admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

给插件增加白名单,预留otx的ioc对接插件

Browse Source 
给插件增加白名单,预留otx的ioc对接插件
This commit is contained in:
huoji
2022-09-28 13:51:55 +08:00
parent d6ca9d7273
commit 1aece69ad5
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
View File

@@ -1,7 +1,7 @@
import global_vars
import process
#import yara
import hash_white_list
rm_plugs_config = {
"enable": True,
"author": "huoji",
@@ -26,7 +26,7 @@ def rule_new_process_create(current_process: process.Process, host, raw_log_data
if 'uac_flag' not in current_process.chain.root_process.plugin_var:
current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
if integritylevel > current_process.chain.root_process.plugin_var['uac_flag']:
if integritylevel > current_process.chain.root_process.plugin_var['uac_flag'] and hash_white_list.check_in_while_list(current_process) == False:
print('[uac bypass detect] detect uac bypass in process chain {}'.format(
current_process.path))
current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel