private void Add_New_Rule(object sender, RoutedEventArgs e)
        {
            CommandArgRule rule = new CommandArgRule(RuleName.Text, ProcessName.Text, Arguement.Text);

            rule.createRule();

            this.Close();
        }
Beispiel #2
0
        public UpdateRule(DetectionRule input_rule)
        {
            rule = input_rule;

            InitializeComponent();

            txt_1.Text = rule.GetName();

            switch (rule.GetRuleType())
            {
            case "ProcessSpawn":
                ProcessSpawnRule procrule = (ProcessSpawnRule)rule;
                Label_2.Content = "Process Name";
                txt_2.Text      = procrule.GetProcessName();
                Label_3.Content = "Parent Processs";
                txt_3.Text      = procrule.GetParentProcess();
                break;

            case "DllLoad":
                DllLoadRule dllrule = (DllLoadRule)rule;
                Label_2.Content = "DLL Name";
                txt_2.Text      = dllrule.GetDllName();
                Label_3.Content = "Allowed Processes";
                txt_3.Text      = dllrule.GetAllowedProcess();
                break;

            case "CommandLine":
                CommandArgRule cmdrule = (CommandArgRule)rule;
                Label_2.Content = "Process Name";
                txt_2.Text      = cmdrule.GetProcessName();
                Label_3.Content = "Arguements";
                txt_3.Text      = cmdrule.GetArguement();

                break;

            default:
                break;
            }
            initialvalues = new string[] { txt_1.Text, txt_2.Text, txt_3.Text };
        }
Beispiel #3
0
        public static List <DetectionRule> GetAllRules()
        {
            List <DetectionRule> AllRules = new List <DetectionRule>();

            //Gets all EventFilters for relevant rules
            string wmiQuery = "SELECT * FROM __EventFilter WHERE Name LIKE 'XPS_%'";
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmiQuery);

            searcher.Scope = new ManagementScope("\\\\.\\root\\subscription");

            ManagementObjectCollection objectCollection = searcher.Get();

            foreach (ManagementObject obj in objectCollection)
            {
                string        fullname      = (String)obj.GetPropertyValue("Name");
                string        query         = (String)obj.GetPropertyValue("Query");
                string[]      parts         = fullname.Split('_');
                DetectionRule rule          = null;
                string[]      query_parts   = null;
                Regex         ScriptPattern = null;
                Match         ScriptMatch   = null;
                string[]      script;
                Boolean       add = true;
                try
                {
                    script = File.ReadAllLines(string.Format("C:\\ProgramData\\MBDS\\{0}.vbs", parts[1]));


                    switch (Convert.ToInt32(parts[2]))
                    {
                    case 1:     //Persitence Rule
                        rule = new DetectionRule(parts[1], Convert.ToInt32(parts[2]));
                        break;

                    case 2:     //Process Spawn Rule
                        query_parts = query.Split(' ');
                        string process_name = query_parts[13].Substring(1, query_parts[13].Length - 3);
                        ScriptPattern = new Regex(@".*(Parents =Array)\((?<PROCS>.+)\).*");
                        ScriptMatch   = ScriptPattern.Match(script[4]);
                        rule          = new ProcessSpawnRule(parts[1], process_name, ScriptMatch.Groups["PROCS"].Value.Replace(@"""", String.Empty).Split(','));
                        break;

                    case 3:     //Dll Load Rule
                        query_parts = query.Split(' ');
                        string dll = query_parts[7].Substring(2, query_parts[7].Length - 4);
                        ScriptPattern = new Regex(@"(Procs=Array)\((?<PROCS>.+)\)");
                        ScriptMatch   = ScriptPattern.Match(script[2]);
                        rule          = new DllLoadRule(parts[1], dll, ScriptMatch.Groups["PROCS"].Value.Replace(@"""", String.Empty).Split(','));
                        break;

                    case 4:     //Command Line Rule
                        query_parts = query.Split(' ');
                        string process  = query_parts[13].Substring(1, query_parts[13].Length - 3);
                        int    argIndex = 17;
                        string args     = "";
                        while (!query_parts[argIndex].EndsWith(@""""))
                        {
                            args = string.Format("{0} {1}", args, query_parts[argIndex]);
                            argIndex++;
                        }
                        args = string.Format("{0} {1}", args, query_parts[argIndex]);
                        args = args.Substring(3, args.Length - 5);
                        rule = new CommandArgRule(parts[1], process, args);
                        break;

                    default:
                        rule = new DetectionRule("Unknown", 0);
                        break;
                    }
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                }
                if (fullname != "XPS_RegCheckTimer_5_Filter")
                {
                    AllRules.Add(rule);
                }
            }

            return(AllRules);
        }