diff --git a/Image/15.png b/Image/15.png new file mode 100644 index 0000000..4e87d30 Binary files /dev/null and b/Image/15.png differ diff --git a/Server/log.py b/Server/log.py index 8bb4e33..60d6899 100644 --- a/Server/log.py +++ b/Server/log.py @@ -63,7 +63,7 @@ def match_threat(process: process.Process, log, log_type): process, software_score, software_name) hit_name = software_name hit_score = software_score - #print('match_threat', had_threat, is_ioa, hit_name, hit_score) + #print('match_threat', process.path, is_ioa, hit_name, hit_score) # if had_threat != global_vars.THREAT_TYPE_NONE: # print('path: {} hit_name: {} socre: {}'.format( # process.path, hit_name, hit_score)) @@ -180,6 +180,8 @@ def process_log(host, json_log, raw_log): had_threat = had_threat_plugin if current_process is not None: + # if current_process.path.find("f.exe") != -1: + # print(log) if current_process.chain.risk_score >= config.MAX_THREAT_SCORE: if had_threat == global_vars.THREAT_TYPE_PROCESS: current_process.chain.update_process_tree() @@ -240,11 +242,10 @@ def process_log(host, json_log, raw_log): target_hash = target_process.md5 self_hash = current_process.md5 # 以后有其他排除需求再优化 - if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list): - return + # if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list): + # return if json_log['action'] == 'imageload': - print(json_log['data']['imageloaded']) return sql.push_process_raw( diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py index 077f7b7..bc97710 100644 --- a/Server/plugins/mimikazt_detect/mimikatz_detect.py +++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py 
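Review bot: The two lines added under `if current_process is not None:` in the `@@ -180` hunk are commented-out debugging code keyed on a hard-coded `f.exe` filename, and if re-enabled they would dump the whole raw event to stdout; they should be dropped rather than committed. If a per-process trace is genuinely useful, a guarded debug log such as `logger.debug("event for %s: %s", current_process.path, log)` behind a config flag gives the same thing without leaving dead code in the event-processing path (assuming the module has a logger, which is not visible here). `process_log` starts and ends outside the hunk.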
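Review bot: In the `@@ -240` hunk the allow-list check is commented out rather than removed, so `hash_white_list.g_white_dll_load_list` is no longer consulted on this path and the note above it (`# 以后有其他排除需求再优化`, "refine when other exclusions are needed") now describes code that does not run; either delete the two commented lines together with that note, or replace it with a comment saying where DLL-load exclusions are handled now. Note that the visible runtime effect is only the dropped `print`: before this change every `imageload` event already returned before `sql.push_process_raw(` through one branch or the other, so raw storage behaves the same. If the allow-list was meant to keep benign DLL loads out of rule evaluation, that would have to happen earlier in `process_log`, which is outside this hunk, and with the new `imageload` rules in action.py that question matters more than it did before.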
@@ -14,11 +14,8 @@ mimikatz_dll_list = [
 'c:\\windows\\system32\\cryptdll.dll',
 'c:\\windows\\system32\\gdi32.dll',
 'c:\\windows\\system32\\imm32.dll',
- 'c:\\windows\\system32\\kernel32.dll',
- 'c:\\windows\\system32\\kernelbase.dll',
 'c:\\windows\\system32\\msasn1.dll',
 'c:\\windows\\system32\\msvcrt.dll',
- 'c:\\windows\\system32\\ntdll.dll',
 'c:\\windows\\system32\\rpcrt4.dll',
 'c:\\windows\\system32\\rsaenh.dll',
 'c:\\windows\\system32\\samlib.dll',
diff --git a/Server/rules/py/attck/action.py b/Server/rules/py/attck/action.py
index 9745551..6d49e59 100644
--- a/Server/rules/py/attck/action.py
+++ b/Server/rules/py/attck/action.py
@@ -1,4 +1,11 @@
 rule = [
+ {
+ 'rules': [
+ 'action == "registryvalueset" and targetobject =~ ".*proxyenable"',
+ ],
+ 'attck_hit':['T1562.001'],
+ 'name': 'Impair Defenses: Disable or Modify Tools'
+ },
 {
 'rules': [
 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
@@ -46,6 +53,13 @@ rule = [
 'attck_hit':['T1071.004'],
 'name': 'Application Layer Protocol: DNS'
 },
+ {
+ 'rules': [
+ 'action == "filecreatetimechange"',
+ ],
+ 'attck_hit':['T1070.006'],
+ 'name': 'Indicator Removal on Host: Timestomp'
+ },
 {
 'rules': [
 'action == "networkconnect"',
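Review bot: Dropping `kernel32.dll`, `kernelbase.dll` and `ntdll.dll` from `mimikatz_dll_list` is the right direction, since those three are mapped into essentially every user-mode process and carry no signal, but the hunk does not show how the list is consumed. If the detector requires a fixed number of matched entries, removing three always-present ones raises the bar by three; if it scores a ratio of matched to listed, it shifts the other way — either way the comparison in `mimikatz_detect.py` should be re-checked against a real mimikatz run. A comment above the list recording the decision would stop someone re-adding them, e.g. `# ntdll/kernel32/kernelbase deliberately omitted: loaded by every process, zero discriminating value`. The list continues outside the hunk.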
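Review bot: The new first rule maps any `registryvalueset` whose target ends in `proxyenable` to T1562.001 (Impair Defenses: Disable or Modify Tools), but writing the WinINet `ProxyEnable` value is proxy configuration, which ATT&CK files under T1090 (Proxy) or generically T1112 (Modify Registry); browsers, VPN clients and group policy set it routinely, so as written this fires on benign activity under a technique it does not describe. Consider `'attck_hit':['T1090']` or narrowing the rule by `image` so the BRC4 correlation in attck.py is not fed by ordinary proxy-setting changes. The pattern is lower-case `proxyenable` while Sysmon reports `ProxyEnable`; the existing rules use lower-case `lsass.exe` too, so presumably `=~` normalises case, but confirm that holds for registry paths. `rule` continues outside the hunk.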
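Review bot: `action == "filecreatetimechange"` with no further predicate tags every Sysmon creation-time change as T1070.006 Timestomp; installers, archive extractors and file-sync clients rewrite creation times as a matter of course, so this technique will be present on most hosts and adds little discrimination to any correlation that counts it. At minimum restrict it to executable targets, e.g. `'action == "filecreatetimechange" and targetfilename =~ ".*\\.(exe|dll|sys)$"'`, assuming the field is exposed as `targetfilename` the way `targetimage` and `imageloaded` are. A short comment noting the known benign sources would help whoever tunes it.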
@@ -102,5 +116,56 @@ rule = [
 ],
 'attck_hit':['T1003.002'],
 'name': 'OS Credential Dumping: Security Account Manager'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*credui.dll"',
+ ],
+ 'attck_hit':['T1047'],
+ 'name': 'Windows Management Instrumentation'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*dbghelp.dll"',
+ ],
+ 'attck_hit':['T1622'],
+ 'name': 'Debugger Evasion'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*winhttp.dll"',
+ 'action == "imageload" and imageloaded =~ ".*urlmon.dll"',
+ ],
+ 'attck_hit':['T1071.001'],
+ 'name': 'Application Layer Protocol: Web Protocols'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*dnsapi.dll"',
+ ],
+ 'attck_hit':['T1071.004'],
+ 'name': 'Application Layer Protocol: DNS'
+ },
+ # 不应该用dll来当T的,这里应该是api的hook.但是sysmon没这些ds,只能凑合.这非常不专业
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*rtutils.dll"',
+ ],
+ 'attck_hit':['CMT0001'],
+ 'name': 'Event trace manipulation'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*rasapi32.dll"',
+ ],
+ 'attck_hit':['CMT0002'],
+ 'name': 'rasapi32 manipulation'
+ },
+ {
+ 'rules': [
+ 'action == "imageload" and imageloaded =~ ".*napinsp.dll"',
+ ],
+ 'attck_hit':['CMT0003'],
+ 'name': 'napinsp manipulation'
 }
 ]
diff --git a/Server/rules/py/attck/attck.py b/Server/rules/py/attck/attck.py
index 7e047b3..ea2d119 100644
--- a/Server/rules/py/attck/attck.py
+++ b/Server/rules/py/attck/attck.py
@@ -1,4 +1,8 @@
 rule = [
+ {'name': "BRC4", 'rules': ['T1071', 'T1071.001',
+ 'T1622', 'T1047', 'T1562.001'], 'hit_num': 4, 'score':100},
+ {'name': "BRC4#2", 'rules': ['T1071.004',
+ 'T1071.001', 'T1562.001', 'CMT0001', 'CMT0002', 'CMT0003'], 'hit_num': 6, 'score':100},
 {'name': "Ransomware", 'rules': ['T1071', 'T1036.005', 'T1620', 'T1564.001',
 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100},
 {'name': "APT-System discovery", 'rules': ['T1018',
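Review bot: Every rule added here keys a technique off an `imageload` of a common system DLL (`winhttp.dll`/`urlmon.dll` → T1071.001, `dnsapi.dll` → T1071.004, `dbghelp.dll` → T1622, `credui.dll` → T1047), and those libraries are loaded by browsers, updaters, crash handlers and much of the shell, so each hit is near-certain for ordinary software and the techniques lose meaning for the correlation rules that count them. The author's own comment concedes this ("should be an API hook, but Sysmon has no such data source, so we make do"); it should be in English and attached to each rule — a `'note'` key or a comment per entry — so whoever tunes `hit_num` sees it. The patterns are also unanchored with an unescaped `.`, so `".*dbghelp.dll"` matches any path merely containing that text; `".*\\\\dbghelp\\.dll$"` is the precise form if `=~` is a regex. Separately, `credui.dll` is the credential-prompt UI library, not a WMI component, so T1047 is a mismatch, and `CMT0001`–`CMT0003` are project-local IDs rather than ATT&CK techniques and deserve a comment saying so.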
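Review bot: `BRC4` fires at 4 of `T1071`, `T1071.001`, `T1622`, `T1047`, `T1562.001`, and four of those five are produced by the new imageload and `proxyenable` rules in action.py that match ordinary DLL loads and proxy-setting writes, so a browser or updater that touches `ProxyEnable` can plausibly reach `hit_num: 4` and `score: 100`. Whether `T1071` itself is ever emitted is not visible here — no rule in action.py sets the parent ID — so unless the engine credits a parent technique from a sub-technique hit this is effectively a 4-of-4 rule; the existing `Ransomware` entry lists `T1071` as well, so presumably it does, but confirm. `BRC4#2` at 6-of-6 is tighter. A comment on each entry recording which loader behaviour every technique is meant to capture would let the rules be re-tuned when the DLL list in action.py changes. The list continues past the hunk.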
diff --git a/Server/rules/py/attck/process.py b/Server/rules/py/attck/process.py index b2d733a..a1354d5 100644 --- a/Server/rules/py/attck/process.py +++ b/Server/rules/py/attck/process.py @@ -131,7 +131,7 @@ rule = [ }, { 'rules': [ - 'originalfilename =~ ".*at.exe.*"', + 'originalfilename == "at.exe"', ], 'attck_hit':['T1053.002'], 'score': 10, @@ -179,9 +179,9 @@ rule = [ }, { 'rules': [ - 'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"', - 'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"', - 'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"' + 'originalfilename == "net.exe" and commandline =~ ".*domain.*"', + 'originalfilename == "net.exe" and commandline =~ ".*view.*"', + 'originalfilename == "net.exe" and commandline =~ ".*workstation.*"' ], 'attck_hit':['T1087.002'], 'score': 10, @@ -189,7 +189,7 @@ rule = [ }, { 'rules': [ - 'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"', + 'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"', ], 'attck_hit':['T1562.004'], 'score': 10, @@ -289,7 +289,7 @@ rule = [ }, { 'rules': [ - 'originalfilename =~ ".*wmic.exe.*"' + 'originalfilename == "wmic.exe"' ], 'attck_hit':['T1559.001'], 'score': 30, diff --git a/readme.md b/readme.md index 7518e63..e76ec29 100644 --- a/readme.md +++ b/readme.md @@ -25,6 +25,9 @@ https://key08.com/index.php/2022/08/09/1505.html 请牢记,RmEye自身定位是轻量级威胁检出工具 ### 最新新闻 +2022/9/21: +修复了秋季更新的几个bug,增加了`networkconnect`和`FileCreateTimeChange`的ds,增加了`brc4`的检测 + 2022/9/20: 秋季重大更新,规则部分完全重构,目前检出完全基于attck的software.文档有空了再更新 @@ -62,7 +65,8 @@ uac提权检测: ![image](Image/7.png) mimikatz检测: ![image](Image/14.png) - +brc4检测: +![image](Image/15.png) ### 待做列表 1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成 2. 日志回放【目前重点】
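Review bot: Switching from `=~ ".*at.exe.*"` to `== "at.exe"` in the `@@ -131` hunk is correct — the old pattern also matched `format.exe` and anything else containing `at.exe` — but an exact `==` on `originalfilename` is only as robust as that field: it is the PE `OriginalFileName` resource string, which a renamed copy keeps but a patched or recompiled binary does not, and whether the comparison is case-insensitive depends on the engine, so the exact casing should be checked against real Sysmon events for `at.exe`, `net.exe`, `netsh.exe` and `wmic.exe`. A one-line comment above the rule, e.g. `# exact match on PE OriginalFileName: renamed copies still hit, resource-stripped binaries do not`, would make the trade-off visible to whoever tunes it next. `rule` starts and ends outside the hunk.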