From 6fc709c2b417af35bc872e55611d41068ae2e57c Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 09:59:08 +0900 Subject: [PATCH 1/6] =?UTF-8?q?Toml=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF?= =?UTF-8?q?=E6=A9=9F=E8=83=BD=E5=AE=9F=E8=A3=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Cargo.lock | 11 +++++++ Cargo.toml | 4 ++- rules/test.toml | 2 ++ src/lib.rs | 1 + src/main.rs | 2 ++ src/models/mod.rs | 1 + src/models/rule.rs | 14 +++++++++ src/toml.rs | 76 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 rules/test.toml create mode 100644 src/models/rule.rs create mode 100644 src/toml.rs diff --git a/Cargo.lock b/Cargo.lock index 6b63ca2e..ab932e6f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1071,6 +1071,15 @@ dependencies = [ "winapi", ] +[[package]] +name = "toml" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a" +dependencies = [ + "serde", +] + [[package]] name = "unicode-width" version = "0.1.8" @@ -1185,5 +1194,7 @@ dependencies = [ "quick-xml 0.17.2", "regex", "serde", + "serde_derive", "serde_json", + "toml", ] diff --git a/Cargo.toml b/Cargo.toml index 863e7911..b28772bf 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" } quick-xml = {version = "0.17", features = ["serialize"] } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0"} +serde_derive = "1.0" clap = "*" regex = "1" csv = "1.1" base64 = "*" -flate2 = "1.0" \ No newline at end of file +flate2 = "1.0" +toml = "0.5" diff --git a/rules/test.toml b/rules/test.toml new file mode 100644 index 00000000..08260f64 --- /dev/null +++ b/rules/test.toml @@ -0,0 +1,2 @@ +[rule] +severity = "high" diff --git a/src/lib.rs b/src/lib.rs index 2579ad53..3c230589 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,2 +1,3 @@ pub mod detections; pub mod models; +pub mod toml; \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index e099bf0a..6aa1b3fd 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,7 @@ use evtx::EvtxParser; use quick_xml::de::DeError; use std::{path::PathBuf, process}; use yamato_event_analyzer::detections::detection; +use yamato_event_analyzer::toml; fn build_app() -> clap::App<'static, 'static> { let program = std::env::args() @@ -58,3 +59,4 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } + diff --git a/src/models/mod.rs b/src/models/mod.rs index 53f11265..e8d63f0a 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1 +1,2 @@ pub mod event; +pub mod rule; \ No newline at end of file diff --git a/src/models/rule.rs b/src/models/rule.rs new file mode 100644 index 00000000..6efd403c --- /dev/null +++ b/src/models/rule.rs @@ -0,0 +1,14 @@ +extern crate serde; +use serde::Deserialize; + +#[derive(Debug, Deserialize)] +pub struct Rule { + pub severity: Option, + +} + +#[derive(Debug, Deserialize)] +pub struct Toml { + pub rule: Rule, + +} diff --git a/src/toml.rs b/src/toml.rs new file mode 100644 index 00000000..484e3abd --- /dev/null +++ b/src/toml.rs @@ -0,0 +1,76 @@ +extern crate serde_derive; +extern crate toml; + +use std::fs; +use std::io; +use std::io::{BufReader, Read}; +use std::path::{Path, PathBuf}; +use crate::models::rule; + + +pub struct ParseToml { + pub rules: Vec>, +} + +impl ParseToml { + + pub fn new() -> ParseToml { + ParseToml { + rules: Vec::new(), + } + } + + fn read_file(&self, path: PathBuf) -> Result { + let mut file_content = String::new(); + + let mut fr = fs::File::open(path) + .map(|f| BufReader::new(f)) + .map_err(|e| e.to_string())?; + + fr.read_to_string(&mut file_content) + .map_err(|e| e.to_string())?; + + Ok(file_content) + } + + fn read_dir>(&mut self, path: P) -> io::Result { + Ok(fs::read_dir(path)? + .filter_map(|entry| { + let entry = entry.ok()?; + if entry.file_type().ok()?.is_file() { + match self.read_file(entry.path()) { + Ok(s) => &self.rules.push(toml::from_str(&s)), + Err(e) => panic!("fail to read file: {}", e), + }; + } + Some("") + }) + .collect()) + } + +} + +#[cfg(test)] +mod tests { + + use crate::toml; + + #[test] + fn test_read_toml() { + let mut toml = toml::ParseToml::new(); + &toml.read_dir("rules".to_string()); + + for rule in toml.rules { + match rule { + Ok(_rule) => { + if let Some(severity) = _rule.rule.severity { + assert_eq!("high", severity); + } + }, + Err(_) => (), + } + } + + } +} + From f2f3a7e99a2a32506d70567c2d3884caee5f6e5c Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 09:59:08 +0900 Subject: [PATCH 2/6] =?UTF-8?q?Toml=E8=AA=AD=E3=81=BF=E8=BE=BC=E3=81=BF?= =?UTF-8?q?=E6=A9=9F=E8=83=BD=E5=AE=9F=E8=A3=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Cargo.lock | 11 +++++++ Cargo.toml | 4 ++- rules/test.toml | 2 ++ src/lib.rs | 1 + src/main.rs | 2 ++ src/models/mod.rs | 1 + src/models/rule.rs | 14 +++++++++ src/toml.rs | 76 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 rules/test.toml create mode 100644 src/models/rule.rs create mode 100644 src/toml.rs diff --git a/Cargo.lock b/Cargo.lock index 6b63ca2e..ab932e6f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1071,6 +1071,15 @@ dependencies = [ "winapi", ] +[[package]] +name = "toml" +version = "0.5.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a" +dependencies = [ + "serde", +] + [[package]] name = "unicode-width" version = "0.1.8" @@ -1185,5 +1194,7 @@ dependencies = [ "quick-xml 0.17.2", "regex", "serde", + "serde_derive", "serde_json", + "toml", ] diff --git a/Cargo.toml b/Cargo.toml index 863e7911..b28772bf 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -11,8 +11,10 @@ evtx = { git = "https://github.com/omerbenamram/evtx.git" } quick-xml = {version = "0.17", features = ["serialize"] } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0"} +serde_derive = "1.0" clap = "*" regex = "1" csv = "1.1" base64 = "*" -flate2 = "1.0" \ No newline at end of file +flate2 = "1.0" +toml = "0.5" diff --git a/rules/test.toml b/rules/test.toml new file mode 100644 index 00000000..08260f64 --- /dev/null +++ b/rules/test.toml @@ -0,0 +1,2 @@ +[rule] +severity = "high" diff --git a/src/lib.rs b/src/lib.rs index 2579ad53..3c230589 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,2 +1,3 @@ pub mod detections; pub mod models; +pub mod toml; \ No newline at end of file diff --git a/src/main.rs b/src/main.rs index e099bf0a..6aa1b3fd 100644 --- a/src/main.rs +++ b/src/main.rs @@ -6,6 +6,7 @@ use evtx::EvtxParser; use quick_xml::de::DeError; use std::{path::PathBuf, process}; use yamato_event_analyzer::detections::detection; +use yamato_event_analyzer::toml; fn build_app() -> clap::App<'static, 'static> { let program = std::env::args() @@ -58,3 +59,4 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } + diff --git a/src/models/mod.rs b/src/models/mod.rs index 53f11265..e8d63f0a 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1 +1,2 @@ pub mod event; +pub mod rule; \ No newline at end of file diff --git a/src/models/rule.rs b/src/models/rule.rs new file mode 100644 index 00000000..6efd403c --- /dev/null +++ b/src/models/rule.rs @@ -0,0 +1,14 @@ +extern crate serde; +use serde::Deserialize; + +#[derive(Debug, Deserialize)] +pub struct Rule { + pub severity: Option, + +} + +#[derive(Debug, Deserialize)] +pub struct Toml { + pub rule: Rule, + +} diff --git a/src/toml.rs b/src/toml.rs new file mode 100644 index 00000000..484e3abd --- /dev/null +++ b/src/toml.rs @@ -0,0 +1,76 @@ +extern crate serde_derive; +extern crate toml; + +use std::fs; +use std::io; +use std::io::{BufReader, Read}; +use std::path::{Path, PathBuf}; +use crate::models::rule; + + +pub struct ParseToml { + pub rules: Vec>, +} + +impl ParseToml { + + pub fn new() -> ParseToml { + ParseToml { + rules: Vec::new(), + } + } + + fn read_file(&self, path: PathBuf) -> Result { + let mut file_content = String::new(); + + let mut fr = fs::File::open(path) + .map(|f| BufReader::new(f)) + .map_err(|e| e.to_string())?; + + fr.read_to_string(&mut file_content) + .map_err(|e| e.to_string())?; + + Ok(file_content) + } + + fn read_dir>(&mut self, path: P) -> io::Result { + Ok(fs::read_dir(path)? + .filter_map(|entry| { + let entry = entry.ok()?; + if entry.file_type().ok()?.is_file() { + match self.read_file(entry.path()) { + Ok(s) => &self.rules.push(toml::from_str(&s)), + Err(e) => panic!("fail to read file: {}", e), + }; + } + Some("") + }) + .collect()) + } + +} + +#[cfg(test)] +mod tests { + + use crate::toml; + + #[test] + fn test_read_toml() { + let mut toml = toml::ParseToml::new(); + &toml.read_dir("rules".to_string()); + + for rule in toml.rules { + match rule { + Ok(_rule) => { + if let Some(severity) = _rule.rule.severity { + assert_eq!("high", severity); + } + }, + Err(_) => (), + } + } + + } +} + From a8536d78a0bfd83a3b063a220011f070aa255a81 Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 11:12:32 +0900 Subject: [PATCH 3/6] =?UTF-8?q?=E3=83=86=E3=82=B9=E3=83=88=E3=83=95?= =?UTF-8?q?=E3=82=A1=E3=82=A4=E3=83=AB=E3=83=87=E3=82=A3=E3=83=AC=E3=82=AF?= =?UTF-8?q?=E3=83=88=E3=83=AA=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/models/rule.rs | 2 +- src/toml.rs | 3 ++- {rules => test_files/rules}/test.toml | 0 test_files/rules/test2.toml | 3 +++ 4 files changed, 6 insertions(+), 2 deletions(-) rename {rules => test_files/rules}/test.toml (100%) create mode 100644 test_files/rules/test2.toml diff --git a/src/models/rule.rs b/src/models/rule.rs index 6efd403c..bff8bdc1 100644 --- a/src/models/rule.rs +++ b/src/models/rule.rs @@ -4,7 +4,7 @@ use serde::Deserialize; #[derive(Debug, Deserialize)] pub struct Rule { pub severity: Option, - + pub name: Option, } #[derive(Debug, Deserialize)] diff --git a/src/toml.rs b/src/toml.rs index 484e3abd..b7131b35 100644 --- a/src/toml.rs +++ b/src/toml.rs @@ -58,11 +58,12 @@ mod tests { #[test] fn test_read_toml() { let mut toml = toml::ParseToml::new(); - &toml.read_dir("rules".to_string()); + &toml.read_dir("test_files/rules".to_string()); for rule in toml.rules { match rule { Ok(_rule) => { + println!("{:?}", _rule); if let Some(severity) = _rule.rule.severity { assert_eq!("high", severity); } diff --git a/rules/test.toml b/test_files/rules/test.toml similarity index 100% rename from rules/test.toml rename to test_files/rules/test.toml diff --git a/test_files/rules/test2.toml b/test_files/rules/test2.toml new file mode 100644 index 00000000..9cebf717 --- /dev/null +++ b/test_files/rules/test2.toml @@ -0,0 +1,3 @@ +[rule] +severity = "high" +name = "test2" From 03be1dad34e885168ad57a1af03f642c0ae4c153 Mon Sep 17 00:00:00 2001 From: akiranishikawa Date: Sat, 10 Oct 2020 11:14:39 +0900 Subject: [PATCH 4/6] cargo fmt --all --- src/detections/security.rs | 192 +++++++++++++++++++++++++------------ src/lib.rs | 2 +- src/main.rs | 1 - src/models/mod.rs | 2 +- src/models/rule.rs | 1 - src/toml.rs | 13 +-- 6 files changed, 136 insertions(+), 75 deletions(-) diff --git a/src/detections/security.rs b/src/detections/security.rs index 97a30ce5..7818e7c2 100644 --- a/src/detections/security.rs +++ b/src/detections/security.rs @@ -261,7 +261,10 @@ impl Security { } msges.push("Sensititive Privilege Use Exceeds Threshold".to_string()); - msges.push("Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made".to_string()); + msges.push( + "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made" + .to_string(), + ); let username = event_data.get("SubjectUserName").unwrap_or(&self.empty_str); msges.push(format!("Username: {}", username)); @@ -335,7 +338,9 @@ impl Security { // let v_username = Vec::new(); let mut v_username = Vec::new(); - self.passspray_2_user.keys().for_each(|u| v_username.push(u)); + self.passspray_2_user + .keys() + .for_each(|u| v_username.push(u)); v_username.sort(); let usernames: String = v_username.iter().fold( self.empty_str.to_string(), @@ -665,7 +670,8 @@ mod tests { // eventidが異なりヒットしないパターン #[test] fn test_add_member_security_group_noteq_eventid() { - let xml_str = get_add_member_security_group_xml().replace(r"4732", r"4757"); + let xml_str = get_add_member_security_group_xml() + .replace(r"4732", r"4757"); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -683,7 +689,10 @@ mod tests { // グループがAdministratorsじゃなくてHitしないパターン #[test] fn test_add_member_security_not_administrators() { - let xml_str = get_add_member_security_group_xml().replace(r"Administrators", r"local"); + let xml_str = get_add_member_security_group_xml().replace( + r"Administrators", + r"local", + ); let event: event::Evtx = quick_xml::de::from_str(&xml_str) .map_err(|e| { println!("{}", e.to_string()); @@ -746,10 +755,7 @@ mod tests { &"Username: ".to_string(), ite.next().unwrap_or(&"".to_string()) ); - assert_eq!( - &"User SID: ", - ite.next().unwrap_or(&"".to_string()) - ); + assert_eq!(&"User SID: ", ite.next().unwrap_or(&"".to_string())); assert_eq!(Option::None, ite.next()); } @@ -795,10 +801,10 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - + sec.max_failed_logons = 5; - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event.system.event_id.to_string(), &event.parse_event_data(), @@ -813,9 +819,13 @@ mod tests { fn test_failed_logon_hit() { let xml_str = get_failed_logon_xml(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"Administrator", r"localuser")).unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"Administrator", + r"localuser", + )) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -825,13 +835,13 @@ mod tests { ); assert_eq!(1, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); - let fail_cnt = i +1; + let fail_cnt = i + 1; assert_eq!(fail_cnt, sec.total_failed_logons); if fail_cnt > 5 { let v = sec.disp_login_failed().unwrap(); @@ -848,7 +858,7 @@ mod tests { &format!("Total logon failures: {}", fail_cnt), ite.next().unwrap_or(&"".to_string()) ); - // assert_eq!(Option::None, ite.next()); + // assert_eq!(Option::None, ite.next()); } else { assert_eq!(Option::None, sec.disp_login_failed()); } @@ -870,14 +880,25 @@ mod tests { ); } - // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 - #[test] - fn test_failed_logon_noteq_eventid() { + // 失敗回数を増やしていき、境界値でメッセージが表示されることのテスト。 + #[test] + fn test_failed_logon_noteq_eventid() { let xml_str = get_failed_logon_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626")).unwrap(); - let event_another: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4625",r"4626").replace(r"Administrator", r"localuser")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4625", r"4626"), + ) + .unwrap(); + let event_another: event::Evtx = quick_xml::de::from_str( + &xml_str + .replace(r"4625", r"4626") + .replace( + r"Administrator", + r"localuser", + ), + ) + .unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_failed_logons = 5; // メッセージが表示されるには2ユーザー以上失敗している必要がある。まず一人目 @@ -887,16 +908,16 @@ mod tests { ); assert_eq!(0, sec.total_failed_logons); - let ite = [1,2,3,4,5,6,7].iter(); - ite.for_each(|_i|{ + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); + ite.for_each(|_i| { sec.failed_logon( &event_another.system.event_id.to_string(), &event_another.parse_event_data(), ); assert_eq!(0, sec.total_failed_logons); assert_eq!(Option::None, sec.disp_login_failed()); - }); - } + }); + } fn get_failed_logon_xml() -> String { return r#" @@ -940,7 +961,8 @@ mod tests { 192.168.198.149 33083 - "#.to_string(); + "# + .to_string(); } // Hitするパターンとしないパターンをまとめてテスト @@ -949,10 +971,10 @@ mod tests { let xml_str = get_sensitive_prividedge_hit(); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|i| { let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); // i == 7ときにHitしない @@ -984,15 +1006,19 @@ mod tests { // eventidが異なるので、Hitしないテスト #[test] fn test_sensitive_priviledge_noteq_eventid() { - let xml_str = get_sensitive_prividedge_hit().replace(r"4673", r"4674"); + let xml_str = get_sensitive_prividedge_hit() + .replace(r"4673", r"4674"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); - let mut sec = security::Security::new(); + let mut sec = security::Security::new(); sec.max_total_sensitive_privuse = 6; - let ite = [1,2,3,4,5,6,7].iter(); + let ite = [1, 2, 3, 4, 5, 6, 7].iter(); ite.for_each(|_i| { - let msg = sec.sensitive_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); + let msg = sec.sensitive_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); assert_eq!(Option::None, msg); }); } @@ -1037,16 +1063,31 @@ mod tests { let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Possible Hidden Service Attempt".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Possible Hidden Service Attempt".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(&"User requested to modify the Dynamic Access Control (DAC) permissions of a sevice, possibly to hide it from view".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"User: Sec504".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Target service: nginx".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"WRITE_DAC".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"User: Sec504".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Target service: nginx".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"WRITE_DAC".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } @@ -1054,11 +1095,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_accessmask() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"%%1539",r"%%1538")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"%%1539", + r"%%1538", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1066,11 +1114,18 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_service() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"C:\Windows\System32\services.exe",r"C:\Windows\System32\lsass.exe")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace( + r"C:\Windows\System32\services.exe", + r"C:\Windows\System32\lsass.exe", + )) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1078,11 +1133,17 @@ mod tests { #[test] fn test_attempt_priviledge_noteq_eventid() { let xml_str = get_attempt_priviledge_xml(); - let event: event::Evtx = quick_xml::de::from_str(&xml_str.replace(r"4674",r"4675")).unwrap(); + let event: event::Evtx = quick_xml::de::from_str( + &xml_str.replace(r"4674", r"4675"), + ) + .unwrap(); let mut sec = security::Security::new(); - let msg = sec.attempt_priviledge(&event.system.event_id.to_string(), &event.parse_event_data()); - + let msg = sec.attempt_priviledge( + &event.system.event_id.to_string(), + &event.parse_event_data(), + ); + assert_eq!(Option::None, msg); } @@ -1130,12 +1191,11 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4648".to_string(), true); + test_pass_spray_hit_1cycle(&mut sec, "4648".to_string(), true); } - // eventid異なるので、Hitしないはず #[test] fn test_pass_spray_noteq_eventid() { @@ -1144,12 +1204,12 @@ mod tests { sec.max_passspray_login = 6; sec.max_passspray_uniquser = 6; - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); // counterがreset確認のため、2回実行 - test_pass_spray_hit_1cycle(&mut sec,"4649".to_string(), false); + test_pass_spray_hit_1cycle(&mut sec, "4649".to_string(), false); } - fn test_pass_spray_hit_1cycle( sec: &mut security::Security, event_id:String, is_eq:bool ) { + fn test_pass_spray_hit_1cycle(sec: &mut security::Security, event_id: String, is_eq: bool) { [1,2,3,4,5,6,7].iter().for_each(|i| { let rep_str = format!(r#"smisenar{}"#,i); let event_id_tag = format!("{}", event_id); @@ -1173,7 +1233,7 @@ mod tests { }); }); } - + fn get_passs_pray_hit() -> String { return r#" @@ -1224,22 +1284,32 @@ mod tests { assert_ne!(Option::None, msg); let v = msg.unwrap(); let mut ite = v.iter(); - assert_eq!(&"Audit Log Clear".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"The Audit log was cleared".to_string(), ite.next().unwrap_or(&"".to_string())); - assert_eq!(&"Security ID: jwrig".to_string(), ite.next().unwrap_or(&"".to_string())); + assert_eq!( + &"Audit Log Clear".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"The Audit log was cleared".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); + assert_eq!( + &"Security ID: jwrig".to_string(), + ite.next().unwrap_or(&"".to_string()) + ); assert_eq!(Option::None, ite.next()); } // eventid違うのでHitしないはず #[test] fn test_audit_log_cleared_noteq_eventid() { - let xml_str = get_audit_log_cleared_xml().replace(r"1102", r"1103"); + let xml_str = get_audit_log_cleared_xml() + .replace(r"1102", r"1103"); let event: event::Evtx = quick_xml::de::from_str(&xml_str).unwrap(); let mut sec = security::Security::new(); let msg = sec.audit_log_cleared(&event.system.event_id.to_string(), &event.user_data); assert_eq!(Option::None, msg); - } + } fn get_audit_log_cleared_xml() -> String { return r#" diff --git a/src/lib.rs b/src/lib.rs index 3c230589..72434c62 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,3 +1,3 @@ pub mod detections; pub mod models; -pub mod toml; \ No newline at end of file +pub mod toml; diff --git a/src/main.rs b/src/main.rs index 6aa1b3fd..96239b23 100644 --- a/src/main.rs +++ b/src/main.rs @@ -59,4 +59,3 @@ fn parse_file(filepath: &str) { let mut detection = detection::Detection::new(); &detection.start(parser); } - diff --git a/src/models/mod.rs b/src/models/mod.rs index e8d63f0a..ee089cbc 100644 --- a/src/models/mod.rs +++ b/src/models/mod.rs @@ -1,2 +1,2 @@ pub mod event; -pub mod rule; \ No newline at end of file +pub mod rule; diff --git a/src/models/rule.rs b/src/models/rule.rs index bff8bdc1..550bdc65 100644 --- a/src/models/rule.rs +++ b/src/models/rule.rs @@ -10,5 +10,4 @@ pub struct Rule { #[derive(Debug, Deserialize)] pub struct Toml { pub rule: Rule, - } diff --git a/src/toml.rs b/src/toml.rs index b7131b35..04211623 100644 --- a/src/toml.rs +++ b/src/toml.rs @@ -1,23 +1,19 @@ extern crate serde_derive; extern crate toml; +use crate::models::rule; use std::fs; use std::io; use std::io::{BufReader, Read}; use std::path::{Path, PathBuf}; -use crate::models::rule; - pub struct ParseToml { pub rules: Vec>, } impl ParseToml { - pub fn new() -> ParseToml { - ParseToml { - rules: Vec::new(), - } + ParseToml { rules: Vec::new() } } fn read_file(&self, path: PathBuf) -> Result { @@ -47,7 +43,6 @@ impl ParseToml { }) .collect()) } - } #[cfg(test)] @@ -67,11 +62,9 @@ mod tests { if let Some(severity) = _rule.rule.severity { assert_eq!("high", severity); } - }, + } Err(_) => (), } } - } } - From 261676574a4e31e0759ac7538c140f9fe83d2209 Mon Sep 17 00:00:00 2001 From: ichiichi11 Date: Sun, 11 Oct 2020 23:40:08 +0900 Subject: [PATCH 5/6] create configs --- src/detections/configs.rs | 50 +++++++++++++++++++++++ src/detections/detection.rs | 10 +---- src/detections/mod.rs | 1 + src/detections/powershell.rs | 21 +++------- src/detections/utils.rs | 79 +++++++++++++++++------------------- 5 files changed, 95 insertions(+), 66 deletions(-) create mode 100644 src/detections/configs.rs diff --git a/src/detections/configs.rs b/src/detections/configs.rs new file mode 100644 index 00000000..82c273de --- /dev/null +++ b/src/detections/configs.rs @@ -0,0 +1,50 @@ +use std::fs::File; +use std::io::prelude::*; +use std::sync::Once; + +#[derive(Clone)] +pub struct SingletonReader { + pub regex: Vec>, + pub whitelist: Vec>, +} + +pub fn get_instance() -> Box { + static mut SINGLETON: Option> = Option::None; + static ONCE: Once = Once::new(); + + unsafe { + ONCE.call_once(|| { + let singleton = SingletonReader { + regex: read_csv("regexes.txt"), + whitelist: read_csv("whitelist.txt"), + }; + + SINGLETON = Some(Box::new(singleton)); + }); + + return SINGLETON.clone().unwrap(); + } +} + +fn read_csv(filename: &str) -> Vec> { + let mut f = File::open(filename).expect("file not found!!!"); + let mut contents: String = String::new(); + let mut ret = vec![]; + if f.read_to_string(&mut contents).is_err() { + return ret; + } + + let mut rdr = csv::Reader::from_reader(contents.as_bytes()); + rdr.records().for_each(|r| { + if r.is_err() { + return; + } + + let line = r.unwrap(); + let mut v = vec![]; + line.iter().for_each(|s| v.push(s.to_string())); + ret.push(v); + }); + + return ret; +} diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 90d9cc25..fbb6e111 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -11,8 +11,6 @@ use crate::models::event; use evtx::EvtxParser; use quick_xml::de::DeError; use std::collections::BTreeMap; -use std::fs::File; -use std::io::prelude::*; #[derive(Debug)] pub struct Detection { @@ -34,12 +32,6 @@ impl Detection { let mut sysmon = sysmon::Sysmon::new(); let mut powershell = powershell::PowerShell::new(); - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - let _ = f.read_to_string(&mut contents); - - let mut rdr = csv::Reader::from_reader(contents.as_bytes()); - for record in parser.records() { match record { Ok(r) => { @@ -57,7 +49,7 @@ impl Detection { } else if channel == "Application" { &application.detection(event_id, &event.system, event_data); } else if channel == "Microsoft-Windows-PowerShell/Operational" { - &powershell.detection(event_id, &event.system, event_data, &mut rdr); + &powershell.detection(event_id, &event.system, event_data); } else if channel == "Microsoft-Windows-Sysmon/Operational" { &sysmon.detection(event_id, &event.system, event_data); } else { diff --git a/src/detections/mod.rs b/src/detections/mod.rs index d2012ac3..11454f71 100644 --- a/src/detections/mod.rs +++ b/src/detections/mod.rs @@ -1,5 +1,6 @@ mod application; mod common; +mod configs; pub mod detection; mod powershell; mod security; diff --git a/src/detections/powershell.rs b/src/detections/powershell.rs index df9edf53..50bee2f3 100644 --- a/src/detections/powershell.rs +++ b/src/detections/powershell.rs @@ -16,20 +16,15 @@ impl PowerShell { event_id: String, _system: &event::System, event_data: HashMap, - rdr: &mut csv::Reader<&[u8]>, ) { if event_id == "4103" { - &self.execute_pipeline(&event_data, rdr); + &self.execute_pipeline(&event_data); } else if event_id == "4104" { - &self.execute_remote_command(&event_data, rdr); + &self.execute_remote_command(&event_data); } } - fn execute_pipeline( - &mut self, - event_data: &HashMap, - rdr: &mut csv::Reader<&[u8]>, - ) { + fn execute_pipeline(&mut self, event_data: &HashMap) { // パイプライン実行をしています let default = String::from(""); let commandline = event_data.get("ContextInfo").unwrap_or(&default); @@ -45,23 +40,19 @@ impl PowerShell { let command = rm_after.replace_all(&temp_command_with_extra, ""); if command != "" { - utils::check_command(4103, &command, 1000, 0, &default, &default, rdr); + utils::check_command(4103, &command, 1000, 0, &default, &default); } } } - fn execute_remote_command( - &mut self, - event_data: &HashMap, - rdr: &mut csv::Reader<&[u8]>, - ) { + fn execute_remote_command(&mut self, event_data: &HashMap) { // リモートコマンドを実行します let default = String::from(""); let message_num = event_data.get("MessageNumber"); let commandline = event_data.get("ScriptBlockText").unwrap_or(&default); if let Some(_) = message_num { - utils::check_command(4104, &commandline, 1000, 0, &default, &default, rdr); + utils::check_command(4104, &commandline, 1000, 0, &default, &default); } } } diff --git a/src/detections/utils.rs b/src/detections/utils.rs index ba9aaf39..daf68bbb 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -2,9 +2,9 @@ extern crate base64; extern crate csv; extern crate regex; +use crate::detections::configs; use flate2::read::GzDecoder; use regex::Regex; -use std::fs::File; use std::io::prelude::*; use std::str; use std::string::String; @@ -16,20 +16,23 @@ pub fn check_command( servicecmd: usize, servicename: &str, creator: &str, - rdr: &mut csv::Reader<&[u8]>, ) { let mut text = "".to_string(); let mut base64 = "".to_string(); - for entry in rdr.records() { - if let Ok(_data) = entry { - if let Ok(_re) = Regex::new(&_data[0]) { - if _re.is_match(commandline) { - return; - } - } + let empty = "".to_string(); + for line in configs::get_instance().whitelist { + let r_str = line.get(0).unwrap_or(&empty); + if r_str.is_empty() { + continue; + } + + let r = Regex::new(r_str); + if r.is_ok() && r.unwrap().is_match(commandline) { + return; } } + if commandline.len() > minlength { text.push_str("Long Command Line: greater than "); text.push_str(&minlength.to_string()); @@ -146,33 +149,33 @@ fn check_obfu(string: &str) -> std::string::String { } fn check_regex(string: &str, r#type: usize) -> std::string::String { - let mut f = File::open("regexes.txt").expect("file not found"); - let mut contents = String::new(); - let ret = f.read_to_string(&mut contents); - if let Err(_) = ret { - return "".to_string(); - } - - let mut rdr = csv::Reader::from_reader(contents.as_bytes()); - + let empty = "".to_string(); let mut regextext = "".to_string(); - for regex in rdr.records() { - if let Ok(_data) = regex { - /* - data[0] is type in csv. - data[1] is regex in csv. - data[2] is string in csv. - */ - if &_data[0] == r#type.to_string() { - if let Ok(_re) = Regex::new(&_data[1]) { - if _re.is_match(string) { - regextext.push_str(&_data[2]); - regextext.push_str("\n"); - } - } - } + for line in configs::get_instance().regex { + let type_str = line.get(0).unwrap_or(&empty); + if type_str != &r#type.to_string() { + continue; } + + let regex_str = line.get(1).unwrap_or(&empty); + if regex_str.is_empty() { + continue; + } + + let re = Regex::new(regex_str); + if re.is_err() || re.unwrap().is_match(string) == false { + continue; + } + + let text = line.get(2).unwrap_or(&empty); + if text.is_empty() { + continue; + } + + regextext.push_str(text); + regextext.push_str("\n"); } + return regextext; } @@ -197,8 +200,6 @@ fn check_creator(command: &str, creator: &str) -> std::string::String { #[cfg(test)] mod tests { use crate::detections::utils; - use std::fs::File; - use std::io::Read; #[test] fn test_check_regex() { let regextext = utils::check_regex("\\cvtres.exe", 0); @@ -221,12 +222,7 @@ mod tests { #[test] fn test_check_command() { - let mut f = File::open("whitelist.txt").expect("file not found"); - let mut contents = String::new(); - f.read_to_string(&mut contents); - - let mut rdr = csv::Reader::from_reader(contents.as_bytes()); - utils::check_command(1, "dir", 100, 100, "dir", "dir", &mut rdr); + utils::check_command(1, "dir", 100, 100, "dir", "dir"); //test return with whitelist. utils::check_command( @@ -236,7 +232,6 @@ mod tests { 100, "dir", "dir", - &mut rdr, ); } } From 03a4e973c59420786798c007d3be25cb7292c053 Mon Sep 17 00:00:00 2001 From: ichiichi11 Date: Mon, 12 Oct 2020 16:12:55 +0900 Subject: [PATCH 6/6] refactoring: change function name --- src/detections/configs.rs | 2 +- src/detections/utils.rs | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/detections/configs.rs b/src/detections/configs.rs index 82c273de..1862e2d4 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -8,7 +8,7 @@ pub struct SingletonReader { pub whitelist: Vec>, } -pub fn get_instance() -> Box { +pub fn singleton() -> Box { static mut SINGLETON: Option> = Option::None; static ONCE: Once = Once::new(); diff --git a/src/detections/utils.rs b/src/detections/utils.rs index daf68bbb..ef888f52 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -21,7 +21,7 @@ pub fn check_command( let mut base64 = "".to_string(); let empty = "".to_string(); - for line in configs::get_instance().whitelist { + for line in configs::singleton().whitelist { let r_str = line.get(0).unwrap_or(&empty); if r_str.is_empty() { continue; @@ -151,7 +151,7 @@ fn check_obfu(string: &str) -> std::string::String { fn check_regex(string: &str, r#type: usize) -> std::string::String { let empty = "".to_string(); let mut regextext = "".to_string(); - for line in configs::get_instance().regex { + for line in configs::singleton().regex { let type_str = line.get(0).unwrap_or(&empty); if type_str != &r#type.to_string() { continue;