admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加BRC4的检测

Browse Source 
增加BRC4的检测
This commit is contained in:
huoji
2022-09-21 15:28:07 +08:00
parent ee5ae888ce
commit a1c158f8cd
7 changed files with 85 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Image/15.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

9
Server/log.py
View File

@@ -63,7 +63,7 @@ def match_threat(process: process.Process, log, log_type):
process, software_score, software_name) process, software_score, software_name)
hit_name = software_name hit_name = software_name
hit_score = software_score hit_score = software_score
#print('match_threat', had_threat, is_ioa, hit_name, hit_score) #print('match_threat', process.path, is_ioa, hit_name, hit_score)
# if had_threat != global_vars.THREAT_TYPE_NONE: # if had_threat != global_vars.THREAT_TYPE_NONE:
# print('path: {} hit_name: {} socre: {}'.format( # print('path: {} hit_name: {} socre: {}'.format(
# process.path, hit_name, hit_score)) # process.path, hit_name, hit_score))
@@ -180,6 +180,8 @@ def process_log(host, json_log, raw_log):
had_threat = had_threat_plugin had_threat = had_threat_plugin
if current_process is not None: if current_process is not None:
# if current_process.path.find("f.exe") != -1:
# print(log)
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE: if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
if had_threat == global_vars.THREAT_TYPE_PROCESS: if had_threat == global_vars.THREAT_TYPE_PROCESS:
current_process.chain.update_process_tree() current_process.chain.update_process_tree()
@@ -240,11 +242,10 @@ def process_log(host, json_log, raw_log):
target_hash = target_process.md5 target_hash = target_process.md5
self_hash = current_process.md5 self_hash = current_process.md5
# 以后有其他排除需求再优化 # 以后有其他排除需求再优化
if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list): # if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list):
return # return
if json_log['action'] == 'imageload': if json_log['action'] == 'imageload':
print(json_log['data']['imageloaded'])
return return
sql.push_process_raw( sql.push_process_raw(

3
Server/plugins/mimikazt_detect/mimikatz_detect.py
View File

@@ -14,11 +14,8 @@ mimikatz_dll_list = [
'c:\\windows\\system32\\cryptdll.dll', 'c:\\windows\\system32\\cryptdll.dll',
'c:\\windows\\system32\\gdi32.dll', 'c:\\windows\\system32\\gdi32.dll',
'c:\\windows\\system32\\imm32.dll', 'c:\\windows\\system32\\imm32.dll',
'c:\\windows\\system32\\kernel32.dll',
'c:\\windows\\system32\\kernelbase.dll',
'c:\\windows\\system32\\msasn1.dll', 'c:\\windows\\system32\\msasn1.dll',
'c:\\windows\\system32\\msvcrt.dll', 'c:\\windows\\system32\\msvcrt.dll',
'c:\\windows\\system32\\ntdll.dll',
'c:\\windows\\system32\\rpcrt4.dll', 'c:\\windows\\system32\\rpcrt4.dll',
'c:\\windows\\system32\\rsaenh.dll', 'c:\\windows\\system32\\rsaenh.dll',
'c:\\windows\\system32\\samlib.dll', 'c:\\windows\\system32\\samlib.dll',

65
Server/rules/py/attck/action.py
View File

@@ -1,4 +1,11 @@
rule = [ rule = [
{
'rules': [
'action == "registryvalueset" and targetobject =~ ".*proxyenable"',
],
'attck_hit':['T1562.001'],
'name': 'Impair Defenses: Disable or Modify Tools'
},
{ {
'rules': [ 'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe"', 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
@@ -46,6 +53,13 @@ rule = [
'attck_hit':['T1071.004'], 'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS' 'name': 'Application Layer Protocol: DNS'
}, },
{
'rules': [
'action == "filecreatetimechange"',
],
'attck_hit':['T1070.006'],
'name': 'Indicator Removal on Host: Timestomp'
},
{ {
'rules': [ 'rules': [
'action == "networkconnect"', 'action == "networkconnect"',
@@ -102,5 +116,56 @@ rule = [
], ],
'attck_hit':['T1003.002'], 'attck_hit':['T1003.002'],
'name': 'OS Credential Dumping: Security Account Manager' 'name': 'OS Credential Dumping: Security Account Manager'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*credui.dll"',
],
'attck_hit':['T1047'],
'name': 'Windows Management Instrumentation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dbghelp.dll"',
],
'attck_hit':['T1622'],
'name': 'Debugger Evasion'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*winhttp.dll"',
'action == "imageload" and imageloaded =~ ".*urlmon.dll"',
],
'attck_hit':['T1071.001'],
'name': 'Application Layer Protocol: Web Protocols'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dnsapi.dll"',
],
'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS'
},
# 不应该用dll来当T的,这里应该是api的hook.但是sysmon没这些ds,只能凑合.这非常不专业
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rtutils.dll"',
],
'attck_hit':['CMT0001'],
'name': 'Event trace manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rasapi32.dll"',
],
'attck_hit':['CMT0002'],
'name': 'rasapi32 manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*napinsp.dll"',
],
'attck_hit':['CMT0003'],
'name': 'napinsp manipulation'
} }
] ]

4
Server/rules/py/attck/attck.py
View File

@@ -1,4 +1,8 @@
rule = [ rule = [
{'name': "BRC4", 'rules': ['T1071', 'T1071.001',
'T1622', 'T1047', 'T1562.001'], 'hit_num': 4, 'score':100},
{'name': "BRC4#2", 'rules': ['T1071.004',
'T1071.001', 'T1562.001', 'CMT0001', 'CMT0002', 'CMT0003'], 'hit_num': 6, 'score':100},
{'name': "Ransomware", 'rules': ['T1071', {'name': "Ransomware", 'rules': ['T1071',
'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100}, 'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100},
{'name': "APT-System discovery", 'rules': ['T1018', {'name': "APT-System discovery", 'rules': ['T1018',

12
Server/rules/py/attck/process.py
View File

@@ -131,7 +131,7 @@ rule = [
}, },
{ {
'rules': [ 'rules': [
'originalfilename =~ ".*at.exe.*"', 'originalfilename == "at.exe"',
], ],
'attck_hit':['T1053.002'], 'attck_hit':['T1053.002'],
'score': 10, 'score': 10,
@@ -179,9 +179,9 @@ rule = [
}, },
{ {
'rules': [ 'rules': [
'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"', 'originalfilename == "net.exe" and commandline =~ ".*domain.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"', 'originalfilename == "net.exe" and commandline =~ ".*view.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"' 'originalfilename == "net.exe" and commandline =~ ".*workstation.*"'
], ],
'attck_hit':['T1087.002'], 'attck_hit':['T1087.002'],
'score': 10, 'score': 10,
@@ -189,7 +189,7 @@ rule = [
}, },
{ {
'rules': [ 'rules': [
'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"', 'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"',
], ],
'attck_hit':['T1562.004'], 'attck_hit':['T1562.004'],
'score': 10, 'score': 10,
@@ -289,7 +289,7 @@ rule = [
}, },
{ {
'rules': [ 'rules': [
'originalfilename =~ ".*wmic.exe.*"' 'originalfilename == "wmic.exe"'
], ],
'attck_hit':['T1559.001'], 'attck_hit':['T1559.001'],
'score': 30, 'score': 30,

6
readme.md
View File

@@ -25,6 +25,9 @@ https://key08.com/index.php/2022/08/09/1505.html
请牢记,RmEye自身定位是轻量级威胁检出工具 请牢记,RmEye自身定位是轻量级威胁检出工具
### 最新新闻 ### 最新新闻
2022/9/21:
修复了秋季更新的几个bug,增加了`networkconnect``FileCreateTimeChange`的ds,增加了`brc4`的检测
2022/9/20: 2022/9/20:
秋季重大更新,规则部分完全重构,目前检出完全基于attck的software.文档有空了再更新 秋季重大更新,规则部分完全重构,目前检出完全基于attck的software.文档有空了再更新
@@ -62,7 +65,8 @@ uac提权检测:
![image](Image/7.png) ![image](Image/7.png)
mimikatz检测: mimikatz检测:
![image](Image/14.png) ![image](Image/14.png)
brc4检测:
![image](Image/15.png)
### 待做列表 ### 待做列表
1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成 1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成
2. 日志回放【目前重点】 2. 日志回放【目前重点】