Feature/pass spray #29 (#37)

* edit credit * edit credit * add help * remove warning * fix typo * add config file * add config file * High number of logon failures for one account * completed * cargo fmt --all * fix * merge
Yamato-Security · Jul 20, 2021 · 29cdae6 · 29cdae6
1 parent 83e6d35
commit 29cdae6
Show file tree

Hide file tree

Showing 14 changed files with 588 additions and 54 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -18,6 +18,7 @@ csv = "1.1"
 base64 = "*"
 flate2 = "1.0"
 lazy_static = "1.4.0"
+yaml-rust = "0.4.5"
 
 [target.x86_64-pc-windows-gnu]
 linker = "x86_64-w64-mingw32-gcc"

diff --git a/config.yml b/config.yml
@@ -0,0 +1,22 @@
+{
+    # Minimum length of command line to alert
+    "minlength": 1000,
+    # Set to 1 to alert every admin logon (set to 0 disable this)
+    "alert_all_admin": 0,
+    # Set to 1 to show total admin logon (set to 0 disable this)
+    "show_total_admin_logons": 0,
+    # if failed logon count exceed this value, Rusty Blue show message, "High number of total logon failures for multiple accounts".
+    "max_total_failed_logons": 5,
+    # if failed logon count for specified user exceed this value, Rusty Blue show message, "High number of logon failures for one account".
+    "max_failed_logons": 5,
+    # if logon count by specified user exceed this value, Rusty Blue count the user as passspray uniqe user. 
+    "max_passspray_login": 6,
+    # if passspray uniq user count exceed this value, Rusty Blue show message, "Sensitive Privilege Use Exceeds Threshold".
+    "max_passspray_uniquser": 6,
+    # if Sensitive Privilege Use count exceed this value, Rusty Blue show message "Sensitive Privilege Use Exceeds Threshold".
+    "max_total_sensitive_privuse": 4,
+    # if rate of non-ascii data exceed this value, Rusty Blue show message Possible command obfuscation
+    "obfuscation_minpercent": 0.65,
+    # if rate of binary format data exceed this value, Rusty Blue show message Possible command obfuscation
+    "obfuscation_maxbinary": 0.50
+}
diff --git a/credits.txt b/credits.txt
@@ -6,9 +6,9 @@ hachiyone (twitter:@hach1yone) Developer
 DustInDark (Github: @hitenkoku) Developer
 garigariganzy (twitter:@garigariganzy31) Developer
 7itoh (twitter:@yNitocrypto22) Developer
-dai (twitter: @@__da13__) Developer
+dai (twitter: @__da13__) Developer
 siam(GitHun: @siamease) Developer
-mimura (twitter: @@mimura1133) Developer
+mimura (twitter: @mimura1133) Developer
 apt773 (twitter: @apt773) Rule testing and supporter
 TAKIZAWA Hiroki (twitter:@hr_zwtk) Rule testing and supporter
 su (GitHub: @su-10) supporter

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -1,10 +1,12 @@
 use crate::detections::print::MessageNotation;
+use crate::detections::yaml::ParseYaml;
 use clap::{App, AppSettings, ArgMatches};
 use lazy_static::lazy_static;
 use regex::Regex;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::prelude::*;
+use std::path::PathBuf;
 
 lazy_static! {
     pub static ref CONFIG: ConfigReader = ConfigReader::new();
@@ -28,6 +30,7 @@ pub struct ConfigReader {
     pub nobinary_regex: Regex,
     pub regexes: HashMap<String, Regex>,
     pub compress_regex: Regex,
+    pub configs: yaml_rust::Yaml,
 }
 
 impl ConfigReader {
@@ -52,6 +55,7 @@ impl ConfigReader {
             nobinary_regex: Regex::new(r"[01]").unwrap(),
             regexes: get_regexes(read_csv("regexes.txt")),
             compress_regex: Regex::new(r"Compression.GzipStream.*Decompress").unwrap(),
+            configs: load_config_file(),
         }
     }
 }
@@ -83,6 +87,18 @@ fn build_app<'a>() -> ArgMatches<'a> {
         .get_matches()
 }
 
+// config.ymlを読み込みます
+fn load_config_file() -> yaml_rust::Yaml {
+    // read file
+    let mut parser = ParseYaml::new();
+    let result = parser.read_yaml_file(PathBuf::from("./config.yml"));
+    if result.is_err() {
+        panic!("canot read config file(config.yml).");
+    }
+
+    return parser.files.into_iter().next().unwrap();
+}
+
 fn is_test_mode() -> bool {
     for i in std::env::args() {
         if i == "--test" {

diff --git a/src/detections/mod.rs b/src/detections/mod.rs
@@ -9,3 +9,4 @@ mod security;
 mod sysmon;
 mod system;
 mod utils;
+mod yaml;
diff --git a/src/detections/powershell.rs b/src/detections/powershell.rs
@@ -2,6 +2,7 @@ use crate::detections::configs;
 use crate::detections::utils;
 use crate::models::event;
 use std::collections::HashMap;
+use std::usize;
 
 pub struct PowerShell {}
 
@@ -44,7 +45,17 @@ impl PowerShell {
                 .replace_all(&temp_command_with_extra, "");
 
             if command != "" {
-                utils::check_command(4103, &command, 1000, 0, &default, &default, &system_time);
+                let configs: &yaml_rust::Yaml = &configs::CONFIG.configs;
+                let value = configs["minlength"].as_i64().unwrap_or(1000).clone();
+                utils::check_command(
+                    4103,
+                    &command,
+                    value as usize,
+                    0,
+                    &default,
+                    &default,
+                    &system_time,
+                );
             }
         }
     }
@@ -64,10 +75,13 @@ impl PowerShell {
         if path == "".to_string() {
             let commandline = event_data.get("ScriptBlockText").unwrap_or(&default);
             if commandline.to_string() != default {
+                let configs: &yaml_rust::Yaml = &configs::CONFIG.configs;
+                let value = configs["minlength"].as_i64().unwrap_or(1000).clone();
+
                 utils::check_command(
                     4104,
                     &commandline,
-                    1000,
+                    value as usize,
                     0,
                     &default,
                     &default,