kazuminn
2020-10-24 18:08:11 +09:00
parent f8a77b0a1f
commit e7a75ff780
2 changed files with 54 additions and 18 deletions


@@ -1,3 +1,4 @@
use crate::detections::utils;
use crate::models::event; use crate::models::event;
use std::collections::HashMap; use std::collections::HashMap;
@@ -15,42 +16,73 @@ impl System {
event_data: HashMap<String, String>, event_data: HashMap<String, String>,
) { ) {
self.system_log_clear(&event_id); self.system_log_clear(&event_id);
self.windows_event_log(&event_id, event_data); self.windows_event_log(&event_id, &event_data);
self.new_service_created(&event_id); self.new_service_created(&event_id, &event_data);
self.interactive_service_warning(&event_id); self.interactive_service_warning(&event_id, &event_data);
self.suspicious_service_name(&event_id); self.suspicious_service_name(&event_id, &event_data);
} }
fn new_service_created(&mut self, event_id: &String) { fn new_service_created(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
if event_id != "7045" { if event_id != "7045" {
return return;
}
let servicename = &event_data["ServiceName"];
let commandline = &event_data["ImagePath"];
let text = utils::check_regex(&servicename, 1);
if !text.is_empty() {
println!("Message : New Service Created");
println!("Command : {}", commandline);
println!("Results : Service name: {}", servicename);
println!("Results : {}", text);
}
if !commandline.is_empty() {
utils::check_command(7045, &commandline, 1000, 0, &servicename, &"");
} }
} }
fn interactive_service_warning(&mut self, event_id: &String) { fn interactive_service_warning(
&mut self,
event_id: &String,
event_data: &HashMap<String, String>,
) {
if event_id != "7030" { if event_id != "7030" {
return return;
} }
let servicename = &event_data["param1"];
println!("Message : Interactive service warning");
println!("Results : Service name: {}", servicename);
println!("Results : Malware (and some third party software) trigger this warning");
println!("{}", utils::check_regex(&servicename, 1));
} }
fn suspicious_service_name(&mut self, event_id: &String) { fn suspicious_service_name(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
if event_id != "7036" { if event_id != "7036" {
return return;
}
let servicename = &event_data["param1"];
let text = utils::check_regex(&servicename, 1);
if !text.is_empty() {
println!("Message : Suspicious Service Name");
println!("Results : Service name: {}", servicename);
println!("Results : {}", text);
} }
} }
fn system_log_clear(&mut self, event_id: &String) { fn system_log_clear(&mut self, event_id: &String) {
if event_id != "104" { if event_id != "104" {
return return;
} }
println!("Message : System Log Clear"); println!("Message : System Log Clear");
println!("Results : The System log was cleared."); println!("Results : The System log was cleared.");
} }
fn windows_event_log(&mut self, event_id: &String, event_data: HashMap<String, String>) { fn windows_event_log(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
if event_id != "7040" { if event_id != "7040" {
return return;
} }
if let Some(_param1) = event_data.get("param1") { if let Some(_param1) = event_data.get("param1") {
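Review bot: The new `new_service_created` body indexes `event_data["ServiceName"]` and `event_data["ImagePath"]` (and `interactive_service_warning` / `suspicious_service_name` index `["param1"]`), and `HashMap` indexing panics when the key is absent, so a single 7045/7030/7036 record with a missing or differently named field aborts the whole scan unless a caller catches the unwind — and this data comes from a log an attacker may have shaped. `windows_event_log` on the last visible line already does it the safe way with `event_data.get("param1")` and `if let`; use that pattern here, e.g. `let servicename = match event_data.get("ServiceName") { Some(v) => v, None => return };` and likewise for `ImagePath` and the two `param1` lookups. Separately, `interactive_service_warning` prints its "Message"/"Results" lines before `check_regex` runs, so it emits output for every 7030 event even when nothing matched, unlike the other two detections that gate on a non-empty result. `windows_event_log`'s body continues past the end of the hunk.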


@@ -51,9 +51,9 @@ pub fn check_command(
.unwrap() .unwrap()
.is_match(commandline) .is_match(commandline)
{ {
let re = Regex::new(r"^^.*:FromBase64String\(\'*").unwrap(); let re = Regex::new(r"^.*:FromBase64String\('*").unwrap();
base64.push_str(&re.replace_all(commandline, "")); base64.push_str(&re.replace_all(commandline, ""));
let re = Regex::new(r"\'.*$").unwrap(); let re = Regex::new(r"'.*$").unwrap();
base64.push_str(&re.replace_all(&base64.to_string(), "")); base64.push_str(&re.replace_all(&base64.to_string(), ""));
} }
if !base64.is_empty() { if !base64.is_empty() {
@@ -61,12 +61,16 @@ pub fn check_command(
.unwrap() .unwrap()
.is_match(commandline) .is_match(commandline)
{ {
let decoded = base64::decode(base64).unwrap(); /*
if let decoded = base64::decode(&base64) {
let mut d = GzDecoder::new(decoded.as_slice()); let mut d = GzDecoder::new(decoded.as_slice());
let mut uncompressed = String::new(); let mut uncompressed = String::new();
d.read_to_string(&mut uncompressed).unwrap(); d.read_to_string(&mut uncompressed).unwrap();
println!("Decoded : {}", uncompressed); println!("Decoded : {}", uncompressed);
text.push_str("Base64-encoded and compressed function\n"); text.push_str("Base64-encoded and compressed function\n");
}
*/
} else { } else {
let decoded = base64::decode(base64).unwrap(); let decoded = base64::decode(base64).unwrap();
println!("Decoded : {}", str::from_utf8(decoded.as_slice()).unwrap()); println!("Decoded : {}", str::from_utf8(decoded.as_slice()).unwrap());
@@ -76,6 +80,7 @@ pub fn check_command(
} }
} }
if !text.is_empty() { if !text.is_empty() {
println!("EventID : {}", event_id);
if servicecmd != 0 { if servicecmd != 0 {
println!("Message : Suspicious Service Command"); println!("Message : Suspicious Service Command");
println!("Results : Service name: {}\n", servicename); println!("Results : Service name: {}\n", servicename);
@@ -84,7 +89,6 @@ pub fn check_command(
} }
println!("command : {}", commandline); println!("command : {}", commandline);
println!("result : {}", text); println!("result : {}", text);
println!("EventID : {}", event_id);
} }
} }
@@ -126,7 +130,7 @@ fn check_obfu(string: &str) -> std::string::String {
return obfutext; return obfutext;
} }
fn check_regex(string: &str, r#type: usize) -> std::string::String { pub fn check_regex(string: &str, r#type: usize) -> std::string::String {
let empty = "".to_string(); let empty = "".to_string();
let mut regextext = "".to_string(); let mut regextext = "".to_string();
for line in configs::singleton().regex { for line in configs::singleton().regex {