        /// <summary>
        /// Reads the text after the "image: " label of a Sysmon network-connection event
        /// (Event ID 3) into <c>Sysmon_Src_Process</c> and returns it.
        /// </summary>
        /// <returns>
        /// <c>Sysmon_Src_Process</c> after parsing; <c>""</c> (also written back to the field)
        /// when decompression or parsing threw.
        /// </returns>
        private string GET_Sysmon_Network_Process_Name()
        {
            try
            {
                string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

                // NOTE(review): ToLower().Equals() is culture-sensitive and throws when LogName is null
                // (the throw is swallowed below); string.Equals(..., StringComparison.OrdinalIgnoreCase)
                // would avoid both.
                if (Eventdata.Contains("image: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
                {
                    // NOTE(review): the rest of this branch is mangled in the listing ("******" replaced
                    // the original text), so the exact label list and the segment it reads cannot be
                    // recovered here. Sibling methods read segment [1] of the split without a length
                    // check; if this one does the same, the check should be added.
                    string[] delm1 = { "image: ", "user: "******"\r\n", "");
                    }
                }
                Eventdata = null;
                return(Sysmon_Src_Process);
            }
            catch (Exception e)
            {
                // Best-effort parser: any failure resets the field and returns an empty name.
                return(Sysmon_Src_Process = "");
            }
        }
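        /// <summary>
        /// Extracts the destination port of a Sysmon network-connection event (Event ID 3) into
        /// <c>Sysmon_DST_Port</c>.
        /// </summary>
        /// <returns>
        /// <c>Sysmon_DST_Port</c> after parsing: the port text when this event carried one, the
        /// field's previous value when it did not, or <c>""</c> (also written back to the field)
        /// when decompression or parsing threw.
        /// </returns>
        private string GET_Sysmon_Netwrok_Calling_Process_Name_Dst_Port()
        {
            try
            {
                string eventData = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

                // Ordinal, case-insensitive compare replaces LogName.ToLower().Equals(...): it is
                // culture-independent and does not throw when LogName is null.
                bool isSysmonNetworkEvent = EventID == 3
                    && string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase);

                if (eventData.Contains("destinationport: ") && isSysmonNetworkEvent)
                {
                    // The port is the text between these two field labels in the rendered event.
                    string[] fieldLabels = { "destinationport: ", "destinationportname: " };
                    string[] segments = eventData.Split(fieldLabels, StringSplitOptions.RemoveEmptyEntries);

                    // Length check: the original indexed [1] unconditionally, so an event ending right
                    // after the label threw IndexOutOfRangeException and reset the field to "".
                    if (segments.Length > 1 && !string.IsNullOrEmpty(segments[1]))
                    {
                        Sysmon_DST_Port = segments[1].Replace("\r\n", "");
                    }
                }
                return Sysmon_DST_Port;
            }
            catch (Exception)
            {
                // Best-effort parser: any other failure (e.g. decompression) resets the field and
                // returns an empty port.
                return Sysmon_DST_Port = "";
            }
        }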
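        /// <summary>
        /// Scans the event text for host-name candidates. Both match branches are still the
        /// original placeholders (<c>//add hostname</c>), so nothing is recorded yet.
        /// </summary>
        /// <remarks>
        /// Runs only when <c>Settings.SWELF_AppConfig_Args[11]</c> is present in the app config.
        /// Sysmon network-connection events (Event ID 3) are parsed by field label; any other event
        /// is split into segments and each segment is tested against <c>Settings.Hostname_RegX</c>.
        /// </remarks>
        internal void GET_HostName_FromLogFile()
        {
            // Gate before doing any work: the original decompressed and split the event and then
            // discarded the result when the app-config argument was absent.
            if (!Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
            {
                return;
            }

            string eventData = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

            // Ordinal, case-insensitive compare replaces LogName.ToLower().Equals(...): it is
            // culture-independent and does not throw when LogName is null.
            bool isSysmonNetworkEvent = EventID == 3
                && string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase);

            if (isSysmonNetworkEvent && eventData.Contains("destinationhostname: "))
            {
                // This test did not depend on the loop variable in the original, so every segment
                // took this branch and repeated the same split; do it once instead. A single label
                // is equivalent to the original pair (it listed "destinationhostname: " twice).
                string[] fieldLabels = { "destinationhostname: " };
                string[] segments = eventData.Split(fieldLabels, StringSplitOptions.RemoveEmptyEntries);

                // Length check: the original indexed [1] with no try/catch, so an event ending right
                // after the label threw IndexOutOfRangeException to the caller.
                if (segments.Length > 1 && !string.IsNullOrEmpty(segments[1]))
                {
                    //add hostname
                }
                return;
            }

            // Unique, sorted segments of the event text.
            List<string> eventSegments = eventData
                .Split(Settings.EventLogEntry_splitter, StringSplitOptions.RemoveEmptyEntries)
                .Distinct()
                .ToList();
            eventSegments.Sort();

            foreach (string line in eventSegments)
            {
                // Candidate host name: matches the configured pattern, contains a dot and is not a
                // backslash-qualified token.
                if (!string.IsNullOrEmpty(line)
                    && Settings.Hostname_RegX.IsMatch(line)
                    && line.Contains('.')
                    && !line.Contains('\\'))
                {
                    //add hostname
                }
            }
            eventSegments.Clear();
        }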
        /// <summary>
        /// Collects destination addresses (and, in the branches that read "image: ", the text after
        /// that label) from a Sysmon network-connection event (Event ID 3) into
        /// <c>Settings.IP_List_EVT_Logs</c>.
        /// </summary>
        /// <remarks>
        /// Runs only when <c>Settings.SWELF_AppConfig_Args[11]</c> is present in the app config.
        /// </remarks>
        internal void GET_IP_FromLogFile()
        {
            // NOTE(review): ToLower().Equals() is culture-sensitive and throws when LogName is null;
            // string.Equals(..., StringComparison.OrdinalIgnoreCase) is the culture-independent form.
            if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]) && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
            {
                string Eventdata = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

                // Unique, sorted segments of the event text, split on the configured separator.
                List <string> EventlogDataSegment = Eventdata.Split(Settings.EventLogEntry_splitter, StringSplitOptions.RemoveEmptyEntries).ToList();
                EventlogDataSegment = EventlogDataSegment.Distinct().ToList();
                EventlogDataSegment.Sort();

                foreach (string line in EventlogDataSegment)
                {
                    // This test does not depend on `line`, so every segment takes the same branch and
                    // the split below is repeated once per segment with the same result.
                    if (Eventdata.Contains("destinationip: "))
                    {
                        // The address is the text between "destinationip: " and "destinationhostname: ".
                        string[] delm1 = { "destinationip: ", "destinationhostname: " };

                        string[] datA_IP = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();

                        // NOTE(review): datA_IP[1] is read without a length check and there is no
                        // try/catch here, so an event ending right after the label throws
                        // IndexOutOfRangeException to the caller.
                        if (datA_IP[1].Length > 0 && (!string.IsNullOrEmpty(datA_IP[1])))
                        {
                            if (Eventdata.Contains("image: "))
                            {
                                string[] delm2     = { "image: " };
                                // NOTE(review): the next line is mangled in the listing ("******" replaced
                                // the original text); only the trailing Add of "<text>,<address>" can be
                                // inferred from what survives.
                                string[] delm3     = { "user: "******"\r\n", "") + "," + datA_IP[1].Replace("\r\n", ""));
                                }
                            }
                        }
                    }
                    // Segment matches the configured address pattern, contains a dot and no backslash.
                    else if (Settings.IP_RegX.IsMatch(line) && line.Contains('.') && line.Contains('\\') == false && string.IsNullOrEmpty(line) == false)
                    {
                        if (Eventdata.Contains("image: "))
                        {
                            string[] delm2 = { "image: " };

                            string[] datA_img = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray();

                            // NOTE(review): same unchecked [1] index as above.
                            if (datA_img[1].Length > 0 && (!string.IsNullOrEmpty(datA_img[1])))
                            {
                                // NOTE(review): this adds the text after "image: " (not an address) to
                                // IP_List_EVT_Logs — confirm that is intended.
                                Settings.IP_List_EVT_Logs.Add(datA_img[1].Replace("\r\n", ""));
                            }
                        }
                        Settings.IP_List_EVT_Logs.Add(line);
                    }
                }
                EventlogDataSegment.Clear();
                Eventdata = null;
            }
        }
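        /// <summary>
        /// Collects file hashes from the event text into <c>Settings.Hashs_From_EVT_Logs</c>: the
        /// "hashes: " field of Sysmon process-create (Event ID 1) and driver-load (Event ID 6)
        /// events, otherwise every SHA-256 string matched by <c>Settings.SHA256_RegX</c>.
        /// </summary>
        /// <remarks>
        /// Runs only when <c>Settings.SWELF_AppConfig_Args[12]</c> is present in the app config.
        /// The branch layout is kept from the original: the regex fallback is chained only to the
        /// Event ID 6 branch, so an Event ID 1 event is also scanned by the regex and its SHA-256
        /// may be added a second time — confirm whether that is intended.
        /// </remarks>
        internal void GET_FileHash()
        {
            if (!Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]))
            {
                return;
            }

            string eventData = Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

            // Ordinal, case-insensitive compare replaces LogName.ToLower().Equals(...): it is
            // culture-independent and does not throw when LogName is null.
            bool isSysmonEvent = string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase);
            bool hasHashesField = eventData.Contains("hashes: ");

            if (hasHashesField && isSysmonEvent && EventID == 1)
            {
                // Process Create: the hashes sit between "hashes: " and "parentprocessguid: ".
                string[] fieldLabels = { "hashes: ", "parentprocessguid: " };
                string[] segments = eventData.Split(fieldLabels, StringSplitOptions.RemoveEmptyEntries);

                // Length check: the original indexed [1] with no try/catch, so an event ending right
                // after the label threw IndexOutOfRangeException to the caller.
                if (segments.Length > 1 && !string.IsNullOrEmpty(segments[1]))
                {
                    Settings.Hashs_From_EVT_Logs.Add(segments[1].Replace("\r\n", ""));
                }
            }

            if (hasHashesField && isSysmonEvent && EventID == 6)
            {
                // Driver Loaded: the hashes sit between "hashes: " and "signed: ".
                string[] fieldLabels = { "hashes: ", "signed: " };
                string[] segments = eventData.Split(fieldLabels, StringSplitOptions.RemoveEmptyEntries);

                if (segments.Length > 1 && !string.IsNullOrEmpty(segments[1]))
                {
                    Settings.Hashs_From_EVT_Logs.Add(segments[1].Replace("\r\n", ""));
                }
            }
            else
            {
                // Run the regex once (the original evaluated it twice: once for Count, once to
                // iterate) and enumerate Match objects — the original declared the loop variable as
                // MatchCollection, which fails with InvalidCastException on the first match.
                foreach (Match matchedHash in Settings.SHA256_RegX.Matches(eventData))
                {
                    Settings.Hashs_From_EVT_Logs.Add(matchedHash.Value);
                }
            }
        }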
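        /// <summary>
        /// Builds the "Target-CommandLine" / "Parent-CommandLine" annotation for this event from the
        /// command-line fields of Security, Sysmon, Windows PowerShell and Security-Auditing 4688
        /// event text. Stores the result in <c>CommandLineArgs</c> / <c>CommandLineArgLength</c>
        /// and the raw values in <c>ChildCMDLine</c> / <c>ParentCMDLine</c>.
        /// </summary>
        /// <returns>
        /// The annotation text (<c>""</c> when no field matched), or whatever had been assembled
        /// when an exception was thrown — the catch swallows it, as in the original.
        /// </returns>
        private string GET_CMDLineArgs()
        {
            string commandLine = "";

            try
            {
                // Use the uncompressed copy when there is nothing to decompress.
                string eventData = (EVT_Data_Size <= 0 || EVT_Data_Compressed == null)
                    ? evntdata
                    : Compression_Operation.DeCompress_Contents_String(EVT_Data_Compressed, EVT_Data_Size);

                // Ordinal, case-insensitive compares replace LogName.ToLower().Equals(...): they are
                // culture-independent and do not throw when LogName is null. For the Security log
                // this is also a fix: the original compared the lowercased name with "Security"
                // (capital S), which can never be equal, so that branch was unreachable.
                if (eventData.Contains("Creator Process Name: ")
                    && string.Equals(LogName, "Security", StringComparison.OrdinalIgnoreCase))
                {
                    string target = Segment_After_Label(eventData, new[] { "Creator Process Name: ", "Token " });
                    if (!string.IsNullOrEmpty(target) && target.Length > commandLine.Length)
                    {
                        commandLine  = "\nTarget-CommandLine: " + target;
                        ChildCMDLine = target;
                    }
                }
                else if (string.Equals(LogName, "microsoft-windows-sysmon/operational", StringComparison.OrdinalIgnoreCase))
                {
                    if (eventData.Contains("commandline: "))
                    {
                        string target = Segment_After_Label(eventData, new[] { "commandline: ", "currentdirectory: " });
                        if (!string.IsNullOrEmpty(target) && target.Length > commandLine.Length)
                        {
                            commandLine  = "\nTarget-CommandLine: " + target;
                            ChildCMDLine = target;
                        }
                    }
                    if (eventData.Contains("parentcommandline: "))
                    {
                        // Single label: everything after "parentcommandline: " is the value. The
                        // original listed "" as a second separator, which String.Split ignores.
                        string parent = Segment_After_Label(eventData, new[] { "parentcommandline: " });
                        if (!string.IsNullOrEmpty(parent)
                            && parent.Length + "Target-CommandLine: ".Length > commandLine.Length)
                        {
                            commandLine  += "\nParent-CommandLine: " + parent;
                            ParentCMDLine = parent;
                        }
                    }
                }
                else if (eventData.Contains("commandline= ")
                    && string.Equals(LogName, "windows powershell", StringComparison.OrdinalIgnoreCase))
                {
                    // The split label carries two spaces after '=' while the guard above checks for
                    // one; kept as in the original.
                    string target = Segment_After_Label(eventData, new[] { "commandline=  ", "details: " });
                    if (!string.IsNullOrEmpty(target) && target.Length > commandLine.Length)
                    {
                        commandLine  = "\nTarget-CommandLine: " + target;
                        ChildCMDLine = target;
                    }
                }
                else if (eventData.Contains("process command line: ")
                    && string.Equals(LogName, "microsoft-windows-security-auditing", StringComparison.OrdinalIgnoreCase)
                    && EventID == 4688)
                {
                    string target = Segment_After_Label(eventData, new[] { "process command line:  ", "token elevation type " });
                    if (!string.IsNullOrEmpty(target) && target.Length > commandLine.Length)
                    {
                        commandLine   = "\nTarget-CommandLine: " + target;
                        // Stored in ParentCMDLine (not ChildCMDLine) as in the original — confirm.
                        ParentCMDLine = target;
                    }
                }

                // Kept from the original: an empty "Parent-CommandLine: " label is appended whenever
                // anything matched, even after the Sysmon branch already wrote a parent line.
                if (commandLine.Length > 1)
                {
                    commandLine += "\nParent-CommandLine: ";
                }
                CommandLineArgLength = commandLine.Length;
                CommandLineArgs      = commandLine;
                return commandLine;
            }
            catch (Exception)
            {
                // Best-effort: the caller gets whatever was assembled before the failure; the
                // CommandLineArgs / CommandLineArgLength fields are left untouched on this path.
                return commandLine;
            }
        }

        /// <summary>
        /// Splits <paramref name="text"/> on <paramref name="fieldLabels"/> (empty entries dropped)
        /// and returns the second segment — normally the text that follows the first label up to the
        /// next one — or <c>null</c> when the split yields fewer than two segments. Replaces the
        /// unchecked <c>datA[1]</c> reads of the original, which threw IndexOutOfRangeException.
        /// </summary>
        /// <param name="text">Event text to search.</param>
        /// <param name="fieldLabels">Field labels that delimit the wanted value.</param>
        /// <returns>The value segment, or <c>null</c> when absent.</returns>
        private static string Segment_After_Label(string text, string[] fieldLabels)
        {
            string[] segments = text.Split(fieldLabels, StringSplitOptions.RemoveEmptyEntries);
            return segments.Length > 1 ? segments[1] : null;
        }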