-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 642a88b
Showing
14 changed files
with
3,460 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Generated by Cargo | ||
| # will have compiled files and executables | ||
| debug/ | ||
| target/ | ||
|
|
||
| .vscode/ | ||
|
|
||
| # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries | ||
| # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html | ||
| Cargo.lock | ||
|
|
||
| # These are backup files generated by rustfmt | ||
| **/*.rs.bk | ||
|
|
||
| # MSVC Windows builds of rustc generate these, which store debugging information | ||
| *.pdb | ||
|
|
||
| # RustRover | ||
| # JetBrains specific template is maintained in a separate JetBrains.gitignore that can | ||
| # be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore | ||
| # and can be added to the global gitignore or merged into this file. For a more nuclear | ||
| # option (not recommended) you can uncomment the following to ignore the entire idea folder. | ||
| #.idea/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| # Changelog | ||
|
|
||
| ## [0.1.0] - 2024-06 | ||
| ### Initial Release | ||
| #### Released with the following auditing policies | ||
| - AuditCredentialValidation (Default of Success and Failure) | ||
| - AuditKerberosAuthenticationService (Default of Success and Failure, Domain Controller Only) | ||
| - AuditKerberosServiceTicketOperation (Default of Success and Failure, Domain Controller Only) | ||
| - AuditDirectoryServiceAccess (Default of Failure, Domain Controller Only) | ||
| - AuditDirectoryServiceChanges (Default of Success, Domain Controller Only) | ||
| - AuditComputerAccountManagement (Default of Success, Domain Controller Only) | ||
| - AuditOtherAccountManagementEvents (Default of Success, Domain Controller Only) | ||
| - AuditSecurityGroupManagement (Default of Success) | ||
| - AuditUserAccountManagement (Default of Success and Failure) | ||
| - AuditProcessCreation (Default of Success) | ||
| - AuditAccountLockout (Default of Failure) | ||
| - AuditLogoff (Default of Success) | ||
| - AuditLogon (Default of Success and Failure) | ||
| - AuditSpecialLogon (Default of Success) | ||
| - AuditAuditPolicyChange (Default of Success) | ||
| - AuditAuthenticationPolicyChange (Default of Success) | ||
| - AuditMpssvcRulelevelPolicyChange (Default of Success) | ||
| - AuditIpsecDriver (Default of Success and Failure) | ||
| - AuditSecurityStateChange (Default of Success) | ||
| - AuditSecuritySystemExtension (Default of Success) | ||
| - AuditSystemIntegrity (Default of Success and Failure) | ||
| - AuditDetailedFileShare (Default of Failure) | ||
| #### The following registries are tracked and set to modify audit behaviors. | ||
| - ProcessCreationIncludeCmdLine_Enabled (Default of 1) | ||
| - scenoapplylegacyauditpolicy (Default of 1) | ||
| #### Functionality also includes tracking of: | ||
| - Sysmon Service Status | ||
| - Sysmon Process | ||
| - Sysmon Config | ||
|
|
||
| ## [0.1.1] - 2024-06-14 | ||
| ### Added Audit Policy | ||
| - The audit policy OtherObjectAccessEvents was added (Default of Success and Failure). | ||
| - This was added for the benefit of tracking Scheduled Tasks and COM. | ||
|
|
||
| ## [0.1.2] - 2024-06-17 | ||
| ### Added Audit Behavior - ScriptBlockLogging | ||
| - The registry value ScriptBlockLogging was added to be set (Default of 1) and audited. | ||
| - This enables Powershell Script Block Logging. | ||
| - This adds the benefit of being able to track Powershell code execution. | ||
|
|
||
| ## [0.1.3] - 2024-06-19 | ||
| ### Added Audit Behavior - ScriptBlockInvocationLogging | ||
| - The registry value ScriptBlockInvocationLogging was added to be set (Default of 0) and audited. | ||
| - This enables control over Powershell Script Block Invocation Logging. | ||
| ### Modified Sysmon Binary Path Identification | ||
| - Instead of assuming the paths `C:\Windows\Sysmon.exe`, `C:\Windows\Sysmon64.exe`, and `C:\windows\Sysmon64a.exe`, query the service for its binary path. | ||
| - It is unclear if this will help with the Service File Version bug where Windows cannot find the service binary sometimes. | ||
| - Sometimes Windows throws an error that the file cannot be found. | ||
| - Allows for the Sysmon Binary path to be logged even if it's not installed where it's expected. | ||
| ### Improved Windows Errors | ||
| - Implemented a function to use the API GetLastError and FormatMessage functions to improve error logging. | ||
|
|
||
| ## [0.1.4] - 2024-06-25 | ||
| ### Added Powershell Module Logging | ||
| - ModuleLogging for Powershell was added to introduce additional Powershell auditing. | ||
| - Defaults to: | ||
| - Microsoft.Powershell.* | ||
| - Microsoft.WSMan.Management | ||
| - ActiveDirectory | ||
| ### Registry Static Values | ||
| - Changed registry values into static values. | ||
| - Avoids repetition and is cleaner to read. | ||
|
|
||
| ## [0.1.5] - 2024-07-01 | ||
| ### Implemented the Missing Audit Policies | ||
| - Implemented an audit policy configuration for "do nothing". | ||
| - No changes will be made to change the existing policy. | ||
| - If a policy is configured to "No Auditing", it is omitted from the log. | ||
| - This is because 59 different policies create an unwieldy log if always generated with that much data. | ||
| - Added the following policies: | ||
| - DC | ||
| - AuditCertificationServices (Default: Success and Failure) | ||
| - AuditDirectoryServiceReplication (Default: Do Nothing) | ||
| - AuditDetailedDirectoryServiceReplication (Default: Do Nothing) | ||
| - AuditOtherAccountLogonEvents (Default: Do Nothing) | ||
| - All | ||
| - AuditOtherSystemEvents (Default: Success and Failure) | ||
| - AuditIpsecMainMode (Default: Do Nothing) | ||
| - AuditIpsecQuickMode (Default: Do Nothing) | ||
| - AuditIpsecExtendedMode (Default: Do Nothing) | ||
| - AuditOtherLogonLogoffEvents (Default: Success and Failure) | ||
| - AuditNetworkPolicyServer (Default: Do Nothing) | ||
| - AuditUserDeviceClaims (Default: Do Nothing) | ||
| - AuditGroupMembership (Default: Success) | ||
| - AuditFileSystem (Default: Do Nothing) | ||
| - AuditRegistry (Default: Do Nothing) | ||
| - AuditKernelObject (Default: Do Nothing) | ||
| - AuditSam (Default: Do Nothing) | ||
| - AuditApplicationGenerated (Default: Do Nothing) | ||
| - AuditHandleManipulation (Default: Do Nothing) | ||
| - AuditFileShare (Default: Do Nothing) | ||
| - AuditFilteringPlatformPacketDrop (Default: Do Nothing) | ||
| - AuditFilteringPlatformConnection (Default: Failure) | ||
| - AuditRemovableStorage (Default: Do Nothing) | ||
| - AuditCentralPolicyStaging (Default: Do Nothing) | ||
| - AuditSensitivePrivilegeUse (Default: Do Nothing) | ||
| - AuditNonSensitivePrivlegeUse (Default: Do Nothing) | ||
| - AuditOtherPrivilegeUseEvents (Default: Do Nothing) | ||
| - AuditProcessTermination (Default: Do Nothing) | ||
| - AuditDpapiActivity (Default: Do Nothing) | ||
| - AuditRpcEvents (Default: Do Nothing) | ||
| - AuditPlugAndPlayEvents (Default: Success) | ||
| - AuditAuthorizationPolicyChange (Default: Do Nothing) | ||
| - AuditFilteringPlatformPolicychange (Default: Do Nothing) | ||
| - AuditOtherPolicyChangeEvents (Default: Do Nothing) | ||
| - AuditDistributionGroupManagement (Default: Do Nothing) | ||
| - AuditApplicationGroupManagement (Default: Do Nothing) | ||
|
|
||
| ## [0.1.6] - 2024-07-10 | ||
| ### Applied GNU GPLv3 License | ||
| - Added license information to source files. | ||
| - Added LICENSE.txt | ||
| - Added README.md | ||
|
|
||
| ## [0.1.7] - 2024-07-22 | ||
| ### Patch: Improve get_service_path | ||
| A new development of Sysmon determining audit inspector as performing process tampering led to "fishing" for what's is the source. | ||
| Several API calls that are commonly associated with process tampering were removed from `get_service_path` in sysmon.rs. | ||
| The code is cleaner and easier to read. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| [package] | ||
| name = "audit-inspector" | ||
| version = "0.1.7" | ||
| edition = "2021" | ||
|
|
||
| [dependencies] | ||
| clap = { version = "4.5.4", features = ["derive"] } | ||
| console = "0.15.8" | ||
| lazy_static = "1.4.0" | ||
| regex = "1.10.4" | ||
| serde_json = "1.0.117" | ||
| sha2 = "0.10.8" | ||
|
|
||
| [dependencies.windows-registry] | ||
| version = "0.1" | ||
|
|
||
| [dependencies.windows] | ||
| version = "0.56.0" | ||
| features = [ | ||
| "Win32_System_Com", | ||
| "Win32_System_Ole", | ||
| "Win32_System_Wmi", | ||
| "Win32_System_Rpc", | ||
| "Win32_System_Services", | ||
| "Win32_System_SystemInformation", | ||
| "Win32_System_EventLog", | ||
| "Win32_System_Threading", | ||
| "Win32_System_TaskScheduler", | ||
| "Win32_Security", | ||
| "Win32_Security_Authorization", | ||
| "Win32_Storage_FileSystem", | ||
| "Win32_System_Variant", | ||
| "Win32_System_SystemServices", | ||
| "Win32_System_Diagnostics_Debug", | ||
| "Win32_System_Memory", | ||
| ] |
Oops, something went wrong.