diff --git a/SWELF/SWELF/Compression_Operation.cs b/SWELF/SWELF/Compression_Operation.cs
index 70dd920..e6ca98a 100644
--- a/SWELF/SWELF/Compression_Operation.cs
+++ b/SWELF/SWELF/Compression_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Text;
 using System.IO;
diff --git a/SWELF/SWELF/Crypto_Operation.cs b/SWELF/SWELF/Crypto_Operation.cs
index 18cc91e..21a7bc0 100644
--- a/SWELF/SWELF/Crypto_Operation.cs
+++ b/SWELF/SWELF/Crypto_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -68,10 +68,6 @@ internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
 File.Decrypt(FilePath);
 }
 }
- if (e.Message.Contains("Padding"))//TODO REMOVE THIS
- {
- Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
- }
 else if (e.Message.Contains("The input data is not a complete block."))
 {
 if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
diff --git a/SWELF/SWELF/Error_Operation.cs b/SWELF/SWELF/Error_Operation.cs
index 570f953..219bc50 100644
--- a/SWELF/SWELF/Error_Operation.cs
+++ b/SWELF/SWELF/Error_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.Linq;
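Review bot: With the `Padding` branch removed, a decryption failure whose message mentions padding now falls through to the remaining `else if` chain that only recognises "The input data is not a complete block.", and Sec_Checks.CHECK_Reg_vs_File_Config — the only caller I can see for the file-vs-registry comparison — is deleted later in this diff (L20–L22), so that integrity check appears to have no remaining entry point; if that is intended, the commit message should say what replaces it. Dispatching on `e.Message.Contains(...)` is also brittle because framework exception text is localised; if these are CryptographicException instances, catching that type and, where a finer split is needed, checking `e.HResult` would be more reliable than substring matches. The enclosing catch block of UnSecure_File starts above the hunk.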
@@ -43,29 +43,6 @@ internal static void ErrorLogging_Level()
 {
 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
 }
- else if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level)))
- {
- if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
- {
- Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
- }
- else
- {
- //error in logic here
- }
- }
- else if (Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level) != Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]])
- {
- if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
- {
- Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
- }
- else
- {
- Data_Store.ErrorsLog.Add("ErrorLogging_Level()"+ "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
- Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
- }
- }
 else
 {
 Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
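Review bot: The deleted branches were the only handling for an empty or mismatched `logging_level` registry value, and the only place that recorded "Possible Tampering" in Data_Store.ErrorsLog; after this change both cases fall into the final `else`, which copies whatever READ_SWELF_Reg_Key returns into `Settings.Logging_Level_To_Report` with no check that it is a usable level. If the simplification is intended, an empty value still deserves a guard before that assignment, e.g. `if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level))) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]); }`, and the removal of the tamper audit should be called out in the commit message since it changes what the tool reports. The first `if` of ErrorLogging_Level and its condition are above the hunk.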
@@ -94,12 +71,13 @@ internal static void Log_Error(string MethodNameInCode, string Message,string St Message = Message + " Stack_Info=" + StackDetails; } string msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SourceComputer=" + Settings.ComputerName + " Severity=" + Severity_Levels[(int)LogSeverity] + " MethodInCode=" + MethodNameInCode + " Message=" + Message + "\n"; + ErrorLogging_Level(); try { - ErrorLogging_Level(); if (Logging_Level_To_Report <= (int)LogSeverity) { WRITE_Errors_To_Log(msg, LogSeverity, eventID); + Log_Network_Forwarder.SEND_SINGLE_LOG(msg); } } catch (Exception e) @@ -128,7 +106,7 @@ internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSev if (LogSeverity == LogSeverity.Informataion) { - EventLog_SWELF.WRITE_Warning_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID); + EventLog_SWELF.WRITE_Info_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + " Severity=" + Severity_Levels[(int)LogSeverity] + " Message=" + err_msg + "\n", eventID); } else if (LogSeverity == LogSeverity.Verbose) { @@ -170,7 +148,7 @@ private static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, Ev if (LogSeverity== LogSeverity.Informataion) { - EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID); + EventLog_SWELF.WRITE_Info_EventLog(msg, eventID); } else if (LogSeverity == LogSeverity.Verbose) { diff --git a/SWELF/SWELF/EventLog_Entry.cs b/SWELF/SWELF/EventLog_Entry.cs index 16ce842..2fa2cf7 100644 --- a/SWELF/SWELF/EventLog_Entry.cs +++ b/SWELF/SWELF/EventLog_Entry.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Linq; using System.Text.RegularExpressions; 
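Review bot: `ErrorLogging_Level();` was moved above the `try`, so an exception from its registry and config-file reads now escapes Log_Error instead of being caught by the `catch (Exception e)` below, turning every caller of the logging helper into a potential crash site; keeping the call inside the try, or giving it its own try/catch, preserves the previous containment. The new `Log_Network_Forwarder.SEND_SINGLE_LOG(msg)` makes every reported error a synchronous network send on the caller's thread, and `msg` carries `Message`, which includes raw exception text and stack details — acceptable for a collector, but worth a comment such as `// forwarded to every configured collector over the same TCP/UDP path as event logs; see SEND_SINGLE_LOG`. The two Informataion→WRITE_Info_EventLog hunks below look correct. Log_Error's signature and the body of its catch block are outside the hunk.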
@@ -284,7 +284,33 @@ internal string GET_Sysmon_Network_Calling_Process_Name } } + internal string GET_Parsed_Sysmon_EventData() + { + string Parsed_Sysmon_String = ""; + + if (LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[18]) && Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[18]].ToLower()=="true")) + { + string[] Data = EventData.Split(new[] { "\r\n" }, StringSplitOptions.None).ToArray(); + for (int x = 0; x < Data.Length; ++x) + { + int index = Data[x].IndexOf(':'); + string first = Data[x].Substring(0, index); + string second = Data[x].Substring(index + 1); + + if (string.IsNullOrEmpty(second)) + { + second=""; + } + if (second.Length>0 && char.IsWhiteSpace(second.ElementAt(0))) + { + second = second.Trim(); + } + Parsed_Sysmon_String += first + "=" +"\""+ second + "\"" + "\t"; + } + } + return Parsed_Sysmon_String.Trim(); + } internal void GET_IP_FromLogFile() { 
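Review bot: `Data[x].Substring(0, index)` throws ArgumentOutOfRangeException whenever a line has no ':' (then `index` is -1), and splitting EventData on "\r\n" yields such a line as soon as the data ends with a line break, so the parser fails on ordinary events once `parse_sysmon_logs` is enabled; the `string.IsNullOrEmpty(second)` block is also a no-op because it assigns the value it just tested. Values are emitted as `key="value"` with no escaping, so a `"` or tab inside an attacker-influenced field such as a command line changes how the record is parsed downstream. The rewritten loop body below skips separator-less lines and escapes the quote; whether escaping is acceptable depends on the collector's expected format, so confirm that before applying that part.
```csharp
for (int x = 0; x < Data.Length; ++x)
{
    int index = Data[x].IndexOf(':');
    if (index < 0)
    {
        continue; // blank line or no "key: value" separator on this line
    }
    string first = Data[x].Substring(0, index);
    string second = Data[x].Substring(index + 1).Trim();
    // quote inside a value would otherwise terminate the field early for the consumer
    Parsed_Sysmon_String += first + "=\"" + second.Replace("\"", "\\\"") + "\"\t";
}
// … unchanged: LogName / parse_sysmon_logs gate around the loop and the final Trim() …
```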
@@ -300,18 +326,14 @@ internal void GET_IP_FromLogFile() { if (Eventdata.Contains("destinationip: ")) { - string[] delm1 = { "destinationip: ", "destinationhostname: " }; - - string[] datA_IP = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA_IP = Eventdata.Split(new[] { "destinationip: ", "destinationhostname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA_IP[1].Length > 0 && (!string.IsNullOrEmpty(datA_IP[1]))) { if (Eventdata.Contains("image: ")) { - string[] delm2= { "image: " }; - string[] delm3 = { "user: " }; - string[] datA_img1 = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray(); - string[] datA_img2 = datA_img1[1].Split(delm3, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA_img1 = Eventdata.Split(new[] { "image: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA_img2 = datA_img1[1].Split(new[] { "user: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA_img2[0].Length > 0 && (!string.IsNullOrEmpty(datA_img2[0]))) { @@ -324,9 +346,7 @@ internal void GET_IP_FromLogFile() { if (Eventdata.Contains("image: ") ) { - string[] delm2 = { "image: " }; - - string[] datA_img = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA_img = Eventdata.Split(new[] { "image: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA_img[1].Length > 0 && (!string.IsNullOrEmpty(datA_img[1]))) { 
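Review bot: Each rewritten `Split(...)` result is still indexed as `datA_IP[1]`, `datA_img1[1]` and `datA_img2[0]` on the following lines without a length check, so an event where the marker is the last thing in Eventdata (or where "image: " is present but "user: " is not) throws IndexOutOfRangeException out of GET_IP_FromLogFile, because RemoveEmptyEntries leaves a single-element array; the same pattern is repeated in the other hunks of this file on L6, L7 and L8. Folding a length guard into the existing condition is enough, e.g. `if (datA_IP.Length > 1 && datA_IP[1].Length > 0)` (the `!string.IsNullOrEmpty(datA_IP[1])` half is redundant once `Length > 0` holds). The enclosing if/else of GET_IP_FromLogFile continues outside the hunk.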
@@ -349,28 +369,22 @@ internal void GET_FileHash() if (Eventdata.Contains("hashes: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 1) { - string[] delm1 = { "hashes: ", "parentprocessguid: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "hashes: ", "parentprocessguid: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1]))) { Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", "")); } - delm1 = null; datA = null; } if (Eventdata.Contains("hashes: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 6) { - string[] delm1 = { "hashes: ", "signed: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "hashes: ", "signed: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1]))) { Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", "")); } - delm1 = null; datA = null; } else if (Settings.SHA256_RegX.Matches(Eventdata).Count > 0) @@ -397,9 +411,7 @@ internal void GET_HostName_FromLogFile() { if (Eventdata.Contains("destinationhostname: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3) { - string[] delm1 = { "destinationhostname: ", "destinationhostname: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "destinationhostname: ", "destinationhostname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1]))) { 
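Review bot: `datA = null;` is left behind in both the EventID == 1 and EventID == 6 blocks after the `delm1 = null;` lines were removed; assigning null to a block-scoped local on its last line has no effect and now reads as half of a cleanup that no longer exists, so drop it as well. The `else if (Settings.SHA256_RegX...)` fallback after the second block is outside the hunk.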
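Review bot: The rewritten delimiter array in GET_HostName_FromLogFile lists `"destinationhostname: "` twice, so the split has no terminating marker and `datA[1]` is everything from the hostname to the end of the event data rather than the hostname alone; this predates the commit, but the line is rewritten here, so it is the moment to fix it. If the field order matches the port parser later in this file, where `"destinationport: "` follows the hostname, the intended call is `Eventdata.Split(new[] { "destinationhostname: ", "destinationport: " }, StringSplitOptions.RemoveEmptyEntries)`.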
@@ -435,9 +447,7 @@ private string GET_CMDLineArgs() if (Eventdata.Contains("Creator Process Name: ") && LogName.ToLower().Equals("Security")) { - string[] delm1 = { "Creator Process Name: ", "Token " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "Creator Process Name: ", "Token " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > commandLine.Length && (!string.IsNullOrEmpty(datA[1]))) { @@ -449,9 +459,7 @@ private string GET_CMDLineArgs() { if (Eventdata.Contains("commandline: ")) { - string[] delm1 = { "commandline: ", "currentdirectory: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "commandline: ", "currentdirectory: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > commandLine.Length && (!string.IsNullOrEmpty(datA[1]))) { @@ -461,9 +469,7 @@ private string GET_CMDLineArgs() } if (Eventdata.Contains("parentcommandline: ")) { - string[] delm1 = { "parentcommandline: ", "" }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "parentcommandline: ", "" }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if ((datA[1].Length + "Target-CommandLine: ".Length) > commandLine.Length && (!string.IsNullOrEmpty(datA[1]))) { @@ -474,9 +480,7 @@ private string GET_CMDLineArgs() } else if (Eventdata.Contains("commandline= ") && LogName.ToLower().Equals("windows powershell")) { - string[] delm1 = { "commandline= ", "details: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "commandline= ", "details: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (!string.IsNullOrEmpty(datA[1])) { 
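Review bot: The condition beside the rewritten Split, `LogName.ToLower().Equals("Security")`, can never be true because the left side is lower-cased and the literal is not, so the "Creator Process Name: " branch of GET_CMDLineArgs is dead code; `string.Equals(LogName, "Security", StringComparison.OrdinalIgnoreCase)` is what the other branches in this method achieve with lower-case literals. As in GET_IP_FromLogFile, `datA[1]` is read without a length check. The start of GET_CMDLineArgs is above the hunk.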
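Review bot: `new[] { "parentcommandline: ", "" }` passes an empty string as a delimiter; String.Split skips empty separators, so the intent (take everything after "parentcommandline: ") is met only incidentally and the next reader will wonder which field the second entry was meant to be. Either drop it, `Eventdata.Split(new[] { "parentcommandline: " }, StringSplitOptions.RemoveEmptyEntries)`, or name the terminating field if one was intended.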
@@ -489,9 +493,7 @@ private string GET_CMDLineArgs() } else if (Eventdata.Contains("process command line: ") && LogName.ToLower().Equals("microsoft-windows-security-auditing") && EventID==4688) { - string[] delm1 = { "process command line: ", "token elevation type " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "process command line: ", "token elevation type " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (!string.IsNullOrEmpty(datA[1])) { @@ -526,9 +528,7 @@ private string GET_Sysmon_Netwrok_Calling_Process_Name_Dst_Port() if (Eventdata.Contains("destinationport: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID==3) { - string[] delm1 = { "destinationport: ", "destinationportname: "}; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "destinationport: ", "destinationportname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1]))) { @@ -552,9 +552,7 @@ private string GET_Sysmon_Network_Process_Name() if (Eventdata.Contains("image: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3) { - string[] delm1 = { "image: ", "user: " }; - - string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray(); + string[] datA = Eventdata.Split(new[] { "image: ", "user: " }, StringSplitOptions.RemoveEmptyEntries).ToArray(); if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1]))) { string[] filepath = datA[1].Split('\\').ToArray(); diff --git a/SWELF/SWELF/EventLog_SWELF.cs b/SWELF/SWELF/EventLog_SWELF.cs index c60cc2b..f68a251 100644 --- a/SWELF/SWELF/EventLog_SWELF.cs +++ b/SWELF/SWELF/EventLog_SWELF.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Linq; using System.Diagnostics; 
diff --git a/SWELF/SWELF/File_Operation.cs b/SWELF/SWELF/File_Operation.cs index 851b013..fb39749 100644 --- a/SWELF/SWELF/File_Operation.cs +++ b/SWELF/SWELF/File_Operation.cs @@ -1,7 +1,10 @@ -using System; +//Written by Ceramicskate0 +//Copyright 2020 +using System; using System.Collections.Generic; using System.Linq; using System.IO; +using System.Security.AccessControl; namespace SWELF { @@ -156,7 +159,7 @@ internal static void Write_Hash_Output(List Hashs) } catch (Exception e) { - Error_Operation.WRITE_Errors_To_Log("Write_Hash_Output()", e.Message.ToString(), Error_Operation.LogSeverity.Informataion); + Error_Operation.WRITE_Errors_To_Log("Write_Hash_Output()", e.Message.ToString(), Error_Operation.LogSeverity.Warning); } } CHECK_File_Size(Settings.Hashs_File_Path, .0002); @@ -174,7 +177,7 @@ internal static void Write_IP_Output(List IPs) } catch (Exception e) { - Error_Operation.WRITE_Errors_To_Log("Write_IP_Output()", e.Message.ToString(), Error_Operation.LogSeverity.Informataion); + Error_Operation.WRITE_Errors_To_Log("Write_IP_Output()", e.Message.ToString(), Error_Operation.LogSeverity.Warning); } } CHECK_File_Size(Settings.IPs_File_Path, .0002); 
@@ -457,43 +460,6 @@ internal static void Turnicate_File(string FilePath, byte[] Contents = null) } } - internal static bool READ_Config_File_For_Value(string valueToFind, string FileToRead) - { - if (CHECK_if_File_Exists(FileToRead)) - { - foreach (string ConfigFileline in READ_File_In_List(FileToRead))//File_Args are read in here 1 by 1 - { - if (!ConfigFileline.Contains(Settings.CommentCharConfigs) && ConfigFileline.Contains(Settings.SplitChar_ConfigVariableEquals[0]) && ConfigFileline.Split(Settings.SplitChar_ConfigVariableEquals, StringSplitOptions.RemoveEmptyEntries).ToList().ElementAt(0).ToLower().Contains(valueToFind.ToLower()))//split the read in arg - { - return true; - } - } - return false; - } - else - { - return false; - } - } - - internal static void APPEND_Data_To_File(string FilePath, string Values) - { - if (CHECK_if_File_Exists(FilePath)) - { - if (CHECK_Data_Encrypted(FilePath)) - { - Crypto_Operation.UnSecure_File(FilePath); - File.AppendAllText(FilePath,Values); - Crypto_Operation.Secure_File(FilePath); - - } - else - { - File.AppendAllText(FilePath, Values); - } - } - } - internal static void DELETE_File(string FilePath) { try 
@@ -515,5 +481,30 @@ internal static void WRITE_ALLTXT(string FilePath, string Content)
 {
 File.WriteAllText(FilePath, Content);
 }
+
+ private static void Harden_SWELF_Working_Dir(bool SetToOnlySystem=false)
+ {
+ DirectorySecurity dirSec = new DirectorySecurity();
+ if (SetToOnlySystem == false)
+ {
+ dirSec.AddAccessRule(new FileSystemAccessRule("Administrators", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
+ }
+ dirSec.AddAccessRule(new FileSystemAccessRule(@"NT-AUTHORITY\SYSTEM",FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,PropagationFlags.None, AccessControlType.Allow));
+
+ Directory.CreateDirectory(Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name +"\\"+ Settings.SWELF_PROC_Name+".exe", dirSec);
+
+ File.Copy(Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name + ".exe", Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name + "\\" + Settings.SWELF_PROC_Name + ".exe", true);
+
+ foreach (string newPath in Directory.GetFiles(Settings.SWELF_CWD, "*.*", SearchOption.AllDirectories))
+ {
+ if (newPath.Contains("Config") || newPath.Contains("Log_Searchs") || newPath.Contains("SWELF_Logs") || newPath.Contains("Plugins"))
+ {
+ File.Copy(newPath, newPath.Replace(Settings.SWELF_CWD, Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name), true);
+ }
+ }
+
+ Console.WriteLine("[*] " + Settings.SWELF_PROC_Name + ".exe" + " was moved to " + Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name + "\\" + ".\nThis Directory was access controlled to only the accounts in the Administrators group and NT-SYSTEM.");
+ Console.WriteLine("[!] You will have to manually remove the original contents of " + Settings.SWELF_PROC_Name + " located at " + Settings.SWELF_CWD);
+ }
 }
 }
diff --git a/SWELF/SWELF/Log_Network_Forwarder.cs b/SWELF/SWELF/Log_Network_Forwarder.cs
index 7013cc2..3bceba7 100644
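Review bot: `Directory.CreateDirectory` is handed a path ending in `\<SWELF_PROC_Name>.exe`, so it creates a directory named after the executable and the following `File.Copy` to that same path will fail because a directory already occupies the target. The DirectorySecurity never calls `SetAccessRuleProtection(true, false)`, so ACEs inherited from `Settings.SWELF_CWD` (typically read/execute for Users) stay in force and the console message claiming the directory is limited to Administrators and SYSTEM is not accurate; the SYSTEM rule also names the account as `NT-AUTHORITY\SYSTEM` with a hyphen, which I would expect to be unresolvable when the ACL is applied — well-known SIDs avoid both the spelling and the localisation problem. The copy loop does not create the `Config`/`Log_Searchs`/… subdirectories before `File.Copy`, and because the hardened directory now sits inside SWELF_CWD, `SearchOption.AllDirectories` enumerates the files just copied into it. The method is private and I see no caller in this diff. The excerpt below fixes the path, the ACL and the copy loop; it needs `using System.Security.Principal;` for SecurityIdentifier.
```csharp
private static void Harden_SWELF_Working_Dir(bool SetToOnlySystem=false)
{
    string hardenedDir = Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name;
    InheritanceFlags inherit = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

    DirectorySecurity dirSec = new DirectorySecurity();
    dirSec.SetAccessRuleProtection(true, false); // drop inherited ACEs; only the explicit rules below apply
    if (SetToOnlySystem == false)
    {
        dirSec.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));
    }
    dirSec.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), FileSystemRights.FullControl, inherit, PropagationFlags.None, AccessControlType.Allow));

    Directory.CreateDirectory(hardenedDir, dirSec); // the directory itself, not a directory named "<proc>.exe"
    File.Copy(Settings.SWELF_CWD + "\\" + Settings.SWELF_PROC_Name + ".exe", hardenedDir + "\\" + Settings.SWELF_PROC_Name + ".exe", true);

    foreach (string newPath in Directory.GetFiles(Settings.SWELF_CWD, "*.*", SearchOption.AllDirectories))
    {
        if (newPath.StartsWith(hardenedDir, StringComparison.OrdinalIgnoreCase))
        {
            continue; // already inside the hardened directory
        }
        if (newPath.Contains("Config") || newPath.Contains("Log_Searchs") || newPath.Contains("SWELF_Logs") || newPath.Contains("Plugins"))
        {
            string target = newPath.Replace(Settings.SWELF_CWD, hardenedDir);
            Directory.CreateDirectory(Path.GetDirectoryName(target)); // File.Copy does not create parent directories
            File.Copy(newPath, target, true);
        }
    }
    // … unchanged: the two Console.WriteLine status messages …
}
```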
--- a/SWELF/SWELF/Log_Network_Forwarder.cs
+++ b/SWELF/SWELF/Log_Network_Forwarder.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright 2018
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -36,7 +36,7 @@ internal static void SEND_Logs(Queue Event_logs)
 catch (Exception e)
 {
 Settings.Logs_Sent_to_ALL_Collectors = false;
- Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x)+" "+ e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
+ Error_Operation.Log_Error("SEND_Logs() [transport_protocol] == tcp", Settings.Log_Forwarders_HostNames.ElementAt(x)+" "+ e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
 }
 }
 Settings.Logs_Sent_to_ALL_Collectors = true;
@@ -56,7 +56,7 @@ internal static void SEND_Logs(Queue Event_logs)
 catch (Exception e)
 {
 Settings.Logs_Sent_to_ALL_Collectors = false;
- Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Verbose);
+ Error_Operation.Log_Error("SEND_Logs() else//Default send logs UDP", Settings.Log_Forwarders_HostNames.ElementAt(x) + " " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
 }
 }
 Settings.Logs_Sent_to_ALL_Collectors = true;
@@ -111,6 +111,42 @@ internal static bool SEND_Logs(string Log, string FilePath = "", bool DeleteWhen
 }
 return Data_Sent;
 }
+ internal static void SEND_SINGLE_LOG(string Log)
+ {
+ bool Data_Sent = true;
+
+ if (Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase)) == false && Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)) == false)
+ {
+ if (Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]] == "tcp")//If user wants send logs tcp
+ {
+ for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
+ {
+ try
+ {
+ Socket_Client_TCP(GET_Encoding_to_Return(Log), x);
+ }
+ catch (Exception e)
+ {
+ }
+ }
+ }
+ else//Default send logs UDP
+ {
+ for (int x = 0; x < Settings.Log_Forwarders_HostNames.Count; ++x)
+ {
+ try
+ {
+ UdpClient client = new UdpClient(Get_IP_from_Socket_string(Settings.Log_Forwarders_HostNames.ElementAt(x)), Settings.Log_Forwarders_Port.ElementAt(x));
+ Data_Sent = SEND_Data_from_File_UDP(Log, client);
+ client.Close();
+ }
+ catch (Exception e)
+ {
+ }
+ }
+ }
+ }
+ }
 public static void Socket_Client_UDP(byte[] Data,int x)
 {
 IPAddress ipAddress = IPAddress.Parse(Settings.Log_Forwarders_HostNames.ElementAt(x));
@@ -162,7 +198,7 @@ private static bool SEND_Data_from_File_UDP(string Log_File_Data, UdpClient clie
 private static string GET_Log_Output_Format(EventLog_Entry data)
 {
 string format=Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[10]];
- string Data;
+ string Data="";
 format=Regex.Replace(format, @"\s+", String.Empty);//remove spaces from value
 switch (format.ToLower())
 {
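Review bot: Both `catch (Exception e) { }` blocks in SEND_SINGLE_LOG discard the exception and never use `e`, so a collector that is down leaves no trace at all, and `Data_Sent` is assigned from SEND_Data_from_File_UDP but never read. This method is what Log_Error now calls (Error_Operation.cs above), so it must not call Log_Error itself — that would recurse — but it can record the outcome the way SEND_Logs does, `Settings.Logs_Sent_to_ALL_Collectors = false;` in each catch, and either return `Data_Sent` or drop it. The outer guard also skips every collector when any configured hostname is `127.0.0.1` or empty rather than skipping that one entry; if that mirrors SEND_Logs on purpose it deserves a comment, `// all-or-nothing by design, same rule as SEND_Logs`. `Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[14]]` is read outside any try, so a missing `transport_protocol` key throws KeyNotFoundException out of the logging path.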
@@ -196,7 +232,7 @@ private static string GET_Log_Output_Format(EventLog_Entry data)
 {
 string EventData="";
 EventData= data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ",": ").Replace(" \r ","");
- Data = " CreatedTime=\"" + data.CreatedTime +"\"" + "\t" + "SourceComputer=\"" + Settings.ComputerName + "\"" + "\t" + "EventID=\"" + data.EventID.ToString() + "\"" + "\t" + "EventLogName=\"" + data.LogName + "\"" + "\t" + "EventRecordID=\"" + data.EventLog_Seq_num + "\"" + "\t" + "DisplayName=\"" + data.TaskDisplayName + "\"" + "\t" + "Severity=\"" + data.Severity + "\"" + "\t" + "UserID=\"" + data.UserID + "\"" + "\t" + "Search_Rule=\"" + data.SearchRule + "\"" + "\t" + "ParentCommandLine=\"" + data.ParentCMDLine + "\"" + "\t" + "ChildCommandLine=\"" + data.ChildCMDLine + "\"" + "\t" + "EventData=\""+EventData+"\"";
+ Data = " CreatedTime=\"" + data.CreatedTime +"\"" + "\t" + "SourceComputer=\"" + Settings.ComputerName + "\"" + "\t" + "EventID=\"" + data.EventID.ToString() + "\"" + "\t" + "EventLogName=\"" + data.LogName + "\"" + "\t" + "EventRecordID=\"" + data.EventLog_Seq_num + "\"" + "\t" + "DisplayName=\"" + data.TaskDisplayName + "\"" + "\t" + "Severity=\"" + data.Severity + "\"" + "\t" + "UserID=\"" + data.UserID + "\"" + "\t" + "Search_Rule=\"" + data.SearchRule + "\"" + "\t" + "ParentCommandLine=\"" + data.ParentCMDLine + "\"" + "\t" + "ChildCommandLine=\"" + data.ChildCMDLine + "\"" + "\t" + "EventData=\""+EventData+"\"" + "\t" + data.GET_Parsed_Sysmon_EventData().Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "")+"\t";
 break;
 }
 default:
diff --git a/SWELF/SWELF/Powershell_Plugin.cs b/SWELF/SWELF/Powershell_Plugin.cs
index 7fa30f9..8c6b6a6 100644
--- a/SWELF/SWELF/Powershell_Plugin.cs
+++ b/SWELF/SWELF/Powershell_Plugin.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright 2018
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.IO;
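Review bot: The appended `data.GET_Parsed_Sysmon_EventData().Replace(":", ": ")` runs over values that are already quoted `key="value"` pairs, so a path such as `C:\Windows\...` or a time inside the quotes becomes `C: \Windows` and `10: 00: 00`; the parsed string was built from already-separated fields and needs none of the EventData normalisation chain. When `parse_sysmon_logs` is off or the log is not Sysmon the method returns "", so this line now appends a bare `\t\t` to every record. Suggest ending the existing expression at `"EventData=\"" + EventData + "\""` and then `string sysmon = data.GET_Parsed_Sysmon_EventData(); if (sysmon.Length > 0) { Data += "\t" + sysmon; }`. The other `case` arms of the switch are outside the hunk.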
diff --git a/SWELF/SWELF/Program.cs b/SWELF/SWELF/Program.cs
index 067cb5e..22cfbfd 100644
--- a/SWELF/SWELF/Program.cs
+++ b/SWELF/SWELF/Program.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
@@ -29,33 +29,34 @@ internal static void Main(string[] args) { Program_Start_Args.Add(Settings.GET_AppConfigFile_Path); } - //TODO make sure config file passed in is one of the correct file (by location) then update that reg key, then delete the file once read in + //TODO make sure config file passed in is one of the correct file (by location and parsability) then update that reg key, then delete the file once read in if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower())) { if (File_Operation.CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower())) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Program_Start_Args.ElementAt(2).ToLower())); - //TODO: LOG CONFIG UPDATE VIA THIS METHOD + Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file "+ Program_Start_Args.ElementAt(2).ToLower(), "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } else if (File_Operation.CHECK_if_File_Exists(Settings.GET_AppConfigFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, File_Operation.READ_AllText(Settings.GET_AppConfigFile_Path)); - //TODO: LOG CONFIG UPDATE VIA THIS METHOD + Error_Operation.Log_Error("MAIN()", "Config update. ConsoleAppConfig_Contents reg key from file "+ Settings.GET_AppConfigFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } if (File_Operation.CHECK_if_File_Exists(Settings.GET_SearchTermsFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_SearchTermsFile_Path)); - //TODO: LOG CONFIG UPDATE VIA THIS METHOD + Error_Operation.Log_Error("MAIN()", "Config update. 
SearchTerms_File_Contents reg key from file "+ Settings.GET_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } + if (File_Operation.CHECK_if_File_Exists(Settings.GET_WhiteList_SearchTermsFile_Path)) { Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, File_Operation.READ_AllText(Settings.GET_WhiteList_SearchTermsFile_Path)); - //TODO: LOG CONFIG UPDATE VIA THIS METHOD + Error_Operation.Log_Error("MAIN()", "Config update. WhiteList_SearchTerms_File_Contents reg key from file " + Settings.GET_WhiteList_SearchTermsFile_Path, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Central_Config_Changed); } Start_Process_Live_Method(); //TODO add option for password in config file to allow updates this way - //if no password allow update + //if no password allow update?? //store password in reg } else @@ -84,7 +85,6 @@ internal static void Main(string[] args) Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_Live_Process()", e.Message.ToString() + ", Also the app halted.", e.StackTrace.ToString()); } } - Environment.Exit(0); } internal static void Start_EVTX_Process() diff --git a/SWELF/SWELF/Read_EventLog.cs b/SWELF/SWELF/Read_EventLog.cs index 37784bf..8268af7 100644 --- a/SWELF/SWELF/Read_EventLog.cs +++ b/SWELF/SWELF/Read_EventLog.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright 2018 +//Copyright 2020 using System; using System.Collections.Generic; using System.Linq; 
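Review bot: The new `Error_Operation.Log_Error(...)` inside the `else if (File_Operation.CHECK_if_File_Exists(Settings.GET_AppConfigFile_Path))` branch is unreachable: the enclosing `if` tests exactly the same `CHECK_if_File_Exists(Program_Start_Args.ElementAt(2).ToLower())` condition as the inner `if`, so the inner `else if` can never be entered (this predates the commit, but logging was just added to the dead branch). The remaining TODO about validating the passed-in file's location is the security-relevant gap: a path given on the command line is read straight into the ConsoleAppConfig_Contents registry key, so the new Warning-level event carrying the file path is currently the only record of where the configuration came from — keep it, and fold the location check into the same `if` when it lands. Main's argument parsing is above the hunk.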
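Review bot: Removing `Environment.Exit(0);` at the end of Main changes shutdown behaviour if any foreground thread is still running — Settings keeps `Running_Thread_Count`/`Total_Threads_Run` counters, which suggests worker threads exist — because the process then stays alive until they finish instead of being terminated. If that is the intent, a one-line comment at the end of Main would prevent it being reintroduced, `// returning from Main lets in-flight worker threads finish; do not call Environment.Exit here`; if not, the exit belongs back after the workers are joined. The catch block above it and Start_EVTX_Process are outside the hunk.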
@@ -177,6 +177,7 @@ private static void READ_WindowsEventLog_API(string Eventlog_FullName, long Reco SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;//if this doesnt work we have issues that we cant fix SWELF_Eventlog.EventID = Windows_EventLog_from_API.Id; //if this doesnt work we have issues that we cant fix SWELF_Eventlog.LogName = Windows_EventLog_from_API.LogName; + try { SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName; @@ -263,7 +264,6 @@ private static void READ_WindowsEventLog_API(string Eventlog_FullName, long Reco { //unable to get IP values from log } - //try //{ // EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog); diff --git a/SWELF/SWELF/Read_Local_Files.cs b/SWELF/SWELF/Read_Local_Files.cs index e672aed..47b9e85 100644 --- a/SWELF/SWELF/Read_Local_Files.cs +++ b/SWELF/SWELF/Read_Local_Files.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright 2018 +//Copyright 2020 using System; using System.Collections.Generic; using System.Linq; diff --git a/SWELF/SWELF/Reg_Operation.cs b/SWELF/SWELF/Reg_Operation.cs index 2f00080..8422d21 100644 --- a/SWELF/SWELF/Reg_Operation.cs +++ b/SWELF/SWELF/Reg_Operation.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Collections.Generic; using System.Diagnostics.Eventing.Reader; @@ -14,7 +14,7 @@ namespace SWELF //Persist Sub Key,Value internal class Reg_Operation { - internal static RegistryKey BASE_SWELF_KEY = Registry.LocalMachine.CreateSubKey("Software\\SWELF"); + internal static RegistryKey BASE_SWELF_KEY = Registry.LocalMachine.CreateSubKey("Software\\"+Settings.SWELF_PROC_Name); internal static RegistryKey EventLog_Base_Key = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Services\\Eventlog\\"); private static long Default_Size = EventLogSession.GlobalSession.GetLogInformation("security", PathType.LogName).FileSize.Value; 
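Review bot: The registry root is now `Software\<Settings.SWELF_PROC_Name>`, so the key holding ConsoleAppConfig_Contents and the other persisted settings moves whenever the executable is renamed, and an existing install that stored its state under `Software\SWELF` will see a fresh, empty key after this update unless something migrates it — I see no migration in the diff. This is also a static field initializer that reads `Settings` while Settings (RUN_Setup_AppConfig) calls back into Reg_Operation, so type-initialization order now matters; a comment naming which type is expected to initialise first would help the next reader. The hunk context on L23 shows `internal static Process SWELF_PROC_Name`; if that member really is a Process rather than a string, `"Software\\"+Settings.SWELF_PROC_Name` concatenates its ToString() rather than a name — worth confirming. The rest of the Reg_Operation class is outside the hunk.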
diff --git a/SWELF/SWELF/SWELF.csproj b/SWELF/SWELF/SWELF.csproj index a8eb931..eaaf0e8 100644 --- a/SWELF/SWELF/SWELF.csproj +++ b/SWELF/SWELF/SWELF.csproj @@ -1,5 +1,10 @@  + + + + + Debug @@ -30,10 +35,12 @@ 0.4.0.0 false true - 4 - 0.5.0.%2a + 0 + 0.6.1.%2a false true + + AnyCPU @@ -44,7 +51,8 @@ DEBUG;TRACE prompt 1 - SecurityRules.ruleset + + true true @@ -56,6 +64,8 @@ TRACE prompt 4 + + swelflogo_v002_WCb_icon.ico @@ -125,4 +135,14 @@ + + + This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. + + + + + + + \ No newline at end of file diff --git a/SWELF/SWELF/Search_EventLog.cs b/SWELF/SWELF/Search_EventLog.cs index 983fb37..30fe4b2 100644 --- a/SWELF/SWELF/Search_EventLog.cs +++ b/SWELF/SWELF/Search_EventLog.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Linq; using System.Collections.Generic; diff --git a/SWELF/SWELF/Sec_Checks.cs b/SWELF/SWELF/Sec_Checks.cs index a782d65..8ad2540 100644 --- a/SWELF/SWELF/Sec_Checks.cs +++ b/SWELF/SWELF/Sec_Checks.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Collections.Generic; using System.Linq; 
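Review bot: The Debug PropertyGroup drops `SecurityRules.ruleset` and replaces it with an element whose tags were stripped in this rendering, so if that file was the project's CodeAnalysisRuleSet, the analyzer rules that gave this security tool its static checks no longer run on Debug builds; I cannot tell from the diff what the replacement is. If the ruleset was intentionally retired, say so in the commit message; otherwise restore `<CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>`. The version bump to 0.6.1 and the NuGet restore target are routine.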
@@ -319,77 +319,6 @@ private static bool Check_Event_Log_Is_Blank(string EVT_Log_Name) } } - internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath) - { - if (Settings.GET_AppConfigFile_Path == Settings_FilePath)//Appconfig - { - if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)==false) - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath); - if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)) - { - File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents); - } - else - { - File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents)); - Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path)); - } - } - } - else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath)//EventLog ID - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. 
Config File was " + Settings_FilePath); - File_Operation.DELETE_AND_CREATE_File(Settings.GET_EventLogID_PlaceHolder_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents); - } - else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath)//Search SearchFile - { - if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents) ==false) - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath); - File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents); - } - } - else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath)//Search WHitelist - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath); - File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents); - } - else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLUGIN Search - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. 
Config File was " + Settings_FilePath); - File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_PLUGIN_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents); - } - else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLugin WHitelist - { - EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath); - File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path); - File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents); - } - else - { - LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path"); - } - } - - internal static bool CHECK_File_vs_Reg_Contents(string SettingsConfigFilePath,Reg_Operation.REG_KEY RegKey) - { - if (Crypto_Operation.Decrypt_File_Contents(SettingsConfigFilePath).ToLower()==Reg_Operation.READ_SWELF_Reg_Key(RegKey).ToLower()) - { - return true; - } - else - { - return false; - } - } - /// /// Used for SEC_CHeck Fail logging outside of SEC_Check Class /// diff --git a/SWELF/SWELF/Settings.cs b/SWELF/SWELF/Settings.cs index d7c371b..1373232 100644 --- a/SWELF/SWELF/Settings.cs +++ b/SWELF/SWELF/Settings.cs @@ -1,5 +1,5 @@ //Written by Ceramicskate0 -//Copyright +//Copyright 2020 using System; using System.Collections.Generic; using System.Linq; 
@@ -33,7 +33,8 @@ internal static List EventLogs_List_Of_Avaliable
 private static readonly String[] sWELF_AppConfig_Args = new String[]{
 "log_collector", "log_collector1","log_collector2","log_collector3","log_collector4","log_collector5",
 "central_search_config","central_app_config","central_plugin_search_config","central_whitelist_search_config",
- "output_format","output_ips","output_hashs","check_service_up","transport_protocol","delete_local_log_files_when_done","debug","logging_level"
+ "output_format","output_ips","output_hashs","check_service_up","transport_protocol","delete_local_log_files_when_done","debug","logging_level",
+ "parse_sysmon_logs"
 };
 internal static String[] SWELF_AppConfig_Args
 {
@@ -81,7 +82,6 @@ internal static Process SWELF_PROC_Name
 internal readonly static string SWELF_Version = fvi.FileVersion;
 
 //MultiThread settings
- internal static int Max_Thread_Count = 1;//Environment.ProcessorCount / 2; TODO: change this to multi thread. storage structs not thread safe
 internal static bool PS_PluginDone = false;
 internal static int Running_Thread_Count = 0;
 internal static int Total_Threads_Run = 0;
@@ -330,7 +330,7 @@ private static void RUN_Setup_AppConfig()
 if (Web_Operation.Connection_Successful)
 {
 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[7]].ToString()));
- //TODO write log central config updated
+ Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config ConsoleAppConfig_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
 }
 }
 }
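Review bot: The new `"parse_sysmon_logs"` entry is appended at the end of `sWELF_AppConfig_Args`, which is the only safe position because the rest of this file reads the array by literal index (`SWELF_AppConfig_Args[6]`, `[7]`, `[8]`, `[9]` in the `RUN_Setup_AppConfig()` hunks below), yet nothing at the declaration says so. A future key inserted anywhere but the end would silently remap every later setting — the central app-config URL at `[7]` would be read from a neighbouring field — and the parser would not complain. I would put `// APPEND ONLY: settings are looked up by position elsewhere (e.g. [7] == "central_app_config").` above the initializer, and longer term replace the magic indices with named constants or an enum. The array declaration is complete in the hunk; the enclosing class is not.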
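Review bot: The new `SWELF_Central_Config_Changed` event is raised on every run in which `Web_Operation.Connection_Successful` is true, because `ADD_or_CHANGE_SWELF_Reg_Key` is called unconditionally on the line above it, so the event says "changed" even when the fetched content equals what is already in the registry, and its message names neither the URL the content came from (`AppConfig_File_Args[SWELF_AppConfig_Args[7]]`) nor what was written — the two things an investigator would need to tell a legitimate central update from a tampered one. I would keep the fetched value, compare it with the current registry value before writing, and put the source in the message, as sketched below; this assumes `UPDATE_Reg_Config_With_Central_Config` returns the string that is written (it is passed straight through) and that `READ_SWELF_Reg_Key` returns a comparable string, both of which I cannot see here. `LogSeverity.Informataion` looks misspelled; if it is an existing enum member, fix it at the declaration rather than at this call site. `RUN_Setup_AppConfig()` starts and ends outside the hunk.

```csharp
if (Web_Operation.Connection_Successful)
{
    string centralSource = AppConfig_File_Args[SWELF_AppConfig_Args[7]].ToString();
    var fetched = Web_Operation.UPDATE_Reg_Config_With_Central_Config(centralSource);
    // Write and audit only when the central copy differs from what the registry already holds,
    // and record where it came from so the event can be tied to a source later.
    if (fetched != Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
    {
        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, fetched);
        Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key ConsoleAppConfig_Contents replaced with central config fetched from " + centralSource + ".", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
    }
}
```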
@@ -346,7 +346,8 @@ private static void RUN_Setup_AppConfig()
 if (Web_Operation.Connection_Successful)
 {
 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[6]].ToString()));
- //TODO write log central config updated
+ Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
+
 }
 }
 }
@@ -362,7 +363,8 @@ private static void RUN_Setup_AppConfig()
 if (Web_Operation.Connection_Successful)
 {
 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.WhiteList_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[9]].ToString()));
- //TODO write log central config updated
+ Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config WhiteList_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
+
 }
 }
 }
@@ -378,7 +380,8 @@ private static void RUN_Setup_AppConfig()
 if (Web_Operation.Connection_Successful)
 {
 Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.PLUGIN_SearchTerms_File_Contents, Web_Operation.UPDATE_Reg_Config_With_Central_Config(AppConfig_File_Args[SWELF_AppConfig_Args[8]].ToString()));
- //TODO write log central config updated
+ Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key for Central Config PLUGIN_SearchTerms_File_Contents source updated from web source.", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
+
 }
 }
 }
diff --git a/SWELF/SWELF/System_Info.cs b/SWELF/SWELF/System_Info.cs
index ffb558d..640abbf 100644
--- a/SWELF/SWELF/System_Info.cs
+++ b/SWELF/SWELF/System_Info.cs
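Review bot: The block guarded by `if (Web_Operation.Connection_Successful)` in this hunk is the same five lines as the `-362` and `-378` hunks below and the `-330` hunk above, differing only in the `REG_KEY` and the settings index, and the audit message is a hand-typed string in each copy, which is how the four messages will drift and how a fifth central-config key will be added with a different event ID or none. I would pull the fetch-write-audit sequence into one private helper and reduce each site to a call such as `SYNC_Central_Config(Reg_Operation.REG_KEY.SearchTerms_File_Contents, 6);`, as sketched below. `Connection_Successful` is set by some earlier request that is not visible here, so the helper keeps the same check rather than making a request of its own; the hunk-count arithmetic also shows the added `+` line is a blank line, which can be dropped. `RUN_Setup_AppConfig()` starts and ends outside the hunk.

```csharp
// Copies one central config document into its registry key and raises the audit event.
// The four call sites in RUN_Setup_AppConfig() differ only in the key and in where the
// source URL sits in the settings array, so the wording and event ID live here once.
private static void SYNC_Central_Config(Reg_Operation.REG_KEY regKey, int argIndex)
{
    if (!Web_Operation.Connection_Successful)
    {
        return;
    }
    string centralSource = AppConfig_File_Args[SWELF_AppConfig_Args[argIndex]].ToString();
    Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(regKey, Web_Operation.UPDATE_Reg_Config_With_Central_Config(centralSource));
    Error_Operation.Log_Error("RUN_Setup_AppConfig()", "Reg key " + regKey + " updated from central config source " + centralSource + ".", "", Error_Operation.LogSeverity.Informataion, Error_Operation.EventID.SWELF_Central_Config_Changed);
}
```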
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright 2018
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
diff --git a/SWELF/SWELF/Web_Operation.cs b/SWELF/SWELF/Web_Operation.cs
index 664265d..deb6224 100644
--- a/SWELF/SWELF/Web_Operation.cs
+++ b/SWELF/SWELF/Web_Operation.cs
@@ -1,4 +1,6 @@
-using System;
+//Written by Ceramicskate0
+//Copyright 2020
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
@@ -301,7 +303,7 @@ protected override WebRequest GetWebRequest(Uri uri)
 {
 WebRequest w = base.GetWebRequest(uri);
 w.UseDefaultCredentials = true;
- w.Timeout = 2000;
+ w.Timeout = 5000;
 return w;
 }
 }
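Review bot: Raising the timeout to 5000 ms is fine, but the context line right above it, `w.UseDefaultCredentials = true;`, is what I would pause on: every request built by this `GetWebRequest` override offers the process's Windows credentials to whichever host the URI names, and as far as the Settings.cs hunks in this commit show, those URIs are the `central_*_config` values read from the app config, so a tampered setting or a DNS/HTTP redirect can coerce an NTLM or Kerberos handshake with a server the attacker controls, under whatever account runs this registry-writing agent. I would at least gate the credentials on the scheme, `w.UseDefaultCredentials = string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);`, and consider restricting the central config to an allow-listed host where the URL is read from config. Whether TLS is enforced anywhere else in `Web_Operation` is not visible here. `GetWebRequest` is complete within the hunk; the class it belongs to starts outside it.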