admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加BRC4的检测

Browse Source 
增加BRC4的检测
This commit is contained in:
huoji
2022-09-21 15:28:07 +08:00
parent ee5ae888ce
commit a1c158f8cd
7 changed files with 85 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
Server/rules/py/attck/action.py
View File

@@ -1,4 +1,11 @@
rule = [
{
'rules': [
'action == "registryvalueset" and targetobject =~ ".*proxyenable"',
],
'attck_hit':['T1562.001'],
'name': 'Impair Defenses: Disable or Modify Tools'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe"',
@@ -46,6 +53,13 @@ rule = [
'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS'
},
{
'rules': [
'action == "filecreatetimechange"',
],
'attck_hit':['T1070.006'],
'name': 'Indicator Removal on Host: Timestomp'
},
{
'rules': [
'action == "networkconnect"',
@@ -102,5 +116,56 @@ rule = [
],
'attck_hit':['T1003.002'],
'name': 'OS Credential Dumping: Security Account Manager'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*credui.dll"',
],
'attck_hit':['T1047'],
'name': 'Windows Management Instrumentation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dbghelp.dll"',
],
'attck_hit':['T1622'],
'name': 'Debugger Evasion'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*winhttp.dll"',
'action == "imageload" and imageloaded =~ ".*urlmon.dll"',
],
'attck_hit':['T1071.001'],
'name': 'Application Layer Protocol: Web Protocols'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dnsapi.dll"',
],
'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS'
},
# 不应该用dll来当T的,这里应该是api的hook.但是sysmon没这些ds,只能凑合.这非常不专业
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rtutils.dll"',
],
'attck_hit':['CMT0001'],
'name': 'Event trace manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rasapi32.dll"',
],
'attck_hit':['CMT0002'],
'name': 'rasapi32 manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*napinsp.dll"',
],
'attck_hit':['CMT0003'],
'name': 'napinsp manipulation'
}
]

4
Server/rules/py/attck/attck.py
View File

@@ -1,4 +1,8 @@
rule = [
{'name': "BRC4", 'rules': ['T1071', 'T1071.001',
'T1622', 'T1047', 'T1562.001'], 'hit_num': 4, 'score':100},
{'name': "BRC4#2", 'rules': ['T1071.004',
'T1071.001', 'T1562.001', 'CMT0001', 'CMT0002', 'CMT0003'], 'hit_num': 6, 'score':100},
{'name': "Ransomware", 'rules': ['T1071',
'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100},
{'name': "APT-System discovery", 'rules': ['T1018',

12
Server/rules/py/attck/process.py
View File

@@ -131,7 +131,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*at.exe.*"',
'originalfilename == "at.exe"',
],
'attck_hit':['T1053.002'],
'score': 10,
@@ -179,9 +179,9 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"'
'originalfilename == "net.exe" and commandline =~ ".*domain.*"',
'originalfilename == "net.exe" and commandline =~ ".*view.*"',
'originalfilename == "net.exe" and commandline =~ ".*workstation.*"'
],
'attck_hit':['T1087.002'],
'score': 10,
@@ -189,7 +189,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"',
'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"',
],
'attck_hit':['T1562.004'],
'score': 10,
@@ -289,7 +289,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*wmic.exe.*"'
'originalfilename == "wmic.exe"'
],
'attck_hit':['T1559.001'],
'score': 30,