From 1aece69ad538107a71dcb053e31572979768b3ba Mon Sep 17 00:00:00 2001
From: huoji
Date: Wed, 28 Sep 2022 13:51:55 +0800
Subject: [PATCH] =?UTF-8?q?=E7=BB=99=E6=8F=92=E4=BB=B6=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95,=E9=A2=84=E7=95=99otx=E7=9A=84ioc?=
 =?UTF-8?q?=E5=AF=B9=E6=8E=A5=E6=8F=92=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

给插件增加白名单,预留otx的ioc对接插件
---
 Server/plugins/mimikazt_detect/mimikatz_detect.py | 4 ++--
 Server/plugins/uac_bypass_detect/prcoess_chain_detect.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py
index bc97710..13d0f00 100644
--- a/Server/plugins/mimikazt_detect/mimikatz_detect.py
+++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py
@@ -1,6 +1,6 @@
 import global_vars
 import process
-
+import hash_white_list
 rm_plugs_config = {
     "enable": True,
     "author": "huoji",
@@ -31,7 +31,7 @@ mimikatz_dll_list = [
 
 def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
     # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
-    if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe':
+    if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe' and hash_white_list.check_in_while_list(current_process) == False:
         current_process.plugin_var['mimikatz_matched_num'] = 0
         current_process.plugin_var['mimikatz_detected'] = False
         return global_vars.THREAT_TYPE_NONE
diff --git a/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py b/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
index f1835bb..f53355b 100644
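Review bot: The whitelist test added to the early-return `if` in rule_new_process_create is joined with `and`, so a process that `hash_white_list.check_in_while_list` reports as whitelisted makes the whole condition false and falls through into the mimikatz detection logic instead of being skipped — the reverse of what a whitelist should do, and the reverse of how the same call gates the alert in prcoess_chain_detect.py (assuming the function returns True for a whitelisted process, as its name and that second usage suggest). The whitelist should be an independent reason to return `global_vars.THREAT_TYPE_NONE`, evaluated after the cheap path comparisons so the hash lookup only runs for processes the rule actually cares about: `if (current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe') or hash_white_list.check_in_while_list(current_process):`. In both files the `== False` comparison should be written as `not hash_white_list.check_in_while_list(current_process)`, which also behaves correctly if the helper ever returns `None` rather than a bool. The body of rule_new_process_create continues beyond this hunk.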
--- a/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
+++ b/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
@@ -1,7 +1,7 @@
 import global_vars
 import process
 #import yara
-
+import hash_white_list
 rm_plugs_config = {
     "enable": True,
     "author": "huoji",
@@ -26,7 +26,7 @@ def rule_new_process_create(current_process: process.Process, host, raw_log_data
     if 'uac_flag' not in current_process.chain.root_process.plugin_var:
         current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
-    if integritylevel > current_process.chain.root_process.plugin_var['uac_flag']:
+    if integritylevel > current_process.chain.root_process.plugin_var['uac_flag'] and hash_white_list.check_in_while_list(current_process) == False:
         print('[uac bypass detect] detect uac bypass in process chain {}'.format(
             current_process.path))
         current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel