/// <summary>
/// Extracts the source process image path from a Sysmon network-connection
/// event (Microsoft-Windows-Sysmon/Operational, Event ID 3) into
/// <c>Sysmon_Src_Process</c>.
/// </summary>
/// <returns>
/// The value of <c>Sysmon_Src_Process</c>; if decompression or parsing throws,
/// the field is reset to an empty string and that empty string is returned.
/// </returns>
// NOTE(review): the middle of this method (between the delimiter array and the
// trailing Replace call) was redacted in the copy under review ("******"), so
// the exact extraction logic is not visible here. It presumably mirrors
// GET_Sysmon_Netwrok_Calling_Process_Name_Dst_Port (split on the two labels,
// take element [1], strip "\r\n") — confirm against the original file.
private string GET_Sysmon_Network_Process_Name()
{
    try
    {
        // Event data is stored compressed; inflate it before parsing.
        string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);
        // Only Sysmon network-connection events carry the "image: " field wanted here.
        // LogName.ToLower() is culture-sensitive (e.g. "I" under tr-TR); an ordinal
        // ignore-case comparison would be safer.
        if (Eventdata.Contains("image: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
        {
            string[] delm1 = { "image: ", "user: "******"\r\n", ""); } }
        Eventdata = null;
        return(Sysmon_Src_Process);
    }
    catch (Exception e)
    {
        // Best-effort parser: any failure (including an out-of-range split
        // index) is swallowed and the process name is reported as unknown.
        return(Sysmon_Src_Process = "");
    }
}
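/// <summary>
/// Extracts the destination port of a Sysmon network-connection event
/// (Microsoft-Windows-Sysmon/Operational, Event ID 3) into
/// <c>Sysmon_DST_Port</c>.
/// </summary>
/// <returns>
/// <c>Sysmon_DST_Port</c> after extraction. The field is left unchanged when
/// this event is not a Sysmon EID 3 or has no "destinationport: " label, and is
/// reset to "" when the label is present but the value cannot be isolated or
/// when decompression throws.
/// </returns>
private string GET_Sysmon_Netwrok_Calling_Process_Name_Dst_Port()
{
    try
    {
        string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);
        // Ordinal comparison: the channel name is an identifier, not text, and
        // ToLower() is culture-sensitive (e.g. "I" under tr-TR would never match).
        bool isSysmonNetworkEvent = EventID == 3
            && string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase);
        if (isSysmonNetworkEvent && Eventdata.Contains("destinationport: "))
        {
            // The port value sits between these two labels; splitting on both
            // leaves it as element [1] (element [0] is the preceding event text).
            string[] delm1 = { "destinationport: ", "destinationportname: " };
            string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries);
            if (datA.Length > 1 && !string.IsNullOrEmpty(datA[1]))
            {
                Sysmon_DST_Port = datA[1].Replace("\r\n", "");
            }
            else
            {
                // Explicit guard instead of letting an IndexOutOfRangeException
                // fall into the catch below; the outcome (port reset) is the same.
                Sysmon_DST_Port = "";
            }
        }
        return Sysmon_DST_Port;
    }
    catch (Exception)
    {
        // Best-effort parser: a malformed or undecompressible event must not
        // abort collection, so the failure is swallowed and the port is unknown.
        return Sysmon_DST_Port = "";
    }
}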
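/// <summary>
/// Scans this event's text for hostnames when the hostname/IP-collection option
/// (<c>SWELF_AppConfig_Args[11]</c>) is enabled. Both match branches are still
/// stubs ("//add hostname"), so this method currently records nothing; it only
/// performs the scan.
/// </summary>
internal void GET_HostName_FromLogFile()
{
    // Decompression happens before the option check (as in the original), so a
    // corrupt payload surfaces even when hostname collection is disabled.
    string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);
    // One entry per event-text segment, de-duplicated and sorted.
    List<string> EventlogDataSegment = Eventdata
        .Split(Settings.EventLogEntry_splitter, StringSplitOptions.RemoveEmptyEntries)
        .Distinct()
        .ToList();
    EventlogDataSegment.Sort();
    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
    {
        // Evaluated once: this condition depends on the whole event, not on the
        // current segment. Ordinal comparison because ToLower() is
        // culture-sensitive (e.g. "I" under tr-TR).
        bool isSysmonNetworkEvent = EventID == 3
            && string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase)
            && Eventdata.Contains("destinationhostname: ");
        foreach (string line in EventlogDataSegment)
        {
            if (isSysmonNetworkEvent)
            {
                // NOTE(review): both delimiters are "destinationhostname: ", so the
                // value is not terminated at the following label; the second entry
                // was probably meant to be the next field's label (compare the
                // "destinationip: " / "destinationhostname: " pair in
                // GET_IP_FromLogFile). Left as-is pending confirmation.
                string[] delm1 = { "destinationhostname: ", "destinationhostname: " };
                string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries);
                if (datA.Length > 1 && !string.IsNullOrEmpty(datA[1]))
                {
                    //add hostname
                }
            }
            else if (Settings.Hostname_RegX.IsMatch(line) && line.Contains('.') && line.Contains('\\') == false && string.IsNullOrEmpty(line) == false)
            {
                // A segment that looks like a dotted hostname and not a path.
                //add hostname
            }
        }
    }
    EventlogDataSegment.Clear();
}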
/// <summary>
/// Records destination IPs (paired with the connecting image) from Sysmon
/// network-connection events (Microsoft-Windows-Sysmon/Operational, Event ID 3)
/// into <c>Settings.IP_List_EVT_Logs</c>, when the collection option
/// <c>SWELF_AppConfig_Args[11]</c> is enabled.
/// </summary>
// NOTE(review): part of the "destinationip: " branch was redacted in the copy
// under review ("******"), so the exact Add() call on that path is not visible;
// from the surviving tail it appears to add "<image>,<destinationip>" — confirm
// against the original file.
internal void GET_IP_FromLogFile()
{
    // LogName.ToLower() is culture-sensitive (e.g. "I" under tr-TR); an ordinal
    // ignore-case comparison would be safer.
    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]) && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
    {
        string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);
        // One entry per event-text segment, de-duplicated and sorted.
        List <string> EventlogDataSegment = Eventdata.Split(Settings.EventLogEntry_splitter, StringSplitOptions.RemoveEmptyEntries).ToList();
        EventlogDataSegment = EventlogDataSegment.Distinct().ToList();
        EventlogDataSegment.Sort();
        foreach (string line in EventlogDataSegment)
        {
            // This test is on the whole event, not on `line`, so it gives the same
            // answer on every iteration.
            if (Eventdata.Contains("destinationip: "))
            {
                string[] delm1 = { "destinationip: ", "destinationhostname: " };
                string[] datA_IP = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
                if (datA_IP[1].Length > 0 && (!string.IsNullOrEmpty(datA_IP[1])))
                {
                    if (Eventdata.Contains("image: "))
                    {
                        string[] delm2 = { "image: " };
                        string[] delm3 = { "user: "******"\r\n", "") + "," + datA_IP[1].Replace("\r\n", "")); } } } }
            else if (Settings.IP_RegX.IsMatch(line) && line.Contains('.') && line.Contains('\\') == false && string.IsNullOrEmpty(line) == false)
            {
                // Fallback: a segment that looks like an IP address and not a path.
                // The image (if present) is added as its own entry, then the IP.
                if (Eventdata.Contains("image: "))
                {
                    string[] delm2 = { "image: " };
                    string[] datA_img = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray();
                    if (datA_img[1].Length > 0 && (!string.IsNullOrEmpty(datA_img[1])))
                    {
                        Settings.IP_List_EVT_Logs.Add(datA_img[1].Replace("\r\n", ""));
                    }
                }
                Settings.IP_List_EVT_Logs.Add(line);
            }
        }
        EventlogDataSegment.Clear();
        Eventdata = null;
    }
}
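/// <summary>
/// Collects file hashes carried by this event into
/// <c>Settings.Hashs_From_EVT_Logs</c>, when the hash-collection option
/// (<c>SWELF_AppConfig_Args[12]</c>) is enabled.
/// </summary>
/// <remarks>
/// Sources: the "hashes: " field of Sysmon process-create (EID 1) events, the
/// "hashes: " field of Sysmon driver-load (EID 6) events, and — for every event
/// that is not a Sysmon EID 6 — each token matched by
/// <c>Settings.SHA256_RegX</c>. An EID 1 event therefore contributes both its
/// "hashes: " field and its regex matches; that is the original behaviour and
/// is kept here.
/// </remarks>
internal void GET_FileHash()
{
    if (!Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]))
    {
        return;
    }
    string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);
    // Ordinal comparison: ToLower() is culture-sensitive (e.g. "I" under tr-TR).
    bool isSysmon = string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase);
    bool hasHashesField = Eventdata.Contains("hashes: ");

    if (hasHashesField && isSysmon && EventID == 1)
    {
        // The hash list sits between "hashes: " and the next label.
        string[] delm1 = { "hashes: ", "parentprocessguid: " };
        string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries);
        // Index guard: there is no try/catch here, so a malformed event would
        // otherwise throw out of the collector.
        if (datA.Length > 1 && !string.IsNullOrEmpty(datA[1]))
        {
            Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", ""));
        }
    }

    if (hasHashesField && isSysmon && EventID == 6)
    {
        string[] delm1 = { "hashes: ", "signed: " };
        string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries);
        if (datA.Length > 1 && !string.IsNullOrEmpty(datA[1]))
        {
            Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", ""));
        }
    }
    else
    {
        // FIX: the original declared the loop variable as MatchCollection, but
        // enumerating a MatchCollection yields Match objects — that cast throws
        // InvalidCastException at runtime (or fails to compile on targets where
        // MatchCollection implements IEnumerable<Match>), so this fallback never
        // produced a hash. Match.Value is the matched text (what ToString() gave).
        foreach (Match matchedHash in Settings.SHA256_RegX.Matches(Eventdata))
        {
            Settings.Hashs_From_EVT_Logs.Add(matchedHash.Value);
        }
    }
}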
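/// <summary>
/// Builds the "Target-CommandLine" / "Parent-CommandLine" summary for this event
/// from whichever channel-specific field carries the command line, and stores it
/// in <c>CommandLineArgs</c> and <c>CommandLineArgLength</c>; the raw values go
/// to <c>ChildCMDLine</c> / <c>ParentCMDLine</c>.
/// </summary>
/// <returns>
/// The summary string, "" when no recognised field is present. If decompression
/// or parsing throws, the partially built string is returned and none of the
/// fields above are updated (as in the original).
/// </returns>
private string GET_CMDLineArgs()
{
    string commandLine = "";
    try
    {
        // Events without a compressed payload are kept verbatim in evntdata;
        // otherwise the stored payload must be inflated first.
        string Eventdata = (EVT_Data_Size <= 0 || EVT_Data_Compressed == null)
            ? evntdata
            : Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

        if (Eventdata.Contains("Creator Process Name: ") && LogName_Is("security"))
        {
            // FIX: the original compared LogName.ToLower() with "Security" (capital
            // S), which can never be equal, so this branch was unreachable.
            // NOTE(review): the mixed-case label and the "Token " terminator do not
            // match the lowercase labels parsed by the other branches — verify
            // against real Security-channel event text before relying on it.
            string value = Field_Between(Eventdata, "Creator Process Name: ", "Token ");
            if (value != null && value.Length > commandLine.Length)
            {
                commandLine = "\nTarget-CommandLine: " + value;
                ChildCMDLine = value;
            }
        }
        else if (LogName_Is("microsoft-windows-sysmon/operational"))
        {
            // "parentcommandline: " also contains "commandline: "; the split takes
            // the text after the FIRST occurrence, which in Sysmon field order is
            // the process's own command line (terminated by "currentdirectory: ").
            if (Eventdata.Contains("commandline: "))
            {
                string value = Field_Between(Eventdata, "commandline: ", "currentdirectory: ");
                if (value != null && value.Length > commandLine.Length)
                {
                    commandLine = "\nTarget-CommandLine: " + value;
                    ChildCMDLine = value;
                }
            }
            if (Eventdata.Contains("parentcommandline: "))
            {
                // An empty second delimiter is ignored by Split, so the value runs
                // to the end of the event text. The length test is kept as written
                // in the original.
                string value = Field_Between(Eventdata, "parentcommandline: ", "");
                if (value != null && (value.Length + "Target-CommandLine: ".Length) > commandLine.Length)
                {
                    commandLine += "\nParent-CommandLine: " + value;
                    ParentCMDLine = value;
                }
            }
        }
        else if (Eventdata.Contains("commandline= ") && LogName_Is("windows powershell"))
        {
            string value = Field_Between(Eventdata, "commandline= ", "details: ");
            if (value != null && value.Length > commandLine.Length)
            {
                commandLine = "\nTarget-CommandLine: " + value;
                ChildCMDLine = value;
            }
        }
        else if (Eventdata.Contains("process command line: ") && LogName_Is("microsoft-windows-security-auditing") && EventID == 4688)
        {
            string value = Field_Between(Eventdata, "process command line: ", "token elevation type ");
            if (value != null && value.Length > commandLine.Length)
            {
                commandLine = "\nTarget-CommandLine: " + value;
                // NOTE(review): this branch stores the value in ParentCMDLine although
                // it is labelled "Target-CommandLine" and every other branch uses
                // ChildCMDLine for that label; looks like a copy/paste slip, kept
                // as-is because consumers of ParentCMDLine may depend on it.
                ParentCMDLine = value;
            }
        }

        if (commandLine.Length > 1)
        {
            // NOTE(review): this appends an empty "Parent-CommandLine: " label even
            // when the Sysmon branch already appended a populated one, so the
            // summary then ends with the label twice. Kept as in the original.
            commandLine += "\nParent-CommandLine: ";
        }
        CommandLineArgLength = commandLine.Length;
        CommandLineArgs = commandLine;
        return commandLine;
    }
    catch (Exception)
    {
        // Best-effort parser: return whatever was assembled before the failure.
        return commandLine;
    }
}

/// <summary>
/// Culture-independent, case-insensitive test of <c>LogName</c> against a
/// channel/provider name (ToLower() would be culture-sensitive, e.g. under tr-TR).
/// </summary>
private bool LogName_Is(string channel)
{
    return string.Equals(LogName, channel, StringComparison.OrdinalIgnoreCase);
}

/// <summary>
/// Splits <paramref name="text"/> on <paramref name="start"/> and
/// <paramref name="end"/> (dropping empty pieces) and returns the second piece —
/// normally the text between the first <paramref name="start"/> and the next
/// delimiter — or null when fewer than two pieces result. An empty
/// <paramref name="end"/> is ignored by Split, so the piece then runs to the
/// end of the text. This reproduces the original "Split(...)[1]" extraction
/// with an explicit bounds check instead of an IndexOutOfRangeException.
/// </summary>
private static string Field_Between(string text, string start, string end)
{
    string[] parts = text.Split(new[] { start, end }, StringSplitOptions.RemoveEmptyEntries);
    return parts.Length > 1 ? parts[1] : null;
}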