diff --git a/.gitignore b/.gitignore index 3cf1980..ff9db11 100644 --- a/.gitignore +++ b/.gitignore @@ -378,10 +378,6 @@ FodyWeavers.xsd # VS Code files for those working on multiple tools .vscode/* -!.vscode/settings.json -!.vscode/tasks.json -!.vscode/launch.json -!.vscode/extensions.json *.code-workspace # Local History for Visual Studio Code @@ -397,5 +393,5 @@ FodyWeavers.xsd # JetBrains Rider *.sln.iml -# Rust ourput -/target \ No newline at end of file +# Rust output +/target diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 5609f60..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "rust-analyzer.linkedProjects": [ - ".\\Cargo.toml" - ], - "rust-analyzer.showUnlinkedFileNotification": false -} \ No newline at end of file diff --git a/Artefacts.md b/Artefacts.md deleted file mode 100644 index cfcbfbb..0000000 --- a/Artefacts.md +++ /dev/null @@ -1,149 +0,0 @@ - -# Artefact list - -- [Sysmon V15 Artefact](#sysmon-v15-artefact) - - [Process creation (1)](#process-creation-1) - - [process changed a file creation time (2)](#process-changed-a-file-creation-time-2) - - [Network connection (3)](#network-connection-3) - - [Sysmon service state changed (4)](#sysmon-service-state-changed-4) - - [Process terminated (5)](#process-terminated-5) - - [Driver loaded (6)](#driver-loaded-6) - - [Image loaded (7)](#image-loaded-7) - - [CreateRemoteThread (8)](#createremotethread-8) - - [RawAccessRead (9)](#rawaccessread-9) - - [ProcessAccess (10)](#processaccess-10) - - [FileCreate (11)](#filecreate-11) - - [RegistryEvent (12,13,14)](#registryevent-121314) - - [FileCreateStreamHash (15)](#filecreatestreamhash-15) - - [ServiceConfigurationChange (16)](#serviceconfigurationchange-16) - - [PipeEvent (17,18)](#pipeevent-1718) - - [WmiEvent (19,20,21)](#wmievent-192021) - - [DNSEvent (22)](#dnsevent-22) - - [FileDelete (23)](#filedelete-23) - - [ClipboardChange (24)](#clipboardchange-24) - - [ProcessTampering (25)](#processtampering-25) - - [FileDeleteDetected (26)](#filedeletedetected-26) - - [FileBlockExecutable (27)](#fileblockexecutable-27) - - [FileBlockShredding (28)](#fileblockshredding-28) - - [FileExecutableDetected (29)](#fileexecutabledetected-29) - - [Error (255)](#error-255) -- [Windows builtin Channel](#windows-builtin-channel) - - -# Sysmon V15 Artefact - -- ✔ Wag can create artefact -- ✖ Wag will not create artefact --❓ Need to be check - -| EventID | Description | Cover by wag -| --- | --- | --- | -| 1 | Process creation | ✖ -| 2 | process changed a file creation time | ❓ -| 3 | Network connection | ✖ -| 4 | Sysmon service state changed | ✖ -| 5 | Process terminated | ✖ -| 6 | Driver loaded | ✔ -| 7 | Image loaded | ❓ -| 8 | CreateRemoteThread | ❓ -| 9 | RawAccessRead | ❓ -| 10 | ProcessAccess | ❓ -| 11 | FileCreate | ✔ -| 12 | RegistryEvent (Object create and delete) | ✖ -| 13 | RegistryEvent (Value Set) | ✖ -| 14 | RegistryEvent (Key and Value Rename) | ✖ -| 15 | FileCreateStreamHash | ✔ -| 16 | ServiceConfigurationChange | ✖ -| 17 | PipeEvent (Pipe Created) | ✔ -| 18 | PipeEvent (Pipe Connected) | ❓ -| 19 | WmiEvent (WmiEventFilter activity detected) | ❓ -| 20 | WmiEvent (WmiEventConsumer activity detected) | ❓ -| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | ❓ -| 22 | DNSEvent (DNS query) | ✖ -| 23 | FileDelete (File Delete archived) | ❓ -| 24 | ClipboardChange (New content in the clipboard) | ❓ -| 25 | ProcessTampering (Process image change) | ❓ -| 26 | FileDeleteDetected (File Delete logged) | ❓ -| 27 | FileBlockExecutable | ❓ -| 28 | FileBlockShredding | ❓ -| 29 | FileExecutableDetected | ❓ -| 255 | Error | ✖ - -## Process creation (1) -Cover by other tools like Atomic RedTeam - -## process changed a file creation time (2) -Need to see its usefulness - -## Network connection (3) -Cover by other tools like Atomic RedTeam - -## Sysmon service state changed (4) -Need to see its usefulness - -## Process terminated (5) -Cover by other tools like Atomic RedTeam - -## Driver loaded (6) -Done by the option X - -## Image loaded (7) -Need to see its usefulness - -## CreateRemoteThread (8) -Need to see its usefulness - -## RawAccessRead (9) -Need to see its usefulness - -## ProcessAccess (10) -Need to see its usefulness - -## FileCreate (11) -Done by the option X - -## RegistryEvent (12,13,14) -Cover by other tools like Atomic RedTeam - -## FileCreateStreamHash (15) -Done but get a bug when in Sysmon to validate - -## ServiceConfigurationChange (16) -Need to see its usefulness - -## PipeEvent (17,18) -Only Pipe Created , no Pipe Connected - -## WmiEvent (19,20,21) -Need to see its usefulness - -## DNSEvent (22) -Cover by other tools like Atomic RedTeam - -## FileDelete (23) -Need to see its usefulness - -## ClipboardChange (24) -Need to see its usefulness - -## ProcessTampering (25) -Need to see its usefulness - -## FileDeleteDetected (26) -Need to see its usefulness - -## FileBlockExecutable (27) -Need to see its usefulness - -## FileBlockShredding (28) -Need to see its usefulness - -## FileExecutableDetected (29) -Need to see its usefulness - -## Error (255) -Need to see its usefulness - - -# Windows builtin Channel -- code_integrity when use driver option \ No newline at end of file diff --git a/README.md b/README.md index 1eb75df..2cc39d4 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ It is not designed to generate IOC like ip, hash ... # Artefact -See [Artefacts file](Artefacts.md) +See [Artefacts file](./docs/Artefacts.md) # How Contribute @@ -52,4 +52,4 @@ See [Artefacts file](Artefacts.md) wag.exe ``` -Example can be found here [cli_help](cli_help.md) \ No newline at end of file +Example can be found here [cli_help](./docs/cli_help.md) diff --git a/build.rs b/build.rs index ff50cd8..78c26b5 100644 --- a/build.rs +++ b/build.rs @@ -26,7 +26,7 @@ fn main() { res.set_language((LANG_NEUTRAL << 10) | SUBLANG_NEUTRAL); - res.set_icon("wag.ico"); + res.set_icon("./media/wag.ico"); res.compile().unwrap(); } diff --git a/docs/Artefacts.md b/docs/Artefacts.md new file mode 100644 index 0000000..4c2f700 --- /dev/null +++ b/docs/Artefacts.md @@ -0,0 +1,172 @@ +# Artefact list + +- [Sysmon V15 Artefact](#sysmon-v15-artefact) + - [Process creation (1)](#process-creation-1) + - [process changed a file creation time (2)](#process-changed-a-file-creation-time-2) + - [Network connection (3)](#network-connection-3) + - [Sysmon service state changed (4)](#sysmon-service-state-changed-4) + - [Process terminated (5)](#process-terminated-5) + - [Driver loaded (6)](#driver-loaded-6) + - [Image loaded (7)](#image-loaded-7) + - [CreateRemoteThread (8)](#createremotethread-8) + - [RawAccessRead (9)](#rawaccessread-9) + - [ProcessAccess (10)](#processaccess-10) + - [FileCreate (11)](#filecreate-11) + - [RegistryEvent (12,13,14)](#registryevent-121314) + - [FileCreateStreamHash (15)](#filecreatestreamhash-15) + - [ServiceConfigurationChange (16)](#serviceconfigurationchange-16) + - [PipeEvent (17,18)](#pipeevent-1718) + - [WmiEvent (19,20,21)](#wmievent-192021) + - [DNSEvent (22)](#dnsevent-22) + - [FileDelete (23)](#filedelete-23) + - [ClipboardChange (24)](#clipboardchange-24) + - [ProcessTampering (25)](#processtampering-25) + - [FileDeleteDetected (26)](#filedeletedetected-26) + - [FileBlockExecutable (27)](#fileblockexecutable-27) + - [FileBlockShredding (28)](#fileblockshredding-28) + - [FileExecutableDetected (29)](#fileexecutabledetected-29) + - [Error (255)](#error-255) +- [Windows builtin Channel](#windows-builtin-channel) + +# Sysmon V15 Artefact + +- ✔ Wag can create artefact +- ✖ Wag will not create artefact + -❓ Need to be check + +| EventID | Description | Cover by wag | +| ------- | ----------------------------------------------------- | ------------ | +| 1 | Process creation | ✖ | +| 2 | process changed a file creation time | ❓ | +| 3 | Network connection | ✖ | +| 4 | Sysmon service state changed | ✖ | +| 5 | Process terminated | ✖ | +| 6 | Driver loaded | ✔ | +| 7 | Image loaded | ❓ | +| 8 | CreateRemoteThread | ❓ | +| 9 | RawAccessRead | ❓ | +| 10 | ProcessAccess | ❓ | +| 11 | FileCreate | ✔ | +| 12 | RegistryEvent (Object create and delete) | ✖ | +| 13 | RegistryEvent (Value Set) | ✖ | +| 14 | RegistryEvent (Key and Value Rename) | ✖ | +| 15 | FileCreateStreamHash | ✔ | +| 16 | ServiceConfigurationChange | ✖ | +| 17 | PipeEvent (Pipe Created) | ✔ | +| 18 | PipeEvent (Pipe Connected) | ❓ | +| 19 | WmiEvent (WmiEventFilter activity detected) | ❓ | +| 20 | WmiEvent (WmiEventConsumer activity detected) | ❓ | +| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | ❓ | +| 22 | DNSEvent (DNS query) | ✖ | +| 23 | FileDelete (File Delete archived) | ❓ | +| 24 | ClipboardChange (New content in the clipboard) | ❓ | +| 25 | ProcessTampering (Process image change) | ❓ | +| 26 | FileDeleteDetected (File Delete logged) | ❓ | +| 27 | FileBlockExecutable | ❓ | +| 28 | FileBlockShredding | ❓ | +| 29 | FileExecutableDetected | ❓ | +| 255 | Error | ✖ | + +## Process creation (1) + +Cover by other tools like Atomic RedTeam + +## process changed a file creation time (2) + +Need to see its usefulness + +## Network connection (3) + +Cover by other tools like Atomic RedTeam + +## Sysmon service state changed (4) + +Need to see its usefulness + +## Process terminated (5) + +Cover by other tools like Atomic RedTeam + +## Driver loaded (6) + +Done by the option X + +## Image loaded (7) + +Need to see its usefulness + +## CreateRemoteThread (8) + +Need to see its usefulness + +## RawAccessRead (9) + +Need to see its usefulness + +## ProcessAccess (10) + +Need to see its usefulness + +## FileCreate (11) + +Done by the option X + +## RegistryEvent (12,13,14) + +Cover by other tools like Atomic RedTeam + +## FileCreateStreamHash (15) + +Done but get a bug when in Sysmon to validate + +## ServiceConfigurationChange (16) + +Need to see its usefulness + +## PipeEvent (17,18) + +Only Pipe Created , no Pipe Connected + +## WmiEvent (19,20,21) + +Need to see its usefulness + +## DNSEvent (22) + +Cover by other tools like Atomic RedTeam + +## FileDelete (23) + +Need to see its usefulness + +## ClipboardChange (24) + +Need to see its usefulness + +## ProcessTampering (25) + +Need to see its usefulness + +## FileDeleteDetected (26) + +Need to see its usefulness + +## FileBlockExecutable (27) + +Need to see its usefulness + +## FileBlockShredding (28) + +Need to see its usefulness + +## FileExecutableDetected (29) + +Need to see its usefulness + +## Error (255) + +Need to see its usefulness + +# Windows builtin Channel + +- code_integrity when use driver option diff --git a/cli_help.md b/docs/cli_help.md similarity index 100% rename from cli_help.md rename to docs/cli_help.md diff --git a/help b/help deleted file mode 100644 index 5c74c96..0000000 --- a/help +++ /dev/null @@ -1 +0,0 @@ -PK \ No newline at end of file diff --git a/wag.ico b/media/wag.ico similarity index 100% rename from wag.ico rename to media/wag.ico