Merge pull request #153 from Yamato-Security/152-add-failed-logon-sum…

…mary feat: added `failedLogons` option `stack-logons`
Yamato-Security · Apr 16, 2024 · 03171d7 · 03171d7
2 parents 18cb513 + 8664852
commit 03171d7
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 13 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -1,5 +1,11 @@
 # 変更点
 
+## x.x.x [xxxx/xx/xx]
+
+**改善:**
+
+- `stack-logons`コマンドに`-f, --failedLogons`オプションを追加して、`automagic`コマンドで失敗したログイン集計を出力するようにした。 (#152) (@fukusuket)
+
 ## 2.5.0 [2024/03/30] - BSides Tokyo Release
 
 **新機能:**

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changes
 
+## x.x.x [xxxx/xx/xx]
+
+**Enhancements:**
+
+- Added `-f, --failedLogons` to the `stack-logons` command and added stacked failed logon information to the `automagic` command output. (#152) (@fukusuket)
+
 ## 2.5.0 [2024/03/30] - BSides Tokyo Release
 
 **New Features:**

diff --git a/src/takajo.nim b/src/takajo.nim
@@ -58,7 +58,7 @@ include takajopkg/automagic
 
 
 when isMainModule:
-    clCfg.version = "2.5.0"
+    clCfg.version = "2.5.1-dev"
     const examples = "Examples:\p"
     const example_automagic = "  automagic -t ../hayabusa/timeline.jsonl [--level low] [--displayTable] -o case-1\p"
     const example_extract_scriptblocks = "  extract-scriptblocks -t ../hayabusa/timeline.jsonl [--level low] -o scriptblock-logs\p"
@@ -73,7 +73,7 @@ when isMainModule:
     const example_stack_computers = "  stack-computers -t ../hayabusa/timeline.jsonl [--level informational] [--sourceComputers] [--skipProgressBar] -o computers.csv\p"
     const example_stack_dns = "  stack-dns -t ../hayabusa/timeline.jsonl [--level infomational] [--skipProgressBar] -o dns.csv\p"
     const example_stack_ip_addresses = "  stack-ip-addresses -t ../hayabusa/timeline.jsonl [--level infomational] [--targetIpAddresses] [--skipProgressBar] -o ipAddresses.csv\p"
-    const example_stack_logons = "  stack-logons -t ../hayabusa/timeline.jsonl [--skipProgressBar] -o logons.csv\p"
+    const example_stack_logons = "  stack-logons -t ../hayabusa/timeline.jsonl [--skipProgressBar] [--failedLogons] -o logons.csv\p"
     const example_stack_processes = "  stack-processes -t ../hayabusa/timeline.jsonl [--level low] [--skipProgressBar] -o processes.csv\p"
     const example_stack_services  = "  stack-services -t ../hayabusa/timeline.jsonl [--level infomational] [--skipProgressBar] -o services.csv\p"
     const example_stack_tasks = "  stack-tasks -t ../hayabusa/timeline.jsonl [--level infomational] [--skipProgressBar] -o tasks.csv\p"
@@ -276,6 +276,7 @@ when isMainModule:
             doc = "stack logons by target user, target computer, source IP address and source computer",
             help = {
                 "localSrcIpAddresses": "include results when the source IP address is local",
+                "failedLogons": "stack failed logons instead of successful logons",
                 "output": "save results to a CSV file (default: stdout)",
                 "quiet": "do not display the launch banner (default: false)",
                 "skipProgressBar": "do not display the progress bar (default: false)",

diff --git a/src/takajopkg/automagic.nim b/src/takajopkg/automagic.nim
@@ -68,9 +68,13 @@ proc autoMagic(level: string = "informational", skipProgressBar: bool = false,
     output: output & "/StackTargetIP-Addresses.csv",
     targetIpAddresses: true)
 
-  # stack-logons -t ../hayabusa/timeline.jsonl -o case-1/Logons.csv
-  let cmd12 = StackLogonsCmd(name: "stack-logons", displayTable: displayTable,
-    timeline: timeline, output: output & "/StackLogons.csv")
+  # stack-logons -t ../hayabusa/timeline.jsonl -o case-1/StackLogons.csv
+  let cmd12 = StackLogonsCmd(name: "stack-logons(successful)", displayTable: displayTable,
+    timeline: timeline, output: output & "/StackSuccessfulLogons.csv")
+
+  # stack-logons -t ../hayabusa/timeline.jsonl --failedLogons -o case-1/StackFailedLogons.csv
+  let cmd122 = StackLogonsCmd(name: "stack-logons(failed)", displayTable: displayTable,
+    timeline: timeline, output: output & "/StackFailedLogons.csv", failedLogons:true)
 
   # stack-processes -t ../hayabusa/timeline.jsonl --level <level> -o case-1/Processes.csv
   let cmd13 = StackProcessesCmd(name: "stack-processes", level: level,
@@ -137,10 +141,10 @@ proc autoMagic(level: string = "informational", skipProgressBar: bool = false,
 
   # execute all command
   let cmds = @[cmd1, cmd2, cmd3, cmd4, cmd5, cmd6, cmd7, cmd8, cmd9, cmd10,
-        cmd11, cmd12, cmd13, cmd14, cmd15, cmd16, cmd17, cmd18, cmd19,
+        cmd11, cmd12, cmd122, cmd13, cmd14, cmd15, cmd16, cmd17, cmd18, cmd19,
         cmd20,
         cmd21, cmd22, cmd23, cmd24, cmd25]
   let cmd = AutoMagicCmd(level: level, skipProgressBar: skipProgressBar,
     displayTable: displayTable, output: output, timeline: timeline,
     name: "automagic", msg: AutoMagicMsg)
-  cmd.analyzeJSONLFile(cmds)
+  cmd.analyzeJSONLFile(cmds)
diff --git a/src/takajopkg/stackLogons.nim b/src/takajopkg/stackLogons.nim
@@ -1,15 +1,18 @@
 # TODO
 # Output to stdout in tables (Target User, Target Computer, Logon Type, Source Computer)
 # Remove local logins
-const StackLogonsMsg = "This command will stack logons based on target user, target computer, source IP address and source computer from Security 4624 events.\nLocal source IP addresses are not included by default but can be enabled with -l, --localSrcIpAddresses."
+const StackLogonsMsg = "This command will stack logons based on target user, target computer, source IP address and source computer from Security 4624/4625 events.\nLocal source IP addresses are not included by default but can be enabled with -l, --localSrcIpAddresses."
 
 type
   StackLogonsCmd* = ref object of AbstractCmd
     seqOfStrings*: seq[string]
     uniqueLogons = 0
     localSrcIpAddresses: bool
+    failedLogons: bool
 
 method filter*(self: StackLogonsCmd, x: HayabusaJson): bool =
+  if self.failedLogons:
+      return isEID_4625(x.RuleTitle)
   return isEID_4624(x.RuleTitle)
 
 method analyze*(self: StackLogonsCmd, x: HayabusaJson) =
@@ -48,7 +51,7 @@ method resultOutput*(self: StackLogonsCmd) =
   if self.output == "":
     # Print the sorted counts with unique strings
     for (string, count) in seqOfPairs:
-      inc self.uniqueLogons
+      self.uniqueLogons += count
       var commaDelimitedStr = $count & "," & string
       commaDelimitedStr = replace(commaDelimitedStr, ",", " | ")
       echo commaDelimitedStr
@@ -60,7 +63,7 @@ method resultOutput*(self: StackLogonsCmd) =
 
     # Write results
     for (string, count) in seqOfPairs:
-      inc self.uniqueLogons
+      self.uniqueLogons += count
       writeLine(outputFile, $count & "," & string)
     outputFileSize = getFileSize(outputFile)
     close(outputFile)
@@ -72,7 +75,7 @@ method resultOutput*(self: StackLogonsCmd) =
     echo "Saved file: " & savedFiles
   self.cmdResult = CmdResult(results: results, savedFiles: savedFiles)
 
-proc stackLogons(localSrcIpAddresses = false, skipProgressBar: bool = false,
+proc stackLogons(localSrcIpAddresses = false, failedLogons = false, skipProgressBar: bool = false,
     output: string = "", quiet: bool = false, timeline: string) =
   checkArgs(quiet, timeline, "informational")
   var filePaths = getTargetExtFileLists(timeline, ".jsonl", true)
@@ -83,5 +86,6 @@ proc stackLogons(localSrcIpAddresses = false, skipProgressBar: bool = false,
                 output: output,
                 name: "stack-logons",
                 msg: StackLogonsMsg,
-                localSrcIpAddresses: localSrcIpAddresses)
-    cmd.analyzeJSONLFile()
+                localSrcIpAddresses: localSrcIpAddresses,
+                failedLogons: failedLogons)
+    cmd.analyzeJSONLFile()