From 2631a8f57736992b6f70b9998d298998c05b0077 Mon Sep 17 00:00:00 2001
From: "Namhyeon, Go"
Date: Mon, 12 Aug 2024 13:00:04 +0900
Subject: [PATCH] some fixes
---
.../WelsonJS.Service/FileEventMonitor.cs | 37 +++++++++++++------
.../WelsonJS.Service/ScreenMatching.cs | 18 +++++++--
app/assets/yar/MALW_Eicar.yar | 22 -----------
app/assets/yar/eicar.yara | 34 +++++++++++++++++
4 files changed, 74 insertions(+), 37 deletions(-)
delete mode 100644 app/assets/yar/MALW_Eicar.yar
create mode 100644 app/assets/yar/eicar.yara
diff --git a/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs b/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
index 7ef47d6..57a20d2 100644
--- a/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
+++ b/WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs
@@ -19,9 +19,16 @@ namespace WelsonJS.Service public FileEventMonitor(ServiceBase parent, string workingDirectory) { this.parent = (ServiceMain)parent;
- this.ruleFolderPath = Path.Combine(workingDirectory, "app/assets/yar");
+ ruleFolderPath = Path.Combine(workingDirectory, "app/assets/yar");
- AddYaraRules(new List(Directory.GetFiles(this.ruleFolderPath, "*.yar")));
+ try
+ {
+ AddYaraRules(new List(Directory.GetFiles(ruleFolderPath, "*.yar")));
+ }
+ catch (Exception ex)
+ {
+ this.parent.Log($"Exception (FileEventMonitor): {ex.Message}");
+ }
} public void AddYaraRulesFromDirectory(string directoryPath)
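Review bot: The glob in the new try block, `Directory.GetFiles(ruleFolderPath, "*.yar")`, does not clearly pick up the rule file this same commit creates as `app/assets/yar/eicar.yara`; on .NET Framework a three-character extension pattern also matches longer extensions (the 8.3 short-name quirk), while on .NET Core/5+ it does not, so whether the new rule loads at all depends on the runtime. Match the extension explicitly instead, e.g. `var ruleFiles = Directory.GetFiles(ruleFolderPath).Where(f => Path.GetExtension(f).Equals(".yar", StringComparison.OrdinalIgnoreCase) || Path.GetExtension(f).Equals(".yara", StringComparison.OrdinalIgnoreCase)).ToList();` (needs `using System.Linq;` if the file lacks it). Separately, `catch (Exception ex)` turns a missing or unreadable rule folder into one generic log line and the monitor then runs with no rules, i.e. it fails open; say so in the message and record how many rules were loaded, `this.parent.Log($"FileEventMonitor: no YARA rules loaded from {ruleFolderPath}, file detection is inactive - {ex.Message}");`. The constructor is fully inside the hunk; `AddYaraRules` and `AddYaraRulesFromDirectory` are not.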
@@ -71,17 +78,25 @@ namespace WelsonJS.Service public void Start() {
- string query = @" - - - - ";
+ try
+ {
+ string query = @" + + + + ";
- EventLogQuery eventLogQuery = new EventLogQuery("Microsoft-Windows-Sysmon/Operational", PathType.LogName, query);
- eventLogWatcher = new EventLogWatcher(eventLogQuery);
+ EventLogQuery eventLogQuery = new EventLogQuery("Microsoft-Windows-Sysmon/Operational", PathType.LogName, query);
+ eventLogWatcher = new EventLogWatcher(eventLogQuery);
- eventLogWatcher.EventRecordWritten += new EventHandler(OnEventRecordWritten);
- eventLogWatcher.Enabled = true;
+ eventLogWatcher.EventRecordWritten += new EventHandler(OnEventRecordWritten);
+ eventLogWatcher.Enabled = true;
+ }
+ catch (Exception ex)
+ {
+ parent.Log($"Exception (FileEventMonitor): {ex.Message}");
+ Stop();
+ }
} public void Stop()
diff --git a/WelsonJS.Toolkit/WelsonJS.Service/ScreenMatching.cs b/WelsonJS.Toolkit/WelsonJS.Service/ScreenMatching.cs
index 60dc4f1..af620dd 100644
--- a/WelsonJS.Toolkit/WelsonJS.Service/ScreenMatching.cs
+++ b/WelsonJS.Toolkit/WelsonJS.Service/ScreenMatching.cs
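Review bot: The `catch (Exception ex)` added around the watcher setup in `Start()` makes the two failures that are actually expected here look like any other error: the `Microsoft-Windows-Sysmon/Operational` channel not existing because Sysmon is not installed (`EventLogNotFoundException`) and the service account lacking read access to it (`UnauthorizedAccessException`); either one now produces a single generic line and a `Stop()` while the service keeps reporting healthy, so the file monitor is silently fail-open. Catch the specific types and state the consequence, e.g. `catch (Exception ex) when (ex is EventLogException || ex is UnauthorizedAccessException)` and `parent.Log($"FileEventMonitor.Start: Sysmon event monitoring is DISABLED ({ex.GetType().Name}): {ex.Message}");`, and let anything else propagate so a real bug is not masked. The XPath in `query` is not visible in this view, so the event filter itself could not be reviewed; `Stop()`'s body is also outside the hunk, so it is assumed to tolerate a watcher that was constructed but never enabled.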
@@ -59,20 +59,30 @@ public class ScreenMatching public ScreenMatching(ServiceBase parent, string workingDirectory) { this.parent = (ServiceMain)parent;
- this.templateFolderPath = Path.Combine(workingDirectory, "app/assets/img/_templates");
- this.templateImages = new List();
+ templateFolderPath = Path.Combine(workingDirectory, "app/assets/img/_templates");
+ templateImages = new List();
LoadTemplateImages(); } public void LoadTemplateImages() {
- var files = System.IO.Directory.GetFiles(templateFolderPath, "*.png");
+ string[] files;
+
+ try
+ {
+ files = Directory.GetFiles(templateFolderPath, "*.png");
+ }
+ catch (Exception ex)
+ {
+ files = new string[] { };
+ parent.Log($"Exception (ScreenMatching): {ex.Message}");
+ }
foreach (var file in files) { Bitmap bitmap = new Bitmap(file);
- bitmap.Tag = System.IO.Path.GetFileName(file);
+ bitmap.Tag = Path.GetFileName(file);
templateImages.Add(bitmap); } }
diff --git a/app/assets/yar/MALW_Eicar.yar b/app/assets/yar/MALW_Eicar.yar
deleted file mode 100644
index fab345d..0000000
--- a/app/assets/yar/MALW_Eicar.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule malw_eicar {
-
- meta:
-
- description = "Rule to detect the EICAR pattern"
- author = "Marc Rivero | McAfee ATR Team"
- reference = "https://www.eicar.org/"
- rule_version = "v1"
- malware_type = "eicar"
- malware_family = "W32/Eicar"
- actor_type = "Unknown"
- actor_group = "Unknown"
- hash = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
-
- strings:
-
- $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
-
- condition:
-
- any of them
-}
diff --git a/app/assets/yar/eicar.yara b/app/assets/yar/eicar.yara
new file mode 100644
index 0000000..0c32b59
--- /dev/null
+++ b/app/assets/yar/eicar.yara
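Review bot: The new try/catch in `LoadTemplateImages()` only guards `Directory.GetFiles`; `new Bitmap(file)` in the loop below it is still unguarded, so one truncated, corrupt or non-PNG file in `_templates` (an `ArgumentException` from the Bitmap constructor, or `OutOfMemoryException` from GDI+ on a malformed image) still propagates out of the constructor and takes the service down, which is exactly the failure class this commit sets out to handle. Worth keeping in mind as well that these files are decoded by GDI+ inside the service process; if `app/assets/img/_templates` is writable by less-privileged users on the host, a planted image reaches that decoder, so the directory's ACL should be as tight as the service binary's. Guard each file individually and keep loading the rest; `files = new string[] { };` can also simply be `Array.Empty<string>()`. `LoadTemplateImages` is fully inside the hunk; the class continues outside it.

```csharp
// … unchanged: GetFiles try/catch …
foreach (var file in files)
{
    try
    {
        Bitmap bitmap = new Bitmap(file);
        bitmap.Tag = Path.GetFileName(file);
        templateImages.Add(bitmap);
    }
    catch (Exception ex)
    {
        // One unreadable template must not stop the whole service from starting.
        parent.Log($"Exception (ScreenMatching): skipping template {file}: {ex.Message}");
    }
}
```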
@@ -0,0 +1,34 @@
+rule eicar_av_test {
+ /*
+ Per standard, match only if entire file is EICAR string plus optional trailing whitespace.
+ The raw EICAR string to be matched is:
+ X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
+ */
+
+ meta:
+ description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
+ author = "Austin Byers | Airbnb CSIRT"
+ reference = "http://www.eicar.org/86-0-Intended-use.html"
+
+ strings:
+ $eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/
+
+ condition:
+ all of them
+}
+
+rule eicar_substring_test {
+ /*
+ More generic - match just the embedded EICAR string (e.g. in packed executables, PDFs, etc)
+ */
+
+ meta:
+ description = "Standard AV test, checking for an EICAR substring"
+ author = "Austin Byers | Airbnb CSIRT"
+
+ strings:
+ $eicar_substring = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
+
+ condition:
+ all of them
+}
\ No newline at end of file
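Review bot: The `description` meta of `eicar_av_test` still says the rule verifies "that BinaryAlert is working correctly"; BinaryAlert is the project the rule was copied from, not this service, and the meta is what an operator sees when the rule fires, so reword it while keeping the `author`/`reference` attribution, e.g. `description = "Standard EICAR AV test file; verifies that the WelsonJS file event monitor's YARA scanning works."`. Note also that this file carries the full EICAR string in its header comment and `eicar_substring_test` matches on the bare `$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!` substring, so the rule file matches itself; if the monitor ever scans `app/assets/yar`, or the host AV inspects it, expect a hit on `eicar.yara` and either exclude the rules directory from scanning or document the expected self-match in the header comment. The file also lacks a trailing newline, which some YARA tooling warns about.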