{:?}", multiple_admin_logons);
}
Ok(()) Ok(())
} }