admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/RoomaSec/RmEye

Browse Source
This commit is contained in:
huoji
2022-09-20 18:31:32 +08:00
parent 05aea0a27b 1ec37eae02
commit 1ef79280fc
3 changed files with 180 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Image/group2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 134 KiB

After

Width:  |  Height:  |  Size: 134 KiB

179
Server/rules/py/action.py Normal file
View File

@@ -0,0 +1,179 @@
rule = [
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'
],
'score': 300,
'name': '已知Outlook模板宏持久化行为'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
],
'score': 300,
'name': '已知内存加载mimikazt行为'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe"',
],
'score': 60,
'name': 'LSASS高权限访问'
},
{
'rules': [
'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
],
'score': 20,
'name': '异常进程访问'
},
{
'rules': [
'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"',
],
'score': 100,
'name': 'office异常进程内存'
},
{
'rules': [
'action == "processaccess" and calltrace =~ ".*wshom\.ocx.*"',
'action == "processaccess" and calltrace =~ ".*shell32\.dll.*"',
'action == "processaccess" and calltrace =~ ".*dbgcore\.dll.*"',
'action == "processaccess" and calltrace =~ ".*kernelbase\.dll\+de67e.*"',
'action == "processaccess" and calltrace =~ ".*framedynos\.dll.*"',
],
'score': 40,
'name': '不正常的进程访问'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*msagent.*"',
'action == "pipecreate" and pipename =~ ".*msse.*"',
'action == "pipecreate" and pipename =~ ".*postex_.*"',
'action == "pipecreate" and pipename =~ ".*postex_ssh.*"',
'action == "pipecreate" and pipename =~ ".*status_.*"',
],
'score': 300,
'name': '已知CobalStrike'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*paexec.*"',
'action == "pipecreate" and pipename =~ ".*remcom.*"',
'action == "pipecreate" and pipename =~ ".*csexec.*"'
],
'score': 300,
'name': '已知内网横向工具'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*lsadump.*"',
'action == "pipecreate" and pipename =~ ".*cachedump.*"',
'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"'
],
'score': 300,
'name': '已知mimikazt内存dump'
},
# todo 懒得做详细的规则了.加油完善规则吧
{
'rules': [
'action == "createremotethread"',
],
'score': 60,
'name': '疑似远程线程注入'
},
{
'rules': [
'action == "filecreatestreamhash"',
],
'score': 100,
'name': '文件流创建'
},
{
'rules': [
'action == "registryadd"',
'action == "registryvalueSet"',
'action == "registryobjectSet"',
],
'score': 100,
'name': '可疑注册表访问'
},
{
'rules': [
'action == "dnsquery"',
],
'score': 30,
'name': 'DNS解析'
},
{
'rules': [
'action == "networkconnect"',
],
'score': 30,
'name': '可疑网络链接'
},
{
'rules': [
'action == "clipboardchange"',
],
'score': 30,
'name': '可疑剪切板访问'
},
{
'rules': [
'action == "processtampering"',
],
'score': 200,
'name': '进程执行流劫持'
},
{
'rules': [
'action == "filedeletedetected"',
],
'score': 50,
'name': '删除可执行文件'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"',
'action == "filecreate" and targetfilename =~ ".*\.exe"',
'action == "filecreate" and targetfilename =~ ".*\.cmd"',
'action == "filecreate" and targetfilename =~ ".*\.bat"',
'action == "filecreate" and targetfilename =~ ".*\.dll"',
],
'score': 80,
'name': '在windows目录创建可执行文件'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"',
],
'score': 50,
'name': '在C盘目录创建文件'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\users\\\\\\\\.*"',
'action == "filecreate" and targetfilename =~ ".*\.exe"',
'action == "filecreate" and targetfilename =~ ".*\.cmd"',
'action == "filecreate" and targetfilename =~ ".*\.bat"',
'action == "filecreate" and targetfilename =~ ".*\.dll"',
],
'score': 30,
'name': '在appdata目录创建可执行文件'
},
{
'rules': [
'action == "filecreate"',
],
'score': 50,
'name': '创建可疑文件'
},
{
'rules': [
'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"',
],
'score': 10,
'name': 'samlib的dll被加载'
}
]

1
sysmon.xml
View File

@@ -585,6 +585,7 @@
<TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
<TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.otm</TargetFilename> <!--Microsoft:Office:VBS: Macro-->
<TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] -->