diff --git a/Server/hash_white_list.py b/Server/hash_white_list.py
index dc32abd..4fff18f 100644
--- a/Server/hash_white_list.py
+++ b/Server/hash_white_list.py
@@ -1,3 +1,4 @@
+import process
import sql
g_white_list = []
g_white_dll_load_list = [
@@ -24,6 +25,20 @@ g_white_dll_load_list = [
]
+def check_in_while_list(process: process.Process):
+ parent_process = process.parent_process
+ is_white = process.is_white or process.chain.root_process.is_white or process.parent_process.is_white
+ if is_white == False:
+ while parent_process:
+ if parent_process is None or parent_process == process.chain.root_process:
+ break
+ if parent_process.is_white:
+ is_white = True
+ break
+ parent_process = parent_process.parent_process
+ return is_white
+
+
def add_white_list(path, hash, reason):
global g_white_list
if hash in g_white_list:
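Review bot: `process.parent_process.is_white` on the third line of `check_in_while_list` dereferences the parent before checking it, so a process whose `parent_process` is None (the `while parent_process:` loop below assumes that can happen) raises AttributeError instead of returning a verdict; rebind it as `is_white = process.is_white or process.chain.root_process.is_white or (parent_process is not None and parent_process.is_white)`. The `parent_process is None` test inside the loop is then redundant with the loop condition, and `if is_white == False:` reads better as `if not is_white:`. The name `check_in_while_list` looks like a typo for `check_in_white_list`; both call sites in log.py in this commit use the misspelling, so a rename has to touch them as well. Since the verdict now propagates from any whitelisted ancestor to every descendant, a docstring stating that a child of an allowlisted process is itself treated as allowlisted (and therefore scores 0 in update_att_ck/update_threat) would help rule authors judge how much a single whitelist entry suppresses.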
diff --git a/Server/log.py b/Server/log.py
index 60d6899..c3239e5 100644
--- a/Server/log.py
+++ b/Server/log.py
@@ -14,7 +14,7 @@ LOG_TYPE_PROCESS_ACTION = 2
def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
- if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
+ if hash_white_list.check_in_while_list(process):
score = 0
for t in attck_t_list:
process.set_attck(score, t, hit_name)
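Review bot: The new call `hash_white_list.check_in_while_list(process)` relies on `hash_white_list` being in scope in log.py, but this diff adds no `import hash_white_list` to the file; unless it is already imported in the first 13 lines (outside this hunk), the first whitelisted-process check raises NameError at runtime rather than at import time. The same applies to the second hunk in `update_threat`. If the import is missing, note also that hash_white_list.py now imports `process`, so adding `import hash_white_list` here should be checked for a circular import with whatever process.py pulls in; `update_att_ck` and `update_threat` both continue outside their hunks.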
@@ -24,8 +24,8 @@ def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
def update_threat(process: process.Process, score, rule_hit_name):
had_threat = global_vars.THREAT_TYPE_NONE
- if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
- return had_threat
+ if hash_white_list.check_in_while_list(process):
+ score = 0
if score > 0:
# 更新命中的规则
process.set_score(score, rule_hit_name)
diff --git a/Server/plugin.py b/Server/plugin.py
index a68edc3..b1cf545 100644
--- a/Server/plugin.py
+++ b/Server/plugin.py
@@ -97,8 +97,8 @@ def dispath_html_menu():
plugin_menu = []
for index in range(len(global_vars.g_plugs)):
_, plug_obj = global_vars.g_plugs[index]
- if hasattr(plug_obj, "html_menu"):
- plugin_menu.append(plug_obj.html_menu())
+ if hasattr(plug_obj, "html_menu"):
+ plugin_menu.append(plug_obj.html_menu())
return plugin_menu
diff --git a/Server/plugins/otx_alienvault/otx.py b/Server/plugins/otx_alienvault/otx.py
new file mode 100644
index 0000000..4b59379
--- /dev/null
+++ b/Server/plugins/otx_alienvault/otx.py
@@ -0,0 +1,25 @@
+import global_vars
+import process
+
+rm_plugs_config = {
+ "enable": True,
+ "author": "huoji",
+ "description": "otx alienvault ioc检测扩展插件",
+ "version": "0.0.1"
+}
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+ return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+ return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+ pass
+
+
+def plugin_init():
+ print('otx alienvault ioc检测扩展插件 2022/9/23 by huoji')
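Review bot: The plugin ships with `"enable": True` while `rule_new_process_create`, `rule_new_process_action` and `rule_init` are placeholders that always return `global_vars.THREAT_TYPE_NONE` or do nothing, so it will be loaded and announce itself in `plugin_init` without performing any IOC check. Either set `"enable": False` until the lookup is implemented, or add a module docstring such as `"""OTX AlienVault IOC plugin — hooks are placeholders; no lookups are performed yet."""` so operators do not assume threat-intel coverage that is not there. A one-line docstring on each hook naming its unused `host`, `raw_log_data` and `json_log_data` parameters as reserved for the future lookup would make the stub status explicit at the call sites too.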
diff --git a/Server/rules/py/attck/action.py b/Server/rules/py/attck/action.py
index 6d49e59..674370d 100644
--- a/Server/rules/py/attck/action.py
+++ b/Server/rules/py/attck/action.py
@@ -6,13 +6,6 @@ rule = [
'attck_hit':['T1562.001'],
'name': 'Impair Defenses: Disable or Modify Tools'
},
- {
- 'rules': [
- 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
- ],
- 'attck_hit':['T1003'],
- 'name': 'OS Credential Dumping: LSASS Memory'
- },
{
'rules': [
'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
diff --git a/Server/rules/py/ioa/action.py b/Server/rules/py/ioa/action.py
index 134207e..7082199 100644
--- a/Server/rules/py/ioa/action.py
+++ b/Server/rules/py/ioa/action.py
@@ -1,4 +1,12 @@
rule = [
+ {
+ 'rules': [
+ 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
+ ],
+ 'attck_hit':['T1003'],
+ 'score': 100,
+ 'name': 'OS Credential Dumping: LSASS Memory'
+ },
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
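Review bot: The new rule `action == "processaccess" and targetimage =~ ".*lsass.exe"` scores 100 for every process-access event against lsass regardless of `grantedaccess` or source image, whereas the neighbouring rule below it narrows on `grantedaccess & 0x0010` and `sourceimage`; the broad form will fire on routine low-privilege opens of lsass and drown the high-fidelity signal, so consider adding a `grantedaccess` mask (as the existing rule does) or lowering the score to reflect the lower confidence. The pattern also leaves the dot unescaped and is unanchored, so it matches any image name containing `lsass` followed by any character and `exe` anywhere in the path; the other rule files in this repo escape dots (e.g. `conpty\.node`), so `targetimage =~ ".*\\lsass\.exe$"` would follow that convention and tighten the match. Moving the rule from attck/action.py to ioa/action.py also drops it from the ATT&CK-only evaluation, which is fine if ioa rules still carry `attck_hit` into `update_att_ck`; worth confirming that the T1003 tag is still recorded.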
diff --git a/Web/syseye/src/css/light.css b/Web/syseye/src/css/light.css
new file mode 100644
index 0000000..e69de29
diff --git a/Web/syseye/src/layouts/MainLayout.vue b/Web/syseye/src/layouts/MainLayout.vue
index 4d3a346..55a9285 100644
--- a/Web/syseye/src/layouts/MainLayout.vue
+++ b/Web/syseye/src/layouts/MainLayout.vue
@@ -3,7 +3,7 @@
RmEye内部测试版本v0.0.0.1
-
+