给插件增加白名单,预留otx的ioc对接插件

给插件增加白名单,预留otx的ioc对接插件

Server/plugins/mimikazt_detect/mimikatz_detect.py

@@ -1,6 +1,6 @@
 import global_vars
 import process
-
+import hash_white_list
 rm_plugs_config = {
     "enable": True,
     "author": "huoji",
@@ -31,7 +31,7 @@ mimikatz_dll_list = [
 
 def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
     # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
-    if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe':
+    if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe' and hash_white_list.check_in_while_list(current_process) == False:
         current_process.plugin_var['mimikatz_matched_num'] = 0
         current_process.plugin_var['mimikatz_detected'] = False
     return global_vars.THREAT_TYPE_NONE

Server/plugins/uac_bypass_detect/prcoess_chain_detect.py

@@ -1,7 +1,7 @@
 import global_vars
 import process
 #import yara
-
+import hash_white_list
 rm_plugs_config = {
     "enable": True,
     "author": "huoji",
@@ -26,7 +26,7 @@ def rule_new_process_create(current_process: process.Process, host, raw_log_data
 
         if 'uac_flag' not in current_process.chain.root_process.plugin_var:
             current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
-        if integritylevel > current_process.chain.root_process.plugin_var['uac_flag']:
+        if integritylevel > current_process.chain.root_process.plugin_var['uac_flag'] and hash_white_list.check_in_while_list(current_process) == False:
             print('[uac bypass detect] detect uac bypass in process chain {}'.format(
                 current_process.path))
             current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel