优化一下

优化一下

Server/hash_white_list.py

@@ -1,5 +1,27 @@
 import sql
 g_white_list = []
+g_white_dll_load_list = [
+    'c:\\windows\\system32\\advapi32.dll',
+    'c:\\windows\\system32\\crypt32.dll',
+    'c:\\windows\\system32\\cryptdll.dll',
+    'c:\\windows\\system32\\gdi32.dll',
+    'c:\\windows\\system32\\imm32.dll',
+    'c:\\windows\\system32\\kernel32.dll',
+    'c:\\windows\\system32\\kernelbase.dll',
+    'c:\\windows\\system32\\msasn1.dll',
+    'c:\\windows\\system32\\msvcrt.dll',
+    'c:\\windows\\system32\\ntdll.dll',
+    'c:\\windows\\system32\\rpcrt4.dll',
+    'c:\\windows\\system32\\rsaenh.dll',
+    'c:\\windows\\system32\\samlib.dll',
+    'c:\\windows\\system32\\sechost.dll',
+    'c:\\windows\\system32\\secur32.dll',
+    'c:\\windows\\system32\\shell32.dll',
+    'c:\\windows\\system32\\shlwapi.dll',
+    'c:\\windows\\system32\\sspicli.dll',
+    'c:\\windows\\system32\\user32.dll',
+    'c:\\windows\\system32\\vaultcli.dll',
+]
 
 
 def add_white_list(path, hash, reason):

Server/log.py

@@ -178,22 +178,23 @@ def process_log(host, json_log, raw_log):
             target_image_path = target_process.path
             target_hash = target_process.md5
         self_hash = current_process.md5
-
+    # 以后有其他排除需求再优化
-    sql.push_process_raw(
+    if json_log['action'] == 'imageload' and json_log['data']['imageloaded'] not in hash_white_list.g_white_dll_load_list:
-        host,
+        sql.push_process_raw(
-        raw_json_log,
+            host,
-        rule_hit_name,
+            raw_json_log,
-        score,
+            rule_hit_name,
-        chain_hash,
+            score,
-        had_threat,
+            chain_hash,
-        parent_pid,
+            had_threat,
-        target_pid,
+            parent_pid,
-        self_hash,
+            target_pid,
-        target_image_path,
+            self_hash,
-        target_hash,
+            target_image_path,
-        params,
+            target_hash,
-        user,
+            params,
-    )
+            user,
+        )
 
     """
     for iter in process.g_ProcessChainList:

Server/plugins/mimikazt_detect/mimikatz_detect.py

@@ -45,14 +45,15 @@ def rule_new_process_action(current_process: process.Process, host, raw_log_data
     if 'mimikatz_detected' in current_process.plugin_var and json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
         # 把日志中的dll路径取出来
         dll_path = json_log_data['data']['imageloaded']
-
+        # 排除误报
-        # 如果dll的路径在mimikatz的路径里面,进程上下文+1
+        if current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe':
-        if dll_path in mimikatz_dll_list:
+            # 如果dll的路径在mimikatz的路径里面,进程上下文+1
-            current_process.plugin_var['mimikatz_matched_num'] += 1
+            if dll_path in mimikatz_dll_list:
-        if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
+                current_process.plugin_var['mimikatz_matched_num'] += 1
-            current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
+            if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
-            current_process.plugin_var['mimikatz_detected'] = True
+                current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
-            return global_vars.THREAT_TYPE_PROCESS
+                current_process.plugin_var['mimikatz_detected'] = True
+                return global_vars.THREAT_TYPE_PROCESS
     return global_vars.THREAT_TYPE_NONE
 
 

doc_day0_rule.md

@@ -99,4 +99,6 @@ name: 规则名字
 
 (为了测试,将分数设置高一点准没错)
 
-至此,您就具备的检测mimikatz的一些行为的能力,当然这行为是不全的而且容易产生很多误报的,很多时候为了减少误报或者实现更精准的检测,您需要高级检出能力,这将在下一章插件检测中介绍.
+至此,您就具备的检测mimikatz的一些行为的能力,当然这行为是不全的而且容易产生很多误报的,很多时候为了减少误报或者实现更精准的检测,您需要高级检出能力,这将在下一章插件检测中介绍.  
+下一章:  
+https://github.com/RoomaSec/RmEye/blob/main/doc_day1_plugin.md