From 6826a9e5be426402d2f5f6c61bf0aa801ce2b184 Mon Sep 17 00:00:00 2001
From: huoji
Date: Tue, 6 Sep 2022 11:31:12 +0800
Subject: [PATCH] Update mimikatz_detect.py

---
 .../mimikazt_detect/mimikatz_detect.py | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py
index 574280e..9dde0ad 100644
--- a/Server/plugins/mimikazt_detect/mimikatz_detect.py
+++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py
@@ -34,8 +34,9 @@ mimikatz_dll_list = [
 def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
     # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
-    current_process.plugin_var['mimikatz_matched_num'] = 0
-    current_process.plugin_var['mimikatz_detected'] = False
+    if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe':
+        current_process.plugin_var['mimikatz_matched_num'] = 0
+        current_process.plugin_var['mimikatz_detected'] = False
     return global_vars.THREAT_TYPE_NONE
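Review bot: The guard added in front of the plugin_var initialization exempts every process whose parent is svchost.exe and every wmic.exe regardless of its parent, because the two inequalities are joined with `and`; if the intent was to exempt only wmic.exe launched by svchost.exe, the condition should read `if not (current_process.path == 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path == 'c:\\windows\\system32\\svchost.exe'):`. Leaving plugin_var uninitialized is also an implicit signal that rule_new_process_action only infers from the missing 'mimikatz_detected' key, so a comment above the new `if`, such as `# excluded processes get no plugin_var keys; rule_new_process_action skips them on that basis`, would make the coupling visible. Whether current_process.path is already lower-cased and whether parent_process can be None cannot be seen from this hunk; if either is not guaranteed, the comparison will silently miss or raise AttributeError, which is worth confirming against the process model.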
@@ -45,15 +46,13 @@ def rule_new_process_action(current_process: process.Process, host, raw_log_data
     if 'mimikatz_detected' in current_process.plugin_var and json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
         # 把日志中的dll路径取出来
         dll_path = json_log_data['data']['imageloaded']
-        # 排除误报
-        if current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe':
-            # 如果dll的路径在mimikatz的路径里面,进程上下文+1
-            if dll_path in mimikatz_dll_list:
-                current_process.plugin_var['mimikatz_matched_num'] += 1
-                if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
-                    current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
-                    current_process.plugin_var['mimikatz_detected'] = True
-                    return global_vars.THREAT_TYPE_PROCESS
+        # 如果dll的路径在mimikatz的路径里面,进程上下文+1
+        if dll_path in mimikatz_dll_list:
+            current_process.plugin_var['mimikatz_matched_num'] += 1
+            if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
+                current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
+                current_process.plugin_var['mimikatz_detected'] = True
+                return global_vars.THREAT_TYPE_PROCESS
     return global_vars.THREAT_TYPE_NONE
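Review bot: The threshold in the re-indented block still counts imageload events rather than distinct DLLs — `mimikatz_matched_num` is incremented on every load of any listed path, so a single listed DLL loaded repeatedly (unload/reload) reaches `len(mimikatz_dll_list)` without the full set ever being present, while the comparison reads as if it required all of them. Tracking the matched paths as a set keeps the same threshold but enforces that meaning: `matched = current_process.plugin_var.setdefault('mimikatz_matched', set())`, `matched.add(dll_path)`, and `if len(matched) >= len(mimikatz_dll_list):` in place of the counter increment and its comparison (the counter initialization in rule_new_process_create would then be redundant). With the `# 排除误报` branch removed, the only thing preventing counting on excluded processes is the `'mimikatz_detected' in current_process.plugin_var` membership test on the unchanged first line, which deserves a comment on the `if dll_path in mimikatz_dll_list:` line stating that excluded processes never receive that key. Whether `dll_path` and the entries of mimikatz_dll_list share the same case and separator normalization cannot be seen here, and an exact-string `in` test misses on any difference. rule_new_process_action's signature lies outside the hunk (it appears only in the hunk header).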