diff --git a/Image/14.png b/Image/14.png
new file mode 100644
index 0000000..10b02ee
Binary files /dev/null and b/Image/14.png differ
diff --git a/README.md b/README.md
index e91512f..bb3380e 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,8 @@ https://key08.com/index.php/2022/08/09/1505.html
 ### 最新新闻
 2022/9/5: 增加规则编写教程:
-https://github.com/RoomaSec/RmEye/blob/main/doc_rule.md
+https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
+增加`mimikatz`检测
 2022/8/31: 增加进程白名单系统,现在能给进程加白名单了.在打开进程链后,点击某个进程加入白名单即可
@@ -52,6 +53,8 @@ offic宏钓鱼:
 ![image](Image/6.png)
 uac提权检测:
 ![image](Image/7.png)
+mimikatz检测:
+![image](Image/14.png)
 ### 待做列表
 1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成
@@ -141,7 +144,7 @@ rule_engine:
 分数代表的是本次规则给进程链所增加的分数,报警是根据前面的MAX_THREAT_SCORE设置的
 规则编写教程请移步:
-https://github.com/RoomaSec/RmEye/blob/main/doc_rule.md
+https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
 规则引擎的语法请移步:
 https://github.com/zeroSteiner/rule-engine
diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py
new file mode 100644
index 0000000..a14f2e3
--- /dev/null
+++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py
@@ -0,0 +1,64 @@
+import global_vars
+import process
+
+rm_plugs_config = {
+    "enable": True,
+    "author": "huoji",
+    "description": "检测mimikatz",
+    "version": "0.0.1"
+}
+
+mimikatz_dll_list = [
+    'c:\\windows\\system32\\advapi32.dll',
+    'c:\\windows\\system32\\crypt32.dll',
+    'c:\\windows\\system32\\cryptdll.dll',
+    'c:\\windows\\system32\\gdi32.dll',
+    'c:\\windows\\system32\\imm32.dll',
+    'c:\\windows\\system32\\kernel32.dll',
+    'c:\\windows\\system32\\kernelbase.dll',
+    'c:\\windows\\system32\\msasn1.dll',
+    'c:\\windows\\system32\\msvcrt.dll',
+    'c:\\windows\\system32\\ntdll.dll',
+    'c:\\windows\\system32\\rpcrt4.dll',
+    'c:\\windows\\system32\\rsaenh.dll',
+    'c:\\windows\\system32\\samlib.dll',
+    'c:\\windows\\system32\\sechost.dll',
+    'c:\\windows\\system32\\secur32.dll',
+    'c:\\windows\\system32\\shell32.dll',
+    'c:\\windows\\system32\\shlwapi.dll',
+    'c:\\windows\\system32\\sspicli.dll',
+    'c:\\windows\\system32\\user32.dll',
+    'c:\\windows\\system32\\vaultcli.dll',
+]
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+    # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
+    current_process.plugin_var['mimikatz_matched_num'] = 0
+    current_process.plugin_var['mimikatz_detected'] = False
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+    global mimikatz_dll_list
+    # 如果日志的action是imageload(dll加载)
+    if json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
+        # 把日志中的dll路径取出来
+        dll_path = json_log_data['data']['imageloaded']
+
+        # 如果dll的路径在mimikatz的路径里面,进程上下文+1
+        if dll_path in mimikatz_dll_list:
+            current_process.plugin_var['mimikatz_matched_num'] += 1
+            if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
+                current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
+                current_process.plugin_var['mimikatz_detected'] = True
+                return global_vars.THREAT_TYPE_PROCESS
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+    pass
+
+
+def plugin_init():
+    print('mimikatz检测插件 2022/9/5 by huoji')
diff --git a/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py b/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
index 1c0cb0d..f1835bb 100644
--- a/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
+++ b/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
@@ -42,8 +42,8 @@ def rule_new_process_action(current_process, host, raw_log_data, json_log_data):
 def rule_init():
-    print('[helloworld plugin] rule init')
+    pass
 def plugin_init():
-    print('[helloworld plugin] plugin init')
+    print('uac提权插件 2022/8/15 by huoji')
diff --git a/doc_rule.md b/doc_day0_rule.md
similarity index 100%
rename from doc_rule.md
rename to doc_day0_rule.md
diff --git a/doc_day1_plugin.md b/doc_day1_plugin.md
new file mode 100644
index 0000000..52761c6
--- /dev/null
+++ b/doc_day1_plugin.md
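Review bot: In `rule_new_process_action`, `mimikatz_matched_num` is a plain counter, so a process that loads one listed DLL twenty times (every LoadLibrary/FreeLibrary cycle produces its own imageload event) reaches the `>= len(mimikatz_dll_list)` threshold without ever touching samlib/vaultcli/cryptdll, while one missed or unloaded load keeps a real mimikatz under it — track the set of distinct matched paths instead of a count. The membership test `dll_path in mimikatz_dll_list` is also case-sensitive against an all-lowercase list, whereas Sysmon's ImageLoaded field carries mixed case (`C:\Windows\System32\KernelBase.dll`), so unless the ingest path already lowercases that field the rule can never fire; `.lower()` the path, and consider that a 32-bit mimikatz loads from `SysWOW64` rather than `System32`. `plugin_var['mimikatz_detected']` is only initialised in `rule_new_process_create`, so an action event for a process whose create event the server never saw raises KeyError here — read it with `.get()`. Finally, the module deserves a docstring saying that all but three of these DLLs are ubiquitous system libraries, that only the complete set is distinctive, and that the 300 score is a lead to triage, not a verdict; the doc file already concedes false positives, and the plugin should say so too.
```python
mimikatz_dll_set = frozenset(mimikatz_dll_list)


def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
    if json_log_data['action'] == 'imageload' and not current_process.plugin_var.get('mimikatz_detected', False):
        # Sysmon reports ImageLoaded with mixed case; the list is lowercase.
        dll_path = json_log_data['data']['imageloaded'].lower()
        if dll_path in mimikatz_dll_set:
            # A set, not a counter: reloading the same DLL must not advance the match.
            matched = current_process.plugin_var.setdefault('mimikatz_matched', set())
            matched.add(dll_path)
            if len(matched) >= len(mimikatz_dll_set):
                # … unchanged: set_score, mark detected, return THREAT_TYPE_PROCESS …
    return global_vars.THREAT_TYPE_NONE
```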
@@ -0,0 +1,148 @@
+### 编写插件用于检测需要复杂上下文的威胁
+
+在本章开始前,请先阅读:
+
+https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
+
+rmeye提供了一个简陋的插件接口,用于检测需要上下文帮助的威胁.本文以检测mimikatz为例,编写一个插件:
+
+mimikatz一定会加载如下dll:
+
+```C
+C:\Windows\System32\advapi32.dll
+C:\Windows\System32\crypt32.dll
+C:\Windows\System32\cryptdll.dll
+C:\Windows\System32\gdi32.dll
+C:\Windows\System32\imm32.dll
+C:\Windows\System32\kernel32.dll
+C:\Windows\System32\KernelBase.dll
+C:\Windows\System32\msasn1.dll
+C:\Windows\System32\msvcrt.dll
+C:\Windows\System32\ntdll.dll
+C:\Windows\System32\rpcrt4.dll
+C:\Windows\System32\rsaenh.dll
+C:\Windows\System32\samlib.dll
+C:\Windows\System32\sechost.dll
+C:\Windows\System32\secur32.dll
+C:\Windows\System32\shell32.dll
+C:\Windows\System32\shlwapi.dll
+C:\Windows\System32\sspicli.dll
+C:\Windows\System32\user32.dll
+C:\Windows\System32\vaultcli.dll
+```
+
+当有这些的DLL在一个程序被加载的时候,我们就要注意了.但是我们之前的规则是单条的,没有上下文,因此需要通过插件系统实现,本文默认你已经给sysmon增加了以上的datasoruce
+
+### 插件编写
+
+在服务端`plugins`目录下新建文件夹`mimikazt_detect`然后新建一个文件`mimikatz_detect.py`,如下是模板:
+
+```python
+import global_vars
+import process
+
+rm_plugs_config = {
+    "enable": True, #是否启用插件
+    "author": "huoji",
+    "description": "检测mimikatz",
+    "version": "0.0.1"
+}
+
+#新进程启动
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+    return global_vars.THREAT_TYPE_NONE
+
+#进程动作
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+    return global_vars.THREAT_TYPE_NONE
+
+#规则初始化
+def rule_init():
+    pass
+
+#插件初始化
+def plugin_init():
+    print('mimikatz检测插件 2022/9/5 by huoji')
+
+```
+
+为了检测,我们需要记录每一个dll加载的行为并且保存到进程上下文中,具体看代码
+
+```python
+import global_vars
+import process
+
+rm_plugs_config = {
+    "enable": True,
+    "author": "huoji",
+    "description": "检测mimikatz",
+    "version": "0.0.1"
+}
+
+mimikatz_dll_list = [
+    'c:\\windows\\system32\\advapi32.dll',
+    'c:\\windows\\system32\\crypt32.dll',
+    'c:\\windows\\system32\\cryptdll.dll',
+    'c:\\windows\\system32\\gdi32.dll',
+    'c:\\windows\\system32\\imm32.dll',
+    'c:\\windows\\system32\\kernel32.dll',
+    'c:\\windows\\system32\\kernelbase.dll',
+    'c:\\windows\\system32\\msasn1.dll',
+    'c:\\windows\\system32\\msvcrt.dll',
+    'c:\\windows\\system32\\ntdll.dll',
+    'c:\\windows\\system32\\rpcrt4.dll',
+    'c:\\windows\\system32\\rsaenh.dll',
+    'c:\\windows\\system32\\samlib.dll',
+    'c:\\windows\\system32\\sechost.dll',
+    'c:\\windows\\system32\\secur32.dll',
+    'c:\\windows\\system32\\shell32.dll',
+    'c:\\windows\\system32\\shlwapi.dll',
+    'c:\\windows\\system32\\sspicli.dll',
+    'c:\\windows\\system32\\user32.dll',
+    'c:\\windows\\system32\\vaultcli.dll',
+]
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+    # 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
+    current_process.plugin_var['mimikatz_matched_num'] = 0
+    current_process.plugin_var['mimikatz_detected'] = False
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+    global mimikatz_dll_list
+    # 如果日志的action是imageload(dll加载)
+    if json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
+        # 把日志中的dll路径取出来
+        dll_path = json_log_data['data']['imageloaded']
+
+        # 如果dll的路径在mimikatz的路径里面,进程上下文+1
+        if dll_path in mimikatz_dll_list:
+            current_process.plugin_var['mimikatz_matched_num'] += 1
+            if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
+                current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
+                current_process.plugin_var['mimikatz_detected'] = True
+                return global_vars.THREAT_TYPE_PROCESS
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+    pass
+
+
+def plugin_init():
+    print('mimikatz检测插件 2022/9/5 by huoji')
+
+```
+
+
+
+### 测试
+
+运行mimikatz:
+![](Image/14.png)
+
+当然还会有其他的情况的误报!这需要你完善插件.
+
+如果遇到不懂的地方,可以提issue.欢迎提问