private void Add_New_Rule(object sender, RoutedEventArgs e)
{
CommandArgRule rule = new CommandArgRule(RuleName.Text, ProcessName.Text, Arguement.Text);
rule.createRule();
this.Close();
}
public UpdateRule(DetectionRule input_rule)
{
rule = input_rule;
InitializeComponent();
txt_1.Text = rule.GetName();
switch (rule.GetRuleType())
{
case "ProcessSpawn":
ProcessSpawnRule procrule = (ProcessSpawnRule)rule;
Label_2.Content = "Process Name";
txt_2.Text = procrule.GetProcessName();
Label_3.Content = "Parent Processs";
txt_3.Text = procrule.GetParentProcess();
break;
case "DllLoad":
DllLoadRule dllrule = (DllLoadRule)rule;
Label_2.Content = "DLL Name";
txt_2.Text = dllrule.GetDllName();
Label_3.Content = "Allowed Processes";
txt_3.Text = dllrule.GetAllowedProcess();
break;
case "CommandLine":
CommandArgRule cmdrule = (CommandArgRule)rule;
Label_2.Content = "Process Name";
txt_2.Text = cmdrule.GetProcessName();
Label_3.Content = "Arguements";
txt_3.Text = cmdrule.GetArguement();
break;
default:
break;
}
initialvalues = new string[] { txt_1.Text, txt_2.Text, txt_3.Text };
}
public static List <DetectionRule> GetAllRules()
{
List <DetectionRule> AllRules = new List <DetectionRule>();
//Gets all EventFilters for relevant rules
string wmiQuery = "SELECT * FROM __EventFilter WHERE Name LIKE 'XPS_%'";
ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmiQuery);
searcher.Scope = new ManagementScope("\\\\.\\root\\subscription");
ManagementObjectCollection objectCollection = searcher.Get();
foreach (ManagementObject obj in objectCollection)
{
string fullname = (String)obj.GetPropertyValue("Name");
string query = (String)obj.GetPropertyValue("Query");
string[] parts = fullname.Split('_');
DetectionRule rule = null;
string[] query_parts = null;
Regex ScriptPattern = null;
Match ScriptMatch = null;
string[] script;
Boolean add = true;
try
{
script = File.ReadAllLines(string.Format("C:\\ProgramData\\MBDS\\{0}.vbs", parts[1]));
switch (Convert.ToInt32(parts[2]))
{
case 1: //Persitence Rule
rule = new DetectionRule(parts[1], Convert.ToInt32(parts[2]));
break;
case 2: //Process Spawn Rule
query_parts = query.Split(' ');
string process_name = query_parts[13].Substring(1, query_parts[13].Length - 3);
ScriptPattern = new Regex(@".*(Parents =Array)\((?<PROCS>.+)\).*");
ScriptMatch = ScriptPattern.Match(script[4]);
rule = new ProcessSpawnRule(parts[1], process_name, ScriptMatch.Groups["PROCS"].Value.Replace(@"""", String.Empty).Split(','));
break;
case 3: //Dll Load Rule
query_parts = query.Split(' ');
string dll = query_parts[7].Substring(2, query_parts[7].Length - 4);
ScriptPattern = new Regex(@"(Procs=Array)\((?<PROCS>.+)\)");
ScriptMatch = ScriptPattern.Match(script[2]);
rule = new DllLoadRule(parts[1], dll, ScriptMatch.Groups["PROCS"].Value.Replace(@"""", String.Empty).Split(','));
break;
case 4: //Command Line Rule
query_parts = query.Split(' ');
string process = query_parts[13].Substring(1, query_parts[13].Length - 3);
int argIndex = 17;
string args = "";
while (!query_parts[argIndex].EndsWith(@""""))
{
args = string.Format("{0} {1}", args, query_parts[argIndex]);
argIndex++;
}
args = string.Format("{0} {1}", args, query_parts[argIndex]);
args = args.Substring(3, args.Length - 5);
rule = new CommandArgRule(parts[1], process, args);
break;
default:
rule = new DetectionRule("Unknown", 0);
break;
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
if (fullname != "XPS_RegCheckTimer_5_Filter")
{
AllRules.Add(rule);
}
}
return(AllRules);
}