Add files via upload

ceramicskate0 · Apr 6, 2020 · 8991e86 · 8991e86
1 parent 8c4330c
commit 8991e86
Show file tree

Hide file tree

Showing 18 changed files with 175 additions and 222 deletions.
diff --git a/SWELF/SWELF/Compression_Operation.cs b/SWELF/SWELF/Compression_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Text;
 using System.IO;

diff --git a/SWELF/SWELF/Crypto_Operation.cs b/SWELF/SWELF/Crypto_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -68,10 +68,6 @@ internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
                         File.Decrypt(FilePath);
                     }
                 }
-                if (e.Message.Contains("Padding"))//TODO REMOVE THIS
-                {
-                    Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
-                }
                 else if (e.Message.Contains("The input data is not a complete block."))
                 {
                     if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))

diff --git a/SWELF/SWELF/Error_Operation.cs b/SWELF/SWELF/Error_Operation.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright 
+//Copyright 2020
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -43,29 +43,6 @@ internal static void ErrorLogging_Level()
                 {
                     Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
                 }
-                else if (string.IsNullOrEmpty(Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level)))
-                {
-                    if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
-                    {
-                        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
-                    }
-                    else
-                    {
-                        //error in logic here
-                    }
-                }
-                else if (Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level) != Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]])
-                {
-                    if (File_Operation.CHECK_File_Encrypted(Settings.GET_AppConfigFile_Path) && File_Operation.GET_CreationTime(Settings.GET_AppConfigFile_Path) == Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_CreationDate))
-                    {
-                        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
-                    }
-                    else
-                    {
-                        Data_Store.ErrorsLog.Add("ErrorLogging_Level()"+ "Possible Tampering (Reg.Reg_Keys_and_Values[\"logging_level\"] != Settings.AppConfig_File_Args[\"logging_level\"] settings changed to match.");
-                        Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level, Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[17]]);
-                    }
-                }
                 else
                 {
                     Settings.Logging_Level_To_Report = Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.logging_level);
@@ -94,12 +71,13 @@ internal static void Log_Error(string MethodNameInCode, string Message,string St
                 Message = Message + " Stack_Info=" + StackDetails; 
             }
             string msg = "DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   SourceComputer=" + Settings.ComputerName + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   MethodInCode=" + MethodNameInCode + "   Message=" + Message + "\n";
+            ErrorLogging_Level();
             try
             {
-                ErrorLogging_Level();
                 if (Logging_Level_To_Report <= (int)LogSeverity)
                 {
                     WRITE_Errors_To_Log(msg, LogSeverity, eventID);
+                    Log_Network_Forwarder.SEND_SINGLE_LOG(msg);
                 }
             }
             catch (Exception e)
@@ -128,7 +106,7 @@ internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSev
 
                 if (LogSeverity == LogSeverity.Informataion)
                 {
-                    EventLog_SWELF.WRITE_Warning_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
+                    EventLog_SWELF.WRITE_Info_EventLog("DateTime=" + DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " SWELF Immediate" + "   Severity=" + Severity_Levels[(int)LogSeverity] + "   Message=" + err_msg + "\n", eventID);
                 }
                 else if (LogSeverity == LogSeverity.Verbose)
                 {
@@ -170,7 +148,7 @@ private  static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, Ev
 
             if (LogSeverity== LogSeverity.Informataion)
             {
-                EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID);
+                EventLog_SWELF.WRITE_Info_EventLog(msg, eventID);
             }
             else if (LogSeverity == LogSeverity.Verbose)
             {

diff --git a/SWELF/SWELF/EventLog_Entry.cs b/SWELF/SWELF/EventLog_Entry.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright
+//Copyright 2020
 using System;
 using System.Linq;
 using System.Text.RegularExpressions;
@@ -284,7 +284,33 @@ internal string GET_Sysmon_Network_Calling_Process_Name
             }
         }
 
+        internal string GET_Parsed_Sysmon_EventData()
+        {
+            string Parsed_Sysmon_String = "";
+
+            if (LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[18]) && Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[18]].ToLower()=="true"))
+            {
+                string[] Data = EventData.Split(new[] { "\r\n" }, StringSplitOptions.None).ToArray();
 
+                for (int x = 0; x < Data.Length; ++x)
+                {
+                    int index = Data[x].IndexOf(':');
+                    string first = Data[x].Substring(0, index);
+                    string second = Data[x].Substring(index + 1);
+
+                    if (string.IsNullOrEmpty(second))
+                    {
+                        second="";
+                    }
+                    if (second.Length>0 && char.IsWhiteSpace(second.ElementAt(0)))
+                    {
+                        second = second.Trim();
+                    }
+                    Parsed_Sysmon_String += first + "=" +"\""+ second + "\"" + "\t";
+                }
+            }
+            return Parsed_Sysmon_String.Trim();
+        }
 
         internal void GET_IP_FromLogFile()
         {
@@ -300,18 +326,14 @@ internal void GET_IP_FromLogFile()
                 {
                     if (Eventdata.Contains("destinationip: "))
                     {
-                        string[] delm1 = { "destinationip: ", "destinationhostname: " };
-
-                        string[] datA_IP = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                        string[] datA_IP = Eventdata.Split(new[] { "destinationip: ", "destinationhostname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                         if (datA_IP[1].Length > 0 && (!string.IsNullOrEmpty(datA_IP[1])))
                         {
                             if (Eventdata.Contains("image: "))
                             {
-                                string[] delm2= { "image: " };
-                                string[] delm3 = { "user: " };
-                                string[] datA_img1 = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray();
-                                string[] datA_img2 = datA_img1[1].Split(delm3, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                                string[] datA_img1 = Eventdata.Split(new[] { "image: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                                string[] datA_img2 = datA_img1[1].Split(new[] { "user: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                                 if (datA_img2[0].Length > 0 && (!string.IsNullOrEmpty(datA_img2[0])))
                                 {
@@ -324,9 +346,7 @@ internal void GET_IP_FromLogFile()
                     {
                         if (Eventdata.Contains("image: ") )
                         {
-                            string[] delm2 = { "image: " };
-
-                            string[] datA_img = Eventdata.Split(delm2, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                            string[] datA_img = Eventdata.Split(new[] { "image: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                             if (datA_img[1].Length > 0 && (!string.IsNullOrEmpty(datA_img[1])))
                             {
@@ -349,28 +369,22 @@ internal void GET_FileHash()
 
                 if (Eventdata.Contains("hashes: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 1)
                 {
-                    string[] delm1 = { "hashes: ", "parentprocessguid: " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "hashes: ", "parentprocessguid: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1])))
                     {
                         Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", ""));
                     }
-                    delm1 = null;
                     datA = null;
                 }
                 if (Eventdata.Contains("hashes: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 6)
                 {
-                    string[] delm1 = { "hashes: ", "signed: " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "hashes: ", "signed: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1])))
                     {
                         Settings.Hashs_From_EVT_Logs.Add(datA[1].Replace("\r\n", ""));
                     }
-                    delm1 = null;
                     datA = null;
                 }
                 else if (Settings.SHA256_RegX.Matches(Eventdata).Count > 0)
@@ -397,9 +411,7 @@ internal void GET_HostName_FromLogFile()
                 {
                     if (Eventdata.Contains("destinationhostname: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
                     {
-                        string[] delm1 = { "destinationhostname: ", "destinationhostname: " };
-
-                        string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                        string[] datA = Eventdata.Split(new[] { "destinationhostname: ", "destinationhostname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                         if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1])))
                         {
@@ -435,9 +447,7 @@ private string GET_CMDLineArgs()
 
                 if (Eventdata.Contains("Creator Process Name: ") && LogName.ToLower().Equals("Security"))
                 {
-                    string[] delm1 = { "Creator Process Name: ", "Token " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "Creator Process Name: ", "Token " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (datA[1].Length > commandLine.Length && (!string.IsNullOrEmpty(datA[1])))
                     {
@@ -449,9 +459,7 @@ private string GET_CMDLineArgs()
                 {
                     if (Eventdata.Contains("commandline: "))
                     {
-                        string[] delm1 = { "commandline: ", "currentdirectory: " };
-
-                        string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                        string[] datA = Eventdata.Split(new[] { "commandline: ", "currentdirectory: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                         if (datA[1].Length > commandLine.Length && (!string.IsNullOrEmpty(datA[1])))
                         {
@@ -461,9 +469,7 @@ private string GET_CMDLineArgs()
                     }
                     if (Eventdata.Contains("parentcommandline: "))
                     {
-                        string[] delm1 = { "parentcommandline: ", "" };
-
-                        string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                        string[] datA = Eventdata.Split(new[] { "parentcommandline: ", "" }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                         if ((datA[1].Length + "Target-CommandLine: ".Length) > commandLine.Length && (!string.IsNullOrEmpty(datA[1])))
                         {
@@ -474,9 +480,7 @@ private string GET_CMDLineArgs()
                 }
                 else if (Eventdata.Contains("commandline= ") && LogName.ToLower().Equals("windows powershell"))
                 {
-                    string[] delm1 = { "commandline=  ", "details: " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "commandline=  ", "details: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (!string.IsNullOrEmpty(datA[1]))
                         {
@@ -489,9 +493,7 @@ private string GET_CMDLineArgs()
                 }
                 else  if (Eventdata.Contains("process command line: ") && LogName.ToLower().Equals("microsoft-windows-security-auditing") && EventID==4688)
                 {
-                    string[] delm1 = { "process command line:  ", "token elevation type " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "process command line:  ", "token elevation type " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (!string.IsNullOrEmpty(datA[1]))
                     {
@@ -526,9 +528,7 @@ private string GET_Sysmon_Netwrok_Calling_Process_Name_Dst_Port()
 
                 if (Eventdata.Contains("destinationport: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID==3)
                 {
-                    string[] delm1 = { "destinationport: ", "destinationportname: "};
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "destinationport: ", "destinationportname: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
 
                     if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1])))
                     {
@@ -552,9 +552,7 @@ private string GET_Sysmon_Network_Process_Name()
 
                 if (Eventdata.Contains("image: ") && LogName.ToLower().Equals("microsoft-windows-sysmon/operational") && EventID == 3)
                 {
-                    string[] delm1 = { "image: ", "user: " };
-
-                    string[] datA = Eventdata.Split(delm1, StringSplitOptions.RemoveEmptyEntries).ToArray();
+                    string[] datA = Eventdata.Split(new[] { "image: ", "user: " }, StringSplitOptions.RemoveEmptyEntries).ToArray();
                     if (datA[1].Length > 0 && (!string.IsNullOrEmpty(datA[1])))
                     {
                         string[] filepath = datA[1].Split('\\').ToArray();

diff --git a/SWELF/SWELF/EventLog_SWELF.cs b/SWELF/SWELF/EventLog_SWELF.cs
@@ -1,5 +1,5 @@
 //Written by Ceramicskate0
-//Copyright 
+//Copyright 2020
 using System;
 using System.Linq;
 using System.Diagnostics;