From 32e37585cdca9ac8c50febd42ba2af59d53ea2da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=83=AD=E5=90=89=E6=B0=91?= <1287473711@qq.com> Date: Wed, 8 Jan 2025 21:45:08 +0800 Subject: [PATCH] =?UTF-8?q?from=20=E9=83=AD=E5=90=89=E6=B0=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/lib/CSVDetection.py | 596 ++++++++++++++++++++++------------------ 1 file changed, 331 insertions(+), 265 deletions(-) diff --git a/src/lib/CSVDetection.py b/src/lib/CSVDetection.py index cca2b39..938a8fd 100644 --- a/src/lib/CSVDetection.py +++ b/src/lib/CSVDetection.py 
@@ -8,87 +8,134 @@ minlength=1000 account_op={} PasswordSpray={} +# 定义可疑的可执行文件列表 Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe'] +# 定义可疑的 PowerShell 命令列表 Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShell
Udp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','DownloadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Download_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden'] +# 定义 PowerShell 参数列表 Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"] +# 定义终端服务摘要 TerminalServices_Summary=[{'User':[],'Number of Logins':[]}] + +# 定义安全认证摘要 Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}] + +# 定义执行进程摘要 Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}] +# 定义关键服务列表 
critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"] +# 定义 Sysmon 事件结构 Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义 WinRM 事件结构 WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义安全事件结构 Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义系统事件结构 System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义计划任务事件结构 ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义 PowerShell 事件结构 Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义 PowerShell 操作事件结构 Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义终端服务事件结构 TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义 Windows Defender 事件结构 Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] + +# 定义 Timesketch 事件结构 
Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}] #======================= #Regex for security logs +# 定义安全日志的正则表达式 Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE) -#Account_Name_rex = re.compile('Account Name:\t{1,15}(.*)', re.IGNORECASE) +# 定义账户名称的正则表达式 Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE) +# 定义安全 ID 的正则表达式 Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE) +# 定义账户域的正则表达式 Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE) +# 定义工作站名称的正则表达式 Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE) +# 定义源网络地址的正则表达式 Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE) +# 定义登录进程的正则表达式 Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE) +# 定义密钥长度的正则表达式 Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE) -Process_Command_Line_rex=re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE) +# 定义进程命令行的正则表达式 +Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE) -Group_Name_rex=re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE) +# 定义组名称的正则表达式 +Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE) -Task_Name_rex=re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE) +# 定义任务名称的正则表达式 +Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE) -Task_Command_rex=re.compile('(.*)', re.IGNORECASE) +# 定义任务命令的正则表达式 +Task_Command_rex = re.compile('(.*)', re.IGNORECASE) -Task_args_rex=re.compile('(.*)', re.IGNORECASE) +# 定义任务参数的正则表达式 +Task_args_rex = re.compile('(.*)', re.IGNORECASE) +# 定义进程名称的正则表达式 Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE) -Category_sec_rex= re.compile('Category:\t{1,15}(.*)', re.IGNORECASE) - -Subcategory_rex= 
re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE) - -Changes_rex= re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE) +# 定义类别的正则表达式 +Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE) +# 定义子类别的正则表达式 +Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE) -#======================= -#Regex for windows defender logs +# 定义更改的正则表达式 +Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE) +# ======================= +# 定义 Windows Defender 日志的正则表达式 Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE) +# 定义严重性级别的正则表达式 Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE) +# 定义类别的正则表达式 Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE) +# 定义路径的正则表达式 Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE) +# 定义用户的正则表达式 Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE) +# 定义进程名称的正则表达式 Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE) +# 定义操作的正则表达式 Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE) -#======================= -#Regex for system logs - +# ======================= +# 定义系统日志的正则表达式 Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE) Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE) Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE) 
@@ -97,16 +144,14 @@ Service_and_state_rex = re.compile('The (.*) service entered the (.*) state\.', StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE) Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE) - -#======================= -#Regex for task scheduler logs +# ======================= +# 定义任务调度程序日志的正则表达式 task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE) task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE) task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE) - -#====================== -#Regex for powershell operational logs +# ======================= +# 定义 PowerShell 操作日志的正则表达式 Host_Application_rex = re.compile('Host Application = (.*)') Command_Name_rex = re.compile('Command Name = (.*)') Command_Type_rex = re.compile('Command Type = (.*)') 
@@ -114,66 +159,68 @@ Engine_Version_rex = re.compile('Engine Version = (.*)') User_rex = re.compile('User = (.*)') Error_Message_rex = re.compile('Error Message = (.*)') -#====================== -#Regex for powershell logs +# ======================= +# 定义 PowerShell 日志的正则表达式 HostApplication_rex = re.compile('HostApplication=(.*)') CommandLine_rex = re.compile('CommandLine=(.*)') ScriptName_rex = re.compile('ScriptName=(.*)') EngineVersion_rex = re.compile('EngineVersion=(.*)') UserId_rex = re.compile('UserId=(.*)') ErrorMessage_rex = re.compile('ErrorMessage=(.*)') -#====================== -#TerminalServices Local Session Manager Logs -#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)') -Source_Network_Address_Terminal_rex= re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})') -User_Terminal_rex=re.compile('User: (.*)') -Session_ID_rex=re.compile('Session ID: (.*)') -#====================== -#Microsoft-Windows-WinRM logs -Connection_rex=re.compile("""The connection string is: (.*)""") -#User_ID_rex=re.compile(""".*)\'\/><\/System>""") -#src_device_rex=re.compile("""(?.*)<\/Computer>""") -#====================== -#Sysmon Logs -Sysmon_CommandLine_rex=re.compile("CommandLine: (.*)") -Sysmon_ProcessGuid_rex=re.compile("ProcessGuid: (.*)") -Sysmon_ProcessId_rex=re.compile("ProcessId: (.*)") -Sysmon_Image_rex=re.compile("Image: (.*)") -Sysmon_FileVersion_rex=re.compile("FileVersion: (.*)") -Sysmon_Company_rex=re.compile("Company: (.*)") -Sysmon_Product_rex=re.compile("Product: (.*)") -Sysmon_Description_rex=re.compile("Description: (.*)") -Sysmon_User_rex=re.compile("User: (.*)") -Sysmon_LogonGuid_rex=re.compile("LogonGuid: (.*)") -Sysmon_TerminalSessionId_rex=re.compile("TerminalSessionId: (.*)") -Sysmon_Hashes_MD5_rex=re.compile("MD5=(.*),") -Sysmon_Hashes_SHA256_rex=re.compile("SHA256=(.*)") -Sysmon_ParentProcessGuid_rex=re.compile("ParentProcessGuid: (.*)") -Sysmon_ParentProcessId_rex=re.compile("ParentProcessId: (.*)") 
-Sysmon_ParentImage_rex=re.compile("ParentImage: (.*)") -Sysmon_ParentCommandLine_rex=re.compile("ParentCommandLine: (.*)") -Sysmon_CurrentDirectory_rex=re.compile("CurrentDirectory: (.*)") -Sysmon_OriginalFileName_rex=re.compile("OriginalFileName: (.*)") -Sysmon_TargetObject_rex=re.compile("TargetObject: (.*)") -######### -#Sysmon event ID 3 -Sysmon_Protocol_rex=re.compile("Protocol: (.*)") -Sysmon_SourceIp_rex=re.compile("SourceIp: (.*)") -Sysmon_SourceHostname_rex=re.compile("SourceHostname: (.*)") -Sysmon_SourcePort_rex=re.compile("SourcePort: (.*)") -Sysmon_DestinationIp_rex=re.compile("DestinationIp: (.*)") -Sysmon_DestinationHostname_rex=re.compile("DestinationHostname: (.*)") -Sysmon_DestinationPort_rex=re.compile("DestinationPort: (.*)") -######### -#Sysmon event ID 8 -Sysmon_StartFunction_rex=re.compile("StartFunction: (.*)") -Sysmon_StartModule_rex=re.compile("StartModule: (.*)") -Sysmon_TargetImage_rex=re.compile("TargetImage: (.*)") -Sysmon_SourceImage_rex=re.compile("SourceImage: (.*)") -Sysmon_SourceProcessId_rex=re.compile("SourceProcessId: (.*)") -Sysmon_SourceProcessGuid_rex=re.compile("SourceProcessGuid: (.*)") -Sysmon_TargetProcessGuid_rex=re.compile("TargetProcessGuid: (.*)") -Sysmon_TargetProcessId_rex=re.compile("TargetProcessId: (.*)") + +# ======================= +# 定义终端服务本地会话管理器日志的正则表达式 +Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})') +User_Terminal_rex = re.compile('User: (.*)') +Session_ID_rex = re.compile('Session ID: (.*)') + +# ======================= +# 定义 Microsoft-Windows-WinRM 日志的正则表达式 +Connection_rex = re.compile("""The connection string is: (.*)""") + +# ======================= +# 定义 Sysmon 日志的正则表达式 +Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)") +Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)") +Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)") +Sysmon_Image_rex = re.compile("Image: (.*)") +Sysmon_FileVersion_rex = re.compile("FileVersion: (.*)") 
+Sysmon_Company_rex = re.compile("Company: (.*)") +Sysmon_Product_rex = re.compile("Product: (.*)") +Sysmon_Description_rex = re.compile("Description: (.*)") +Sysmon_User_rex = re.compile("User: (.*)") +Sysmon_LogonGuid_rex = re.compile("LogonGuid: (.*)") +Sysmon_TerminalSessionId_rex = re.compile("TerminalSessionId: (.*)") +Sysmon_Hashes_MD5_rex = re.compile("MD5=(.*),") +Sysmon_Hashes_SHA256_rex = re.compile("SHA256=(.*)") +Sysmon_ParentProcessGuid_rex = re.compile("ParentProcessGuid: (.*)") +Sysmon_ParentProcessId_rex = re.compile("ParentProcessId: (.*)") +Sysmon_ParentImage_rex = re.compile("ParentImage: (.*)") +Sysmon_ParentCommandLine_rex = re.compile("ParentCommandLine: (.*)") +Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)") +Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)") +Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)") + +# ======================= +# Sysmon 事件 ID 3 的正则表达式 +Sysmon_Protocol_rex = re.compile("Protocol: (.*)") +Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)") +Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)") +Sysmon_SourcePort_rex = re.compile("SourcePort: (.*)") +Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)") +Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)") +Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)") + +# ======================= +# Sysmon 事件 ID 8 的正则表达式 +Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)") +Sysmon_StartModule_rex = re.compile("StartModule: (.*)") +Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)") +Sysmon_SourceImage_rex = re.compile("SourceImage: (.*)") +Sysmon_SourceProcessId_rex = re.compile("SourceProcessId: (.*)") +Sysmon_SourceProcessGuid_rex = re.compile("SourceProcessGuid: (.*)") +Sysmon_TargetProcessGuid_rex = re.compile("TargetProcessGuid: (.*)") +Sysmon_TargetProcessId_rex = re.compile("TargetProcessId: (.*)") def 
detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False): 
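Review bot: The re-added regex lines are still plain (non-raw) string literals, so the `\d` and `\.` in `Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})')` are invalid escape sequences that Python 3.12 reports as SyntaxWarning and a later release will reject; write it as `re.compile(r'Source Network Address: ((\d{1,3}\.){3}\d{1,3})')` and do the same for `Logon_Type_rex`, `Key_Length_rex`, `Service_and_state_rex` and every `\t{1,15}` pattern in this hunk. `Task_Command_rex` and `Task_args_rex` are re-added as `re.compile('(.*)', re.IGNORECASE)`, which captures the whole Details string rather than a task command — if a tag around the group was stripped when this patch was rendered ignore this, otherwise those two extractors return nothing useful. Several `Suspicious_executables` entries carry a leading space (`' Rubeus.exe'`, `' SharpHound.exe'`), which a substring match would miss for a path like `C:\Tools\Rubeus.exe`, and `Suspicious_powershell_commands` lists `Get-PSADForestInfo`, `Get-KerberosPolicy` and `Discover-PSMSExchangeServers` twice; the commit annotates these lists without fixing them. The `def detect_events_security_log` that closes this hunk has its body below it.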
@@ -188,51 +235,41 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) fieldnames=('Event ID',"MachineName","Data","Index","Category","CategoryNumber","EntryType","Details","Source","ReplacementStrings","InstanceId", 'Date and Time',"TimeWritten","UserName","Site","Container")) """ - if open(file_name,"r").read(1000).find("\"InstanceId\",\"TimeGenerated\"")>0: + if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0: + # 如果包含,使用包含更多字段的字典读取器 list2 = csv.DictReader(csvfile, - fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber", - "EntryType", "Details", "Source", "ReplacementStrings", "InstanceId", - 'Date and Time', "TimeWritten", "UserName", "Site", "Container")) + fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber", + "EntryType", "Details", "Source", "ReplacementStrings", "InstanceId", + 'Date and Time', "TimeWritten", "UserName", "Site", "Container")) else: + # 如果不包含,使用较少字段的字典读取器 list2 = csv.DictReader(csvfile, fieldnames=( - 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) + 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) + + # 遍历读取的每一行 for row in list2: - if row['Details']==None: + # 如果 'Details' 字段为空,则跳过该行 + if row['Details'] == None: continue - Logon_Type = Logon_Type_rex.findall(row['Details']) - - Account_Name = Account_Name_rex.findall(row['Details']) - - Account_Domain = Account_Domain_rex.findall(row['Details']) - - Workstation_Name = Workstation_Name_rex.findall(row['Details']) - - Source_IP = Source_Network_Address_rex.findall(row['Details']) - - Logon_Process = Logon_Process_rex.findall(row['Details']) - - Key_Length = Key_Length_rex.findall(row['Details']) - - Security_ID = Security_ID_rex.findall(row['Details']) - - Group_Name = Group_Name_rex.findall(row['Details']) - - Task_Name=Task_Name_rex.findall(row['Details']) - - Task_Command = 
Task_Command_rex.findall(row['Details']) - - Task_args= Task_args_rex.findall(row['Details']) - - Process_Name=Process_Name_sec_rex.findall(row['Details']) - - Category=Category_sec_rex.findall(row['Details']) - - Subcategory=Subcategory_rex.findall(row['Details']) - - Changes=Changes_rex.findall(row['Details']) - - Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) + # 从 'Details' 字段中提取各种信息 + Logon_Type = Logon_Type_rex.findall(row['Details']) # 登录类型 + Account_Name = Account_Name_rex.findall(row['Details']) # 账户名称 + Account_Domain = Account_Domain_rex.findall(row['Details']) # 账户域 + Workstation_Name = Workstation_Name_rex.findall(row['Details']) # 工作站名称 + Source_IP = Source_Network_Address_rex.findall(row['Details']) # 源网络地址 + Logon_Process = Logon_Process_rex.findall(row['Details']) # 登录进程 + Key_Length = Key_Length_rex.findall(row['Details']) # 密钥长度 + Security_ID = Security_ID_rex.findall(row['Details']) # 安全 ID + Group_Name = Group_Name_rex.findall(row['Details']) # 组名称 + Task_Name = Task_Name_rex.findall(row['Details']) # 任务名称 + Task_Command = Task_Command_rex.findall(row['Details']) # 任务命令 + Task_args = Task_args_rex.findall(row['Details']) # 任务参数 + Process_Name = Process_Name_sec_rex.findall(row['Details']) # 进程名称 + Category = Category_sec_rex.findall(row['Details']) # 类别 + Subcategory = Subcategory_rex.findall(row['Details']) # 子类别 + Changes = Changes_rex.findall(row['Details']) # 更改 + Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) # 进程命令行 #User Cretion using Net command # 用户创建事件处理,使用 Net 命令 if row['Event ID']=="4688": 
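Review bot: `open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0` on the new side opens the CSV a second time and never closes that handle, and `> 0` reads as an off-by-one even if the token is unlikely to sit at offset 0; use `with open(file_name, "r") as probe:` / `has_winevent_header = probe.read(1000).find('"InstanceId","TimeGenerated"') != -1` and branch on that. `if row['Details'] == None:` should be `if row['Details'] is None:`. All seventeen `findall` calls run on every row regardless of Event ID; moving them under the branches that need them, or dispatching on `row['Event ID']` first, would be cheaper on large exports, but that is optional. The function body starts before this hunk and continues past it.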
@@ -339,15 +376,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) continue # User Created through management interface + # 检查事件 ID 是否为 "4720",表示创建用户事件 if row['Event ID']=="4720": - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User Name ( " + Account_Name[0].strip() + " )", end='') - #print(" Created User Name ( " + Account_Name[1].strip()+ " )") + # 生成事件描述,包含用户名称和创建的用户名 try: Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )" - except: + # 如果生成描述失败,使用默认描述 Event_desc="User Created a new user " + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Created through management interface") @@ -357,13 +394,11 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - # Windows is shutting down + # 检查事件 ID 是否为 "4609" 或 "1100",表示 Windows 关机事件 if row['Event ID']=="4609" or row['Event ID']=="1100": - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User Name ( " + Account_Name[0].strip() + " )", end='') - #print(" Created User Name ( " + Account_Name[1].strip()+ " )") - + # 生成事件描述 Event_desc="Windows is shutting down " + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("Windows is shutting down") 
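Review bot: In the 4720 branch the commit replaces the `except:` line with the comment `# 如果生成描述失败,使用默认描述`, leaving the `try:` with no `except` or `finally` and the fallback `Event_desc="User Created a new user "` indented as a handler body, which is a syntax error that stops the whole module from importing — unless the patch rendering dropped that line, restore it as `except IndexError:` directly above the fallback assignment. Narrowing to `IndexError` matters because a missing `Account_Name[1]` is the only failure this fallback covers; the old bare `except:` would also have hidden a `KeyError` on `row['Date and Time']` or a typo in the description code. The function continues on both sides of the hunk.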
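Review bot: The 4609/1100 branch records both IDs under the single rule "Windows is shutting down", but 1100 is written by the Event Log service whenever it stops, which also happens when the service is stopped by hand to blind logging, so folding it into a shutdown rule loses exactly the distinction an analyst wants. Consider keying the text on the ID, e.g. `Event_desc = "Windows is shutting down" if row['Event ID'] == "4609" else "Event Log service stopped (1100)"`, and give 1100 its own Detection Rule label. The Date and Time string is also parsed twice with `strptime` on adjacent lines; parsing once into a local and reusing it for `.isoformat()` and `datetime.timestamp()` would remove a duplication repeated in every branch of this function.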
@@ -373,24 +408,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - - - - # User added to local group + # 检查事件 ID 是否为 "4732",表示用户被添加到本地组 if row['Event ID']=="4732": - - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='') - #print(" to local group ( " + Group_Name[0].strip() + " )") - - - try : + # 生成事件描述,包含用户名称和组名称 + try: Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )" except: - Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ - 1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" - - + Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User added to local group") 
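Review bot: The fallback description for event 4732 says `to Global group` while the Detection Rule appended two lines later is "User added to local group"; the reformatted `except:` line should read `Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to local group ( " + Group_Name[0].strip() + " )"`. The fallback can itself raise, since `Security_ID[1]` and `Group_Name[0]` are indexed without a check, and the bare `except:` that guards the first attempt swallows everything else too; `except IndexError:` plus a length guard would make the failure mode explicit. The enclosing function continues beyond the hunk.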
@@ -400,17 +425,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #add user to global group + # 检查事件 ID 是否为 "4728",表示用户被添加到全局组 if row['Event ID'] == "4728": - - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='') - #print(" to Global group ( " + Group_Name[0].strip() + " )") - try : + # 生成事件描述 + try: Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )" except: - Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ - 1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" + Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User added to global group") 
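Review bot: The bare `except:` in the 4728 branch should be `except IndexError:` — a missing second `Account Name` is the only failure the fallback handles, and a bare clause also catches `KeyboardInterrupt` and masks a typo in the description code. The fallback string still indexes `Security_ID[1]` and `Group_Name[0]` unguarded, so a 4728 record whose Details renders without those fields aborts the whole parse with an IndexError that nothing in this hunk catches. The function continues outside the hunk.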
@@ -420,20 +442,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #add user to universal group + # 检查事件 ID 是否为 "4756",表示用户被添加到通用组 if row['Event ID'] == "4756": - - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='') + # 生成事件描述 Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip() if len(Group_Name)>0: - #print(" to Universal group ( " + Group_Name[0].strip() + " )") Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )" else: Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )" - #print(" to Universal group ( " + Account_Name[1].strip() + " )") - - + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User added to Universal group") 
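Review bot: The 4756 branch has no try/except at all, so `Security_ID[1].strip()` on its first new-side line raises IndexError and ends the scan when a record's Details lacks a second Security ID, whereas 4728 and 4732 in the same function at least fall back to a default description. Guard with `if len(Security_ID) < 2: continue` (or reuse the try/except of the neighbouring branches) before building `Event_desc`. The description also never closes the `added User (` parenthesis before ` to Universal group (`; the 4729 branch below adds `")"` at the same point. The function continues outside this hunk.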
@@ -443,20 +460,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #remove user from global group + # 检查事件 ID 是否为 "4729",表示用户从全局组中移除 if row['Event ID'] == "4729": - - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') + # 生成事件描述 Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() if len(Group_Name)>0: - #print(") from Global group ( " + Group_Name[0].strip() + " )") Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )" else: Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )" - #print(") from Global group ( " + Account_Name[1].strip() + " )") - - + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Removed from Global Group") 
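Review bot: Event 4729 reports the removed member only as `Security_ID[1]` (a raw SID), while the add-to-group branches for 4728/4732 try `Account_Name[1]` first and fall back to the SID; for consistency and readability the removal branch should do the same, e.g. `member = Account_Name[1].strip() if len(Account_Name) > 1 else Security_ID[1].strip()`. As written, `Security_ID[1]` and the `else` arm's `Account_Name[1]` are both indexed without a length check and there is no try/except around this branch, so one malformed record stops the whole parse. The enclosing function continues past the hunk.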
@@ -466,18 +478,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #remove user from universal group + # 检查事件 ID 是否为 "4757",表示用户从通用组中移除 if row['Event ID'] == "4757": - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') + # 生成事件描述 Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() if len(Group_Name)>0: - #print(") from Universal group ( " + Group_Name[0].strip() + " )") Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )" else: - #print(") from Universal group ( " + Account_Name[1].strip() + " )") Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )" - + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Removed from Universal Group") @@ -487,8 +496,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #remove user from local group + # 检查事件 ID 是否为 "4733",表示用户从本地组中移除 if row['Event ID'] == "4733": + # 生成事件描述 #print("##### " + row['Date and Time'] + " #### ", end='') #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() 
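Review bot: The 4757 branch indexes `Security_ID[1]` and, in the `else` arm, `Account_Name[1]` with no length check and no try/except, so a single malformed record raises IndexError out of the loop. Since 4729, 4733, 4756 and 4757 all build the same "removed/added User ( … ) from/to <scope> group ( … )" text, a small helper such as `_group_change_desc(verb, scope, Account_Name, Security_ID, Group_Name)` that validates the indices once would remove the duplication and the inconsistent fallbacks. The function continues outside the hunk.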
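Review bot: The 4733 branch keeps its two commented-out `#print(...)` lines directly under the new `# 生成事件描述` comment even though the commit deletes the same dead prints from the 4732, 4756 and 4729 branches; drop them here as well so the cleanup is consistent. Like its neighbours it indexes `Security_ID[1]` without a guard. The branch continues into the next hunk.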
@@ -498,9 +508,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) else: #print(") from Local group ( " + Account_Name[1].strip() + " )") Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )" - - - + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Removed from Local Group") @@ -510,8 +518,8 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - - #user removed group + # user removed group + # 用户从组中移除 if row['Event ID'] == "4730": print("##### " + row['Date and Time'] + " #### ", end='') print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='') @@ -523,7 +531,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )" #print(") from Local group ( " + Account_Name[0].strip() + " )") - + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Removed Group") 
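Review bot: The 4730 branch still calls `print("##### " + row['Date and Time'] + " #### ", end='')` and `print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')` unconditionally, writing to stdout from a library function while every other branch in this commit has those prints commented out or removed; delete them or route them through `logging`. Its description also ends with `") from Local group ( " + Account_Name[0].strip() + " )"`, which repeats the acting account instead of naming the deleted group, and the Detection Rule "User Removed Group" is ambiguous — 4730 is a group deletion, not a membership removal, so the text should say that. The neighbouring hunks on this line are comment-only.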
@@ -533,13 +541,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #user account removed + # user account removed + # 用户账户被移除 if row['Event ID'] == "4726": #print("##### " + row['Date and Time'] + " #### ", end='') #print("User ( " + Account_Name[0].strip() + " ) removed user ", end='') #print("( " + Account_Name[1].strip() + " )") Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Account Removed") 
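Review bot: The 4726 branch builds `Event_desc` from `Account_Name[0]` and `Account_Name[1]` with no guard and no try/except, so a record whose Details has fewer than two `Account Name:` lines raises IndexError and ends the scan; add `if len(Account_Name) < 2: continue` before the description (or the try/except pattern used by 4720). The commented-out `#print(...)` lines kept above the new `# 用户账户被移除` comment should go the way of the same prints removed elsewhere in this commit. The function continues beyond the hunk.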
@@ -549,25 +559,31 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #Summary of process Execution + # Summary of process Execution + # 进程执行的总结 if row['Event ID']=="4688": try: - + # 检查进程命令行是否已在执行进程摘要中 if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']: Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip()) Executed_Process_Summary[0]['Number of Execution'].append(1) else : + # 如果已存在,则更新执行次数 Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1 except: continue + + # 检查事件 ID 是否为 "4625",表示登录失败事件 if row['Event ID'] == "4625" : try: + # 检查用户是否已在安全认证摘要中 if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['Number of Failed Logins'].append(1) Security_Authentication_Summary[0]['Number of Successful Logins'].append(0) else : try: + # 更新失败登录次数 Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['Number of Failed Logins'][ 
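Review bot: The bare `except: continue` in the 4688 and 4625 blocks abandons every remaining rule for that row rather than just the summary update, so a 4625 row whose regex lists come back short never reaches the pass-the-hash check later in the same iteration (the hunk at -577, where the 4648 and 4624 blocks do the same). Narrowing to `except IndexError: pass` keeps the fall-through intact. Separately, the 4688 membership test compares the unstripped `Process_Command_Line[0]` against a list that stores `Process_Command_Line[0].strip()`, so a captured command line with surrounding whitespace is appended as a fresh entry with count 1 on every occurrence and the `else` branch never updates it; test `Process_Command_Line[0].strip() not in Executed_Process_Summary[0]['Process Name']` instead. detect_events_security_log begins outside the hunk.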
@@ -577,44 +593,55 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) print(Security_Authentication_Summary[0]) except: continue - #password spray detection + + # password spray detection + # 密码喷洒检测 if row['Event ID'] == "4648" : try: - + # 检查账户名称是否在 PasswordSpray 字典中 if Account_Name[0].strip() not in PasswordSpray: PasswordSpray[Account_Name[0].strip()]=[] PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) #else: # PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) + # 检查第二个账户名称是否已在对应的 PasswordSpray 列表中 if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] : PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) except: continue -#and (Logon_Type[0].strip()=="3" or Logon_Type[0].strip()=="10" or Logon_Type[0].strip()=="2" or Logon_Type[0].strip()=="8") + + # 检查事件 ID 是否为 "4624",表示成功登录事件 if row['Event ID'] == "4624" : try: #print(Account_Name[0]) + # 检查用户是否已在安全认证摘要中 if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['Number of Successful Logins'].append(1) Security_Authentication_Summary[0]['Number of Failed Logins'].append(0) else : + # 更新成功登录次数 Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1 except: continue - #detect pass the hash + + # detect pass the hash + # 检测哈希传递攻击 if row['Event ID'] == "4625" or row['Event ID'] == "4624": + # 检查登录类型和其他条件 if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0": #print("##### " + row['Date and Time'] + " 
#### ", end='') #print( # "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( # Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())) + # 生成事件描述 Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()) + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") @@ -624,15 +651,18 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #Audit log cleared + # Audit log cleared + # 审计日志被清除 if row['Event ID'] == "517" or row['Event ID'] == "1102": """print("##### " + row['Date and Time'] + " #### ", end='') print( "Audit log cleared by user ( %s )" % ( Account_Name[0].strip())) """ + # 生成事件描述 Event_desc = "Audit log cleared by user ( %s )" % ( Account_Name[0].strip()) + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("Audit log cleared") 
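Review bot: The pass-the-hash check at the end of the hunk at -577 indexes `Logon_Type[0]`, `Account_Name[1]`, `Logon_Process[0]` and `Key_Length[0]` with no try/except, unlike the 4648 and 4624 blocks above it, so a 4624 or 4625 row where any of those regexes finds nothing raises IndexError and, unless a guard exists outside the hunk, aborts the whole CSV pass. A length guard in front of the condition, `if len(Logon_Type) and len(Account_Name) > 1 and len(Logon_Process) and len(Key_Length):`, keeps one malformed row from silencing every later detection. The row loop and detect_events_security_log both start outside the hunk.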
@@ -642,14 +672,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #Suspicious Attempt to enumerate users or groups + # Suspicious Attempt to enumerate users or groups + # 可疑的用户或组枚举尝试 if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1: """print("##### " + row['Date and Time'] + " #### ", end='') print( "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % ( Account_Name[0].strip(),Process_Name[0].strip())) """ + # 生成事件描述 Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip()) + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") 
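Review bot: The condition `if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:` parses as `4798 or (4799 and not-svchost)` because `and` binds tighter than `or`, so the svchost.exe exclusion only applies to 4799 and every 4798 event, including the routine ones from svchost, is flagged as a suspicious enumeration. Writing it as `if row['Event ID'] in ("4798", "4799") and row['Details'].find("System32\\svchost.exe") == -1:` applies the exclusion to both IDs, which is what the comment describes. detect_events_security_log starts outside the hunk.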
@@ -659,18 +692,20 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #System audit policy was changed - + # System audit policy was changed + # 系统审计策略已更改 if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" : """print("##### " + row['Date and Time'] + " #### ", end='') print( - "System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( + "System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())) """ try : - Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()) + # 生成事件描述 + Event_desc ="System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()) except : Event_desc = "System audit policy was changed by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("System audit policy was changed") 
@@ -680,15 +715,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - #scheduled task created + # scheduled task created + # 创建计划任务 if row['Event ID']=="4698" : #print("##### " + row['Date and Time'] + " #### ", end='') - #print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) try: + # 生成事件描述 Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) except: Event_desc = "schedule task created by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("schedule task created") 
@@ -698,15 +735,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #scheduled task deleted + # scheduled task deleted + # 删除计划任务 if row['Event ID']=="1699" : #print("##### " + row['Date and Time'] + " #### ", end='') - #print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) try : + # 生成事件描述 Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) except: Event_desc = "schedule task deleted by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("schedule task deleted") 
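Review bot: The branch is labelled "scheduled task deleted" but matches `row['Event ID']=="1699"`; the Security-log event for a deleted scheduled task is 4699, so as written this rule is unlikely to fire on real logs — confirm against the log source and change the comparison to `"4699"` unless 1699 is a deliberate value for some other format. The sibling task rules (4698, 4702, 4700, 4701) all use 47xx IDs, which makes 1699 look like a typo. detect_events_security_log starts outside the hunk.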
@@ -716,15 +755,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #schedule task updated + # schedule task updated + # 更新计划任务 if row['Event ID']=="4702" : #print("##### " + row['Date and Time'] + " #### ", end='') - #print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) try: + # 生成事件描述 Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) except: Event_desc = "schedule task updated by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("schedule task updated") 
@@ -734,15 +775,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #schedule task enabled + + # schedule task enabled + # 启用计划任务 if row['Event ID']=="4700" : #print("##### " + row['Date and Time'] + " #### ", end='') #print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) try : + # 生成事件描述 Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) except: Event_desc = "schedule task enabled by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("schedule task enabled") 
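Review bot: The 4700 description `"schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])` has two placeholders but four arguments, which raises TypeError on every call, so the bare `except` always falls back to `"schedule task enabled by user"` and the user and task name are never recorded. Drop the two surplus arguments: `% (Account_Name[0].strip(), Task_Name[0].strip())`. The 4701 branch in the next hunk (-752) has the same mismatch. detect_events_security_log starts outside the hunk.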
@@ -752,15 +797,18 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - #schedule task disabled + # schedule task disabled + # 禁用计划任务 if row['Event ID']=="4701" : print("##### " + row['Date and Time'] + " #### ", end='') #print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) try : + # 生成事件描述 Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) except: Event_desc = "schedule task disabled by user" + # 将事件信息添加到 Security_events 列表中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("schedule task disabled") 
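Review bot: The 4701 branch keeps a live `print("##### " + row['Date and Time'] + " #### ", end='')` while the matching print of the description below it is commented out, so the parser writes a dangling date header to stdout with no newline each time a task is disabled; the other task rules have this line commented. Either comment it out to match or remove it, since `Event_desc` already carries the data. The format-string argument mismatch noted at -734 applies to this branch too.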
@@ -771,39 +819,52 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) for user in PasswordSpray: + # 检查用户的密码喷洒尝试次数是否超过3次 if len(PasswordSpray[user])>3: + # 生成事件描述 Event_desc = "Password Spray Detected by user ( "+user+" )" + # 将当前时间戳添加到事件列表中 Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now())) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now())) + # 添加检测规则 Security_events[0]['Detection Rule'].append("Password Spray Detected") + # 添加检测领域 Security_events[0]['Detection Domain'].append("Threat") + # 添加事件严重性 Security_events[0]['Severity'].append("High") + # 添加事件描述 Security_events[0]['Event Description'].append(Event_desc) + # 添加事件ID Security_events[0]['Event ID'].append("4648") - Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password sparay attack using usernames ( "+",".join(PasswordSpray[user])+" )") + # 添加原始事件日志 + Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password spray attack using usernames ( "+",".join(PasswordSpray[user])+" )") -def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=False): +def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False): with open(file_name, newline='') as csvfile: """if winevent == True: list = csv.DictReader(csvfile, fieldnames=('Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) else: list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties")) """ - if 
open(file_name,"r").read(1000).find("\"Message\",\"Id\",\"Version\"")>0: + # 检查文件内容以确定使用的字段名 + if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0: + # 使用较长的字段名列表 list = csv.DictReader(csvfile, fieldnames=( - "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId", - "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time", - "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", - "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties")) - + "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId", + "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time", + "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", + "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties")) else: + # 使用较短的字段名列表 list = csv.DictReader(csvfile, fieldnames=( - 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) + 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) for row in list: - if row['Details']==None: + # 如果 'Details' 字段为空,则跳过该行 + if row['Details'] == None: continue + # 从 'Details' 字段中提取信息 Name = Name_rex.findall(row['Details']) Severity = Severity_rex.findall(row['Details']) Category = Category_rex.findall(row['Details']) 
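Review bot: The header sniff `if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0:` misses the case where that header is the very first thing in the file, since `find` then returns 0 and the test is false, and the second `open` is never closed; `>= 0` (or `!= -1`) and reading the prefix in a `with` block before the DictReader is created fixes both. The password-spray summary earlier in the hunk appends `datetime.timestamp(datetime.now())` to `Security_events[0]['Date and Time']`, a float where every other rule stores an `isoformat()` string, and stamps the synthetic event with the time the tool ran rather than the time of the events it summarises, so the column mixes types and the event sorts to the end of any timeline. `row['Details'] == None` should be `is None`. detect_events_security_log ends inside the hunk and detect_events_windows_defender_log continues beyond it.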
@@ -812,133 +873,138 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa Process_Name = Process_Name_rex.findall(row['Details']) Action = Action_rex.findall(row['Details']) - #Windows Defender took action against Malware - if row['Event ID']=="1117" or row['Event ID']=="1007" : - #print("##### " + row['Date and Time'] + " #### ", end='') - #print(" Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) - Event_desc="Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0].strip()) - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 对恶意软件采取了行动 + if row['Event ID'] == "1117" or row['Event ID'] == "1007": + # 生成事件描述 + Event_desc = "Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) + # 将事件信息添加到 Windows_Defender_events 列表中 + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) 
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware") Windows_Defender_events[0]['Detection Domain'].append("Threat") Windows_Defender_events[0]['Severity'].append("High") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - - #Windows Defender failed to take action against Malware - if row['Event ID']=="1118" or row['Event ID']=="1008" or row['Event ID']=="1119": - #print("##### " + row['Date and Time'] + " #### ", end='') - #print("Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) - - Event_desc="Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]) - - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + + # Windows Defender 未能对恶意软件采取行动 + if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119": + # 生成事件描述 + Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % 
(Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) + # 将事件信息添加到 Windows_Defender_events 列表中 + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware") Windows_Defender_events[0]['Detection Domain'].append("Threat") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) - - if row['Event ID'] == "1116" or row['Event ID']=="1006": - #print("##### " + row['Date and Time'] + " #### ", end='') - #print(" Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) - - Event_desc="Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]) - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + + # Windows Defender 发现恶意软件 + if row['Event ID'] == "1116" or row['Event ID'] == "1006": + # 
生成事件描述 + Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) + # 将事件信息添加到 Windows_Defender_events 列表中 + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware") Windows_Defender_events[0]['Detection Domain'].append("Threat") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID']=="1013": + if row['Event ID'] == "1013": #print("##### " + row['Date and Time'] + " #### ", end='') #print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0])) - Event_desc=" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0]) - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 删除了恶意软件的历史记录 - 详细信息:用户 + Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0]) + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + 
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender deleted history of malwares") Windows_Defender_events[0]['Detection Domain'].append("Audit") Windows_Defender_events[0]['Severity'].append("High") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID'] == "1015" : + if row['Event ID'] == "1015": #print("##### " + row['Date and Time'] + " #### ", end='') #print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) - Event_desc="Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]) - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 检测到可疑行为的恶意软件 - 详细信息 + Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) + Windows_Defender_events[0]['Date 
and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender detected suspicious behavior Malware") Windows_Defender_events[0]['Detection Domain'].append("Threat") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID'] == "5001" : + if row['Event ID'] == "5001": #print("##### " + row['Date and Time'] + " #### ", end='') #print("Windows Defender real-time protection disabled") - Event_desc="Windows Defender real-time protection disabled" - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 实时保护已禁用 + Event_desc = "Windows Defender real-time protection disabled" + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender real-time protection disabled") Windows_Defender_events[0]['Detection Domain'].append("Audit") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) 
- Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID'] == "5004" : + if row['Event ID'] == "5004": #print("##### " + row['Date and Time'] + " #### ", end='') #print(" Windows Defender real-time protection configuration changed") - Event_desc="Windows Defender real-time protection configuration changed" - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 实时保护配置已更改 + Event_desc = "Windows Defender real-time protection configuration changed" + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender real-time protection configuration changed") Windows_Defender_events[0]['Detection Domain'].append("Audit") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID'] == "5007" : + if row['Event ID'] == "5007": #print("##### " + row['Date and Time'] + " #### ", end='') #print(" Windows Defender antimalware platform configuration changed") - Event_desc="Windows Defender antimalware platform configuration changed" - Windows_Defender_events[0]['Date and 
Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 反恶意软件平台配置已更改 + Event_desc = "Windows Defender antimalware platform configuration changed" + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender antimalware platform configuration changed") Windows_Defender_events[0]['Detection Domain'].append("Audit") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) - if row['Event ID'] == "5010" : + if row['Event ID'] == "5010": #print("##### " + row['Date and Time'] + " #### ", end='') #print(" Windows Defender scanning for malware is disabled") - Event_desc="Windows Defender scanning for malware is disabled" - Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) - Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) + # Windows Defender 扫描恶意软件已禁用 + Event_desc = "Windows Defender scanning for malware is disabled" + Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) + Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and 
Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['Detection Rule'].append("Windows Defender scanning for malware is disabled") Windows_Defender_events[0]['Detection Domain'].append("Audit") Windows_Defender_events[0]['Severity'].append("Critical") Windows_Defender_events[0]['Event Description'].append(Event_desc) Windows_Defender_events[0]['Event ID'].append(row['Event ID']) - Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) + Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + if row['Event ID'] == "5012" : print("##### " + row['Date and Time'] + " #### ", end='')