
郭吉民 7 months ago
parent 4cbd982f74
commit 32e37585cd

@ -8,87 +8,134 @@ minlength=1000
account_op={} account_op={}
PasswordSpray={} PasswordSpray={}
# 定义可疑的可执行文件列表
Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe'] Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe']
# 定义可疑的 PowerShell 命令列表
Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','DownloadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Do
wnload_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden'] Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','Downl
oadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Download_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden']
# 定义 PowerShell 参数列表
Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"] Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"]
# 定义终端服务摘要
TerminalServices_Summary=[{'User':[],'Number of Logins':[]}] TerminalServices_Summary=[{'User':[],'Number of Logins':[]}]
# 定义安全认证摘要
Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}] Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}]
# 定义执行进程摘要
Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}] Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}]
# 定义关键服务列表
critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"] critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"]
# 定义 Sysmon 事件结构
Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 WinRM 事件结构
WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义安全事件结构
Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义系统事件结构
System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义计划任务事件结构
ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 事件结构
Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 操作事件结构
Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义终端服务事件结构
TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Windows Defender 事件结构
Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Timesketch 事件结构
Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}] Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}]
#======================= #=======================
#Regex for security logs #Regex for security logs
# 定义安全日志的正则表达式
Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE) Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)
#Account_Name_rex = re.compile('Account Name:\t{1,15}(.*)', re.IGNORECASE) # 定义账户名称的正则表达式
Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE) Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE)
# 定义安全 ID 的正则表达式
Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE) Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE)
# 定义账户域的正则表达式
Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE) Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE)
# 定义工作站名称的正则表达式
Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE) Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义源网络地址的正则表达式
Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE) Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE)
# 定义登录进程的正则表达式
Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE) Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE)
# 定义密钥长度的正则表达式
Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE) Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE)
# 定义进程命令行的正则表达式
Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE) Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE)
# 定义组名称的正则表达式
Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE) Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义任务名称的正则表达式
Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE) Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE)
# 定义任务命令的正则表达式
Task_Command_rex = re.compile('<Command>(.*)</Command>', re.IGNORECASE) Task_Command_rex = re.compile('<Command>(.*)</Command>', re.IGNORECASE)
# 定义任务参数的正则表达式
Task_args_rex = re.compile('<Arguments>(.*)</Arguments>', re.IGNORECASE) Task_args_rex = re.compile('<Arguments>(.*)</Arguments>', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE) Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE) Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE)
# 定义子类别的正则表达式
Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE) Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE)
# 定义更改的正则表达式
Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE) Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for windows defender logs # 定义 Windows Defender 日志的正则表达式
Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE) Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE)
# 定义严重性级别的正则表达式
Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE) Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE) Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE)
# 定义路径的正则表达式
Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE) Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE)
# 定义用户的正则表达式
Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE) Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE) Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE)
# 定义操作的正则表达式
Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE) Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for system logs # 定义系统日志的正则表达式
Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE) Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE)
Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE) Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE)
Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE) Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE)
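Review bot: Most entries in Suspicious_executables carry a leading space (`' dcom.exe'`, `' Rubeus.exe'` … `' WExec.exe'`), so if the list is used for substring matching against a command line (the consuming code is outside this hunk), those names only fire when preceded by a space and a path-prefixed form such as `C:\tools\dcom.exe` is missed. Remove the spaces from the literals, or normalise once at definition time: `Suspicious_executables = [s.strip() for s in Suspicious_executables]`, and compare case-insensitively. Suspicious_powershell_commands repeats 'Get-PSADForestInfo', 'Get-KerberosPolicy', 'Discover-PSMSExchangeServers' and 'Discover-PSInterestingServices', and Suspicious_powershell_Arguments repeats 'Net.WebClient'; each duplicate is a redundant scan per record, so deduplicate or store them as sets. The regex literals from Logon_Type_rex down to Key_Length_rex (and Source_Network_Address_Terminal_rex further down) put `\d` and `\.` in non-raw strings, which Python 3.12 reports as invalid escape sequences; prefix them with `r`, e.g. `Logon_Type_rex = re.compile(r'Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)`.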
@ -97,16 +144,14 @@ Service_and_state_rex = re.compile('The (.*) service entered the (.*) state\.',
StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE) StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE)
Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE) Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for task scheduler logs # 定义任务调度程序日志的正则表达式
task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE) task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE) task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE) task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE)
# =======================
#====================== # 定义 PowerShell 操作日志的正则表达式
#Regex for powershell operational logs
Host_Application_rex = re.compile('Host Application = (.*)') Host_Application_rex = re.compile('Host Application = (.*)')
Command_Name_rex = re.compile('Command Name = (.*)') Command_Name_rex = re.compile('Command Name = (.*)')
Command_Type_rex = re.compile('Command Type = (.*)') Command_Type_rex = re.compile('Command Type = (.*)')
@ -114,27 +159,27 @@ Engine_Version_rex = re.compile('Engine Version = (.*)')
User_rex = re.compile('User = (.*)') User_rex = re.compile('User = (.*)')
Error_Message_rex = re.compile('Error Message = (.*)') Error_Message_rex = re.compile('Error Message = (.*)')
#====================== # =======================
#Regex for powershell logs # 定义 PowerShell 日志的正则表达式
HostApplication_rex = re.compile('HostApplication=(.*)') HostApplication_rex = re.compile('HostApplication=(.*)')
CommandLine_rex = re.compile('CommandLine=(.*)') CommandLine_rex = re.compile('CommandLine=(.*)')
ScriptName_rex = re.compile('ScriptName=(.*)') ScriptName_rex = re.compile('ScriptName=(.*)')
EngineVersion_rex = re.compile('EngineVersion=(.*)') EngineVersion_rex = re.compile('EngineVersion=(.*)')
UserId_rex = re.compile('UserId=(.*)') UserId_rex = re.compile('UserId=(.*)')
ErrorMessage_rex = re.compile('ErrorMessage=(.*)') ErrorMessage_rex = re.compile('ErrorMessage=(.*)')
#======================
#TerminalServices Local Session Manager Logs # =======================
#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)') # 定义终端服务本地会话管理器日志的正则表达式
Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})') Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})')
User_Terminal_rex = re.compile('User: (.*)') User_Terminal_rex = re.compile('User: (.*)')
Session_ID_rex = re.compile('Session ID: (.*)') Session_ID_rex = re.compile('Session ID: (.*)')
#======================
#Microsoft-Windows-WinRM logs # =======================
# 定义 Microsoft-Windows-WinRM 日志的正则表达式
Connection_rex = re.compile("""The connection string is: (.*)""") Connection_rex = re.compile("""The connection string is: (.*)""")
#User_ID_rex=re.compile("""<Security UserID=\'(?<UserID>.*)\'\/><\/System>""")
#src_device_rex=re.compile("""<Computer>(?<src>.*)<\/Computer>""") # =======================
#====================== # 定义 Sysmon 日志的正则表达式
#Sysmon Logs
Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)") Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)")
Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)") Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)")
Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)") Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)")
@ -155,8 +200,9 @@ Sysmon_ParentCommandLine_rex=re.compile("ParentCommandLine: (.*)")
Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)") Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)")
Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)") Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)")
Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)") Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)")
#########
#Sysmon event ID 3 # =======================
# Sysmon 事件 ID 3 的正则表达式
Sysmon_Protocol_rex = re.compile("Protocol: (.*)") Sysmon_Protocol_rex = re.compile("Protocol: (.*)")
Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)") Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)")
Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)") Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)")
@ -164,8 +210,9 @@ Sysmon_SourcePort_rex=re.compile("SourcePort: (.*)")
Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)") Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)")
Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)") Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)")
Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)") Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)")
#########
#Sysmon event ID 8 # =======================
# Sysmon 事件 ID 8 的正则表达式
Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)") Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)")
Sysmon_StartModule_rex = re.compile("StartModule: (.*)") Sysmon_StartModule_rex = re.compile("StartModule: (.*)")
Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)") Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)")
@ -189,50 +236,40 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
""" """
if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0: if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0:
# 如果包含,使用包含更多字段的字典读取器
list2 = csv.DictReader(csvfile, list2 = csv.DictReader(csvfile,
fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber", fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber",
"EntryType", "Details", "Source", "ReplacementStrings", "InstanceId", "EntryType", "Details", "Source", "ReplacementStrings", "InstanceId",
'Date and Time', "TimeWritten", "UserName", "Site", "Container")) 'Date and Time', "TimeWritten", "UserName", "Site", "Container"))
else: else:
# 如果不包含,使用较少字段的字典读取器
list2 = csv.DictReader(csvfile, fieldnames=( list2 = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
# 遍历读取的每一行
for row in list2: for row in list2:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None: if row['Details'] == None:
continue continue
Logon_Type = Logon_Type_rex.findall(row['Details']) # 从 'Details' 字段中提取各种信息
Logon_Type = Logon_Type_rex.findall(row['Details']) # 登录类型
Account_Name = Account_Name_rex.findall(row['Details']) Account_Name = Account_Name_rex.findall(row['Details']) # 账户名称
Account_Domain = Account_Domain_rex.findall(row['Details']) # 账户域
Account_Domain = Account_Domain_rex.findall(row['Details']) Workstation_Name = Workstation_Name_rex.findall(row['Details']) # 工作站名称
Source_IP = Source_Network_Address_rex.findall(row['Details']) # 源网络地址
Workstation_Name = Workstation_Name_rex.findall(row['Details']) Logon_Process = Logon_Process_rex.findall(row['Details']) # 登录进程
Key_Length = Key_Length_rex.findall(row['Details']) # 密钥长度
Source_IP = Source_Network_Address_rex.findall(row['Details']) Security_ID = Security_ID_rex.findall(row['Details']) # 安全 ID
Group_Name = Group_Name_rex.findall(row['Details']) # 组名称
Logon_Process = Logon_Process_rex.findall(row['Details']) Task_Name = Task_Name_rex.findall(row['Details']) # 任务名称
Task_Command = Task_Command_rex.findall(row['Details']) # 任务命令
Key_Length = Key_Length_rex.findall(row['Details']) Task_args = Task_args_rex.findall(row['Details']) # 任务参数
Process_Name = Process_Name_sec_rex.findall(row['Details']) # 进程名称
Security_ID = Security_ID_rex.findall(row['Details']) Category = Category_sec_rex.findall(row['Details']) # 类别
Subcategory = Subcategory_rex.findall(row['Details']) # 子类别
Group_Name = Group_Name_rex.findall(row['Details']) Changes = Changes_rex.findall(row['Details']) # 更改
Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) # 进程命令行
Task_Name=Task_Name_rex.findall(row['Details'])
Task_Command = Task_Command_rex.findall(row['Details'])
Task_args= Task_args_rex.findall(row['Details'])
Process_Name=Process_Name_sec_rex.findall(row['Details'])
Category=Category_sec_rex.findall(row['Details'])
Subcategory=Subcategory_rex.findall(row['Details'])
Changes=Changes_rex.findall(row['Details'])
Process_Command_Line = Process_Command_Line_rex.findall(row['Details'])
#User Cretion using Net command #User Cretion using Net command
# 用户创建事件处理,使用 Net 命令 # 用户创建事件处理,使用 Net 命令
if row['Event ID']=="4688": if row['Event ID']=="4688":
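Review bot: The format sniff at the top of the hunk, `open(file_name, "r").read(1000)`, never closes the handle it opens, and `.find(...) > 0` misses a header that begins at offset 0 because find returns 0 there. Use a context manager and test against -1: `with open(file_name, "r") as probe:` / `    is_winevent_export = probe.read(1000).find('"InstanceId","TimeGenerated"') != -1` and branch on that flag. `csvfile` is opened before this hunk, so the probe reads the file a second time; if it is the same handle, seeking it back to 0 after the probe would avoid the extra open (inferred, the opening line is not visible here). Further down, `if row['Details'] == None:` should be `if row['Details'] is None:`, the identity check for the singleton. detect_events_security_log's body starts and ends outside this hunk.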
@ -339,15 +376,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
continue continue
# User Created through management interface # User Created through management interface
# 检查事件 ID 是否为 "4720",表示创建用户事件
if row['Event ID']=="4720": if row['Event ID']=="4720":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述,包含用户名称和创建的用户名
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
try: try:
Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )" Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )"
except: except:
# 如果生成描述失败,使用默认描述
Event_desc="User Created a new user " Event_desc="User Created a new user "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Created through management interface") Security_events[0]['Detection Rule'].append("User Created through management interface")
@ -357,13 +394,11 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Windows is shutting down # 检查事件 ID 是否为 "4609" 或 "1100",表示 Windows 关机事件
if row['Event ID']=="4609" or row['Event ID']=="1100": if row['Event ID']=="4609" or row['Event ID']=="1100":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
Event_desc="Windows is shutting down " Event_desc="Windows is shutting down "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Windows is shutting down") Security_events[0]['Detection Rule'].append("Windows is shutting down")
@ -373,24 +408,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# 检查事件 ID 是否为 "4732",表示用户被添加到本地组
# User added to local group
if row['Event ID']=="4732": if row['Event ID']=="4732":
# 生成事件描述,包含用户名称和组名称
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to local group ( " + Group_Name[0].strip() + " )")
try: try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )" Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )"
except: except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to local group") Security_events[0]['Detection Rule'].append("User added to local group")
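Review bot: The `except:` fallback for event 4732 still indexes `Account_Name[0]`, `Security_ID[1]` and `Group_Name[0]` with no guard, so a record whose Details lacks a second Security ID or a Group Name raises IndexError from the handler itself and aborts the whole file scan rather than skipping one event; the 4728 branch in the next hunk has the same shape. Narrow the clause to `except IndexError:` (a bare `except:` also swallows KeyboardInterrupt) and make the fallback total, e.g. `except IndexError:` / `    Event_desc = "User ( " + (Account_Name[0].strip() if Account_Name else "?") + " ) added User to local group"`. The 4732 fallback text also reads "to Global group" while the rule appended below is "User added to local group", so the Event Description contradicts the Detection Rule for that record; change it to "to local group". The enclosing loop body begins before this hunk.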
@ -400,17 +425,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to global group # 检查事件 ID 是否为 "4728",表示用户被添加到全局组
if row['Event ID'] == "4728": if row['Event ID'] == "4728":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to Global group ( " + Group_Name[0].strip() + " )")
try: try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )" Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )"
except: except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to global group") Security_events[0]['Detection Rule'].append("User added to global group")
@ -420,20 +442,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to universal group # 检查事件 ID 是否为 "4756",表示用户被添加到通用组
if row['Event ID'] == "4756": if row['Event ID'] == "4756":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(" to Universal group ( " + Group_Name[0].strip() + " )")
Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )" Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )"
else: else:
Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )"
#print(" to Universal group ( " + Account_Name[1].strip() + " )") # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to Universal group") Security_events[0]['Detection Rule'].append("User added to Universal group")
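Review bot: In the 4756 branch `Security_ID[1]` and `Account_Name[0]` are indexed without the try guard the 4728 branch gets, so a row with fewer extracted fields raises instead of producing a description. The `len(Group_Name)>0` check covers only the group name; the fallback then uses `Account_Name[1]` as the group, which, if the names are collected in message order, is presumably the Member's account rather than the group — worth confirming against a real 4756 record. The member parenthesis is also never closed; `" ) to Universal group ( "` would match the removal wording below.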
@ -443,20 +460,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from global group # 检查事件 ID 是否为 "4729",表示用户从全局组中移除
if row['Event ID'] == "4729": if row['Event ID'] == "4729":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(") from Global group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )" Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )"
else: else:
Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )"
#print(") from Global group ( " + Account_Name[1].strip() + " )") # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Global Group") Security_events[0]['Detection Rule'].append("User Removed from Global Group")
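Review bot: The 4729 description identifies the removed member by its SID (`Security_ID[1]`) while the 4728 description two hunks above uses the account name, so the report shows a readable name for additions and a raw `S-1-5-…` string for removals. Prefer the name when it was extracted, e.g. `member = Account_Name[1].strip() if len(Account_Name) > 1 else Security_ID[1].strip()`, and guard the index the same way, since `Security_ID[1]` is unguarded here. The enclosing function continues outside the hunk.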
@ -466,18 +478,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from universal group # 检查事件 ID 是否为 "4757",表示用户从通用组中移除
if row['Event ID'] == "4757": if row['Event ID'] == "4757":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(") from Universal group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )" Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )"
else: else:
#print(") from Universal group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Universal Group") Security_events[0]['Detection Rule'].append("User Removed from Universal Group")
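Review bot: The parallel lists in `Security_events[0]` are appended one column at a time, so if anything raises between the `'Date and Time'` append and the last append in this branch (for example `datetime.timestamp()` on an out-of-range date, or the unguarded `Security_ID[1]` above), the columns end up misaligned for every later event. Build the record first — parse the date once, compute the description, and only then append all columns — or append inside one guarded step. The same pattern repeats in every branch of this function, which starts and ends outside the hunk.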
@ -487,8 +496,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from local group # 检查事件 ID 是否为 "4733",表示用户从本地组中移除
if row['Event ID'] == "4733": if row['Event ID'] == "4733":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
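Review bot: The two commented-out `#print(...)` lines in the 4733 branch are kept while this same commit deletes their twins in the 4729 and 4757 branches, and the new `# 生成事件描述` comment now sits above dead code rather than above the description it announces. Drop the two dead lines so the branch reads like its siblings. The 4733 block continues past the end of this hunk.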
@ -498,9 +508,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
else: else:
#print(") from Local group ( " + Account_Name[1].strip() + " )") #print(") from Local group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Local Group") Security_events[0]['Detection Rule'].append("User Removed from Local Group")
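Review bot: `datetime.timestamp()` on the naive datetime returned by `strptime` interprets the value in the analysis host's local time zone, so the numeric `timestamp` column shifts if the CSV was exported on a machine in a different zone; nothing in the hunk records which zone the export used. Add a comment such as `# NOTE: naive datetime -> timestamp() assumes the CSV time zone equals this host's local zone` or attach an explicit tzinfo when the export zone is known. The `Date and Time` ISO string is unaffected since it carries no offset.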
@ -510,8 +518,8 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user removed group # user removed group
# 用户从组中移除
if row['Event ID'] == "4730": if row['Event ID'] == "4730":
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='') print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')
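Review bot: The 4730 branch still writes live `print(..., end='')` output to stdout while every sibling branch in this commit moved to a commented-out print plus `Event_desc`, so the tool prints half a line per 4730 event into whatever else is on the console. Comment these out like the others (`#print("##### " + row['Date and Time'] + " #### ", end='')`) or route them through a logger. The rest of the branch, including the part that completes the line, is outside this hunk.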
@ -523,7 +531,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )" Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )"
#print(") from Local group ( " + Account_Name[0].strip() + " )") #print(") from Local group ( " + Account_Name[0].strip() + " )")
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed Group") Security_events[0]['Detection Rule'].append("User Removed Group")
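Review bot: The description for event 4730 reads "removed Group ( … ) from Local group ( … )" and the rule is labelled "User Removed Group", but per the Windows Security auditing reference 4730 is "A security-enabled global group was deleted" — there is no local group involved, so an analyst reading the report gets the wrong picture; please confirm against the event catalogue. Something like `Event_desc = "User ( %s ) deleted security-enabled global group ( %s )" % (...)` and `Security_events[0]['Detection Rule'].append("Security-enabled global group deleted")` would match the event. The branch starts in the previous hunk.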
@ -534,12 +542,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user account removed # user account removed
# 用户账户被移除
if row['Event ID'] == "4726": if row['Event ID'] == "4726":
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed user ", end='') #print("User ( " + Account_Name[0].strip() + " ) removed user ", end='')
#print("( " + Account_Name[1].strip() + " )") #print("( " + Account_Name[1].strip() + " )")
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )" Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Account Removed") Security_events[0]['Detection Rule'].append("User Account Removed")
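Review bot: The 4726 description indexes `Account_Name[1]` with no guard, unlike the 4728 branch earlier in this function, so a deletion record where only one account name was extracted raises an IndexError mid-loop and — since the appends below have not run yet — aborts processing of the rest of the file unless an outer handler I cannot see catches it. Guard it the same way as 4728, e.g. `target = Account_Name[1].strip() if len(Account_Name) > 1 else "<unknown>"`. The enclosing loop continues outside the hunk.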
@ -550,24 +560,30 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Summary of process Execution # Summary of process Execution
# 进程执行的总结
if row['Event ID']=="4688": if row['Event ID']=="4688":
try: try:
# 检查进程命令行是否已在执行进程摘要中
if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']: if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']:
Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip()) Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip())
Executed_Process_Summary[0]['Number of Execution'].append(1) Executed_Process_Summary[0]['Number of Execution'].append(1)
else : else :
# 如果已存在,则更新执行次数
Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1 Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1
except: except:
continue continue
# 检查事件 ID 是否为 "4625",表示登录失败事件
if row['Event ID'] == "4625" : if row['Event ID'] == "4625" :
try: try:
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Failed Logins'].append(1) Security_Authentication_Summary[0]['Number of Failed Logins'].append(1)
Security_Authentication_Summary[0]['Number of Successful Logins'].append(0) Security_Authentication_Summary[0]['Number of Successful Logins'].append(0)
else : else :
try: try:
# 更新失败登录次数
Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['Number of Failed Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['Number of Failed Logins'][
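Review bot: The 4688 summary tests membership with the raw value (`if Process_Command_Line[0] not in ...`) but stores and looks up the stripped value, so any command line with leading or trailing whitespace never matches and is appended again with count 1 on every execution instead of incrementing. Strip once up front, `cmd = Process_Command_Line[0].strip()`, and use `cmd` for the test, the append and the `index()` call. The `except: continue` also skips every later rule in the loop for that row; if another rule further down (outside this hunk) also inspects 4688, a malformed command line silently hides it too — `except IndexError:` without `continue` would be safer.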
@ -577,44 +593,55 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
print(Security_Authentication_Summary[0]) print(Security_Authentication_Summary[0])
except: except:
continue continue
# password spray detection # password spray detection
# 密码喷洒检测
if row['Event ID'] == "4648" : if row['Event ID'] == "4648" :
try: try:
# 检查账户名称是否在 PasswordSpray 字典中
if Account_Name[0].strip() not in PasswordSpray: if Account_Name[0].strip() not in PasswordSpray:
PasswordSpray[Account_Name[0].strip()]=[] PasswordSpray[Account_Name[0].strip()]=[]
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
#else: #else:
# PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) # PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
# 检查第二个账户名称是否已在对应的 PasswordSpray 列表中
if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] : if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] :
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
except: except:
continue continue
#and (Logon_Type[0].strip()=="3" or Logon_Type[0].strip()=="10" or Logon_Type[0].strip()=="2" or Logon_Type[0].strip()=="8")
# 检查事件 ID 是否为 "4624",表示成功登录事件
if row['Event ID'] == "4624" : if row['Event ID'] == "4624" :
try: try:
#print(Account_Name[0]) #print(Account_Name[0])
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Successful Logins'].append(1) Security_Authentication_Summary[0]['Number of Successful Logins'].append(1)
Security_Authentication_Summary[0]['Number of Failed Logins'].append(0) Security_Authentication_Summary[0]['Number of Failed Logins'].append(0)
else : else :
# 更新成功登录次数
Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1 Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1
except: except:
continue continue
# detect pass the hash # detect pass the hash
# 检测哈希传递攻击
if row['Event ID'] == "4625" or row['Event ID'] == "4624": if row['Event ID'] == "4625" or row['Event ID'] == "4624":
# 检查登录类型和其他条件
if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0": if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0":
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print( #print(
# "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( # "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
# Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())) # Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()))
# 生成事件描述
Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()) Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected")
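Review bot: The pass-the-hash rule fires whenever a 4624 or 4625 shows Logon Type 3, `NtLmSsp` and Key Length 0, and labels it "Detected", but Key Length 0 only means no NTLM session-security key was negotiated, which some legitimate NTLM clients also produce, so this is a heuristic that will raise false positives in NTLM-heavy environments and also flags failed attempts. Document that in the code, e.g. `# Heuristic: NTLM network logon with no session key (Key Length 0) — also seen for legacy NTLM clients; treat hits as leads, not proof`, and consider labelling 4625 hits as attempts rather than detections. Whether the `PasswordSpray` map collected above is ever thresholded is not visible in this hunk.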
@ -625,14 +652,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Audit log cleared # Audit log cleared
# 审计日志被清除
if row['Event ID'] == "517" or row['Event ID'] == "1102": if row['Event ID'] == "517" or row['Event ID'] == "1102":
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"Audit log cleared by user ( %s )" % ( "Audit log cleared by user ( %s )" % (
Account_Name[0].strip())) Account_Name[0].strip()))
""" """
# 生成事件描述
Event_desc = "Audit log cleared by user ( %s )" % ( Event_desc = "Audit log cleared by user ( %s )" % (
Account_Name[0].strip()) Account_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Audit log cleared") Security_events[0]['Detection Rule'].append("Audit log cleared")
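Review bot: The disabled print block for 517/1102 is kept as a bare triple-quoted string expression, which is an executed no-op statement rather than a comment and reads as a stray docstring; delete it or turn it into `#` lines like the other branches. `Account_Name[0]` is also indexed with no guard here while the 4719 branch below wraps its description in a try. Event 1102 normally carries the Subject account, so the description is otherwise fine.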
@ -643,13 +673,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Suspicious Attempt to enumerate users or groups # Suspicious Attempt to enumerate users or groups
# 可疑的用户或组枚举尝试
if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1: if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % ( "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (
Account_Name[0].strip(),Process_Name[0].strip())) Account_Name[0].strip(),Process_Name[0].strip()))
""" """
# 生成事件描述
Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip()) Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups")
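Review bot: Operator precedence defeats the svchost exclusion on the 4798/4799 condition: `and` binds tighter than `or`, so it parses as `4798 or (4799 and not svchost)`, and every 4798 event is reported regardless of the process that generated it. Rewrite it as `if row['Event ID'] in ("4798", "4799") and row['Details'].find("System32\\svchost.exe") == -1:`. The same string-literal print block above it is a no-op expression statement and can go.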
@ -660,17 +693,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# System audit policy was changed # System audit policy was changed
# 系统审计策略已更改
if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" : if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" :
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( "System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (
Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())) Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()))
""" """
try : try :
Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()) # 生成事件描述
Event_desc ="System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())
except : except :
Event_desc = "System audit policy was changed by user" Event_desc = "System audit policy was changed by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("System audit policy was changed") Security_events[0]['Detection Rule'].append("System audit policy was changed")
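Review bot: The 4719 rule drops every change whose Subject Security ID is `S-1-5-18`/`SYSTEM`, which suppresses Group Policy noise but also hides an attacker running `auditpol` in SYSTEM context (for example through a service or PsExec -s), so the suppression is a deliberate detection gap and should say so: `# Excludes SYSTEM (S-1-5-18) to suppress Group Policy refreshes; audit-policy tampering performed as SYSTEM will NOT be reported`. The bare `except:` around the description could be `except IndexError:` since a missing field is the only failure it is meant to absorb. The enclosing loop continues outside the hunk.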
@ -681,14 +716,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# scheduled task created # scheduled task created
# 创建计划任务
if row['Event ID']=="4698" : if row['Event ID']=="4698" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try: try:
# 生成事件描述
Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task created by user" Event_desc = "schedule task created by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task created") Security_events[0]['Detection Rule'].append("schedule task created")
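Review bot: The 4698 description is built under a bare `except:` that turns any error — including a KeyboardInterrupt — into the generic "schedule task created by user" text, so the only realistic failure (a missing field) should be caught explicitly with `except IndexError:`. `Task_Command[0]` and `Task_args[0]` are also embedded unstripped, unlike the account and task names beside them, so the stored description may carry stray whitespace or newlines from the task XML. The surrounding function starts and ends outside this hunk.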
@ -699,14 +736,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# scheduled task deleted # scheduled task deleted
# 删除计划任务
if row['Event ID']=="1699" : if row['Event ID']=="1699" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task deleted by user" Event_desc = "schedule task deleted by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task deleted") Security_events[0]['Detection Rule'].append("schedule task deleted")
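Review bot: The "scheduled task deleted" rule matches Event ID `"1699"`, which does not belong to the 4698/4700/4701/4702 scheduled-task family used by the neighbouring branches; the deletion event in that family is 4699, so this looks like a typo that makes the rule never fire — please confirm against the event catalogue and change it to `if row['Event ID']=="4699" :`. As in the sibling branches, the bare `except:` would be better as `except IndexError:`.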
@ -717,14 +756,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task updated # schedule task updated
# 更新计划任务
if row['Event ID']=="4702" : if row['Event ID']=="4702" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try: try:
# 生成事件描述
Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task updated by user" Event_desc = "schedule task updated by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task updated") Security_events[0]['Detection Rule'].append("schedule task updated")
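Review bot: The 4702 branch parses `row['Date and Time']` twice with the same format, once for the ISO string and once for the timestamp, as does every other branch in this function. Parse once and reuse it: `when = datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')`, `Security_events[0]['Date and Time'].append(when.isoformat())`, `Security_events[0]['timestamp'].append(when.timestamp())`. That also gives a single place to attach a tzinfo if the export zone is known.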
@ -734,15 +775,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task enabled # schedule task enabled
# 启用计划任务
if row['Event ID']=="4700" : if row['Event ID']=="4700" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task enabled by user" Event_desc = "schedule task enabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task enabled") Security_events[0]['Detection Rule'].append("schedule task enabled")
@ -753,14 +798,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task disabled # schedule task disabled
# 禁用计划任务
if row['Event ID']=="4701" : if row['Event ID']=="4701" :
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task disabled by user" Event_desc = "schedule task disabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task disabled") Security_events[0]['Detection Rule'].append("schedule task disabled")
@ -771,16 +819,25 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
for user in PasswordSpray: for user in PasswordSpray:
# 检查用户的密码喷洒尝试次数是否超过3次
if len(PasswordSpray[user])>3: if len(PasswordSpray[user])>3:
# 生成事件描述
Event_desc = "Password Spray Detected by user ( "+user+" )" Event_desc = "Password Spray Detected by user ( "+user+" )"
# 将当前时间戳添加到事件列表中
Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now())) Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now()))
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now())) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now()))
# 添加检测规则
Security_events[0]['Detection Rule'].append("Password Spray Detected") Security_events[0]['Detection Rule'].append("Password Spray Detected")
# 添加检测领域
Security_events[0]['Detection Domain'].append("Threat") Security_events[0]['Detection Domain'].append("Threat")
# 添加事件严重性
Security_events[0]['Severity'].append("High") Security_events[0]['Severity'].append("High")
# 添加事件描述
Security_events[0]['Event Description'].append(Event_desc) Security_events[0]['Event Description'].append(Event_desc)
# 添加事件ID
Security_events[0]['Event ID'].append("4648") Security_events[0]['Event ID'].append("4648")
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password sparay attack using usernames ( "+",".join(PasswordSpray[user])+" )") # 添加原始事件日志
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password spray attack using usernames ( "+",".join(PasswordSpray[user])+" )")
def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False): def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False):
@ -790,20 +847,24 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
else: else:
list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties")) list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties"))
""" """
# 检查文件内容以确定使用的字段名
if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0: if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0:
# 使用较长的字段名列表
list = csv.DictReader(csvfile, fieldnames=( list = csv.DictReader(csvfile, fieldnames=(
"Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId", "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
"ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
"ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
"OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties")) "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
else: else:
# 使用较短的字段名列表
list = csv.DictReader(csvfile, fieldnames=( list = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
for row in list: for row in list:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None: if row['Details'] == None:
continue continue
# 从 'Details' 字段中提取信息
Name = Name_rex.findall(row['Details']) Name = Name_rex.findall(row['Details'])
Severity = Severity_rex.findall(row['Details']) Severity = Severity_rex.findall(row['Details'])
Category = Category_rex.findall(row['Details']) Category = Category_rex.findall(row['Details'])
@ -812,11 +873,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Process_Name = Process_Name_rex.findall(row['Details']) Process_Name = Process_Name_rex.findall(row['Details'])
Action = Action_rex.findall(row['Details']) Action = Action_rex.findall(row['Details'])
#Windows Defender took action against Malware # Windows Defender 对恶意软件采取了行动
if row['Event ID'] == "1117" or row['Event ID'] == "1007": if row['Event ID'] == "1117" or row['Event ID'] == "1007":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print(" Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) Event_desc = "Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
Event_desc="Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0].strip()) # 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware")
@ -826,13 +887,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
#Windows Defender failed to take action against Malware # Windows Defender 未能对恶意软件采取行动
if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119": if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware")
@ -842,11 +901,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# Windows Defender 发现恶意软件
if row['Event ID'] == "1116" or row['Event ID'] == "1006": if row['Event ID'] == "1116" or row['Event ID'] == "1006":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print(" Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware")
@ -860,6 +919,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0])) #print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0]))
# Windows Defender 删除了恶意软件的历史记录 - 详细信息:用户
Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0]) Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -874,6 +934,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) #print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
# Windows Defender 检测到可疑行为的恶意软件 - 详细信息
Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -888,6 +949,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("Windows Defender real-time protection disabled") #print("Windows Defender real-time protection disabled")
# Windows Defender 实时保护已禁用
Event_desc = "Windows Defender real-time protection disabled" Event_desc = "Windows Defender real-time protection disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -902,6 +964,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender real-time protection configuration changed") #print(" Windows Defender real-time protection configuration changed")
# Windows Defender 实时保护配置已更改
Event_desc = "Windows Defender real-time protection configuration changed" Event_desc = "Windows Defender real-time protection configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -916,6 +979,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender antimalware platform configuration changed") #print(" Windows Defender antimalware platform configuration changed")
# Windows Defender 反恶意软件平台配置已更改
Event_desc = "Windows Defender antimalware platform configuration changed" Event_desc = "Windows Defender antimalware platform configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -930,6 +994,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender scanning for malware is disabled") #print(" Windows Defender scanning for malware is disabled")
# Windows Defender 扫描恶意软件已禁用
Event_desc = "Windows Defender scanning for malware is disabled" Event_desc = "Windows Defender scanning for malware is disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -940,6 +1005,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
if row['Event ID'] == "5012" : if row['Event ID'] == "5012" :
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
print(" Windows Defender scanning for viruses is disabled") print(" Windows Defender scanning for viruses is disabled")
