add

2020-10-24 18:08:11 +09:00
parent f8a77b0a1f
commit e7a75ff780
2 changed files with 54 additions and 18 deletions
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,3 +1,4 @@
+use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;

@@ -15,42 +16,73 @@ impl System {
        event_data: HashMap<String, String>,
    ) {
        self.system_log_clear(&event_id);
-        self.windows_event_log(&event_id, event_data);
-        self.new_service_created(&event_id);
-        self.interactive_service_warning(&event_id);
-        self.suspicious_service_name(&event_id);
+        self.windows_event_log(&event_id, &event_data);
+        self.new_service_created(&event_id, &event_data);
+        self.interactive_service_warning(&event_id, &event_data);
+        self.suspicious_service_name(&event_id, &event_data);
    }

-    fn new_service_created(&mut self, event_id: &String) {
+    fn new_service_created(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
        if event_id != "7045" {
-            return
+            return;
+        }
+
+        let servicename = &event_data["ServiceName"];
+        let commandline = &event_data["ImagePath"];
+        let text = utils::check_regex(&servicename, 1);
+        if !text.is_empty() {
+            println!("Message : New Service Created");
+            println!("Command : {}", commandline);
+            println!("Results : Service name: {}", servicename);
+            println!("Results : {}", text);
+        }
+        if !commandline.is_empty() {
+            utils::check_command(7045, &commandline, 1000, 0, &servicename, &"");
        }
    }

-    fn interactive_service_warning(&mut self, event_id: &String) {
+    fn interactive_service_warning(
+        &mut self,
+        event_id: &String,
+        event_data: &HashMap<String, String>,
+    ) {
        if event_id != "7030" {
-            return
+            return;
        }
+
+        let servicename = &event_data["param1"];
+        println!("Message : Interactive service warning");
+        println!("Results : Service name: {}", servicename);
+        println!("Results : Malware (and some third party software) trigger this warning");
+        println!("{}", utils::check_regex(&servicename, 1));
    }

-    fn suspicious_service_name(&mut self, event_id: &String) {
+    fn suspicious_service_name(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
        if event_id != "7036" {
-            return
+            return;
+        }
+
+        let servicename = &event_data["param1"];
+        let text = utils::check_regex(&servicename, 1);
+        if !text.is_empty() {
+            println!("Message : Suspicious Service Name");
+            println!("Results : Service name: {}", servicename);
+            println!("Results : {}", text);
        }
    }

    fn system_log_clear(&mut self, event_id: &String) {
        if event_id != "104" {
-            return
+            return;
        }

        println!("Message : System Log Clear");
        println!("Results : The System log was cleared.");
    }

-    fn windows_event_log(&mut self, event_id: &String, event_data: HashMap<String, String>) {
+    fn windows_event_log(&mut self, event_id: &String, event_data: &HashMap<String, String>) {
        if event_id != "7040" {
-            return
+            return;
        }

        if let Some(_param1) = event_data.get("param1") {
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -51,9 +51,9 @@ pub fn check_command(
        .unwrap()
        .is_match(commandline)
    {
-        let re = Regex::new(r"^^.*:FromBase64String\(\'*").unwrap();
+        let re = Regex::new(r"^.*:FromBase64String\('*").unwrap();
        base64.push_str(&re.replace_all(commandline, ""));
-        let re = Regex::new(r"\'.*$").unwrap();
+        let re = Regex::new(r"'.*$").unwrap();
        base64.push_str(&re.replace_all(&base64.to_string(), ""));
    }
    if !base64.is_empty() {
@@ -61,12 +61,16 @@ pub fn check_command(
            .unwrap()
            .is_match(commandline)
        {
-            let decoded = base64::decode(base64).unwrap();
+            /*
+            if let decoded = base64::decode(&base64) {
            let mut d = GzDecoder::new(decoded.as_slice());
            let mut uncompressed = String::new();
            d.read_to_string(&mut uncompressed).unwrap();
            println!("Decoded : {}", uncompressed);
            text.push_str("Base64-encoded and compressed function\n");
+
+            }
+            */
        } else {
            let decoded = base64::decode(base64).unwrap();
            println!("Decoded : {}", str::from_utf8(decoded.as_slice()).unwrap());
@@ -76,6 +80,7 @@ pub fn check_command(
        }
    }
    if !text.is_empty() {
+        println!("EventID : {}", event_id);
        if servicecmd != 0 {
            println!("Message : Suspicious Service Command");
            println!("Results : Service name: {}\n", servicename);
@@ -84,7 +89,6 @@ pub fn check_command(
        }
        println!("command : {}", commandline);
        println!("result : {}", text);
-        println!("EventID : {}", event_id);
    }
 }

@@ -126,7 +130,7 @@ fn check_obfu(string: &str) -> std::string::String {
    return obfutext;
 }

-fn check_regex(string: &str, r#type: usize) -> std::string::String {
+pub fn check_regex(string: &str, r#type: usize) -> std::string::String {
    let empty = "".to_string();
    let mut regextext = "".to_string();
    for line in configs::singleton().regex {