admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: admin:v0.0.3
Branches Tags
admin:main
admin:v0.0.4 admin:v0.0.3 admin:release admin:pre-release
...
compare: admin:v0.0.4
Branches Tags
admin:main
admin:v0.0.4 admin:v0.0.3 admin:release admin:pre-release

23 Commits
v0.0.3 ... v0.0.4

Author SHA1 Message Date
huoji
a1c158f8cd 增加BRC4的检测 
增加BRC4的检测
 2022-09-21 15:28:07 +08:00
huoji
ee5ae888ce 更新readme 
更新readme
 2022-09-20 18:40:06 +08:00
huoji
1ef79280fc Merge branch 'main' of https://github.com/RoomaSec/RmEye 2022-09-20 18:31:32 +08:00
huoji
05aea0a27b 秋季更新 
秋季更新
 2022-09-20 18:31:15 +08:00
Huoji's
1ec37eae02 增加微信群 2022-09-13 21:42:51 +08:00
Huoji's
83d1d97e57 Merge pull request #2 from Fplyth0ner-Combie/main 
Add: New detection rule about microsoft outlook
 2022-09-11 15:23:01 +08:00
Fplyth0ner
343e50a39d Update action.py 
Add a new detect rule is named “已知Outlook模板宏持久化行为”.
 2022-09-11 00:20:55 +08:00
Fplyth0ner
2ac1b425c7 Update sysmon.xml 
Add Microsoft Outlook Tamplate Macro file creation event.
 2022-09-11 00:07:39 +08:00
huoji
5fcfd6ec02 删除白名单的东西应该要刷新 
删除白名单的东西应该要刷新
 2022-09-09 11:44:19 +08:00
huoji
57994f9100 update 2022-09-08 16:29:04 +08:00
huoji
61835326ef update 2022-09-08 16:27:37 +08:00
Huoji's
363a2baf17 Merge pull request #1 from Fplyth0ner-Combie/main 
Docs: 新增服务端规则指南
 2022-09-08 16:26:09 +08:00
Fplyth0ner
80d3964320 Docs: 新增服务端规则指南 2022-09-08 15:42:44 +08:00
huoji
451bca454c Merge branch 'main' of https://github.com/RoomaSec/RmEye 2022-09-06 11:31:15 +08:00
huoji
6826a9e5be Update mimikatz_detect.py 2022-09-06 11:31:12 +08:00
Huoji's
a40885683c Update README.md 2022-09-05 22:31:13 +08:00
huoji
b33043f8b6 优化一下 
优化一下
 2022-09-05 17:50:44 +08:00
huoji
c2f44adc2e 修复点bug 
修复点bug
 2022-09-05 17:36:46 +08:00
huoji
30880f8aa9 Update log.py 2022-09-05 17:35:17 +08:00
huoji
9124f617f5 增加mimikatz检测 
增加mimikatz检测
 2022-09-05 17:33:00 +08:00
huoji
cde86d8b6c Update group2.png 2022-09-05 17:01:09 +08:00
huoji
642ca43cdc Update README.md 2022-09-05 16:47:31 +08:00
huoji
d503827ad0 增加规则编写教程 2022-09-05 16:46:47 +08:00
43 changed files with 1437 additions and 555 deletions
Expand all files Collapse all files

BIN
Image/1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 320 KiB

After

Width:  |  Height:  |  Size: 224 KiB

BIN
Image/10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 131 KiB

BIN
Image/11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
Image/12.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
Image/13.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
Image/14.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 77 KiB

BIN
Image/15.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
Image/8.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 154 KiB

After

Width:  |  Height:  |  Size: 127 KiB

BIN
Image/9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 378 KiB

BIN
Image/group.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 148 KiB

BIN
Image/group2.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 141 KiB

2
Server/config.py
View File

@@ -1,4 +1,4 @@
# 检出阈值,越高越难检出但是也会越准确
MAX_THREAT_SCORE = 170
MAX_THREAT_SCORE = 45
# 授权访问主站的IP列表.如果不在后台里面则不能访问后台
ALLOW_ACCESS_IP = ['127.0.0.1', '192.168.111.189', '192.168.111.187']

22
Server/hash_white_list.py
View File

@@ -1,5 +1,27 @@
import sql
g_white_list = []
g_white_dll_load_list = [
'c:\\windows\\system32\\advapi32.dll',
'c:\\windows\\system32\\crypt32.dll',
'c:\\windows\\system32\\cryptdll.dll',
'c:\\windows\\system32\\gdi32.dll',
'c:\\windows\\system32\\imm32.dll',
'c:\\windows\\system32\\kernel32.dll',
'c:\\windows\\system32\\kernelbase.dll',
'c:\\windows\\system32\\msasn1.dll',
'c:\\windows\\system32\\msvcrt.dll',
'c:\\windows\\system32\\ntdll.dll',
'c:\\windows\\system32\\rpcrt4.dll',
'c:\\windows\\system32\\rsaenh.dll',
'c:\\windows\\system32\\samlib.dll',
'c:\\windows\\system32\\sechost.dll',
'c:\\windows\\system32\\secur32.dll',
'c:\\windows\\system32\\shell32.dll',
'c:\\windows\\system32\\shlwapi.dll',
'c:\\windows\\system32\\sspicli.dll',
'c:\\windows\\system32\\user32.dll',
'c:\\windows\\system32\\vaultcli.dll',
]
def add_white_list(path, hash, reason):

98
Server/log.py
View File

@@ -1,6 +1,5 @@
import json
import time
import operator
import process
import rule
@@ -10,6 +9,66 @@ import config
import plugin
import hash_white_list
LOG_TYPE_PROCESS_CREATE = 1
LOG_TYPE_PROCESS_ACTION = 2
def update_att_ck(process: process.Process, score, hit_name, attck_t_list):
if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
score = 0
for t in attck_t_list:
process.set_attck(score, t, hit_name)
# 更新命中的规则
return global_vars.THREAT_TYPE_PROCESS
def update_threat(process: process.Process, score, rule_hit_name):
had_threat = global_vars.THREAT_TYPE_NONE
if process.is_white or process.chain.root_process.is_white or process.parent_process.is_white:
return had_threat
if score > 0:
# 更新命中的规则
process.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
return had_threat
def match_threat(process: process.Process, log, log_type):
had_threat = global_vars.THREAT_TYPE_NONE
success_match = False
hit_name = ''
hit_score = 0
is_ioa = False
if log_type == LOG_TYPE_PROCESS_CREATE:
success_match, is_ioa, attck_t_list, hit_score, rule_hit_name = rule.calc_score_in_create_process(
log)
elif log_type == LOG_TYPE_PROCESS_ACTION:
success_match, is_ioa, attck_t_list, hit_score, rule_hit_name = rule.calc_score_in_action(
log)
if success_match == False:
return had_threat, is_ioa, hit_name, hit_score
# 匹配到了首先更新att&ck的t
had_threat = update_att_ck(
process, hit_score, rule_hit_name, attck_t_list)
hit_name = rule_hit_name
if is_ioa:
had_threat = update_threat(
process, hit_score, rule_hit_name)
else:
is_match_software, software_name, software_score = rule.match_att_ck_software(
process.chain.attck_hit_list)
if is_match_software:
# 匹配到software了,设置为ioa
had_threat = update_threat(
process, software_score, software_name)
hit_name = software_name
hit_score = software_score
#print('match_threat', process.path, is_ioa, hit_name, hit_score)
# if had_threat != global_vars.THREAT_TYPE_NONE:
# print('path: {} hit_name: {} socre: {}'.format(
# process.path, hit_name, hit_score))
return had_threat, is_ioa, hit_name, hit_score
def process_log(host, json_log, raw_log):
log = json_log["data"]
@@ -20,6 +79,7 @@ def process_log(host, json_log, raw_log):
chain_hash = ""
params = ""
user = ""
is_ioa = False
if json_log["action"] == "processcreate":
pid = log["processid"]
@@ -39,7 +99,7 @@ def process_log(host, json_log, raw_log):
if path in process.skip_process_path or path in process.skip_process_path:
return
parent_process: process.Process = process.get_process_by_pid(ppid)
score, rule_hit_name = rule.calc_score_in_create_process(log)
if hash in process.skip_md5:
return
if parent_process is None or parent_path in process.root_process_path:
@@ -63,9 +123,9 @@ def process_log(host, json_log, raw_log):
chain = process.create_chain(parent_process)
chain.add_process(child, parent_pid)
current_process = child
if score > 0:
child.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
had_threat, is_ioa, rule_hit_name, score = match_threat(
current_process, log, LOG_TYPE_PROCESS_CREATE)
else:
is_white_list = hash in hash_white_list.g_white_list
child = process.Process(
@@ -74,9 +134,9 @@ def process_log(host, json_log, raw_log):
child.parent_process = parent_process
parent_process.chain.add_process(child, ppid)
current_process = child
if score > 0:
child.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
had_threat, is_ioa, rule_hit_name, score = match_threat(
current_process, log, LOG_TYPE_PROCESS_CREATE)
had_threat_plugin = plugin.dispath_rule_new_process_create(
host, current_process, raw_log, json_log
@@ -100,6 +160,7 @@ def process_log(host, json_log, raw_log):
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
json.dumps(current_process.chain.attck_hit_list),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
@@ -110,10 +171,8 @@ def process_log(host, json_log, raw_log):
current_process = process.get_process_by_pid(log["processid"])
if current_process is not None:
log["action"] = json_log["action"]
score, rule_hit_name = rule.calc_score_in_action(log)
if score > 0:
current_process.set_score(score, rule_hit_name)
had_threat = global_vars.THREAT_TYPE_PROCESS
had_threat, is_ioa, rule_hit_name, score = match_threat(
current_process, log, LOG_TYPE_PROCESS_ACTION)
had_threat_plugin = plugin.dispath_rule_new_process_action(
host, current_process, raw_log, json_log
)
@@ -121,6 +180,8 @@ def process_log(host, json_log, raw_log):
had_threat = had_threat_plugin
if current_process is not None:
# if current_process.path.find("f.exe") != -1:
# print(log)
if current_process.chain.risk_score >= config.MAX_THREAT_SCORE:
if had_threat == global_vars.THREAT_TYPE_PROCESS:
current_process.chain.update_process_tree()
@@ -145,6 +206,7 @@ def process_log(host, json_log, raw_log):
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
json.dumps(current_process.chain.attck_hit_list),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
@@ -155,6 +217,7 @@ def process_log(host, json_log, raw_log):
host,
current_process.chain.risk_score,
json.dumps(current_process.chain.operationlist),
json.dumps(current_process.chain.attck_hit_list),
current_process.chain.hash,
current_process.chain.get_json(),
global_vars.THREAT_TYPE_PROCESS,
@@ -178,6 +241,12 @@ def process_log(host, json_log, raw_log):
target_image_path = target_process.path
target_hash = target_process.md5
self_hash = current_process.md5
# 以后有其他排除需求再优化
# if json_log['action'] == 'imageload' and (json_log['data']['imageloaded'][len(json_log['data']['imageloaded']) - 4:] == '.exe' or json_log['data']['imageloaded'] in hash_white_list.g_white_dll_load_list):
# return
if json_log['action'] == 'imageload':
return
sql.push_process_raw(
host,
@@ -194,13 +263,12 @@ def process_log(host, json_log, raw_log):
params,
user,
)
"""
'''
for iter in process.g_ProcessChainList:
item: process.Process = iter
if item.risk_score >= config.MAX_THREAT_SCORE:
item.print_process()
"""
'''
def process_raw_log(raw_logs: list) -> list:

61
Server/plugins/mimikazt_detect/mimikatz_detect.py Normal file
View File

@@ -0,0 +1,61 @@
import global_vars
import process
rm_plugs_config = {
"enable": True,
"author": "huoji",
"description": "检测mimikatz",
"version": "0.0.1"
}
mimikatz_dll_list = [
'c:\\windows\\system32\\advapi32.dll',
'c:\\windows\\system32\\crypt32.dll',
'c:\\windows\\system32\\cryptdll.dll',
'c:\\windows\\system32\\gdi32.dll',
'c:\\windows\\system32\\imm32.dll',
'c:\\windows\\system32\\msasn1.dll',
'c:\\windows\\system32\\msvcrt.dll',
'c:\\windows\\system32\\rpcrt4.dll',
'c:\\windows\\system32\\rsaenh.dll',
'c:\\windows\\system32\\samlib.dll',
'c:\\windows\\system32\\sechost.dll',
'c:\\windows\\system32\\secur32.dll',
'c:\\windows\\system32\\shell32.dll',
'c:\\windows\\system32\\shlwapi.dll',
'c:\\windows\\system32\\sspicli.dll',
'c:\\windows\\system32\\user32.dll',
'c:\\windows\\system32\\vaultcli.dll',
]
def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
# 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
if current_process.path != 'c:\\windows\\system32\\wbem\\wmic.exe' and current_process.parent_process.path != 'c:\\windows\\system32\\svchost.exe' and current_process.path != 'c:\\windows\\system32\\svchost.exe':
current_process.plugin_var['mimikatz_matched_num'] = 0
current_process.plugin_var['mimikatz_detected'] = False
return global_vars.THREAT_TYPE_NONE
def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
global mimikatz_dll_list
# 如果日志的action是imageload(dll加载)
if 'mimikatz_detected' in current_process.plugin_var and json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
# 把日志中的dll路径取出来
dll_path = json_log_data['data']['imageloaded']
# 如果dll的路径在mimikatz的路径里面,进程上下文+1
if dll_path in mimikatz_dll_list:
current_process.plugin_var['mimikatz_matched_num'] += 1
if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
current_process.plugin_var['mimikatz_detected'] = True
return global_vars.THREAT_TYPE_PROCESS
return global_vars.THREAT_TYPE_NONE
def rule_init():
pass
def plugin_init():
print('mimikatz检测插件 2022/9/5 by huoji')

4
Server/plugins/uac_bypass_detect/prcoess_chain_detect.py
View File

@@ -42,8 +42,8 @@ def rule_new_process_action(current_process, host, raw_log_data, json_log_data):
def rule_init():
print('[helloworld plugin] rule init')
pass
def plugin_init():
print('[helloworld plugin] plugin init')
print('uac提权插件 2022/8/15 by huoji')

15
Server/process.py
View File

@@ -94,6 +94,8 @@ class Process:
self.chain_hash = ''
self.active = True
self.operationlist = {}
self.attck_hit_list = {}
self.risk_score = 0
self.terminate = False
self.rmpid = tools.get_md5(
@@ -120,9 +122,16 @@ class Process:
def set_rmppid(self, rmppid):
self.rmppid = rmppid
def set_attck(self, new_score, t, name):
if t not in self.attck_hit_list:
self.risk_score += new_score
self.attck_hit_list[t] = name
if t not in self.chain.attck_hit_list:
self.chain.risk_score += new_score
self.chain.attck_hit_list[t] = name
def set_score(self, new_score, opertion):
if self.is_white or self.chain.root_process.is_white or self.parent_process.is_white:
return
if opertion not in self.operationlist:
self.risk_score += new_score
self.operationlist[opertion] = 1
@@ -146,6 +155,7 @@ class ProcessChain:
self.terminate_count = 0
self.risk_score = 0
self.operationlist = {}
self.attck_hit_list = {}
self.process_list = []
self.json_arrays = []
self.active = True
@@ -234,6 +244,7 @@ class ProcessChain:
"rmppid": proc_info.rmppid,
"params": proc_info.params,
"operationlist": proc_info.operationlist,
"attck_hit_list": proc_info.attck_hit_list,
"md5": proc_info.md5,
"active": proc_info.active,
"children": []

144
Server/rule.py
View File

@@ -1,82 +1,132 @@
import rule_engine
import rules.py.process as rule_process
import rules.py.action as rule_action
import rules.py.attck.process as attck_process
import rules.py.attck.attck as attack_software
import rules.py.attck.action as attack_action
import rules.py.ioa.action as ioa_action
import rules.py.ioa.process as ioa_process
import plugin
g_sample_rule = {}
g_sample_rule['process'] = rule_process.rule
g_sample_rule['action'] = rule_action.rule
g_sample_rule['attack_process'] = attck_process.rule
g_sample_rule['attack_action'] = attack_action.rule
g_sample_rule['attack_software'] = attack_software.rule
g_sample_rule['ioa_action'] = ioa_action.rule
g_sample_rule['ioa_process'] = ioa_process.rule
attck_process_rules = []
attck_action_rules = []
ioa_process_rules = []
ioa_action_rules = []
base_process_rules = []
base_action_rules = []
base_host_rules = []
def calc_score_in_action(log):
global base_action_rules
for iter in base_action_rules:
for rule in iter['rules']:
# 这是or
try:
if rule.matches(log):
return iter['score'], iter['name']
except:
print("error: {} ".format(log))
def match_att_ck_software(t_list):
# 返回是否命中,命中命中,分数
return 0, ''
global g_sample_rule
is_match = False
match_name = ''
match_score = 0
for iter in g_sample_rule['attack_software']:
rule_list = iter['rules']
min_match_num = iter['hit_num']
match_num = 0
for t in t_list.keys():
if t in rule_list:
match_num += 1
if match_num >= min_match_num:
is_match = True
match_name = iter['name']
match_score = iter['score']
break
if is_match:
break
return is_match, match_name, match_score
def calc_score_in_action(log):
# 返回 是否匹配到,是否ioa,attck,分数,名字
global attck_action_rules
global ioa_action_rules
for iter in ioa_action_rules:
for rule in iter['rules']:
if rule.matches(log):
return True, True, iter['attck_hit'], iter['score'], iter['name']
for iter in attck_action_rules:
for rule in iter['rules']:
if rule.matches(log):
return True, False, iter['attck_hit'], iter['score'], iter['name']
return False, False, [], 0, ''
def calc_score_in_create_process(log):
global base_process_rules
for iter in base_process_rules:
# 返回 是否匹配到,是否ioa,attck,分数,名字
global ioa_process_rules
global attck_process_rules
for iter in ioa_process_rules:
for rule in iter['rules']:
# 这是or
if rule.matches(log):
return iter['score'], iter['name']
return 0, ''
def calc_score_in_host(log):
global base_host_rules
for iter in base_host_rules:
return True, True, iter['attck_hit'], iter['score'], iter['name']
for iter in attck_process_rules:
for rule in iter['rules']:
# 这是or
if rule.matches(log):
return iter['score'], iter['name']
return 0, ''
return True, False, iter['attck_hit'], iter['score'], iter['name']
return False, False, [], 0, ''
def init_rule():
global base_process_rules
global base_action_rules
global base_host_rules
for iter in g_sample_rule['process']:
global attck_process_rules
global attck_action_rules
global ioa_process_rules
global ioa_action_rules
for iter in g_sample_rule['attack_process']:
temp_process_rules = []
score = 0
if 'score' not in iter:
score = 5
else:
score = iter['score']
for iter_i in iter['rules']:
print(iter_i)
print('rule: {} score: {}'.format(iter_i, score))
temp_process_rules.append(rule_engine.Rule(
iter_i
))
base_process_rules.append(
{'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules})
for iter in g_sample_rule['action']:
attck_process_rules.append(
{'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': score, 'rules': temp_process_rules})
for iter in g_sample_rule['attack_action']:
temp_process_rules = []
score = 0
if 'score' not in iter:
score = 5
else:
score = iter['score']
for iter_i in iter['rules']:
print(iter_i)
print('rule: {} score: {}'.format(iter_i, score))
temp_process_rules.append(rule_engine.Rule(
iter_i
))
base_action_rules.append(
{'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules})
'''
for iter in g_sample_rule['host']:
attck_action_rules.append(
{'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': score, 'rules': temp_process_rules})
for iter in g_sample_rule['ioa_action']:
temp_process_rules = []
for iter_i in iter['rules']:
print(iter_i)
print('rule: {} score: {}'.format(iter_i, score))
temp_process_rules.append(rule_engine.Rule(
iter_i
))
base_host_rules.append(
{'name': iter['name'], 'score': iter['score'], 'rules': temp_process_rules})
'''
ioa_action_rules.append(
{'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': iter['score'], 'rules': temp_process_rules})
for iter in g_sample_rule['ioa_process']:
temp_process_rules = []
for iter_i in iter['rules']:
print('rule: {} score: {}'.format(iter_i, score))
temp_process_rules.append(rule_engine.Rule(
iter_i
))
ioa_process_rules.append(
{'name': iter['name'], 'attck_hit': iter['attck_hit'], 'score': iter['score'], 'rules': temp_process_rules})
plugin.dispath_rule_init()
print('init rule done')

14
Server/rules/py/action.py
View File

@@ -1,4 +1,11 @@
rule = [
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'
],
'score': 300,
'name': '已知Outlook模板宏持久化行为'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
@@ -161,5 +168,12 @@ rule = [
],
'score': 50,
'name': '创建可疑文件'
},
{
'rules': [
'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"',
],
'score': 10,
'name': 'samlib的dll被加载'
}
]

171
Server/rules/py/attck/action.py Normal file
View File

@@ -0,0 +1,171 @@
rule = [
{
'rules': [
'action == "registryvalueset" and targetobject =~ ".*proxyenable"',
],
'attck_hit':['T1562.001'],
'name': 'Impair Defenses: Disable or Modify Tools'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe"',
],
'attck_hit':['T1003'],
'name': 'OS Credential Dumping: LSASS Memory'
},
{
'rules': [
'action == "processaccess" and calltrace =~ ".*unknown.*" and not calltrace =~ ".*conpty\.node.*" and not calltrace =~ ".*java\.dll.*" and not calltrace =~ ".*appvisvsubsystems64\.dll.*" and not calltrace =~ ".*twinui\.dll.*" and not calltrace =~ ".*nativeimages.*" and not targetimage == "c:\\windows\\system32\\cmd.exe"',
],
'attck_hit':['T1620'],
'name': 'Reflective Code Loading'
},
{
'rules': [
'action == "processaccess" and calltrace =~ ".*wshom\.ocx.*"',
'action == "processaccess" and calltrace =~ ".*shell32\.dll.*"',
'action == "processaccess" and calltrace =~ ".*dbgcore\.dll.*"',
'action == "processaccess" and calltrace =~ ".*kernelbase\.dll\+de67e.*"',
'action == "processaccess" and calltrace =~ ".*framedynos\.dll.*"',
],
'attck_hit':['T1559.001'],
'name': 'Inter-Process Communication: Component Object Model'
},
# todo 懒得做详细的规则了.加油完善规则吧
{
'rules': [
'action == "createremotethread"',
],
'attck_hit':['T1055'],
'name': 'Process Injection'
},
{
'rules': [
'action == "filecreatestreamhash"',
],
'attck_hit':['T1564.004'],
'name': 'Hide Artifacts: NTFS File Attributes'
},
{
'rules': [
'action == "dnsquery"',
],
'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS'
},
{
'rules': [
'action == "filecreatetimechange"',
],
'attck_hit':['T1070.006'],
'name': 'Indicator Removal on Host: Timestomp'
},
{
'rules': [
'action == "networkconnect"',
],
'attck_hit':['T1071'],
'name': 'Application Layer Protocol'
},
{
'rules': [
'action == "clipboardchange"',
],
'attck_hit':['T1115'],
'name': 'Clipboard Data Monitor API'
},
{
'rules': [
'action == "processtampering"',
],
'attck_hit':['T1574'],
'name': 'Hijack Execution Flow'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"',
'action == "filecreate" and targetfilename =~ ".*\.exe"',
'action == "filecreate" and targetfilename =~ ".*\.cmd"',
'action == "filecreate" and targetfilename =~ ".*\.bat"',
'action == "filecreate" and targetfilename =~ ".*\.dll"',
],
'attck_hit':['T1036.005'],
'name': 'Masquerading: Match Legitimate Name or Location'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\windows\\\\\\\\.*"',
],
'attck_hit':['T1036.005'],
'name': 'Masquerading: Match Legitimate Name or Location'
},
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\\\\\\\users\\\\\\\\.*"',
'action == "filecreate" and targetfilename =~ ".*\.exe"',
'action == "filecreate" and targetfilename =~ ".*\.cmd"',
'action == "filecreate" and targetfilename =~ ".*\.bat"',
'action == "filecreate" and targetfilename =~ ".*\.dll"',
],
'attck_hit':['T1036.005'],
'name': 'Masquerading: Match Legitimate Name or Location'
},
{
'rules': [
'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"',
],
'attck_hit':['T1003.002'],
'name': 'OS Credential Dumping: Security Account Manager'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*credui.dll"',
],
'attck_hit':['T1047'],
'name': 'Windows Management Instrumentation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dbghelp.dll"',
],
'attck_hit':['T1622'],
'name': 'Debugger Evasion'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*winhttp.dll"',
'action == "imageload" and imageloaded =~ ".*urlmon.dll"',
],
'attck_hit':['T1071.001'],
'name': 'Application Layer Protocol: Web Protocols'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*dnsapi.dll"',
],
'attck_hit':['T1071.004'],
'name': 'Application Layer Protocol: DNS'
},
# 不应该用dll来当T的,这里应该是api的hook.但是sysmon没这些ds,只能凑合.这非常不专业
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rtutils.dll"',
],
'attck_hit':['CMT0001'],
'name': 'Event trace manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*rasapi32.dll"',
],
'attck_hit':['CMT0002'],
'name': 'rasapi32 manipulation'
},
{
'rules': [
'action == "imageload" and imageloaded =~ ".*napinsp.dll"',
],
'attck_hit':['CMT0003'],
'name': 'napinsp manipulation'
}
]

12
Server/rules/py/attck/attck.py Normal file
View File

@@ -0,0 +1,12 @@
rule = [
{'name': "BRC4", 'rules': ['T1071', 'T1071.001',
'T1622', 'T1047', 'T1562.001'], 'hit_num': 4, 'score':100},
{'name': "BRC4#2", 'rules': ['T1071.004',
'T1071.001', 'T1562.001', 'CMT0001', 'CMT0002', 'CMT0003'], 'hit_num': 6, 'score':100},
{'name': "Ransomware", 'rules': ['T1071',
'T1036.005', 'T1620', 'T1564.001', 'T1222.001', 'T1059.005', 'T1543.003', 'T1490'], 'hit_num': 7, 'score':100},
{'name': "APT-System discovery", 'rules': ['T1018',
'T1087.001', 'T1087.001', 'T1082', 'T1016'], 'hit_num': 3, 'score':65},
{'name': "APT-Hydra", 'rules': ['T1027.004',
'T1018', 'T1559.001', 'T1218.011', 'T1059.001', 'T1059.005', 'T1570', 'T1087.002', 'T1564', 'T1106', 'T1082', 'T1087.001', 'T1003', 'T1071'], 'hit_num': 10, 'score':100}
]

314
Server/rules/py/attck/process.py Normal file
View File

@@ -0,0 +1,314 @@
rule = [
{
'rules': [
'originalfilename =~ ".*taskill.exe.*"',
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"',
'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
],
'attck_hit':['T1489'],
'score': 30,
'name': 'Service Stop'
},
{
'rules': [
'originalfilename =~ ".*curl.exe" or originalfilename =~ ".*wget.exe" or originalfilename =~ ".*dget.exe"',
'originalfilename =~ ".*certutil.exe"',
'originalfilename =~ ".*powershell.exe" and commandline =~ ".*invoke-webrequest.*"'
],
'attck_hit':['T1105'],
'score': 30,
'name':'Ingress Tool Transfer'
},
{
'rules': [
'image =~ ".*\.doc\.exe"',
'image =~ ".*\.docx\.exe"',
'image =~ ".*\.ppt\.exe"',
'image =~ ".*\.pdf\.exe"',
'image =~ ".*\.html\.exe"',
'image =~ ".*\.htm\.exe"',
'image =~ ".*\.zip\.exe"',
'image =~ ".*\.rar\.exe"'
],
'attck_hit':['T1036.007'],
'score': 60,
'name':'Masquerading: Double File Extension'
},
{
'rules': [
'commandline =~ ".*-k dcomlaunch.*"'
],
'attck_hit':['T1559.001'],
'score': 30,
'name':'Inter-Process Communication: Component Object Model'
},
{
'rules': [
'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"',
],
'attck_hit':['T1003.003'],
'score': 30,
'name':'OS Credential Dumping: NTDS'
},
{
'rules': [
'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"',
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"',
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"',
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"',
'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*shadows.*" and commandline =~ ".*delete.*"',
],
'attck_hit':['T1490'],
'score': 30,
'name': 'Inhibit System Recovery'
},
{
'rules': [
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*view.*"',
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*group.*"',
'originalfilename =~ ".*ping.exe"',
],
'attck_hit':['T1018'],
'score': 10,
'name': 'Remote System Discovery'
},
{
'rules': [
'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"',
],
'attck_hit':['T1070.004'],
'score': 10,
'name': 'Indicator Removal on Host'
},
{
'rules': [
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"',
'originalfilename =~ ".*whoami.*"',
'originalfilename =~ ".*query.exe"',
'originalfilename =~ ".*setspn.exe"',
'originalfilename =~ ".*cmdkey.exe.*"'
],
'attck_hit':['T1087.001'],
'score': 30,
'name': 'Account Discovery: Local Account'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*useraccount.*"',
],
'attck_hit':['T1087.001', 'T1047'],
'score': 30,
'name': 'Account Discovery: Local Account by wmic'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*startup.*"',
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*share.*"',
],
'attck_hit':['T1082', 'T1047'],
'score': 30,
'name': 'System Information Discovery by wmic'
},
{
'rules': [
'originalfilename =~ ".*systeminfo.exe"',
'originalfilename =~ ".*chcp.com"'
],
'attck_hit':['T1082'],
'score': 10,
'name': 'System Information Discovery'
},
{
'rules': [
'originalfilename =~ ".*tasklist.exe"',
],
'attck_hit':['T1057'],
'score': 10,
'name': 'Process Discovery'
},
{
'rules': [
'originalfilename == "at.exe"',
],
'attck_hit':['T1053.002'],
'score': 10,
'name': 'Scheduled Task/Job: at'
},
{
'rules': [
'originalfilename =~ ".*schtasks.exe.*"',
],
'attck_hit':['T1053.005'],
'score': 10,
'name': 'Scheduled Task/Job: Scheduled Task'
},
{
'rules': [
'image =~ ".*\\\\\\\\appdata\\\\\\\\local\\\\\\\\temp\\\\\\\\.*" or image =~ ".*\\\\\\\\windows\\\\\\\\temp\\\\\\\\.*"',
],
'attck_hit':['T1106'],
'score': 10,
'name': 'Execution: Native API'
},
{
'rules': [
'originalfilename =~ ".*rubeus.*" and commandline =~ ".*domain.*"',
],
'attck_hit':['T1558.003'],
'score': 10,
'name': 'Steal or Forge Kerberos Tickets: Kerberoasting'
},
{
'rules': [
'originalfilename =~ ".*\u202e.*"',
],
'attck_hit':['T1564'],
'score': 10,
'name': 'Hide Artifacts'
},
{
'rules': [
'parentimage =~ ".*mmc.exe" and commandline =~ ".*eventvwr\.msc.*"',
],
'attck_hit':['T1218.014'],
'score': 10,
'name': 'System Binary Proxy Execution: MMC'
},
{
'rules': [
'originalfilename == "net.exe" and commandline =~ ".*domain.*"',
'originalfilename == "net.exe" and commandline =~ ".*view.*"',
'originalfilename == "net.exe" and commandline =~ ".*workstation.*"'
],
'attck_hit':['T1087.002'],
'score': 10,
'name': 'Account Discovery: Domain Account'
},
{
'rules': [
'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"',
],
'attck_hit':['T1562.004'],
'score': 10,
'name': 'Impair Defenses: Disable or Modify System Firewall'
},
{
'rules': [
'originalfilename =~ ".*ipconfig.exe"',
'originalfilename =~ ".*netstat.exe"'
],
'attck_hit':['T1016'],
'score': 10,
'name': 'System Network Configuration Discovery'
},
{
'rules': [
'originalfilename =~ ".*attrib.exe"',
],
'attck_hit':['T1564.001'],
'score': 10,
'name': 'Hide Artifacts: Hidden Files and Directories'
},
{
'rules': [
'originalfilename =~ ".*psexesvc.exe"',
],
'attck_hit':['T1570'],
'score': 10,
'name': 'Lateral Tool Transfer'
},
{
'rules': [
'originalfilename =~ "\\\\\\\\.*\\\\\\C\$.*"',
],
'attck_hit':['T1080'],
'score': 10,
'name': 'Taint Shared Content'
},
{
'rules': [
'originalfilename =~ ".*icacls.exe"',
],
'attck_hit':['T1222.001'],
'score': 10,
'name': 'Windows File and Directory Permissions Modification'
},
{
'rules': [
'parentimage =~ ".*services.exe"',
],
'attck_hit':['T1543.003'],
'score': 10,
'name': 'Create or Modify System Process: Windows Service'
},
{
'rules': [
'originalfilename =~ ".*werfault.exe" and parentimage =~ ".*svchost.exe"',
],
'attck_hit':['T1218'],
'score': 10,
'name': 'System Binary Proxy Execution'
},
{
'rules': [
'originalfilename =~ ".*wscript.exe"',
'originalfilename =~ ".*cscript.exe"',
],
'attck_hit':['T1059.005'],
'score': 10,
'name': 'Command and Scripting Interpreter: Visual Basic'
},
{
'rules': [
'originalfilename =~ ".*mofcomp.exe.*"'
],
'attck_hit':['T1546.015'],
'score': 10,
'name':'Event Triggered Execution: Component Object Model Hijacking'
},
{
'rules': [
'originalfilename =~ ".*csc.exe.*"'
],
'attck_hit':['T1027.004'],
'score': 10,
'name':'Compile After Delivery'
},
# https://attack.mitre.org/software/S0552/
{
'rules': [
'originalfilename =~ ".*adfind.exe.*"'
],
'attck_hit':['T1018'],
'score': 10,
'name':'Remote System Discovery'
},
{
'rules': [
'originalfilename == "wmic.exe"'
],
'attck_hit':['T1559.001'],
'score': 30,
'name':'Windows Management Instrumentation'
},
{
'rules': [
'originalfilename =~ ".*rundll32.exe.*"'
],
'attck_hit':['T1218.011'],
'score': 10,
'name':'System Binary Proxy Execution: Rundll32'
},
{
'rules': [
'originalfilename =~ ".*powershell.exe"'
],
'attck_hit':['T1059.001'],
'score': 10,
'name':'Command and Scripting Interpreter: PowerShell'
},
]

50
Server/rules/py/ioa/action.py Normal file
View File

@@ -0,0 +1,50 @@
rule = [
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
],
'attck_hit':['T1003.002'],
'score': 100,
'name': '已知内存加载mimikazt行为'
},
{
'rules': [
'action == "processaccess" and sourceimage =~ ".*office16.*" and calltrace =~ ".*kernelbase\.dll.*"',
],
'attck_hit':['T1003.002'],
'score': 60,
'name': 'office异常进程内存'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*msagent.*"',
'action == "pipecreate" and pipename =~ ".*msse.*"',
'action == "pipecreate" and pipename =~ ".*postex_.*"',
'action == "pipecreate" and pipename =~ ".*postex_ssh.*"',
'action == "pipecreate" and pipename =~ ".*status_.*"',
],
'attck_hit':['T1003.002'],
'score': 100,
'name': '已知CobalStrike'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*paexec.*"',
'action == "pipecreate" and pipename =~ ".*remcom.*"',
'action == "pipecreate" and pipename =~ ".*csexec.*"'
],
'attck_hit':['T1003.002'],
'score': 100,
'name': '已知内网横向工具'
},
{
'rules': [
'action == "pipecreate" and pipename =~ ".*lsadump.*"',
'action == "pipecreate" and pipename =~ ".*cachedump.*"',
'action == "pipecreate" and pipename =~ ".*wceservicepipe.*"'
],
'attck_hit':['T1003.002'],
'score': 100,
'name': '已知mimikazt内存dump'
},
]

35
Server/rules/py/ioa/process.py Normal file
View File

@@ -0,0 +1,35 @@
rule = [
{
'rules': [
'originalfilename =~ ".*todesk_service.*" or originalfilename =~ ".*sunloginclient.*" or originalfilename =~ ".*teamviewer_service.exe.*" or originalfilename =~ ".*logmein.*" or originalfilename =~ ".*dwrcs.*" or originalfilename =~ ".*aa_v3.*" or originalfilename =~ ".*screenconnect.*" or originalfilename =~ ".*tvnserver.*" or originalfilename =~ ".*vncserver.*"',
],
'attck_hit':['T1133'],
'score': 30,
'name': '已知远程协助程序'
},
{
'rules': [
'originalfilename =~ ".*phoenixminer.*" or originalfilename =~ ".*ccminer.*" or originalfilename =~ ".*csminer.exe.*" or originalfilename =~ ".*xmrig.*" or originalfilename =~ ".*xmr-stak.*"',
],
'attck_hit':['T1496'],
'score': 100,
'name': '已知挖矿程序'
},
{
'rules': [
'originalfilename =~ "\\\\\\.*" and parentimage =~ ".*services.exe"',
],
'attck_hit':['T1021.006'],
'score': 100,
'name': '远程服务被创建'
},
{
'rules': [
'commandline =~ ".*__\d{10}\."',
'originalfilename =~ ".*wmi_share.exe"',
],
'attck_hit':['T00000'],
'score': 100,
'name': 'wmic内网横向移动被触发'
},
]

405
Server/rules/py/process.py
View File

@@ -1,405 +0,0 @@
rule = [
{
'rules': [
'originalfilename =~ ".*taskill.exe.*"',
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*stop.*"',
'originalfilename =~ ".*sc.exe.*" and commandline =~ ".*config.*" and commandline =~ ".*disabled.*"',
],
'score': 40,
'name': '通过系统程序关闭进程'
},
{
'rules': [
'originalfilename =~ ".*curl.exe" or originalfilename =~ ".*wget.exe" or originalfilename =~ ".*dget.exe"'
],
'score': 40,
'name':'通过应用下载文件'
},
{
'rules': [
'image =~ ".*\.doc\.exe"',
'image =~ ".*\.docx\.exe"',
'image =~ ".*\.ppt\.exe"',
'image =~ ".*\.pdf\.exe"',
'image =~ ".*\.html\.exe"',
'image =~ ".*\.htm\.exe"',
'image =~ ".*\.zip\.exe"',
'image =~ ".*\.rar\.exe"'
],
'score': 30,
'name':'启动双扩展名文件'
},
{
'rules': [
'commandline =~ ".*-k dcomlaunch.*"'
],
'score': 30,
'name':'通过DCOM启动了进程'
},
{
'rules': [
'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"',
],
'score': 70,
'name': '通过wbadmin删除备份'
},
{
'rules': [
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*view.*"',
],
'score': 70,
'name': '通过net进行远程系统发现'
},
{
'rules': [
'originalfilename =~ ".*fsutil.exe.*" and commandline =~ ".*deletejournal.*"',
],
'score': 70,
'name': '通过系统工具删除USN'
},
{
'rules': [
'originalfilename =~ ".*net.exe.*" and commandline =~ ".*user.*"',
],
'score': 70,
'name': '通过net进行系统用户发现'
},
{
'rules': [
'originalfilename =~ ".*schtasks.exe.*" and commandline =~ ".*create.*"',
],
'score': 70,
'name': '通过系统应用创建计划任务'
},
{
'rules': [
'originalfilename =~ ".*schtasks.exe.*" and commandline =~ ".*delete.*"',
],
'score': 40,
'name': '通过系统应用删除计划任务'
},
{
'rules': [
'originalfilename =~ ".*vssadmin.exe.*" and commandline =~ ".*create.*"',
],
'score': 40,
'name': '通过系统程序创建卷影备份'
},
{
'rules': [
'originalfilename =~ ".*todesk_service.*" or originalfilename =~ ".*sunloginclient.*" or originalfilename =~ ".*teamviewer_service.exe.*" or originalfilename =~ ".*logmein.*" or originalfilename =~ ".*dwrcs.*" or originalfilename =~ ".*aa_v3.*" or originalfilename =~ ".*screenconnect.*" or originalfilename =~ ".*tvnserver.*" or originalfilename =~ ".*vncserver.*"',
],
'score': 20,
'name': '已知远程协助程序'
},
{
'rules': [
'originalfilename =~ ".*phoenixminer.*" or originalfilename =~ ".*ccminer.*" or originalfilename =~ ".*csminer.exe.*" or originalfilename =~ ".*xmrig.*" or originalfilename =~ ".*xmr-stak.*"',
],
'score': 300,
'name': '已知挖矿程序'
},
{
'rules': [
'image =~ ".*\\\\\\\\appdata\\\\\\\\local\\\\\\\\temp\\\\\\\\.*" or image =~ ".*\\\\\\\\windows\\\\\\\\temp\\\\\\\\.*"',
],
'score': 40,
'name': '从临时文件创建进程'
},
{
'rules': [
'originalfilename =~ ".*rubeus.*" and commandline =~ ".*domain.*"',
],
'score': 100,
'name': '通过系统工具获取域登陆令牌'
},
{
'rules': [
'originalfilename =~ ".*whoami.*"',
],
'score': 70,
'name': 'whoami被执行'
},
{
'rules': [
'originalfilename =~ ".*\u202e.*"',
],
'score': 100,
'name': '伪装名字程序被执行'
},
{
'rules': [
'parentimage =~ ".*mmc.exe" and commandline =~ ".*eventvwr\.msc.*"',
],
'score': 40,
'name': '高权限进程被创建'
},
{
'rules': [
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*recoveryenabled.*no.*"',
'originalfilename =~ ".*bcdedit.exe" and commandline =~ ".*bootstatuspolicy.*ignoreallfailures.*"',
],
'score': 80,
'name': '通过系统工具关闭系统恢复'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*useraccount.*"',
],
'score': 70,
'name': '通过wmic进行系统用户发现'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*startup.*"',
],
'score': 70,
'name': '通过wmic查看系统启动项'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*share.*"',
],
'score': 70,
'name': '通过wmic查看系统共享'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe" and commandline =~ ".*shadowcopy.*" and commandline =~ ".*delete.*"',
],
'score': 70,
'name': 'wmic删除卷影备份'
},
{
'rules': [
'originalfilename =~ ".*vssadmin.exe" and commandline =~ ".*shadows.*" and commandline =~ ".*delete.*"',
],
'score': 70,
'name': 'vssadmin删除卷影备份'
},
{
'rules': [
'originalfilename =~ ".*tasklist.exe"',
],
'score': 50,
'name': '通过tasklist查看系统信息'
},
{
'rules': [
'originalfilename =~ ".*systeminfo.exe"',
],
'score': 70,
'name': '通过systeminfo查看系统信息'
},
{
'rules': [
'originalfilename =~ ".*query.exe"',
],
'score': 70,
'name': '通过query进行系统用户发现'
},
{
'rules': [
'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"'
],
'score': 70,
'name': '通过net进行本地系统用户发现'
},
{
'rules': [
'originalfilename =~ ".*setspn.exe"',
],
'score': 70,
'name': '通过setspn进行本地系统用户发现'
},
{
'rules': [
'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"',
],
'score': 70,
'name': '通过netsh关闭防火墙'
},
{
'rules': [
'originalfilename =~ ".*cmd.exe" and commandline =~ ".*ipconfig.*"',
],
'score': 80,
'name': 'cmd启动ipconfig'
},
{
'rules': [
'originalfilename =~ ".*cmd.exe" and commandline =~ ".*net.*"',
],
'score': 60,
'name': 'cmd启动net'
},
{
'rules': [
'originalfilename =~ ".*netstat.exe"',
],
'score': 40,
'name': 'netstat被运行'
},
{
'rules': [
'originalfilename =~ ".*ping.exe"',
],
'score': 40,
'name': 'ping被运行'
},
{
'rules': [
'originalfilename =~ ".*ipconfig.exe"',
],
'score': 40,
'name': 'ipconfig被运行'
},
{
'rules': [
'originalfilename =~ ".*attrib.exe"',
],
'score': 40,
'name': 'attrib被运行'
},
{
'rules': [
'originalfilename =~ ".*PSEXESVC.exe"',
],
'score': 100,
'name': 'PSEXESVC内网横向移动'
},
{
'rules': [
'originalfilename =~ "\\\\\\\\.*\\\\\\C\$.*"',
],
'score': 100,
'name': 'SMB共享启动进程'
},
{
'rules': [
'commandline =~ ".*__\d{10}\."',
'originalfilename =~ ".*wmi_share.exe"',
],
'score': 100,
'name': 'wmic内网横向移动被触发'
},
{
'rules': [
'originalfilename =~ ".*icacls.exe"',
],
'score': 40,
'name': 'icacls被运行'
},
{
'rules': [
'originalfilename =~ "\\\\\\.*" and parentimage =~ ".*services.exe"',
],
'score': 100,
'name': '远程服务被创建'
},
{
'rules': [
'parentimage =~ ".*services.exe"',
],
'score': 30,
'name': '从服务创建的进程'
},
{
'rules': [
'parentimage =~ ".*svchost.exe"',
'originalfilename =~ ".*werfault.exe"'
],
'score': 60,
'name': 'svchost.exe启动了werfault'
},
{
'rules': [
'parentimage =~ ".*werfault.exe"',
],
'score': 30,
'name': '从werfault创建的进程'
},
{
'rules': [
'originalfilename =~ ".*wscript.exe"',
'originalfilename =~ ".*cscript.exe"',
],
'score': 40,
'name': '脚本程序被运行'
},
{
'rules': [
'originalfilename =~ ".*mofcomp.exe.*"'
],
'score': 80,
'name':'注册WMI订阅'
},
{
'rules': [
'originalfilename =~ ".*csc.exe.*"'
],
'score': 80,
'name':'.NET编译器被启动'
},
{
'rules': [
'originalfilename =~ ".*cmdkey.exe.*"'
],
'score': 100,
'name':'通过系统应用查询本机账户'
},
{
'rules': [
'originalfilename =~ ".*adfind.exe.*"'
],
'score': 80,
'name':'通过系统程序发现域信息'
},
# 这些是保底规则 必须放到最底下才匹配
{
'rules': [
'originalfilename =~ ".*cmd.exe"'
],
'score': 30,
'name':'执行CMD命令'
},
{
'rules': [
'originalfilename =~ ".*chcp.com"'
],
'score': 30,
'name':'执行chcp.com'
},
{
'rules': [
'originalfilename =~ ".*wmic.exe.*"'
],
'score': 80,
'name':'执行wmic'
},
{
'rules': [
'originalfilename =~ ".*rundll32.exe.*"'
],
'score': 20,
'name':'通过rundll32启动进程'
},
{
'rules': [
'originalfilename =~ ".*certutil.exe"',
'originalfilename =~ ".*curl.exe"',
'originalfilename =~ ".*powershell.exe" and commandline =~ ".*invoke-webrequest.*"'
],
'score': 80,
'name':'通过系统命令下载文件'
},
{
'rules': [
'originalfilename =~ ".*powershell.exe"'
],
'score': 80,
'name':'Powershell被执行'
},
]

9
Server/sql.py
View File

@@ -87,6 +87,8 @@ class threat_log(g_base):
risk_score = Column(Integer)
# 命中的规则
hit_rule = Column(String)
# attck命中
attck_hit_list = Column(String)
# json字段
data = Column(String)
# 时间戳
@@ -262,7 +264,7 @@ def select_threat_by_chain_id(host, process_chain_hash, type):
def update_threat_log(
host, risk_score, hit_rule_json, process_chain_hash, raw_json, type, is_end
host, risk_score, hit_rule_json, attck_hit_list_json, process_chain_hash, raw_json, type, is_end
):
global g_threat_table
global g_engine
@@ -272,6 +274,7 @@ def update_threat_log(
.values(
risk_score=risk_score,
hit_rule=hit_rule_json,
attck_hit_list=attck_hit_list_json,
data=raw_json,
is_end=int(is_end),
)
@@ -335,6 +338,7 @@ def query_all_threat_log(query_type):
threat_log.is_end,
threat_log.start_process_info,
threat_log.handle_type,
threat_log.attck_hit_list,
)
.all()
)
@@ -353,6 +357,7 @@ def query_all_threat_log(query_type):
threat_log.is_end,
threat_log.start_process_info,
threat_log.handle_type,
threat_log.attck_hit_list
)
.filter_by(handle_type=query_type)
.all()
@@ -365,6 +370,7 @@ def push_threat_log(
host,
risk_score,
hit_rule_json,
attck_hit_list_json,
process_chain_hash,
raw_json,
type,
@@ -378,6 +384,7 @@ def push_threat_log(
risk_score=risk_score,
process_chain_hash=process_chain_hash,
hit_rule=hit_rule_json,
attck_hit_list=attck_hit_list_json,
type=type,
data=raw_json,
timestamp=int(round(time.time() * 1000)),

2
Server/templates/index.html
View File

@@ -1 +1 @@
<!DOCTYPE html><html><head><title>Duck Sys Eye</title><meta charset=utf-8><meta name=description content=syseye><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=icons/favicon-16x16.png><link rel=icon type=image/ico href=favicon.ico><script defer src=js/vendor.8b656787.js></script><script defer src=js/app.3ff22fb9.js></script><link href=css/vendor.5b8581f0.css rel=stylesheet><link href=css/app.31d6cfe0.css rel=stylesheet></head><body><div id=q-app></div></body></html>
<!DOCTYPE html><html><head><title>Duck Sys Eye</title><meta charset=utf-8><meta name=description content=syseye><meta name=format-detection content="telephone=no"><meta name=msapplication-tap-highlight content=no><meta name=viewport content="user-scalable=no,initial-scale=1,maximum-scale=1,minimum-scale=1,width=device-width"><link rel=icon type=image/png sizes=128x128 href=icons/favicon-128x128.png><link rel=icon type=image/png sizes=96x96 href=icons/favicon-96x96.png><link rel=icon type=image/png sizes=32x32 href=icons/favicon-32x32.png><link rel=icon type=image/png sizes=16x16 href=icons/favicon-16x16.png><link rel=icon type=image/ico href=favicon.ico><script defer src=js/vendor.8b656787.js></script><script defer src=js/app.b7308b45.js></script><link href=css/vendor.5b8581f0.css rel=stylesheet><link href=css/app.31d6cfe0.css rel=stylesheet></head><body><div id=q-app></div></body></html>

1
Server/templates/js/219.1dcc27ca.js Normal file
View File

@@ -0,0 +1 @@
"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[219],{4219:(a,e,t)=>{t.r(e),t.d(e,{default:()=>_});var n=t(3673),s=t(2323);function o(a,e,t,o,i,l){const r=(0,n.up)("q-td"),p=(0,n.up)("q-btn"),d=(0,n.up)("q-tr"),h=(0,n.up)("q-table");return(0,n.wg)(),(0,n.j4)(h,{class:"q-pa-lg",dense:a.$q.screen.lt.md,title:"白名单列表",columns:a.data_columns,rows:a.data_columns_data,loading:a.loading,pagination:a.pagination,"onUpdate:pagination":e[0]||(e[0]=e=>a.pagination=e),onRequest:a.onRequest},{body:(0,n.w5)((e=>[(0,n.Wm)(d,{props:e},{default:(0,n.w5)((()=>[(0,n.Wm)(r,{key:"path",props:e},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(e.row.path),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"hash",props:e},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(e.row.hash),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"reason",props:e},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(e.row.reason),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"timestamp",props:e},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.time_parase(e.row.timestamp)),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"action",props:e},{default:(0,n.w5)((()=>[(0,n.Wm)(p,{color:"red",label:"移除白名单",onClick:t=>a.delete_white_hash(e.row.hash)},null,8,["onClick"])])),_:2},1032,["props"])])),_:2},1032,["props"])])),_:1},8,["dense","columns","rows","loading","pagination","onRequest"])}var i=t(52),l=t.n(i);const r=(0,n.aZ)({name:"WhiteList",data:function(){return{data_columns:[{name:"path",align:"center",label:"路径",field:"path"},{name:"hash",align:"center",label:"hash",field:"hash"},{name:"reason",align:"center",label:"原因",field:"reason"},{name:"timestamp",align:"center",label:"时间",field:"timestamp"},{name:"action",align:"center",label:"操作",field:"steamid"}],data_columns_data:[],loading:!1,pagination:{sortBy:"desc",descending:!1,page:1,rowsPerPage:10,rowsNumber:10}}},mounted(){this.onRequest({pagination:this.pagination,filter:void 0})},methods:{delete_white_hash(a){l().get("/api/v1/del/white_list?hash="+a).then((a=>{this.onRequest({pagination:this.pagination,filter:void 0})}))},time_parase(a){const e=a=>a<10?"0"+a:a,t=new Date(Number(a));console.log("time",a);const n=t.getFullYear(),s=t.getMonth()+1,o=t.getDate(),i=t.getHours(),l=t.getMinutes(),r=t.getSeconds();return n+"-"+e(s)+"-"+e(o)+" "+e(i)+":"+e(l)+":"+e(r)},onRequest(a){this.data_columns_data=[],this.loading=!0;const{page:e}=a.pagination;l().get("/api/v1/query/white_list_all").then((a=>{const t=a.data.result;console.log(t);for(let e=0;e<t.length;e++){const a=t[e];this.data_columns_data.push(a)}this.pagination.page=e,this.pagination.rowsNumber=this.data_columns_data.length,this.pagination.rowsPerPage=this.data_columns_data.length,this.loading=!1}))}}});var p=t(4260),d=t(1779),h=t(8186),g=t(3884),u=t(8240),m=t(7518),c=t.n(m);const w=(0,p.Z)(r,[["render",o]]),_=w;c()(r,"components",{QTable:d.Z,QTr:h.Z,QTd:g.Z,QBtn:u.Z})}}]);

1
Server/templates/js/315.6ad8e4ee.js
View File

@@ -1 +0,0 @@
"use strict";(globalThis["webpackChunksyseye"]=globalThis["webpackChunksyseye"]||[]).push([[315],{7315:(e,a,t)=>{t.r(a),t.d(a,{default:()=>_});var n=t(3673),s=t(2323);function o(e,a,t,o,i,l){const r=(0,n.up)("q-td"),p=(0,n.up)("q-btn"),d=(0,n.up)("q-tr"),h=(0,n.up)("q-table");return(0,n.wg)(),(0,n.j4)(h,{class:"q-pa-lg",dense:e.$q.screen.lt.md,title:"白名单列表",columns:e.data_columns,rows:e.data_columns_data,loading:e.loading,pagination:e.pagination,"onUpdate:pagination":a[0]||(a[0]=a=>e.pagination=a),onRequest:e.onRequest},{body:(0,n.w5)((a=>[(0,n.Wm)(d,{props:a},{default:(0,n.w5)((()=>[(0,n.Wm)(r,{key:"path",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.path),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"hash",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.hash),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"reason",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(a.row.reason),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"timestamp",props:a},{default:(0,n.w5)((()=>[(0,n.Uk)((0,s.zw)(e.time_parase(a.row.timestamp)),1)])),_:2},1032,["props"]),(0,n.Wm)(r,{key:"action",props:a},{default:(0,n.w5)((()=>[(0,n.Wm)(p,{color:"red",label:"移除白名单",onClick:t=>e.delete_white_hash(a.row.hash)},null,8,["onClick"])])),_:2},1032,["props"])])),_:2},1032,["props"])])),_:1},8,["dense","columns","rows","loading","pagination","onRequest"])}var i=t(52),l=t.n(i);const r=(0,n.aZ)({name:"WhiteList",data:function(){return{data_columns:[{name:"path",align:"center",label:"路径",field:"path"},{name:"hash",align:"center",label:"hash",field:"hash"},{name:"reason",align:"center",label:"原因",field:"reason"},{name:"timestamp",align:"center",label:"时间",field:"timestamp"},{name:"action",align:"center",label:"操作",field:"steamid"}],data_columns_data:[],loading:!1,pagination:{sortBy:"desc",descending:!1,page:1,rowsPerPage:10,rowsNumber:10}}},mounted(){this.onRequest({pagination:this.pagination,filter:void 0})},methods:{delete_white_hash(e){l().get("/api/v1/del/white_list?hash="+e).then((e=>{console.log("duck was gone")}))},time_parase(e){const a=e=>e<10?"0"+e:e,t=new Date(Number(e));console.log("time",e);const n=t.getFullYear(),s=t.getMonth()+1,o=t.getDate(),i=t.getHours(),l=t.getMinutes(),r=t.getSeconds();return n+"-"+a(s)+"-"+a(o)+" "+a(i)+":"+a(l)+":"+a(r)},onRequest(e){this.data_columns_data=[],this.loading=!0;const{page:a}=e.pagination;l().get("/api/v1/query/white_list_all").then((e=>{const t=e.data.result;console.log(t);for(let a=0;a<t.length;a++){const e=t[a];this.data_columns_data.push(e)}this.pagination.page=a,this.pagination.rowsNumber=this.data_columns_data.length,this.pagination.rowsPerPage=this.data_columns_data.length,this.loading=!1}))}}});var p=t(4260),d=t(1779),h=t(8186),g=t(3884),u=t(8240),c=t(7518),m=t.n(c);const w=(0,p.Z)(r,[["render",o]]),_=w;m()(r,"components",{QTable:d.Z,QTr:h.Z,QTd:g.Z,QBtn:u.Z})}}]);

1
Server/templates/js/56.dc9e32b8.js Normal file
View File

File diff suppressed because one or more lines are too long

BIN
Server/templates/js/56.dc9e32b8.js.gz Normal file
View File

Binary file not shown.

1
Server/templates/js/698.7639c919.js
View File

File diff suppressed because one or more lines are too long

BIN
Server/templates/js/698.7639c919.js.gz
View File

Binary file not shown.

1
Server/templates/js/app.3ff22fb9.js
View File

File diff suppressed because one or more lines are too long

1
Server/templates/js/app.b7308b45.js Normal file
View File

File diff suppressed because one or more lines are too long

8
Server/webserver.py
View File

@@ -155,8 +155,9 @@ def pull_chain_data():
"type": threat_data[3],
"risk_score": threat_data[4],
"hit_rule": json.loads(threat_data[5]),
"chain": json.loads(threat_data[6]),
"is_end": threat_data[7],
"hit_attck": json.loads(threat_data[6]),
"chain": json.loads(threat_data[7]),
"is_end": threat_data[8],
}
return {"data": return_data}
@@ -181,6 +182,7 @@ def process_chain():
"id": iter[6],
"is_end": iter[7],
"start_process": json.loads(iter[8]),
"attck_hit_list": json.loads(iter[10]),
}
)
return {"data": return_data}
@@ -219,4 +221,6 @@ if __name__ == "__main__":
# 如果你觉得日志太多了,去掉这个注释...
flask_log = logging.getLogger("werkzeug")
flask_log.setLevel(logging.ERROR)
print("注意,你正在使用测试版,请随时关注github以获取最新版本:")
print("https://github.com/RoomaSec/RmEye")
app.run(debug=True, host="0.0.0.0")

49
Web/syseye/src/pages/Index.vue
View File

@@ -52,13 +52,27 @@
</q-chip>
</div>
<div>
产生的威胁:
<template v-for="(index, operation) in threat.hit_rule" :key="index">
ATTCK命中:
<template v-for="(index, operation) in threat.attck_hit_list" :key="index">
<q-chip square color="rgb(239,243,246)">
{{ operation }}&nbsp;({{ index }})
</q-chip>
</template>
</div>
<div>
产生的威胁:
<template v-for="(index, operation) in threat.hit_rule" :key="index">
<q-chip square color="red" text-color="white">
{{ operation }}&nbsp;({{ index }})
</q-chip>
</template>
<template v-if="JSON.stringify(threat.hit_rule) == '{}'">
<q-chip square color="negative" text-color="white">
<!--crowdstrike: 这活我熟-->
机器学习引擎
</q-chip>
</template>
</div>
<div>
<q-btn flat color="accent" @click="show_details(threat.id)" icon="open_in_new">
查看详情
@@ -152,11 +166,32 @@
</q-item>
<q-separator />
<q-item>
<q-item-section>进程命中的规则: <template v-for="(index, operation) in processChainDetails.hitRules" :key="index">
<q-item-section>进程命中的规则:
<template v-for="(index, operation) in processChainDetails.hitRules" :key="index">
<q-chip square color="rgb(239,243,246)">
{{ operation }}&nbsp;({{ index }})
</q-chip>
</template></q-item-section>
</template>
<template v-if="JSON.stringify(processChainDetails.hitRules) == '{}'">
<q-chip square color="rgb(239,243,246)">
</q-chip>
</template>
</q-item-section>
</q-item>
<q-item>
<q-item-section>attck矩阵:
<template v-for="(index, operation) in processChainDetails.hitAttck" :key="index">
<q-chip square color="rgb(239,243,246)">
{{ operation }}&nbsp;({{ index }})
</q-chip>
</template>
<template v-if="JSON.stringify(processChainDetails.hitAttck) == '{}'">
<q-chip square color="rgb(239,243,246)">
</q-chip>
</template>
</q-item-section>
</q-item>
<q-item>
<q-btn icon="search" outline style="color: grey;width: 100%;" label="搜索hash" @click="search_vt(processChainDetails.md5)" />
@@ -197,7 +232,8 @@ export default defineComponent({
processChainDetails: {
hash: '',
prams: '',
hitRule: [],
hitRules: [],
hitAttck: [],
isWhite: false,
whiteListReason: ''
},
@@ -371,7 +407,8 @@ export default defineComponent({
params: data.params,
pid: data.pid,
ppid: data.ppid,
hitRules: data.operationlist,
hitRules: data.operationlist === undefined ? {} : data.operationlist,
hitAttck: data.attck_hit_list === undefined ? {} : data.attck_hit_list,
isWhite: false
}
this.query_white_hash(data.md5)

121
Web/syseye/src/pages/Whitelist.vue
View File

@@ -1,26 +1,17 @@
<template>
<q-table
class="q-pa-lg"
:dense="$q.screen.lt.md"
title="白名单列表"
:columns="data_columns"
:rows="data_columns_data"
:loading="loading"
v-model:pagination="pagination"
@request="onRequest"
>
<template v-slot:body="props">
<q-table class="q-pa-lg" :dense="$q.screen.lt.md" title="白名单列表" :columns="data_columns" :rows="data_columns_data" :loading="loading" v-model:pagination="pagination" @request="onRequest">
<template v-slot:body="props">
<q-tr :props="props">
<q-td key="path" :props="props">{{ props.row.path }}</q-td>
<q-td key="hash" :props="props">{{ props.row.hash }}</q-td>
<q-td key="reason" :props="props">{{ props.row.reason }}</q-td>
<q-td key="timestamp" :props="props">{{ time_parase(props.row.timestamp) }}</q-td>
<q-td key="action" :props="props">
<q-btn color="red" label="移除白名单" @click="delete_white_hash(props.row.hash)"/>
</q-td>
<q-td key="path" :props="props">{{ props.row.path }}</q-td>
<q-td key="hash" :props="props">{{ props.row.hash }}</q-td>
<q-td key="reason" :props="props">{{ props.row.reason }}</q-td>
<q-td key="timestamp" :props="props">{{ time_parase(props.row.timestamp) }}</q-td>
<q-td key="action" :props="props">
<q-btn color="red" label="移除白名单" @click="delete_white_hash(props.row.hash)" />
</q-td>
</q-tr>
</template>
</q-table>
</template>
</q-table>
</template>
<script>
@@ -33,37 +24,36 @@ export default defineComponent({
name: 'WhiteList',
data: function () {
return {
data_columns: [
{
name: 'path',
align: 'center',
label: '路径',
field: 'path'
},
{
name: 'hash',
align: 'center',
label: 'hash',
field: 'hash'
},
{
name: 'reason',
align: 'center',
label: '原因',
field: 'reason'
},
{
name: 'timestamp',
align: 'center',
label: '时间',
field: 'timestamp'
},
{
name: 'action',
align: 'center',
label: '操作',
field: 'steamid'
}
data_columns: [{
name: 'path',
align: 'center',
label: '路径',
field: 'path'
},
{
name: 'hash',
align: 'center',
label: 'hash',
field: 'hash'
},
{
name: 'reason',
align: 'center',
label: '原因',
field: 'reason'
},
{
name: 'timestamp',
align: 'center',
label: '时间',
field: 'timestamp'
},
{
name: 'action',
align: 'center',
label: '操作',
field: 'steamid'
}
],
data_columns_data: [],
loading: false,
@@ -85,7 +75,10 @@ export default defineComponent({
methods: {
delete_white_hash (hash) {
axios.get('/api/v1/del/white_list?hash=' + hash).then(res => {
console.log('duck was gone')
this.onRequest({
pagination: this.pagination,
filter: undefined
})
})
},
time_parase (pTime) {
@@ -103,22 +96,24 @@ export default defineComponent({
const s = time.getSeconds()
return (
y +
'-' +
add0(m) +
'-' +
add0(d) +
' ' +
add0(h) +
':' +
add0(mm) +
':' +
add0(s)
'-' +
add0(m) +
'-' +
add0(d) +
' ' +
add0(h) +
':' +
add0(mm) +
':' +
add0(s)
)
},
onRequest (props) {
this.data_columns_data = []
this.loading = true
const { page } = props.pagination
const {
page
} = props.pagination
axios.get('/api/v1/query/white_list_all').then(response => {
const data = response.data.result
console.log(data)

106
doc_day0_rule.md Normal file
View File

@@ -0,0 +1,106 @@
### 规则编写教程
首先明确一点,rmeye有绝大部分威胁的检出能力,但是受限于规则,这些能力相当于只记录但是没生效.因此编写规则是一件重要的事情.在一切的开始,请您阅读ATT&CK的思想:
https://key08.com/index.php/2022/08/09/1505.html
本文以检测`mimikatz的关键dll加载`为例
`mimikatz`会加载: `C:\\Windows\\System32\\samlib.dll` 本文以他为例
### sysmon客户端规则
在编写服务端规则之前,请确保`sysmon`有相关配置.因为`rmeye`依赖于`sysmon`,得有客户端规则,才有服务端规则:
打开客户端安装目录下的`sysmon.xml`:
![9](Image/9.png)
我们需要检测`dll`加载,所以请把目光看到`ImageLoad`
其他的`sysmon`字段请自行谷歌或者百度了解.本项目有个`provider.json`那个是`sysmon`的所有字段.可以参考,打开`provider.json` ,找到`ImageLoad`
![10](Image/10.png)
可以看到`sysmon`记录了非常多有用的字段,对于我们来说,我们只需要`ImageLoaded`
`sysmon.xml`找到`Imageload`这个block,
```c
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<!--NOTE: Using "include" with no rules means nothing in this section will be logged-->
</ImageLoad>
</RuleGroup>
```
我们给他增加一个,接受加载`C:\\Windows\\System32\\samlib.dll`的日志:
```c
<RuleGroup name="" groupRelation="or">
<ImageLoad onmatch="include">
<ImageLoaded condition="is">C:\Windows\System32\samlib.dll</ImageLoaded>
</ImageLoad>
</RuleGroup>
```
保存,更新`sysmon`的配置文件,在`rmeye`的安装目录或者在`sysmon`的安装目录执行:
```
sysmon -c sysmon.xml
```
![11](Image/11.png)
看到这个,说明你成功了,其他的说明规则有错误,检查一下你写的规则.
### 服务端规则编写
客户端有了搜集日志能力后,是时候编写服务端的了:
打开服务端目录下的`server/rules/action.py`
在末尾添加:
```
{
'rules': [
'action == "imageload" and imageloaded == "c:\\windows\\system32\\samlib.dll"',
],
'score': 50,
'name': 'samlib的dll被加载'
}
```
其中
```
rules: 规则的列表,可以是多个规则,是and关系
score: 是分数,跟config.py里面的报警分数有关系
name: 规则名字
规则全部小写,==代表正常匹配,如果是=~代表使用python正则
```
保存,重启服务端,如果不出意外您应该看得到最新的刚刚增加的规则:
![](Image/12.png)
**完整的 `服务端规则指南`**
[doc_server_rule_manual.md](./doc_server_rule_manual.md)
### 测试
找个mimikatz运行一下看看:
![](Image/13.png)
(为了测试,将分数设置高一点准没错)
至此,您就具备的检测mimikatz的一些行为的能力,当然这行为是不全的而且容易产生很多误报的,很多时候为了减少误报或者实现更精准的检测,您需要高级检出能力,这将在下一章插件检测中介绍.
下一章:
https://github.com/RoomaSec/RmEye/blob/main/doc_day1_plugin.md

148
doc_day1_plugin.md Normal file
View File

@@ -0,0 +1,148 @@
### 编写插件用于检测需要复杂上下文的威胁
在本章开始前,请先阅读:
https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
rmeye提供了一个简陋的插件接口,用于检测需要上下文帮助的威胁.本文以检测mimikatz为例,编写一个插件:
mimikatz一定会加载如下dll:
```C
C:\Windows\System32\advapi32.dll
C:\Windows\System32\crypt32.dll
C:\Windows\System32\cryptdll.dll
C:\Windows\System32\gdi32.dll
C:\Windows\System32\imm32.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\KernelBase.dll
C:\Windows\System32\msasn1.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\System32\ntdll.dll
C:\Windows\System32\rpcrt4.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\samlib.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\secur32.dll
C:\Windows\System32\shell32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\sspicli.dll
C:\Windows\System32\user32.dll
C:\Windows\System32\vaultcli.dll
```
当有这些的DLL在一个程序被加载的时候,我们就要注意了.但是我们之前的规则是单条的,没有上下文,因此需要通过插件系统实现,本文默认你已经给sysmon增加了以上的datasoruce
### 插件编写
在服务端`plugins`目录下新建文件夹`mimikazt_detect`然后新建一个文件`mimikatz_detect.py`,如下是模板:
```python
import global_vars
import process
rm_plugs_config = {
"enable": True, #是否启用插件
"author": "huoji",
"description": "检测mimikatz",
"version": "0.0.1"
}
#新进程启动
def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
return global_vars.THREAT_TYPE_NONE
#进程动作
def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
return global_vars.THREAT_TYPE_NONE
#规则初始化
def rule_init():
pass
#插件初始化
def plugin_init():
print('mimikatz检测插件 2022/9/5 by huoji')
```
为了检测,我们需要记录每一个dll加载的行为并且保存到进程上下文中,具体看代码
```python
import global_vars
import process
rm_plugs_config = {
"enable": True,
"author": "huoji",
"description": "检测mimikatz",
"version": "0.0.1"
}
mimikatz_dll_list = [
'c:\\windows\\system32\\advapi32.dll',
'c:\\windows\\system32\\crypt32.dll',
'c:\\windows\\system32\\cryptdll.dll',
'c:\\windows\\system32\\gdi32.dll',
'c:\\windows\\system32\\imm32.dll',
'c:\\windows\\system32\\kernel32.dll',
'c:\\windows\\system32\\kernelbase.dll',
'c:\\windows\\system32\\msasn1.dll',
'c:\\windows\\system32\\msvcrt.dll',
'c:\\windows\\system32\\ntdll.dll',
'c:\\windows\\system32\\rpcrt4.dll',
'c:\\windows\\system32\\rsaenh.dll',
'c:\\windows\\system32\\samlib.dll',
'c:\\windows\\system32\\sechost.dll',
'c:\\windows\\system32\\secur32.dll',
'c:\\windows\\system32\\shell32.dll',
'c:\\windows\\system32\\shlwapi.dll',
'c:\\windows\\system32\\sspicli.dll',
'c:\\windows\\system32\\user32.dll',
'c:\\windows\\system32\\vaultcli.dll',
]
def rule_new_process_create(current_process: process.Process, host, raw_log_data, json_log_data):
# 服务端提供了一个 plugin_var 变量用于存放当前进程插件的上下文
current_process.plugin_var['mimikatz_matched_num'] = 0
current_process.plugin_var['mimikatz_detected'] = False
return global_vars.THREAT_TYPE_NONE
def rule_new_process_action(current_process: process.Process, host, raw_log_data, json_log_data):
global mimikatz_dll_list
# 如果日志的action是imageload(dll加载)
if json_log_data['action'] == 'imageload' and current_process.plugin_var['mimikatz_detected'] == False:
# 把日志中的dll路径取出来
dll_path = json_log_data['data']['imageloaded']
# 如果dll的路径在mimikatz的路径里面,进程上下文+1
if dll_path in mimikatz_dll_list:
current_process.plugin_var['mimikatz_matched_num'] += 1
if current_process.plugin_var['mimikatz_matched_num'] >= len(mimikatz_dll_list):
current_process.set_score(300, "[mimikatz]检测到疑似mimikatz进程")
current_process.plugin_var['mimikatz_detected'] = True
return global_vars.THREAT_TYPE_PROCESS
return global_vars.THREAT_TYPE_NONE
def rule_init():
pass
def plugin_init():
print('mimikatz检测插件 2022/9/5 by huoji')
```
### 测试
运行mimikatz:
![](Image/14.png)
当然还会有其他的情况的误报!这需要你完善插件.
如果遇到不懂的地方,可以提issue.欢迎提问

156
doc_server_rule_manual.md Normal file
View File

@@ -0,0 +1,156 @@
# 服务端规则指南
编写服务端规则前,请您详细阅读本文,以便了解规则背后的故事,并帮助您更好的编写 RmEye 规则。
# 规则在何时被应用
RmEye 通过本地部署的客户端,向服务器传输行为事件。 \
服务器在收集并解析了行为事件日志后,会立即调用规则匹配函数检测该行为是否被某条规则命中。
# 规则分类
基于 RmEye 的设计思想,一切动作都基于其进程载体,所以,规则被分为 动作action和 进程process两种类型。
- [`进程规则`]
用于在进程启动事件日志中,检测新进程的启动上下文,判断其是否为可疑行为。
- [`动作规则`]
用于在非进程启动事件日志中,检测其特定行为上下文,判断其是否为可疑行为。
RmEye 动作规则列表编写于 `/Server/rules/py/action.py` 文件中;进程规则列表编写于 `/Server/rules/py/process.py` 文件中。
# 规则单元数据结构
```json
{
'rules': [
'originalfilename =~ ".*wbadmin.exe.*" and commandline =~ ".*delete.*"',
],
'score': 70,
'name': 'wbadmin'
}
```
这是一个 进程process类型的示例规则单元它是一个 dict 数据,包含有三个 item\
分别是:`rules`, `score`, `name`
- [`rules`]-> `list`:
其中包含一个或多个使用 `rule_engine` 语法的规则匹配表达式,每个表达式间的关系为 `或`,即任何一个表达式被匹配,都认为该规则已命中。
- [`score`]-> `int`:
由一个整数表示的规则匹配分值
- [`name`]-> `str`:
规则名称
# 适用于 RmEye 的 `rule_engine` 规则匹配表达式
`rule_engine` 表达式是服务端规则的核心,它允许用户定义一个 key-value 类型的 Query 表达式,以匹配一个 dict 数据;\
表达式的左值匹配 dict 数据中的特定键名key\
右值允许适用通配符、数字、字符串等进行完全匹配或模糊匹配 dict 数据中对应左值键名的值value。\
需要特别注意的是,必须定义 RmEye 数据源事件日志中存在的左值,才可以使规则完全按照预期工作。
# 进程规则已支持的通用左值定义
- `processid`
进程 PID
- `image`
进程文件路径
- `originalfilename`
进程原始文件名
- `hashes`
进程 MD5 哈希
- `commandline`
进程命令行
- `user`
进程用户名
- `integritylevel`
进程权限等级
- `parentprocessid`
父进程 PID
- `parentimage`
父进程文件路径
- `parentcommandline`
父进程命令行
- `parentuser`
父进程用户
# 动作规则已支持的特有左值定义
- `action`
动作类型,包括:
| action | 描述 |
| ---- | ---- |
| processaccess | 进程句柄访问 |
| pipecreate | 命名管道创建 |
| createremotethread | 远程线程创建 |
| filecreatestreamhash | 文件流创建 |
| registryadd | 注册表项新建 |
| registryvalueSet | 注册表值项设置 |
| registryobjectSet | 注册表对象设置 |
| dnsquery | DNS 查询 |
| networkconnect | 网络连接建立 |
| clipboardchange | 剪贴板访问 |
| processtampering | 进程执行流劫持 |
| filedeletedetected | 可执行文件删除 |
| filecreate | 文件创建 |
| imageload | DLL 加载 |
| processcreate | 进程创建(已分离为进程规则)|
| processterminal | 进程退出(内部保留)|
- `sourceimage` - 仅适用于动作 `processaccess`
源进程文件路径
- `targetimage` - 仅适用于动作 `processaccess`
目标进程文件路径
- `grantedaccess` - 仅适用于动作 `processaccess`
访问权限
- `calltrace` - 仅适用于动作 `processaccess`
调用栈Call Stack
- `pipename` - 仅适用于动作 `pipecreate`
管道名称
- `targetfilename` - 仅适用于动作 `filecreate`
目标文件名
- `imageloaded` - 仅适用于动作 `imageload`
已加载的映像名

37
README.md → readme.md
View File

@@ -25,6 +25,20 @@ https://key08.com/index.php/2022/08/09/1505.html
请牢记,RmEye自身定位是轻量级威胁检出工具
### 最新新闻
2022/9/21:
修复了秋季更新的几个bug,增加了`networkconnect``FileCreateTimeChange`的ds,增加了`brc4`的检测
2022/9/20:
秋季重大更新,规则部分完全重构,目前检出完全基于attck的software.文档有空了再更新
2022/9/8:
增加服务端规则指南: \
[doc_server_rule_manual.md](./doc_server_rule_manual.md)
2022/9/5:
增加规则编写教程:
https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
增加`mimikatz`检测
2022/8/31:
增加进程白名单系统,现在能给进程加白名单了.在打开进程链后,点击某个进程加入白名单即可
@@ -33,7 +47,7 @@ https://key08.com/index.php/2022/08/09/1505.html
增加uac提权检测插件`uac_bypass_detect`,但是受限于sysmon,没有办法获取RPC信息,因此只能检测一部分的UAC提权行为.并且有误报,请酌情考虑
### 检出截图
威胁列表:
威胁列表(2022/9/20更新):
![image](Image/1.png)
进程链行为回溯
![image](Image/8.png)
@@ -49,7 +63,10 @@ offic宏钓鱼:
![image](Image/6.png)
uac提权检测:
![image](Image/7.png)
mimikatz检测:
![image](Image/14.png)
brc4检测:
![image](Image/15.png)
### 待做列表
1. 更好的前端(目前是VUE-CDN模式,不太好,想换成VUE-CLI) 已经完成
2. 日志回放【目前重点】
@@ -137,8 +154,11 @@ rule_engine:
```
分数代表的是本次规则给进程链所增加的分数,报警是根据前面的MAX_THREAT_SCORE设置的
具体编写方法请移步:
https://github.com/zeroSteiner/rule-engine
规则编写教程请移步:
https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md
规则引擎的语法请移步:
https://github.com/zeroSteiner/rule-engine
yara,需要安装插件,具体请看交流部分
@@ -155,10 +175,13 @@ https://github.com/SwiftOnSecurity/sysmon-config
### 交流
开源的目的不是为了免费填鸭式教学,或者被免费拿去发公众号引流、去拿去集成产品方案去赚钱,而是要一起完善这个工具,从而实现共赢.
扫一扫加入这个工具的交流群,这样就能获取实时动态.参与开发、参与交流规则编写等等.欢迎加入
![image](Image/group2.png)
扫一扫加入这个工具的交流群,这样就能获取实时动态.参与开发、参与交流规则编写等等.欢迎加入
最近进群的人有点多,所以不活跃的哥们暂时清理掉,但是微信太不好使了.要是t错了或者还想在群待着不发言的重新加群吧
![image](Image/group.png)
### 特别感谢
@Pwn0x01 yara插件
@zeroSteiner 规则引擎插件
@SwiftOnSecurity 客户端规则
@SwiftOnSecurity 客户端规则
@Fplyth0ner-Combie 规则相关文档

3
sysmon.xml
View File

@@ -353,6 +353,8 @@
<Image condition="image">nmap.exe</Image>
<Image condition="image">psinfo.exe</Image>
<!--Ports: Suspicious-->
<DestinationPort name="HTTP" condition="is">80</DestinationPort> <!--SSH protocol, monitor admin connections-->
<DestinationPort name="HTTPS" condition="is">443</DestinationPort> <!--SSH protocol, monitor admin connections-->
<DestinationPort name="SSH" condition="is">22</DestinationPort> <!--SSH protocol, monitor admin connections-->
<DestinationPort name="Telnet" condition="is">23</DestinationPort> <!--Telnet protocol, monitor admin connections, insecure-->
<DestinationPort name="SMTP" condition="is">25</DestinationPort> <!--SMTP mail protocol port, insecure, used by threats-->
@@ -583,6 +585,7 @@
<TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
<TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.otm</TargetFilename> <!--Microsoft:Office:VBS: Macro-->
<TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] -->