秋季更新

2022-09-20 18:31:15 +08:00
parent 5fcfd6ec02
commit 05aea0a27b
25 changed files with 781 additions and 849 deletions
--- a/Server/rules/py/ioa/action.py
+++ b/Server/rules/py/ioa/action.py
@@ -0,0 +1,50 @@
+rule = [
+    {
+        'rules': [
+            'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知内存加载mimikazt行为'
+    },
+    {
+        'rules': [
+            'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 60,
+        'name': 'office异常进程内存'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*msagent.*"',
+            'action == "pipecreate" and pipename =~ ".*msse.*"',
+            'action == "pipecreate" and pipename =~ ".*postex_.*"',
+            'action == "pipecreate" and pipename =~ ".*postex_ssh.*"',
+            'action == "pipecreate" and pipename =~ ".*status_.*"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知CobalStrike'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*paexec.*"',
+            'action == "pipecreate" and pipename =~ ".*remcom.*"',
+            'action == "pipecreate" and pipename =~ ".*csexec.*"'
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知内网横向工具'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*lsadump.*"',
+            'action == "pipecreate" and pipename =~ ".*cachedump.*"',
+            'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"'
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知mimikazt内存dump'
+    },
+]
--- a/Server/rules/py/ioa/process.py
+++ b/Server/rules/py/ioa/process.py
@@ -0,0 +1,35 @@
+rule = [
+    {
+        'rules': [
+            'originalfilename =~ ".*todesk_service.*" or originalfilename =~ ".*sunloginclient.*" or originalfilename =~ ".*teamviewer_service.exe.*" or originalfilename =~ ".*logmein.*" or originalfilename =~ ".*dwrcs.*" or originalfilename =~ ".*aa_v3.*" or originalfilename =~ ".*screenconnect.*" or originalfilename =~ ".*tvnserver.*" or originalfilename =~ ".*vncserver.*"',
+        ],
+        'attck_hit':['T1133'],
+        'score': 30,
+        'name': '已知远程协助程序'
+    },
+    {
+        'rules': [
+            'originalfilename =~ ".*phoenixminer.*" or originalfilename =~ ".*ccminer.*" or originalfilename =~ ".*csminer.exe.*" or originalfilename =~ ".*xmrig.*" or originalfilename =~ ".*xmr-stak.*"',
+        ],
+        'attck_hit':['T1496'],
+        'score': 100,
+        'name': '已知挖矿程序'
+    },
+    {
+        'rules': [
+            'originalfilename =~ "\\\\\\.*" and parentimage =~ ".*services.exe"',
+        ],
+        'attck_hit':['T1021.006'],
+        'score': 100,
+        'name': '远程服务被创建'
+    },
+    {
+        'rules': [
+            'commandline =~ ".*__\d{10}\."',
+            'originalfilename =~ ".*wmi_share.exe"',
+        ],
+        'attck_hit':['T00000'],
+        'score': 100,
+        'name': 'wmic内网横向移动被触发'
+    },
+]