From d5b88c7a0178b51329751afe50f8476b773db994 Mon Sep 17 00:00:00 2001
From: huoji
Date: Fri, 23 Sep 2022 15:21:33 +0800
Subject: [PATCH] fixed fixed
---
Server/hash_white_list.py | 15 +++++++++++++++
Server/log.py | 6 +++---
Server/plugin.py | 4 ++--
Server/plugins/otx_alienvault/otx.py | 25 +++++++++++++++++++++++++
Server/rules/py/attck/action.py | 7 -------
Server/rules/py/ioa/action.py | 8 ++++++++
Web/syseye/src/css/light.css | 0
Web/syseye/src/layouts/MainLayout.vue | 2 +-
8 files changed, 54 insertions(+), 13 deletions(-)
create mode 100644 Server/plugins/otx_alienvault/otx.py
create mode 100644 Web/syseye/src/css/light.css
diff --git a/Server/hash_white_list.py b/Server/hash_white_list.py
index dc32abd..4fff18f 100644
--- a/Server/hash_white_list.py
+++ b/Server/hash_white_list.py
@@ -1,3 +1,4 @@
+import process
 import sql
 g_white_list = []
 g_white_dll_load_list = [
@@ -24,6 +25,20 @@ g_white_dll_load_list = [
 ]
+def check_in_while_list(process: process.Process):
+ parent_process = process.parent_process
+ is_white = process.is_white or process.chain.root_process.is_white or process.parent_process.is_white
+ if is_white == False:
+ while parent_process:
+ if parent_process is None or parent_process == process.chain.root_process:
+ break
+ if parent_process.is_white:
+ is_white = True
+ break
+ parent_process = parent_process.parent_process
+ return is_white
+
+
 def add_white_list(path, hash, reason):
 global g_white_list
 if hash in g_white_list:
diff --git a/Server/log.py b/Server/log.py
index 60d6899..c3239e5 100644
--- a/Server/log.py
+++ b/Server/log.py
@@ -14,7 +14,7 @@ LOG_TYPE_PROCESS_ACTION = 2
 def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
- if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
+ if hash_white_list.check_in_while_list(process):
 score = 0
 for t in attck_t_list:
 process.set_attck(score, t, hit_name)
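Review bot: `check_in_while_list` reads `process.parent_process.is_white` in its first assignment, before the loop's `is None` guard, so a process whose `parent_process` is None (a chain root, or a parent the sensor never captured) raises AttributeError instead of returning a verdict, and the callers in log.py never score it. The parameter `process` shadows the imported module of the same name — legal, because the annotation is evaluated at definition time, but confusing — and the function name says `while` where the rest of this file says `white`. Because the new ancestor walk exempts every descendant of a whitelisted process, the docstring should say so explicitly, so an analyst tuning the whitelist knows that one whitelisted parent silences its whole subtree. A None-safe rewrite with early returns:
```python
def check_in_while_list(process: process.Process):
    """Return True if this process, its chain root, or any ancestor below the root is whitelisted.

    Whitelisting is inherited: every descendant of a whitelisted process is
    exempt from scoring as well.
    """
    root = process.chain.root_process
    if process.is_white or root.is_white:
        return True
    parent = process.parent_process
    # Walk up to (but not including) the root, which was checked above.
    while parent is not None and parent != root:
        if parent.is_white:
            return True
        parent = parent.parent_process
    return False
```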
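Review bot: The new condition in `update_att_ck` calls `hash_white_list.check_in_while_list`, but this hunk adds no `import hash_white_list` to log.py; if the module is not already imported above line 14, the first whitelisted hit raises NameError rather than zeroing the score. The same call is introduced in `update_threat` in the next hunk, so one missing import would break both paths. `check_in_while_list` itself dereferences `parent_process` without a None check, so a root process reaching this line would raise from inside the call. The body of `update_att_ck` may continue past the end of this hunk.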
@@ -24,8 +24,8 @@ def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
 def update_threat(process: process.Process, score, rule_hit_name):
 had_threat = global_vars.THREAT_TYPE_NONE
- if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
- return had_threat
+ if hash_white_list.check_in_while_list(process):
+ score = 0
 if score > 0:
 # 更新命中的规则
 process.set_score(score, rule_hit_name)
diff --git a/Server/plugin.py b/Server/plugin.py
index a68edc3..b1cf545 100644
--- a/Server/plugin.py
+++ b/Server/plugin.py
@@ -97,8 +97,8 @@ def dispath_html_menu():
 plugin_menu = []
 for index in range(len(global_vars.g_plugs)):
 _, plug_obj = global_vars.g_plugs[index]
- if hasattr(plug_obj, "html_menu"):
- plugin_menu.append(plug_obj.html_menu())
+ if hasattr(plug_obj, "html_menu"):
+ plugin_menu.append(plug_obj.html_menu())
 return plugin_menu
diff --git a/Server/plugins/otx_alienvault/otx.py b/Server/plugins/otx_alienvault/otx.py
new file mode 100644
index 0000000..4b59379
--- /dev/null
+++ b/Server/plugins/otx_alienvault/otx.py
@@ -0,0 +1,25 @@
+import global_vars
+import process
+
+rm_plugs_config = {
+ "enable": True,
+ "author": "huoji",
+ "description": "otx alienvault ioc检测扩展插件",
+ "version": "0.0.1"
+}
+
+
+def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
+ return global_vars.THREAT_TYPE_NONE
+
+
+def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
+ return global_vars.THREAT_TYPE_NONE
+
+
+def rule_init():
+ pass
+
+
+def plugin_init():
+ print('otx alienvault ioc检测扩展插件 2022/9/23 by huoji')
diff --git a/Server/rules/py/attck/action.py b/Server/rules/py/attck/action.py
index 6d49e59..674370d 100644
--- a/Server/rules/py/attck/action.py
+++ b/Server/rules/py/attck/action.py
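Review bot: Replacing `return had_threat` with `score = 0` changes the exit path for whitelisted processes in `update_threat`: execution now falls through into the remainder of the function, which ends outside this hunk, so whatever follows the `if score > 0:` block (threat-type assignment, log emission, or anything else) now runs for whitelisted processes where it previously did not — confirm that is intended rather than a side effect. If the goal is only to suppress the score, a comment on the new line such as `# whitelisted (self or ancestor): suppress score, keep the hit visible` would record the decision for the next reader. A debug-level record of the suppressed `rule_hit_name` would also let an analyst see that a rule fired inside a whitelisted subtree, which is the one place where a mis-tuned whitelist hides real activity.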
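Review bot: `rm_plugs_config` declares `"enable": True` while both rule hooks are stubs that unconditionally return `global_vars.THREAT_TYPE_NONE`, so the plugin is loaded and consulted on every process event without contributing a verdict; either set `"enable": False` until the lookup exists or mark the stubs so nobody mistakes a silent plugin for a negative result. One-line docstrings such as `"""Stub: OTX IoC lookup not implemented yet; never flags."""` on `rule_new_process_create` and `rule_new_process_action` would make that explicit. The module itself has no docstring saying which indicators it will eventually query; since any future lookup sends host telemetry (hashes, addresses, names) to an external service, the plugin description is where an operator should be able to read that. `plugin_init` uses `print` where the server's logging facility, if there is one, would keep the startup banner in the same stream as the rest of the output.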
@@ -6,13 +6,6 @@ rule = [
 'attck_hit':['T1562.001'],
 'name': 'Impair Defenses: Disable or Modify Tools'
 },
- {
- 'rules': [
- 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
- ],
- 'attck_hit':['T1003'],
- 'name': 'OS Credential Dumping: LSASS Memory'
- },
 {
 'rules': [
 'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
diff --git a/Server/rules/py/ioa/action.py b/Server/rules/py/ioa/action.py
index 134207e..7082199 100644
--- a/Server/rules/py/ioa/action.py
+++ b/Server/rules/py/ioa/action.py
@@ -1,4 +1,12 @@
 rule = [
+ {
+ 'rules': [
+ 'action == "processaccess" and targetimage =~ ".*lsass.exe"',
+ ],
+ 'attck_hit':['T1003'],
+ 'score': 100,
+ 'name': 'OS Credential Dumping: LSASS Memory'
+ },
 {
 'rules': [
 'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
diff --git a/Web/syseye/src/css/light.css b/Web/syseye/src/css/light.css
new file mode 100644
index 0000000..e69de29
diff --git a/Web/syseye/src/layouts/MainLayout.vue b/Web/syseye/src/layouts/MainLayout.vue
index 4d3a346..55a9285 100644
--- a/Web/syseye/src/layouts/MainLayout.vue
+++ b/Web/syseye/src/layouts/MainLayout.vue
@@ -3,7 +3,7 @@ RmEye内部测试版本v0.0.0.1 - +
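Review bot: The LSASS rule moved into the IOA list, `'action == "processaccess" and targetimage =~ ".*lsass.exe"'`, now carries `'score': 100` but still matches every process-access event against lsass regardless of `grantedaccess`, so routine readers (AV and inventory agents, system processes) will fire at the maximum score and overlap the more specific rundll32 rule directly below it. That neighbouring rule already filters on `grantedaccess & 0x0010`; an access-mask filter of the same kind on this rule would cut that noise while keeping the credential-dumping signal. The `.` before `exe` is unescaped while the attck rules escape theirs (`conpty\.node`), so `lsass\.exe` would be consistent with the rest of the rule set. The entry also keeps an `'attck_hit'` key next to `'score'`; whether the IOA loader consumes `attck_hit` is not visible here, so confirm it is not silently dropped.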