From 541df417743a3bac469b806dc303ee69e89822cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=83=AD=E5=90=89=E6=B0=91?= <1287473711@qq.com>
Date: Mon, 16 Dec 2024 23:56:27 +0800
Subject: [PATCH 1/2] =?UTF-8?q?=E5=88=B0=E6=AD=A4=E4=B8=80=E6=B8=B8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 项目泛读.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/项目泛读.txt b/项目泛读.txt
index b6f8e9e..453b556 100644
--- a/项目泛读.txt
+++ b/项目泛读.txt
@@ -35,4 +35,5 @@ APT-Hunter使用内置库(如csv库)来解析CSV日志文件,使用外部
 兼容性:APT-Hunter支持多种格式的日志解析和输出配置,使得用户能够灵活地将其集成到现有的安全监控系统中。
 开源性:作为一款开源工具,APT-Hunter的源代码是公开的,用户可以根据需要进行二次开发或定制。
 四、结论与展望
-通过对APT-Hunter源代码的分析,可以看出该工具在Windows事件日志的威胁搜寻方面具有较高的效率和准确性。其友好的用户界面、简洁的操作流程以及灵活的日志解析和输出配置,使得用户能够轻松地使用该工具进行威胁检测和分析。然而,随着APT攻击的不断发展和变化,APT-Hunter也需要不断更新和完善其检测规则和功能,以应对新的威胁和挑战。未来,可以进一步优化APT-Hunter的性能和效率,提高其适用性和易用性,并探索与其他安全监控系统的集成和联动,以实现更加全面和高效的安全防护。
\ No newline at end of file
+通过对APT-Hunter源代码的分析,可以看出该工具在Windows事件日志的威胁搜寻方面具有较高的效率和准确性。其友好的用户界面、简洁的操作流程以及灵活的日志解析和输出配置,使得用户能够轻松地使用该工具进行威胁检测和分析。然而,随着APT攻击的不断发展和变化,APT-Hunter也需要不断更新和完善其检测规则和功能,以应对新的威胁和挑战。未来,可以进一步优化APT-Hunter的性能和效率,提高其适用性和易用性,并探索与其他安全监控系统的集成和联动,以实现更加全面和高效的安全防护。
+到此一游
\ No newline at end of file
From fc00532c2d4d5eecb4c04e8451d6312d07dace18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=83=AD=E5=90=89=E6=B0=91?= <1287473711@qq.com>
Date: Wed, 25 Dec 2024 20:45:54 +0800
Subject: [PATCH 2/2] guojimin
---
 src/lib/CSVDetection.py | 9 +++++++++
 src/lib/EvtxDetection.py | 35 ++++++++++++++++++++++++++---------
 2 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/src/lib/CSVDetection.py b/src/lib/CSVDetection.py
index 180ab9f..cca2b39 100644
--- a/src/lib/CSVDetection.py
+++ b/src/lib/CSVDetection.py
@@ -234,8 +234,10 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) #User Cretion using Net command + # 用户创建事件处理,使用 Net 命令 if row['Event ID']=="4688": try: + # 检查事件详情中是否包含用户添加的命令 if len(re.findall('.*user.*/add.*',row['Details']))>0: #print("test") @@ -244,7 +246,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) #print("User Name : ( %s ) "%Account_Name[0].strip(),end='') #print("with Command Line : ( " + Process_Command_Line[0].strip()+" )") + # 生成事件描述 Event_desc ="User Name : ( %s ) "%Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip()+" )" + # 将事件信息添加到 Security_events 数据结构中 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['Detection Rule'].append("User Added using Net Command") @@ -255,6 +259,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) #Detecting privielge Escalation using Token Elevation + # 检测特权提升尝试,使用命名管道 if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line))>0: Event_desc ="User Name : ( %s ) " % user+"conducting NAMED PIPE privilege escalation with Command Line : ( " + process_command_line + " ) " 
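Review bot: The new comment `# 用户创建事件处理,使用 Net 命令` in the -234 hunk sits directly under the existing `#User Cretion using Net command`, so the same intent is now documented twice in two languages; the file's existing comments are English, so one comment in one language is enough, and the typo can be fixed in the same pass: `# User creation using the net command`. The same duplication appears in the -244, -255, -267, -285, -304 hunks of this file and in most hunks of EvtxDetection.py. In the -255 hunk the two comments also disagree: `#Detecting privielge Escalation using Token Elevation` names token elevation, while the regex on the next line matches a `cmd.exe /c echo ... > \\.\pipe\...` pattern, which is what the new Chinese comment describes, so the older line should be corrected to `# Detect named-pipe privilege escalation (cmd.exe echo redirected into \\.\pipe\...)`; the same pair occurs in the -924 hunk of EvtxDetection.py. detect_events_security_log starts before this hunk and continues past it.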
@@ -267,6 +272,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + # 检查进程命令行是否在可疑位置(如 temp、tmp、Program Data) if Process_Command_Line[0].strip().lower().find("\\temp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\tmp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\program data\\")>-1: # print("test") @@ -285,6 +291,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + # 检查是否存在可疑的可执行文件 for i in Suspicious_executables: if Process_Command_Line[0].strip().lower().find(i.lower())>-1: @@ -304,6 +311,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) + # 检查是否存在可疑的 PowerShell 命令 for i in Suspicious_powershell_commands: if Process_Command_Line[0].strip().lower().find(i.lower())>-1: @@ -325,6 +333,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False) except: + # 捕获解析事件时的错误并输出错误信息 print("Error parsing below Event \n"+row['Details']) continue diff --git a/src/lib/EvtxDetection.py b/src/lib/EvtxDetection.py index 0777f89..acdea50 100644 --- a/src/lib/EvtxDetection.py +++ b/src/lib/EvtxDetection.py 
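Review bot: The comment `# 捕获解析事件时的错误并输出错误信息` added in the -325 hunk describes the handler as catching event-parsing errors, but the clause it annotates is a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and reports any bug in the row handling as "Error parsing below Event". The row handling visible in the earlier hunks can raise `KeyError` (`row['Details']`), `IndexError` (`Account_Name[0]`, `Process_Command_Line[0]`) and `ValueError` (`datetime.strptime`), so `except (KeyError, IndexError, ValueError) as e:` with `e` included in the printed message would make the comment accurate and keep the per-row best-effort behaviour. If the catch-all is deliberate, the comment should say that every exception for the row is swallowed and the row skipped. The `try` this `except` belongs to starts outside the hunk.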
@@ -746,18 +746,20 @@ def detect_events_security_log(file_name, shared_data): ObjectProcessName=ObjectProcessName_rex.findall(record['data']) #Detect any log that contain suspicious process name or argument - if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673": - for i in all_suspicious: + # 检测任何包含可疑进程名称或参数的日志 + if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":# 检查事件 ID 是否为 4688、4648 或 4673 + for i in all_suspicious:# 遍历所有可疑项 - if record['data'].lower().find(i.lower())>-1: + if record['data'].lower().find(i.lower())>-1:# 检查日志数据中是否包含可疑项 #print("##### " + record["timestamp"] + " #### ", end='') #print("## Found Suspicios Process ", end='') #print("User Name : ( %s ) " % Account_Name[0][0].strip(), end='') #print("with Command Line : ( " + Process_Command_Line[0][0].strip() + " )") # print("###########") - + # 生成事件描述 Event_desc ="Found a log contain suspicious command or process ( %s)"%i + # 将事件信息添加到 Security_events 数据结构中 Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) Security_events[0]['Computer Name'].append(Computer[0]) Security_events[0]['Channel'].append(Channel[0]) @@ -768,12 +770,14 @@ def detect_events_security_log(file_name, shared_data): Security_events[0]['Event Description'].append(Event_desc) Security_events[0]['Event ID'].append(EventID[0]) Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) - break + break # 找到可疑项后退出循环 #User Creation using Net command + # 用户创建事件,使用 Net 命令 if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673": try: process_name='' process_command_line=" " + # 获取用户名称 if len(Account_Name[0][0])>0: user=Account_Name[0][0].strip() 
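Review bot: The inline comments added in the -746 and -768 hunks are glued to the code with no separating space (`...=="4673":# 检查事件 ID 是否为 4688、4648 或 4673`, `for i in all_suspicious:# 遍历所有可疑项`, and `break# 找到可疑路径后退出循环` in the -844 hunk), where PEP 8 asks for `code  # comment` with two spaces before the `#`. Several of them also only restate the statement they annotate (`# 遍历所有可疑项` on a `for` loop, `# 检查事件 ID 是否为 ...` on the `if`), which adds reading cost without information. A comment that says why is worth keeping, e.g. on the `if`: `# 4688 (process creation), 4648 (explicit-credential logon) and 4673 (privileged service call) carry the process/command-line fields this rule reads`. The enclosing detect_events_security_log starts before this hunk and continues past it.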
@@ -781,7 +785,7 @@ def detect_events_security_log(file_name, shared_data): if len(Account_Name[0][1])>0: user=Account_Name[0][1].strip() process_command_line=Process_Command_Line[0][1].strip() - + # 获取进程名称 if len(Process_Command_Line)>0: process_command_line=Process_Command_Line[0][0].strip() """ @@ -796,7 +800,7 @@ def detect_events_security_log(file_name, shared_data): for i in Process_Name[0]: if len(i)>0: process_name=i - + # 检查日志数据中是否包含用户添加的命令 if len(re.findall('.*user.*/add.*',record['data']))>0: #print("test") @@ -818,9 +822,11 @@ def detect_events_security_log(file_name, shared_data): Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) #process runing in suspicious location + # 检查进程是否在可疑位置运行 found=0 - if process_name.strip() not in Suspicious_process_found: + if process_name.strip() not in Suspicious_process_found:# 检查日志数据中是否包含可疑路径 for i in Suspicious_Path: + # 检查日志数据中是否包含可疑路径 if str(record['data']).lower().find(i.lower())>-1:#process_name.strip().lower().find(i.lower())>-1 or process_command_line.lower().find(i.lower())>-1 : Suspicious_process_found.append(process_name.strip()) found=1 @@ -844,8 +850,9 @@ def detect_events_security_log(file_name, shared_data): Security_events[0]['Event Description'].append(Event_desc) Security_events[0]['Event ID'].append(EventID[0]) Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) - break + break# 找到可疑路径后退出循环 if found!=1: + # 检查进程是否在常规路径中运行 #process runing in suspicious location found=0 for i in Usual_Path: @@ -875,6 +882,8 @@ def detect_events_security_log(file_name, shared_data): Security_events[0]['Event ID'].append(EventID[0]) Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) found=0 + + # 检测可疑可执行文件 if len(Process_Command_Line)>0: #detect suspicious executables 
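Review bot: Two of the new comments in the -785 and -818 hunks describe a different line than the one they annotate. `# 获取进程名称` precedes `if len(Process_Command_Line)>0: process_command_line=Process_Command_Line[0][0].strip()`, which reads the command line, while the process name is taken from `Process_Name[0]` in the loop shown in the -800 hunk; and the inline `# 检查日志数据中是否包含可疑路径` on `if process_name.strip() not in Suspicious_process_found:` describes the `for i in Suspicious_Path` loop below it (where the same comment is repeated on its own line), not this guard, which skips process names that were already reported. Suggested replacements: `# get the process command line` for the first and `# report each process name only once` for the second, dropping the duplicate inside the loop.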
@@ -900,6 +909,7 @@ def detect_events_security_log(file_name, shared_data): Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # detect suspicious powershell commands + # 检测可疑的 PowerShell 命令 for i in Suspicious_powershell_commands: if process_command_line.lower().find(i.lower())>-1: @@ -924,6 +934,7 @@ def detect_events_security_log(file_name, shared_data): #Detecting privielge Escalation using Token Elevation + # 检测特权提升尝试,使用命名管道 if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0 or len(re.findall(r"cmd.exe /c echo \w{1,10} .* \\\\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0: #print("detected",process_command_line.lower().strip()) Event_desc ="User Name : ( %s ) " % user+"conducting Named PIPE privilege escalation with Command Line : ( " + process_command_line + " ) " @@ -943,6 +954,7 @@ def detect_events_security_log(file_name, shared_data): #print(process_command_line) #Summary of process Execution + # 进程执行的总结 if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673": try: #process_name=" " @@ -954,6 +966,7 @@ def detect_events_security_log(file_name, shared_data): #print(process_name) #print(Executed_Process_Summary[0]['Process Name']) #print(process_name not in Executed_Process_Summary[0]['Process Name']) + # 更新执行进程的总结 if process_name not in Executed_Process_Summary[0]['Process Name']: Executed_Process_Summary[0]['Process Name'].append(process_name.strip()) Executed_Process_Summary[0]['Number of Execution'].append(1) @@ -963,6 +976,7 @@ def detect_events_security_log(file_name, shared_data): pass #report of process Execution + # 进程执行的报告 if (processexec==True or allreport==True) and EventID[0]=="4688": #try: 
@@ -982,6 +996,7 @@ def detect_events_security_log(file_name, shared_data): parent_process_name=i else: parent_process_name="None" + # 将进程执行事件信息添加到 Executed_Process_Events 数据结构中 Executed_Process_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) Executed_Process_Events[0]['DateTime'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) Executed_Process_Events[0]['ProcessName'].append(process_name) @@ -995,6 +1010,7 @@ def detect_events_security_log(file_name, shared_data): # non-interactive powershell being executed by another application in the background + # 检测非交互式 PowerShell 进程是否由其他应用程序在后台执行 if EventID[0]=="4688" : try: #process_name=" " @@ -1006,6 +1022,7 @@ def detect_events_security_log(file_name, shared_data): if len(i)>0: parent_process_name=i + # 检查是否为非交互式 PowerShell 进程 if process_name[0].lower().find("powershell.exe")>-1 and parent_process_name[0].lower().find("explorer.exe")==-1: try: Event_desc ="User Name : ( %s ) "%user+" executed non-interactive ( " + New_Process_Name[0] + " ) through : ( " + Parent_Process_Name[0] + " ) ."
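Review bot: The comment `# 检查是否为非交互式 PowerShell 进程` in the -1006 hunk documents a condition that may not do what it says: the loop just above assigns `parent_process_name=i`, a string, so `parent_process_name[0]` is its first character and `.find("explorer.exe")==-1` on a single character is always true; if `process_name` is likewise a string at this point, `process_name[0].lower().find("powershell.exe")>-1` can never match and the rule never fires. This is inferred from the visible lines only (the assignment to `process_name` is outside the hunk), so it should be confirmed against the full function; if both are strings, the check should be `process_name.lower().find("powershell.exe")>-1 and parent_process_name.lower().find("explorer.exe")==-1`. The comment should also state the heuristic rather than the check: `# powershell.exe whose parent is not explorer.exe => started non-interactively by another process`.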