-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
4,942 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
/* | ||
* Author: @n0dec | ||
* License: GNU General Public License v3.0 | ||
* | ||
*/ | ||
|
||
namespace MalwLess | ||
{ | ||
using System; | ||
using Newtonsoft.Json.Linq; | ||
|
||
public static class PowerShellClass | ||
{ | ||
public static void WritePowerShellEvent(string category, JToken payload, JToken config) | ||
{ | ||
switch(category) | ||
{ | ||
case "4103": | ||
writeEventID_4103(payload, config); | ||
break; | ||
case "4104": | ||
writeEventID_4104(payload, config); | ||
break; | ||
default: | ||
Console.WriteLine("Category not supported"); | ||
break; | ||
} | ||
} | ||
|
||
static void writeEventID_4103(JToken payload, JToken config){ | ||
string ContextInfo = payload.Value<string>("ContextInfo") ?? config["ContextInfo"].ToString(); | ||
string UserData = payload.Value<string>("UserData") ?? config["UserData"].ToString(); | ||
string Payload = payload.Value<string>("Payload") ?? config["Payload"].ToString(); | ||
|
||
if(!PowerShell.Namespace.MicrosoftWindowsPowerShell_PROVIDER.EventWriteEventID_4103(ContextInfo, UserData, Payload)) | ||
Console.WriteLine("Error: Writing event"); | ||
|
||
} | ||
|
||
static void writeEventID_4104(JToken payload, JToken config){ | ||
int MessageNumber = payload.Value<int?>("MessageNumber") ?? (int)config["MessageNumber"];; | ||
int MessageTotal = payload.Value<int?>("MessageTotal") ?? (int)config["MessageTotal"];; | ||
string ScriptBlockText = payload.Value<string>("ScriptBlockText") ?? config["ScriptBlockText"].ToString(); | ||
string ScriptBlockId = payload.Value<string>("ScriptBlockId") ?? config["ScriptBlockId"].ToString(); | ||
string Path = payload.Value<string>("Path") ?? config["Path"].ToString(); | ||
|
||
if(!PowerShell.Namespace.MicrosoftWindowsPowerShell_PROVIDER.EventWriteEventID_4104(MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path)) | ||
Console.WriteLine("Error: Writing event"); | ||
|
||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,170 @@ | ||
/* | ||
* Author: @n0dec | ||
* License: GNU General Public License v3.0 | ||
* | ||
*/ | ||
|
||
namespace PowerShell.Namespace | ||
{ | ||
using System; | ||
using System.Diagnostics.Eventing; | ||
using System.Runtime.InteropServices; | ||
|
||
public static class MicrosoftWindowsPowerShell_PROVIDER | ||
{ | ||
// | ||
// Provider Microsoft-Windows-PowerShell Event Count 2 | ||
// | ||
|
||
internal static EventProviderVersionTwo m_provider = new EventProviderVersionTwo(new Guid("a0c1853b-5c40-4b15-8766-3cf1c58f985a")); | ||
// | ||
// Task : eventGUIDs | ||
// | ||
|
||
// | ||
// Event Descriptors | ||
// | ||
private static EventDescriptor EventID_4103; | ||
private static EventDescriptor EventID_4104; | ||
|
||
|
||
static MicrosoftWindowsPowerShell_PROVIDER() | ||
{ | ||
unchecked | ||
{ | ||
EventID_4103 = new EventDescriptor(0x1007, 0x1, 0x10, 0x4, 0x14, 0x6A, (long)0x0); | ||
EventID_4104 = new EventDescriptor(0x1008, 0x1, 0x10, 0x3, 0xf, 0x2, (long)0x0); | ||
} | ||
} | ||
|
||
|
||
// | ||
// Event method for EventID_4103 | ||
// | ||
public static bool EventWriteEventID_4103(string ContextInfo, string UserData, string Payload) | ||
{ | ||
|
||
if (!m_provider.IsEnabled()) | ||
{ | ||
return true; | ||
} | ||
|
||
return m_provider.TemplateEventID_4103_Template(ref EventID_4103, ContextInfo, UserData, Payload); | ||
} | ||
|
||
// | ||
// Event method for EventID_4104 | ||
// | ||
public static bool EventWriteEventID_4104(int MessageNumber, int MessageTotal, string ScriptBlockText, string ScriptBlockId, string Path) | ||
{ | ||
|
||
if (!m_provider.IsEnabled()) | ||
{ | ||
return true; | ||
} | ||
|
||
return m_provider.TemplateEventID_4104_Template(ref EventID_4104, MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path); | ||
} | ||
} | ||
|
||
internal class EventProviderVersionTwo : EventProvider | ||
{ | ||
internal EventProviderVersionTwo(Guid id) | ||
: base(id) | ||
{} | ||
|
||
|
||
[StructLayout(LayoutKind.Explicit, Size = 16)] | ||
private struct EventData | ||
{ | ||
[FieldOffset(0)] | ||
internal UInt64 DataPointer; | ||
[FieldOffset(8)] | ||
internal uint Size; | ||
[FieldOffset(12)] | ||
internal int Reserved; | ||
} | ||
|
||
|
||
|
||
internal unsafe bool TemplateEventID_4103_Template( | ||
ref EventDescriptor eventDescriptor, | ||
string ContextInfo, | ||
string UserData, | ||
string Payload | ||
) | ||
{ | ||
int argumentCount = 3; | ||
bool status = true; | ||
|
||
if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) | ||
{ | ||
byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; | ||
EventData* userDataPtr = (EventData*)userData; | ||
|
||
userDataPtr[0].Size = (uint)(ContextInfo.Length + 1)*sizeof(char); | ||
|
||
userDataPtr[1].Size = (uint)(UserData.Length + 1)*sizeof(char); | ||
|
||
userDataPtr[2].Size = (uint)(Payload.Length + 1)*sizeof(char); | ||
|
||
fixed (char* a0 = ContextInfo, a1 = UserData, a2 = Payload) | ||
{ | ||
userDataPtr[0].DataPointer = (ulong)a0; | ||
userDataPtr[1].DataPointer = (ulong)a1; | ||
userDataPtr[2].DataPointer = (ulong)a2; | ||
status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); | ||
} | ||
} | ||
|
||
return status; | ||
|
||
} | ||
|
||
|
||
|
||
internal unsafe bool TemplateEventID_4104_Template( | ||
ref EventDescriptor eventDescriptor, | ||
int MessageNumber, | ||
int MessageTotal, | ||
string ScriptBlockText, | ||
string ScriptBlockId, | ||
string Path | ||
) | ||
{ | ||
int argumentCount = 5; | ||
bool status = true; | ||
|
||
if (IsEnabled(eventDescriptor.Level, eventDescriptor.Keywords)) | ||
{ | ||
byte* userData = stackalloc byte[sizeof(EventData) * argumentCount]; | ||
EventData* userDataPtr = (EventData*)userData; | ||
|
||
userDataPtr[0].DataPointer = (UInt64)(&MessageNumber); | ||
userDataPtr[0].Size = (uint)(sizeof(int) ); | ||
|
||
userDataPtr[1].DataPointer = (UInt64)(&MessageTotal); | ||
userDataPtr[1].Size = (uint)(sizeof(int) ); | ||
|
||
userDataPtr[2].Size = (uint)(ScriptBlockText.Length + 1)*sizeof(char); | ||
|
||
userDataPtr[3].Size = (uint)(ScriptBlockId.Length + 1)*sizeof(char); | ||
|
||
userDataPtr[4].Size = (uint)(Path.Length + 1)*sizeof(char); | ||
|
||
fixed (char* a0 = ScriptBlockText, a1 = ScriptBlockId, a2 = Path) | ||
{ | ||
userDataPtr[2].DataPointer = (ulong)a0; | ||
userDataPtr[3].DataPointer = (ulong)a1; | ||
userDataPtr[4].DataPointer = (ulong)a2; | ||
status = WriteEvent(ref eventDescriptor, argumentCount, (IntPtr)(userData)); | ||
} | ||
} | ||
|
||
return status; | ||
|
||
} | ||
|
||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
/* | ||
* Author: @n0dec | ||
* License: GNU General Public License v3.0 | ||
* | ||
*/ | ||
|
||
using System; | ||
using System.IO; | ||
using Newtonsoft.Json; | ||
using Newtonsoft.Json.Linq; | ||
|
||
namespace MalwLess | ||
{ | ||
class Program | ||
{ | ||
public static void Main(string[] args) | ||
{ | ||
string file_name = ""; | ||
string json_file = ""; | ||
|
||
Utils.printHeader(); | ||
|
||
if(!Utils.isElevated()){ | ||
Console.WriteLine("[!] Run it as Administrator."); | ||
Environment.Exit(-1); | ||
} | ||
|
||
try{ | ||
if (args.Length == 0){ | ||
file_name = "rule_test.json"; | ||
}else{ | ||
if(args[0] == "-r"){ | ||
file_name = args[1]; | ||
} | ||
} | ||
if(File.Exists(file_name)){ | ||
json_file = File.ReadAllText(file_name); | ||
}else{ | ||
Console.WriteLine("File not found!"); | ||
Console.WriteLine("Check the MST default rule set on: https://github.com/n0dec/MalwLess/blob/master/rule_test.json"); | ||
Environment.Exit(-1); | ||
} | ||
|
||
JObject rule_test = JObject.Parse(json_file); | ||
JToken sysmon_config = getDefaultConfig("conf\\Sysmon.json"); | ||
JToken powershell_config = getDefaultConfig("conf\\PowerShell.json"); | ||
|
||
Console.WriteLine("[Rule test file]: " + file_name); | ||
Console.WriteLine("[Rule test name]: " + rule_test["name"]); | ||
Console.WriteLine("[Rule test version]: " + rule_test["version"]); | ||
Console.WriteLine("[Rule test author]: " + rule_test["author"]); | ||
Console.WriteLine("[Rule test description]: " + rule_test["description"]); | ||
Console.WriteLine(""); | ||
|
||
if(!rule_test["rules"].HasValues){ | ||
Console.WriteLine("No rules detected. Exiting..."); | ||
Environment.Exit(-1); | ||
} | ||
|
||
foreach(var rule in rule_test["rules"].Children()){ | ||
Console.WriteLine("[>] Detected rule: " + rule.Path); | ||
foreach (var properties in rule.Children()){ | ||
if((bool)properties["enabled"] == true){ | ||
Console.WriteLine("... Source: " + properties["source"]); | ||
Console.WriteLine("... Category: " + properties["category"]); | ||
Console.WriteLine("... Description: " + properties["description"]); | ||
switch (properties["source"].ToString()) | ||
{ | ||
case "Sysmon": | ||
SysmonClass.WriteSysmonEvent(properties["category"].ToString(), properties["payload"], sysmon_config); | ||
break; | ||
case "PowerShell": | ||
PowerShellClass.WritePowerShellEvent(properties["category"].ToString(), properties["payload"], powershell_config); | ||
break; | ||
default: | ||
Console.WriteLine("... Source not supported"); | ||
break; | ||
} | ||
}else{ | ||
Console.WriteLine("... Rule disabled"); | ||
} | ||
} | ||
} | ||
|
||
} | ||
catch(JsonException jsonException){ | ||
Console.WriteLine("Error with json file: " + jsonException.Message); | ||
Environment.Exit(-1); | ||
}catch(Exception e){ | ||
Console.WriteLine("Error: " + e.StackTrace); | ||
Environment.Exit(-1); | ||
} | ||
} | ||
|
||
public static JToken getDefaultConfig(string filename){ | ||
|
||
return JToken.Parse(File.ReadAllText(filename)); | ||
} | ||
|
||
} | ||
} |
Oops, something went wrong.