diff --git a/Image/1.png b/Image/1.png index ed06c91..a276525 100644 Binary files a/Image/1.png and b/Image/1.png differ diff --git a/README.md b/README.md deleted file mode 100644 index 4979e77..0000000 --- a/README.md +++ /dev/null 
@@ -1,179 +0,0 @@ -![image](Image/logo.png) - -# RmEye -RmEye是一个window上的基于att&ck现代EDR设计思想的威胁响应工具. -不同于EDR,它轻量、高效.自身定位是轻量级威胁检出工具. -而不是繁重的、需要付费的、效果不明的所谓的EDR -RmEye基于att&ck模型,如果您对att&ck模型不熟悉,请先阅读相关文章后再使用: -https://key08.com/index.php/2022/08/09/1505.html - -### 功能特点 -1. 基于att&ck设计.所有设计只是为了符合att&ck的攻击路径、攻击链(虽然规则里面没有标注T因为懒惰) -2. 轻量、高效.为了不适用繁重超占内存的ELK设计思路,而且要保证检出的同时保证不会太重,agent端使用了大量规则过滤,这样才使得后端使用sqlite作为数据库成为可能.单机日志平均一天4M.此外轻量级别的客户端一天只占40-400KB的内存. -3. 行为检出,让免杀成为过去式.基于att&ck设计,只看行为不看文件.文件类免杀已经成为过去式. -4. 高扩展性.可随需求定制功能 - -### RmEye 之所以不是 Edr/Xdr/Mdr/Ndr/XXXXXdr -1. RmEye没有流量监控 -2. RmEye仅覆盖20%左右的datasource -3. RmEye没有联动WAF、IPS/IDS -4. RmEye没有实时拦截功能 -5. 对RPC、COM、ALPC基本无能为力 -6. 不支持更高级的扩展检测,如检测脚本、下发规则,主机链 -7. 受限于Sysmon,很多att&ck的T没有覆盖,也无法覆盖. -8. 没有响应能力,只能被动记录. -请牢记,RmEye自身定位是轻量级威胁检出工具 - -### 最新新闻 -2022/9/8: -增加服务端规则指南: \ -[doc_server_rule_manual.md](./doc_server_rule_manual.md) - -2022/9/5: -增加规则编写教程: -https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md -增加`mimikatz`检测 - -2022/8/31: -增加进程白名单系统,现在能给进程加白名单了.在打开进程链后,点击某个进程加入白名单即可 - -2022/8/29: -增加uac提权检测插件`uac_bypass_detect`,但是受限于sysmon,没有办法获取RPC信息,因此只能检测一部分的UAC提权行为.并且有误报,请酌情考虑 - -### 检出截图 -威胁列表: -![image](Image/1.png) -进程链行为回溯 -![image](Image/8.png) -powershell恶意执行: -![image](Image/2.png) -apt样本: -![image](Image/3.png) -勒索软件: -![image](Image/4.png) -网站入侵提权到执行cobalt strike: -![image](Image/5.png) -offic宏钓鱼: -![image](Image/6.png) -uac提权检测: -![image](Image/7.png) -mimikatz检测: -![image](Image/14.png) - -### 待做列表 -1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成 -2. 日志回放【目前重点】 -3. 威胁狩猎【目前重点】 -4. att&ck热力图 -5. 在线规则编辑器 -6. 内网横向检测 -7. iis、apache、nginx日志搜集分析(aka: XDR的实现) -8. 集成反病毒引擎 -9. 完善目前的插件系统【目前重点】 -10. 
云日志检测能力【目前重点】 -### 安装 -下载release( https://github.com/RoomaSec/RmEye/releases ),里面有客户端,服务端自行clone本项目 -服务端是python3编写,安装完依赖库后输入 -``` -python webserver.py -``` -即可部署 -服务端部署后,修改config.py里面的 -``` -# 检出阈值,越高越难检出但是也会越准确 -MAX_THREAT_SCORE = 170 - -# 授权访问主站的IP列表.如果不在后台里面则不能访问后台 -ALLOW_ACCESS_IP = ['127.0.0.1'] -``` -MAX_THREAT_SCORE代表报警分数,意思为进程链总分超过此分数则报警,越高越准但是也会漏报 -ALLOW_ACCESS_IP代表允许的IP,只有在此名单里面的IP才能访问后台.请增加自己的IP地址 - -客户端则编辑config.ini -``` -[communication] -server = http://192.168.111.189:5000 -``` -其中server改成你的服务端的地址 -然后分发三个文件给客户端并且放在同一目录: -config.ini、install.cmd、RmEye.exe、sysmon.xml、Sysmon64.exe -之后管理员身份运行install.cmd安装sysmon与RmEye -访问 http://服务器ip:5000(flask默认端口) 查看后台 -当然一开始啥数据也没有,为了确认是否安装成功可以将webserver.py中的 -``` - flask_log = logging.getLogger('werkzeug') - flask_log.setLevel(logging.ERROR) -``` -注释掉,检查有没有客户端的请求即可 -手动安装(cmd脚本其实执行了这些命令): -``` -//安装sysmon: -sysmon -i -//sysmon加载配置项 -sysmon -c sysmon.xml -//安装RmEye -RmEye /install -``` - -### 卸载 -卸载RmEye: -在RmEye目录下执行 -``` -SysEye /uninstall -``` -如果您需要卸载sysmon -执行 -``` -sysmon /uninstall -``` -即可干净卫生的卸载掉RmEye - -### 规则相关的问题 -1. 规则目前仅120条,很多攻击面没有覆盖,其他规则请访问《社区》 -2. 规则目前只支持rule_engine与yara的规则,其中yara的规则支持是以插件的形式支持 -3. 目前的规则字段完全依赖sysmon的字段,sysmon的字段请检查根目录下的provider.json(但是请记住纯小写,自行做大小写转换) - -规则目前在`Server/rules`目录规则目前有两种规则: -rule_engine: -如检测由CMD启动的ipconfig: -``` -{ - 'rules': [ - 'originalfilename =~ ".*cmd.exe" and commandline =~ ".*ipconfig.*"', - ], - 'score': 80, - 'name': 'cmd启动ipconfig' -}, -``` -分数代表的是本次规则给进程链所增加的分数,报警是根据前面的MAX_THREAT_SCORE设置的 - -规则编写教程请移步: -https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md - -规则引擎的语法请移步: -https://github.com/zeroSteiner/rule-engine - -yara,需要安装插件,具体请看交流部分 - -### 第三方引用库 -1. sysmon -https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon -2. rule_engine -https://github.com/zeroSteiner/rule-engine -3. yara -https://github.com/VirusTotal/yara -4. 
sysmon-config(客户端使用的默认的规则,但是我做了一些修改) -https://github.com/SwiftOnSecurity/sysmon-config -请遵守相关库的开源协议.相关法律风险本项目不负任何责任 - -### 交流 -开源的目的不是为了免费填鸭式教学,或者被免费拿去发公众号引流、去拿去集成产品方案去赚钱,而是要一起完善这个工具,从而实现共赢. -扫一扫加入这个工具的交流群,这样就能获取实时动态.参与开发、参与交流规则编写等等.欢迎加入 -最近进群的人有点多,所以不活跃的哥们暂时清理掉,但是微信太不好使了.要是t错了或者还想在群待着不发言的重新加群吧 -![image](Image/group2.png) - -### 特别感谢 -@Pwn0x01 yara插件 -@zeroSteiner 规则引擎插件 -@SwiftOnSecurity 客户端规则 -@Fplyth0ner-Combie 规则相关文档 diff --git a/Server/config.py b/Server/config.py index 5efcb30..c5bde2b 100644 --- a/Server/config.py +++ b/Server/config.py @@ -1,4 +1,4 @@ # 检出阈值,越高越难检出但是也会越准确 -MAX_THREAT_SCORE = 170 +MAX_THREAT_SCORE = 45 # 授权访问主站的IP列表.如果不在后台里面则不能访问后台 ALLOW_ACCESS_IP = ['127.0.0.1', '192.168.111.189', '192.168.111.187'] diff --git a/Server/log.py b/Server/log.py index 19138a5..8bb4e33 100644 --- a/Server/log.py +++ b/Server/log.py @@ -1,6 +1,5 @@ import json import time -import operator import process import rule 
@@ -10,6 +9,66 @@ import config import plugin import hash_white_list +LOG_TYPE_PROCESS_CREATE = 1 +LOG_TYPE_PROCESS_ACTION = 2 + + +def update_att_ck(process: process.Process, score, hit_name, attck_t_list): + if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white: + score = 0 + for t in attck_t_list: + process.set_attck(score, t, hit_name) + # 更新命中的规则 + return global_vars.THREAT_TYPE_PROCESS + + +def update_threat(process: process.Process, score, rule_hit_name): + had_threat = global_vars.THREAT_TYPE_NONE + if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white: + return had_threat + if score > 0: + # 更新命中的规则 + process.set_score(score, rule_hit_name) + had_threat = global_vars.THREAT_TYPE_PROCESS + return had_threat + + +def match_threat(process: process.Process, log, log_type): + had_threat = global_vars.THREAT_TYPE_NONE + success_match = False + hit_name = '' + hit_score = 0 + is_ioa = False + if log_type == LOG_TYPE_PROCESS_CREATE: + success_match, is_ioa, attck_t_list, hit_score, rule_hit_name = rule.calc_score_in_create_process( + log) + elif log_type == LOG_TYPE_PROCESS_ACTION: + success_match, is_ioa, attck_t_list, hit_score, rule_hit_name = rule.calc_score_in_action( + log) + if success_match == False: + return had_threat, is_ioa, hit_name, hit_score + # 匹配到了首先更新att&ck的t + had_threat = update_att_ck( + process, hit_score, rule_hit_name, attck_t_list) + hit_name = rule_hit_name + if is_ioa: + had_threat = update_threat( + process, hit_score, rule_hit_name) + else: + is_match_software, software_name, software_score = rule.match_att_ck_software( + process.chain.attck_hit_list) + if is_match_software: + # 匹配到software了,设置为ioa + had_threat = update_threat( + process, software_score, software_name) + hit_name = software_name + hit_score = software_score + #print('match_threat', had_threat, is_ioa, hit_name, hit_score) + # if had_threat != global_vars.THREAT_TYPE_NONE: + # print('path: 
{} hit_name: {} socre: {}'.format( + # process.path, hit_name, hit_score)) + return had_threat, is_ioa, hit_name, hit_score + def process_log(host, json_log, raw_log): log = json_log["data"] @@ -20,6 +79,7 @@ def process_log(host, json_log, raw_log): chain_hash = "" params = "" user = "" + is_ioa = False if json_log["action"] == "processcreate": pid = log["processid"] @@ -39,7 +99,7 @@ def process_log(host, json_log, raw_log): if path in process.skip_process_path or path in process.skip_process_path: return parent_process: process.Process = process.get_process_by_pid(ppid) - score, rule_hit_name = rule.calc_score_in_create_process(log) + if hash in process.skip_md5: return if parent_process is None or parent_path in process.root_process_path: @@ -63,9 +123,9 @@ def process_log(host, json_log, raw_log): chain = process.create_chain(parent_process) chain.add_process(child, parent_pid) current_process = child - if score > 0: - child.set_score(score, rule_hit_name) - had_threat = global_vars.THREAT_TYPE_PROCESS + + had_threat, is_ioa, rule_hit_name, score = match_threat( + current_process, log, LOG_TYPE_PROCESS_CREATE) else: is_white_list = hash in hash_white_list.g_white_list child = process.Process( @@ -74,9 +134,9 @@ def process_log(host, json_log, raw_log): child.parent_process = parent_process parent_process.chain.add_process(child, ppid) current_process = child - if score > 0: - child.set_score(score, rule_hit_name) - had_threat = global_vars.THREAT_TYPE_PROCESS + + had_threat, is_ioa, rule_hit_name, score = match_threat( + current_process, log, LOG_TYPE_PROCESS_CREATE) had_threat_plugin = plugin.dispath_rule_new_process_create( host, current_process, raw_log, json_log @@ -100,6 +160,7 @@ def process_log(host, json_log, raw_log): host, current_process.chain.risk_score, json.dumps(current_process.chain.operationlist), + json.dumps(current_process.chain.attck_hit_list), current_process.chain.hash, current_process.chain.get_json(), global_vars.THREAT_TYPE_PROCESS, 
@@ -110,10 +171,8 @@ def process_log(host, json_log, raw_log): current_process = process.get_process_by_pid(log["processid"]) if current_process is not None: log["action"] = json_log["action"] - score, rule_hit_name = rule.calc_score_in_action(log) - if score > 0: - current_process.set_score(score, rule_hit_name) - had_threat = global_vars.THREAT_TYPE_PROCESS + had_threat, is_ioa, rule_hit_name, score = match_threat( + current_process, log, LOG_TYPE_PROCESS_ACTION) had_threat_plugin = plugin.dispath_rule_new_process_action( host, current_process, raw_log, json_log ) @@ -145,6 +204,7 @@ def process_log(host, json_log, raw_log): host, current_process.chain.risk_score, json.dumps(current_process.chain.operationlist), + json.dumps(current_process.chain.attck_hit_list), current_process.chain.hash, current_process.chain.get_json(), global_vars.THREAT_TYPE_PROCESS, @@ -155,6 +215,7 @@ def process_log(host, json_log, raw_log): host, current_process.chain.risk_score, json.dumps(current_process.chain.operationlist), + json.dumps(current_process.chain.attck_hit_list), current_process.chain.hash, current_process.chain.get_json(), global_vars.THREAT_TYPE_PROCESS, 
@@ -179,29 +240,34 @@ def process_log(host, json_log, raw_log): target_hash = target_process.md5 self_hash = current_process.md5 # 以后有其他排除需求再优化 - if json_log['action'] == 'imageload' and json_log['data']['imageloaded'] not in hash_white_list.g_white_dll_load_list: - sql.push_process_raw( - host, - raw_json_log, - rule_hit_name, - score, - chain_hash, - had_threat, - parent_pid, - target_pid, - self_hash, - target_image_path, - target_hash, - params, - user, - ) + if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list): + return - """ + if json_log['action'] == 'imageload': + print(json_log['data']['imageloaded']) + return + + sql.push_process_raw( + host, + raw_json_log, + rule_hit_name, + score, + chain_hash, + had_threat, + parent_pid, + target_pid, + self_hash, + target_image_path, + target_hash, + params, + user, + ) + ''' for iter in process.g_ProcessChainList: item: process.Process = iter if item.risk_score >= config.MAX_THREAT_SCORE: item.print_process() - """ + ''' def process_raw_log(raw_logs: list) -> list: diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py index 9dde0ad..077f7b7 100644 --- a/Server/plugins/mimikazt_detect/mimikatz_detect.py +++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py 
@@ -34,7 +34,7 @@ mimikatz_dll_list = [ def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data): # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文 - if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe': + if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe': current_process.plugin_var['mimikatz_matched_num'] = 0 current_process.plugin_var['mimikatz_detected'] = False return global_vars.THREAT_TYPE_NONE diff --git a/Server/process.py b/Server/process.py index 28023b7..0fe81d7 100644 --- a/Server/process.py +++ b/Server/process.py @@ -94,6 +94,8 @@ class Process: self.chain_hash = '' self.active = True self.operationlist = {} + self.attck_hit_list = {} + self.risk_score = 0 self.terminate = False self.rmpid = tools.get_md5( @@ -120,9 +122,16 @@ class Process: def set_rmppid(self, rmppid): self.rmppid = rmppid + def set_attck(self, new_score, t, name): + if t not in self.attck_hit_list: + self.risk_score += new_score + self.attck_hit_list[t] = name + + if t not in self.chain.attck_hit_list: + self.chain.risk_score += new_score + self.chain.attck_hit_list[t] = name + def set_score(self, new_score, opertion): - if self.is_white or self.chain.root_process.is_white or self.parent_process.is_white: - return if opertion not in self.operationlist: self.risk_score += new_score self.operationlist[opertion] = 1 @@ -146,6 +155,7 @@ class ProcessChain: self.terminate_count = 0 self.risk_score = 0 self.operationlist = {} + self.attck_hit_list = {} self.process_list = [] self.json_arrays = [] self.active = True 
@@ -234,6 +244,7 @@ class ProcessChain: "rmppid": proc_info.rmppid, "params": proc_info.params, "operationlist": proc_info.operationlist, + "attck_hit_list": proc_info.attck_hit_list, "md5": proc_info.md5, "active": proc_info.active, "children": [] diff --git a/Server/rule.py b/Server/rule.py index 35125e6..3eacace 100644 --- a/Server/rule.py +++ b/Server/rule.py 
@@ -1,82 +1,132 @@ import rule_engine -import rules.py.process as rule_process -import rules.py.action as rule_action +import rules.py.attck.process as attck_process +import rules.py.attck.attck as attack_software +import rules.py.attck.action as attack_action +import rules.py.ioa.action as ioa_action +import rules.py.ioa.process as ioa_process + import plugin g_sample_rule = {} -g_sample_rule['process'] = rule_process.rule -g_sample_rule['action'] = rule_action.rule +g_sample_rule['attack_process'] = attck_process.rule +g_sample_rule['attack_action'] = attack_action.rule +g_sample_rule['attack_software'] = attack_software.rule +g_sample_rule['ioa_action'] = ioa_action.rule +g_sample_rule['ioa_process'] = ioa_process.rule +attck_process_rules = [] +attck_action_rules = [] +ioa_process_rules = [] +ioa_action_rules = [] -base_process_rules = [] -base_action_rules = [] base_host_rules = [] -def calc_score_in_action(log): - global base_action_rules - for iter in base_action_rules: - for rule in iter['rules']: - # 这是or - try: - if rule.matches(log): - return iter['score'], iter['name'] - except: - print("error: {} ".format(log)) +def match_att_ck_software(t_list): + # 返回是否命中,命中命中,分数 - return 0, '' + global g_sample_rule + is_match = False + match_name = '' + match_score = 0 + for iter in g_sample_rule['attack_software']: + rule_list = iter['rules'] + min_match_num = iter['hit_num'] + + match_num = 0 + + for t in t_list.keys(): + if t in rule_list: + match_num += 1 + if match_num >= min_match_num: + is_match = True + match_name = iter['name'] + match_score = iter['score'] + break + if is_match: + break + return is_match, match_name, match_score + + +def calc_score_in_action(log): + # 返回 是否匹配到,是否ioa,attck,分数,名字 + + global attck_action_rules + global ioa_action_rules + for iter in ioa_action_rules: + for rule in iter['rules']: + if rule.matches(log): + return True, True, iter['attck_hit'], iter['score'], iter['name'] + for iter in attck_action_rules: + for rule in 
iter['rules']: + if rule.matches(log): + return True, False, iter['attck_hit'], iter['score'], iter['name'] + return False, False, [], 0, '' def calc_score_in_create_process(log): - global base_process_rules - for iter in base_process_rules: + # 返回 是否匹配到,是否ioa,attck,分数,名字 + global ioa_process_rules + global attck_process_rules + for iter in ioa_process_rules: for rule in iter['rules']: - # 这是or if rule.matches(log): - return iter['score'], iter['name'] - return 0, '' - - -def calc_score_in_host(log): - global base_host_rules - for iter in base_host_rules: + return True, True, iter['attck_hit'], iter['score'], iter['name'] + for iter in attck_process_rules: for rule in iter['rules']: - # 这是or if rule.matches(log): - return iter['score'], iter['name'] - return 0, '' + return True, False, iter['attck_hit'], iter['score'], iter['name'] + return False, False, [], 0, '' def init_rule(): - global base_process_rules - global base_action_rules - global base_host_rules - for iter in g_sample_rule['process']: + global attck_process_rules + global attck_action_rules + global ioa_process_rules + global ioa_action_rules + for iter in g_sample_rule['attack_process']: temp_process_rules = [] + score = 0 + if 'score' not in iter: + score = 5 + else: + score = iter['score'] for iter_i in iter['rules']: - print(iter_i) + print('rule: {} score: {}'.format(iter_i, score)) temp_process_rules.append(rule_engine.Rule( iter_i )) - base_process_rules.append( - {'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules}) - for iter in g_sample_rule['action']: + attck_process_rules.append( + {'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': score, 'rules': temp_process_rules}) + for iter in g_sample_rule['attack_action']: temp_process_rules = [] + score = 0 + if 'score' not in iter: + score = 5 + else: + score = iter['score'] for iter_i in iter['rules']: - print(iter_i) + print('rule: {} score: {}'.format(iter_i, score)) 
temp_process_rules.append(rule_engine.Rule( iter_i )) - base_action_rules.append( - {'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules}) - ''' - for iter in g_sample_rule['host']: + attck_action_rules.append( + {'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': score, 'rules': temp_process_rules}) + for iter in g_sample_rule['ioa_action']: temp_process_rules = [] for iter_i in iter['rules']: - print(iter_i) + print('rule: {} score: {}'.format(iter_i, score)) temp_process_rules.append(rule_engine.Rule( iter_i )) - base_host_rules.append( - {'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules}) - ''' + ioa_action_rules.append( + {'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': iter['score'], 'rules': temp_process_rules}) + for iter in g_sample_rule['ioa_process']: + temp_process_rules = [] + for iter_i in iter['rules']: + print('rule: {} score: {}'.format(iter_i, score)) + temp_process_rules.append(rule_engine.Rule( + iter_i + )) + ioa_process_rules.append( + {'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': iter['score'], 'rules': temp_process_rules}) plugin.dispath_rule_init() print('init rule done') diff --git a/Server/rules/py/action.py b/Server/rules/py/action.py deleted file mode 100644 index e534db6..0000000 --- a/Server/rules/py/action.py +++ /dev/null 
@@ -1,172 +0,0 @@ -rule = [ - { - 'rules': [ - 'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"', - ], - 'score': 300, - 'name': '已知内存加载mimikazt行为' - }, - { - 'rules': [ - 'action == "processaccess" and targetimage =~ ".*lsass.exe"', - ], - 'score': 60, - 'name': 'LSASS高权限访问' - }, - { - 'rules': [ - 'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"', - ], - 'score': 20, - 'name': '异常进程访问' - }, - { - 'rules': [ - 'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"', - ], - 'score': 100, - 'name': 'office异常进程内存' - }, - { - 'rules': [ - 'action == "processaccess" and calltrace =~ ".*wshom\.ocx.*"', - 'action == "processaccess" and calltrace =~ ".*shell32\.dll.*"', - 'action == "processaccess" and calltrace =~ ".*dbgcore\.dll.*"', - 'action == "processaccess" and calltrace =~ ".*kernelbase\.dll\+de67e.*"', - 'action == "processaccess" and calltrace =~ ".*framedynos\.dll.*"', - ], - 'score': 40, - 'name': '不正常的进程访问' - }, - { - 'rules': [ - 'action == "pipecreate" and pipename =~ ".*msagent.*"', - 'action == "pipecreate" and pipename =~ ".*msse.*"', - 'action == "pipecreate" and pipename =~ ".*postex_.*"', - 'action == "pipecreate" and pipename =~ ".*postex_ssh.*"', - 'action == "pipecreate" and pipename =~ ".*status_.*"', - ], - 'score': 300, - 'name': '已知CobalStrike' - }, - { - 'rules': [ - 'action == "pipecreate" and pipename =~ ".*paexec.*"', - 'action == "pipecreate" and pipename =~ ".*remcom.*"', - 'action == "pipecreate" and pipename =~ ".*csexec.*"' - ], - 'score': 300, - 'name': '已知内网横向工具' - }, - { - 'rules': [ - 'action == "pipecreate" and pipename =~ ".*lsadump.*"', - 
'action == "pipecreate" and pipename =~ ".*cachedump.*"', - 'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"' - ], - 'score': 300, - 'name': '已知mimikazt内存dump' - }, - # todo 懒得做详细的规则了.加油完善规则吧 - { - 'rules': [ - 'action == "createremotethread"', - ], - 'score': 60, - 'name': '疑似远程线程注入' - }, - { - 'rules': [ - 'action == "filecreatestreamhash"', - ], - 'score': 100, - 'name': '文件流创建' - }, - { - 'rules': [ - 'action == "registryadd"', - 'action == "registryvalueSet"', - 'action == "registryobjectSet"', - ], - 'score': 100, - 'name': '可疑注册表访问' - }, - { - 'rules': [ - 'action == "dnsquery"', - ], - 'score': 30, - 'name': 'DNS解析' - }, - { - 'rules': [ - 'action == "networkconnect"', - ], - 'score': 30, - 'name': '可疑网络链接' - }, - { - 'rules': [ - 'action == "clipboardchange"', - ], - 'score': 30, - 'name': '可疑剪切板访问' - }, - { - 'rules': [ - 'action == "processtampering"', - ], - 'score': 200, - 'name': '进程执行流劫持' - }, - { - 'rules': [ - 'action == "filedeletedetected"', - ], - 'score': 50, - 'name': '删除可执行文件' - }, - { - 'rules': [ - 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"', - 'action == "filecreate" and targetfilename =~ ".*\.exe"', - 'action == "filecreate" and targetfilename =~ ".*\.cmd"', - 'action == "filecreate" and targetfilename =~ ".*\.bat"', - 'action == "filecreate" and targetfilename =~ ".*\.dll"', - ], - 'score': 80, - 'name': '在windows目录创建可执行文件' - }, - { - 'rules': [ - 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"', - ], - 'score': 50, - 'name': '在C盘目录创建文件' - }, - { - 'rules': [ - 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\users\\\\\\\\.*"', - 'action == "filecreate" and targetfilename =~ ".*\.exe"', - 'action == "filecreate" and targetfilename =~ ".*\.cmd"', - 'action == "filecreate" and targetfilename =~ ".*\.bat"', - 'action == "filecreate" and targetfilename =~ ".*\.dll"', - ], - 'score': 30, - 'name': '在appdata目录创建可执行文件' - }, - { - 'rules': [ - 'action == 
"filecreate"', - ], - 'score': 50, - 'name': '创建可疑文件' - }, - { - 'rules': [ - 'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"', - ], - 'score': 10, - 'name': 'samlib的dll被加载' - } -] diff --git a/Server/rules/py/attck/action.py b/Server/rules/py/attck/action.py new file mode 100644 index 0000000..9745551 --- /dev/null +++ b/Server/rules/py/attck/action.py 
@@ -0,0 +1,106 @@ +rule = [ + { + 'rules': [ + 'action == "processaccess" and targetimage =~ ".*lsass.exe"', + ], + 'attck_hit':['T1003'], + 'name': 'OS Credential Dumping: LSASS Memory' + }, + { + 'rules': [ + 'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"', + ], + 'attck_hit':['T1620'], + 'name': 'Reflective Code Loading' + }, + { + 'rules': [ + 'action == "processaccess" and calltrace =~ ".*wshom\.ocx.*"', + 'action == "processaccess" and calltrace =~ ".*shell32\.dll.*"', + 'action == "processaccess" and calltrace =~ ".*dbgcore\.dll.*"', + 'action == "processaccess" and calltrace =~ ".*kernelbase\.dll\+de67e.*"', + 'action == "processaccess" and calltrace =~ ".*framedynos\.dll.*"', + ], + 'attck_hit':['T1559.001'], + 'name': 'Inter-Process Communication: Component Object Model' + }, + # todo 懒得做详细的规则了.加油完善规则吧 + { + 'rules': [ + 'action == "createremotethread"', + ], + 'attck_hit':['T1055'], + 'name': 'Process Injection' + }, + { + 'rules': [ + 'action == "filecreatestreamhash"', + ], + 'attck_hit':['T1564.004'], + 'name': 'Hide Artifacts: NTFS File Attributes' + }, + { + 'rules': [ + 'action == "dnsquery"', + ], + 'attck_hit':['T1071.004'], + 'name': 'Application Layer Protocol: DNS' + }, + { + 'rules': [ + 'action == "networkconnect"', + ], + 'attck_hit':['T1071'], + 'name': 'Application Layer Protocol' + }, + { + 'rules': [ + 'action == "clipboardchange"', + ], + 'attck_hit':['T1115'], + 'name': 'Clipboard Data Monitor API' + }, + { + 'rules': [ + 'action == "processtampering"', + ], + 'attck_hit':['T1574'], + 'name': 'Hijack Execution Flow' + }, + { + 'rules': [ + 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"', + 'action == "filecreate" and targetfilename =~ 
".*\.exe"', + 'action == "filecreate" and targetfilename =~ ".*\.cmd"', + 'action == "filecreate" and targetfilename =~ ".*\.bat"', + 'action == "filecreate" and targetfilename =~ ".*\.dll"', + ], + 'attck_hit':['T1036.005'], + 'name': 'Masquerading: Match Legitimate Name or Location' + }, + { + 'rules': [ + 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"', + ], + 'attck_hit':['T1036.005'], + 'name': 'Masquerading: Match Legitimate Name or Location' + }, + { + 'rules': [ + 'action == "filecreate" and targetfilename =~ "c:\\\\\\\\users\\\\\\\\.*"', + 'action == "filecreate" and targetfilename =~ ".*\.exe"', + 'action == "filecreate" and targetfilename =~ ".*\.cmd"', + 'action == "filecreate" and targetfilename =~ ".*\.bat"', + 'action == "filecreate" and targetfilename =~ ".*\.dll"', + ], + 'attck_hit':['T1036.005'], + 'name': 'Masquerading: Match Legitimate Name or Location' + }, + { + 'rules': [ + 'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"', + ], + 'attck_hit':['T1003.002'], + 'name': 'OS Credential Dumping: Security Account Manager' + } +] diff --git a/Server/rules/py/attck/attck.py b/Server/rules/py/attck/attck.py new file mode 100644 index 0000000..7e047b3 --- /dev/null +++ b/Server/rules/py/attck/attck.py @@ -0,0 +1,8 @@ +rule = [ + {'name': "Ransomware", 'rules': ['T1071', + 'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100}, + {'name': "APT-System discovery", 'rules': ['T1018', + 'T1087.001', 'T1087.001', 'T1082', 'T1016'], 'hit_num': 3, 'score':65}, + {'name': "APT-Hydra", 'rules': ['T1027.004', + 'T1018', 'T1559.001', 'T1218.011', 'T1059.001', 'T1059.005', 'T1570', 'T1087.002', 'T1564', 'T1106', 'T1082', 'T1087.001', 'T1003', 'T1071'], 'hit_num': 10, 'score':100} +] diff --git a/Server/rules/py/attck/process.py b/Server/rules/py/attck/process.py new file mode 100644 index 0000000..b2d733a --- /dev/null 
+++ b/Server/rules/py/attck/process.py 
@@ -0,0 +1,314 @@ +rule = [ + { + 'rules': [ + 'originalfilename =~ ".*taskill.exe.*"', + 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"', + 'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"', + ], + 'attck_hit':['T1489'], + 'score': 30, + 'name': 'Service Stop' + }, + { + 'rules': [ + 'originalfilename =~ ".*curl.exe" or originalfilename =~ ".*wget.exe" or originalfilename =~ ".*dget.exe"', + 'originalfilename =~ ".*certutil.exe"', + 'originalfilename =~ ".*powershell.exe" and commandline =~ ".*invoke-webrequest.*"' + ], + 'attck_hit':['T1105'], + 'score': 30, + 'name':'Ingress Tool Transfer' + }, + { + 'rules': [ + 'image =~ ".*\.doc\.exe"', + 'image =~ ".*\.docx\.exe"', + 'image =~ ".*\.ppt\.exe"', + 'image =~ ".*\.pdf\.exe"', + 'image =~ ".*\.html\.exe"', + 'image =~ ".*\.htm\.exe"', + 'image =~ ".*\.zip\.exe"', + 'image =~ ".*\.rar\.exe"' + ], + 'attck_hit':['T1036.007'], + 'score': 60, + 'name':'Masquerading: Double File Extension' + }, + { + 'rules': [ + 'commandline =~ ".*-k dcomlaunch.*"' + ], + 'attck_hit':['T1559.001'], + 'score': 30, + 'name':'Inter-Process Communication: Component Object Model' + }, + { + 'rules': [ + 'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"', + ], + 'attck_hit':['T1003.003'], + 'score': 30, + 'name':'OS Credential Dumping: NTDS' + }, + { + 'rules': [ + 'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"', + 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"', + 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"', + 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"', + 'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*shadows.*" and commandline =~ ".*delete.*"', + ], + 'attck_hit':['T1490'], + 'score': 30, + 'name': 'Inhibit System Recovery' + }, + { + 'rules': [ + 'originalfilename 
=~ ".*net.exe.*" and commandline =~ ".*view.*"', + 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*group.*"', + 'originalfilename =~ ".*ping.exe"', + + ], + 'attck_hit':['T1018'], + 'score': 10, + 'name': 'Remote System Discovery' + }, + { + 'rules': [ + 'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"', + ], + 'attck_hit':['T1070.004'], + 'score': 10, + 'name': 'Indicator Removal on Host' + }, + { + 'rules': [ + 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"', + 'originalfilename =~ ".*whoami.*"', + 'originalfilename =~ ".*query.exe"', + 'originalfilename =~ ".*setspn.exe"', + 'originalfilename =~ ".*cmdkey.exe.*"' + ], + 'attck_hit':['T1087.001'], + 'score': 30, + 'name': 'Account Discovery: Local Account' + }, + { + 'rules': [ + 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*useraccount.*"', + ], + 'attck_hit':['T1087.001', 'T1047'], + 'score': 30, + 'name': 'Account Discovery: Local Account by wmic' + }, + { + 'rules': [ + 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*startup.*"', + 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*share.*"', + + ], + 'attck_hit':['T1082', 'T1047'], + 'score': 30, + 'name': 'System Information Discovery by wmic' + }, + { + 'rules': [ + 'originalfilename =~ ".*systeminfo.exe"', + 'originalfilename =~ ".*chcp.com"' + + ], + 'attck_hit':['T1082'], + 'score': 10, + 'name': 'System Information Discovery' + }, + { + 'rules': [ + 'originalfilename =~ ".*tasklist.exe"', + ], + 'attck_hit':['T1057'], + 'score': 10, + 'name': 'Process Discovery' + }, + { + 'rules': [ + 'originalfilename =~ ".*at.exe.*"', + ], + 'attck_hit':['T1053.002'], + 'score': 10, + 'name': 'Scheduled Task/Job: at' + }, + { + 'rules': [ + 'originalfilename =~ ".*schtasks.exe.*"', + ], + 'attck_hit':['T1053.005'], + 'score': 10, + 'name': 'Scheduled Task/Job: Scheduled Task' + }, + { + 'rules': [ + 'image =~ ".*\\\\\\\\appdata\\\\\\\\local\\\\\\\\temp\\\\\\\\.*" or image =~ 
".*\\\\\\\\windows\\\\\\\\temp\\\\\\\\.*"', + ], + 'attck_hit':['T1106'], + 'score': 10, + 'name': 'Execution: Native API' + }, + { + 'rules': [ + 'originalfilename =~ ".*rubeus.*" and commandline =~ ".*domain.*"', + ], + 'attck_hit':['T1558.003'], + 'score': 10, + 'name': 'Steal or Forge Kerberos Tickets: Kerberoasting' + }, + { + 'rules': [ + 'originalfilename =~ ".*\u202e.*"', + ], + 'attck_hit':['T1564'], + 'score': 10, + 'name': 'Hide Artifacts' + }, + { + 'rules': [ + 'parentimage =~ ".*mmc.exe" and commandline =~ ".*eventvwr\.msc.*"', + ], + 'attck_hit':['T1218.014'], + 'score': 10, + 'name': 'System Binary Proxy Execution: MMC' + }, + { + 'rules': [ + 'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"', + 'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"', + 'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"' + ], + 'attck_hit':['T1087.002'], + 'score': 10, + 'name': 'Account Discovery: Domain Account' + }, + { + 'rules': [ + 'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"', + ], + 'attck_hit':['T1562.004'], + 'score': 10, + 'name': 'Impair Defenses: Disable or Modify System Firewall' + }, + { + 'rules': [ + 'originalfilename =~ ".*ipconfig.exe"', + 'originalfilename =~ ".*netstat.exe"' + + ], + 'attck_hit':['T1016'], + 'score': 10, + 'name': 'System Network Configuration Discovery' + }, + { + 'rules': [ + 'originalfilename =~ ".*attrib.exe"', + ], + 'attck_hit':['T1564.001'], + 'score': 10, + 'name': 'Hide Artifacts: Hidden Files and Directories' + }, + { + 'rules': [ + 'originalfilename =~ ".*psexesvc.exe"', + ], + 'attck_hit':['T1570'], + 'score': 10, + 'name': 'Lateral Tool Transfer' + }, + { + 'rules': [ + 'originalfilename =~ "\\\\\\\\.*\\\\\\C\$.*"', + ], + 'attck_hit':['T1080'], + 'score': 10, + 'name': 'Taint Shared Content' + }, + { + 'rules': [ + 'originalfilename =~ ".*icacls.exe"', + ], + 'attck_hit':['T1222.001'], + 'score': 10, + 'name': 'Windows File and Directory Permissions 
Modification' + }, + { + 'rules': [ + 'parentimage =~ ".*services.exe"', + ], + 'attck_hit':['T1543.003'], + 'score': 10, + 'name': 'Create or Modify System Process: Windows Service' + }, + { + 'rules': [ + 'originalfilename =~ ".*werfault.exe" and parentimage =~ ".*svchost.exe"', + ], + 'attck_hit':['T1218'], + 'score': 10, + 'name': 'System Binary Proxy Execution' + }, + { + 'rules': [ + 'originalfilename =~ ".*wscript.exe"', + 'originalfilename =~ ".*cscript.exe"', + ], + 'attck_hit':['T1059.005'], + 'score': 10, + 'name': 'Command and Scripting Interpreter: Visual Basic' + }, + { + 'rules': [ + 'originalfilename =~ ".*mofcomp.exe.*"' + ], + 'attck_hit':['T1546.015'], + 'score': 10, + 'name':'Event Triggered Execution: Component Object Model Hijacking' + }, + { + 'rules': [ + 'originalfilename =~ ".*csc.exe.*"' + ], + 'attck_hit':['T1027.004'], + 'score': 10, + 'name':'Compile After Delivery' + }, + # https://attack.mitre.org/software/S0552/ + { + 'rules': [ + 'originalfilename =~ ".*adfind.exe.*"' + ], + 'attck_hit':['T1018'], + 'score': 10, + 'name':'Remote System Discovery' + }, + { + 'rules': [ + 'originalfilename =~ ".*wmic.exe.*"' + ], + 'attck_hit':['T1559.001'], + 'score': 30, + 'name':'Windows Management Instrumentation' + }, + { + 'rules': [ + 'originalfilename =~ ".*rundll32.exe.*"' + ], + 'attck_hit':['T1218.011'], + 'score': 10, + 'name':'System Binary Proxy Execution: Rundll32' + }, + { + 'rules': [ + 'originalfilename =~ ".*powershell.exe"' + ], + 'attck_hit':['T1059.001'], + 'score': 10, + 'name':'Command and Scripting Interpreter: PowerShell' + }, +] diff --git a/Server/rules/py/ioa/action.py b/Server/rules/py/ioa/action.py new file mode 100644 index 0000000..134207e --- /dev/null +++ b/Server/rules/py/ioa/action.py 
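Review bot: several `attck_hit` IDs in this rules hunk do not match the rule they are attached to, which matters because the ID is what the new `attck_hit_list` column stores and the dashboard renders. The `wmic.exe` rule is tagged `T1559.001` (Inter-Process Communication: Component Object Model) but named 'Windows Management Instrumentation', which is `T1047`; the `mofcomp.exe` rule is tagged `T1546.015` (Component Object Model Hijacking) although compiling MOF files is the WMI event subscription technique `T1546.003`, which is also what the deleted process.py called it ('注册WMI订阅'). Two rules fire on normal baseline activity on every host: `parentimage =~ ".*services.exe"` matches every legitimately started service child, and `originalfilename =~ ".*werfault.exe" and parentimage =~ ".*svchost.exe"` is the ordinary WER flow; at score 10 they only nudge the chain total, but consider dropping them or adding a discriminating condition. Finally, the patterns leave the dot before `exe` unescaped and the end unanchored, so `.*net.exe` also matches `telnet.exe` and `dotnet.exe`; escape and anchor (`net\.exe$`) and write those Python literals as raw strings, since `\.` in a normal string (already present in `eventvwr\.msc`) is an invalid escape that Python warns about. The `\u202e` rule must stay a normal (non-raw) string, because it relies on Python turning the escape into the actual right-to-left-override character.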
@@ -0,0 +1,50 @@ +rule = [ + { + 'rules': [ + 'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"', + ], + 'attck_hit':['T1003.002'], + 'score': 100, + 'name': '已知内存加载mimikazt行为' + }, + { + 'rules': [ + 'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"', + ], + 'attck_hit':['T1003.002'], + 'score': 60, + 'name': 'office异常进程内存' + }, + { + 'rules': [ + 'action == "pipecreate" and pipename =~ ".*msagent.*"', + 'action == "pipecreate" and pipename =~ ".*msse.*"', + 'action == "pipecreate" and pipename =~ ".*postex_.*"', + 'action == "pipecreate" and pipename =~ ".*postex_ssh.*"', + 'action == "pipecreate" and pipename =~ ".*status_.*"', + ], + 'attck_hit':['T1003.002'], + 'score': 100, + 'name': '已知CobalStrike' + }, + { + 'rules': [ + 'action == "pipecreate" and pipename =~ ".*paexec.*"', + 'action == "pipecreate" and pipename =~ ".*remcom.*"', + 'action == "pipecreate" and pipename =~ ".*csexec.*"' + ], + 'attck_hit':['T1003.002'], + 'score': 100, + 'name': '已知内网横向工具' + }, + { + 'rules': [ + 'action == "pipecreate" and pipename =~ ".*lsadump.*"', + 'action == "pipecreate" and pipename =~ ".*cachedump.*"', + 'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"' + ], + 'attck_hit':['T1003.002'], + 'score': 100, + 'name': '已知mimikazt内存dump' + }, +] diff --git a/Server/rules/py/ioa/process.py b/Server/rules/py/ioa/process.py new file mode 100644 index 0000000..07f2554 --- /dev/null +++ b/Server/rules/py/ioa/process.py 
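Review bot: every rule in `Server/rules/py/ioa/action.py` carries `'attck_hit':['T1003.002']`, which is OS Credential Dumping: Security Account Manager and fits none of them. The lsass `processaccess` rule is `T1003.001` (LSASS Memory); the Cobalt Strike pipe-name rule (`msagent`, `msse`, `postex_`, `status_`) and the `paexec`/`remcom`/`csexec` pipe rule are command-and-control and lateral-movement indicators, not credential dumping, so give them the IDs the sibling hunks already use for that family (`T1570`, `T1021`) rather than copying the first rule's tag. In the lsass rule, `grantedaccess & 0x0010` (PROCESS_VM_READ, the right bit) assumes `grantedaccess` reaches rule-engine as an integer; Sysmon emits GrantedAccess as a hex string such as `0x1010`, so confirm the agent converts it, otherwise the bitwise AND either errors or never matches. Also note that `sourceimage =~ ".*rundll32.exe"` limits this 100-point rule to the rundll32-hosted case, which is narrower than the name '已知内存加载mimikazt行为' suggests, and the names misspell mimikatz ('mimikazt') twice and Cobalt Strike ('CobalStrike') once.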
@@ -0,0 +1,35 @@ +rule = [ + { + 'rules': [ + 'originalfilename =~ ".*todesk_service.*" or originalfilename =~ ".*sunloginclient.*" or originalfilename =~ ".*teamviewer_service.exe.*" or originalfilename =~ ".*logmein.*" or originalfilename =~ ".*dwrcs.*" or originalfilename =~ ".*aa_v3.*" or originalfilename =~ ".*screenconnect.*" or originalfilename =~ ".*tvnserver.*" or originalfilename =~ ".*vncserver.*"', + ], + 'attck_hit':['T1133'], + 'score': 30, + 'name': '已知远程协助程序' + }, + { + 'rules': [ + 'originalfilename =~ ".*phoenixminer.*" or originalfilename =~ ".*ccminer.*" or originalfilename =~ ".*csminer.exe.*" or originalfilename =~ ".*xmrig.*" or originalfilename =~ ".*xmr-stak.*"', + ], + 'attck_hit':['T1496'], + 'score': 100, + 'name': '已知挖矿程序' + }, + { + 'rules': [ + 'originalfilename =~ "\\\\\\.*" and parentimage =~ ".*services.exe"', + ], + 'attck_hit':['T1021.006'], + 'score': 100, + 'name': '远程服务被创建' + }, + { + 'rules': [ + 'commandline =~ ".*__\d{10}\."', + 'originalfilename =~ ".*wmi_share.exe"', + ], + 'attck_hit':['T00000'], + 'score': 100, + 'name': 'wmic内网横向移动被触发' + }, +] diff --git a/Server/rules/py/process.py b/Server/rules/py/process.py deleted file mode 100644 index f8b937b..0000000 --- a/Server/rules/py/process.py +++ /dev/null 
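Review bot: the last rule in `Server/rules/py/ioa/process.py` sets `'attck_hit':['T00000']`, a placeholder rather than an ATT&CK ID, and it will be stored and rendered verbatim as a chip on the threat list; WMI-based remote execution is `T1047`. The '远程服务被创建' rule matches `originalfilename =~ "\\\\\\.*"`, but if `originalfilename` is Sysmon's OriginalFileName (the PE version-resource name, e.g. `net.exe`) it never contains a path, so a UNC prefix can only be found in `image`; the same applies to the `C$` rule in the neighbouring file, which also uses a different escape depth (eight backslashes versus six here), so verify both patterns against a captured event rather than by inspection.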
@@ -1,405 +0,0 @@ -rule = [ - { - 'rules': [ - 'originalfilename =~ ".*taskill.exe.*"', - 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"', - 'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"', - ], - 'score': 40, - 'name': '通过系统程序关闭进程' - }, - { - 'rules': [ - 'originalfilename =~ ".*curl.exe" or originalfilename =~ ".*wget.exe" or originalfilename =~ ".*dget.exe"' - ], - 'score': 40, - 'name':'通过应用下载文件' - }, - { - 'rules': [ - 'image =~ ".*\.doc\.exe"', - 'image =~ ".*\.docx\.exe"', - 'image =~ ".*\.ppt\.exe"', - 'image =~ ".*\.pdf\.exe"', - 'image =~ ".*\.html\.exe"', - 'image =~ ".*\.htm\.exe"', - 'image =~ ".*\.zip\.exe"', - 'image =~ ".*\.rar\.exe"' - ], - 'score': 30, - 'name':'启动双扩展名文件' - }, - { - 'rules': [ - 'commandline =~ ".*-k dcomlaunch.*"' - ], - 'score': 30, - 'name':'通过DCOM启动了进程' - }, - { - 'rules': [ - 'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"', - ], - 'score': 70, - 'name': '通过wbadmin删除备份' - }, - { - 'rules': [ - 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*view.*"', - ], - 'score': 70, - 'name': '通过net进行远程系统发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"', - ], - 'score': 70, - 'name': '通过系统工具删除USN' - }, - { - 'rules': [ - 'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"', - ], - 'score': 70, - 'name': '通过net进行系统用户发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*schtasks.exe.*" and commandline =~ ".*create.*"', - ], - 'score': 70, - 'name': '通过系统应用创建计划任务' - }, - { - 'rules': [ - 'originalfilename =~ ".*schtasks.exe.*" and commandline =~ ".*delete.*"', - ], - 'score': 40, - 'name': '通过系统应用删除计划任务' - }, - { - 'rules': [ - 'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"', - ], - 'score': 40, - 'name': '通过系统程序创建卷影备份' - }, - { - 'rules': [ - 'originalfilename =~ ".*todesk_service.*" or originalfilename =~ ".*sunloginclient.*" or originalfilename =~ 
".*teamviewer_service.exe.*" or originalfilename =~ ".*logmein.*" or originalfilename =~ ".*dwrcs.*" or originalfilename =~ ".*aa_v3.*" or originalfilename =~ ".*screenconnect.*" or originalfilename =~ ".*tvnserver.*" or originalfilename =~ ".*vncserver.*"', - ], - 'score': 20, - 'name': '已知远程协助程序' - }, - { - 'rules': [ - 'originalfilename =~ ".*phoenixminer.*" or originalfilename =~ ".*ccminer.*" or originalfilename =~ ".*csminer.exe.*" or originalfilename =~ ".*xmrig.*" or originalfilename =~ ".*xmr-stak.*"', - ], - 'score': 300, - 'name': '已知挖矿程序' - }, - { - 'rules': [ - 'image =~ ".*\\\\\\\\appdata\\\\\\\\local\\\\\\\\temp\\\\\\\\.*" or image =~ ".*\\\\\\\\windows\\\\\\\\temp\\\\\\\\.*"', - ], - 'score': 40, - 'name': '从临时文件创建进程' - }, - { - 'rules': [ - 'originalfilename =~ ".*rubeus.*" and commandline =~ ".*domain.*"', - ], - 'score': 100, - 'name': '通过系统工具获取域登陆令牌' - }, - { - 'rules': [ - 'originalfilename =~ ".*whoami.*"', - ], - 'score': 70, - 'name': 'whoami被执行' - }, - { - 'rules': [ - 'originalfilename =~ ".*\u202e.*"', - ], - 'score': 100, - 'name': '伪装名字程序被执行' - }, - { - 'rules': [ - 'parentimage =~ ".*mmc.exe" and commandline =~ ".*eventvwr\.msc.*"', - ], - 'score': 40, - 'name': '高权限进程被创建' - }, - { - 'rules': [ - 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"', - 'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"', - ], - 'score': 80, - 'name': '通过系统工具关闭系统恢复' - }, - { - 'rules': [ - 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*useraccount.*"', - ], - 'score': 70, - 'name': '通过wmic进行系统用户发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*startup.*"', - ], - 'score': 70, - 'name': '通过wmic查看系统启动项' - }, - { - 'rules': [ - 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*share.*"', - ], - 'score': 70, - 'name': '通过wmic查看系统共享' - }, - { - 'rules': [ - 'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and 
commandline =~ ".*delete.*"', - ], - 'score': 70, - 'name': 'wmic删除卷影备份' - }, - { - 'rules': [ - 'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*shadows.*" and commandline =~ ".*delete.*"', - ], - 'score': 70, - 'name': 'vssadmin删除卷影备份' - }, - { - 'rules': [ - 'originalfilename =~ ".*tasklist.exe"', - ], - 'score': 50, - 'name': '通过tasklist查看系统信息' - }, - { - 'rules': [ - 'originalfilename =~ ".*systeminfo.exe"', - ], - 'score': 70, - 'name': '通过systeminfo查看系统信息' - }, - { - 'rules': [ - 'originalfilename =~ ".*query.exe"', - ], - 'score': 70, - 'name': '通过query进行系统用户发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"', - 'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"', - 'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"' - ], - 'score': 70, - 'name': '通过net进行本地系统用户发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*setspn.exe"', - ], - 'score': 70, - 'name': '通过setspn进行本地系统用户发现' - }, - { - 'rules': [ - 'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"', - ], - 'score': 70, - 'name': '通过netsh关闭防火墙' - }, - { - 'rules': [ - 'originalfilename =~ ".*cmd.exe" and commandline =~ ".*ipconfig.*"', - ], - 'score': 80, - 'name': 'cmd启动ipconfig' - }, - { - 'rules': [ - 'originalfilename =~ ".*cmd.exe" and commandline =~ ".*net.*"', - ], - 'score': 60, - 'name': 'cmd启动net' - }, - { - 'rules': [ - 'originalfilename =~ ".*netstat.exe"', - ], - 'score': 40, - 'name': 'netstat被运行' - }, - { - 'rules': [ - 'originalfilename =~ ".*ping.exe"', - ], - 'score': 40, - 'name': 'ping被运行' - }, - { - 'rules': [ - 'originalfilename =~ ".*ipconfig.exe"', - ], - 'score': 40, - 'name': 'ipconfig被运行' - }, - { - 'rules': [ - 'originalfilename =~ ".*attrib.exe"', - ], - 'score': 40, - 'name': 'attrib被运行' - }, - { - 'rules': [ - 'originalfilename =~ ".*PSEXESVC.exe"', - ], - 'score': 100, - 'name': 'PSEXESVC内网横向移动' - }, - { - 'rules': [ - 'originalfilename =~ "\\\\\\\\.*\\\\\\C\$.*"', - ], - 
'score': 100, - 'name': 'SMB共享启动进程' - }, - { - 'rules': [ - 'commandline =~ ".*__\d{10}\."', - 'originalfilename =~ ".*wmi_share.exe"', - ], - 'score': 100, - 'name': 'wmic内网横向移动被触发' - }, - { - 'rules': [ - 'originalfilename =~ ".*icacls.exe"', - ], - 'score': 40, - 'name': 'icacls被运行' - }, - { - 'rules': [ - 'originalfilename =~ "\\\\\\.*" and parentimage =~ ".*services.exe"', - ], - 'score': 100, - 'name': '远程服务被创建' - }, - { - 'rules': [ - 'parentimage =~ ".*services.exe"', - ], - 'score': 30, - 'name': '从服务创建的进程' - }, - { - 'rules': [ - 'parentimage =~ ".*svchost.exe"', - 'originalfilename =~ ".*werfault.exe"' - ], - 'score': 60, - 'name': 'svchost.exe启动了werfault' - }, - { - 'rules': [ - 'parentimage =~ ".*werfault.exe"', - ], - 'score': 30, - 'name': '从werfault创建的进程' - }, - { - 'rules': [ - 'originalfilename =~ ".*wscript.exe"', - 'originalfilename =~ ".*cscript.exe"', - ], - 'score': 40, - 'name': '脚本程序被运行' - }, - { - 'rules': [ - 'originalfilename =~ ".*mofcomp.exe.*"' - ], - 'score': 80, - 'name':'注册WMI订阅' - }, - { - 'rules': [ - 'originalfilename =~ ".*csc.exe.*"' - ], - 'score': 80, - 'name':'.NET编译器被启动' - }, - { - 'rules': [ - 'originalfilename =~ ".*cmdkey.exe.*"' - ], - 'score': 100, - 'name':'通过系统应用查询本机账户' - }, - { - 'rules': [ - 'originalfilename =~ ".*adfind.exe.*"' - ], - 'score': 80, - 'name':'通过系统程序发现域信息' - }, - # 这些是保底规则 必须放到最底下才匹配 - { - 'rules': [ - 'originalfilename =~ ".*cmd.exe"' - ], - 'score': 30, - 'name':'执行CMD命令' - }, - { - 'rules': [ - 'originalfilename =~ ".*chcp.com"' - ], - 'score': 30, - 'name':'执行chcp.com' - }, - { - 'rules': [ - 'originalfilename =~ ".*wmic.exe.*"' - ], - 'score': 80, - 'name':'执行wmic' - }, - { - 'rules': [ - 'originalfilename =~ ".*rundll32.exe.*"' - ], - 'score': 20, - 'name':'通过rundll32启动进程' - }, - { - 'rules': [ - 'originalfilename =~ ".*certutil.exe"', - 'originalfilename =~ ".*curl.exe"', - 'originalfilename =~ ".*powershell.exe" and commandline =~ ".*invoke-webrequest.*"' - ], - 'score': 80, - 
'name':'通过系统命令下载文件' - }, - { - 'rules': [ - 'originalfilename =~ ".*powershell.exe"' - ], - 'score': 80, - 'name':'Powershell被执行' - }, -] diff --git a/Server/sql.py b/Server/sql.py index 058e870..9aef1d1 100644 --- a/Server/sql.py +++ b/Server/sql.py @@ -87,6 +87,8 @@ class threat_log(g_base): risk_score = Column(Integer) # 命中的规则 hit_rule = Column(String) + # attck命中 + attck_hit_list = Column(String) # json字段 data = Column(String) # 时间戳 @@ -262,7 +264,7 @@ def select_threat_by_chain_id(host, process_chain_hash, type): def update_threat_log( - host, risk_score, hit_rule_json, process_chain_hash, raw_json, type, is_end + host, risk_score, hit_rule_json, attck_hit_list_json, process_chain_hash, raw_json, type, is_end ): global g_threat_table global g_engine @@ -272,6 +274,7 @@ def update_threat_log( .values( risk_score=risk_score, hit_rule=hit_rule_json, + attck_hit_list=attck_hit_list_json, data=raw_json, is_end=int(is_end), ) @@ -335,6 +338,7 @@ def query_all_threat_log(query_type): threat_log.is_end, threat_log.start_process_info, threat_log.handle_type, + threat_log.attck_hit_list, ) .all() ) @@ -353,6 +357,7 @@ def query_all_threat_log(query_type): threat_log.is_end, threat_log.start_process_info, threat_log.handle_type, + threat_log.attck_hit_list ) .filter_by(handle_type=query_type) .all() @@ -365,6 +370,7 @@ def push_threat_log( host, risk_score, hit_rule_json, + attck_hit_list_json, process_chain_hash, raw_json, type, @@ -378,6 +384,7 @@ def push_threat_log( risk_score=risk_score, process_chain_hash=process_chain_hash, hit_rule=hit_rule_json, + attck_hit_list=attck_hit_list_json, type=type, data=raw_json, timestamp=int(round(time.time() * 1000)), diff --git a/Server/templates/index.html b/Server/templates/index.html index ed97024..87d8951 100644 --- a/Server/templates/index.html +++ b/Server/templates/index.html @@ -1 +1 @@ -Duck Sys Eye
\ No newline at end of file +Duck Sys Eye
\ No newline at end of file diff --git a/Server/templates/js/56.dc9e32b8.js b/Server/templates/js/56.dc9e32b8.js new file mode 100644 index 0000000..7f6ce9b --- /dev/null +++ b/Server/templates/js/56.dc9e32b8.js 
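Review bot: in `Server/sql.py` the new `attck_hit_list = Column(String)` on `threat_log` is not applied to databases created before this commit, because SQLAlchemy does not alter existing tables, so `query_all_threat_log` selecting `threat_log.attck_hit_list` will fail with "no such column" on an existing SQLite file unless an `ALTER TABLE threat_log ADD COLUMN attck_hit_list` (or a table rebuild) ships with the change. The `update_threat_log` and `push_threat_log` signatures also gain the positional parameter `attck_hit_list_json` in the middle of the argument list, between `hit_rule_json` and `process_chain_hash`; callers are not in this diff, and any caller left on the old order will silently write the chain hash into `attck_hit_list`, so update them in the same commit and prefer keyword arguments at the call sites.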
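Review bot: the deleted `Server/rules/py/process.py` contained the ransomware-preparation detections (wbadmin `delete`, vssadmin `shadows delete`, wmic `shadowcopy delete`, fsutil `deletejournal`, bcdedit `recoveryenabled no`), the double-extension rule, the `cmdkey.exe` rule and the certutil/curl/Invoke-WebRequest download rule; none of these appear in the added ioa hunks visible in this diff, so confirm they have counterparts in the new rule set before merging, otherwise the rewrite to ATT&CK-tagged rules loses coverage on exactly the behaviours the README's ransomware screenshot advertises.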
@@ -0,0 +1 @@ +"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[56],{8056:(t,e,a)=>{a.r(e),a.d(e,{default:()=>nt});var i=a(3673),l=a(2323);const s={class:"q-gutter-md q-mb-sm q-pa-lg"},o={class:"row q-col-gutter-sm"},n={class:"row"},r=(0,i._)("div",{class:"col"},null,-1),d={class:"col"},h={class:"row q-gutter-md q-mb-sm q-pa-lg"},c={key:0},u=(0,i._)("div",{class:"bg-red-5"}," ",-1),w=(0,i.Uk)(" 分数: "),p=(0,i.Uk)(" 活动状态: "),m=(0,i.Uk)(" ATTCK命中: "),g=(0,i.Uk)(" 产生的威胁: "),A=(0,i.Uk)(" 机器学习引擎 "),_=(0,i.Uk)(" 查看详情 "),k=(0,i.Uk)(" 在VT上搜索 "),f=(0,i.Uk)(" 确认威胁 "),C=(0,i.Uk)(" 忽略威胁 "),b=(0,i.Uk)(" 删除报警 "),v=(0,i._)("div",{class:"col"},null,-1),D=(0,i._)("div",{class:"text-h6"},"填写缘由",-1),W=(0,i.Uk)("Close"),B={class:"row",style:{width:"100%",height:"100%"}},U={ref:"main_draw",style:{width:"100%",height:"100%","margin-left":"5%"}},q=(0,i.Uk)("进程命中的规则: "),y=(0,i.Uk)(" 无 "),Q=(0,i.Uk)("attck矩阵: "),V=(0,i.Uk)(" 无 ");function S(t,e,a,S,I,x){const Z=(0,i.up)("q-icon"),K=(0,i.up)("q-item-section"),E=(0,i.up)("q-item-label"),Y=(0,i.up)("q-item"),z=(0,i.up)("q-card-section"),H=(0,i.up)("q-card"),j=(0,i.up)("q-chip"),N=(0,i.up)("q-btn"),O=(0,i.up)("q-card-actions"),F=(0,i.up)("q-timeline-entry"),L=(0,i.up)("q-timeline"),T=(0,i.up)("q-input"),X=(0,i.up)("q-dialog"),J=(0,i.up)("q-space"),P=(0,i.up)("q-tooltip"),R=(0,i.up)("q-bar"),G=(0,i.up)("q-separator"),M=(0,i.up)("q-list"),$=(0,i.up)("q-drawer"),tt=(0,i.Q2)("close-popup");return(0,i.wg)(),(0,i.iD)(i.HY,null,[(0,i._)("div",null,[(0,i._)("div",s,[(0,i.Wm)(H,{class:"bg-transparent no-shadow no-border"},{default:(0,i.w5)((()=>[(0,i.Wm)(z,{class:"q-pa-none"},{default:(0,i.w5)((()=>[(0,i._)("div",o,[((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.Threatitems,((t,e)=>((0,i.wg)(),(0,i.iD)("div",{key:e,class:"col-md-3 col-sm-12 col-xs-12"},[(0,i.Wm)(Y,{style:(0,l.j5)(`background-color: ${t.color1}`),class:"q-pa-none"},{default:(0,i.w5)((()=>[(0,i.Wm)(K,{side:"",style:(0,l.j5)(`background-color: 
${t.color2}`),class:"q-pa-lg q-mr-none text-white"},{default:(0,i.w5)((()=>[(0,i.Wm)(Z,{name:t.icon,color:"white",size:"24px"},null,8,["name"])])),_:2},1032,["style"]),(0,i.Wm)(K,{class:"q-pa-md q-ml-none text-white"},{default:(0,i.w5)((()=>[(0,i.Wm)(E,{class:"text-white text-h6 text-weight-bolder"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(t.value),1)])),_:2},1024),(0,i.Wm)(E,null,{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(t.title),1)])),_:2},1024)])),_:2},1024)])),_:2},1032,["style"])])))),128))])])),_:1})])),_:1})]),(0,i._)("div",n,[r,(0,i._)("div",d,[(0,i._)("div",h,[(0,i.Wm)(L,{layout:"dense",side:"right",color:"red"},{default:(0,i.w5)((()=>[t.server_threat.data&&0!=t.server_threat.data.length?(0,i.kq)("",!0):((0,i.wg)(),(0,i.iD)("h4",c,"暂无可用数据,下次刷新时间 "+(0,l.zw)(t.last_refresh)+"...",1)),((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.server_threat.data,((e,a)=>((0,i.wg)(),(0,i.j4)(F,{key:a,subtitle:"主机:"+e.host,side:"left"},{default:(0,i.w5)((()=>[(0,i._)("div",null,[(0,i.Wm)(H,{flat:"",bordered:"",style:{overflow:"auto"},"thumb-style":t.thumbStyle,"bar-style":t.barStyle},{default:(0,i.w5)((()=>[(0,i.Wm)(z,{horizontal:""},{default:(0,i.w5)((()=>[u,(0,i.Wm)(O,{vertical:"",class:"justify-around q-px-md"},{default:(0,i.w5)((()=>[(0,i._)("div",null,"进程链hash: "+(0,l.zw)(e.chain_hash),1),(0,i._)("div",null,"进程: "+(0,l.zw)(e.start_process.path),1),(0,i._)("div",null,"用户: 
"+(0,l.zw)(e.start_process.user),1),(0,i._)("div",null,[w,(0,i.Wm)(j,{square:"",color:"orange","text-color":"white","icon-right":"visibility"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e.risk_score),1)])),_:2},1024)]),(0,i._)("div",null,[p,(0,i.Wm)(j,{square:"",color:1==e.is_end?"negative":"red","text-color":"white"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(1==e.is_end?"已结束":"进行中"),1)])),_:2},1032,["color"])]),(0,i._)("div",null,[m,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(e.attck_hit_list,((t,e)=>((0,i.wg)(),(0,i.j4)(j,{key:t,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") ",1)])),_:2},1024)))),128))]),(0,i._)("div",null,[g,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(e.hit_rule,((t,e)=>((0,i.wg)(),(0,i.j4)(j,{key:t,square:"",color:"red","text-color":"white"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") ",1)])),_:2},1024)))),128)),"{}"==JSON.stringify(e.hit_rule)?((0,i.wg)(),(0,i.j4)(j,{key:0,square:"",color:"negative","text-color":"white"},{default:(0,i.w5)((()=>[A])),_:1})):(0,i.kq)("",!0)]),(0,i._)("div",null,[(0,i.Wm)(N,{flat:"",color:"accent",onClick:a=>t.show_details(e.id),icon:"open_in_new"},{default:(0,i.w5)((()=>[_])),_:2},1032,["onClick"]),(0,i.Wm)(N,{flat:"",color:"accent",onClick:a=>t.search_vt(e.start_process.hash),icon:"search"},{default:(0,i.w5)((()=>[k])),_:2},1032,["onClick"]),(0,i.Wm)(N,{flat:"",color:"accent",onClick:a=>t.handle_threat(e.id,1),icon:"done"},{default:(0,i.w5)((()=>[f])),_:2},1032,["onClick"]),(0,i.Wm)(N,{flat:"",color:"accent",onClick:a=>t.handle_threat(e.id,2),icon:"texture"},{default:(0,i.w5)((()=>[C])),_:2},1032,["onClick"]),(0,i.Wm)(N,{flat:"",color:"accent",icon:"close",onClick:a=>t.delete_threat(e.id)},{default:(0,i.w5)((()=>[b])),_:2},1032,["onClick"])])])),_:2},1024)])),_:2},1024)])),_:2},1032,["thumb-style","bar-style"])])])),_:2},1032,["subtitle"])))),128))])),_:1})])]),v])]),(0,i.Wm)(X,{modelValue:t.addwhiteListHash,"onUpdate:modelValue":e[3]||(e[3]=e
=>t.addwhiteListHash=e),persistent:"","transition-show":"scale","transition-hide":"scale"},{default:(0,i.w5)((()=>[(0,i.Wm)(H,{style:{"min-width":"350px"}},{default:(0,i.w5)((()=>[(0,i.Wm)(z,null,{default:(0,i.w5)((()=>[D])),_:1}),(0,i.Wm)(z,{class:"q-pt-none"},{default:(0,i.w5)((()=>[(0,i.Wm)(T,{dense:"",modelValue:this.whiteListPostData.reason,"onUpdate:modelValue":e[0]||(e[0]=t=>this.whiteListPostData.reason=t),autofocus:""},null,8,["modelValue"])])),_:1}),(0,i.Wm)(O,{align:"right",class:"text-primary"},{default:(0,i.w5)((()=>[(0,i.wy)((0,i.Wm)(N,{flat:"",label:"取消",onClick:e[1]||(e[1]=e=>t.addwhiteListHash=!1)},null,512),[[tt]]),(0,i.wy)((0,i.Wm)(N,{flat:"",label:"加入白名单",onClick:e[2]||(e[2]=e=>t.add_to_white_hash_post())},null,512),[[tt]])])),_:1})])),_:1})])),_:1},8,["modelValue"]),(0,i.Wm)(X,{modelValue:t.dialog,"onUpdate:modelValue":e[8]||(e[8]=e=>t.dialog=e),persistent:"",maximized:t.maximizedToggle,"transition-show":"slide-up","transition-hide":"slide-down"},{default:(0,i.w5)((()=>[(0,i.Wm)(H,{class:"text-white"},{default:(0,i.w5)((()=>[(0,i.Wm)(R,null,{default:(0,i.w5)((()=>[(0,i.Wm)(J),(0,i.wy)(((0,i.wg)(),(0,i.j4)(N,{dense:"",flat:"",icon:"close"},{default:(0,i.w5)((()=>[(0,i.Wm)(P,{"content-class":"bg-white text-primary"},{default:(0,i.w5)((()=>[W])),_:1})])),_:1})),[[tt]])])),_:1}),(0,i._)("div",B,[(0,i._)("div",U," 1 ",512)]),t.processChainShowDetails?((0,i.wg)(),(0,i.j4)($,{key:0,"show-if-above":"",modelValue:t.processChainShowDetails,"onUpdate:modelValue":e[7]||(e[7]=e=>t.processChainShowDetails=e),side:"right",bordered:"",width:"350",class:"text-dark"},{default:(0,i.w5)((()=>[(0,i.Wm)(M,{style:{width:"100%","word-break":"break-all"}},{default:(0,i.w5)((()=>[(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("活跃状态: "+(0,l.zw)(t.processChainDetails.active?"运行中":"已结束"),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程名字: 
"+(0,l.zw)(t.processChainDetails.name),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程路径: "+(0,l.zw)(t.processChainDetails.path),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程参数: "+(0,l.zw)(t.processChainDetails.params),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程id: "+(0,l.zw)(t.processChainDetails.pid),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("父进程id: "+(0,l.zw)(t.processChainDetails.ppid),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程hash: "+(0,l.zw)(t.processChainDetails.md5),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[(0,i.Uk)("是否在白名单中: "+(0,l.zw)(t.processChainDetails.isWhite?"是":"否"),1)])),_:1})])),_:1}),(0,i.Wm)(G),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[q,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.processChainDetails.hitRules,((t,e)=>((0,i.wg)(),(0,i.j4)(j,{key:t,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") ",1)])),_:2},1024)))),128)),"{}"==JSON.stringify(t.processChainDetails.hitRules)?((0,i.wg)(),(0,i.j4)(j,{key:0,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[y])),_:1})):(0,i.kq)("",!0)])),_:1})])),_:1}),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,null,{default:(0,i.w5)((()=>[Q,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.processChainDetails.hitAttck,((t,e)=>((0,i.wg)(),(0,i.j4)(j,{key:t,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") 
",1)])),_:2},1024)))),128)),"{}"==JSON.stringify(t.processChainDetails.hitAttck)?((0,i.wg)(),(0,i.j4)(j,{key:0,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[V])),_:1})):(0,i.kq)("",!0)])),_:1})])),_:1}),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[(0,i.Wm)(N,{icon:"search",outline:"",style:{color:"grey",width:"100%"},label:"搜索hash",onClick:e[4]||(e[4]=e=>t.search_vt(t.processChainDetails.md5))})])),_:1}),(0,i.Wm)(Y,null,{default:(0,i.w5)((()=>[0==t.processChainDetails.isWhite?((0,i.wg)(),(0,i.j4)(N,{key:0,icon:"texture",outline:"",style:{color:"grey",width:"100%"},label:"加入白名单",onClick:e[5]||(e[5]=e=>t.add_to_white_hash_pre(t.processChainDetails.path,t.processChainDetails.md5))})):((0,i.wg)(),(0,i.j4)(N,{key:1,icon:"clear",outline:"",style:{color:"grey",width:"100%"},label:"从白名单中删除",onClick:e[6]||(e[6]=e=>t.delete_white_hash(t.processChainDetails.md5))}))])),_:1})])),_:1})])),_:1},8,["modelValue"])):(0,i.kq)("",!0)])),_:1})])),_:1},8,["modelValue","maximized"])],64)}var I=a(52),x=a.n(I),Z=a(2256);const 
K=(0,i.aZ)({name:"PageIndex",data:function(){return{addwhiteListHash:!1,whiteListPostData:{path:"",hash:"",reason:""},processChainShowDetails:!1,last_refresh:360,processChainDetails:{hash:"",prams:"",hitRules:[],hitAttck:[],isWhite:!1,whiteListReason:""},thumbStyle:{right:"4px",borderRadius:"5px",backgroundColor:"#027be3",width:"5px",opacity:.75},barStyle:{right:"2px",borderRadius:"9px",backgroundColor:"#027be3",width:"9px",opacity:.2},threatStatistics:{all:1,confirm:0,ingore:1,working:0},Threatitems:[{title:"发现的威胁",icon:"remove_red_eye",value:"200",color1:"#5064b5",color2:"#3e51b5"},{title:"确认的威胁",icon:"flash_on",value:"500",color1:"#f37169",color2:"#f34636"},{title:"忽略的威胁",icon:"texture",value:"50",color1:"#ea6a7f",color2:"#ea4b64"},{title:"进行中的威胁",icon:"bar_chart",value:"1020",color1:"#a270b1",color2:"#9f52b1"}],dialog:!1,maximizedToggle:!0,server_threat:{},select_chain_data:{}}},methods:{delete_white_hash(t){x().get("/api/v1/del/white_list?hash="+t).then((t=>{this.processChainDetails.isWhite=!1}))},query_white_hash(t){x().get("/api/v1/query/white_list?hash="+t).then((t=>{this.processChainDetails.isWhite=1===t.data.result}))},add_to_white_hash_pre(t,e){this.whiteListPostData={path:t,hash:e,reason:""},this.addwhiteListHash=!0,console.log("addwhiteListHash",this.addwhiteListHash)},add_to_white_hash_post(){x().post("/api/v1/set/white_list",this.whiteListPostData).then((t=>{this.processChainDetails.isWhite=!0}))},set_chain_data(t){if(t.path){const e=t.path.split("\\");t.name=e[e.length-1],console.log(t.name);for(const a in t.children)this.set_chain_data(t.children[a])}},draw_tree(){this.set_chain_data(this.select_chain_data);const t=this.$refs.main_draw,e=Z.S1(t),a={tooltip:{trigger:"item",triggerOn:"mousemove",formatter:function(t){const e=t.data;let a="
参数: "+e.params+"
hash: "+e.md5+"
命名规则列表: ";0===e.operationlist.length&&(a+="无");for(const i in e.operationlist)a+=" "+i+"["+e.operationlist[i]+"] ";return a+="
",a}},series:[{roam:!0,type:"tree",id:0,name:"tree1",data:[this.select_chain_data],top:"5%",left:"15%",bottom:"22%",right:"20%",edgeShape:"polyline",edgeForkPosition:"63%",initialTreeDepth:60,lineStyle:{width:2},label:{backgroundColor:"#fff",position:"left",verticalAlign:"middle",align:"right"},leaves:{label:{position:"right",verticalAlign:"middle",align:"left"}},emphasis:{focus:"descendant"},symbolSize:[30,30],symbol:"image://",expandAndCollapse:!1,animationDuration:350,animationDurationUpdate:450}]};e.setOption(a),e.on("click",(t=>{const e=t.data;this.processChainDetails={path:e.path,active:e.active,md5:e.md5,name:e.name,params:e.params,pid:e.pid,ppid:e.ppid,hitRules:void 0===e.operationlist?{}:e.operationlist,hitAttck:void 0===e.attck_hit_list?{}:e.attck_hit_list,isWhite:!1},this.query_white_hash(e.md5),this.processChainShowDetails=!0}))},search_vt(t){window.open("https://www.virustotal.com/gui/search/"+t,"_blank")},delete_threat(t){x().get("/api/v1/get/process_chain/delete?id="+t,{"Content-Type":"application/json"}).then((t=>{this.get_clientids()}))},handle_threat(t,e){x().get("/api/v1/get/process_chain/handle?id="+t+"&handletype="+e,{"Content-Type":"application/json"}).then((t=>{this.get_clientids()}))},show_details(t){x().get("/api/v1/get/process_chain/pull?id="+t,{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.select_chain_data=e.data.chain.process_node,this.dialog=!0,console.log("this.select_chain_data",this.select_chain_data),this.$nextTick((()=>{this.draw_tree()})))}))},get_threatStatistics(){x().get("/api/v1/get/threat_statistics",{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.threatStatistics=e.data,this.Threatitems[0].value=this.threatStatistics.all,this.Threatitems[1].value=this.threatStatistics.confirm,this.Threatitems[2].value=this.threatStatistics.ingore,this.Threatitems[3].value=this.threatStatistics.working)}))},get_clientids(){const t=this.$route.params.queryIndex,e=null===t||void 
0===t?0:t;x().get("/api/v1/get/process_chain/all?query_type="+e,{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.server_threat={data:[]},this.server_threat.data=e.data,this.get_threatStatistics())}))}},mounted(){this.get_clientids(),setInterval((()=>{this.last_refresh-=1,this.last_refresh<=0&&(this.get_clientids(),this.last_refresh=360)}),1e3)},watch:{$route(t,e){this.get_clientids()}}});var E=a(4260),Y=a(151),z=a(5589),H=a(3414),j=a(2035),N=a(4554),O=a(2350),F=a(1432),L=a(3424),T=a(9367),X=a(7030),J=a(8240),P=a(6778),R=a(4842),G=a(846),M=a(2025),$=a(8870),tt=a(2901),et=a(7011),at=a(5869),it=a(677),lt=a(7518),st=a.n(lt);const ot=(0,E.Z)(K,[["render",S]]),nt=ot;st()(K,"components",{QCard:Y.Z,QCardSection:z.Z,QItem:H.Z,QItemSection:j.Z,QIcon:N.Z,QItemLabel:O.Z,QTimeline:F.Z,QTimelineEntry:L.Z,QCardActions:T.Z,QChip:X.Z,QBtn:J.Z,QDialog:P.Z,QInput:R.Z,QBar:G.Z,QSpace:M.Z,QTooltip:$.Z,QDrawer:tt.Z,QList:et.Z,QSeparator:at.Z}),st()(K,"directives",{ClosePopup:it.Z})}}]); \ No newline at end of file diff --git a/Server/templates/js/56.dc9e32b8.js.gz b/Server/templates/js/56.dc9e32b8.js.gz new file mode 100644 index 0000000..a1bb863 Binary files /dev/null and b/Server/templates/js/56.dc9e32b8.js.gz differ diff --git a/Server/templates/js/698.7639c919.js b/Server/templates/js/698.7639c919.js deleted file mode 100644 index 70b6bc7..0000000 --- a/Server/templates/js/698.7639c919.js +++ /dev/null 
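Review bot: in `Server/templates/js/56.dc9e32b8.js` the empty-state check `"{}"==JSON.stringify(t.processChainDetails.hitAttck)` only recognises an empty object, while `data()` initialises `hitAttck:[]` (and `hitRules:[]`) and the tree click handler falls back to `{}`; whichever default is in effect, one of the two shapes never shows the '无' chip, so pick one shape and test `Object.keys(x).length===0`. The chip loop over `e.attck_hit_list` uses the iterated value `t` as `key` and renders `e+" ("+t+")"`, which is right for a dict keyed by technique ID but reads "0 (T1106)" if the server stores the rules' list form (`['T1106']`), and duplicate IDs across rules then produce duplicate keys; confirm the stored shape. `delete_threat`, `handle_threat` and `delete_white_hash` perform state changes over GET (`/api/v1/get/process_chain/delete?id=`, `.../handle?id=`, `/api/v1/del/white_list?hash=`), which makes them triggerable by any page a logged-in operator visits despite the IP allow-list; move them to POST/DELETE. The second argument `{"Content-Type":"application/json"}` passed to `x().get(...)` is not a valid request config if `x` is axios (headers belong under `headers`) and is ignored. Lastly, the `setInterval` started in `mounted()` is never cleared, so every route change leaks another refresh timer; store the handle and clear it in `beforeUnmount`.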
@@ -1 +0,0 @@ -"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[698],{698:(t,e,a)=>{a.r(e),a.d(e,{default:()=>at});var i=a(3673),l=a(2323);const s={class:"q-gutter-md q-mb-sm q-pa-lg"},o={class:"row q-col-gutter-sm"},n={class:"row"},d=(0,i._)("div",{class:"col"},null,-1),r={class:"col"},h={class:"row q-gutter-md q-mb-sm q-pa-lg"},c={key:0},u=(0,i._)("div",{class:"bg-red-5"}," ",-1),p=(0,i.Uk)(" 分数: "),w=(0,i.Uk)(" 活动状态: "),m=(0,i.Uk)(" 产生的威胁: "),A=(0,i.Uk)(" 查看详情 "),g=(0,i.Uk)(" 在VT上搜索 "),_=(0,i.Uk)(" 确认威胁 "),C=(0,i.Uk)(" 忽略威胁 "),f=(0,i.Uk)(" 删除报警 "),k=(0,i._)("div",{class:"col"},null,-1),b=(0,i._)("div",{class:"text-h6"},"填写缘由",-1),v=(0,i.Uk)("Close"),W={class:"row",style:{width:"100%",height:"100%"}},B={ref:"main_draw",style:{width:"100%",height:"100%","margin-left":"5%"}},D=(0,i.Uk)("进程命中的规则: ");function Q(t,e,a,Q,U,q){const y=(0,i.up)("q-icon"),V=(0,i.up)("q-item-section"),S=(0,i.up)("q-item-label"),I=(0,i.up)("q-item"),x=(0,i.up)("q-card-section"),Z=(0,i.up)("q-card"),E=(0,i.up)("q-chip"),K=(0,i.up)("q-btn"),Y=(0,i.up)("q-card-actions"),z=(0,i.up)("q-timeline-entry"),H=(0,i.up)("q-timeline"),F=(0,i.up)("q-input"),N=(0,i.up)("q-dialog"),j=(0,i.up)("q-space"),L=(0,i.up)("q-tooltip"),O=(0,i.up)("q-bar"),X=(0,i.up)("q-separator"),T=(0,i.up)("q-list"),P=(0,i.up)("q-drawer"),J=(0,i.Q2)("close-popup");return(0,i.wg)(),(0,i.iD)(i.HY,null,[(0,i._)("div",null,[(0,i._)("div",s,[(0,i.Wm)(Z,{class:"bg-transparent no-shadow no-border"},{default:(0,i.w5)((()=>[(0,i.Wm)(x,{class:"q-pa-none"},{default:(0,i.w5)((()=>[(0,i._)("div",o,[((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.Threatitems,((t,e)=>((0,i.wg)(),(0,i.iD)("div",{key:e,class:"col-md-3 col-sm-12 col-xs-12"},[(0,i.Wm)(I,{style:(0,l.j5)(`background-color: ${t.color1}`),class:"q-pa-none"},{default:(0,i.w5)((()=>[(0,i.Wm)(V,{side:"",style:(0,l.j5)(`background-color: ${t.color2}`),class:"q-pa-lg q-mr-none 
text-white"},{default:(0,i.w5)((()=>[(0,i.Wm)(y,{name:t.icon,color:"white",size:"24px"},null,8,["name"])])),_:2},1032,["style"]),(0,i.Wm)(V,{class:"q-pa-md q-ml-none text-white"},{default:(0,i.w5)((()=>[(0,i.Wm)(S,{class:"text-white text-h6 text-weight-bolder"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(t.value),1)])),_:2},1024),(0,i.Wm)(S,null,{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(t.title),1)])),_:2},1024)])),_:2},1024)])),_:2},1032,["style"])])))),128))])])),_:1})])),_:1})]),(0,i._)("div",n,[d,(0,i._)("div",r,[(0,i._)("div",h,[(0,i.Wm)(H,{layout:"dense",side:"right",color:"red"},{default:(0,i.w5)((()=>[t.server_threat.data&&0!=t.server_threat.data.length?(0,i.kq)("",!0):((0,i.wg)(),(0,i.iD)("h4",c,"暂无可用数据,下次刷新时间 "+(0,l.zw)(t.last_refresh)+"...",1)),((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.server_threat.data,((e,a)=>((0,i.wg)(),(0,i.j4)(z,{key:a,subtitle:"主机:"+e.host,side:"left"},{default:(0,i.w5)((()=>[(0,i._)("div",null,[(0,i.Wm)(Z,{flat:"",bordered:"",style:{overflow:"auto"},"thumb-style":t.thumbStyle,"bar-style":t.barStyle},{default:(0,i.w5)((()=>[(0,i.Wm)(x,{horizontal:""},{default:(0,i.w5)((()=>[u,(0,i.Wm)(Y,{vertical:"",class:"justify-around q-px-md"},{default:(0,i.w5)((()=>[(0,i._)("div",null,"进程链hash: "+(0,l.zw)(e.chain_hash),1),(0,i._)("div",null,"进程: "+(0,l.zw)(e.start_process.path),1),(0,i._)("div",null,"用户: "+(0,l.zw)(e.start_process.user),1),(0,i._)("div",null,[p,(0,i.Wm)(E,{square:"",color:"orange","text-color":"white","icon-right":"visibility"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e.risk_score),1)])),_:2},1024)]),(0,i._)("div",null,[w,(0,i.Wm)(E,{square:"",color:1==e.is_end?"negative":"red","text-color":"white"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(1==e.is_end?"已结束":"进行中"),1)])),_:2},1032,["color"])]),(0,i._)("div",null,[m,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(e.hit_rule,((t,e)=>((0,i.wg)(),(0,i.j4)(E,{key:t,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") 
",1)])),_:2},1024)))),128))]),(0,i._)("div",null,[(0,i.Wm)(K,{flat:"",color:"accent",onClick:a=>t.show_details(e.id),icon:"open_in_new"},{default:(0,i.w5)((()=>[A])),_:2},1032,["onClick"]),(0,i.Wm)(K,{flat:"",color:"accent",onClick:a=>t.search_vt(e.start_process.hash),icon:"search"},{default:(0,i.w5)((()=>[g])),_:2},1032,["onClick"]),(0,i.Wm)(K,{flat:"",color:"accent",onClick:a=>t.handle_threat(e.id,1),icon:"done"},{default:(0,i.w5)((()=>[_])),_:2},1032,["onClick"]),(0,i.Wm)(K,{flat:"",color:"accent",onClick:a=>t.handle_threat(e.id,2),icon:"texture"},{default:(0,i.w5)((()=>[C])),_:2},1032,["onClick"]),(0,i.Wm)(K,{flat:"",color:"accent",icon:"close",onClick:a=>t.delete_threat(e.id)},{default:(0,i.w5)((()=>[f])),_:2},1032,["onClick"])])])),_:2},1024)])),_:2},1024)])),_:2},1032,["thumb-style","bar-style"])])])),_:2},1032,["subtitle"])))),128))])),_:1})])]),k])]),(0,i.Wm)(N,{modelValue:t.addwhiteListHash,"onUpdate:modelValue":e[3]||(e[3]=e=>t.addwhiteListHash=e),persistent:"","transition-show":"scale","transition-hide":"scale"},{default:(0,i.w5)((()=>[(0,i.Wm)(Z,{style:{"min-width":"350px"}},{default:(0,i.w5)((()=>[(0,i.Wm)(x,null,{default:(0,i.w5)((()=>[b])),_:1}),(0,i.Wm)(x,{class:"q-pt-none"},{default:(0,i.w5)((()=>[(0,i.Wm)(F,{dense:"",modelValue:this.whiteListPostData.reason,"onUpdate:modelValue":e[0]||(e[0]=t=>this.whiteListPostData.reason=t),autofocus:""},null,8,["modelValue"])])),_:1}),(0,i.Wm)(Y,{align:"right",class:"text-primary"},{default:(0,i.w5)((()=>[(0,i.wy)((0,i.Wm)(K,{flat:"",label:"取消",onClick:e[1]||(e[1]=e=>t.addwhiteListHash=!1)},null,512),[[J]]),(0,i.wy)((0,i.Wm)(K,{flat:"",label:"加入白名单",onClick:e[2]||(e[2]=e=>t.add_to_white_hash_post())},null,512),[[J]])])),_:1})])),_:1})])),_:1},8,["modelValue"]),(0,i.Wm)(N,{modelValue:t.dialog,"onUpdate:modelValue":e[8]||(e[8]=e=>t.dialog=e),persistent:"",maximized:t.maximizedToggle,"transition-show":"slide-up","transition-hide":"slide-down"},{default:(0,i.w5)((()=>[(0,i.Wm)(Z,{class:"text-white"},{default:(0,i.w
5)((()=>[(0,i.Wm)(O,null,{default:(0,i.w5)((()=>[(0,i.Wm)(j),(0,i.wy)(((0,i.wg)(),(0,i.j4)(K,{dense:"",flat:"",icon:"close"},{default:(0,i.w5)((()=>[(0,i.Wm)(L,{"content-class":"bg-white text-primary"},{default:(0,i.w5)((()=>[v])),_:1})])),_:1})),[[J]])])),_:1}),(0,i._)("div",W,[(0,i._)("div",B," 1 ",512)]),t.processChainShowDetails?((0,i.wg)(),(0,i.j4)(P,{key:0,"show-if-above":"",modelValue:t.processChainShowDetails,"onUpdate:modelValue":e[7]||(e[7]=e=>t.processChainShowDetails=e),side:"right",bordered:"",width:"350",class:"text-dark"},{default:(0,i.w5)((()=>[(0,i.Wm)(T,{style:{width:"100%","word-break":"break-all"}},{default:(0,i.w5)((()=>[(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("活跃状态: "+(0,l.zw)(t.processChainDetails.active?"运行中":"已结束"),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程名字: "+(0,l.zw)(t.processChainDetails.name),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程路径: "+(0,l.zw)(t.processChainDetails.path),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程参数: "+(0,l.zw)(t.processChainDetails.params),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程id: "+(0,l.zw)(t.processChainDetails.pid),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("父进程id: "+(0,l.zw)(t.processChainDetails.ppid),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("进程hash: "+(0,l.zw)(t.processChainDetails.md5),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[(0,i.Uk)("是否在白名单中: 
"+(0,l.zw)(t.processChainDetails.isWhite?"是":"否"),1)])),_:1})])),_:1}),(0,i.Wm)(X),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(V,null,{default:(0,i.w5)((()=>[D,((0,i.wg)(!0),(0,i.iD)(i.HY,null,(0,i.Ko)(t.processChainDetails.hitRules,((t,e)=>((0,i.wg)(),(0,i.j4)(E,{key:t,square:"",color:"rgb(239,243,246)"},{default:(0,i.w5)((()=>[(0,i.Uk)((0,l.zw)(e)+" ("+(0,l.zw)(t)+") ",1)])),_:2},1024)))),128))])),_:1})])),_:1}),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[(0,i.Wm)(K,{icon:"search",outline:"",style:{color:"grey",width:"100%"},label:"搜索hash",onClick:e[4]||(e[4]=e=>t.search_vt(t.processChainDetails.md5))})])),_:1}),(0,i.Wm)(I,null,{default:(0,i.w5)((()=>[0==t.processChainDetails.isWhite?((0,i.wg)(),(0,i.j4)(K,{key:0,icon:"texture",outline:"",style:{color:"grey",width:"100%"},label:"加入白名单",onClick:e[5]||(e[5]=e=>t.add_to_white_hash_pre(t.processChainDetails.path,t.processChainDetails.md5))})):((0,i.wg)(),(0,i.j4)(K,{key:1,icon:"clear",outline:"",style:{color:"grey",width:"100%"},label:"从白名单中删除",onClick:e[6]||(e[6]=e=>t.delete_white_hash(t.processChainDetails.md5))}))])),_:1})])),_:1})])),_:1},8,["modelValue"])):(0,i.kq)("",!0)])),_:1})])),_:1},8,["modelValue","maximized"])],64)}var U=a(52),q=a.n(U),y=a(2256);const 
V=(0,i.aZ)({name:"PageIndex",data:function(){return{addwhiteListHash:!1,whiteListPostData:{path:"",hash:"",reason:""},processChainShowDetails:!1,last_refresh:360,processChainDetails:{hash:"",prams:"",hitRule:[],isWhite:!1,whiteListReason:""},thumbStyle:{right:"4px",borderRadius:"5px",backgroundColor:"#027be3",width:"5px",opacity:.75},barStyle:{right:"2px",borderRadius:"9px",backgroundColor:"#027be3",width:"9px",opacity:.2},threatStatistics:{all:1,confirm:0,ingore:1,working:0},Threatitems:[{title:"发现的威胁",icon:"remove_red_eye",value:"200",color1:"#5064b5",color2:"#3e51b5"},{title:"确认的威胁",icon:"flash_on",value:"500",color1:"#f37169",color2:"#f34636"},{title:"忽略的威胁",icon:"texture",value:"50",color1:"#ea6a7f",color2:"#ea4b64"},{title:"进行中的威胁",icon:"bar_chart",value:"1020",color1:"#a270b1",color2:"#9f52b1"}],dialog:!1,maximizedToggle:!0,server_threat:{},select_chain_data:{}}},methods:{delete_white_hash(t){q().get("/api/v1/del/white_list?hash="+t).then((t=>{this.processChainDetails.isWhite=!1}))},query_white_hash(t){q().get("/api/v1/query/white_list?hash="+t).then((t=>{this.processChainDetails.isWhite=1===t.data.result}))},add_to_white_hash_pre(t,e){this.whiteListPostData={path:t,hash:e,reason:""},this.addwhiteListHash=!0,console.log("addwhiteListHash",this.addwhiteListHash)},add_to_white_hash_post(){q().post("/api/v1/set/white_list",this.whiteListPostData).then((t=>{this.processChainDetails.isWhite=!0}))},set_chain_data(t){if(t.path){const e=t.path.split("\\");t.name=e[e.length-1],console.log(t.name);for(const a in t.children)this.set_chain_data(t.children[a])}},draw_tree(){this.set_chain_data(this.select_chain_data);const t=this.$refs.main_draw,e=y.S1(t),a={tooltip:{trigger:"item",triggerOn:"mousemove",formatter:function(t){const e=t.data;let a="
参数: "+e.params+"
hash: "+e.md5+"
命名规则列表: ";0===e.operationlist.length&&(a+="无");for(const i in e.operationlist)a+=" "+i+"["+e.operationlist[i]+"] ";return a+="
",a}},series:[{roam:!0,type:"tree",id:0,name:"tree1",data:[this.select_chain_data],top:"5%",left:"15%",bottom:"22%",right:"20%",edgeShape:"polyline",edgeForkPosition:"63%",initialTreeDepth:60,lineStyle:{width:2},label:{backgroundColor:"#fff",position:"left",verticalAlign:"middle",align:"right"},leaves:{label:{position:"right",verticalAlign:"middle",align:"left"}},emphasis:{focus:"descendant"},symbolSize:[30,30],symbol:"image://",expandAndCollapse:!1,animationDuration:350,animationDurationUpdate:450}]};e.setOption(a),e.on("click",(t=>{const e=t.data;this.processChainDetails={path:e.path,active:e.active,md5:e.md5,name:e.name,params:e.params,pid:e.pid,ppid:e.ppid,hitRules:e.operationlist,isWhite:!1},this.query_white_hash(e.md5),this.processChainShowDetails=!0}))},search_vt(t){window.open("https://www.virustotal.com/gui/search/"+t,"_blank")},delete_threat(t){q().get("/api/v1/get/process_chain/delete?id="+t,{"Content-Type":"application/json"}).then((t=>{this.get_clientids()}))},handle_threat(t,e){q().get("/api/v1/get/process_chain/handle?id="+t+"&handletype="+e,{"Content-Type":"application/json"}).then((t=>{this.get_clientids()}))},show_details(t){q().get("/api/v1/get/process_chain/pull?id="+t,{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.select_chain_data=e.data.chain.process_node,this.dialog=!0,console.log("this.select_chain_data",this.select_chain_data),this.$nextTick((()=>{this.draw_tree()})))}))},get_threatStatistics(){q().get("/api/v1/get/threat_statistics",{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.threatStatistics=e.data,this.Threatitems[0].value=this.threatStatistics.all,this.Threatitems[1].value=this.threatStatistics.confirm,this.Threatitems[2].value=this.threatStatistics.ingore,this.Threatitems[3].value=this.threatStatistics.working)}))},get_clientids(){const t=this.$route.params.queryIndex,e=null===t||void 
0===t?0:t;q().get("/api/v1/get/process_chain/all?query_type="+e,{"Content-Type":"application/json"}).then((t=>{const e=t.data;e.data&&(this.server_threat={data:[]},this.server_threat.data=e.data,this.get_threatStatistics())}))}},mounted(){this.get_clientids(),setInterval((()=>{this.last_refresh-=1,this.last_refresh<=0&&(this.get_clientids(),this.last_refresh=360)}),1e3)},watch:{$route(t,e){this.get_clientids()}}});var S=a(4260),I=a(151),x=a(5589),Z=a(3414),E=a(2035),K=a(4554),Y=a(2350),z=a(1432),H=a(3424),F=a(9367),N=a(7030),j=a(8240),L=a(6778),O=a(4842),X=a(846),T=a(2025),P=a(8870),J=a(2901),R=a(7011),G=a(5869),M=a(677),$=a(7518),tt=a.n($);const et=(0,S.Z)(V,[["render",Q]]),at=et;tt()(V,"components",{QCard:I.Z,QCardSection:x.Z,QItem:Z.Z,QItemSection:E.Z,QIcon:K.Z,QItemLabel:Y.Z,QTimeline:z.Z,QTimelineEntry:H.Z,QCardActions:F.Z,QChip:N.Z,QBtn:j.Z,QDialog:L.Z,QInput:O.Z,QBar:X.Z,QSpace:T.Z,QTooltip:P.Z,QDrawer:J.Z,QList:R.Z,QSeparator:G.Z}),tt()(V,"directives",{ClosePopup:M.Z})}}]); \ No newline at end of file diff --git a/Server/templates/js/698.7639c919.js.gz b/Server/templates/js/698.7639c919.js.gz deleted file mode 100644 index b71265d..0000000 Binary files a/Server/templates/js/698.7639c919.js.gz and /dev/null differ diff --git a/Server/templates/js/app.8fbb593d.js b/Server/templates/js/app.8fbb593d.js deleted file mode 100644 index 329416f..0000000 --- a/Server/templates/js/app.8fbb593d.js +++ /dev/null 
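Review bot: The component removed in this hunk issues state-changing requests over GET with the target in the query string (`/api/v1/get/process_chain/delete?id=`, `/api/v1/get/process_chain/handle?id=...&handletype=`, `/api/v1/del/white_list?hash=`), so any page an analyst has open can trigger a delete, a "confirm/ignore" or a whitelist removal with a plain cross-site GET. In addition, `{"Content-Type":"application/json"}` is passed as the second argument of axios `get`, where it is read as the config object rather than as headers, so it has no effect. The same `x().get(..., {"Content-Type":"application/json"})` pattern is visible at the tail of the replacement bundle above, so check that the delete/handle/white-list calls were not carried over unchanged; they belong on POST (or DELETE) with a CSRF token, and any real header goes under a `headers:` key.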
@@ -1 +0,0 @@ -(()=>{"use strict";var e={9942:(e,t,r)=>{var n=r(8880),o=r(9782),a=r(3673);function i(e,t,r,n,o,i){const s=(0,a.up)("router-view");return(0,a.wg)(),(0,a.j4)(s)}const s=(0,a.aZ)({name:"App"});var l=r(4260);const c=(0,l.Z)(s,[["render",i]]),d=c;var u=r(3340),p=r(8339);r(71);const h=[{path:"/",component:()=>Promise.all([r.e(736),r.e(69)]).then(r.bind(r,2069)),children:[{path:"",component:()=>Promise.all([r.e(736),r.e(698)]).then(r.bind(r,698))}]},{path:"/page",component:()=>Promise.all([r.e(736),r.e(69)]).then(r.bind(r,2069)),children:[{path:"dashboard",component:()=>r.e(904).then(r.bind(r,6904))},{path:"index",name:"index",component:()=>Promise.all([r.e(736),r.e(698)]).then(r.bind(r,698))},{path:"index",name:"whitelist",component:()=>Promise.all([r.e(736),r.e(219)]).then(r.bind(r,4219))}]},{path:"/:catchAll(.*)*",component:()=>Promise.all([r.e(736),r.e(193)]).then(r.bind(r,2193))}],f=h,m=(0,u.BC)((function(){const e=p.r5,t=(0,p.p7)({scrollBehavior:()=>({left:0,top:0}),routes:f,history:e("")});return t}));async function v(e,t){const r="function"===typeof m?await m({}):m,n=e(d);return n.use(o.Z,t),{app:n,router:r}}const b={config:{}};async function g({app:e,router:t}){e.use(t),e.mount("#q-app")}v(n.ri,b).then(g)}},t={};function r(n){var o=t[n];if(void 0!==o)return o.exports;var a=t[n]={exports:{}};return e[n](a,a.exports,r),a.exports}r.m=e,(()=>{var e=[];r.O=(t,n,o,a)=>{if(!n){var i=1/0;for(d=0;d=a)&&Object.keys(r.O).every((e=>r.O[e](n[l])))?n.splice(l--,1):(s=!1,a0&&e[d-1][2]>a;d--)e[d]=e[d-1];e[d]=[n,o,a]}})(),(()=>{r.n=e=>{var t=e&&e.__esModule?()=>e["default"]:()=>e;return r.d(t,{a:t}),t}})(),(()=>{r.d=(e,t)=>{for(var n in 
t)r.o(t,n)&&!r.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:t[n]})}})(),(()=>{r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((t,n)=>(r.f[n](e,t),t)),[]))})(),(()=>{r.u=e=>"js/"+e+"."+{69:"c1368261",193:"cfdf09ec",219:"1dcc27ca",698:"7639c919",904:"f590aa3d"}[e]+".js"})(),(()=>{r.miniCssF=e=>"css/"+({143:"app",736:"vendor"}[e]||e)+"."+{69:"8be8f613",143:"31d6cfe0",736:"5b8581f0"}[e]+".css"})(),(()=>{r.g=function(){if("object"===typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"===typeof window)return window}}()})(),(()=>{r.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t)})(),(()=>{var e={},t="syseye:";r.l=(n,o,a,i)=>{if(e[n])e[n].push(o);else{var s,l;if(void 0!==a)for(var c=document.getElementsByTagName("script"),d=0;d{s.onerror=s.onload=null,clearTimeout(h);var o=e[n];if(delete e[n],s.parentNode&&s.parentNode.removeChild(s),o&&o.forEach((e=>e(r))),t)return t(r)},h=setTimeout(p.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=p.bind(null,s.onerror),s.onload=p.bind(null,s.onload),l&&document.head.appendChild(s)}}})(),(()=>{r.r=e=>{"undefined"!==typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})}})(),(()=>{r.p=""})(),(()=>{var e=(e,t,r,n)=>{var o=document.createElement("link");o.rel="stylesheet",o.type="text/css";var a=a=>{if(o.onerror=o.onload=null,"load"===a.type)r();else{var i=a&&("load"===a.type?"missing":a.type),s=a&&a.target&&a.target.href||t,l=new Error("Loading CSS chunk "+e+" failed.\n("+s+")");l.code="CSS_CHUNK_LOAD_FAILED",l.type=i,l.request=s,o.parentNode.removeChild(o),n(l)}};return o.onerror=o.onload=a,o.href=t,document.head.appendChild(o),o},t=(e,t)=>{for(var r=document.getElementsByTagName("link"),n=0;nnew Promise(((o,a)=>{var i=r.miniCssF(n),s=r.p+i;if(t(i,s))return o();e(n,s,o,a)})),o={143:0};r.f.miniCss=(e,t)=>{var 
r={69:1};o[e]?t.push(o[e]):0!==o[e]&&r[e]&&t.push(o[e]=n(e).then((()=>{o[e]=0}),(t=>{throw delete o[e],t})))}})(),(()=>{var e={143:0};r.f.j=(t,n)=>{var o=r.o(e,t)?e[t]:void 0;if(0!==o)if(o)n.push(o[2]);else{var a=new Promise(((r,n)=>o=e[t]=[r,n]));n.push(o[2]=a);var i=r.p+r.u(t),s=new Error,l=n=>{if(r.o(e,t)&&(o=e[t],0!==o&&(e[t]=void 0),o)){var a=n&&("load"===n.type?"missing":n.type),i=n&&n.target&&n.target.src;s.message="Loading chunk "+t+" failed.\n("+a+": "+i+")",s.name="ChunkLoadError",s.type=a,s.request=i,o[1](s)}};r.l(i,l,"chunk-"+t,t)}},r.O.j=t=>0===e[t];var t=(t,n)=>{var o,a,[i,s,l]=n,c=0;if(i.some((t=>0!==e[t]))){for(o in s)r.o(s,o)&&(r.m[o]=s[o]);if(l)var d=l(r)}for(t&&t(n);cr(9942)));n=r.O(n)})(); \ No newline at end of file diff --git a/Server/templates/js/app.b7308b45.js b/Server/templates/js/app.b7308b45.js new file mode 100644 index 0000000..d907371 --- /dev/null +++ b/Server/templates/js/app.b7308b45.js 
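Review bot: Both the deleted `app` bundle in this hunk and its replacement below register two children of `/page` with the same `path:"index"` (`name:"index"` loading the index chunk and `name:"whitelist"` loading chunk 219), so the whitelist page can never be reached by URL, only by a named navigation; the first matching record wins. Give it its own path (for example `path:"whitelist"`) in the router source under `Web/syseye/src` and rebuild, rather than patching the bundle.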
@@ -0,0 +1 @@ +(()=>{"use strict";var e={9942:(e,t,r)=>{var n=r(8880),o=r(9782),a=r(3673);function i(e,t,r,n,o,i){const s=(0,a.up)("router-view");return(0,a.wg)(),(0,a.j4)(s)}const s=(0,a.aZ)({name:"App"});var l=r(4260);const d=(0,l.Z)(s,[["render",i]]),c=d;var u=r(3340),p=r(8339);r(71);const h=[{path:"/",component:()=>Promise.all([r.e(736),r.e(69)]).then(r.bind(r,2069)),children:[{path:"",component:()=>Promise.all([r.e(736),r.e(56)]).then(r.bind(r,8056))}]},{path:"/page",component:()=>Promise.all([r.e(736),r.e(69)]).then(r.bind(r,2069)),children:[{path:"dashboard",component:()=>r.e(904).then(r.bind(r,6904))},{path:"index",name:"index",component:()=>Promise.all([r.e(736),r.e(56)]).then(r.bind(r,8056))},{path:"index",name:"whitelist",component:()=>Promise.all([r.e(736),r.e(219)]).then(r.bind(r,4219))}]},{path:"/:catchAll(.*)*",component:()=>Promise.all([r.e(736),r.e(193)]).then(r.bind(r,2193))}],f=h,m=(0,u.BC)((function(){const e=p.r5,t=(0,p.p7)({scrollBehavior:()=>({left:0,top:0}),routes:f,history:e("")});return t}));async function v(e,t){const r="function"===typeof m?await m({}):m,n=e(c);return n.use(o.Z,t),{app:n,router:r}}const b={config:{}};async function g({app:e,router:t}){e.use(t),e.mount("#q-app")}v(n.ri,b).then(g)}},t={};function r(n){var o=t[n];if(void 0!==o)return o.exports;var a=t[n]={exports:{}};return e[n](a,a.exports,r),a.exports}r.m=e,(()=>{var e=[];r.O=(t,n,o,a)=>{if(!n){var i=1/0;for(c=0;c=a)&&Object.keys(r.O).every((e=>r.O[e](n[l])))?n.splice(l--,1):(s=!1,a0&&e[c-1][2]>a;c--)e[c]=e[c-1];e[c]=[n,o,a]}})(),(()=>{r.n=e=>{var t=e&&e.__esModule?()=>e["default"]:()=>e;return r.d(t,{a:t}),t}})(),(()=>{r.d=(e,t)=>{for(var n in 
t)r.o(t,n)&&!r.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:t[n]})}})(),(()=>{r.f={},r.e=e=>Promise.all(Object.keys(r.f).reduce(((t,n)=>(r.f[n](e,t),t)),[]))})(),(()=>{r.u=e=>"js/"+e+"."+{56:"dc9e32b8",69:"c1368261",193:"cfdf09ec",219:"1dcc27ca",904:"f590aa3d"}[e]+".js"})(),(()=>{r.miniCssF=e=>"css/"+({143:"app",736:"vendor"}[e]||e)+"."+{69:"8be8f613",143:"31d6cfe0",736:"5b8581f0"}[e]+".css"})(),(()=>{r.g=function(){if("object"===typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"===typeof window)return window}}()})(),(()=>{r.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t)})(),(()=>{var e={},t="syseye:";r.l=(n,o,a,i)=>{if(e[n])e[n].push(o);else{var s,l;if(void 0!==a)for(var d=document.getElementsByTagName("script"),c=0;c{s.onerror=s.onload=null,clearTimeout(h);var o=e[n];if(delete e[n],s.parentNode&&s.parentNode.removeChild(s),o&&o.forEach((e=>e(r))),t)return t(r)},h=setTimeout(p.bind(null,void 0,{type:"timeout",target:s}),12e4);s.onerror=p.bind(null,s.onerror),s.onload=p.bind(null,s.onload),l&&document.head.appendChild(s)}}})(),(()=>{r.r=e=>{"undefined"!==typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})}})(),(()=>{r.p=""})(),(()=>{var e=(e,t,r,n)=>{var o=document.createElement("link");o.rel="stylesheet",o.type="text/css";var a=a=>{if(o.onerror=o.onload=null,"load"===a.type)r();else{var i=a&&("load"===a.type?"missing":a.type),s=a&&a.target&&a.target.href||t,l=new Error("Loading CSS chunk "+e+" failed.\n("+s+")");l.code="CSS_CHUNK_LOAD_FAILED",l.type=i,l.request=s,o.parentNode.removeChild(o),n(l)}};return o.onerror=o.onload=a,o.href=t,document.head.appendChild(o),o},t=(e,t)=>{for(var r=document.getElementsByTagName("link"),n=0;nnew Promise(((o,a)=>{var i=r.miniCssF(n),s=r.p+i;if(t(i,s))return o();e(n,s,o,a)})),o={143:0};r.f.miniCss=(e,t)=>{var 
r={69:1};o[e]?t.push(o[e]):0!==o[e]&&r[e]&&t.push(o[e]=n(e).then((()=>{o[e]=0}),(t=>{throw delete o[e],t})))}})(),(()=>{var e={143:0};r.f.j=(t,n)=>{var o=r.o(e,t)?e[t]:void 0;if(0!==o)if(o)n.push(o[2]);else{var a=new Promise(((r,n)=>o=e[t]=[r,n]));n.push(o[2]=a);var i=r.p+r.u(t),s=new Error,l=n=>{if(r.o(e,t)&&(o=e[t],0!==o&&(e[t]=void 0),o)){var a=n&&("load"===n.type?"missing":n.type),i=n&&n.target&&n.target.src;s.message="Loading chunk "+t+" failed.\n("+a+": "+i+")",s.name="ChunkLoadError",s.type=a,s.request=i,o[1](s)}};r.l(i,l,"chunk-"+t,t)}},r.O.j=t=>0===e[t];var t=(t,n)=>{var o,a,[i,s,l]=n,d=0;if(i.some((t=>0!==e[t]))){for(o in s)r.o(s,o)&&(r.m[o]=s[o]);if(l)var c=l(r)}for(t&&t(n);dr(9942)));n=r.O(n)})(); \ No newline at end of file diff --git a/Server/webserver.py b/Server/webserver.py index 8135559..d420808 100644 --- a/Server/webserver.py +++ b/Server/webserver.py @@ -155,8 +155,9 @@ def pull_chain_data(): "type": threat_data[3], "risk_score": threat_data[4], "hit_rule": json.loads(threat_data[5]), - "chain": json.loads(threat_data[6]), - "is_end": threat_data[7], + "hit_attck": json.loads(threat_data[6]), + "chain": json.loads(threat_data[7]), + "is_end": threat_data[8], } return {"data": return_data} @@ -181,6 +182,7 @@ def process_chain(): "id": iter[6], "is_end": iter[7], "start_process": json.loads(iter[8]), + "attck_hit_list": json.loads(iter[10]), } ) return {"data": return_data} diff --git a/Web/syseye/src/pages/Index.vue b/Web/syseye/src/pages/Index.vue index 7d4f973..8b55a6e 100644 --- a/Web/syseye/src/pages/Index.vue +++ b/Web/syseye/src/pages/Index.vue @@ -52,13 +52,27 @@
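Review bot: The two `webserver.py` hunks on this line now assume different column orders: `pull_chain_data` shifts `chain` and `is_end` to `threat_data[7]` and `[8]` after inserting `hit_attck` at index 6, while `process_chain` keeps `"is_end": iter[7]` and `"start_process": json.loads(iter[8])` and reads the new field from `iter[10]`. Unless the two SELECTs deliberately return different column lists, one of them is misaligned, and positional tuple indexing will silently hand the dashboard the wrong column the next time the schema grows; fetching rows by name (`conn.row_factory = sqlite3.Row` if this is the sqlite3 module) removes that class of bug. Two smaller points: the same data is exposed as `hit_attck` in one endpoint and `attck_hit_list` in the other, so pick one name for the frontend, and the unguarded `json.loads(threat_data[6])` / `json.loads(iter[10])` will raise `TypeError` on a NULL in the new column (older rows written before this change), turning into a 500 for the dashboard; default to `[]` when the column is empty.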
- 产生的威胁: -