fixed

2022-09-23 15:21:33 +08:00
parent 011496349a
commit d5b88c7a01
8 changed files with 54 additions and 13 deletions
--- a/Server/hash_white_list.py
+++ b/Server/hash_white_list.py
@@ -1,3 +1,4 @@
+import process
 import sql
 g_white_list = []
 g_white_dll_load_list = [
@@ -24,6 +25,20 @@ g_white_dll_load_list = [
 ]


+def check_in_while_list(process: process.Process):
+    parent_process = process.parent_process
+    is_white = process.is_white or process.chain.root_process.is_white or process.parent_process.is_white
+    if is_white == False:
+        while parent_process:
+            if parent_process is None or parent_process == process.chain.root_process:
+                break
+            if parent_process.is_white:
+                is_white = True
+                break
+            parent_process = parent_process.parent_process
+    return is_white
+
+
 def add_white_list(path, hash, reason):
    global g_white_list
    if hash in g_white_list:
--- a/Server/log.py
+++ b/Server/log.py
@@ -14,7 +14,7 @@ LOG_TYPE_PROCESS_ACTION = 2


 def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
-    if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
+    if hash_white_list.check_in_while_list(process):
        score = 0
    for t in attck_t_list:
        process.set_attck(score, t, hit_name)
@@ -24,8 +24,8 @@ def update_att_ck(process: process.Process, score, hit_name, attck_t_list):

 def update_threat(process: process.Process, score, rule_hit_name):
    had_threat = global_vars.THREAT_TYPE_NONE
-    if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
-        return had_threat
+    if hash_white_list.check_in_while_list(process):
+        score = 0
    if score > 0:
        # 更新命中的规则
        process.set_score(score, rule_hit_name)
--- a/Server/plugin.py
+++ b/Server/plugin.py
@@ -97,8 +97,8 @@ def dispath_html_menu():
    plugin_menu = []
    for index in range(len(global_vars.g_plugs)):
        _, plug_obj = global_vars.g_plugs[index]
-    if hasattr(plug_obj, "html_menu"):
-        plugin_menu.append(plug_obj.html_menu())
+        if hasattr(plug_obj, "html_menu"):
+            plugin_menu.append(plug_obj.html_menu())
    return plugin_menu


--- a/Server/plugins/otx_alienvault/otx.py
+++ b/Server/plugins/otx_alienvault/otx.py
@@ -0,0 +1,25 @@
+import global_vars
+import process
+
+rm_plugs_config = {
+    "enable": True,
+    "author": "huoji",
+    "description": "otx alienvault ioc检测扩展插件",
+    "version": "0.0.1"
+}
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+    return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+    pass
+
+
+def plugin_init():
+    print('otx alienvault ioc检测扩展插件 2022/9/23 by huoji')
--- a/Server/rules/py/attck/action.py
+++ b/Server/rules/py/attck/action.py
@@ -6,13 +6,6 @@ rule = [
        'attck_hit':['T1562.001'],
        'name': 'Impair Defenses: Disable or Modify Tools'
    },
-    {
-        'rules': [
-            'action == "processaccess" and targetimage =~ ".*lsass.exe"',
-        ],
-        'attck_hit':['T1003'],
-        'name': 'OS Credential Dumping: LSASS Memory'
-    },
    {
        'rules': [
            'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
--- a/Server/rules/py/ioa/action.py
+++ b/Server/rules/py/ioa/action.py
@@ -1,4 +1,12 @@
 rule = [
+    {
+        'rules': [
+            'action == "processaccess" and targetimage =~ ".*lsass.exe"',
+        ],
+        'attck_hit':['T1003'],
+        'score': 100,
+        'name': 'OS Credential Dumping: LSASS Memory'
+    },
    {
        'rules': [
            'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
--- a/Web/syseye/src/css/light.css
+++ b/Web/syseye/src/css/light.css
--- a/Web/syseye/src/layouts/MainLayout.vue
+++ b/Web/syseye/src/layouts/MainLayout.vue
@@ -3,7 +3,7 @@
    <q-header elevated height-hint="98">
      <q-toolbar class="text-primary bg-white">
        <q-toolbar-title> RmEye内部测试版本v0.0.0.1 </q-toolbar-title>
-        <q-btn flat round dense icon="more_vert"></q-btn>
+        <q-btn flat round dense icon="lightbulb"></q-btn>
      </q-toolbar>
    </q-header>
    <q-drawer