秋季更新

2022-09-20 18:31:15 +08:00
parent 5fcfd6ec02
commit 05aea0a27b
25 changed files with 781 additions and 849 deletions
--- a/Server/rules/py/ioa/action.py
+++ b/Server/rules/py/ioa/action.py
@@ -0,0 +1,50 @@
+rule = [
+    {
+        'rules': [
+            'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知内存加载mimikazt行为'
+    },
+    {
+        'rules': [
+            'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 60,
+        'name': 'office异常进程内存'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*msagent.*"',
+            'action == "pipecreate" and pipename =~ ".*msse.*"',
+            'action == "pipecreate" and pipename =~ ".*postex_.*"',
+            'action == "pipecreate" and pipename =~ ".*postex_ssh.*"',
+            'action == "pipecreate" and pipename =~ ".*status_.*"',
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知CobalStrike'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*paexec.*"',
+            'action == "pipecreate" and pipename =~ ".*remcom.*"',
+            'action == "pipecreate" and pipename =~ ".*csexec.*"'
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知内网横向工具'
+    },
+    {
+        'rules': [
+            'action == "pipecreate" and pipename =~ ".*lsadump.*"',
+            'action == "pipecreate" and pipename =~ ".*cachedump.*"',
+            'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"'
+        ],
+        'attck_hit':['T1003.002'],
+        'score': 100,
+        'name': '已知mimikazt内存dump'
+    },
+]