
郭吉民 7 months ago
parent 4cbd982f74
commit 32e37585cd

@ -8,87 +8,134 @@ minlength=1000
account_op={}
PasswordSpray={}
# 定义可疑的可执行文件列表
Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe']
# 定义可疑的 PowerShell 命令列表
Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','DownloadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Do
wnload_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden']
# 定义 PowerShell 参数列表
Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"]
# 定义终端服务摘要
TerminalServices_Summary=[{'User':[],'Number of Logins':[]}]
# 定义安全认证摘要
Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}]
# 定义执行进程摘要
Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}]
# 定义关键服务列表
critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"]
# 定义 Sysmon 事件结构
Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 WinRM 事件结构
WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义安全事件结构
Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义系统事件结构
System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义计划任务事件结构
ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 事件结构
Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 操作事件结构
Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义终端服务事件结构
TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Windows Defender 事件结构
Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Timesketch 事件结构
Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}]
#=======================
#Regex for security logs
# 定义安全日志的正则表达式
Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)
#Account_Name_rex = re.compile('Account Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义账户名称的正则表达式
Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE)
# 定义安全 ID 的正则表达式
Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE)
# 定义账户域的正则表达式
Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE)
# 定义工作站名称的正则表达式
Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义源网络地址的正则表达式
Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE)
# 定义登录进程的正则表达式
Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE)
# 定义密钥长度的正则表达式
Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE)
# 定义进程命令行的正则表达式
Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE)
# 定义组名称的正则表达式
Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义任务名称的正则表达式
Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE)
# 定义任务命令的正则表达式
Task_Command_rex = re.compile('<Command>(.*)</Command>', re.IGNORECASE)
# 定义任务参数的正则表达式
Task_args_rex = re.compile('<Arguments>(.*)</Arguments>', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE)
# 定义子类别的正则表达式
Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE)
# 定义更改的正则表达式
Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE)
# =======================
#Regex for windows defender logs
# 定义 Windows Defender 日志的正则表达式
Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE)
# 定义严重性级别的正则表达式
Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE)
# 定义路径的正则表达式
Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE)
# 定义用户的正则表达式
Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE)
# 定义操作的正则表达式
Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE)
# =======================
#Regex for system logs
# 定义系统日志的正则表达式
Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE)
Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE)
Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE)
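Review bot: Several entries in `Suspicious_executables` on the `Suspicious_executables=[...]` line carry a leading space (`' dcom.exe'`, `' Inveigh.exe'`, … `' WExec.exe'`), so whichever matching the consumers do — equality or substring — they behave differently from the un-spaced entries, and a path such as `\tools\dcom.exe` is presumably missed; the consumer is outside this hunk, so the effect is inferred. Fixing the literals, or normalising once with `Suspicious_executables=[e.strip() for e in Suspicious_executables]`, keeps the list uniform. `Suspicious_powershell_commands` also repeats entries (`'Get-PSADForestInfo'`, `'Get-KerberosPolicy'`, `'Discover-PSMSExchangeServers'`, `'Discover-PSInterestingServices'`), which is harmless but obscures the rule set. Separately, the security-log patterns such as `Logon_Type_rex` and `Key_Length_rex` put `\d` inside ordinary string literals, which is an invalid escape (a SyntaxWarning on current Python); raw strings, `re.compile(r'Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)`, are the conventional form for every pattern in this block.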
@ -97,16 +144,14 @@ Service_and_state_rex = re.compile('The (.*) service entered the (.*) state\.',
StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE)
Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE)
# =======================
#Regex for task scheduler logs
# 定义任务调度程序日志的正则表达式
task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE)
#======================
#Regex for powershell operational logs
# =======================
# 定义 PowerShell 操作日志的正则表达式
Host_Application_rex = re.compile('Host Application = (.*)')
Command_Name_rex = re.compile('Command Name = (.*)')
Command_Type_rex = re.compile('Command Type = (.*)')
@ -114,27 +159,27 @@ Engine_Version_rex = re.compile('Engine Version = (.*)')
User_rex = re.compile('User = (.*)')
Error_Message_rex = re.compile('Error Message = (.*)')
#======================
#Regex for powershell logs
# =======================
# 定义 PowerShell 日志的正则表达式
HostApplication_rex = re.compile('HostApplication=(.*)')
CommandLine_rex = re.compile('CommandLine=(.*)')
ScriptName_rex = re.compile('ScriptName=(.*)')
EngineVersion_rex = re.compile('EngineVersion=(.*)')
UserId_rex = re.compile('UserId=(.*)')
ErrorMessage_rex = re.compile('ErrorMessage=(.*)')
#======================
#TerminalServices Local Session Manager Logs
#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)')
# =======================
# 定义终端服务本地会话管理器日志的正则表达式
Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})')
User_Terminal_rex = re.compile('User: (.*)')
Session_ID_rex = re.compile('Session ID: (.*)')
#======================
#Microsoft-Windows-WinRM logs
# =======================
# 定义 Microsoft-Windows-WinRM 日志的正则表达式
Connection_rex = re.compile("""The connection string is: (.*)""")
#User_ID_rex=re.compile("""<Security UserID=\'(?<UserID>.*)\'\/><\/System>""")
#src_device_rex=re.compile("""<Computer>(?<src>.*)<\/Computer>""")
#======================
#Sysmon Logs
# =======================
# 定义 Sysmon 日志的正则表达式
Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)")
Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)")
Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)")
@ -155,8 +200,9 @@ Sysmon_ParentCommandLine_rex=re.compile("ParentCommandLine: (.*)")
Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)")
Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)")
Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)")
#########
#Sysmon event ID 3
# =======================
# Sysmon 事件 ID 3 的正则表达式
Sysmon_Protocol_rex = re.compile("Protocol: (.*)")
Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)")
Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)")
@ -164,8 +210,9 @@ Sysmon_SourcePort_rex=re.compile("SourcePort: (.*)")
Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)")
Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)")
Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)")
#########
#Sysmon event ID 8
# =======================
# Sysmon 事件 ID 8 的正则表达式
Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)")
Sysmon_StartModule_rex = re.compile("StartModule: (.*)")
Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)")
@ -189,50 +236,40 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
"""
if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0:
# 如果包含,使用包含更多字段的字典读取器
list2 = csv.DictReader(csvfile,
fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber",
"EntryType", "Details", "Source", "ReplacementStrings", "InstanceId",
'Date and Time', "TimeWritten", "UserName", "Site", "Container"))
else:
# 如果不包含,使用较少字段的字典读取器
list2 = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
# 遍历读取的每一行
for row in list2:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None:
continue
Logon_Type = Logon_Type_rex.findall(row['Details'])
Account_Name = Account_Name_rex.findall(row['Details'])
Account_Domain = Account_Domain_rex.findall(row['Details'])
Workstation_Name = Workstation_Name_rex.findall(row['Details'])
Source_IP = Source_Network_Address_rex.findall(row['Details'])
Logon_Process = Logon_Process_rex.findall(row['Details'])
Key_Length = Key_Length_rex.findall(row['Details'])
Security_ID = Security_ID_rex.findall(row['Details'])
Group_Name = Group_Name_rex.findall(row['Details'])
Task_Name=Task_Name_rex.findall(row['Details'])
Task_Command = Task_Command_rex.findall(row['Details'])
Task_args= Task_args_rex.findall(row['Details'])
Process_Name=Process_Name_sec_rex.findall(row['Details'])
Category=Category_sec_rex.findall(row['Details'])
Subcategory=Subcategory_rex.findall(row['Details'])
Changes=Changes_rex.findall(row['Details'])
Process_Command_Line = Process_Command_Line_rex.findall(row['Details'])
# 从 'Details' 字段中提取各种信息
Logon_Type = Logon_Type_rex.findall(row['Details']) # 登录类型
Account_Name = Account_Name_rex.findall(row['Details']) # 账户名称
Account_Domain = Account_Domain_rex.findall(row['Details']) # 账户域
Workstation_Name = Workstation_Name_rex.findall(row['Details']) # 工作站名称
Source_IP = Source_Network_Address_rex.findall(row['Details']) # 源网络地址
Logon_Process = Logon_Process_rex.findall(row['Details']) # 登录进程
Key_Length = Key_Length_rex.findall(row['Details']) # 密钥长度
Security_ID = Security_ID_rex.findall(row['Details']) # 安全 ID
Group_Name = Group_Name_rex.findall(row['Details']) # 组名称
Task_Name = Task_Name_rex.findall(row['Details']) # 任务名称
Task_Command = Task_Command_rex.findall(row['Details']) # 任务命令
Task_args = Task_args_rex.findall(row['Details']) # 任务参数
Process_Name = Process_Name_sec_rex.findall(row['Details']) # 进程名称
Category = Category_sec_rex.findall(row['Details']) # 类别
Subcategory = Subcategory_rex.findall(row['Details']) # 子类别
Changes = Changes_rex.findall(row['Details']) # 更改
Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) # 进程命令行
#User Cretion using Net command
# 用户创建事件处理,使用 Net 命令
if row['Event ID']=="4688":
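Review bot: The format probe `open(file_name, "r").read(1000)` near the top of the hunk opens the file a second time and never closes it, so the handle lives until garbage collection; `csvfile` used by both `csv.DictReader` calls is bound outside the hunk, as is the start of `detect_events_security_log`. A context manager keeps the probe self-contained: `with open(file_name, "r") as probe:` / `winevent_format = probe.read(1000).find("\"InstanceId\",\"TimeGenerated\"") >= 0`, then branch on `if winevent_format:`. The existing `> 0` comparison treats a marker at offset 0 as absent; with the fieldnames shown that offset is unlikely, but `>= 0` is the safe form. The `row['Details'] == None` check further down is idiomatically `row['Details'] is None`.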
@ -339,15 +376,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
continue
# User Created through management interface
# 检查事件 ID 是否为 "4720",表示创建用户事件
if row['Event ID']=="4720":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
# 生成事件描述,包含用户名称和创建的用户名
try:
Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )"
except:
# 如果生成描述失败,使用默认描述
Event_desc="User Created a new user "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Created through management interface")
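Review bot: The `except:` guarding the 4720 `Event_desc` construction is bare, so it swallows `KeyboardInterrupt` and `SystemExit` along with the `IndexError` it is meant to catch; the same pattern recurs in the 4732, 4728, 4688-summary, 4625, 4648 and 4624 hunks below, where it is paired with `continue` and drops the row with no record of the skip. Narrowing it, `except IndexError:`, keeps the fallback behaviour while letting unexpected errors surface. Where the handler continues, a counter or a `logging` call naming the skipped row's `Event ID` would make dropped rows visible to whoever reads the resulting summary.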
@ -357,13 +394,11 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Windows is shutting down
# 检查事件 ID 是否为 "4609" 或 "1100",表示 Windows 关机事件
if row['Event ID']=="4609" or row['Event ID']=="1100":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
# 生成事件描述
Event_desc="Windows is shutting down "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Windows is shutting down")
@ -373,24 +408,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# User added to local group
# 检查事件 ID 是否为 "4732",表示用户被添加到本地组
if row['Event ID']=="4732":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to local group ( " + Group_Name[0].strip() + " )")
# 生成事件描述,包含用户名称和组名称
try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )"
except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to local group")
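Review bot: In the 4732 handler the fallback in the `except` branch builds its message from `Security_ID[1]` and `Account_Name[0]`, so a row where those lists are short raises `IndexError` from inside the handler and aborts the whole parse instead of being skipped; the 4728 hunk below has the same shape. The fallback text also says `to Global group` although the rule recorded two lines later is `User added to local group`, and the primary message `... added User ( " + Account_Name[1].strip() + " to local group ( "` never closes the `( ` opened before the user name. A guarded fallback, `except IndexError:` / `Event_desc = "User added to local group ( " + (Group_Name[0].strip() if Group_Name else "unknown") + " )"`, cannot raise and names the right group type.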
@ -400,17 +425,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to global group
# 检查事件 ID 是否为 "4728",表示用户被添加到全局组
if row['Event ID'] == "4728":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to Global group ( " + Group_Name[0].strip() + " )")
# 生成事件描述
try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )"
except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to global group")
@ -420,20 +442,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to universal group
# 检查事件 ID 是否为 "4756",表示用户被添加到通用组
if row['Event ID'] == "4756":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
# 生成事件描述
Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip()
if len(Group_Name)>0:
#print(" to Universal group ( " + Group_Name[0].strip() + " )")
Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )"
else:
Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )"
#print(" to Universal group ( " + Account_Name[1].strip() + " )")
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to Universal group")
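Review bot: The 4756 handler indexes `Account_Name[0]` and `Security_ID[1]` on the `Event_desc =` line with no `try` and no length check, so a single row lacking a second Security ID raises `IndexError` and ends the whole loop; the 4729, 4757 and 4733 hunks below open their handlers the same way. A guard before the message, `if len(Account_Name) < 2 or len(Security_ID) < 2:` / `continue`, turns a malformed row into a skipped one (the `else` branch later reads `Account_Name[1]`, hence the two-element requirement). Whether the Details field of these events always carries two Security ID lines is not visible here, so the guard is cheap insurance either way.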
@ -443,20 +460,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from global group
# 检查事件 ID 是否为 "4729",表示用户从全局组中移除
if row['Event ID'] == "4729":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
# 生成事件描述
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0:
#print(") from Global group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )"
else:
Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )"
#print(") from Global group ( " + Account_Name[1].strip() + " )")
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Global Group")
@ -466,18 +478,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from universal group
# 检查事件 ID 是否为 "4757",表示用户从通用组中移除
if row['Event ID'] == "4757":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
# 生成事件描述
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0:
#print(") from Universal group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )"
else:
#print(") from Universal group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Universal Group")
@ -487,8 +496,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from local group
# 检查事件 ID 是否为 "4733",表示用户从本地组中移除
if row['Event ID'] == "4733":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
@ -498,9 +508,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
else:
#print(") from Local group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Local Group")
@ -510,8 +518,8 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user removed group
# 用户从组中移除
if row['Event ID'] == "4730":
print("##### " + row['Date and Time'] + " #### ", end='')
print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')
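Review bot: The two `print(...)` calls under `if row['Event ID'] == "4730":` are live, unlike the sibling handlers in this commit where the equivalent lines are commented out, so every 4730 row is echoed to stdout in addition to being recorded in `Security_events`; whether this pair is on the old or the new side is not recoverable from the page, so treat this as a check. If they are meant to stay, `Account_Name[0]` on the second one is unguarded and a row without an Account Name field raises `IndexError` here. Commenting them out like the others, `#print("##### " + row['Date and Time'] + " #### ", end='')`, keeps the output consistent.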
@ -523,7 +531,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )"
#print(") from Local group ( " + Account_Name[0].strip() + " )")
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed Group")
@ -534,12 +542,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user account removed
# 用户账户被移除
if row['Event ID'] == "4726":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed user ", end='')
#print("( " + Account_Name[1].strip() + " )")
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Account Removed")
@ -550,24 +560,30 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Summary of process Execution
# 进程执行的总结
if row['Event ID']=="4688":
try:
# 检查进程命令行是否已在执行进程摘要中
if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']:
Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip())
Executed_Process_Summary[0]['Number of Execution'].append(1)
else :
# 如果已存在,则更新执行次数
Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1
except:
continue
# 检查事件 ID 是否为 "4625",表示登录失败事件
if row['Event ID'] == "4625" :
try:
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Failed Logins'].append(1)
Security_Authentication_Summary[0]['Number of Successful Logins'].append(0)
else :
try:
# 更新失败登录次数
Security_Authentication_Summary[0]['Number of Failed Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Failed Logins'][
@ -577,44 +593,55 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
print(Security_Authentication_Summary[0])
except:
continue
# password spray detection
# 密码喷洒检测
if row['Event ID'] == "4648" :
try:
# 检查账户名称是否在 PasswordSpray 字典中
if Account_Name[0].strip() not in PasswordSpray:
PasswordSpray[Account_Name[0].strip()]=[]
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
#else:
# PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
# 检查第二个账户名称是否已在对应的 PasswordSpray 列表中
if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] :
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
except:
continue
#and (Logon_Type[0].strip()=="3" or Logon_Type[0].strip()=="10" or Logon_Type[0].strip()=="2" or Logon_Type[0].strip()=="8")
# 检查事件 ID 是否为 "4624",表示成功登录事件
if row['Event ID'] == "4624" :
try:
#print(Account_Name[0])
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Successful Logins'].append(1)
Security_Authentication_Summary[0]['Number of Failed Logins'].append(0)
else :
# 更新成功登录次数
Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1
except:
continue
# detect pass the hash
# 检测哈希传递攻击
if row['Event ID'] == "4625" or row['Event ID'] == "4624":
# 检查登录类型和其他条件
if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(
# "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
# Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()))
# 生成事件描述
Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected")
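Review bot: `print(Security_Authentication_Summary[0])` at the top of this hunk sits in the 4625 branch that increments an existing user's failed-login count, so the entire summary is dumped to stdout once per repeated failure — on a log with many 4625 rows that becomes most of the output; the enclosing `try`/`else` opens in the previous hunk. Removing that line, or replacing it with a debug-level log call, keeps the summary to its final state. Further down, the pass-the-hash check on 4624/4625 reads `Logon_Type[0]`, `Logon_Process[0]` and `Key_Length[0]` with no guard, while the neighbouring 4624 summary block wraps its indexing in `try`; a row without these fields raises `IndexError` out of the loop.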
@ -625,14 +652,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Audit log cleared
# 审计日志被清除
if row['Event ID'] == "517" or row['Event ID'] == "1102":
"""print("##### " + row['Date and Time'] + " #### ", end='')
print(
"Audit log cleared by user ( %s )" % (
Account_Name[0].strip()))
"""
# 生成事件描述
Event_desc = "Audit log cleared by user ( %s )" % (
Account_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Audit log cleared")
@ -643,13 +673,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Suspicious Attempt to enumerate users or groups
# 可疑的用户或组枚举尝试
if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:
"""print("##### " + row['Date and Time'] + " #### ", end='')
print(
"Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (
Account_Name[0].strip(),Process_Name[0].strip()))
"""
# 生成事件描述
Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups")
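Review bot: The condition `if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:` parses as `4798 or (4799 and not-svchost)` because `and` binds tighter than `or`, so the svchost.exe exclusion never applies to 4798 and every 4798 event is reported as suspicious enumeration. Parenthesise the event-ID test, e.g. `if row['Event ID'] in ("4798", "4799") and row['Details'].find("System32\\svchost.exe") == -1:`. This is pre-existing logic the commit carries over unchanged; the enclosing detect_events_security_log body continues outside the hunk.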
@ -660,17 +693,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# System audit policy was changed
# 系统审计策略已更改
if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" :
"""print("##### " + row['Date and Time'] + " #### ", end='')
print(
"System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (
"System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (
Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()))
"""
try :
Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())
# 生成事件描述
Event_desc ="System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())
except :
Event_desc = "System audit policy was changed by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("System audit policy was changed")
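Review bot: The bare `except :` after the `try :` that builds Event_desc swallows every exception, including KeyboardInterrupt, to guard what can only be an IndexError on the `[0]` lookups of the regex results. Narrow it to `except IndexError:` so a genuine bug (a misspelled name, a non-string row) surfaces instead of silently producing the generic "System audit policy was changed by user" description. The same bare `except:` appears in the scheduled-task hunks for 4698, 1699, 4702, 4700 and 4701 below. The enclosing function body continues outside the hunk.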
@ -681,14 +716,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# scheduled task created
# 创建计划任务
if row['Event ID']=="4698" :
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try:
# 生成事件描述
Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except:
Event_desc = "schedule task created by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task created")
@ -699,14 +736,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# scheduled task deleted
# 删除计划任务
if row['Event ID']=="1699" :
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try :
# 生成事件描述
Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except:
Event_desc = "schedule task deleted by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task deleted")
@ -717,14 +756,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task updated
# 更新计划任务
if row['Event ID']=="4702" :
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try:
# 生成事件描述
Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except:
Event_desc = "schedule task updated by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task updated")
@ -734,15 +775,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task enabled
# 启用计划任务
if row['Event ID']=="4700" :
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try :
# 生成事件描述
Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except:
Event_desc = "schedule task enabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task enabled")
@ -753,14 +798,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task disabled
# 禁用计划任务
if row['Event ID']=="4701" :
print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try :
# 生成事件描述
Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except:
Event_desc = "schedule task disabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task disabled")
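Review bot: `print("##### " + row['Date and Time'] + " #### ", end='')` in the 4701 branch is still live, while the same line is commented out in every sibling branch (4698, 1699, 4702, 4700), so each scheduled-task-disabled event writes a partial header to stdout with no trailing newline. Comment it out like the others (`#print("##### " + row['Date and Time'] + " #### ", end='')`) or drop it, since the event is already recorded in Security_events. The function body continues outside the hunk.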
@ -771,16 +819,25 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
for user in PasswordSpray:
# 检查用户的密码喷洒尝试次数是否超过3次
if len(PasswordSpray[user])>3:
# 生成事件描述
Event_desc = "Password Spray Detected by user ( "+user+" )"
# 将当前时间戳添加到事件列表中
Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now()))
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now()))
# 添加检测规则
Security_events[0]['Detection Rule'].append("Password Spray Detected")
# 添加检测领域
Security_events[0]['Detection Domain'].append("Threat")
# 添加事件严重性
Security_events[0]['Severity'].append("High")
# 添加事件描述
Security_events[0]['Event Description'].append(Event_desc)
# 添加事件ID
Security_events[0]['Event ID'].append("4648")
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password sparay attack using usernames ( "+",".join(PasswordSpray[user])+" )")
# 添加原始事件日志
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password spray attack using usernames ( "+",".join(PasswordSpray[user])+" )")
def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False):
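Review bot: In the Password Spray loop, `Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now()))` appends a float epoch where every other detection appends an ISO-8601 string, and both columns record the analysis time rather than the time of the 4648 events that triggered the rule. At minimum use `Security_events[0]['Date and Time'].append(datetime.now().isoformat())` so the column stays homogeneous for whatever consumes it; better, carry the last attempt's event time along when PasswordSpray is populated (that code is outside the hunk). The loop's enclosing function starts outside the hunk.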
@ -790,20 +847,24 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
else:
list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties"))
"""
# 检查文件内容以确定使用的字段名
if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0:
# 使用较长的字段名列表
list = csv.DictReader(csvfile, fieldnames=(
"Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
"ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
"ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
"OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
else:
# 使用较短的字段名列表
list = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
for row in list:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None:
continue
# 从 'Details' 字段中提取信息
Name = Name_rex.findall(row['Details'])
Severity = Severity_rex.findall(row['Details'])
Category = Category_rex.findall(row['Details'])
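Review bot: `open(file_name, "r").read(1000)` in the field-name probe never closes the handle it opens (the file is opened a second time while `csvfile` is already open), and `list = csv.DictReader(...)` shadows the builtin `list` for the rest of the function. Probe with `with open(file_name, "r") as probe: header = probe.read(1000)` and rename the reader to e.g. `reader`; `if row['Details'] == None:` should be `if row['Details'] is None:`. The function's opening lines are outside the hunk.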
@ -812,11 +873,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Process_Name = Process_Name_rex.findall(row['Details'])
Action = Action_rex.findall(row['Details'])
#Windows Defender took action against Malware
# Windows Defender 对恶意软件采取了行动
if row['Event ID'] == "1117" or row['Event ID'] == "1007":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
Event_desc="Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0].strip())
# 生成事件描述
Event_desc = "Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware")
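Review bot: The rewritten `Event_desc = ...` for events 1117/1007 passes `User[0]` unstripped while the line it replaces used `User[0].strip()`, and the other six fields on the same line are stripped, so the user value may now carry surrounding whitespace into the description. Restore `User[0].strip()` for consistency. The same unstripped `User[0]` appears in the 1118/1008/1119 and 1116/1006 descriptions in the next hunks. The function body continues outside the hunk.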
@ -826,13 +887,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
#Windows Defender failed to take action against Malware
# Windows Defender 未能对恶意软件采取行动
if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
# 生成事件描述
Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware")
@ -842,11 +901,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# Windows Defender 发现恶意软件
if row['Event ID'] == "1116" or row['Event ID'] == "1006":
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
# 生成事件描述
Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware")
@ -860,6 +919,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0]))
# Windows Defender 删除了恶意软件的历史记录 - 详细信息:用户
Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -874,6 +934,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
# Windows Defender 检测到可疑行为的恶意软件 - 详细信息
Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -888,6 +949,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("Windows Defender real-time protection disabled")
# Windows Defender 实时保护已禁用
Event_desc = "Windows Defender real-time protection disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -902,6 +964,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender real-time protection configuration changed")
# Windows Defender 实时保护配置已更改
Event_desc = "Windows Defender real-time protection configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -916,6 +979,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender antimalware platform configuration changed")
# Windows Defender 反恶意软件平台配置已更改
Event_desc = "Windows Defender antimalware platform configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -930,6 +994,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender scanning for malware is disabled")
# Windows Defender 扫描恶意软件已禁用
Event_desc = "Windows Defender scanning for malware is disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -940,6 +1005,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
if row['Event ID'] == "5012" :
print("##### " + row['Date and Time'] + " #### ", end='')
print(" Windows Defender scanning for viruses is disabled")
