增加uac提权检测

2022-08-29 18:46:56 +08:00
parent fd360c9995
commit d3907bb427
6 changed files with 77 additions and 7 deletions
--- a/Server/plugins/helloworld/helloworld.py
+++ b/Server/plugins/helloworld/helloworld.py
@@ -1,7 +1,5 @@
 import global_vars
-import yara
-import glob
-from pathlib import Path
+#import yara

 rm_plugs_config = {
    "enable": False,
--- a/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
+++ b/Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
@@ -0,0 +1,49 @@
+import global_vars
+import process
+#import yara
+
+rm_plugs_config = {
+    "enable": True,
+    "author": "huoji",
+    "description": "基于进程链的uac提权检测",
+    "version": "0.0.1"
+}
+
+
+def intergritylevel_to_int(str_name):
+    if str_name == 'high':
+        return 3
+    elif str_name == 'medium':
+        return 2
+    return 1
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+    if 'integritylevel' in json_log_data['data']:
+        integritylevel = intergritylevel_to_int(
+            json_log_data['data']['integritylevel'])
+        current_process.plugin_var['uac_flag'] = integritylevel
+
+        if 'uac_flag' not in current_process.chain.root_process.plugin_var:
+            current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
+        if integritylevel > current_process.chain.root_process.plugin_var['uac_flag']:
+            print('[uac bypass detect] detect uac bypass in process chain {}'.format(
+                current_process.path))
+            current_process.chain.root_process.plugin_var['uac_flag'] = integritylevel
+            current_process.set_score(300, "[UAC提权]进程权限等级变动")
+            return global_vars.THREAT_TYPE_PROCESS
+        # print('process chain: {} path: {} level: {} log level: {}'.format(
+        #    current_process.chain_hash, current_process.path, integritylevel, current_process.chain.root_process.plugin_var['uac_flag']))
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process, host, raw_log_data, json_log_data):
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+    print('[helloworld plugin] rule init')
+
+
+def plugin_init():
+    print('[helloworld plugin] plugin init')
--- a/Server/process.py
+++ b/Server/process.py
@@ -1,8 +1,6 @@

 import json
-from sqlalchemy import false
 import tools
-import time

 skip_process_path = ['c:\\program files\\rivet networks\\smartbyte\\raps.exe',
                     'c:\\program files (x86)\\sogouinput\\11.5.0.5352\\pinyinup.exe',
@@ -102,6 +100,7 @@ class Process:
        self.time = time
        self.rmppid = ""
        self.root_rmpid = ""
+        self.plugin_var = {}
        self.md5 = md5
        self.user = user
        self.chain: ProcessChain = None
@@ -150,6 +149,7 @@ class ProcessChain:
        self.rpc_process_chain = ""
        self.time = root_process.time
        self.host = root_process.host
+        self.plugin_var = {}
        self.add_root_process(root_process)

    def get_operationlist(self):
--- a/Server/rules/py/process.py
+++ b/Server/rules/py/process.py
@@ -306,6 +306,21 @@ rule = [
        'score': 30,
        'name': '从服务创建的进程'
    },
+    {
+        'rules': [
+            'parentimage =~ ".*svchost.exe"',
+            'originalfilename =~ ".*werfault.exe"'
+        ],
+        'score': 60,
+        'name': 'svchost.exe启动了werfault'
+    },
+    {
+        'rules': [
+            'parentimage =~ ".*werfault.exe"',
+        ],
+        'score': 30,
+        'name': '从werfault创建的进程'
+    },
    {
        'rules': [
            'originalfilename =~ ".*wscript.exe"',