
Feature/add remote computer live analysis #31 #56

Merged
merged 12 commits into from
Oct 13, 2021

Conversation

oginoPmP
Collaborator

@oginoPmP oginoPmP commented Oct 5, 2021

Added the RemoteLiveAnalysis feature.
When `-RemoteAnalysis` is specified, Get-RemoteComputerInfo is used to collect the required information and test the connection, following this flow:

  1. Enter the remote machine name (IP or host name) (Read-Host)
  2. Enter the credentials (Get-Credential)
  3. Connection test (Test-WSMan)
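The three-step flow described above, written out as an added PowerShell example; this is not the PR's own Get-RemoteComputerInfo code, and the function names, the returned object and the Invoke-Command-based read of the two log files LiveAnalysis targets are assumptions.

```powershell
# Added example, not WELA's code. Function names are hypothetical.
function Get-RemoteAnalysisTarget {
    [CmdletBinding()]
    param(
        # Optional: skip the Read-Host prompt when the name is already known
        [string]$ComputerName,
        [pscredential]$Credential
    )

    # 1. Remote machine name (IP or host name)
    if (-not $ComputerName) {
        $ComputerName = Read-Host -Prompt 'Remote machine name (IP or host name)'
    }
    if ([string]::IsNullOrWhiteSpace($ComputerName)) {
        throw 'No remote machine name was given.'
    }

    # 2. Credentials (Get-Credential returns $null when the prompt is cancelled)
    if (-not $Credential) {
        $Credential = Get-Credential -Message "Credentials for $ComputerName"
    }
    if (-not $Credential) {
        throw 'No credentials were given.'
    }

    # 3. Connection test. Test-WSMan only confirms that WinRM answers; when
    #    -Credential is supplied, -Authentication is mandatory and the supplied
    #    account is verified as well.
    try {
        $wsman = Test-WSMan -ComputerName $ComputerName -Credential $Credential `
                            -Authentication Default -ErrorAction Stop
    } catch {
        throw "WinRM connection test to '$ComputerName' failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        Credential     = $Credential
        ProductVersion = $wsman.ProductVersion   # WinRM stack version string
    }
}

# Read the same two logs LiveAnalysis uses, but on the remote host over WinRM.
# Keeping the Get-WinEvent call inside Invoke-Command means only the selected
# events cross the network, not the whole .evtx.
function Get-RemoteLogonEvents {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$MaxEvents = 1000
    )
    # Channel names: "%4" in the .evtx file name corresponds to "/" in the log name
    $logs = @(
        'Security',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        param($LogNames, $Max)
        foreach ($log in $LogNames) {
            try {
                Get-WinEvent -LogName $log -MaxEvents $Max -ErrorAction Stop |
                    Select-Object TimeCreated, Id, LogName, Message
            } catch {
                # An empty log raises NoMatchingEventsFound; report it and continue
                Write-Warning "${log}: $($_.Exception.Message)"
            }
        }
    } -ArgumentList $logs, $MaxEvents
}

# Usage:
# $target = Get-RemoteAnalysisTarget
# Get-RemoteLogonEvents -ComputerName $target.ComputerName -Credential $target.Credential
```

Without -Credential, Test-WSMan succeeds as soon as the WinRM listener replies, so it can pass for an account that is later refused when reading the Security log; passing the credential to the test catches that earlier.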

@oginoPmP oginoPmP changed the title Feature/add remote computer live analysis_#31 Feature/add remote computer live analysis #31 Oct 5, 2021
@oginoPmP
Collaborator Author

oginoPmP commented Oct 5, 2021

I am attaching the execution result from creating a LogonTimeline against a specified remote machine (Windows 10).
As with LiveAnalysis, the following event log files are the analysis targets:

  • Security.evtx
  • Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

RemoteLiveAnalysis_01

RemoteLiveAnalysis_02

@hitenkoku hitenkoku self-assigned this Oct 6, 2021
Collaborator

@hitenkoku hitenkoku left a comment


Reviewed. The condition in the Execution-Policy part concerns me a little, so please check it.

@hitenkoku hitenkoku self-requested a review October 10, 2021 14:12
@oginoPmP oginoPmP closed this Oct 12, 2021
@oginoPmP oginoPmP deleted the Feature/Add_RemoteComputerLiveAnalysis_#31 branch October 12, 2021 16:23
@oginoPmP oginoPmP restored the Feature/Add_RemoteComputerLiveAnalysis_#31 branch October 12, 2021 16:46
@oginoPmP
Collaborator Author

closed #31
Removed the check, because the host machine's Execution-Policy setting does not affect the operation of this tool.

@oginoPmP oginoPmP reopened this Oct 12, 2021
Collaborator

@hitenkoku hitenkoku left a comment


Reviewed. I think there are no problems.

@hitenkoku hitenkoku merged commit 7603652 into Yamato-Security:feature/create-detection-framework#28 Oct 13, 2021
@hitenkoku hitenkoku deleted the Feature/Add_RemoteComputerLiveAnalysis_#31 branch October 13, 2021 14:25
hitenkoku added a commit that referenced this pull request Nov 2, 2021
* create framework
separate util function #28

* create SIGMA Rule Read Framework #28

* create framework add ntlm logon sigma rule test
Fixes #28

* fix rule stack #28

* add detection call fix other script call #28

* erase duplicate process

* fix add-rule template & erase debug print #28

* add SIGMA Powershell Code(not adjust WELA)

* add SIGMA rule adjust WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* add SIGMA rule translated WELA Framework #28

* moved categorize folder

* adjust multi rule

* fix detected message

* checked powershell category rules #28

* fix error

* moved dir checked process creation category #28

* checked rules and adjust multi rules #28

* moved SIGMA rule to category directory #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed head comment out

* fixed head comment out

* fixed lacked if case

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* replace sigmac powershell convert result

* fixed lacked rule copy #28

* fixed lacked rule copy #28

* fixed sigmac translate error #28

* fix lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* fixed lacked copy rule #28

* unification detectedMessage variable expression

* unification detectedMessage variable expression

* change format to multi detect rules #28

* fixed syntax error #28

* add param and help #28

* erased duplicate file to not execute same detection check

* fix output detail to Rules/SIGMA #21 #28

* erase unnecessary liveanalysis parameter #28

* erase unnecessary liveanalysis param #28

* due to remove liveanalysis argument from add-rule

* added DeepBlueCLI Util Function #30

* add DeepBlueCLI Rule(4688-ProcessCreate) #30

* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert) #30

* add DeepBlueCLI Rule(4720-ProcessCreate) #30

* add providername condition and fix error #30

* fix index to creator and fix func check-command argumentation #30

* fixed multi record process #30

* fixed adjust multi record #30

* fixed adjust multi record in 4688DeepblueRule #30

* add DeepBlueCLI RULE(4728_4732_4756) #30

* remove unnecessary foreach

* add DeepBlueCLI Rule(4625)

* rename 4625

* fixed lacked extension 4625

* erased unnecessary if

* add DeepBlueCLI Rule(4673 Security) #30

* add DeepBlueCLI Rule(4674 Security) #30

* add 4624 and 4628 password spray attack WELA Rule

* fix file name

* fix filename and event ID in passwordsprayattack

* adjust argument dateformat

* add DeepBlueCLI Rule(1102 Security) #30

* fix typo

* fixed where object search providername #30

* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30

* add DeepBlueCLI Rule(104 System) #30

* add DeepBlueCLI Rule(7030 System) #30

* add DeepBlueCLI Rule(7036 System) #30

* add DeepBlueCLI Rule(7040 System) #30

* add DeepBlueCLI Rule(2 Application) #30

* erase omission of copied data

* add DeepBlueCLI Rule(8003 Applocker) #30

* fix detected message

* add DeepBlueCLI Rule(8004 Applocker) #30

* add DeepBlueCLI Rule(4103 PowerShell) #30

* add DeepBlueCLI Rule(4104 PowerShell) #30

* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30

* add DeepBlueCLI Rule(7 Sysmon) #30

* change scope when execute rule #21 #28 #30

* fix syntax error #21 #28

* erased unnecessary module load #21 #28 #30

* remove duplicate process when resolve conflict merge main

merge log 17f4f13

* fix autoformatter change

* fix autoformat

* remove unnecessary global variable #28

* fix autoformatting

* add parameter to scriptblock

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix single escape sequence

* fix Wrong Filter WELA-Rules #30
change ProviderName to LogName

* fix single escape sequence

* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event

* fix detect output format

* fix argumentation in detect function on Rules #21 #28 #30

* add contributors accounts

* fix UseDetectRule output color

* fix function call error

* add Get-WinEvent exception warning output #48

* fix if statement condition

* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30

* erase test output

* fix error when SaveOutput is Null #49

* fix rulename and detected message in 7045-servicecreated

* comment out output executing rule name

* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28

WELA-Rule:All Completed
SIGMA :20 Completed

* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30

WELA-Rule:All Completed
SIGMA: All Completed

* lacked DeepBlueCLI Result object #30

* add recurse property to Logdirectory file search

* add regexes and whitelists and error fix on utils.ps1 #30

- add regexes and whitelist
- fix error check when commandline is null

* fix event variable is wrong #30

* erase debug output

* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30

* fix error

- lacked variable call to set_item method
- lacked converting firstdetecttime to DateTime type

* fixed for loop

* Fixed saveoutput case #49

* changed no output executerule case of UseDetectRules is 0 #28

* removed debug output

* changed no output executerule case of UseDetectRules is 0 #28

* fix LogonTimeline outputflag lacked initialize  in WELA #51

* fix cmdlet is not verb

* get rid of lint warn #37

* fix case of 0 divide in LogonTimeline #52

* output change no match logon record #53

- add output case of no match in get-winevent

- removed output logon output when LogonEvents count is 0

* output filename in EventIDStatistics mode #54

* removed duplicate filesize output #54

* fix output header evtx files in LogDirectory in EventIDStatistics mode #55

* changed Output Format on DeepBlueCLI Rule #30

* fixed powershell invoke deepbluecli rule logname wrong #30

* fixed lacked count on DeepblueCLI Rule(4625) #30

* erase debug output

* fixed error occurring module import error

* commented converted powershell

* fix rule import argument

* fixed rule singlequote error

* fix double quote lack error

* commented converted powershell

* fixed lacked get-winevent remove

* fixed lack of convert escape sequence in match

* fix result output write-host to write-output

* fix output rule import error to write-host

* fix lacked arg in write-output when output empty row

* adapt formatter

* Feature/add remote computer live analysis #31 (#56)

* Add_RDP_analysis_#14

* Add RemoteLiveAnalysis function

* Add remote machine analysis

* Add Help Messages

* Update subtitle

* Remove the process of checking the execution-policy.

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>

* adapt formatter

* fix rule condition

change match to eq

* used arraylist add method

* remove unnecessary process

* fixed check command return

* fixed error output condition case of logfile specified and not liveanalysis is false

* fixed detection process due sorted difference from DeepBlueCLI

* fixed lacked argument call check-command

* adapt formatter

* add DeepBlueCLI passspray detection logic

* fixed passwordguess detection logic #28

* moved show-contributors to utils.ps1

* default servicecd value set

* fixed lacked initialize

* fixed null result output

* fixed typo fixed

* AV to read SIGMA mimikatz Rule

* add IDs

* fixed mimikatz detection check script blocked by AMSI

* fixed result is null execution case

* fixed not exist registry value error

* fixed read template ps1 file

* fixed process view #28

* fixed null check

* fixed match rule

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
hitenkoku added a commit that referenced this pull request Nov 3, 2021
* fixed match contents #21

* comment out debug write-out statement

Co-authored-by: ogino <59769602+oginoPmP@users.noreply.github.com>
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
YamatoSecurity added a commit that referenced this pull request Dec 24, 2021

3 participants