/// <summary>
/// Collects PowerShell transcript and IIS text logs from the first-level sub-directories of
/// <paramref name="directory"/>, queues their contents for forwarding and deletes each file
/// once it has been read.
/// </summary>
/// <param name="directory">Directory whose immediate sub-directories are scanned.</param>
/// <remarks>
/// The filter is a substring match on the full path: ".txt" is case-sensitive and may occur
/// anywhere in the path, while "powershell_transcript." and "iis" are matched against the
/// lower-cased path, so a directory name can satisfy the filter as well as a file name.
/// The file is deleted before its content is queued, so from that point the in-memory
/// queue holds the only copy. Any exception ends the whole scan and is logged at
/// informational severity.
/// </remarks>
private static void READ_Local_Log_Dirs_for_Powershell_or_IIS(string directory)
{
    try
    {
        if (!Directory.Exists(directory))
        {
            return;
        }

        foreach (string subDirectory in Directory.GetDirectories(directory))
        {
            foreach (string candidate in Directory.GetFiles(subDirectory))
            {
                if (!candidate.Contains(".txt"))
                {
                    continue;
                }

                bool wanted = candidate.ToLower().Contains("powershell_transcript.")
                    || candidate.ToLower().Contains("iis");
                if (!wanted)
                {
                    continue;
                }

                string logText = File_Operation.READ_AllText(candidate);
                File.Delete(candidate);
                FileContents_From_FileReads.Add("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + logText);
            }
        }
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
    }
}
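/// <summary>
/// Reads <paramref name="InputFilePath"/> as text, encrypts it with AES-256 (PKCS7 padding)
/// and replaces the file's contents with the ciphertext via File_Operation.Turnicate_File.
/// </summary>
/// <param name="InputFilePath">Path of the file to encrypt in place.</param>
/// <remarks>
/// NOTE(review): the key AND the IV are both taken from the same PBKDF2 stream
/// (GET_Password() + SALT, 50000 iterations), so every file encrypted by this process uses
/// the same key/IV pair. Cipher mode is not set here, so the Aes default applies; with a
/// repeated IV, files that begin with the same plaintext produce the same leading
/// ciphertext blocks. There is also no integrity tag on the ciphertext. Changing either
/// requires a matching change in Decrypt_File_Contents and a migration of existing files,
/// so it is flagged here rather than altered.
/// </remarks>
internal static void Encrypt_File_Contents(string InputFilePath)
{
    byte[] encrypted;
    using (Aes AES = Aes.Create())
    {
        AES.KeySize = AES256KeySize;
        AES.BlockSize = 128;
        AES.Padding = PaddingMode.PKCS7;

        // Rfc2898DeriveBytes is IDisposable and holds password-derived material; dispose it
        // as soon as the key and IV have been extracted instead of leaving it to the GC.
        using (var key = new Rfc2898DeriveBytes(CONVERT_To_UTF8_Bytes(GET_Password()), CONVERT_To_UTF8_Bytes(SALT), 50000))
        {
            AES.Key = key.GetBytes(AES.KeySize / 8);
            AES.IV = key.GetBytes(AES.BlockSize / 8);
        }

        // The transform is disposable as well; the original never released it.
        using (ICryptoTransform encryptor = AES.CreateEncryptor(AES.Key, AES.IV))
        using (MemoryStream msEncrypt = new MemoryStream())
        {
            using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
            using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
            {
                swEncrypt.Write(File.ReadAllText(InputFilePath));
            }

            // Disposing the writer flushes the final padded block; ToArray() is still valid
            // on the closed MemoryStream.
            encrypted = msEncrypt.ToArray();
        }

        File_Operation.Turnicate_File(InputFilePath, encrypted);
    }
}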
/// <summary>
/// Heuristically decides whether the file at <paramref name="FilePath"/> holds ciphertext.
/// </summary>
/// <param name="FilePath">File to inspect.</param>
/// <returns>
/// true when the decoded text contains at least one character from
/// Crypto_Operation.Common_Encrypted_Chars and at least one character with code point 128
/// or above; false otherwise, and false on any exception.
/// </returns>
/// <remarks>
/// Side effect: when the content looks encrypted but the file lacks the
/// FileAttributes.Encrypted attribute, File.Encrypt is applied before returning true.
/// NOTE(review): this is a content guess, not a format check, and every failure (including
/// access denied) is reported as "not encrypted" - callers that react to false by
/// encrypting should confirm that is the behaviour they want.
/// </remarks>
internal static bool CHECK_File_Encrypted(string FilePath)
{
    try
    {
        FileInfo info = new FileInfo(FilePath);
        string text = File.ReadAllText(FilePath);

        bool looksLikeCiphertext = text.Any(ch => Crypto_Operation.Common_Encrypted_Chars.Contains(ch))
            && text.Any(ch => ch >= 128);
        if (!looksLikeCiphertext)
        {
            return false; // File not encrypted
        }

        if (!info.Attributes.HasFlag(FileAttributes.Encrypted))
        {
            // Content is ciphertext but the file-system attribute is missing: add it.
            File.Encrypt(FilePath);
        }

        return true; // File encrypted
    }
    catch (Exception e)
    {
        bool stillOnDisk = File_Operation.CHECK_if_File_Exists(FilePath);

        // An "Access to the path ... denied" failure on an existing file used to trigger
        // File_Operation.DELETE_File(FilePath); that delete is disabled and nothing is done.
        Error_Operation.Log_Error("CHECK_File_Encrypted()", e.Message.ToString() + ". Is file on disk check=" + stillOnDisk.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose);
        return false; // File NOT encrypted
    }
}
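/// <summary>
/// Reads every directory listed in the directories-to-monitor file and queues the contents
/// of the log files found there for forwarding.
/// </summary>
/// <remarks>
/// Directories whose lower-cased path contains "powershell" or "iis" are delegated to
/// READ_Local_Log_Dirs_for_Powershell_or_IIS. In all other directories, files whose path
/// contains ".txt" or ".log" (case-sensitive substring, anywhere in the path) are read,
/// deleted and queued. The source file is deleted before the content is queued, so the
/// in-memory queue holds the only copy afterwards. Any exception ends the whole run and is
/// logged at informational severity.
/// </remarks>
internal static void READ_Local_Log_Dirs()
{
    try
    {
        List<string> DirPaths = File_Operation.READ_File_In_List(File_Operation.GET_DirToMonitor_Path()).ToList();
        foreach (string dirPath in DirPaths)
        {
            if (!Directory.Exists(dirPath))
            {
                continue;
            }

            string lowered = dirPath.ToLower();
            if (lowered.Contains("powershell") || lowered.Contains("iis"))
            {
                READ_Local_Log_Dirs_for_Powershell_or_IIS(dirPath);
                continue;
            }

            string[] FilePaths = Directory.GetFiles(dirPath);

            // Fix: the bound used to be FilePaths.Length - 1, which never processed the last
            // file in each directory (and nothing at all in a one-file directory). The
            // PowerShell/IIS reader iterates the full array; this loop now does the same.
            for (int x = 0; x < FilePaths.Length; ++x)
            {
                string filePath = FilePaths[x];
                if (File_Operation.CHECK_if_File_Exists(filePath) && (filePath.Contains(".txt") || filePath.Contains(".log")))
                {
                    string FileContent = File_Operation.READ_AllText(filePath);
                    File.Delete(filePath);
                    FileContents_From_FileReads.Add(FileContent);
                }
            }
        }
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("READ_Local_Log_Dirs() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
    }
}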
/// <summary>
/// Output stage run after searching: delivers matched events either to a CSV file or to the
/// network forwarder, optionally mirrors them to the SWELF event log, runs the post-run
/// security checks and finally updates the event-log place-keeper file.
/// </summary>
/// <remarks>
/// CSV output is chosen only when Settings.output_csv is set, at least three start
/// arguments were given and no forwarder host names are configured; in every other case
/// the matches go to Log_Network_Forwarder.SEND_Logs. A failure in either output path is
/// logged as a warning and does not stop the remaining steps. The place-keeper update runs
/// even when there were no matches.
/// </remarks>
internal static void Start_Output_Post_Run()
{
    bool haveMatches = Settings.SWELF_Events_Of_Interest_Matching_EventLogs.Count > 0;
    if (haveMatches)
    {
        try
        {
            bool csvOnly = Settings.output_csv
                && Program_Start_Args.Count >= 3
                && (Settings.Log_Forwarders_HostNames.Count < 1);

            if (!csvOnly)
            {
                Log_Network_Forwarder.SEND_Logs(Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
            }
            else
            {
                File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
            }
        }
        catch (Exception e)
        {
            Error_Operation.Log_Error("Start_Output_Post_Run() Network_Forwarder.SEND_Logs() File_Operation.Write_Ouput_CSV()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
        }

        // Mirror to the local SWELF event log only once the collectors have the data.
        if (Settings.Logs_Sent_to_ALL_Collectors)
        {
            Start_Write_To_SWELF_EventLogs();
        }

        Sec_Checks.Post_Run_Sec_Checks();
    }

    Settings.UPDATE_EventLog_w_PlaceKeeper_File();
}
/// <summary>
/// Writes every queued file-based log entry to the SWELF event log and sends it to the
/// configured log forwarders.
/// </summary>
/// <remarks>
/// Nothing is sent when any forwarder host is "127.0.0.1" or when any host entry is null or
/// empty. Any exception is treated as "log storage location unavailable" and ends the loop;
/// entries not yet processed stay in the queue.
/// NOTE(review): the queue (Read_Local_Files.FileContents_From_FileReads) is filled
/// elsewhere in this file with file CONTENTS, not paths, yet the clean-up step below hands
/// the entry to File.Delete / File.Create as if it were a path. That call presumably throws
/// for real log text and, through the catch, stops the remaining entries from being sent -
/// confirm the intended argument. The guard in front of it also tests the error-log file,
/// not the file being cleaned up.
/// </remarks>
private static void Start_Send_File_Based_Logs()
{
    bool delivered = false;
    try
    {
        if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)))
        {
            return;
        }
        if (Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)))
        {
            return;
        }

        // Index loop kept on purpose: Count is re-read on every pass, as in the original.
        for (int z = 0; z < Read_Local_Files.FileContents_From_FileReads.Count; ++z)
        {
            EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
            delivered = Log_Network_Forwarder.SEND_Logs(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));

            bool cleanUp = delivered == true
                && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location)
                && Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]);
            if (cleanUp)
            {
                File.Delete(Read_Local_Files.FileContents_From_FileReads.ElementAt(z));
                File.Create(Read_Local_Files.FileContents_From_FileReads.ElementAt(z)).Close();
            }
        }
    }
    catch (Exception e)
    {
        // Network resource unavailable: do not send, try again next run. The application
        // does not queue logs itself; they are only re-read.
        Settings.Log_Storage_Location_Unavailable(" Start_Send_File_Based_Logs() " + e.Message.ToString());
    }
}
/// <summary>
/// Offline mode: parses the command line, searches the EVTX file named there and writes
/// the matching events either to CSV or to the SWELF event log.
/// </summary>
/// <remarks>
/// When Settings.CMDLine_Dissolve is set, Settings.Dissolve() runs after the output step.
/// Stored errors are flushed last. Any exception stops the program through Settings.Stop
/// with the critical-error exit code.
/// </remarks>
internal static void Start_EVTX_Process()
{
    try
    {
        Read_EventLog reader = new Read_EventLog();
        PARSE_Commandline_Input(reader);

        Search_EventLog searcher = new Search_EventLog(reader.EVTX_File_Logs);
        Settings.SWELF_Events_Of_Interest_Matching_EventLogs = searcher.Search(Settings.CMDLine_EVTX_File);

        if (!Settings.output_csv)
        {
            Start_Write_To_SWELF_EventLogs();
        }
        else
        {
            File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
        }

        if (Settings.CMDLine_Dissolve)
        {
            Settings.Dissolve();
        }

        Error_Operation.WRITE_Stored_Errors();
    }
    catch (Exception e)
    {
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_EVTX_Process() ", e.Message.ToString(), e.StackTrace.ToString());
    }
}
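/// <summary>
/// Handles a protected configuration file that is suspected of having been changed outside
/// SWELF: writes a FailureAudit event naming the file and recreates it.
/// </summary>
/// <param name="Settings_FilePath">
/// Full path of the file to check. It is compared with the known configuration paths in
/// Settings; a path that matches none of them is reported through LOG_SEC_CHECK_Fail.
/// </param>
/// <remarks>
/// Only the app-config and search-terms branches compare the file with its registry copy
/// (CHECK_File_vs_Reg_Contents) before acting. The place-keeper, whitelist and both plugin
/// branches audit and recreate the file unconditionally.
/// Changes in this revision:
///  - the place-keeper branch recreated the APP CONFIG file with app-config defaults; it
///    now recreates the place-keeper file with its own defaults, as
///    WRITE_Default_Configs_Files_and_Reg does;
///  - the search-terms branch seeded Searchs.txt with the place-keeper defaults; it now
///    uses the search-file defaults, again matching WRITE_Default_Configs_Files_and_Reg;
///  - three audit messages were split by a raw line break inside the string literal, which
///    is not valid in a regular C# string; they are single-line literals again.
/// </remarks>
internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath)
{
    if (Settings.GET_AppConfigFile_Path == Settings_FilePath) // App config
    {
        if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false)
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);

            // NOTE(review): the two branches below look swapped - when the registry copy
            // EXISTS the file is rebuilt from defaults, and when it does NOT exist the file
            // is rebuilt from a registry read of that same missing key. Left unchanged
            // because the intended recovery policy cannot be confirmed from this method.
            if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
            {
                File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
            }
            else
            {
                File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path));
            }
        }
    }
    else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath) // Event log ID place-keeper
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_EventLogID_PlaceHolder_Path);

        // Fix: recreate the place-keeper file itself rather than the app config file.
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.EventLogID_PlaceHolde_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath) // Search terms file
    {
        if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false)
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
            File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_Path);

            // Fix: seed the search file with search-file defaults, not place-keeper defaults.
            File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Logs_Search_File_Contents);
        }
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath) // Search whitelist
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath) // Plugin search file
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_PLUGIN_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents);
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath) // Plugin whitelist
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else
    {
        LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path");
    }
}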
/// <summary>
/// Decrypts the AES-256 (PKCS7) ciphertext stored in
/// <paramref name="InputEncryptedFilePath"/> and returns it as text.
/// </summary>
/// <param name="InputEncryptedFilePath">File holding the ciphertext.</param>
/// <param name="ReWriteDecryptedFile">
/// When true (the default), File_Operation.Turnicate_File is called on the input path after
/// decryption.
/// </param>
/// <returns>The decrypted text, or null when reading the decrypted stream failed.</returns>
/// <remarks>
/// Key and IV are re-derived from GET_Password() and SALT with the same parameters used by
/// Encrypt_File_Contents, so both are fixed for a given password.
/// NOTE(review): any failure while reading the plaintext (wrong key, truncated or modified
/// ciphertext) deletes the input file and rewrites the default critical files without
/// logging the exception. A corrupted config therefore silently resets configuration to
/// defaults - confirm this is intended, and consider recording the event.
/// </remarks>
internal static string Decrypt_File_Contents(string InputEncryptedFilePath, bool ReWriteDecryptedFile = true)
{
    string plaintext = null;
    CryptoStream csDecrypt = null;
    try
    {
        using (Aes AES = Aes.Create())
        {
            AES.KeySize = AES256KeySize;
            AES.BlockSize = 128;
            AES.Padding = PaddingMode.PKCS7;
            // Same derivation as the encrypt path: key first, then IV, from one PBKDF2 stream.
            var key = new Rfc2898DeriveBytes(CONVERT_To_UTF8_Bytes(GET_Password()), CONVERT_To_UTF8_Bytes(SALT), 50000);
            AES.Key = key.GetBytes(AES.KeySize / 8);
            AES.IV = key.GetBytes(AES.BlockSize / 8);
            ICryptoTransform decryptor = AES.CreateDecryptor(AES.Key, AES.IV);
            using (MemoryStream msDecrypt = new MemoryStream(File.ReadAllBytes(InputEncryptedFilePath)))
            {
                using (csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                {
                    using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                    {
                        try
                        {
                            plaintext = srDecrypt.ReadToEnd();
                        }
                        catch (Exception e)
                        {
                            // Decryption failed: drop the unreadable file and restore defaults.
                            // The exception itself is not logged.
                            File_Operation.DELETE_File(InputEncryptedFilePath);
                            File_Operation.WRITE_Default_Critical_Files();
                        }
                    }
                    // Cleared so the finally block below does not dispose the stream a
                    // second time; the using statement still disposes the original instance.
                    csDecrypt = null;
                }
            }
        }
        if (ReWriteDecryptedFile)
        {
            File_Operation.Turnicate_File(InputEncryptedFilePath);
        }
    }
    finally
    {
        // Only non-null when an exception escaped before the reset above.
        if (csDecrypt != null)
        {
            csDecrypt.Dispose();
        }
    }
    return(plaintext);
}
/// <summary>
/// Reconciles the logging level stored in the registry with the value from the app config
/// (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]) and then sets the
/// numeric Logging_Level_To_Report to the index of Settings.Logging_Level_To_Report in
/// Severity_Levels.
/// </summary>
/// <remarks>
/// Array.FindIndex returns -1 when the level name is not in Severity_Levels, and that value
/// is stored as the numeric level.
/// NOTE(review): only the final else branch updates Settings.Logging_Level_To_Report; the
/// other branches write the registry and then index whatever the setting held before -
/// confirm that is intended.
/// NOTE(review): in the "Possible Tampering" branch the mismatch is recorded in ErrorsLog
/// and the registry value is then overwritten with the config-file value anyway, so the
/// check reports the difference but still accepts the file's value.
/// </remarks>
internal static void ErrorLogging_Level()
{
    try
    {
        if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level) == false)
        {
            // No registry value yet: seed it from the app config.
            Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
        }
        else if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level)))
        {
            // Registry value is empty: accept the config value only when the config file
            // looks encrypted and its creation time equals the one recorded in the registry.
            if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
            {
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
            }
            else
            {
                // Original author's note: error in logic here. Nothing is done in this case.
            }
        }
        else if (Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level) != Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]])
        {
            // Registry and config disagree.
            if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
            {
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
            }
            else
            {
                // The config file failed the encrypted/creation-time check: record the
                // mismatch, then take the config value regardless.
                ErrorsLog.Add("ErrorLogging_Level()" + "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
            }
        }
        else
        {
            // Registry and config agree: use the registry value.
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
        }
        // Translate the level name into its position in Severity_Levels (-1 if unknown).
        int index = Array.FindIndex(Severity_Levels, row => row == Settings.Logging_Level_To_Report);
        Logging_Level_To_Report = Convert.ToInt32(index);
    }
    catch (Exception e)
    {
        // The exception is not logged. Both branches read the same registry key; the else
        // branch reads it even though the existence check just failed, and additionally
        // sets the numeric level to 1.
        if
            (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.logging_level))
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
        }
        else
        {
            Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
            Logging_Level_To_Report = 1;
        }
    }
}
/// <summary>
/// Removes both protection layers from <paramref name="FilePath"/>: the application-level
/// AES encryption (when CHECK_File_Encrypted reports it) and the file-system encryption
/// attribute (File.Decrypt).
/// </summary>
/// <param name="FilePath">File to unprotect.</param>
/// <param name="RetryNumber">
/// 0 on the first attempt. The method calls itself once with 1 after re-encrypting a file
/// whose ciphertext was "not a complete block".
/// </param>
/// <remarks>
/// Error handling dispatches on the TEXT of the exception message ("Padding", "The input
/// data is not a complete block."), which depends on runtime version and UI language.
/// NOTE(review): the search-terms recovery branch writes the SearchTerms registry copy to
/// Settings.GET_AppConfigFile_Path, i.e. over the app config file - this looks like a
/// copy/paste slip; confirm the intended target path.
/// NOTE(review): File.Decrypt inside the catch block is not itself guarded, so a second
/// failure there propagates to the caller.
/// </remarks>
internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
{
    try
    {
        if (File_Operation.CHECK_File_Encrypted(FilePath) == true)
        {
            // Decrypt_File_Contents truncates the file by default; the plaintext is then
            // appended back into it.
            File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath));
        }
        File.Decrypt(FilePath);
    }
    catch (Exception e)
    {
        if (RetryNumber == 0)
        {
            if (e.Message.ToString().Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false)
            {
                // The file held plaintext: bring it into the protected state, then retry once.
                Encrypt_File_Contents(FilePath);
                File.Encrypt(FilePath);
                UnSecure_File(FilePath, 1);
            }
            else
            {
                File.Decrypt(FilePath);
            }
        }
        if (e.Message.Contains("Padding"))
        {
            // A padding failure is treated as a possible modification of the file.
            Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
        }
        else if (e.Message.Contains("The input data is not a complete block."))
        {
            // Restore the file from its registry copy where one exists.
            if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
            {
                File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
            }
            else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
            {
                // NOTE(review): target is the app config path, not a search-terms path.
                File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
            }
            else
            {
                // Original author's note: error in logic. Nothing is done in this case.
            }
        }
        else
        {
            Error_Operation.Log_Error("UnLock_File()", e.Message.ToString() + " " + FilePath + " retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
        }
    }
}
/// <summary>
/// Protects <paramref name="FilePath"/> with the file-system encryption attribute and, when
/// the content does not already look encrypted, with the application-level AES encryption.
/// </summary>
/// <param name="FilePath">File to protect.</param>
/// <remarks>
/// NOTE(review): on any exception the handler calls File.Decrypt and records nothing, so a
/// failure leaves the file without the file-system encryption and without any trace in the
/// logs. File.Decrypt in the handler is unguarded and may itself throw to the caller.
/// </remarks>
internal static void Secure_File(string FilePath)
{
    try
    {
        File.Encrypt(FilePath);

        bool contentAlreadyEncrypted = File_Operation.CHECK_File_Encrypted(FilePath);
        if (!contentAlreadyEncrypted)
        {
            Encrypt_File_Contents(FilePath);
        }
    }
    catch (Exception)
    {
        File.Decrypt(FilePath);
    }
}
/// <summary>
/// Formats an error record, appends it to the local error log and writes it to the SWELF
/// event log through the writer that matches <paramref name="LogSeverity"/>.
/// </summary>
/// <param name="MethodInCode">Name of the reporting method, written into the record.</param>
/// <param name="msg">Error text.</param>
/// <param name="LogSeverity">Severity of the record; also selects the event-log writer.</param>
/// <param name="eventID">Event id passed to the event-log writer.</param>
/// <remarks>
/// The logging level is refreshed first (ErrorLogging_Level). The record is written only
/// when Logging_Level_To_Report is greater than or equal to the numeric severity; unknown
/// severities go to the verbose writer.
/// NOTE(review): <paramref name="msg"/> and <paramref name="MethodInCode"/> are concatenated
/// into a key=value line unescaped, so text that contains line breaks or " Severity="
/// style fragments can make one record read as several - worth normalising before writing
/// if the messages can carry externally influenced content.
/// </remarks>
internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
    ErrorLogging_Level();
    if (!(Logging_Level_To_Report >= (int)LogSeverity))
    {
        return;
    }

    string err_msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SourceComputer=" + Settings.ComputerName + " Severity=" + Severity_Levels[(int)LogSeverity] + " MethodInCode=" + MethodInCode + " Message=" + msg + "\n";

    // Make sure the log file exists, then append.
    if (!File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
    {
        File.Create(Settings.GET_ErrorLog_Location).Close();
    }
    File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);

    // Every severity writes the same event text; only the writer differs.
    string eventText = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n";
    switch (LogSeverity)
    {
        case LogSeverity.Informataion:
            EventLog_SWELF.WRITE_Info_EventLog(eventText, eventID);
            break;
        case LogSeverity.Verbose:
            EventLog_SWELF.WRITE_Verbose_EventLog(eventText, eventID);
            break;
        case LogSeverity.Warning:
            EventLog_SWELF.WRITE_Warning_EventLog(eventText, eventID);
            break;
        case LogSeverity.FailureAudit:
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(eventText, eventID);
            break;
        case LogSeverity.Critical:
            EventLog_SWELF.WRITE_ERROR_EventLog(eventText, eventID);
            break;
        default:
            EventLog_SWELF.WRITE_Verbose_EventLog(eventText, eventID);
            break;
    }

    File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
}
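/// <summary>
/// Scans a PowerShell plugin script with AMSI and, when the result is below the detection
/// threshold, runs it with powershell and returns its standard output.
/// </summary>
/// <param name="PowershellSciptLocation">Full path of the script to run.</param>
/// <param name="PowershellSciptArgs">
/// Stored in the powershellSciptArgs field; NOT passed to the started process.
/// </param>
/// <returns>
/// The script's standard output (or, when that is empty, a "PS Plugin ERROR" line with the
/// standard error text); a "POSSIBLE MALWARE DETECTED" description when AMSI flags the
/// script; or a "not a valid file" message when the path does not exist.
/// </returns>
/// <remarks>
/// Changes in this revision:
///  - the detection message used the powershellSciptLocation FIELD, which is only assigned
///    on the clean path, so the critical log entry could name a previous script or nothing;
///    it now uses the parameter;
///  - the whitelist guard combined its two tests with ||, which let whitespace-only script
///    text through; it now requires non-whitespace content;
///  - the Process object is disposed;
///  - the two detection strings were split by a raw line break inside the literal.
/// NOTE(review): the script is started with "-ExecutionPolicy Bypass" and is re-read from
/// disk by powershell after the scan, so a change to the file between the scan and the
/// launch is not covered by the AMSI verdict. "powershell" is resolved by name, not by an
/// absolute path.
/// NOTE(review): only results of 32768 and above are refused; AMSI results in the
/// "blocked by administrator" range are lower than that and pass this check - confirm.
/// NOTE(review): standard error is redirected but only read when standard output is empty;
/// a script that fills the stderr pipe can block while this method waits on stdout.
/// </remarks>
internal static string Run_PS_Script(String PowershellSciptLocation, string PowershellSciptArgs = "")
{
    if (File_Operation.CHECK_if_File_Exists(PowershellSciptLocation))
    {
        ScriptContents = File_Operation.READ_AllText(PowershellSciptLocation);
        if (CallAntimalwareScanInterface(Get_SHA256(PowershellSciptLocation), ScriptContents) < 32768)
        {
            powershellSciptLocation = PowershellSciptLocation;
            powershellSciptArgs = PowershellSciptArgs;

            ProcessStartInfo startInfo = new ProcessStartInfo("powershell", "-ExecutionPolicy Bypass .\\" + Path.GetFileName(PowershellSciptLocation));
            startInfo.WorkingDirectory = Path.GetDirectoryName(PowershellSciptLocation);
            startInfo.RedirectStandardOutput = true;
            startInfo.RedirectStandardError = true;
            startInfo.LoadUserProfile = true;
            startInfo.UseShellExecute = false;
            startInfo.CreateNoWindow = true;

            string output;
            using (Process process = new Process())
            {
                process.StartInfo = startInfo;
                process.Start();
                output = process.StandardOutput.ReadToEnd();
                if (string.IsNullOrEmpty(output))
                {
                    output += "\nPS Plugin ERROR: " + process.StandardError.ReadToEnd();
                }
            }

            // The script's own text is whitelisted for both PowerShell logs so that running
            // the plugin does not report itself. Skip empty or whitespace-only content.
            if (string.IsNullOrWhiteSpace(ScriptContents) == false)
            {
                Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "microsoft-windows-powershell/operational" + "~");
                Settings.WhiteList_Search_Terms_Unparsed.Add(ScriptContents + "~" + "windows powershell" + "~");
            }
            return(output);
        }
        else
        {
            // Use the parameter: the powershellSciptLocation field has not been set for
            // this script on the detection path.
            string detection = "Script located at " + PowershellSciptLocation + " SHA256=" + Get_SHA256(PowershellSciptLocation) + ". Script is Malware according to AMSI. SWELF converted the contents to Base64 1 time for the purpose of the log size. Malware Script Contents = " + Base64Encode(ScriptContents);
            Error_Operation.Log_Error("Run_PS_Script() POSSIBLE MALWARE DETECTED", detection, "", Error_Operation.LogSeverity.Critical);
            return("POSSIBLE MALWARE DETECTED - " + detection);
        }
    }
    else
    {
        Error_Operation.Log_Error("Run_PS_Script()", PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName, "", Error_Operation.LogSeverity.Warning);
        return(PowershellSciptLocation + " is not a valid file on " + Settings.ComputerName);
    }
}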
// File path -> line number where the previous read left off.
private static Dictionary <string, int> ReadLocalFiles_Log_File_Tracking = new Dictionary <string, int>();

/// <summary>
/// Reads every file listed in the files-to-monitor file, deletes it and queues its
/// contents, prefixed with the current date/time, for forwarding.
/// </summary>
/// <remarks>
/// Failures are handled per file: an exception is logged at informational severity and the
/// loop moves on to the next path. The file is deleted before its content is queued, so
/// the in-memory queue holds the only copy afterwards. The paths come straight from the
/// monitor list; no filtering by name or location is applied here.
/// </remarks>
internal static void READ_Local_Log_Files()
{
    List<string> monitored = File_Operation.READ_File_In_List(File_Operation.GET_FilesToMonitor_Path()).ToList();
    foreach (string monitoredPath in monitored)
    {
        try
        {
            string logText = File_Operation.READ_AllText(monitoredPath);
            File.Delete(monitoredPath);
            FileContents_From_FileReads.Add("DateTime = " + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + logText);
        }
        catch (Exception e)
        {
            Error_Operation.Log_Error("READ_Local_Log_Files() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
        }
    }
}
/// <summary>
/// Replaces a local configuration file with the centrally managed copy, logs the change
/// and makes sure the new file is protected.
/// </summary>
/// <param name="WebPath">Location the central file is downloaded from.</param>
/// <param name="LocalPath">Local file that is replaced.</param>
/// <param name="FileName">Name used in the log message only.</param>
/// <remarks>
/// When Central_Config_File_Web_Cache is empty the file is downloaded with
/// Wclient.DownloadFile; otherwise the cached text is written. The log entry is written
/// under the name "GET_Central_Config_File()".
/// NOTE(review): the old file is deleted before the new content is obtained, so a failed
/// download leaves no local configuration. No integrity or authenticity check of the
/// downloaded content is visible in this method - confirm that the caller or the transport
/// provides one before the file is trusted.
/// </remarks>
internal static void UPDATE_Local_Config_With_Central_Config(string WebPath, string LocalPath, string FileName)
{
    bool nothingCached = string.IsNullOrEmpty(Central_Config_File_Web_Cache);

    // Remove the old config file in both cases.
    File_Operation.DELETE_File(LocalPath);
    if (nothingCached)
    {
        Wclient.DownloadFile(WebPath, LocalPath);
    }
    else
    {
        File_Operation.APPEND_AllTXT(LocalPath, Central_Config_File_Web_Cache);
    }

    // Record the change.
    Error_Operation.Log_Error("GET_Central_Config_File()", "Updated " + FileName + " from " + WebPath + ". It was downloaded to " + LocalPath, "", Error_Operation.LogSeverity.Verbose, Error_Operation.EventID.SWELF_Central_Config_Changed);

    bool alreadyProtected = File_Operation.CHECK_File_Encrypted(LocalPath);
    if (!alreadyProtected)
    {
        Crypto_Operation.Secure_File(LocalPath);
    }
}
/// <summary>
/// Loads the whitelist search terms, preferring the registry copy, then the file on disk,
/// and otherwise creating the default files and seeding the registry from them.
/// </summary>
/// <remarks>
/// When the terms come from the file (no registry copy), the file is deleted after it has
/// been read. ThreadsDone_Setup is incremented at the end in every case.
/// NOTE(review): the increment is a plain ++ on a shared counter; if several setup routines
/// really run on separate threads, as the name suggests, an update can be lost - confirm.
/// </remarks>
private static void RUN_Thread_Whitelist_SearchFile()
{
    bool registryCopyExists = Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents);
    if (registryCopyExists)
    {
        // Use the registry copy.
        string fromRegistry = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents);
        READ_WhiteList_Search_Terms_File(fromRegistry);
    }
    else if (File_Operation.CHECK_if_File_Exists(GET_WhiteList_SearchTermsFile_Path))
    {
        // No registry copy: read the file, then remove it.
        string fromFile = File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path);
        READ_WhiteList_Search_Terms_File(fromFile);
        File_Operation.DELETE_File(GET_WhiteList_SearchTermsFile_Path);
    }
    else
    {
        // Neither file nor registry: create the defaults, load them, and store them in the
        // registry for later runs. The file is read twice, as before.
        File_Operation.VERIFY_Search_Default_Files_Ready();
        READ_WhiteList_Search_Terms_File(File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path));
        string defaults = File_Operation.READ_AllText(GET_WhiteList_SearchTermsFile_Path);
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, defaults);
    }

    ThreadsDone_Setup++;
}
/// <summary>
/// Parses whitelist search terms from <paramref name="Contents"/> and appends them to
/// WhiteList_Search_Terms_Unparsed.
/// </summary>
/// <param name="Contents">Raw text of the whitelist file or of its registry copy.</param>
/// <remarks>
/// The text is split on SplitNewLine with empty entries removed. Lines that start with the
/// comment character or are whitespace-only are skipped; the rest are stored lower-cased
/// with carriage returns removed. On any exception the error is logged as critical and the
/// whitelist file is recreated with only its header comment.
/// </remarks>
private static void READ_WhiteList_Search_Terms_File(string Contents)
{
    try
    {
        foreach (string rawLine in Contents.Split(SplitNewLine, StringSplitOptions.RemoveEmptyEntries))
        {
            if (rawLine.StartsWith(CommentCharConfigs.ToString()) || String.IsNullOrWhiteSpace(rawLine))
            {
                continue;
            }

            string term = rawLine.Replace("\r", String.Empty).ToLower();
            WhiteList_Search_Terms_Unparsed.Add(term);
        }
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("READ_WhiteList_Search_Terms_File() ", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Critical);
        File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, Search_WhiteList_FileName, "#SearchTerm ~ EventLogName ~ EventID");
    }
}
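/// <summary>
/// Returns the SHA-256 digest, formatted by BitConverter.ToString, of either a protected
/// file's decrypted contents or of the given string itself.
/// </summary>
/// <param name="Value">
/// A file path or arbitrary text. When it names an existing file that CHECK_File_Encrypted
/// reports as encrypted, the decrypted contents are hashed (the file is not rewritten);
/// in every other case the string <paramref name="Value"/> itself is hashed.
/// </param>
/// <returns>Hex digest with '-' separators, as produced by BitConverter.ToString.</returns>
/// <remarks>
/// Change in this revision: the SHA256 instance is now disposed.
/// NOTE(review): when decryption fails, the catch block silently falls back to hashing the
/// path string, so a caller comparing digests cannot tell "hash of the contents" from
/// "hash of the path". Input is converted with CONVERT_To_ASCII_Bytes before hashing;
/// presumably characters outside ASCII are not preserved by that conversion - verify
/// against the helper if the hashed text can contain them.
/// </remarks>
internal static string Hash(string Value)
{
    using (var sha256 = SHA256.Create())
    {
        try
        {
            if (File_Operation.CHECK_if_File_Exists(Value) && (File_Operation.CHECK_File_Encrypted(Value)))
            {
                return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Decrypt_File_Contents(Value, false)))));
            }
            else
            {
                return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
            }
        }
        catch (Exception)
        {
            // Fall back to hashing the string itself; the failure is not logged.
            return(BitConverter.ToString(sha256.ComputeHash(CONVERT_To_ASCII_Bytes(Value))));
        }
    }
}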
/// <summary>
/// Resets SWELF to its default configuration: truncates the existing configuration files,
/// recreates them with default contents, rewrites the default registry keys and records
/// the reset as a FailureAudit entry.
/// </summary>
/// <remarks>
/// The whitelist file is recreated empty. The log entry is written under the name
/// "WRITE_Default_Configs()".
/// NOTE(review): the plugin whitelist path is neither truncated nor recreated here, and the
/// search whitelist is truncated but the plugin search file is recreated under
/// Plugin_Search_Location - confirm the set of files is complete.
/// </remarks>
internal static void WRITE_Default_Configs_Files_and_Reg()
{
    // Step 1: empty the current files.
    File_Operation.Turnicate_File(GET_AppConfigFile_Path);
    File_Operation.Turnicate_File(GET_EventLogID_PlaceHolder_Path);
    File_Operation.Turnicate_File(GET_SearchTermsFile_Path);
    File_Operation.Turnicate_File(GET_WhiteList_SearchTermsFile_Path);
    File_Operation.Turnicate_File(GET_SearchTermsFile_PLUGIN_Path);
    // Step 2: write the defaults (the fourth argument is true on every call).
    File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Config_File_Location, EventLogID_PlaceHolde_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Logs_Search_File_Contents, true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Search_File_Location, Search_WhiteList_FileName, "", true);
    File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents, true);
    // Step 3: registry defaults, then an audit record of the reset.
    Reg_Operation.WRITE_Default_SWELF_Reg_Keys();
    Error_Operation.Log_Error("WRITE_Default_Configs()", "SWELF created new default config files for all settings", "", Error_Operation.LogSeverity.FailureAudit);
}
/// <summary>
/// Parses PowerShell plugin search entries from <paramref name="Contents"/> and appends
/// them to Plugin_Search_Terms_Unparsed.
/// </summary>
/// <param name="Contents">Raw text of the plugin search file or of its registry copy.</param>
/// <remarks>
/// The text is split on SplitNewLine with empty entries removed. Lines that start with the
/// comment character or are whitespace-only are skipped; the rest are stored lower-cased
/// with carriage returns removed. Going by the header written in the error path, each entry
/// names a script path, a search term and script arguments, so this list decides which
/// scripts get run - the source of <paramref name="Contents"/> needs the same protection as
/// the scripts themselves. On any exception a FailureAudit event is written and the plugin
/// search file is recreated with only its header comment.
/// </remarks>
private static void READ_Powershell_SearchTerms(string Contents)
{
    try
    {
        foreach (string rawLine in Contents.Split(SplitNewLine, StringSplitOptions.RemoveEmptyEntries))
        {
            if (rawLine.StartsWith(CommentCharConfigs.ToString()) || String.IsNullOrWhiteSpace(rawLine))
            {
                continue;
            }

            string entry = rawLine.Replace("\r", String.Empty).ToLower();
            Plugin_Search_Terms_Unparsed.Add(entry);
        }
    }
    catch (Exception e)
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("READ_Powershell_SearchTerms() " + e.Message.ToString());
        File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, "#File Path to Powershell Script~ SearchTerm~ Powershell Script Arguments");
    }
}
/// <summary>
/// Loads the PowerShell plugin search entries, preferring the registry copy, then the file
/// on disk, and otherwise creating the default files and scripts and seeding the registry.
/// </summary>
/// <remarks>
/// When the entries come from the file (no registry copy), the file is deleted after it
/// has been read. ThreadsDone_Setup is incremented at the end in every case.
/// NOTE(review): the increment is a plain ++ on a shared counter; if the setup routines
/// really run on separate threads, as the name suggests, an update can be lost - confirm.
/// </remarks>
private static void RUN_Thread_Plugins()
{
    bool registryCopyExists = Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents);
    if (registryCopyExists)
    {
        // Use the registry copy.
        string fromRegistry = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents);
        READ_Powershell_SearchTerms(fromRegistry);
    }
    else if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_PLUGIN_Path))
    {
        // No registry copy: read the file, then remove it.
        string fromFile = File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path);
        READ_Powershell_SearchTerms(fromFile);
        File_Operation.DELETE_File(GET_SearchTermsFile_PLUGIN_Path);
    }
    else
    {
        // Neither file nor registry: create the defaults, load them, and store them in the
        // registry for later runs. The file is read twice, as before.
        File_Operation.VERIFY_Search_Default_Files_Ready();
        File_Operation.GET_Plugin_Scripts_Ready();
        READ_Powershell_SearchTerms(File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path));
        string defaults = File_Operation.READ_AllText(GET_SearchTermsFile_PLUGIN_Path);
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, defaults);
    }

    ThreadsDone_Setup++;
}
/// <summary>
/// Appends an already formatted message to the local error log and writes it to the SWELF
/// event log through the writer that matches <paramref name="LogSeverity"/>.
/// </summary>
/// <param name="msg">Text written as-is to both destinations.</param>
/// <param name="LogSeverity">Selects the event-log writer; unknown values use verbose.</param>
/// <param name="eventID">Event id passed to the event-log writer.</param>
/// <remarks>
/// Unlike the four-parameter overload, this one applies no logging-level filter. The error
/// log is created when missing and its size is checked before the event-log write.
/// </remarks>
private static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
    // Make sure the log file exists, then append.
    if (!File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
    {
        File.Create(Settings.GET_ErrorLog_Location).Close();
    }
    File.AppendAllText(Settings.GET_ErrorLog_Location, msg);

    File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);

    switch (LogSeverity)
    {
        case LogSeverity.Informataion:
            EventLog_SWELF.WRITE_Info_EventLog(msg, eventID);
            break;
        case LogSeverity.Verbose:
            EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            break;
        case LogSeverity.Warning:
            EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID);
            break;
        case LogSeverity.FailureAudit:
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(msg, eventID);
            break;
        case LogSeverity.Critical:
            EventLog_SWELF.WRITE_ERROR_EventLog(msg, eventID);
            break;
        default:
            EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            break;
    }
}
/// <summary>
/// Writes the de-duplicated hash and IP lists collected from event logs to their output
/// files, merging in whatever the existing output files already contain.
/// </summary>
/// <remarks>
/// Each list is processed only when its app-config argument is present
/// (Settings.SWELF_AppConfig_Args[12] for hashes, [11] for IPs). Failures are logged at
/// informational severity. The hash output is written inside the try block, so a failed
/// merge skips it; the IP output is written after the try block and therefore runs even
/// when the merge failed.
/// </remarks>
private static void Write_HashFile_IPsFile()
{
    bool hashOutputEnabled = Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]);
    if (hashOutputEnabled)
    {
        try
        {
            if (File_Operation.CHECK_if_File_Exists(Settings.Hashs_File_Path))
            {
                File_Operation.CHECK_File_Size(Settings.Hashs_File_Path, .0002);

                // Merge the hashes already on disk, then collapse duplicates.
                var hashesOnDisk = File_Operation.READ_File_In_List(Settings.Hashs_File_Path).Distinct().ToList();
                Settings.Hashs_From_EVT_Logs.AddRange(hashesOnDisk);
                Settings.Hashs_From_EVT_Logs = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
            }

            File_Operation.Write_Hash_Output(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
        }
        catch (Exception e)
        {
            Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[12] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
        }
    }

    bool ipOutputEnabled = Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]);
    if (ipOutputEnabled)
    {
        try
        {
            if (File_Operation.CHECK_if_File_Exists(Settings.IPs_File_Path))
            {
                File_Operation.CHECK_File_Size(Settings.IPs_File_Path, .0002);

                // Merge the addresses already on disk, then collapse duplicates.
                var addressesOnDisk = File_Operation.READ_File_In_List(Settings.IPs_File_Path).Distinct().ToList();
                Settings.IP_List_EVT_Logs.AddRange(addressesOnDisk);
                Settings.IP_List_EVT_Logs = Settings.IP_List_EVT_Logs.Distinct().ToList();
            }
        }
        catch (Exception e)
        {
            Error_Operation.Log_Error("Write_HashFile_IPsFile()", Settings.SWELF_AppConfig_Args[11] + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
        }

        File_Operation.Write_IP_Output(Settings.IP_List_EVT_Logs.Distinct().ToList());
    }
}
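/// <summary>
/// Sends every line of the local error log to the configured log forwarders and, when the
/// clean-up condition holds, replaces the error log with an empty file.
/// </summary>
/// <remarks>
/// Nothing is sent when any forwarder host is "127.0.0.1" or when any host entry is null or
/// empty. Any exception is reported through Settings.Log_Storage_Location_Unavailable.
/// Change in this revision: Settings.Logs_Sent_to_ALL_Collectors used to be overwritten by
/// each line's result, so only the LAST line decided whether the log counted as delivered
/// and could be deleted. It is now true only when every line was sent. An empty log leaves
/// the flag untouched, as before.
/// NOTE(review): the clean-up condition is (sent AND file exists) OR app-config argument
/// [15] present - made explicit with parentheses below. With that argument set, the error
/// log is deleted even when delivery failed, which loses the only local record; the
/// matching check in Start_Send_File_Based_Logs combines the same terms with AND. Confirm
/// which one is intended.
/// </remarks>
internal static void SEND_Errors_To_Central_Location()
{
    try
    {
        string[] Errors = File.ReadAllLines(Settings.GET_ErrorLog_Location);
        if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
        {
            if (Errors.Length > 0)
            {
                bool everyLineSent = true;
                for (int x = 0; x < Errors.Length; ++x)
                {
                    // &= rather than a short-circuit: every line is still attempted after
                    // an earlier one failed.
                    everyLineSent &= Log_Network_Forwarder.SEND_Logs(Errors[x], Settings.GET_ErrorLog_Location, true);
                }
                Settings.Logs_Sent_to_ALL_Collectors = everyLineSent;
            }

            if ((Settings.Logs_Sent_to_ALL_Collectors && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location)) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
            {
                File_Operation.DELETE_File(Settings.GET_ErrorLog_Location);
                File.Create(Settings.GET_ErrorLog_Location).Close();
            }
        }
    }
    catch (Exception e)
    {
        Settings.Log_Storage_Location_Unavailable("SEND_Errors_To_Central_Location() " + e.Message.ToString());
    }
}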
/// <summary>
/// Live mode: after the pre-run security checks and the administrator check succeed, runs
/// setup, starts the plugin and local-log-file readers on background threads, then reads,
/// searches and forwards event logs, sends file-based logs and writes the hash/IP files.
/// </summary>
/// <remarks>
/// When either check fails, the program stops through Settings.Stop with the critical-error
/// exit code. Dissolve and the stored-error flush run afterwards in both cases.
/// NOTE(review): the wait loop tests READ_Local_LogFiles_Thread.IsAlive twice and never
/// tests PS_Plugins_Thread, and it only keeps waiting while the reader thread is NOT alive.
/// A reader that is still running therefore ends the wait immediately and both threads are
/// then aborted, which can cut off plugin runs and file reads part-way (files already
/// deleted by the reader are not restored). Confirm the intended condition.
/// NOTE(review): Program_Start_Args.ElementAt(0) throws when no arguments were passed.
/// </remarks>
private static void Start_Live_Process()
{
    if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
    {
        // "-dissolve" is honoured only when the SWELF event log does not exist and the
        // error log file does.
        if (Program_Start_Args.ElementAt(0).ToLower().Equals("-dissolve") && Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name) == false && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
        {
            Settings.CMDLine_Dissolve = true;
        }
        Start_Setup();
        // Both workers are lowest-priority background threads.
        Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
        PS_Plugins_Thread.IsBackground = true;
        PS_Plugins_Thread.Priority = ThreadPriority.Lowest;
        PS_Plugins_Thread.Start();
        Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
        READ_Local_LogFiles_Thread.IsBackground = true;
        READ_Local_LogFiles_Thread.Priority = ThreadPriority.Lowest;
        READ_Local_LogFiles_Thread.Start();
        // Polls every 10 seconds; see the review note above about this condition.
        while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive)
        {
            Thread.Sleep(10000);
        }
        PS_Plugins_Thread.Abort();
        READ_Local_LogFiles_Thread.Abort();
        Start_Read_Search_Write_Forward_EventLogs();
        Start_Send_File_Based_Logs();
        Write_HashFile_IPsFile();
    }
    else
    {
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
    }
    if (Settings.CMDLine_Dissolve)
    {
        Settings.Dissolve();
    }
    Error_Operation.WRITE_Stored_Errors();
}
/// <summary>
/// Asks File_Operation.CREATE_NEW_Files_And_Dirs to prepare the error log, passing the
/// SWELF log directory and the error file name.
/// </summary>
private static void GET_ErrorLog_Ready()
{
    var LogDirectory = SWELF_Log_File_Location;
    var ErrorLogName = ErrorFile_FileName;

    File_Operation.CREATE_NEW_Files_And_Dirs(LogDirectory, ErrorLogName);
}
/// <summary>
/// Builds one key=value error line and records it: first in the local error log, then
/// (when the configured reporting level allows it) in the event log and at the collector,
/// and finally in <c>Data_Store.ErrorsLog</c>.
/// </summary>
/// <param name="MethodNameInCode">Written as the Error_MethodInCode value.</param>
/// <param name="Message">Written as the Error_Message value.</param>
/// <param name="StackDetails">Appended to the message as Stack_Info only when the logging level is "verbose".</param>
/// <param name="LogSeverity">Index into Severity_Levels; also compared with Logging_Level_To_Report.</param>
/// <param name="eventID">Passed through to WRITE_Errors_To_EventLog.</param>
/// <remarks>
/// No exception from the individual sinks escapes their try blocks; each failure is appended
/// to the entry as an "Additional_ERROR" note instead.
/// NOTE(review): Message and StackDetails are concatenated unmodified. If they can contain line
/// breaks, one call produces several lines in the error log, which matters to any consumer that
/// parses the log line by line -- consider neutralizing CR/LF at this boundary.
/// </remarks>
internal static void Log_Error(string MethodNameInCode, string Message, string StackDetails, LogSeverity LogSeverity, EventID eventID = 0)
{
    bool IsVerbose = Settings.Logging_Level_To_Report.ToLower() == "verbose";
    if (IsVerbose)
    {
        Message = Message + " Stack_Info=" + StackDetails;
    }

    string Entry = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format)
        + " SourceComputer=" + Settings.ComputerName
        + " Severity=" + Severity_Levels[(int)LogSeverity]
        + " Error_MethodInCode=" + MethodNameInCode
        + " Error_Message=" + Message + "\n";

    // Every entry goes to the local error log first, whatever its severity.
    try
    {
        File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
        File_Operation.APPEND_AllTXT(Settings.GET_ErrorLog_Location, Entry);
    }
    catch (Exception)
    {
        Entry = APPEND_To_Fallback_ErrorFile(Entry);
    }

    if (Logging_Level_To_Report <= (int)LogSeverity)
    {
        Entry = WRITE_EventLog_Or_Fallback(MethodNameInCode, Message, LogSeverity, eventID, Entry);

        // Forward the entry to the collector; on failure note it and write the event log again.
        try
        {
            Log_Network_Forwarder.SEND_SINGLE_LOG(Entry);
        }
        catch (Exception ForwardFailure)
        {
            Entry += "\nAdditional_ERROR: " + ForwardFailure.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write error to Event Log";
            Entry = WRITE_EventLog_Or_Fallback(MethodNameInCode, Message, LogSeverity, eventID, Entry);
        }
    }

    Data_Store.ErrorsLog.Add(Entry);
}

// Appends the entry to a randomly named file in the SWELF log directory; when that also fails,
// returns the entry with a note about the failed local write appended.
private static string APPEND_To_Fallback_ErrorFile(string Entry)
{
    try
    {
        File_Operation.APPEND_AllTXT(Settings.SWELF_Log_File_Location + "\\" + Path.GetRandomFileName() + "_" + Settings.ErrorFile_FileName, Entry);
    }
    catch (Exception WriteFailure)
    {
        Entry += "\nAdditional_ERROR: " + WriteFailure.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to a local file on this system at " + Settings.GET_ErrorLog_Location;
    }
    return Entry;
}

// Writes the error to the event log; on failure notes that in the entry and tries the fallback file.
private static string WRITE_EventLog_Or_Fallback(string MethodNameInCode, string Message, LogSeverity LogSeverity, EventID eventID, string Entry)
{
    try
    {
        WRITE_Errors_To_EventLog(MethodNameInCode, Message, LogSeverity, eventID);
    }
    catch (Exception EventLogFailure)
    {
        Entry += "\nAdditional_ERROR: " + EventLogFailure.Message.ToString() + " " + Settings.SWELF_PROC_Name + " was unable to write this error to the event log on this system";
        Entry = APPEND_To_Fallback_ErrorFile(Entry);
    }
    return Entry;
}
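/// <summary>
/// Reports whether the local config file has the same SHA-256 as the central copy at
/// <paramref name="HTTP_File_Path"/>. The central hash is taken from
/// <c>Settings.Central_Config_Hashs</c> when cached there; otherwise the file is downloaded,
/// hashed and the hash is cached.
/// </summary>
/// <param name="HTTP_File_Path">URI of the central config file; also the cache key.</param>
/// <param name="Local_File_Path">Path of the local copy to compare.</param>
/// <returns>
/// <c>true</c> when both hashes are equal; <c>false</c> when they differ, when the local file
/// does not exist, or when any exception occurs (the exception is logged, not rethrown).
/// </returns>
/// <remarks>
/// The reference hash is computed from what the same URI serves, so a match shows the local
/// copy equals the served copy. It does not authenticate the content beyond what the transport
/// provides; for a plain http:// URI that is nothing.
/// </remarks>
internal static bool VERIFY_Central_File_Config_Hash(string HTTP_File_Path, string Local_File_Path)
{
    string HTTPFileHash;
    string LocalFileHash;
    try
    {
        // The cast throws for any URI scheme that does not yield an HttpWebRequest (for example
        // file: or ftp:), which ends in the catch below and returns false.
        // NOTE(review): the properties set on `request` are not visibly applied to the download,
        // which goes through CustomWebClient -- confirm that class sets equivalent values
        // (no auto-redirect, timeout).
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(HTTP_File_Path);
        request.AllowAutoRedirect = false;
        request.UnsafeAuthenticatedConnectionSharing = false;
        request.Timeout = 150000;

        // ServicePointManager settings are process-wide, not per request.
        ServicePointManager.Expect100Continue = true;
        // NOTE(review): revocation checking stays disabled as before; enabling it requires the
        // host to reach the CA's CRL/OCSP endpoints -- confirm whether that is possible here.
        ServicePointManager.CheckCertificateRevocationList = false;
        // Security fix: negotiate TLS 1.2 only. SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (RFC 8996)
        // are deprecated, and offering them lets the config download be downgraded to a weak protocol.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        using (CustomWebClient response = new CustomWebClient())
        {
            if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path))
            {
                // Use the cached hash.
                HTTPFileHash = Settings.Central_Config_Hashs[HTTP_File_Path];
            }
            else
            {
                // No cached hash: download the file, keep its text in the web cache and hash it.
                Central_Config_File_Web_Cache = Crypto_Operation.CONVERT_To_String_From_Bytes(response.DownloadData(HTTP_File_Path), 2);
                using (var sha256 = SHA256.Create())
                {
                    HTTPFileHash = BitConverter.ToString(sha256.ComputeHash(Encoding.UTF8.GetBytes(Central_Config_File_Web_Cache)));
                }
                if (Settings.Central_Config_Hashs.ContainsKey(HTTP_File_Path) == false)
                {
                    Settings.Central_Config_Hashs.Add(HTTP_File_Path, HTTPFileHash);
                }
            }

            // Without a local copy there is nothing to compare.
            if (File_Operation.CHECK_if_File_Exists(Local_File_Path) == false)
            {
                return false;
            }

            using (var sha2562 = SHA256.Create())
            {
                LocalFileHash = BitConverter.ToString(sha2562.ComputeHash(Encoding.UTF8.GetBytes(File_Operation.READ_AllText(Local_File_Path))));
            }

            return HTTPFileHash == LocalFileHash;
        }
    }
    catch (Exception e)
    {
        Error_Operation.WRITE_Errors_To_Log("VERIFY_Central_File_Config_Hash()", e.Message.ToString() + " " + HTTP_File_Path + " " + Local_File_Path, Error_Operation.LogSeverity.Informataion);
        return false;
    }
    finally
    {
        // NOTE(review): Wclient is declared outside this method and is disposed on every call --
        // confirm it is recreated before its next use.
        Wclient.Dispose();
    }
}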
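/// <summary>
/// Ensures HKLM\Software\SWELF exists and writes the default SWELF values under
/// BASE_SWELF_KEY, each one wrapped by <c>Crypto_Operation.Protect_Data_Value</c>.
/// </summary>
/// <remarks>
/// NOTE(review): the values include the Generate_Decrypt() result and the full contents of the
/// app-config and search-terms files. Their confidentiality and integrity depend on what
/// Protect_Data_Value does and on the ACL of the key, neither of which is visible here.
/// CreateSubKey is called without explicit security, so the key takes the permissions of
/// HKLM\Software -- confirm that unprivileged users cannot read or change these values.
/// </remarks>
internal static void WRITE_Default_SWELF_Reg_Keys()
{
    // The handle is only needed to create the key. The original never closed it; the using
    // block closes it even if a SetValue call throws. All writes go through BASE_SWELF_KEY.
    using (Microsoft.Win32.RegistryKey key = Microsoft.Win32.Registry.LocalMachine.CreateSubKey("Software\\SWELF"))
    {
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.First_Run].ToString(), Crypto_Operation.Protect_Data_Value("true"));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter].ToString(), Crypto_Operation.Protect_Data_Value("127.0.0.1"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_1].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_2].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_3].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_4].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.LogCollecter_5].ToString(), Encryptions.Protect_Data_Value("127.0.0.1"));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Encryption].ToString(), Crypto_Operation.Protect_Data_Value(Crypto_Operation.Generate_Decrypt()));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.logging_level].ToString(), Crypto_Operation.Protect_Data_Value(Settings.Logging_Level_To_Report));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.output_format].ToString(), Crypto_Operation.Protect_Data_Value("keyvalue"));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_Current_Version].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_Version));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_CWD].ToString(), Crypto_Operation.Protect_Data_Value(Settings.SWELF_CWD));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SWELF_FAILED_SEC_CHECK].ToString(), Crypto_Operation.Protect_Data_Value("false"));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_app_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_plugin_search_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
        // BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_search_config].ToString(), Crypto_Operation.Protect_Data_Value(""));
        //BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.central_whitelist_search_config].ToString(),Crypto_Operation.Protect_Data_Value(""));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_CreationDate].ToString(), Crypto_Operation.Protect_Data_Value(File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path)));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.ConsoleAppConfig_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path)));
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.SearchTerms_File_Contents], Crypto_Operation.Protect_Data_Value(File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path)));
        // DateTime.Now.ToString() uses the current culture, so the stored text varies with the host's regional settings.
        BASE_SWELF_KEY.SetValue(SWELF_Keys[(int)REG_KEY.Logs_Last_Sent], Crypto_Operation.Protect_Data_Value(DateTime.Now.ToString()));
    }
}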