Refactor/clean root folder #9

Merged: 7 commits, May 9, 2024
8 changes: 2 additions & 6 deletions .gitignore
Expand Up @@ -378,10 +378,6 @@ FodyWeavers.xsd

# VS Code files for those working on multiple tools
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace

# Local History for Visual Studio Code
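Review bot: dropping the four `!.vscode/...` exceptions while keeping `.vscode/*` means nothing under `.vscode/` can be committed any more, which is consistent with the deletion of `.vscode/settings.json` in this PR; if shared `tasks.json` or `launch.json` files are wanted later, the `!.vscode/tasks.json` and `!.vscode/launch.json` lines will have to come back, so it is worth stating the intent in the commit message so a later contributor does not re-add them by accident.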
Expand All @@ -397,5 +393,5 @@ FodyWeavers.xsd
# JetBrains Rider
*.sln.iml

# Rust ourput
/target
# Rust output
/target
6 changes: 0 additions & 6 deletions .vscode/settings.json

This file was deleted.

149 changes: 0 additions & 149 deletions Artefacts.md

This file was deleted.

4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -36,7 +36,7 @@ It is not designed to generate IOC like ip, hash ...

# Artefact

See [Artefacts file](Artefacts.md)
See [Artefacts file](./docs/Artefacts.md)


# How Contribute
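Review bot: the new link `./docs/Artefacts.md` only resolves because `docs/Artefacts.md` is added in this same PR while the root `Artefacts.md` is deleted, so the two changes must land together; the unchanged heading `# How Contribute` in the context reads as a slip and could become `# How to Contribute` in a follow-up.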
Expand All @@ -52,4 +52,4 @@ See [Artefacts file](Artefacts.md)
wag.exe <COMMAND>
```

Example can be found here [cli_help](cli_help.md)
Example can be found here [cli_help](./docs/cli_help.md)
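Review bot: the changed line keeps the awkward wording "Example can be found here"; since the line is being touched anyway, suggest `Examples can be found in [cli_help](./docs/cli_help.md)`. The new target depends on `cli_help.md` being moved into `docs/` in this PR (one of the `File renamed without changes.` entries), so a quick check that the rendered README link works after merge is worthwhile.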
2 changes: 1 addition & 1 deletion build.rs
Expand Up @@ -26,7 +26,7 @@ fn main() {

res.set_language((LANG_NEUTRAL << 10) | SUBLANG_NEUTRAL);

res.set_icon("wag.ico");
res.set_icon("./media/wag.ico");

res.compile().unwrap();
}
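Review bot: `res.set_icon("./media/wag.ico")` is resolved relative to the directory Cargo runs the build script in (the package root), so the relative path works, but a missing or moved icon only surfaces as a panic from `res.compile().unwrap()` with no hint about the path; consider adding `println!("cargo:rerun-if-changed=media/wag.ico");` so the resource is rebuilt when the icon changes, and replacing the `unwrap()` with `expect("failed to compile Windows resources; check ./media/wag.ico")` so the failure explains itself.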
172 changes: 172 additions & 0 deletions docs/Artefacts.md
@@ -0,0 +1,172 @@
# Artefact list <!-- omit in toc -->

- [Sysmon V15 Artefact](#sysmon-v15-artefact)
- [Process creation (1)](#process-creation-1)
- [process changed a file creation time (2)](#process-changed-a-file-creation-time-2)
- [Network connection (3)](#network-connection-3)
- [Sysmon service state changed (4)](#sysmon-service-state-changed-4)
- [Process terminated (5)](#process-terminated-5)
- [Driver loaded (6)](#driver-loaded-6)
- [Image loaded (7)](#image-loaded-7)
- [CreateRemoteThread (8)](#createremotethread-8)
- [RawAccessRead (9)](#rawaccessread-9)
- [ProcessAccess (10)](#processaccess-10)
- [FileCreate (11)](#filecreate-11)
- [RegistryEvent (12,13,14)](#registryevent-121314)
- [FileCreateStreamHash (15)](#filecreatestreamhash-15)
- [ServiceConfigurationChange (16)](#serviceconfigurationchange-16)
- [PipeEvent (17,18)](#pipeevent-1718)
- [WmiEvent (19,20,21)](#wmievent-192021)
- [DNSEvent (22)](#dnsevent-22)
- [FileDelete (23)](#filedelete-23)
- [ClipboardChange (24)](#clipboardchange-24)
- [ProcessTampering (25)](#processtampering-25)
- [FileDeleteDetected (26)](#filedeletedetected-26)
- [FileBlockExecutable (27)](#fileblockexecutable-27)
- [FileBlockShredding (28)](#fileblockshredding-28)
- [FileExecutableDetected (29)](#fileexecutabledetected-29)
- [Error (255)](#error-255)
- [Windows builtin Channel](#windows-builtin-channel)

# Sysmon V15 Artefact

- ✔ Wag can create artefact
- ✖ Wag will not create artefact
-❓ Need to be check

| EventID | Description | Cover by wag |
| ------- | ----------------------------------------------------- | ------------ |
| 1 | Process creation | ✖ |
| 2 | process changed a file creation time | ❓ |
| 3 | Network connection | ✖ |
| 4 | Sysmon service state changed | ✖ |
| 5 | Process terminated | ✖ |
| 6 | Driver loaded | ✔ |
| 7 | Image loaded | ❓ |
| 8 | CreateRemoteThread | ❓ |
| 9 | RawAccessRead | ❓ |
| 10 | ProcessAccess | ❓ |
| 11 | FileCreate | ✔ |
| 12 | RegistryEvent (Object create and delete) | ✖ |
| 13 | RegistryEvent (Value Set) | ✖ |
| 14 | RegistryEvent (Key and Value Rename) | ✖ |
| 15 | FileCreateStreamHash | ✔ |
| 16 | ServiceConfigurationChange | ✖ |
| 17 | PipeEvent (Pipe Created) | ✔ |
| 18 | PipeEvent (Pipe Connected) | ❓ |
| 19 | WmiEvent (WmiEventFilter activity detected) | ❓ |
| 20 | WmiEvent (WmiEventConsumer activity detected) | ❓ |
| 21 | WmiEvent (WmiEventConsumerToFilter activity detected) | ❓ |
| 22 | DNSEvent (DNS query) | ✖ |
| 23 | FileDelete (File Delete archived) | ❓ |
| 24 | ClipboardChange (New content in the clipboard) | ❓ |
| 25 | ProcessTampering (Process image change) | ❓ |
| 26 | FileDeleteDetected (File Delete logged) | ❓ |
| 27 | FileBlockExecutable | ❓ |
| 28 | FileBlockShredding | ❓ |
| 29 | FileExecutableDetected | ❓ |
| 255 | Error | ✖ |

## Process creation (1)

Cover by other tools like Atomic RedTeam

## process changed a file creation time (2)

Need to see its usefulness

## Network connection (3)

Cover by other tools like Atomic RedTeam

## Sysmon service state changed (4)

Need to see its usefulness

## Process terminated (5)

Cover by other tools like Atomic RedTeam

## Driver loaded (6)

Done by the option X

## Image loaded (7)

Need to see its usefulness

## CreateRemoteThread (8)

Need to see its usefulness

## RawAccessRead (9)

Need to see its usefulness

## ProcessAccess (10)

Need to see its usefulness

## FileCreate (11)

Done by the option X

## RegistryEvent (12,13,14)

Cover by other tools like Atomic RedTeam

## FileCreateStreamHash (15)

Done but get a bug when in Sysmon to validate

## ServiceConfigurationChange (16)

Need to see its usefulness

## PipeEvent (17,18)

Only Pipe Created , no Pipe Connected

## WmiEvent (19,20,21)

Need to see its usefulness

## DNSEvent (22)

Cover by other tools like Atomic RedTeam

## FileDelete (23)

Need to see its usefulness

## ClipboardChange (24)

Need to see its usefulness

## ProcessTampering (25)

Need to see its usefulness

## FileDeleteDetected (26)

Need to see its usefulness

## FileBlockExecutable (27)

Need to see its usefulness

## FileBlockShredding (28)

Need to see its usefulness

## FileExecutableDetected (29)

Need to see its usefulness

## Error (255)

Need to see its usefulness

# Windows builtin Channel

- code_integrity when use driver option
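Review bot: the table and the per-event sections disagree for EventID 18: the table marks `PipeEvent (Pipe Connected)` as ❓ while the section says `Only Pipe Created , no Pipe Connected`, so 18 should probably be ✖ (or the section should say it is still untested). Smaller points in the same file: the legend line `-❓ Need to be check` is missing the space after the dash and would read better as `- ❓ Needs to be checked`; the column header `Cover by wag` should be `Covered by wag`; sections 6 and 11 say `Done by the option X`, which looks like a placeholder for the real CLI option name; section 15 (`Done but get a bug when in Sysmon to validate`) should state what the bug is or link an issue; and the `code_integrity when use driver option` bullet would be more useful with the exact Windows event channel name spelled out.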
File renamed without changes.
1 change: 0 additions & 1 deletion help

This file was deleted.

File renamed without changes.