internal static void Stop(int error_code, string ErrorMethod, string Message, string StackInfo) { EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("ALERT: SWELF MAIN UNSALVAGEABLE ERROR: " + ErrorMethod + " " + Message + " " + StackInfo, Error_Operation.EventID.SWELF_MAIN_APP_ERROR); Error_Operation.WRITE_Stored_Errors(); Error_Operation.SEND_Errors_To_Central_Location(); Environment.Exit(error_code); }
private static void READ_Local_Log_Dirs_for_Powershell_or_IIS(string directory) { try { if (Directory.Exists(directory)) { string[] SubDirs = Directory.GetDirectories(directory); for (int x = 0; x < SubDirs.Length; ++x) { string[] FilePaths = Directory.GetFiles(SubDirs[x]); for (int c = 0; c < FilePaths.Length; ++c) { if (FilePaths[c].Contains(".txt") && (FilePaths[c].ToLower().Contains("powershell_transcript.") || FilePaths[c].ToLower().Contains("iis"))) { string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(c)); File.Delete(FilePaths.ElementAt(c)); FileContents_From_FileReads.Add("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + FileContent); } } } } } catch (Exception e) { Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } }
internal static void READ_ALL_SWELF_Reg_Keys() { foreach (string RegKeyValue in BASE_SWELF_KEY.GetValueNames()) { try { if (String.IsNullOrEmpty(BASE_SWELF_KEY.GetValue(RegKeyValue).ToString()) == false) { Settings.REG_Keys.Add(RegKeyValue, READ_SWELF_Reg_Key(RegKeyValue)); } } catch (Exception e) { if (e.Message.Contains("An item with the same key has already been added.") == false) { Error_Operation.Log_Error("READ_ALL_SWELF_Reg_Keys()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose); } } } if (CHECK_SWELF_Reg_Key_Exists(REG_KEY.Logs_Last_Sent) == false) { string Date = DateTime.Now.ToString(); BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Logs_Last_Sent], Crypto_Operation.Protect_Data_Value(Date)); Settings.REG_Keys.Add(SWELF_Keys[20], Date); } }
internal static void READ_Local_Log_Dirs() { try { List <string> DirPaths = File_Operation.READ_File_In_List(File_Operation.GET_DirToMonitor_Path()).ToList(); for (int z = 0; z < DirPaths.Count; ++z) { if (Directory.Exists(DirPaths.ElementAt(z))) { if (DirPaths.ElementAt(z).ToLower().Contains("powershell") || DirPaths.ElementAt(z).ToLower().Contains("iis")) { READ_Local_Log_Dirs_for_Powershell_or_IIS(DirPaths.ElementAt(z)); } else { string[] FilePaths = Directory.GetFiles(DirPaths.ElementAt(z)); for (int x = 0; x < FilePaths.Length - 1; ++x) { if (File_Operation.CHECK_if_File_Exists(FilePaths.ElementAt(x)) && (FilePaths.ElementAt(x).Contains(".txt") || FilePaths.ElementAt(x).Contains(".log"))) { string FileContent = File_Operation.READ_AllText(FilePaths.ElementAt(x)); File.Delete(FilePaths.ElementAt(x)); FileContents_From_FileReads.Add(FileContent); } } } } } } catch (Exception e) { Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } }
internal void READ_EventLog(string Eventlog_FullName, long PlaceKeeper_EventRecordID = 1) { long EVTlog_PlaceHolder = PlaceKeeper_EventRecordID; try { if (EVTlog_PlaceHolder <= 1) { EVTlog_PlaceHolder = Settings.EventLog_w_PlaceKeeper[Eventlog_FullName]; } } catch (Exception e) { EVTlog_PlaceHolder = 1; } if (Settings.CHECK_If_EventLog_Exsits(Eventlog_FullName)) { EventLog_Log_API = new EventLog_File(Eventlog_FullName, PlaceKeeper_EventRecordID); long First_EventID = EventLog_Log_API.First_EventLogID_From_Check; long Last_EventID = EventLog_Log_API.Last_EventLogID_From_Check; if (PlaceKeeper_EventRecordID > First_EventID && PlaceKeeper_EventRecordID < Last_EventID)//Normal operation placekkeeper in middle of log file { EVTlog_PlaceHolder = PlaceKeeper_EventRecordID; READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API); Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID; } else if (Last_EventID == PlaceKeeper_EventRecordID)//no logs added { EVTlog_PlaceHolder = PlaceKeeper_EventRecordID; } else if (PlaceKeeper_EventRecordID <= 1) { EVTlog_PlaceHolder = First_EventID; READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API); EventLog_SWELF.WRITE_Warning_EventLog("Logging as EventLog Source 1st run for Eventlog named '" + Eventlog_FullName + "' on machine named '" + Settings.ComputerName + "' due to PlaceKeeper_EventRecordID<=1"); Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID; } else if (First_EventID > PlaceKeeper_EventRecordID)//missed all logs and missing log files send alert for missing log files { EVTlog_PlaceHolder = First_EventID; READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API); EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("Missed " + (First_EventID - PlaceKeeper_EventRecordID) + " logs from '" + Eventlog_FullName + "' on machine '" + Settings.ComputerName + "' the first eventlog id was older than where app left off. Possible log file cycle/overwrite between runs. First event log id number in the log is " + First_EventID + " SWELF left off from last run at " + PlaceKeeper_EventRecordID); Settings.EventLog_w_PlaceKeeper[Eventlog_FullName.ToLower()] = Last_EventID; } else//unknown/catch condition assume 1st run { EVTlog_PlaceHolder = First_EventID; READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API); EventLog_SWELF.WRITE_Warning_EventLog("ERROR: App unable to determine app reading state in event log. App starting over. App not told to reset. '" + Eventlog_FullName + "' '" + Settings.ComputerName + "'. unknown/catch condition assume 1st run"); Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID; } } else { Error_Operation.Log_Error("READ_EventLog() if (Settings.FIND_EventLog_Exsits())", Eventlog_FullName + " EventLog does not exist.", "", Error_Operation.LogSeverity.Informataion); } }
internal static object READ_Eventlog_SWELF_Reg_Key(string Key) { if (Settings.REG_Keys.Count > 1) { if (Settings.REG_Keys.ContainsKey(Key)) { return(Settings.REG_Keys[Key]); } } else { if (CHECK_Eventlog_SWELF_Reg_Key_Exists(Key)) { if (Crypto_Operation.CHECK_Value_Encrypted(Crypto_Operation.ObjectToByteArray(BASE_SWELF_KEY.GetValue(Key)))) { return(Crypto_Operation.UnProtect_Data_Value(Crypto_Operation.ObjectToByteArray(BASE_SWELF_KEY.GetValue(Key)))); } else { ADD_or_CHANGE_SWELF_Reg_Key(Key, Crypto_Operation.CONVERT_To_String_From_Bytes(Crypto_Operation.Protect_Data_Value(Crypto_Operation.ObjectToByteArray(BASE_SWELF_KEY.GetValue(Key))), 1)); return(Crypto_Operation.UnProtect_Data_Value(Crypto_Operation.ObjectToByteArray(BASE_SWELF_KEY.GetValue(Key)))); } } else { Error_Operation.Log_Error("CHANGE_Reg_Key()", "Reg Key does not exist. RegKey=" + Key, "", Error_Operation.LogSeverity.Warning); return(""); } } return(""); }
private static void Start_Searching_Logs(int Index) { try { Read_EventLog EVNT_Log = new Read_EventLog(); Sec_Checks.Live_Run_Sec_Checks(Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index)); EVNT_Log.READ_EventLog(Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index), Settings.EventLog_w_PlaceKeeper[Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index)]); if (Data_Store.contents_of_EventLog.Count > 0) { Search_EventLog search_Obj = new Search_EventLog(); Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs = search_Obj.Search(Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index)); } Data_Store.contents_of_EventLog.Clear(); } catch (Exception e) { if (e.Message == "Object reference not set to an instance of an object.") { Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index) + " " + e.Message.ToString() + " This error means the EventLog was not read or searched. \n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } else if (e.Message.ToString().Contains("The process cannot access the file")) { Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", e.Message.ToString() + " OS File lock of vital resource at runtime." + " This error means the EventLog was not read or searched.\n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning); } else { Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", " " + Settings.EventLog_w_PlaceKeeper_List.ElementAt(Settings.Total_Threads_Run) + " x=" + (Settings.Total_Threads_Run).ToString() + " " + e.Message.ToString() + ". Check search Syntx." + " This error means the EventLog was not read or searched.\n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } GC.Collect(); }
internal static bool VERIFY_String_Hashs(string String1, string string2) { string File1Hash; string File2Hash; try { using (var sha256 = SHA256.Create()) { File1Hash = BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(String1.Trim().Replace('\n', ' ').ToCharArray().ToString()))).ToLowerInvariant(); } using (var sha2562 = SHA256.Create()) { File2Hash = BitConverter.ToString(sha2562.ComputeHash(CONVERT_To_ASCII_Bytes(string2.Trim().Replace('\n', ' ').ToCharArray().ToString()))).ToLowerInvariant(); } if (File1Hash == File2Hash) { return(true); } else { return(false); } } catch (Exception e) { Error_Operation.WRITE_Errors_To_Log("VERIFY_File_Hashs()", "Error " + e.Message.ToString() + e.StackTrace, Error_Operation.LogSeverity.Warning);//log change return(false); } }
private static void Run_Live_Process_Workflow() { if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()) { Start_Setup(); Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins()); PS_Plugins_Thread.IsBackground = true; PS_Plugins_Thread.Priority = ThreadPriority.Lowest; PS_Plugins_Thread.Start(); Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles()); READ_Local_LogFiles_Thread.IsBackground = true; READ_Local_LogFiles_Thread.Priority = ThreadPriority.Lowest; READ_Local_LogFiles_Thread.Start(); while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive) { Thread.Sleep(10000); } PS_Plugins_Thread.Abort(); READ_Local_LogFiles_Thread.Abort(); Start_Read_Search_Write_Forward_EventLogs(); Start_Send_File_Based_Logs(); Write_HashFile_IPsFile(); } else { Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", ""); } Error_Operation.WRITE_Stored_Errors(); }
private static void SET_WindowsEventLog_Location() { try { if (!EventLog.SourceExists(SWELF_EventLog_Name)) { EventLog.CreateEventSource(SWELF_PROC_Name.ProcessName, SWELF_EventLog_Name); SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name; if (Reg_Operation.CHECK_Eventlog_SWELF_Reg_Key_Exists(Reg_Operation.EventLog_Base_Key + "\\" + SWELF_EventLog_Name)) { Reg_Operation.SET_Event_Log_MaxSize(SWELF_EventLog_Name); } } else { SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name; } } catch (Exception e) { EventLog.CreateEventSource(SWELF_PROC_Name.ProcessName, SWELF_EventLog_Name); Error_Operation.Log_Error("SET_WindowsEventLog_Loc() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Critical); SWELF_EvtLog_OBJ.Source = SWELF_EventLog_Name; } }
private static bool SEND_Data_from_File_UDP(string Log_File_Data, UdpClient client) { bool Data_Sent = true; try { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { byte[] sendBytes = GET_Encoding_to_Return(Log_File_Data); client.Send(sendBytes, sendBytes.Length); } catch (Exception e) { Data_Sent = false; Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Data_from_File_UDP(Log_File_Data)", "SWELF NETWORK ERROR: " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } catch (Exception e) { Data_Sent = false; Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Data_from_File(string Log_File_Data)", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning); } return(Data_Sent); }
internal static void SEND_Logs(Queue <EventLog_Entry> Event_logs) { if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false) { if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { for (int y = 0; y < Event_logs.Count; ++y) { TcpClient client = new TcpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)); NetworkStream stream = client.GetStream(); var data = GET_Encoding_to_Return(Event_logs.ElementAt(y)); stream.Write(data, 0, data.Length); stream.Close(); client.Close(); } } catch (Exception e) { Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } else//Default send logs UDP { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { for (int y = 0; y < Event_logs.Count; ++y) { UdpClient client = new UdpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)); var data = GET_Encoding_to_Return(Event_logs.ElementAt(y)); client.Send(data, data.Length); client.Close(); } } catch (Exception e) { Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } } }
internal static bool SEND_Logs(string Log, string FilePath = "", bool DeleteWhenDone = false) { bool Data_Sent = true; if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false) { if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { TcpClient client = new TcpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)); NetworkStream stream = client.GetStream(); Byte[] data = GET_Encoding_to_Return(Log); stream.Write(data, 0, data.Length); stream.Close(); client.Close(); } catch (Exception e) { Data_Sent = false; Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() transport_protocol tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } else//Default send logs UDP { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { UdpClient client = new UdpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x)); Data_Sent = SEND_Data_from_File_UDP(Log, client); client.Close(); } catch (Exception e) { Data_Sent = false; Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } } return(Data_Sent); }
internal static bool CHECK_If_Running_as_Admin() { if (new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator)) { return(true); } else { LOG_SEC_CHECK_Fail("Settings.CHECK_If_Running_as_Admin() " + Settings.ComputerName + " SWELF not running as admin and was unable to read eventlogs."); Error_Operation.SEND_Errors_To_Central_Location(); return(false); } }
internal static void SEND_Logs(Queue <EventLog_Entry> Event_logs) { if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false) { if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[14]) == false) { Settings.AppConfig_File_Args.Add(Settings.SWELF_AppConfig_Args[14], "udp"); } if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { for (int y = 0; y < Event_logs.Count; ++y) { Socket_Client_TCP(Crypto_Operation.CONVERT_To_ASCII_Bytes(GET_Log_Output_Format(Event_logs.ElementAt(y))), x); } } catch (Exception e) { Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } else//Default send logs UDP { for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x) { try { for (int y = 0; y < Event_logs.Count; ++y) { Socket_Client_UDP(Crypto_Operation.CONVERT_To_ASCII_Bytes(GET_Log_Output_Format(Event_logs.ElementAt(y))), x); } } catch (Exception e) { Settings.Logs_Sent_to_ALL_Collectors = false; Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning); } } Settings.Logs_Sent_to_ALL_Collectors = true; Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.Logs_Last_Sent, DateTime.Now.ToString()); } } }
internal static void UnSecure_File(string FilePath, int RetryNumber = 0) { try { if (File_Operation.CHECK_File_Encrypted(FilePath) == true) { File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath)); } File.Decrypt(FilePath); } catch (Exception e) { if (RetryNumber == 0) { if (e.Message.ToString().Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false) { Encrypt_File_Contents(FilePath); File.Encrypt(FilePath); UnSecure_File(FilePath, 1); } else { File.Decrypt(FilePath); } } if (e.Message.Contains("Padding")) { Sec_Checks.CHECK_Reg_vs_File_Config(FilePath); } else if (e.Message.Contains("The input data is not a complete block.")) { if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)) { File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)); } else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents)) { File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents)); } else { //error is logic } } else { Error_Operation.Log_Error("UnLock_File()", e.Message.ToString() + " " + FilePath + " retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit); } } }
internal static string[] READ_File_In_StringArray(string FilePath) { if (CHECK_if_File_Exists(FilePath)) { Crypto_Operation.UnSecure_File(FilePath); string[] Contents = File.ReadAllLines(FilePath); Crypto_Operation.Secure_File(FilePath); return(Contents); } else { Error_Operation.Log_Error("READ_File_In_StringArray()", "File not found " + FilePath, "", Error_Operation.LogSeverity.Informataion); return(File.ReadAllLines(FilePath)); } }
private static void CHECK_If_App_Has_Run_To_Long() { var watch = System.Diagnostics.Stopwatch.StartNew(); while (watch.Elapsed.Hours < 1) { Thread.Sleep(600000); } watch.Stop(); var elapsedTime = watch.Elapsed; RanToLongTiner = true; Start_Output_Post_Run(); Error_Operation.Log_Error("CHECK_If_App_Has_Run_To_Long()", "SWELF's time running on machine timer says that SWELF to long (" + elapsedTime.ToString() + ") this could be for many reasons. Most likely is that there are to many log sources your trying to read into SWELF or that some of the logs files are to large to be read in with all the other searchs. Try running SWELF in sequence. ", "", Error_Operation.LogSeverity.Critical); Environment.Exit((int)Error_Operation.EventID.SWELF_MAIN_APP_ERROR); }
internal static void Write_Hash_Output(List <string> Hashs) { File.Delete(Settings.Hashs_File_Path); File.Create(Settings.Hashs_File_Path).Close(); for (int x = 0; x < Hashs.Count; ++x) { try { File.AppendAllText(Settings.Hashs_File_Path, Hashs.ElementAt(x) + "\n"); } catch (Exception e) { Error_Operation.Log_Error("Write_Hash_Output()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning); } } CHECK_File_Size(Settings.Hashs_File_Path, .0002); }
internal static string Run_PS_Script(String PowershellSciptLocation, string PowershellSciptArgs = "") { if (File_Operation.CHECK_if_File_Exists(PowershellSciptLocation)) { ScriptContents = File_Operation.READ_AllText(PowershellSciptLocation); if (CallAntimalwareScanInterface(Get_SHA256(PowershellSciptLocation), ScriptContents) < 32768) { powershellSciptLocation = PowershellSciptLocation; powershellSciptArgs = PowershellSciptArgs; ProcessStartInfo startInfo = new ProcessStartInfo("powershell", "-ExecutionPolicy Bypass .\\" + Path.GetFileName(PowershellSciptLocation)); startInfo.WorkingDirectory = Path.GetDirectoryName(PowershellSciptLocation); startInfo.RedirectStandardOutput = true; startInfo.RedirectStandardError = true; startInfo.LoadUserProfile = true; startInfo.UseShellExecute = false; startInfo.CreateNoWindow = true; Process process = new Process(); process.StartInfo = startInfo; process.Start(); string output = process.StandardOutput.ReadToEnd(); if (string.IsNullOrEmpty(output)) { output += "\nPS Plugin ERROR: " + process.StandardError.ReadToEnd(); } if (string.IsNullOrEmpty(ScriptContents) == false || string.IsNullOrWhiteSpace(ScriptContents) == false) { Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "microsoft-windows-powershell/operational" + "~"); Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "windows powershell" + "~"); } return(output); } else { Error_Operation.Log_Error("Run_PS_Script() POSSIBLE MALWARE DETECTED", "Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents), "", Error_Operation.LogSeverity.Critical); return("POSSIBLE MALWARE DETECTED - Script located at " + powershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents)); } } else { Error_Operation.Log_Error("Run_PS_Script()", PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName, "", Error_Operation.LogSeverity.Warning); return(PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName); } }