diff --git a/Server/hash_white_list.py b/Server/hash_white_list.py
index 64bb17d..dc32abd 100644
--- a/Server/hash_white_list.py
+++ b/Server/hash_white_list.py
@@ -1,5 +1,27 @@
 import sql
 g_white_list = []
+g_white_dll_load_list = [
+'c:\\windows\\system32\\advapi32.dll',
+'c:\\windows\\system32\\crypt32.dll',
+'c:\\windows\\system32\\cryptdll.dll',
+'c:\\windows\\system32\\gdi32.dll',
+'c:\\windows\\system32\\imm32.dll',
+'c:\\windows\\system32\\kernel32.dll',
+'c:\\windows\\system32\\kernelbase.dll',
+'c:\\windows\\system32\\msasn1.dll',
+'c:\\windows\\system32\\msvcrt.dll',
+'c:\\windows\\system32\\ntdll.dll',
+'c:\\windows\\system32\\rpcrt4.dll',
+'c:\\windows\\system32\\rsaenh.dll',
+'c:\\windows\\system32\\samlib.dll',
+'c:\\windows\\system32\\sechost.dll',
+'c:\\windows\\system32\\secur32.dll',
+'c:\\windows\\system32\\shell32.dll',
+'c:\\windows\\system32\\shlwapi.dll',
+'c:\\windows\\system32\\sspicli.dll',
+'c:\\windows\\system32\\user32.dll',
+'c:\\windows\\system32\\vaultcli.dll',
+]
 def add_white_list(path, hash, reason):
diff --git a/Server/log.py b/Server/log.py
index 1cfd59d..19138a5 100644
--- a/Server/log.py
+++ b/Server/log.py
@@ -178,22 +178,23 @@ def process_log(host, json_log, raw_log):
 target_image_path = target_process.path
 target_hash = target_process.md5
 self_hash = current_process.md5
-
-sql.push_process_raw(
-host,
-raw_json_log,
-rule_hit_name,
-score,
-chain_hash,
-had_threat,
-parent_pid,
-target_pid,
-self_hash,
-target_image_path,
-target_hash,
-params,
-user,
-)
+# 以后有其他排除需求再优化
+if json_log['action'] == 'imageload' and json_log['data']['imageloaded'] not in hash_white_list.g_white_dll_load_list:
+sql.push_process_raw(
+host,
+raw_json_log,
+rule_hit_name,
+score,
+chain_hash,
+had_threat,
+parent_pid,
+target_pid,
+self_hash,
+target_image_path,
+target_hash,
+params,
+user,
+)
 """
 for iter in process.g_ProcessChainList:
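Review bot: `g_white_dll_load_list` carries no comment stating what it is compared against, and its entries are lower-case backslash paths, so the `not in` test in its consumer only ever matches if the agent reports `imageloaded` in exactly that normalized form; if the original mixed-case path is passed through, the list silently filters nothing (I cannot see the agent's formatting from here). Add a comment above the list such as `# Exact-match allowlist of imageloaded paths (lower-case, backslashes) whose loads are not persisted to the raw-process table; the compared value must be normalized the same way`. A `frozenset` would also make the membership test O(1) and signal that the collection is not meant to be mutated at runtime, though with twenty entries this is cosmetic.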
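Review bot: The added `if` in log.py gates the entire `sql.push_process_raw` call on `json_log['action'] == 'imageload'`, so every non-imageload event that the removed code persisted at this point (process creation, network, and whatever else reaches here) is now dropped from the raw table, while the comment says the intent is only to skip allowlisted DLL loads. Invert the condition so only those loads are excluded: `if json_log['action'] != 'imageload' or json_log['data']['imageloaded'] not in hash_white_list.g_white_dll_load_list:`. The comparison is an exact, case-sensitive string match against lower-case paths, so it only filters if `imageloaded` is normalized the same way upstream, which is not visible in the hunk. `process_log` starts and continues outside the hunk, and the `hash_white_list` import in log.py is not shown either.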
diff --git a/Server/plugins/mimikazt_detect/mimikatz_detect.py b/Server/plugins/mimikazt_detect/mimikatz_detect.py
index 5caf8c0..574280e 100644
--- a/Server/plugins/mimikazt_detect/mimikatz_detect.py
+++ b/Server/plugins/mimikazt_detect/mimikatz_detect.py
@@ -45,14 +45,15 @@ def rule_new_process_action(current_process: process.Process, host, raw_log_data
 if 'mimikatz_detected' in current_process.plugin_var and json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
 # 把日志中的dll路径取出来
 dll_path = json_log_data['data']['imageloaded']
-
-# 如果dll的路径在mimikatz的路径里面,进程上下文+1
-if dll_path in mimikatz_dll_list:
-current_process.plugin_var['mimikatz_matched_num'] += 1
-if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
-current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
-current_process.plugin_var['mimikatz_detected'] = True
-return global_vars.THREAT_TYPE_PROCESS
+# 排除误报
+if current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe':
+# 如果dll的路径在mimikatz的路径里面,进程上下文+1
+if dll_path in mimikatz_dll_list:
+current_process.plugin_var['mimikatz_matched_num'] += 1
+if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
+current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
+current_process.plugin_var['mimikatz_detected'] = True
+return global_vars.THREAT_TYPE_PROCESS
 return global_vars.THREAT_TYPE_NONE
diff --git a/doc_day0_rule.md b/doc_day0_rule.md
index e81252e..f531cf4 100644
--- a/doc_day0_rule.md
+++ b/doc_day0_rule.md
@@ -99,4 +99,6 @@ name: 规则名字
 (为了测试,将分数设置高一点准没错)
-至此,您就具备的检测mimikatz的一些行为的能力,当然这行为是不全的而且容易产生很多误报的,很多时候为了减少误报或者实现更精准的检测,您需要高级检出能力,这将在下一章插件检测中介绍.
\ No newline at end of file
+至此,您就具备的检测mimikatz的一些行为的能力,当然这行为是不全的而且容易产生很多误报的,很多时候为了减少误报或者实现更精准的检测,您需要高级检出能力,这将在下一章插件检测中介绍.
+下一章:
+https://github.com/RoomaSec/RmEye/blob/main/doc_day1_plugin.md
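Review bot: The new `if current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe'` exclusion is much broader than the false positive it targets: every process whose parent is svchost.exe, including anything started by an svchost-hosted service such as the Task Scheduler, is now never scored by this rule at all, which is a coverage gap worth documenting in the `# 排除误报` comment or narrowing to the specific child image that produced the false positive. The attribute chain also assumes `parent_process` is always resolved; if it can be `None` for early events (not visible here), the rule aborts with an AttributeError instead of returning `THREAT_TYPE_NONE`, so `parent = current_process.parent_process` followed by `if parent is None or parent.path != 'c:\\windows\\system32\\svchost.exe':` is safer. As with the DLL list, the comparison is exact and case-sensitive, so it depends on the parent path being normalized to lower case upstream. `rule_new_process_action` starts outside the hunk.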