增加BRC4的检测

2022-09-21 15:28:07 +08:00
parent ee5ae888ce
commit a1c158f8cd
7 changed files with 85 additions and 14 deletions
--- a/Image/15.png
+++ b/Image/15.png
--- a/Server/log.py
+++ b/Server/log.py
@@ -63,7 +63,7 @@ def match_threat(process: process.Process, log, log_type):
                process, software_score, software_name)
            hit_name = software_name
            hit_score = software_score
-    #print('match_threat', had_threat, is_ioa, hit_name, hit_score)
+    #print('match_threat', process.path, is_ioa, hit_name, hit_score)
    # if had_threat != global_vars.THREAT_TYPE_NONE:
    #    print('path: {} hit_name: {} socre: {}'.format(
    #          process.path, hit_name, hit_score))
@@ -180,6 +180,8 @@ def process_log(host, json_log, raw_log):
                had_threat = had_threat_plugin

    if current_process is not None:
+        # if current_process.path.find("f.exe") != -1:
+        #    print(log)
        if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
            if had_threat == global_vars.THREAT_TYPE_PROCESS:
                current_process.chain.update_process_tree()
@@ -240,11 +242,10 @@ def process_log(host, json_log, raw_log):
            target_hash = target_process.md5
        self_hash = current_process.md5
    # 以后有其他排除需求再优化
-    if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list):
-        return
+    # if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list):
+    #    return

    if json_log['action'] == 'imageload':
-        print(json_log['data']['imageloaded'])
        return

    sql.push_process_raw(
--- a/Server/plugins/mimikazt_detect/mimikatz_detect.py
+++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py
@@ -14,11 +14,8 @@ mimikatz_dll_list = [
    'c:\\windows\\system32\\cryptdll.dll',
    'c:\\windows\\system32\\gdi32.dll',
    'c:\\windows\\system32\\imm32.dll',
-    'c:\\windows\\system32\\kernel32.dll',
-    'c:\\windows\\system32\\kernelbase.dll',
    'c:\\windows\\system32\\msasn1.dll',
    'c:\\windows\\system32\\msvcrt.dll',
-    'c:\\windows\\system32\\ntdll.dll',
    'c:\\windows\\system32\\rpcrt4.dll',
    'c:\\windows\\system32\\rsaenh.dll',
    'c:\\windows\\system32\\samlib.dll',
--- a/Server/rules/py/attck/action.py
+++ b/Server/rules/py/attck/action.py
@@ -1,4 +1,11 @@
 rule = [
+    {
+        'rules': [
+            'action == "registryvalueset" and targetobject =~ ".*proxyenable"',
+        ],
+        'attck_hit':['T1562.001'],
+        'name': 'Impair Defenses: Disable or Modify Tools'
+    },
    {
        'rules': [
            'action == "processaccess" and targetimage =~ ".*lsass.exe"',
@@ -46,6 +53,13 @@ rule = [
        'attck_hit':['T1071.004'],
        'name': 'Application Layer Protocol: DNS'
    },
+    {
+        'rules': [
+            'action == "filecreatetimechange"',
+        ],
+        'attck_hit':['T1070.006'],
+        'name': 'Indicator Removal on Host: Timestomp'
+    },
    {
        'rules': [
            'action == "networkconnect"',
@@ -102,5 +116,56 @@ rule = [
        ],
        'attck_hit':['T1003.002'],
        'name': 'OS Credential Dumping: Security Account Manager'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*credui.dll"',
+        ],
+        'attck_hit':['T1047'],
+        'name': 'Windows Management Instrumentation'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*dbghelp.dll"',
+        ],
+        'attck_hit':['T1622'],
+        'name': 'Debugger Evasion'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*winhttp.dll"',
+            'action == "imageload" and imageloaded =~ ".*urlmon.dll"',
+        ],
+        'attck_hit':['T1071.001'],
+        'name': 'Application Layer Protocol: Web Protocols'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*dnsapi.dll"',
+        ],
+        'attck_hit':['T1071.004'],
+        'name': 'Application Layer Protocol: DNS'
+    },
+    # 不应该用dll来当T的,这里应该是api的hook.但是sysmon没这些ds,只能凑合.这非常不专业
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*rtutils.dll"',
+        ],
+        'attck_hit':['CMT0001'],
+        'name': 'Event trace manipulation'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*rasapi32.dll"',
+        ],
+        'attck_hit':['CMT0002'],
+        'name': 'rasapi32 manipulation'
+    },
+    {
+        'rules': [
+            'action == "imageload" and imageloaded =~ ".*napinsp.dll"',
+        ],
+        'attck_hit':['CMT0003'],
+        'name': 'napinsp manipulation'
    }
 ]
--- a/Server/rules/py/attck/attck.py
+++ b/Server/rules/py/attck/attck.py
@@ -1,4 +1,8 @@
 rule = [
+    {'name': "BRC4", 'rules': ['T1071', 'T1071.001',
+                               'T1622', 'T1047', 'T1562.001'], 'hit_num': 4, 'score':100},
+    {'name': "BRC4#2", 'rules': ['T1071.004',
+                                 'T1071.001', 'T1562.001', 'CMT0001', 'CMT0002', 'CMT0003'], 'hit_num': 6, 'score':100},
    {'name': "Ransomware", 'rules': ['T1071',
                                     'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100},
    {'name': "APT-System discovery", 'rules': ['T1018',
--- a/Server/rules/py/attck/process.py
+++ b/Server/rules/py/attck/process.py
@@ -131,7 +131,7 @@ rule = [
    },
    {
        'rules': [
-            'originalfilename =~ ".*at.exe.*"',
+            'originalfilename == "at.exe"',
        ],
        'attck_hit':['T1053.002'],
        'score': 10,
@@ -179,9 +179,9 @@ rule = [
    },
    {
        'rules': [
-            'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"',
-            'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"',
-            'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"'
+            'originalfilename == "net.exe" and commandline =~ ".*domain.*"',
+            'originalfilename == "net.exe" and commandline =~ ".*view.*"',
+            'originalfilename == "net.exe" and commandline =~ ".*workstation.*"'
        ],
        'attck_hit':['T1087.002'],
        'score': 10,
@@ -189,7 +189,7 @@ rule = [
    },
    {
        'rules': [
-            'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"',
+            'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"',
        ],
        'attck_hit':['T1562.004'],
        'score': 10,
@@ -289,7 +289,7 @@ rule = [
    },
    {
        'rules': [
-            'originalfilename =~ ".*wmic.exe.*"'
+            'originalfilename == "wmic.exe"'
        ],
        'attck_hit':['T1559.001'],
        'score': 30,
--- a/readme.md
+++ b/readme.md
@@ -25,6 +25,9 @@ https://key08.com/index.php/2022/08/09/1505.html
 请牢记,RmEye自身定位是轻量级威胁检出工具

 ### 最新新闻
+2022/9/21:  
+修复了秋季更新的几个bug,增加了`networkconnect`和`FileCreateTimeChange`的ds,增加了`brc4`的检测
+
 2022/9/20:  
 秋季重大更新,规则部分完全重构,目前检出完全基于attck的software.文档有空了再更新

@@ -62,7 +65,8 @@ uac提权检测:
 ![image](Image/7.png)
 mimikatz检测:
 ![image](Image/14.png)
-
+brc4检测:
+![image](Image/15.png)
 ### 待做列表
 1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成
 2. 日志回放【目前重点】