Commit
Feature/create detection framework#28 (#67)
* create framework separate util function #28
* create SIGMA Rule Read Framework #28
* create framework add ntlm logon sigma rule test Fixes #28
* fix rule stack #28
* add detection call fix other script call #28
* erase duplicate process
* fix add-rule template & erase debug print #28
* add SIGMA PowerShell Code (not adjust WELA)
* add SIGMA rule adjust WELA Framework #28
* add SIGMA rule translated WELA Framework #28
* add SIGMA rule translated WELA Framework #28
* moved categorize folder
* adjust multi rule
* fix detected message
* checked powershell category rules #28
* fix error
* moved dir checked process creation category #28
* checked rules and adjust multi rules #28
* moved SIGMA rule to category directory #28
* fixed lacked rule copy #28
* fixed lacked rule copy #28
* fixed lacked rule copy #28
* fixed head comment out
* fixed head comment out
* fixed lacked if case
* fixed lacked rule copy #28
* fixed lacked rule copy #28
* replace sigmac powershell convert result
* fixed lacked rule copy #28
* fixed lacked rule copy #28
* fixed sigmac translate error #28
* fix lacked copy rule #28
* fixed lacked copy rule #28
* fixed lacked copy rule #28
* fixed lacked copy rule #28
* unification detectedMessage variable expression
* unification detectedMessage variable expression
* change format to multi detect rules #28
* fixed syntax error #28
* add param and help #28
* erased duplicate file to not execute same detection check
* fix output detail to Rules/SIGMA #21 #28
* erase unnecessary liveanalysys parameter #28
* erase unnecessary liveanalysys param #28
* due to remove liveanalysys argument from add-rule
* added DeepBlueCLI Util Function #30
* add DeepBlueCLI Rule(4688-ProcessCreate) #30
* add DeepBlueCLI Rule(4672-AdminAccountAccessAllAlert) #30
* add DeepBlueCLI Rule(4720-ProcessCreate) #30
* add providername condition and fix error #30
* fix index to creator and fix func check-command argumentation #30
* fixed multi record process #30
* fixed adjust multi record #30
* fixed adjust multi record in 4688DeepblueRule #30
* add DeepBlueCLI RULE(4728_4732_4756) #30
* remove unnecessary foreach
* add DeepBlueCLI Rule(4625)
* rename 4625
* fixed lacked extension 4625
* erased unnecessary if
* add DeepBlueCLI Rule(4673 Security) #30
* add DeepBlueCLI Rule(4674 Security) #30
* add 4624 and 4628 password spray attack WELA Rule
* fix file name
* fix filename and event ID in passwordsprayattack
* adjust argument dateformat
* add DeepBlueCLI Rule(1102 Security) #30
* fix typo
* fixed where object search providername #30
* add DeepBlueCLI Rule(7045 System) and add argument in util.ps1 #30
* add DeepBlueCLI Rule(104 System) #30
* add DeepBlueCLI Rule(7030 System) #30
* add DeepBlueCLI Rule(7036 System) #30
* add DeepBlueCLI Rule(7040 System) #30
* add DeepBlueCLI Rule(2 Application) #30
* erase omission of copied data
* add DeepBlueCLI Rule(8003 Applocker) #30
* fix detected message
* add DeepBlueCLI Rule(8004 Applocker) #30
* add DeepBlueCLI Rule(4103 PowerShell) #30
* add DeepBlueCLI Rule(4104 PowerShell) #30
* filename changed and add DeepBlueCLI Rule(4104 PowerShell) #30
* add DeepBlueCLI Rule(7 Sysmon) #30
* change scope when execute rule #21 #28 #30
* fix syntax error #21 #28
* erased unnecessary module load #21 #28 #30
* remove duplicate process when resolve conflict merge main merge log 17f4f13
* fix autoformatter change
* fix autoformat
* remove unnecessary global variable #28
* fix autoformatting
* add parameter to scriptblock
* fix single escape sequence
* fix single escape sequence
* fix single escape sequence
* fix single escape sequence
* fix single escape sequence
* fix single escape sequence
* fix single escape sequence
* fix Wrong Filter WELA-Rules #30 change ProviderName to LogName
* fix single escape sequence
* fix single escape sequence in SIGMA:process_create/sysmon/wmi_event
* fix detect output format
* fix argumentation in detect function on Rules #21 #28 #30
* add contributors accounts
* fix UseDetectRule output color
* fix function call error
* add Get-WinEvent exception warning output #48
* fix if statement condition
* add DeepBlueCLI ResultObject and check-command function add servicecmd and obj #30
* erase test output
* fix error when SaveOutput is Null #49
* fix rulename and detected message in 7045-servicecreated
* comment out output executing rule name
* change scope of detectedMessage and ruleName on WELA-Rule(DeepBlueCLI) and SIGMA #28 WELA-Rule: All Completed SIGMA: 20 Completed
* change scope detectedMessage SIGMA and duplicate detectedMessage on SIGMA and WELA-Rule #21 #28 #30 WELA-Rule: All Completed SIGMA: All Completed
* lacked DeepBlueCLI Result object #30
* add recurse property to Logdirectory file search
* add regexes and whitelists and error fix on utils.ps1 #30
  - add regexes and whitelist
  - fix error check when commandline is null
* fix event variable is wrong #30
* erase debug output
* fix output format & add ruleName and detectedMessage multi detect pattern in rule #21 #28 #30
* fix error
  - lacked variable call to set_item method
  - lacked converting firstdetecttime to DateTime type
* fixed for loop
* Fixed saveoutput case #49
* changed no output executerule case of UseDetectRules is 0 #28
* removed debug output
* changed no output executerule case of UseDetectRules is 0 #28
* fix LogonTimeline outputflag lacked initialize in WELA #51
* fix cmdlet is not verb
* get rid of lint warn #37
* fix case of 0 divide in LogonTimeline #52
* output change no match logon record #53
  - add output case of no match in get-winevent
  - removed output logon output when LogonEvents count is 0
* output filename in EventIDStatistics mode #54
* removed duplicate filesize output #54
* fix output header evtx files in LogDirectory in EventIDStatistics mode #55
* changed Output Format on DeepBlueCLI Rule #30
* fixed powershell invoke deepbluecli rule logname wrong #30
* fixed lacked count on DeepblueCLI Rule(4625) #30
* erase debug output
* fixed error occurring module import error
* commented converted powershell
* fix rule import argument
* fixed rule singlequote error
* fix double quote lack error
* commented converted powershell
* fixed lacked get-winevent remove
* fixed lack of convert escape sequence in match
* fix result output write-host to write-output
* fix output rule import error to write-host
* fix lacked arg in write-output when output empty row
* adapt formatter
* Feature/add remote computer live analysis #31 (#56)
  * Add_RDP_analysis_#14
  * Add RemoteLiveAnalysis function
  * Add remote machine analysis
  * Add Help Messages
  * Update subtitle
  * Remove the process of checking the execution-policy.
  Co-authored-by: Tanaka Zakku <[email protected]>
* adapt formatter
* fix rule condition change match to eq
* used arraylist add method
* remove unnecessary process
* fixed check command return
* fixed error output condition case of logfile specified and not liveanalysys is false
* fixed detection process due sorted difference from DeepBlueCLI
* fixed lacked argument call check-command
* adapt formatter
* add DeepBlueCLI passspray detection logic
* fixed passwordguess detection logic #28
* moved show-contributors to utils.ps1
* default servicecd value set
* fixed lacked initialize
* fixed null result output
* fixed typo fixed
* AV to read SIGMA mimikatz Rule
* add IDs
* fixed mimikatz detection check script blocked by AMSI
* fixed result is null exection case
* fixed not exist registry value error
* fixed read template ps1 file
* fixed process view #28
* fixed null check
* fixed match rule
* fixed match contents #21
* comment out debug write-out statement

Co-authored-by: ogino <[email protected]>
Co-authored-by: Tanaka Zakku <[email protected]>