diff --git a/doc/Apt-hunter_analyse泛读报告.docx b/doc/Apt-hunter_analyse泛读报告.docx index 7fb65e2..31dc998 100644 Binary files a/doc/Apt-hunter_analyse泛读报告.docx and b/doc/Apt-hunter_analyse泛读报告.docx differ diff --git a/src/lib/EvtxDetection.py b/src/lib/EvtxDetection.py index acdea50..2a93407 100644 --- a/src/lib/EvtxDetection.py +++ b/src/lib/EvtxDetection.py @@ -49,6 +49,7 @@ frequencyanalysis=False allreport=False output='' temp_dir='temp/' +# 定义可疑的可执行文件列表 Suspicious_executables = ["\\mshta.exe", "\\csc.exe", 'whoami.exe', '\\pl.exe', '\\nc.exe', 'nmap.exe', 'psexec.exe', 'plink.exe', 'mimikatz', 'procdump.exe', ' dcom.exe', ' Inveigh.exe', ' LockLess.exe', ' Logger.exe', ' PBind.exe', ' PS.exe', ' Rubeus.exe', @@ -60,6 +61,7 @@ Suspicious_executables = ["\\mshta.exe", "\\csc.exe", 'whoami.exe', '\\pl.exe', ' SharpView.exe', ' SharpWeb.exe', ' SharpWMI.exe', ' Shhmon.exe', ' SweetPotato.exe', ' Watson.exe', ' WExec.exe', '7zip.exe'] +# 定义可疑的 PowerShell 命令列表 Suspicious_powershell_commands = ['FromBase64String', 'DomainPasswordSpray', 'PasswordSpray', 'Password', 'Get-WMIObject', 'Get-GPPPassword', 'Get-Keystrokes', 'Get-TimedScreenshot', 'Get-VaultCredential', 'Get-ServiceUnquoted', 'Get-ServiceEXEPerms', 
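Review bot: The comment added above `Suspicious_executables` names the list but not how its entries are matched, and that is the detail anyone editing it needs: entries such as `"\\mshta.exe"` and `' dcom.exe'` keep a leading backslash or space, which only makes sense if the detection code does substring matching against a full command line — I cannot confirm the matching rule from this hunk. Suggest `# Suspicious executable names, matched as substrings of the logged command line (a leading "\\" or " " narrows the match to a path/argument boundary) — verify against the matching code`. The comment added before `Suspicious_powershell_commands` in the next hunk would benefit from the same note, since that list mixes cmdlet names such as `Get-GPPPassword` with bare words such as `Password` that would match very broadly under substring matching.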
@@ -113,7 +115,7 @@ Suspicious_powershell_commands = ['FromBase64String', 'DomainPasswordSpray', 'Pa file=open("./lib/Powershell-detection.data","r") Suspicious_powershell_Arguments=file.read().split("\n") """ - +# 定义可疑的 PowerShell 参数列表 Suspicious_powershell_Arguments =['""','&&','|','$DoIt','$env:ComSpec','$env:COR_ENABLE_PROFILING','$env:COR_PROFILER','$env:COR_PROFILER_PATH','> $env:TEMP\\','$env:TEMP\\','$env:UserName','$profile','0x11','0xdeadbeef',' 443 ',' 80 ','AAAAYInlM','AcceptTcpClient',' active_users ','add','Add-ConstrainedDelegationBackdoor','add-content','Add-Content','Add-DnsClientNrptRule','Add-DomainGroupMember','Add-DomainObjectAcl','Add-Exfiltration','Add-ObjectAcl','Add-Persistence','Add-RegBackdoor','Add-RemoteConnection','Add-ScrnSaveBackdoor','AddSecurityPackage','AdjustTokenPrivileges','ADRecon-Report.xlsx','Advapi32','-All ','Allow','-AnswerFile','\AppData\\Roaming\\Code\\','-append','.application','-ArgumentList ','-AttackSurfaceReductionRules_Actions ','-AttackSurfaceReductionRules_Ids ','.AuthenticateAsClient','-band',' basic_info ','.bat','bxor','bypass',' -c ','"carbonblack"','Cert:\\LocalMachine\\Root',' change_user ','char','-CheckForSignaturesBeforeRunningScan ','Check-VM','-ClassName ','-ClassName','-ClassName CommandLineEventConsumer ','-ClassName __EventFilter ','Clear-EventLog ','Clear-History','Clear-WinEvent ','ClientAccessible','CL_Invocation.ps1','CL_Mutexverifiers.ps1','CloseHandle','.cmd','CmdletsToExport','Collections.ArrayList',' command_exec ','-ComObject ','-ComObject','-comobject outlook.application','Compress-Archive ','Compress-Archive',' -ComputerName ','-ComputerName ','comspec','ConsoleHost_history.txt','-ControlledFolderAccessProtectedFolders ','Convert-ADName','[Convert]::FromBase64String','ConvertFrom-UACValue','Convert-NameToSid','ConvertTo-SID','.CopyFromScreen','Copy-Item ','Copy-Item','# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All','Copy-VSS','C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\',').Create(','Create-MultipleSessions','CreateProcessWithToken','CreateRemoteThread','CreateThread','CreateUserThread','.CreationTime =','curl ','CurrentVersion\\Winlogon','C:\\Windows\\Diagnostics\\System\\PCW','"cylance"',' -d ','DangerousGetHandle','DataToEncode','"defender"','del','.Delete()','Delete()','.Description','-Destination ','-Destination',' -DestinationPath ','DisableArchiveScanning $true','DisableArchiveScanning 1','DisableBehaviorMonitoring $true','DisableBehaviorMonitoring 1','DisableBlockAtFirstSeen $true','DisableBlockAtFirstSeen 1','DisableIntrusionPreventionSystem $true','DisableIntrusionPreventionSystem 1','DisableIOAVProtection $true','DisableIOAVProtection 1','Disable-LocalUser','DisableRealtimeMonitoring $true','DisableRealtimeMonitoring 1','DisableRemovableDriveScanning $true','DisableRemovableDriveScanning 1','DisableScanningMappedNetworkDrivesForFullScan $true','DisableScanningMappedNetworkDrivesForFullScan 1','DisableScanningNetworkFiles $true','DisableScanningNetworkFiles 1','DisableScriptScanning $true','DisableScriptScanning 1',' disable_wdigest ','Disable-WindowsOptionalFeature',' disable_winrm ','DNS_TXT_Pwnage','.doc','.docx','DoesNotRequirePreAuth','Do-Exfiltration',' -doh ','.download','.Download','Download_Execute','Download-Execute-PS','.DownloadFile(','.DownloadString(','.DriveLetter','DumpCerts','DumpCreds','DuplicateTokenEx','-Enabled','Enabled-DuplicateToken','Enable-Duplication','Enable-LocalUser','Enable-PSRemoting ','EnableSmartScreen',' enable_wdigest ','Enable-WindowsOptionalFeature',' enable_winrm ',' -enc ','-Enc',' -EncodedCommand ','EnumerateSecurityPackages','-ep','-ErrorAction ',' -ErrorAction SilentlyContinue','Execute-Command-MSSQL','Execute-DNSTXT-Code','Execute-OnTime','ExetoText','exfill','ExfilOption','Exploit-Jboss','Export-PfxCertificate','Export-PowerViewCSV','-f ','Failed to update Help for the 
module','FakeDC','False','-FeatureName','-FilePath ','-FilePath "$env:comspec" ','-Filter',' -Filter Bookmarks','.findall()','Find-DomainLocalGroupMember','Find-DomainObjectPropertyOutlier','Find-DomainProcess','Find-DomainShare','Find-DomainUserEvent','Find-DomainUserLocation','Find-ForeignGroup','Find-ForeignUser','Find-Fruit','Find-GPOComputerAdmin','Find-GPOLocation','Find-InterestingDomainAcl','Find-InterestingDomainShareFile','Find-InterestingFile','Find-LocalAdminAccess','Find-ManagedSecurityGroups','Find-TrustedDocuments','FireBuster','FireListener',' -Force','foreach','format-table','FreeHGlobal','FreeLibrary','Function Get-ADRExcelComOb','gci',' gen_cli ','get-acl','Get-AdComputer ','Get-AdDefaultDomainPasswordPolicy','Get-AdGroup ','Get-ADObject','get-ADPrincipalGroupMembership','Get-ADRDomainController','Get-ADReplAccount','Get-ADRGPO','get-aduser','Get-ADUser','Get-ApplicationHost','Get-CachedRDPConnection','get-childitem','Get-ChildItem ','Get-ChildItem','Get-ChromeDump','Get-ClipboardContents','Get-CredManCreds','GetDelegateForFunctionPointer','Get-DFSshare','Get-DNSRecord','Get-DNSZone','Get-Domain','Get-DomainComputer','Get-DomainController','Get-DomainDFSShare','Get-DomainDNSRecord','Get-DomainDNSZone','Get-DomainFileServer','Get-DomainForeignGroupMember','Get-DomainForeignUser','Get-DomainGPO','Get-DomainGPOComputerLocalGroupMapping','Get-DomainGPOLocalGroup','Get-DomainGPOUserLocalGroupMapping','Get-DomainGroup','Get-DomainGroupMember','Get-DomainManagedSecurityGroup','Get-DomainObject','Get-DomainObjectAcl','Get-DomainOU','Get-DomainPolicy','Get-DomainSID','Get-DomainSite','Get-DomainSPNTicket','Get-DomainSubnet','Get-DomainTrust','Get-DomainTrustMapping','Get-DomainUser','Get-DomainUserEvent','Get-Forest','Get-ForestDomain','Get-ForestGlobalCatalog','Get-ForestTrust','Get-FoxDump','Get-GPO','Get-GPPPassword','Get-Inbox.ps1','Get-IndexedItem','Get-Information','Get-IPAddress','get-itemProperty','Get-ItemProperty','Get-Keystrokes','Get-LastLogged
On','get-localgroup','Get-LocalGroupMember','Get-LocalUser','Get-LoggedOnLocal','GetLogonSessionData','Get-LSASecret','GetModuleHandle','Get-NetComputer','Get-NetComputerSiteName','Get-NetDomain','Get-NetDomainController','Get-NetDomainTrust','Get-NetFileServer','Get-NetForest','Get-NetForestCatalog','Get-NetForestDomain','Get-NetForestTrust','Get-NetGPO','Get-NetGPOGroup','Get-NetGroup','Get-NetGroupMember','Get-NetLocalGroup','Get-NetLocalGroupMember','Get-NetLoggedon','Get-NetOU','Get-NetProcess','Get-NetRDPSession','Get-NetSession','Get-NetShare','Get-NetSite','Get-NetSubnet','Get-NetUser','Get-ObjectAcl','Get-PassHashes','Get-PassHints','Get-PasswordVaultCredentials','Get-PathAcl','GetProcAddress','Get-ProcAddress user32.dll GetAsyncKeyState','Get-ProcAddress user32.dll GetForegroundWindow','get-process','Get-Process ','Get-Process','GetProcessHandle','Get-Process lsass','Get-Proxy','(Get-PSReadlineOption).HistorySavePath','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-RegistryMountedDrive','Get-RegLoggedOn','Get-RickAstley','Get-Screenshot','Get-SecurityPackages','Get-Service ','Get-ServiceFilePermission','Get-ServicePermission','Get-ServiceUnquoted','Get-SiteListPassword','Get-SiteName','get-smbshare','Get-StorageDiagnosticInfo','Get-System','Get-SystemDriveInfo','Get-TimedScreenshot','GetTokenInformation','::GetTypeFromCLSID(','Get-UnattendedInstallFile','Get-Unconstrained','Get-USBKeystrokes','Get-UserEvent','Get-VaultCredential','Get-Volume','Get-VulnAutoRun','Get-VulnSchTask','Get-Web-Credentials','Get-WLAN-Keys','Get-WmiObject','Get-WMIObject','Get-WMIProcess','Get-WMIRegCachedRDPConnection','Get-WMIRegLastLoggedOn','Get-WMIRegMountedDrive','Get-WMIRegProxy','\Google\\Chrome\\User Data\\Default\\Login Data','\\Google\\Chrome\\User Data\Default\Login Data For 
Account','GroupPolicyRefreshTime','GroupPolicyRefreshTimeDC','GroupPolicyRefreshTimeOffset','GroupPolicyRefreshTimeOffsetDC','Gupt-Backdoor','gwmi','harmj0y','hidden','Hidden','HighThreatDefaultAction','-HistorySaveStyle','HKCU:\\','HKCU\\software\\microsoft\\windows\\currentversion\\run','HKEY_CURRENT_USER\Control Panel\Desktop\\','HKLM:\\','HotFixID','http://127.0.0.1','HTTP-Backdoor','HTTP-Login',' -i ','-Identity ','iex(','IMAGE_NT_OPTIONAL_HDR64_MAGIC','-ImagePath ','ImpersonateLoggedOnUser','Import-Certificate','Import-Module "$Env:Appdata\\','Import-Module ''$Env:Appdata\\','Import-Module $Env:Appdata\\','Import-Module','$Env:Temp\\','Import-Module ''$Env:Temp\\','Import-Module $Env:Temp\\','Import-Module C:\\Users\\Public\\',' -Include ','-IncludeLiveDump','Install-ServiceBinary','Install-SSP','Internet-Explorer-Optional-amd64','invoke','Invoke-ACLScanner','Invoke-ADSBackdoor','Invoke-AllChecks','Invoke-AmsiBypass','Invoke-ARPScan','Invoke-AzureHound','Invoke-BackdoorLNK','Invoke-BadPotato','Invoke-BetterSafetyKatz','Invoke-BruteForce','Invoke-BypassUAC','Invoke-Carbuncle','Invoke-Certify','Invoke-CheckLocalAdminAccess','Invoke-CimMethod ','Invoke-CimMethod','invoke-command ','Invoke-CredentialInjection','Invoke-CredentialsPhish','Invoke-DAFT','Invoke-DCSync','Invoke-Decode','Invoke-DinvokeKatz','Invoke-DllInjection','Invoke-DNSExfiltrator','Invoke-DowngradeAccount','Invoke-EgressCheck','Invoke-Encode','Invoke-EnumerateLocalAdmin','Invoke-EventHunter','Invoke-Eyewitness','Invoke-FakeLogonScreen','Invoke-Farmer','Invoke-FileFinder','Invoke-Get-RBCD-Threaded','Invoke-Gopher','Invoke-GPOLinks','Invoke-Grouper2','Invoke-HandleKatz','Invoke-Interceptor','Invoke-Internalmonologue','Invoke-Inveigh','Invoke-InveighRelay','invoke-item 
','Invoke-JSRatRegsvr','Invoke-JSRatRundll','Invoke-Kerberoast','Invoke-KrbRelayUp','Invoke-LdapSignCheck','Invoke-Lockless','Invoke-MapDomainTrust','Invoke-Mimikatz','Invoke-MimikatzWDigestDowngrade','Invoke-Mimikittenz','Invoke-MITM6','Invoke-NanoDump','Invoke-NetRipper','Invoke-NetworkRelay','Invoke-Nightmare','Invoke-NinjaCopy','Invoke-OxidResolver','Invoke-P0wnedshell','Invoke-Paranoia','Invoke-PortScan','Invoke-PoshRatHttp','Invoke-PoshRatHttps','Invoke-PostExfil','Invoke-Potato','Invoke-PowerDump','Invoke-PowerShellIcmp','Invoke-PowerShellTCP','Invoke-PowerShellUdp','Invoke-PowerShellWMI','Invoke-PPLDump','Invoke-Prasadhak','Invoke-ProcessHunter','Invoke-PsExec','Invoke-PSGcat','Invoke-PsGcatAgent','Invoke-PSInject','Invoke-PsUaCme','Invoke-ReflectivePEInjection','Invoke-ReverseDNSLookup','Invoke-RevertToSelf','Invoke-Rubeus','Invoke-RunAs','Invoke-SafetyKatz','Invoke-SauronEye','Invoke-SCShell','Invoke-Seatbelt','Invoke-ServiceAbuse','Invoke-SessionGopher','Invoke-ShareFinder','Invoke-SharpAllowedToAct','Invoke-SharpBlock','Invoke-SharpBypassUAC','Invoke-SharpChromium','Invoke-SharpClipboard','Invoke-SharpCloud','Invoke-SharpDPAPI','Invoke-SharpDump','Invoke-SharPersist','Invoke-SharpGPOAbuse','Invoke-SharpGPO-RemoteAccessPolicies','Invoke-SharpHandler','Invoke-SharpHide','Invoke-Sharphound2','Invoke-Sharphound3','Invoke-SharpHound4','Invoke-SharpImpersonation','Invoke-SharpImpersonationNoSpace','Invoke-SharpKatz','Invoke-SharpLdapRelayScan','Invoke-Sharplocker','Invoke-SharpLoginPrompt','Invoke-SharpMove','Invoke-SharpPrinter','Invoke-SharpPrintNightmare','Invoke-SharpRDP','Invoke-SharpSecDump','Invoke-Sharpshares','Invoke-SharpSniper','Invoke-SharpSploit','Invoke-SharpSpray','Invoke-SharpSSDP','Invoke-SharpStay','Invoke-SharpUp','Invoke-Sharpview','Invoke-SharpWatson','Invoke-Sharpweb','Invoke-Shellcode','Invoke-SMBAutoBrute','Invoke-SMBScanner','Invoke-Snaffler','Invoke-Spoolsample','Invoke-SSHCommand','Invoke-SSIDExfil','Invoke-StandIn','Invoke-StickyNot
esExtract','Invoke-Tater','Invoke-Thunderfox','Invoke-ThunderStruck','Invoke-TokenManipulation','Invoke-Tokenvator','Invoke-TroubleshootingPack','Invoke-UrbanBishop','Invoke-UserHunter','Invoke-UserImpersonation','Invoke-VoiceTroll','Invoke-WebRequest','Invoke-Whisker','Invoke-WinEnum','Invoke-winPEAS','Invoke-WireTap','Invoke-WmiCommand','Invoke-WMIMethod','Invoke-WScriptBypassUAC','Invoke-Zerologon','[IO.File]::SetCreationTime','[IO.File]::SetLastAccessTime','[IO.File]::SetLastWriteTime','IO.FileStream','ipmo "$Env:Appdata\\','ipmo ''$Env:Appdata\\','ipmo $Env:Appdata\\','ipmo "$Env:Temp\\','ipmo ''$Env:Temp\\','ipmo $Env:Temp\\','ipmo C:\\Users\\Public\\','iwr ','join','.kdb','.kdbx','kernel32','Keylogger','.LastAccessTime =','.LastWriteTime =','-like','Limit-EventLog ','/listcreds:','.Load','LoadLibrary','LoggedKeys',' logon_events ','LowThreatDefaultAction','ls','LSA_UNICODE_STRING','MailRaider','mattifestation','-Members ','memcpy','Metasploit','-Method ','-MethodName ','Microsoft.CSharp.CSharpCodeProvider','\Microsoft\\Edge\\User Data\Default','Microsoft.Office.Interop.Outlook','Microsoft.Office.Interop.Outlook.olDefaultFolders','Microsoft.Win32.UnsafeNativeMethods','Mimikatz','MiniDumpWriteDump','ModerateThreatDefaultAction','-ModuleName ','-ModulePath ','Mount-DiskImage ','Move-Item','\Mozilla\Firefox\Profiles','MSAcpi_ThermalZoneTemperature','mshta','.msi','msvcrt','MsXml2.','-NameSe','-Namesp','-NameSpace','-Namespace root/subscription ','Net.Security.RemoteCertificateValidationCallback','Net.WebClient','New-CimInstance ','New-DomainGroup','New-DomainUser','New-HoneyHash','New-Item','New-LocalUser','new-object','(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')','(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1','(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')','New-PSDrive','New-PSSession','New-ScheduledTask','New-ScheduledTaskAction','New-ScheduledTaskPrincipal','New-ScheduledTaskSettingsSet','New-ScheduledTaskTrigger','New-VM','Nishang',' -noni ','-noni',' -noninteractive ','-nop','-noprofile','NotAllNameSpaces','ntdll','OiCAAAAYInlM','OiJAAAAYInlM','-Online','OpenDesktop','OpenProcess','OpenProcessToken','OpenThreadToken','OpenWindowStation','\Opera Software\\Opera Stable\\Login Data','Out-CHM','OUT-DNSTXT','Out-File ','Out-HTA','Out-Minidump','Out-RundllCommand','Out-SCF','Out-SCT','Out-Shortcut','Out-WebQuery','Out-Word',' -p ','PAGE_EXECUTE_READ','Parse_Keys','.pass','-PassThru ','Password-List',' -Path ','-Path ','-Pattern ','.pdf','-port ','Port-Scan','- Post ','PowerBreach','powercat ','powercat.ps1',' power_off ','Powerpreter','powershell','PowerUp','PowerView','.ppt','.pptx','-pr ',' process_kill ','-Profile','PromptForCredential','Properties.name','.PropertiesToLoad.Add','-Property ','PS ATTACK!!!','-psprovider ','psreadline','PS_ScheduledTask','PtrToString',' Put ','QueueUserApc',' -R','_RastaMouse','-RawData ','ReadProcessMemory','ReadProcessMemory.Invoke','readtoend','-recurse',' -Recurse ','-Recurse','[Reflection.Assembly]::Load($','Reflection.Emit.AssemblyBuilderAccess','reg','Register-ScheduledTask','.RegisterXLL','Registry::','REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\',' registry_mod ','-RemoteFXvGPUDisablementFilePath',' remote_posh ','RemoteSigned','Remove-ADGroupMember','Remove-EtwTraceProvider ','Remove-EventLog ','Remove-FileShare','Remove-Item','Remove-LocalUser','Remove-Module','Remove-MpPreference','Remove-Persistence','Remove-PoshRat','Remove-RemoteConnection','Remove-SmbShare','Remove-Update','Remove-WmiObject','Rename-LocalUser','Request-SPNTicket','Resolve-IPAddress','RevertToSelf','rm','-root 
','Root\\\Microsoft\\\Windows\\\TaskScheduler','.rtf','RtlCreateUserThread','.run','runAfterCancelProcess','rundll32','rundll32.exe','Run-EXEonRemote','Runtime.InteropServices.DllImportAttribute','SaveNothing',' sched_job ','-ScriptBlock ','secur32','SECURITY_DELEGATION','select-object','select-string ','.Send(','Send-MailMessage','SE_PRIVILEGE_ENABLED','-Server ',' service_mod ','set','Set-ADObject','set-content','Set-DCShadowPermissions','Set-DomainObject','Set-DomainUserPassword','Set-EtwTraceProvider ','Set-ExecutionPolicy','-ExecutionPolicy bypass','Set-ItemProperty','Set-LocalUser','Set-MacAttribute','Set-MpPreference','Set-NetFirewallProfile','Set-PSReadlineOption','Set-RemotePSRemoting','Set-RemoteWMI','SetThreadToken','Set-VMFirmware','Set-Wallpaper','shell32.dll','Shellcode32','Shellcode64','shellexec_rundll','.ShellExecute(','ShellSmartScreenLevel','Show-TargetScreen','SilentlyContinue','SMB1Protocol','\software\\','\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','Start-BitsTransfer','Start-CaptureServer','Start-Dnscat2','Start-Process','Start-VM','Start-WebcamRecorder','-stream','StringtoBase64','SuspendThread','SyncAppvPublishingServer.exe','SyncInvoke','System.CodeDom.Compiler.CompilerParameters','System.DirectoryServices.AccountManagement','System.DirectoryServices.DirectorySearcher','System.DirectoryServices.Protocols.LdapConnection','System.DirectoryServices.Protocols.LdapDirectoryIdentifier','[System.Environment]::UserName','System.IdentityModel.Tokens.KerberosRequestorSecurityToken','system.io.compression.deflatestream','system.io.streamreader','[System.Net.HttpWebRequest]','System.Net.NetworkCredential','System.Net.NetworkInformation.Ping','System.Net.Security.SslStream','System.Net.Sockets.TcpListener','system.net.webclient','System.Net.WebClient','SystemParametersInfo(20,0,,3)','[System.Reflection.Assembly]::Load($','System.Reflection.Assembly.Load($','System.Reflection.AssemblyName','[System.Runtime.InteropServices.RuntimeEnvironment]::GetRu
ntimeDirectory())','[System.Security.Principal.WindowsIdentity]::GetCurrent()','System.Xml.XmlDocument',' -t ','TelnetServer','Test-AdminAccess','Test-NetConnection','text.encoding]::ascii','TexttoExe','TFTP','tifkin_','-Exec bypass','TOKEN_ADJUST_PRIVILEGES','TOKEN_ALL_ACCESS','TOKEN_ASSIGN_PRIMARY','TOKEN_DUPLICATE','TOKEN_ELEVATION','TOKEN_IMPERSONATE','TOKEN_INFORMATION_CLASS','TOKEN_PRIVILEGES','TOKEN_QUERY','.txt',"2013HistorySaveStyle",'-Unattended','Unblock-File ','Unrestricted','Update-Help','useraccountcontrol','-UserAgent ',' vacant_system ','value','-Value','vaultcmd','vbscript:createobject','VirtualAlloc','VirtualFree','VirtualProtect','"virus"','VolumeShadowCopyTools',' -w ','WaitForSingleObject','WallPaper','Web Credentials','wget ',' -w hidden ','Win32_ComputerSystem','Win32_Group','Win32_PnPEntity','Win32_Product ','Win32_QuickFixEngineering','win32_shadowcopy','Win32_Shadowcopy','(window.close)',' -window hidden ','Windows Credentials','Windows-Defender','Windows-Defender-ApplicationGuard','Windows-Defender-Features','Windows-Defender-Gui','Windows.Security.Credentials.PasswordVault','\Windows\\System32','\Windows\\SysWOW64','-windowstyle','WindowStyle',' -windowstyle hidden ','WMImplant','Write-ChocolateyWarning','Write-EventLog','WriteInt32','WriteProcessMemory','.xls','.xlsx','XmlHttp','ZeroFreeGlobalAllocUnicode','UploadData'] """ @@ -163,7 +165,7 @@ all_suspicious = ["%comspec%", "wscript.exe", "regsvr32.exe", "mshta.exe", "\\cs "DownloadFile", "DownloadString", "Invoke-Expression", "Net.WebClient", "-Exec bypass", "-ExecutionPolicy bypass",'Remove-Item'] """ - +# 定义所有可以文件列表 all_suspicious = ["%comspec%", "wscript.exe", "regsvr32.exe", "mshta.exe", "\\csc.exe", 'whoami.exe', '\\pl.exe', '\\nc.exe', 'nmap.exe', 'psexec.exe', 'psexesvc.exe', 'plink.exe', 'kali', 'mimikatz', 'procdump.exe', 'dcom.exe', 'Inveigh.exe', 'LockLess.exe', 'Logger.exe', 'PBind.exe', 'PS.exe', 'Rubeus.exe', 
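Review bot: The comment added for `Suspicious_powershell_Arguments` sits directly under the `"""` that closes the disabled loader (`file=open("./lib/Powershell-detection.data","r")` …), so a reader cannot tell whether the inline literal or the data file is the source of truth; the comment should say which one wins, e.g. `# Inline list of suspicious PowerShell arguments/keywords; supersedes the disabled ./lib/Powershell-detection.data loader above`. The list also contains very generic tokens (`'add'`, `'del'`, `'set'`, `'rm'`, `'ls'`, `'value'`) that pre-date this change but deserve a one-line caveat about expected false positives next to the new comment. The trailing `"""` at the end of the hunk opens the string literal that holds the previous `all_suspicious` list, which is closed in the next hunk.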
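Review bot: The added comment `# 定义所有可以文件列表` reads as "list of all allowed files": `可以` looks like a typo for `可疑`, and as written it inverts the meaning of the `all_suspicious` list it annotates. `文件` is also narrower than the contents, which start with executable names but — judging by the commented-out variants kept around it, e.g. `"-ExecutionPolicy bypass"` — also carry PowerShell cmdlets and switches. Suggest `# Combined list of suspicious indicators (executables, PowerShell cmdlets and switches)`. The `all_suspicious` literal continues past the end of this hunk.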
@@ -256,6 +258,7 @@ all_suspicious = ["%comspec%", "wscript.exe", "regsvr32.exe", "mshta.exe", "\\cs # "DownloadFile", "DownloadString", "Invoke-Expression", "Net.WebClient", "-Exec bypass", # "-ExecutionPolicy",'Remove-Item','""','&&','$DoIt','$env:ComSpec','$env:COR_ENABLE_PROFILING','$env:COR_PROFILER','$env:COR_PROFILER_PATH','> $env:TEMP\\','$env:TEMP\\','$env:UserName','$profile','0x11','0xdeadbeef',' 443 ',' 80 ','AAAAYInlM','AcceptTcpClient',' active_users ','Add-ConstrainedDelegationBackdoor','add-content','Add-Content','Add-DnsClientNrptRule','Add-DomainGroupMember','Add-DomainObjectAcl','Add-Exfiltration','Add-ObjectAcl','Add-Persistence','Add-RegBackdoor','Add-RemoteConnection','Add-ScrnSaveBackdoor','AddSecurityPackage','AdjustTokenPrivileges','ADRecon-Report.xlsx','Advapi32','-All ','Allow','-AnswerFile','\AppData\\Roaming\\Code\\','-append','.application','-ArgumentList ','-AttackSurfaceReductionRules_Actions ','-AttackSurfaceReductionRules_Ids ','.AuthenticateAsClient','-band',' basic_info ','.bat','bxor','bypass',' -c ','"carbonblack"','Cert:\\LocalMachine\\Root',' change_user ','char','-CheckForSignaturesBeforeRunningScan ','Check-VM','-ClassName ','-ClassName','-ClassName CommandLineEventConsumer ','-ClassName __EventFilter ','Clear-EventLog ','Clear-History','Clear-WinEvent ','ClientAccessible','CL_Invocation.ps1','CL_Mutexverifiers.ps1','CloseHandle','.cmd','CmdletsToExport','Collections.ArrayList',' command_exec ','-ComObject ','-ComObject','-comobject outlook.application','Compress-Archive ','Compress-Archive',' -ComputerName ','-ComputerName ','comspec','ConsoleHost_history.txt','-ControlledFolderAccessProtectedFolders ','Convert-ADName','[Convert]::FromBase64String','ConvertFrom-UACValue','Convert-NameToSid','ConvertTo-SID','.CopyFromScreen','Copy-Item ','Copy-Item','# Copyright 2016 Amazon.com, Inc. or its affiliates. 
All','Copy-VSS','C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\',').Create(','Create-MultipleSessions','CreateProcessWithToken','CreateRemoteThread','CreateThread','CreateUserThread','.CreationTime =','curl ','CurrentVersion\\Winlogon','C:\\Windows\\Diagnostics\\System\\PCW','"cylance"',' -d ','DangerousGetHandle','DataToEncode','"defender"','del','.Delete()','Delete()','.Description','-Destination ','-Destination',' -DestinationPath ','DisableArchiveScanning $true','DisableArchiveScanning 1','DisableBehaviorMonitoring $true','DisableBehaviorMonitoring 1','DisableBlockAtFirstSeen $true','DisableBlockAtFirstSeen 1','DisableIntrusionPreventionSystem $true','DisableIntrusionPreventionSystem 1','DisableIOAVProtection $true','DisableIOAVProtection 1','Disable-LocalUser','DisableRealtimeMonitoring $true','DisableRealtimeMonitoring 1','DisableRemovableDriveScanning $true','DisableRemovableDriveScanning 1','DisableScanningMappedNetworkDrivesForFullScan $true','DisableScanningMappedNetworkDrivesForFullScan 1','DisableScanningNetworkFiles $true','DisableScanningNetworkFiles 1','DisableScriptScanning $true','DisableScriptScanning 1',' disable_wdigest ','Disable-WindowsOptionalFeature',' disable_winrm ','DNS_TXT_Pwnage','.doc','.docx','DoesNotRequirePreAuth','Do-Exfiltration',' -doh ','.download','.Download','Download_Execute','Download-Execute-PS','.DownloadFile(','.DownloadString(','.DriveLetter','DumpCerts','DumpCreds','DuplicateTokenEx','-Enabled','Enabled-DuplicateToken','Enable-Duplication','Enable-LocalUser','Enable-PSRemoting ','EnableSmartScreen',' enable_wdigest ','Enable-WindowsOptionalFeature',' enable_winrm ',' -enc ','-Enc',' -EncodedCommand ','EnumerateSecurityPackages','-ep','-ErrorAction ',' -ErrorAction SilentlyContinue','Execute-Command-MSSQL','Execute-DNSTXT-Code','Execute-OnTime','ExetoText','exfill','ExfilOption','Exploit-Jboss','Export-PfxCertificate','Export-PowerViewCSV','-f ','Failed to update Help for the 
module','FakeDC','False','-FeatureName','-FilePath ','-FilePath "$env:comspec" ','filesystem','-Filter',' -Filter Bookmarks','.findall()','Find-DomainLocalGroupMember','Find-DomainObjectPropertyOutlier','Find-DomainProcess','Find-DomainShare','Find-DomainUserEvent','Find-DomainUserLocation','Find-ForeignGroup','Find-ForeignUser','Find-Fruit','Find-GPOComputerAdmin','Find-GPOLocation','Find-InterestingDomainAcl','Find-InterestingDomainShareFile','Find-InterestingFile','Find-LocalAdminAccess','Find-ManagedSecurityGroups','Find-TrustedDocuments','FireBuster','FireListener',' -Force','foreach','format-table','FreeHGlobal','FreeLibrary','Function Get-ADRExcelComOb','gci',' gen_cli ','get-acl','Get-AdComputer ','Get-AdDefaultDomainPasswordPolicy','Get-AdGroup ','Get-ADObject','get-ADPrincipalGroupMembership','Get-ADRDomainController','Get-ADReplAccount','Get-ADRGPO','get-aduser','Get-ADUser','Get-ApplicationHost','Get-CachedRDPConnection','get-childitem','Get-ChildItem ','Get-ChildItem','Get-ChromeDump','Get-ClipboardContents','Get-CredManCreds','GetDelegateForFunctionPointer','Get-DFSshare','Get-DNSRecord','Get-DNSZone','Get-Domain','Get-DomainComputer','Get-DomainController','Get-DomainDFSShare','Get-DomainDNSRecord','Get-DomainDNSZone','Get-DomainFileServer','Get-DomainForeignGroupMember','Get-DomainForeignUser','Get-DomainGPO','Get-DomainGPOComputerLocalGroupMapping','Get-DomainGPOLocalGroup','Get-DomainGPOUserLocalGroupMapping','Get-DomainGroup','Get-DomainGroupMember','Get-DomainManagedSecurityGroup','Get-DomainObject','Get-DomainObjectAcl','Get-DomainOU','Get-DomainPolicy','Get-DomainSID','Get-DomainSite','Get-DomainSPNTicket','Get-DomainSubnet','Get-DomainTrust','Get-DomainTrustMapping','Get-DomainUser','Get-DomainUserEvent','Get-Forest','Get-ForestDomain','Get-ForestGlobalCatalog','Get-ForestTrust','Get-FoxDump','Get-GPO','Get-GPPPassword','Get-Inbox.ps1','Get-IndexedItem','Get-Information','Get-IPAddress','get-itemProperty','Get-ItemProperty','Get-Keystrokes','G
et-LastLoggedOn','get-localgroup','Get-LocalGroupMember','Get-LocalUser','Get-LoggedOnLocal','GetLogonSessionData','Get-LSASecret','GetModuleHandle','Get-NetComputer','Get-NetComputerSiteName','Get-NetDomain','Get-NetDomainController','Get-NetDomainTrust','Get-NetFileServer','Get-NetForest','Get-NetForestCatalog','Get-NetForestDomain','Get-NetForestTrust','Get-NetGPO','Get-NetGPOGroup','Get-NetGroup','Get-NetGroupMember','Get-NetLocalGroup','Get-NetLocalGroupMember','Get-NetLoggedon','Get-NetOU','Get-NetProcess','Get-NetRDPSession','Get-NetSession','Get-NetShare','Get-NetSite','Get-NetSubnet','Get-NetUser','Get-ObjectAcl','Get-PassHashes','Get-PassHints','Get-PasswordVaultCredentials','Get-PathAcl','GetProcAddress','Get-ProcAddress user32.dll GetAsyncKeyState','Get-ProcAddress user32.dll GetForegroundWindow','get-process','Get-Process ','Get-Process','GetProcessHandle','Get-Process lsass','Get-Proxy','(Get-PSReadlineOption).HistorySavePath','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-RegistryMountedDrive','Get-RegLoggedOn','Get-RickAstley','Get-Screenshot','Get-SecurityPackages','Get-Service ','Get-ServiceFilePermission','Get-ServicePermission','Get-ServiceUnquoted','Get-SiteListPassword','Get-SiteName','get-smbshare','Get-StorageDiagnosticInfo','Get-System','Get-SystemDriveInfo','Get-TimedScreenshot','GetTokenInformation','::GetTypeFromCLSID(','Get-UnattendedInstallFile','Get-Unconstrained','Get-USBKeystrokes','Get-UserEvent','Get-VaultCredential','Get-Volume','Get-VulnAutoRun','Get-VulnSchTask','Get-Web-Credentials','Get-WLAN-Keys','Get-WmiObject','Get-WMIObject','Get-WMIProcess','Get-WMIRegCachedRDPConnection','Get-WMIRegLastLoggedOn','Get-WMIRegMountedDrive','Get-WMIRegProxy','\Google\\Chrome\\User Data\\Default\\Login Data','\\Google\\Chrome\\User Data\Default\Login Data For 
Account','GroupPolicyRefreshTime','GroupPolicyRefreshTimeDC','GroupPolicyRefreshTimeOffset','GroupPolicyRefreshTimeOffsetDC','Gupt-Backdoor','gwmi','harmj0y','hidden','Hidden','HighThreatDefaultAction','-HistorySaveStyle','HKCU:\\','HKCU\\software\\microsoft\\windows\\currentversion\\run','HKEY_CURRENT_USER\Control Panel\Desktop\\','HKLM:\\','HotFixID','http://127.0.0.1','HTTP-Backdoor','HTTP-Login',' -i ','-Identity ','iex(','IMAGE_NT_OPTIONAL_HDR64_MAGIC','-ImagePath ','ImpersonateLoggedOnUser','Import-Certificate','Import-Module "$Env:Appdata\\','Import-Module','$Env:Temp\\','Import-Module ''$Env:Temp\\','Import-Module C:\\Users\\Public\\',' -Include ','-IncludeLiveDump','Install-ServiceBinary','Install-SSP','Internet-Explorer-Optional-amd64','invoke','Invoke-ACLScanner','Invoke-ADSBackdoor','Invoke-AllChecks','Invoke-AmsiBypass','Invoke-ARPScan','Invoke-AzureHound','Invoke-BackdoorLNK','Invoke-BadPotato','Invoke-BetterSafetyKatz','Invoke-BruteForce','Invoke-BypassUAC','Invoke-Carbuncle','Invoke-Certify','Invoke-CheckLocalAdminAccess','Invoke-CimMethod ','Invoke-CimMethod','invoke-command ','Invoke-CredentialInjection','Invoke-CredentialsPhish','Invoke-DAFT','Invoke-DCSync','Invoke-Decode','Invoke-DinvokeKatz','Invoke-DllInjection','Invoke-DNSExfiltrator','Invoke-DowngradeAccount','Invoke-EgressCheck','Invoke-Encode','Invoke-EnumerateLocalAdmin','Invoke-EventHunter','Invoke-Eyewitness','Invoke-FakeLogonScreen','Invoke-Farmer','Invoke-FileFinder','Invoke-Get-RBCD-Threaded','Invoke-Gopher','Invoke-GPOLinks','Invoke-Grouper2','Invoke-HandleKatz','Invoke-Interceptor','Invoke-Internalmonologue','Invoke-Inveigh','Invoke-InveighRelay','invoke-item 
','Invoke-JSRatRegsvr','Invoke-JSRatRundll','Invoke-Kerberoast','Invoke-KrbRelayUp','Invoke-LdapSignCheck','Invoke-Lockless','Invoke-MapDomainTrust','Invoke-Mimikatz','Invoke-MimikatzWDigestDowngrade','Invoke-Mimikittenz','Invoke-MITM6','Invoke-NanoDump','Invoke-NetRipper','Invoke-NetworkRelay','Invoke-Nightmare','Invoke-NinjaCopy','Invoke-OxidResolver','Invoke-P0wnedshell','Invoke-Paranoia','Invoke-PortScan','Invoke-PoshRatHttp','Invoke-PoshRatHttps','Invoke-PostExfil','Invoke-Potato','Invoke-PowerDump','Invoke-PowerShellIcmp','Invoke-PowerShellTCP','Invoke-PowerShellUdp','Invoke-PowerShellWMI','Invoke-PPLDump','Invoke-Prasadhak','Invoke-ProcessHunter','Invoke-PsExec','Invoke-PSGcat','Invoke-PsGcatAgent','Invoke-PSInject','Invoke-PsUaCme','Invoke-ReflectivePEInjection','Invoke-ReverseDNSLookup','Invoke-RevertToSelf','Invoke-Rubeus','Invoke-RunAs','Invoke-SafetyKatz','Invoke-SauronEye','Invoke-SCShell','Invoke-Seatbelt','Invoke-ServiceAbuse','Invoke-SessionGopher','Invoke-ShareFinder','Invoke-SharpAllowedToAct','Invoke-SharpBlock','Invoke-SharpBypassUAC','Invoke-SharpChromium','Invoke-SharpClipboard','Invoke-SharpCloud','Invoke-SharpDPAPI','Invoke-SharpDump','Invoke-SharPersist','Invoke-SharpGPOAbuse','Invoke-SharpGPO-RemoteAccessPolicies','Invoke-SharpHandler','Invoke-SharpHide','Invoke-Sharphound2','Invoke-Sharphound3','Invoke-SharpHound4','Invoke-SharpImpersonation','Invoke-SharpImpersonationNoSpace','Invoke-SharpKatz','Invoke-SharpLdapRelayScan','Invoke-Sharplocker','Invoke-SharpLoginPrompt','Invoke-SharpMove','Invoke-SharpPrinter','Invoke-SharpPrintNightmare','Invoke-SharpRDP','Invoke-SharpSecDump','Invoke-Sharpshares','Invoke-SharpSniper','Invoke-SharpSploit','Invoke-SharpSpray','Invoke-SharpSSDP','Invoke-SharpStay','Invoke-SharpUp','Invoke-Sharpview','Invoke-SharpWatson','Invoke-Sharpweb','Invoke-Shellcode','Invoke-SMBAutoBrute','Invoke-SMBScanner','Invoke-Snaffler','Invoke-Spoolsample','Invoke-SSHCommand','Invoke-SSIDExfil','Invoke-StandIn','Invoke-StickyNot
esExtract','Invoke-Tater','Invoke-Thunderfox','Invoke-ThunderStruck','Invoke-TokenManipulation','Invoke-Tokenvator','Invoke-TroubleshootingPack','Invoke-UrbanBishop','Invoke-UserHunter','Invoke-UserImpersonation','Invoke-VoiceTroll','Invoke-WebRequest','Invoke-Whisker','Invoke-WinEnum','Invoke-winPEAS','Invoke-WireTap','Invoke-WmiCommand','Invoke-WMIMethod','Invoke-WScriptBypassUAC','Invoke-Zerologon','[IO.File]::SetCreationTime','[IO.File]::SetLastAccessTime','[IO.File]::SetLastWriteTime','IO.FileStream','ipmo "$Env:Appdata\\','ipmo ''$Env:Appdata\\','ipmo $Env:Appdata\\','ipmo "$Env:Temp\\','ipmo ''$Env:Temp\\','ipmo $Env:Temp\\','ipmo C:\\Users\\Public\\','iwr ','join','.kdb','.kdbx','kernel32','Keylogger','.LastAccessTime =','.LastWriteTime =','-like','Limit-EventLog ','/listcreds:','.Load','LoadLibrary','LoggedKeys',' logon_events ','LowThreatDefaultAction','LSA_UNICODE_STRING','MailRaider','mattifestation','-Members ','memcpy','Metasploit','-Method ','-MethodName ','Microsoft.CSharp.CSharpCodeProvider','\Microsoft\\Edge\\User Data\Default','Microsoft.Office.Interop.Outlook','Microsoft.Office.Interop.Outlook.olDefaultFolders','Microsoft.Win32.UnsafeNativeMethods','Mimikatz','MiniDumpWriteDump','ModerateThreatDefaultAction','-ModuleName ','-ModulePath ','Mount-DiskImage ','Move-Item','\Mozilla\Firefox\Profiles','MSAcpi_ThermalZoneTemperature','mshta','.msi','msvcrt','MsXml2.','-NameSe','-Namesp','-NameSpace','-Namespace root/subscription ','Net.Security.RemoteCertificateValidationCallback','Net.WebClient','New-CimInstance ','New-DomainGroup','New-DomainUser','New-HoneyHash','New-Item','New-LocalUser','new-object','(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')','(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1','(New-Object 
System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')','New-PSDrive','New-PSSession','New-ScheduledTask','New-ScheduledTaskAction','New-ScheduledTaskPrincipal','New-ScheduledTaskSettingsSet','New-ScheduledTaskTrigger','New-VM','Nishang',' -noni ','-noni',' -noninteractive ','-nop','-noprofile','NotAllNameSpaces','ntdll','OiCAAAAYInlM','OiJAAAAYInlM','-Online','OpenDesktop','OpenProcess','OpenProcessToken','OpenThreadToken','OpenWindowStation','\Opera Software\\Opera Stable\\Login Data','Out-CHM','OUT-DNSTXT','Out-File ','Out-HTA','Out-Minidump','Out-RundllCommand','Out-SCF','Out-SCT','Out-Shortcut','Out-WebQuery','Out-Word',' -p ','PAGE_EXECUTE_READ','Parse_Keys','.pass','-PassThru ','Password-List','-Pattern ','.pdf','-port ','Port-Scan','-Post ','PowerBreach','powercat ','powercat.ps1',' power_off ','Powerpreter','PowerUp','PowerView','.ppt','.pptx','-pr ',' process_kill ','-Profile','PromptForCredential','Properties.name','.PropertiesToLoad.Add','-Property ','PS ATTACK!!!','-psprovider ','psreadline','PS_ScheduledTask','PtrToString',' Put ','QueueUserApc',' -R','_RastaMouse','-RawData ','ReadProcessMemory','ReadProcessMemory.Invoke','readtoend','-recurse',' -Recurse ','-Recurse','[Reflection.Assembly]::Load($','Reflection.Emit.AssemblyBuilderAccess','Register-ScheduledTask','.RegisterXLL','Registry::','REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\',' registry_mod ','-RemoteFXvGPUDisablementFilePath',' remote_posh ','RemoteSigned','Remove-ADGroupMember','Remove-EtwTraceProvider ','Remove-EventLog ','Remove-FileShare','Remove-Item','Remove-LocalUser','Remove-Module','Remove-MpPreference','Remove-Persistence','Remove-PoshRat','Remove-RemoteConnection','Remove-SmbShare','Remove-Update','Remove-WmiObject','Rename-LocalUser','Request-SPNTicket','Resolve-IPAddress','RevertToSelf','-root 
','Root\\\Microsoft\\\Windows\\\TaskScheduler','.rtf','RtlCreateUserThread','.run','runAfterCancelProcess','rundll32','rundll32.exe','Run-EXEonRemote','Runtime.InteropServices.DllImportAttribute','SaveNothing',' sched_job ','-ScriptBlock ','secur32','SECURITY_DELEGATION','select-object','select-string ','.Send(','Send-MailMessage','SE_PRIVILEGE_ENABLED','-Server ',' service_mod ','set','Set-ADObject','set-content','Set-DCShadowPermissions','Set-DomainObject','Set-DomainUserPassword','Set-EtwTraceProvider ','Set-ExecutionPolicy','-ExecutionPolicy bypass','Set-ItemProperty','Set-LocalUser','Set-MacAttribute','Set-MpPreference','Set-NetFirewallProfile','Set-PSReadlineOption','Set-RemotePSRemoting','Set-RemoteWMI','SetThreadToken','Set-VMFirmware','Set-Wallpaper','shell32.dll','Shellcode32','Shellcode64','shellexec_rundll','.ShellExecute(','ShellSmartScreenLevel','Show-TargetScreen','SilentlyContinue','SMB1Protocol','\software\\','\\SOFTWARE\\Policies\\Microsoft\\Windows\\System','Start-BitsTransfer','Start-CaptureServer','Start-Dnscat2','Start-Process','Start-VM','Start-WebcamRecorder','-stream','StringtoBase64','SuspendThread','SyncAppvPublishingServer.exe','SyncInvoke','System.CodeDom.Compiler.CompilerParameters','System.DirectoryServices.AccountManagement','System.DirectoryServices.DirectorySearcher','System.DirectoryServices.Protocols.LdapConnection','System.DirectoryServices.Protocols.LdapDirectoryIdentifier','[System.Environment]::UserName','System.IdentityModel.Tokens.KerberosRequestorSecurityToken','system.io.compression.deflatestream','system.io.streamreader','[System.Net.HttpWebRequest]','System.Net.NetworkCredential','System.Net.NetworkInformation.Ping','System.Net.Security.SslStream','System.Net.Sockets.TcpListener','system.net.webclient','System.Net.WebClient','SystemParametersInfo(20,0,,3)','[System.Reflection.Assembly]::Load($','System.Reflection.Assembly.Load($','System.Reflection.AssemblyName','[System.Runtime.InteropServices.RuntimeEnvironment]::GetRu
ntimeDirectory())','[System.Security.Principal.WindowsIdentity]::GetCurrent()','System.Xml.XmlDocument','TelnetServer','Test-AdminAccess','Test-NetConnection','text.encoding]::ascii','TexttoExe','TFTP','tifkin_','-Exec bypass','TOKEN_ADJUST_PRIVILEGES','TOKEN_ALL_ACCESS','TOKEN_ASSIGN_PRIMARY','TOKEN_DUPLICATE','TOKEN_ELEVATION','TOKEN_IMPERSONATE','TOKEN_INFORMATION_CLASS','TOKEN_PRIVILEGES','TOKEN_QUERY','.txt',"2013HistorySaveStyle",'-Unattended','Unblock-File ','Unrestricted','Update-Help','useraccountcontrol','-UserAgent ',' vacant_system ','-Value','vaultcmd','vbscript:createobject','VirtualAlloc','VirtualFree','VirtualProtect','"virus"','VolumeShadowCopyTools',' -w ','WaitForSingleObject','WallPaper','Web Credentials','wget ',' -w hidden ','Win32_ComputerSystem','Win32_Group','Win32_PnPEntity','Win32_Product ','Win32_QuickFixEngineering','win32_shadowcopy','Win32_Shadowcopy','(window.close)',' -window hidden ','Windows Credentials','Windows-Defender','Windows-Defender-ApplicationGuard','Windows-Defender-Features','import-module ActiveDirectory','Windows-Defender-Gui','Windows.Security.Credentials.PasswordVault','\Windows\\System32','\Windows\\SysWOW64','-windowstyle','WindowStyle',' -windowstyle hidden ','WMImplant','Write-ChocolateyWarning','Write-EventLog','WriteInt32','WriteProcessMemory','.xls','.xlsx','XmlHttp','ZeroFreeGlobalAllocUnicode','UploadData'] +# 定义PowerShell 相关的可疑列表 all_suspicious_powershell = ["%comspec%", "wscript.exe", "regsvr32.exe", "mshta.exe", "\\csc.exe", 'whoami.exe', '\\pl.exe', '\\nc.exe', 'nmap.exe', 'psexec.exe', 'psexesvc.exe', 'plink.exe', 'kali', 'mimikatz', 'procdump.exe', 'dcom.exe', 'Inveigh.exe', 'LockLess.exe', 'Logger.exe', 'PBind.exe', 'Rubeus.exe', 
@@ -305,445 +308,444 @@ Medium_powershell={'select-object','-Property ','bypass','get-itemProperty','Get -Suspicious_process_found = [] -User_SIDs = [{'User': [], 'SID': []}] +Suspicious_process_found = [] # 可疑进程列表 +User_SIDs = [{'User': [], 'SID': []}] # 用户及其安全标识符(SID)列表 Suspicious_Path = ['\\temp\\', '//temp//', '/temp/', '//windows//temp//', '/windows/temp/', '\\windows\\temp\\', - '\\appdata\\', '/appdata/', '//appdata//', '//programdata//', '\\programdata\\', '/programdata/'] + '\\appdata\\', '/appdata/', '//appdata//', '//programdata//', '\\programdata\\', '/programdata/'] # 可疑路径列表 Usual_Path = ['\\Windows\\System32\\', '/Windows/System32/', '//Windows//System32//', '\\Windows\\', '/Windows/', '//Windows//', 'Program Files', '\\Windows\\SysWOW64\\', '/Windows/SysWOW64/', '//Windows//SysWOW64//', - '\\Windows\\Cluster\\', '/Windows/Cluster/', '//Windows//Cluster//'] -Pass_the_hash_users = [{'User': [], 'Number of Logins': [], 'Reached': []}] -Logon_Events = [ + '\\Windows\\Cluster\\', '/Windows/Cluster/', '//Windows//Cluster//'] # 常见路径列表 +Pass_the_hash_users = [{'User': [], 'Number of Logins': [], 'Reached': []}] # 通过哈希值登录的用户信息 +Logon_Events = [ # 登录事件列表 {'Date and Time': [], 'timestamp': [], 'Event ID': [], 'Account Name': [], 'Account Domain': [], 'Logon Type': [], 'Logon Process': [], 'Source IP': [], 'Workstation Name': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Executed_Process_Events = [ - {'DateTime': [], 'timestamp': [], 'EventID': [], 'ProcessName': [], 'User': [], 'ParentProcessName':[], +Executed_Process_Events = [ # 执行的进程事件列表 + {'DateTime': [], 'timestamp': [], 'EventID': [], 'ProcessName': [], 'User': [], 'ParentProcessName': [], 'RawLog': []}] -Object_Access_Events = [ +Object_Access_Events = [ # 对象访问事件列表 {'Date and Time': [], 'timestamp': [], 'Event ID': [], 'Account Name': [], 'Object Name': [], 'Object Type': [], 'Process Name': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] 
-TerminalServices_Summary = [{'User': [], 'Number of Logins': []}] -Security_Authentication_Summary = [{'User': [], 'Number of Failed Logins': [], 'Number of Successful Logins': []}] -Executed_Process_Summary = [{'Process Name': [], 'Number of Execution': []}] -Executed_Powershell_Summary=[{'Command': [], 'Number of Execution': []}] -critical_services = ["Software Protection", "Network List Service", "Network Location Awareness", "Windows Event Log"] +TerminalServices_Summary = [{'User': [], 'Number of Logins': []}] # 终端服务摘要 +Security_Authentication_Summary = [{'User': [], 'Number of Failed Logins': [], 'Number of Successful Logins': []}] # 安全认证摘要 +Executed_Process_Summary = [{'Process Name': [], 'Number of Execution': []}] # 执行进程摘要 +Executed_Powershell_Summary = [{'Command': [], 'Number of Execution': []}] # 执行的 PowerShell 命令摘要 +critical_services = ["Software Protection", "Network List Service", "Network Location Awareness", "Windows Event Log"] # 关键服务列表 -whitelisted = ['MpKslDrv', 'CreateExplorerShellUnelevatedTask'] +whitelisted = ['MpKslDrv', 'CreateExplorerShellUnelevatedTask'] # 白名单中的进程 Sysmon_events = [{'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], - 'Original Event Log': []}] + 'Original Event Log': []}] # Sysmon 事件列表 WinRM_events = [{'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], - 'Event Description': [],'UserID': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] - - -Security_events = [{'Date and Time': [] -, 'timestamp': [] -, 'Detection Rule': [] -, 'Severity': [] -, 'Detection Domain': [] -, - 'Event Description': [] -, 'Event ID': [] -, 'Computer Name': [] -, 'Channel': [] -, + 'Event Description': [], 'UserID': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] # WinRM 事件列表 + +Security_events = [{'Date 
and Time': [], # 安全事件列表 + 'timestamp': [], + 'Detection Rule': [], + 'Severity': [], + 'Detection Domain': [], + 'Event Description': [], + 'Event ID': [], + 'Computer Name': [], + 'Channel': [], 'Original Event Log': [] }] -#Security_events =manager.dict({'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}) +# Security_events = manager.dict({'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}) System_events = [{'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Service Name': [], 'Image Path': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], - 'Channel': [], 'Original Event Log': []}] -ScheduledTask_events = [ + 'Channel': [], 'Original Event Log': []}] # 系统事件列表 +ScheduledTask_events = [ # 计划任务事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Schedule Task Name': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Powershell_events = [ +Powershell_events = [ # PowerShell 事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Powershell_Operational_events = [ +Powershell_Operational_events = [ # PowerShell 操作事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -TerminalServices_events = [ +TerminalServices_events = [ # 终端服务事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': 
[], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'User': [], 'Source IP': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -TerminalServices_RDPClient_events = [ +TerminalServices_RDPClient_events = [ # 终端服务 RDP 客户端事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'UserID': [], 'Source IP': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Windows_Defender_events = [ +Windows_Defender_events = [ # Windows Defender 事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Group_Policy_events = [ +Group_Policy_events = [ # 组策略事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Group Policy Name': [], 'Policy Extension Name': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -SMB_Server_events = [ +SMB_Server_events = [ # SMB 服务器事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Client Address': [], 'UserName': [], 'Share Name': [], 'File Name': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -SMB_Client_events = [ +SMB_Client_events = [ # SMB 客户端事件列表 {'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Share Name': [], 'File Name': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}] -Timesketch_events = [ +Timesketch_events = [ # Timesketch 事件列表 {'message': [], 'timestamp': [], 'datetime': [], 'timestamp_desc': [], 'Event Description': [], 'Severity': [], 'Detection Domain': [], 'Event ID': [], 'Computer Name': [], 
'Channel': [], 'Original Event Log': []}] -#Group_Policy_events = manager.dict({'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Group Policy Name': [], 'Policy Extension Name': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}) -Frequency_Analysis_Security={} -Frequency_Analysis_Windows_Defender={} -Frequency_Analysis_SMB_Client={} -Frequency_Analysis_Group_Policy={} -Frequency_Analysis_Powershell_Operational={} -Frequency_Analysis_Powershell={} -Frequency_Analysis_ScheduledTask={} -Frequency_Analysis_WinRM={} -Frequency_Analysis_System={} -Frequency_Analysis_Sysmon={} -Frequency_Analysis_SMB_Server={} -Frequency_Analysis_TerminalServices={} -#======================= -#Regex for security logs +# Group_Policy_events = manager.dict({'Date and Time': [], 'timestamp': [], 'Detection Rule': [], 'Severity': [], 'Detection Domain': [], 'Event Description': [], 'Group Policy Name': [], 'Policy Extension Name': [], 'Event ID': [], 'Computer Name': [], 'Channel': [], 'Original Event Log': []}) # 组策略事件的管理字典 +Frequency_Analysis_Security = {} # 安全事件频率分析字典 +Frequency_Analysis_Windows_Defender = {} # Windows Defender 事件频率分析字典 +Frequency_Analysis_SMB_Client = {} # SMB 客户端事件频率分析字典 +Frequency_Analysis_Group_Policy = {} # 组策略事件频率分析字典 +Frequency_Analysis_Powershell_Operational = {} # PowerShell 操作事件频率分析字典 +Frequency_Analysis_Powershell = {} # PowerShell 事件频率分析字典 +Frequency_Analysis_ScheduledTask = {} # 计划任务事件频率分析字典 +Frequency_Analysis_WinRM = {} # WinRM 事件频率分析字典 +Frequency_Analysis_System = {} # 系统事件频率分析字典 +Frequency_Analysis_Sysmon = {} # Sysmon 事件频率分析字典 +Frequency_Analysis_SMB_Server = {} # SMB 服务器事件频率分析字典 +Frequency_Analysis_TerminalServices = {} # 终端服务事件频率分析字典 -EventID_rex = re.compile('(.*)<\/EventID>', re.IGNORECASE) +# ======================= +# Regex for security logs # 安全日志的正则表达式 -Logon_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +EventID_rex = 
re.compile('(.*)<\/EventID>', re.IGNORECASE) # 匹配事件 ID 的正则表达式 +Logon_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配登录类型的正则表达式 -Account_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Account_Name_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Account_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配账户名称的正则表达式 +Account_Name_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配目标账户名称的正则表达式 +Security_ID_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配安全 ID 的正则表达式 +Security_ID_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配目标安全 ID 的正则表达式 -Security_ID_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Security_ID_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Account_Domain_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配账户域的正则表达式 +Account_Domain_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配目标账户域的正则表达式 -Account_Domain_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Account_Domain_Target_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Workstation_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配工作站名称的正则表达式 -Workstation_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Source_Network_Address_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配源网络地址的正则表达式 -Source_Network_Address_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Logon_Process_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配登录进程名称的正则表达式 -Logon_Process_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Key_Length_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配密钥长度的正则表达式 -Key_Length_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +AccessMask_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配访问掩码的正则表达式 -AccessMask_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Process_Command_Line_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配进程命令行的正则表达式 -Process_Command_Line_rex=re.compile('(.*)|(.*)', re.IGNORECASE) +New_Process_Name_rex = re.compile('(.*)', re.IGNORECASE) # 匹配新进程名称的正则表达式 -New_Process_Name_rex=re.compile('(.*)', re.IGNORECASE) +TicketOptions_rex = re.compile('(.*)|(.*)', 
re.IGNORECASE) # 匹配票据选项的正则表达式 +TicketEncryptionType_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配票据加密类型的正则表达式 +ServiceName_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务名称的正则表达式 -TicketOptions_rex=re.compile('(.*)|(.*)', re.IGNORECASE) -TicketEncryptionType_rex=re.compile('(.*)|(.*)', re.IGNORECASE) -ServiceName_rex=re.compile('(.*)|(.*)', re.IGNORECASE) +Group_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配组名称的正则表达式 -Group_Name_rex=re.compile('(.*)|(.*)', re.IGNORECASE) +Task_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配任务名称的正则表达式 -Task_Name_rex=re.compile('(.*)|(.*)', re.IGNORECASE) +Task_Command_rex = re.compile('(.*)', re.IGNORECASE) # 匹配任务命令的正则表达式 -Task_Command_rex=re.compile('(.*)', re.IGNORECASE) +Task_args_rex = re.compile('(.*)', re.IGNORECASE) # 匹配任务参数的正则表达式 -Task_args_rex=re.compile('(.*)', re.IGNORECASE) +Process_Name_sec_rex = re.compile('(.*)|(.*)|(.*)|(.*)', re.IGNORECASE) # 匹配进程名称的正则表达式 -Process_Name_sec_rex = re.compile('(.*)|(.*)|(.*)|(.*)', re.IGNORECASE) +Parent_Process_Name_sec_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配父进程名称的正则表达式 -Parent_Process_Name_sec_rex=re.compile('(.*)|(.*)', re.IGNORECASE) +Category_sec_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配类别 ID 的正则表达式 +Subcategory_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配子类别 ID 的正则表达式 -Category_sec_rex= re.compile('(.*)|(.*)', re.IGNORECASE) +Changes_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配审计策略更改的正则表达式 -Subcategory_rex= re.compile('(.*)|(.*)', re.IGNORECASE) +Member_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配成员名称的正则表达式 +Member_Sid_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配成员 SID 的正则表达式 -Changes_rex= re.compile('(.*)|(.*)', re.IGNORECASE) +ShareName_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配共享名称的正则表达式 -Member_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Member_Sid_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +ShareLocalPath_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配共享本地路径的正则表达式 +Object_Name_rex = 
re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配对象名称的正则表达式 -ShareName_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +ObjectType_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配对象类型的正则表达式 -ShareLocalPath_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Object_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +ObjectServer_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配对象服务器的正则表达式 +ObjectProcessName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配对象进程名称的正则表达式 -ObjectType_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +# ======================= +# Regex for windows defender logs # Windows Defender 日志的正则表达式 -ObjectServer_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -ObjectProcessName_rex = re.compile('(.*)', re.IGNORECASE) +Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配威胁名称的正则表达式 +Severity_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配严重程度名称的正则表达式 -#======================= -#Regex for windows defender logs +Category_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配类别名称的正则表达式 -Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Path_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配路径的正则表达式 -Severity_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Defender_Remediation_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配修复用户的正则表达式 -Category_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Defender_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配用户的正则表达式 -Path_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Process_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配进程名称的正则表达式 -Defender_Remediation_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Action_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配操作 ID 的正则表达式 -Defender_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Process_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +# ======================= +# Regex for system logs # 系统日志的正则表达式 -Action_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +Service_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务名称的正则表达式 +Service_File_Name_rex = re.compile('(.*)|(.*)', 
re.IGNORECASE) # 匹配服务文件路径的正则表达式 +Service_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务类型的正则表达式 +Service_Account_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务账户名称的正则表达式 +State_Service_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务状态名称的正则表达式 +State_Service_Old_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务状态旧值的正则表达式 +State_Service_New_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务状态新值的正则表达式 +Service_Start_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配服务启动类型的正则表达式 -#======================= -#Regex for system logs -Service_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Service_File_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Service_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Service_Account_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -State_Service_Name_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -State_Service_Old_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -State_Service_New_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Service_Start_Type_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +# ======================= +# Regex for task scheduler logs # 任务调度器日志的正则表达式 +Task_Name = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配任务名称的正则表达式 +Task_Registered_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配注册用户上下文的正则表达式 +Task_Deleted_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配删除用户的正则表达式 +Task_Image_Path_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配任务图像路径的正则表达式 -#======================= -#Regex for task scheduler logs -Task_Name = re.compile('(.*)|(.*)', re.IGNORECASE) -Task_Registered_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Task_Deleted_User_rex = re.compile('(.*)|(.*)', re.IGNORECASE) -Task_Image_Path_rex = re.compile('(.*)|(.*)', re.IGNORECASE) +# ======================= +# Regex for powershell operational logs # PowerShell 操作日志的正则表达式 +Powershell_ContextInfo = re.compile('(.*)', re.IGNORECASE) # 匹配上下文信息的正则表达式 +Powershell_Payload = re.compile('(.*)', re.IGNORECASE) # 匹配有效负载的正则表达式 
+Powershell_ScriptBlockText = re.compile('(.*)', re.IGNORECASE) # 匹配脚本块文本的正则表达式 +Powershell_Path = re.compile('(.*)', re.IGNORECASE) # 匹配路径的正则表达式 +Host_Application_rex = re.compile('Host Application = (.*)') # 匹配主机应用程序的正则表达式 +Command_Name_rex = re.compile('Command Name = (.*)') # 匹配命令名称的正则表达式 +Command_Type_rex = re.compile('Command Type = (.*)') # 匹配命令类型的正则表达式 +Engine_Version_rex = re.compile('Engine Version = (.*)') # 匹配引擎版本的正则表达式 +User_rex = re.compile('User = (.*)') # 匹配用户的正则表达式 +Error_Message_rex = re.compile('Error Message = (.*)') # 匹配错误消息的正则表达式 -#====================== -#Regex for powershell operational logs -Powershell_ContextInfo= re.compile('(.*)', re.IGNORECASE) -Powershell_Payload= re.compile('(.*)', re.IGNORECASE) -Powershell_ScriptBlockText= re.compile('(.*)', re.IGNORECASE) -Powershell_Path= re.compile('(.*)', re.IGNORECASE) +# ======================= +# Regex for powershell logs # PowerShell 日志的正则表达式 +HostApplication_rex = re.compile('HostApplication=(.*)') # 匹配主机应用程序的正则表达式 +CommandLine_rex = re.compile('CommandLine=(.*)') # 匹配命令行的正则表达式 +ScriptName_rex = re.compile('ScriptName=(.*)') # 匹配脚本名称的正则表达式 +EngineVersion_rex = re.compile('EngineVersion=(.*)') # 匹配引擎版本的正则表达式 +UserId_rex = re.compile('UserId=(.*)') # 匹配用户 ID 的正则表达式 +ErrorMessage_rex = re.compile('ErrorMessage=(.*)') # 匹配错误消息的正则表达式 -Host_Application_rex = re.compile('Host Application = (.*)') -Command_Name_rex = re.compile('Command Name = (.*)') -Command_Type_rex = re.compile('Command Type = (.*)') -Engine_Version_rex = re.compile('Engine Version = (.*)') -User_rex = re.compile('User = (.*)') -Error_Message_rex = re.compile('Error Message = (.*)') +# ======================= +# TerminalServices Local Session Manager Logs # 终端服务本地会话管理器日志 +# Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)') # 匹配源网络地址的正则表达式 +# Source_Network_Address_Terminal_rex= re.compile('
(.*)
') # 匹配地址的正则表达式 +Source_Network_Address_Terminal_rex = re.compile('
((\d{1,3}\.){3}\d{1,3})
') # 匹配源网络地址的正则表达式 +Source_Network_Address_Terminal_NotIP_rex = re.compile('
(.*)
') # 匹配非 IP 地址的正则表达式 +User_Terminal_rex = re.compile('User>(.*)') # 匹配用户的正则表达式 +Session_ID_rex = re.compile('(.*)') # 匹配会话 ID 的正则表达式 -#====================== -#Regex for powershell logs -HostApplication_rex = re.compile('HostApplication=(.*)') -CommandLine_rex = re.compile('CommandLine=(.*)') -ScriptName_rex = re.compile('ScriptName=(.*)') -EngineVersion_rex = re.compile('EngineVersion=(.*)') -UserId_rex = re.compile('UserId=(.*)') -ErrorMessage_rex = re.compile('ErrorMessage=(.*)') -#====================== -#TerminalServices Local Session Manager Logs -#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)') -#Source_Network_Address_Terminal_rex= re.compile('
(.*)
') -Source_Network_Address_Terminal_rex= re.compile('
((\d{1,3}\.){3}\d{1,3})
') -Source_Network_Address_Terminal_NotIP_rex= re.compile('
(.*)
') -User_Terminal_rex=re.compile('User>(.*)') -Session_ID_rex=re.compile('(.*)') -#====================== -#TerminalServices RDP Client Logs -UserID_RDPCLIENT_rex= re.compile('(.*)') -ServerName_RDPCLIENT_rex= re.compile('(.*)') -IP_RDPCLIENT_rex= re.compile('(.*)') -#====================== -#Microsoft-Windows-WinRM logs -Connection_rex=re.compile('(.*)|(.*)', re.IGNORECASE) -Winrm_UserID_rex=re.compile('.*)\'\/><\/System>""") -#src_device_rex=re.compile("""(?.*)<\/Computer>""") -#====================== -#Sysmon Logs -Sysmon_CommandLine_rex=re.compile("(.*)") -Sysmon_ProcessGuid_rex=re.compile("(.*)") -Sysmon_ProcessId_rex=re.compile("(.*)") -Sysmon_Image_rex=re.compile("(.*)") -Sysmon_FileVersion_rex=re.compile("(.*)") -Sysmon_Company_rex=re.compile("(.*)") -Sysmon_Product_rex=re.compile("(.*)") -Sysmon_Description_rex=re.compile("(.*)") -Sysmon_User_rex=re.compile("(.*)") -Sysmon_LogonGuid_rex=re.compile("(.*)") -Sysmon_TerminalSessionId_rex=re.compile("(.*)") -Sysmon_Hashes_MD5_rex=re.compile("(.*)") -Sysmon_ParentProcessId_rex=re.compile("(.*)") -Sysmon_ParentImage_rex=re.compile("(.*)") -Sysmon_ParentCommandLine_rex=re.compile("(.*)") -Sysmon_CurrentDirectory_rex=re.compile("(.*)") -Sysmon_OriginalFileName_rex=re.compile("(.*)") -Sysmon_TargetObject_rex=re.compile("(.*)") +# ======================= +# TerminalServices RDP Client Logs # 终端服务 RDP 客户端日志 +UserID_RDPCLIENT_rex = re.compile('(.*)') # 匹配跟踪消息的正则表达式 +ServerName_RDPCLIENT_rex = re.compile('(.*)') # 匹配服务器名称的正则表达式 +IP_RDPCLIENT_rex = re.compile('(.*)') # 匹配 IP 地址的正则表达式 + +# ======================= +# Microsoft-Windows-WinRM logs # Microsoft-Windows-WinRM 日志 +Connection_rex = re.compile('(.*)|(.*)', re.IGNORECASE) # 匹配连接的正则表达式 +Winrm_UserID_rex = re.compile('.*)\'\/><\/System>""") # 匹配用户 ID 的正则表达式 +# src_device_rex = re.compile("""(?.*)<\/Computer>""") # 匹配源设备的正则表达式 +# ======================= +# Sysmon Logs # Sysmon 日志 +Sysmon_CommandLine_rex = re.compile("(.*)") # 匹配命令行的正则表达式 +Sysmon_ProcessGuid_rex = 
re.compile("(.*)") # 匹配进程 GUID 的正则表达式
+Sysmon_ProcessId_rex = re.compile("(.*)") # 匹配进程 ID 的正则表达式
+Sysmon_Image_rex = re.compile("(.*)") # 匹配图像的正则表达式
+Sysmon_FileVersion_rex = re.compile("(.*)") # 匹配文件版本的正则表达式
+Sysmon_Company_rex = re.compile("(.*)") # 匹配公司名称的正则表达式
+Sysmon_Product_rex = re.compile("(.*)") # 匹配产品名称的正则表达式
+Sysmon_Description_rex = re.compile("(.*)") # 匹配描述的正则表达式
+Sysmon_User_rex = re.compile("(.*)") # 匹配用户的正则表达式
+Sysmon_LogonGuid_rex = re.compile("(.*)") # 匹配登录 GUID 的正则表达式
+Sysmon_TerminalSessionId_rex = re.compile("(.*)") # 匹配终端会话 ID 的正则表达式
+Sysmon_Hashes_MD5_rex = re.compile("(.*)") # 匹配父进程 GUID 的正则表达式
+Sysmon_ParentProcessId_rex = re.compile("(.*)") # 匹配父进程 ID 的正则表达式
+Sysmon_ParentImage_rex = re.compile("(.*)") # 匹配父图像的正则表达式
+Sysmon_ParentCommandLine_rex = re.compile("(.*)") # 匹配父命令行的正则表达式
+Sysmon_CurrentDirectory_rex = re.compile("(.*)") # 匹配当前目录的正则表达式
+Sysmon_OriginalFileName_rex = re.compile("(.*)") # 匹配原始文件名的正则表达式
+Sysmon_TargetObject_rex = re.compile("(.*)") # 匹配目标对象的正则表达式
 #########
-#Sysmon event ID 3
-Sysmon_Protocol_rex=re.compile("(.*)")
-Sysmon_SourceIp_rex=re.compile("(.*)")
-Sysmon_SourceHostname_rex=re.compile("(.*)")
-Sysmon_SourcePort_rex=re.compile("(.*)")
-Sysmon_DestinationIp_rex=re.compile("(.*)")
-Sysmon_DestinationHostname_rex=re.compile("(.*)")
-Sysmon_DestinationPort_rex=re.compile("(.*)")
+# Sysmon event ID 3 # Sysmon 事件 ID 3
+Sysmon_Protocol_rex = re.compile("(.*)") # 匹配协议的正则表达式
+Sysmon_SourceIp_rex = re.compile("(.*)") # 匹配源 IP 的正则表达式
+Sysmon_SourceHostname_rex = re.compile("(.*)") # 匹配源主机名的正则表达式
+Sysmon_SourcePort_rex = re.compile("(.*)") # 匹配源端口的正则表达式
+Sysmon_DestinationIp_rex = re.compile("(.*)") # 匹配目标 IP 的正则表达式
+Sysmon_DestinationHostname_rex = re.compile("(.*)") # 匹配目标主机名的正则表达式
+Sysmon_DestinationPort_rex = re.compile("(.*)") # 匹配目标端口的正则表达式
 #########
-#Sysmon event ID 8
-Sysmon_StartFunction_rex=re.compile("(.*)")
-Sysmon_StartModule_rex=re.compile("(.*)")
-Sysmon_TargetImage_rex=re.compile("(.*)")
-Sysmon_SourceImage_rex=re.compile("(.*)")
-Sysmon_SourceProcessId_rex=re.compile("(.*)")
-Sysmon_SourceProcessGuid_rex=re.compile("(.*)")
-Sysmon_TargetProcessGuid_rex=re.compile("(.*)")
-Sysmon_TargetProcessId_rex=re.compile("(.*)")
+# Sysmon event ID 8 # Sysmon 事件 ID 8
+Sysmon_StartFunction_rex = re.compile("(.*)") # 匹配启动函数的正则表达式
+Sysmon_StartModule_rex = re.compile("(.*)") # 匹配启动模块的正则表达式
+Sysmon_TargetImage_rex = re.compile("(.*)") # 匹配目标图像的正则表达式
+Sysmon_SourceImage_rex = re.compile("(.*)") # 匹配源图像的正则表达式
+Sysmon_SourceProcessId_rex = re.compile("(.*)") # 匹配源进程 ID 的正则表达式
+Sysmon_SourceProcessGuid_rex = re.compile("(.*)") # 匹配源进程 GUID 的正则表达式
+Sysmon_TargetProcessGuid_rex = re.compile("(.*)") # 匹配目标进程 GUID 的正则表达式
+Sysmon_TargetProcessId_rex = re.compile("(.*)") # 匹配目标进程 ID 的正则表达式
+
 #########
-Sysmon_ImageLoaded_rex=re.compile("(.*)")
-Sysmon_GrantedAccess_rex=re.compile("(.*)")
-Sysmon_CallTrace_rex=re.compile("(.*)")
-Sysmon_Details_rex=re.compile("(.*)")
-Sysmon_PipeName_rex=re.compile("(.*)")
-
-Sysmon_ImageLoaded_rex=re.compile("(.*)")
-Sysmon_GrantedAccess_rex=re.compile("(.*)")
-Sysmon_CallTrace_rex=re.compile("(.*)")
-Sysmon_Details_rex=re.compile("(.*)")
-Sysmon_PipeName_rex=re.compile("(.*)")
+Sysmon_ImageLoaded_rex = re.compile("(.*)") # 匹配加载的图像的正则表达式
+Sysmon_GrantedAccess_rex = re.compile("(.*)") # 匹配授予的访问权限的正则表达式
+Sysmon_CallTrace_rex = re.compile("(.*)") # 匹配调用跟踪的正则表达式
+Sysmon_Details_rex = re.compile("(.*)") # 匹配详细信息的正则表达式
+Sysmon_PipeName_rex = re.compile("(.*)") # 匹配管道名称的正则表达式
+
+Sysmon_ImageLoaded_rex = re.compile("(.*)") # 匹配加载的图像的正则表达式
+Sysmon_GrantedAccess_rex = re.compile("(.*)") # 匹配授予的访问权限的正则表达式
+Sysmon_CallTrace_rex = re.compile("(.*)") # 匹配调用跟踪的正则表达式
+Sysmon_Details_rex = re.compile("(.*)") # 匹配详细信息的正则表达式
+Sysmon_PipeName_rex = re.compile("(.*)") # 匹配管道名称的正则表达式
 ##########
-Channel_rex = re.compile('(.*)<\/Channel>', re.IGNORECASE)
-Computer_rex = re.compile('(.*)<\/Computer>', re.IGNORECASE)
+Channel_rex = re.compile('(.*)<\/Channel>', re.IGNORECASE) # 匹配通道的正则表达式
+Computer_rex = re.compile('(.*)<\/Computer>', re.IGNORECASE) # 匹配计算机名称的正则表达式
 ##########
-Extension_ID_rex = re.compile('(.*)<\/Data>', re.IGNORECASE)
-Extension_Name_rex = re.compile('(.*)<\/Data>', re.IGNORECASE)
-Polcies_Name_rex = re.compile('((.*)\n){1,5}', re.IGNORECASE)
-GPO_List_rex = re.compile('(.*)<\/Data>', re.IGNORECASE)
+Extension_ID_rex = re.compile('(.*)<\/Data>', re.IGNORECASE) # 匹配扩展 ID 的正则表达式
+Extension_Name_rex = re.compile('(.*)<\/Data>', re.IGNORECASE) # 匹配扩展名称的正则表达式
+Polcies_Name_rex = re.compile('((.*)\n){1,5}', re.IGNORECASE) # 匹配策略名称的正则表达式
+GPO_List_rex = re.compile('(.*)<\/Data>', re.IGNORECASE) # 匹配适用的 GPO 列表的正则表达式
 ###########
-#SMB Server Regex
-SMB_Server_Username_rex = re.compile('(.*)', re.IGNORECASE)
-SMB_Server_ClientName_rex = re.compile('(.*)', re.IGNORECASE)
-SMB_Server_ShareName_rex = re.compile('(.*)', re.IGNORECASE)
-SMB_Server_FileName_rex = re.compile('(.*)', re.IGNORECASE)
+# SMB Server Regex # SMB 服务器的正则表达式
+SMB_Server_Username_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 服务器用户名的正则表达式
+SMB_Server_ClientName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 服务器客户端名称的正则表达式
+SMB_Server_ShareName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 服务器共享名称的正则表达式
+SMB_Server_FileName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 服务器文件名称的正则表达式
 ##########
-#SMB Client Regex
-SMB_Client_ShareName_rex = re.compile('(.*)', re.IGNORECASE)
-SMB_Client_ObjectName_rex = re.compile('(.*)', re.IGNORECASE)
+# SMB Client Regex # SMB 客户端的正则表达式
+SMB_Client_ShareName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 客户端共享名称的正则表达式
+SMB_Client_ObjectName_rex = re.compile('(.*)', re.IGNORECASE) # 匹配 SMB 客户端对象名称的正则表达式
 #############
-#SMB Client Regex
+# SMB Client Regex # SMB 客户端的正则表达式
+UserProfile_SID_rex = re.compile('(.*)', re.IGNORECASE) # 匹配用户配置文件 SID 的正则表达式
+UserProfile_File_rex = re.compile('(.*)', re.IGNORECASE) # 匹配用户配置文件文件的正则表达式
-UserProfile_SID_rex = re.compile('(.*)', re.IGNORECASE)
-UserProfile_File_rex = re.compile('(.*)', re.IGNORECASE)
+input_timzone = timezone("UTC") # 设置输入时区为 UTC
+timestart = None # 初始化开始时间
+timeend = None # 初始化结束时间
-input_timzone=timezone("UTC")
-timestart=None
-timeend=None
-def detect_events_security_log(file_name, shared_data):
+def detect_events_security_log(file_name, shared_data): # 定义检测安全日志事件的函数
- global input_timzone, timestart, timeend,Security_events,initial,output,logons
- tic = time.time()
- input_timzone = shared_data["input_timezone"]
- timestart = shared_data["timestart"]
- timeend = shared_data["timeend"]
- objectaccess = shared_data["objectaccess"]
- processexec = shared_data["processexec"]
- logons = shared_data["logons"]
- frequencyanalysis = shared_data["frequencyanalysis"]
- allreport = shared_data["allreport"]
- output = shared_data["output"]
+ global input_timzone, timestart, timeend, Security_events, initial, output, logons # 声明全局变量
+ tic = time.time() # 记录当前时间
+ input_timzone = shared_data["input_timezone"] # 从共享数据中获取输入时区
+ timestart = shared_data["timestart"] # 从共享数据中获取开始时间
+ timeend = shared_data["timeend"] # 从共享数据中获取结束时间
+ objectaccess = shared_data["objectaccess"] # 从共享数据中获取对象访问信息
+ processexec = shared_data["processexec"] # 从共享数据中获取进程执行信息
+ logons = shared_data["logons"] # 从共享数据中获取登录信息
+ frequencyanalysis = shared_data["frequencyanalysis"] # 从共享数据中获取频率分析信息
+ allreport = shared_data["allreport"] # 从共享数据中获取所有报告信息
+ output = shared_data["output"] # 从共享数据中获取输出信息
+ if 1 == 1: # 这是一个始终为真的条件
+ # print("in")
+ # print(file_name)
- if 1==1:
- #print("in")
- #print(file_name)
+ parser = PyEvtxParser(file_name) # 创建事件日志解析器
+ for record in parser.records(): # 遍历解析的每一条记录
- parser = PyEvtxParser(file_name)
- for record in parser.records():
+ EventID = EventID_rex.findall(record['data']) # 查找事件 ID
+ Computer = Computer_rex.findall(record['data']) # 查找计算机名称
+ Channel = Channel_rex.findall(record['data']) # 查找通道信息
+ # print(EventID[0])
+ # print(f'Event Record ID: {record["event_record_id"]}')
+ # print(f'Event Timestamp: {record["timestamp"]}')
- EventID = EventID_rex.findall(record['data'])
- Computer = Computer_rex.findall(record['data'])
- Channel = Channel_rex.findall(record['data'])
- #print(EventID[0])
- #print(f'Event Record ID: {record["event_record_id"]}')
- #print(f'Event Timestamp: {record["timestamp"]}')
+ if timestart is not None and timeend is not None: # 检查开始和结束时间是否已设置
+ timestamp = datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())) # 转换时间戳
+ if not (timestamp > timestart and timestamp < timeend): # 检查时间戳是否在范围内
+ continue # 如果不在范围内,跳过该记录
- if timestart is not None and timeend is not None :
- timestamp=datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))
- if not (timestamp>timestart and timestamp 0:
+ if len(EventID) > 0: # 如果找到事件 ID
- # if frequencyanalysis==True and EventID[0] in Frequency_Analysis_Security:
- # Frequency_Analysis_Security[EventID[0]]=Frequency_Analysis_Security[EventID[0]]+1
+ # if frequencyanalysis == True and EventID[0] in Frequency_Analysis_Security:
+ # Frequency_Analysis_Security[EventID[0]] = Frequency_Analysis_Security[EventID[0]] + 1
 # else:
- # Frequency_Analysis_Security[EventID[0]]=1
- Logon_Type = Logon_Type_rex.findall(record['data'])
+ # Frequency_Analysis_Security[EventID[0]] = 1
- Account_Name = Account_Name_rex.findall(record['data'])
- Target_Account_Name = Account_Name_Target_rex.findall(record['data'])
+ Logon_Type = Logon_Type_rex.findall(record['data']) # 查找登录类型
+ Account_Name = Account_Name_rex.findall(record['data']) # 查找账户名称
+ Target_Account_Name = Account_Name_Target_rex.findall(record['data']) # 查找目标账户名称
- Account_Domain = Account_Domain_rex.findall(record['data'])
- Target_Account_Domain=Account_Domain_Target_rex.findall(record['data'])
+ Account_Domain = Account_Domain_rex.findall(record['data']) # 查找账户域
+ Target_Account_Domain = Account_Domain_Target_rex.findall(record['data']) # 查找目标账户域
- Workstation_Name = Workstation_Name_rex.findall(record['data'])
+ Workstation_Name = Workstation_Name_rex.findall(record['data']) # 查找工作站名称
- Source_IP = Source_Network_Address_rex.findall(record['data'])
+ Source_IP = Source_Network_Address_rex.findall(record['data']) # 查找源 IP 地址
- Logon_Process = Logon_Process_rex.findall(record['data'])
+ Logon_Process = Logon_Process_rex.findall(record['data']) # 查找登录进程
- Key_Length = Key_Length_rex.findall(record['data'])
+ Key_Length = Key_Length_rex.findall(record['data']) # 查找密钥长度
- Security_ID = Security_ID_rex.findall(record['data'])
+ Security_ID = Security_ID_rex.findall(record['data']) # 查找安全 ID
- Security_ID_Target=Security_ID_Target_rex.findall(record['data'])
+ Security_ID_Target = Security_ID_Target_rex.findall(record['data']) # 查找目标安全 ID
- Group_Name = Group_Name_rex.findall(record['data'])
- Member_Name = Member_Name_rex.findall(record['data'])
- Member_Sid =Member_Sid_rex.findall(record['data'])
+ Group_Name = Group_Name_rex.findall(record['data']) # 查找组名称
+ Member_Name = Member_Name_rex.findall(record['data']) # 查找成员名称
+ Member_Sid = Member_Sid_rex.findall(record['data']) # 查找成员 SID
- Task_Name=Task_Name_rex.findall(record['data'])
+ Task_Name = Task_Name_rex.findall(record['data']) # 查找任务名称
- Task_Command = Task_Command_rex.findall(record['data'])
+ Task_Command = Task_Command_rex.findall(record['data']) # 查找任务命令
- Task_args= Task_args_rex.findall(record['data'])
+ Task_args = Task_args_rex.findall(record['data']) # 查找任务参数
- New_Process_Name=New_Process_Name_rex.findall(record['data'])
- Process_Name=Process_Name_sec_rex.findall(record['data'])
- Parent_Process_Name = Parent_Process_Name_sec_rex.findall(record['data'])
+ New_Process_Name = New_Process_Name_rex.findall(record['data']) # 查找新进程名称
+ Process_Name = Process_Name_sec_rex.findall(record['data']) # 查找进程名称
+ Parent_Process_Name = Parent_Process_Name_sec_rex.findall(record['data']) # 查找父进程名称
- Category=Category_sec_rex.findall(record['data'])
+ Category = Category_sec_rex.findall(record['data']) # 查找类别
- Subcategory=Subcategory_rex.findall(record['data'])
+ Subcategory = Subcategory_rex.findall(record['data']) # 查找子类别
- Changes=Changes_rex.findall(record['data'])
+ Changes = Changes_rex.findall(record['data']) # 查找更改信息
- Process_Command_Line = Process_Command_Line_rex.findall(record['data'])
+ Process_Command_Line = Process_Command_Line_rex.findall(record['data']) # 查找进程命令行
- ShareName = ShareName_rex.findall(record['data'])
+ ShareName = ShareName_rex.findall(record['data']) # 查找共享名称
- ShareLocalPath = ShareLocalPath_rex.findall(record['data'])
+ ShareLocalPath = ShareLocalPath_rex.findall(record['data']) # 查找共享本地路径
- Object_Name = Object_Name_rex.findall(record['data'])
+ Object_Name = Object_Name_rex.findall(record['data']) # 查找对象名称
- Object_Type = ObjectType_rex.findall(record['data'])
- ObjectServer = ObjectServer_rex.findall(record['data'])
- AccessMask = AccessMask_rex.findall(record['data'])
- ObjectProcessName=ObjectProcessName_rex.findall(record['data'])
+ Object_Type = ObjectType_rex.findall(record['data']) # 查找对象类型
+ ObjectServer = ObjectServer_rex.findall(record['data']) # 查找对象服务器
+ AccessMask = AccessMask_rex.findall(record['data']) # 查找访问掩码
+ ObjectProcessName = ObjectProcessName_rex.findall(record['data']) # 查找对象进程名称
 #Detect any log that contain suspicious process name or argument # 检测任何包含可疑进程名称或参数的日志
@@ -1039,1071 +1041,1087 @@ def detect_events_security_log(file_name, shared_data):
 except:
 pass
- # User Created through management interface
- if EventID[0]=="4720":
+ # User Created through management interface # 通过管理界面创建用户
+ if EventID[0] == "4720": # 检查事件 ID 是否为 4720
 try:
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
- target_account_name=Target_Account_Name[0][0].strip()
- if len(Account_Name[0][1])>0:
- user=Account_Name[0][1].strip()
- target_account_name=Target_Account_Name[0][1].strip()
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
- #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
-
- Event_desc="User Name ( " + user + " )" + " Created User Name ( " + target_account_name+ " )"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("User Created through management interface")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("Medium")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
+ target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格
+ if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在
+ user = Account_Name[0][1].strip() # 获取用户名称并去除空格
+ target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
+ # print(" Created User Name ( " + Account_Name[1].strip() + " )")
+
+ Event_desc = "User Name ( " + user + " )" + " Created User Name ( " + target_account_name + " )" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("User Created through management interface") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("Medium") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- Event_desc="User Created through management interface"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("User Created through management interface")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("Medium")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
-
- # Detect Dcsync attack
- if EventID[0]=="5136" or EventID[0]=="4662":
+ Event_desc = "User Created through management interface" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("User Created through management interface") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("Medium") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
+
+ # Detect Dcsync attack # 检测 Dcsync 攻击
+ if EventID[0] == "5136" or EventID[0] == "4662": # 检查事件 ID 是否为 5136 或 4662
 try:
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
 else:
- user=""
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
- #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
- if user.find("$")<0 and ( str(record['data']).find("Replicating Directory Changes all")>0 or str(record['data']).find("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")>0 or str(record['data']).find("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")>0 or str(record['data']).find("9923a32a-3607-11d2-b9be-0000f87a36b2")>0):
- Event_desc="User Name ( " + user + " ) is suspected doing dcsync attack "
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("Dcsync Attack detected")
- Security_events[0]['Detection Domain'].append("Threat")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ user = "" # 如果不存在,设置用户为空字符串
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
+ # print(" Created User Name ( " + Account_Name[1].strip() + " )")
+ if user.find("$") < 0 and (str(record['data']).find("Replicating Directory Changes all") > 0 or str(record['data']).find("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") > 0 or str(record['data']).find("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") > 0 or str(record['data']).find("9923a32a-3607-11d2-b9be-0000f87a36b2") > 0): # 检查是否为 Dcsync 攻击
+ Event_desc = "User Name ( " + user + " ) is suspected doing dcsync attack " # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("Dcsync Attack detected") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Threat") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- print("issue parsing log : "+str(record['data']))
-
+ print("issue parsing log : " + str(record['data'])) # 打印解析日志时出现的问题
- # Detect Dcshadow attack
- if EventID[0]=="4742":
+ # Detect Dcshadow attack # 检测 Dcshadow 攻击
+ if EventID[0] == "4742": # 检查事件 ID 是否为 4742
 try:
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
 else:
- user=""
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
- #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
- if user.find("$")<0 and str(record['data']).find("E3514235-4B06-11D1-AB04-00C04FC2DCD2")>0 and str(record['data']).find(r"GC/.*/.*")>0:
- Event_desc="User Name ( " + user + " ) is suspected doing dcshadow attack "
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("dcshadow Attack detected")
- Security_events[0]['Detection Domain'].append("Threat")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ user = "" # 如果不存在,设置用户为空字符串
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
+ # print(" Created User Name ( " + Account_Name[1].strip() + " )")
+ if user.find("$") < 0 and str(record['data']).find("E3514235-4B06-11D1-AB04-00C04FC2DCD2") > 0 and str(record['data']).find(r"GC/.*/.*") > 0: # 检查是否为 Dcshadow 攻击
+ Event_desc = "User Name ( " + user + " ) is suspected doing dcshadow attack " # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("dcshadow Attack detected") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Threat") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- print("issue parsing log : "+str(record['data']))
+ print("issue parsing log : " + str(record['data'])) # 打印解析日志时出现的问题
+
- # Detect A network share object was added.
- if EventID[0]=="5142":
+ # Detect A network share object was added. # 检测网络共享对象被添加
+ if EventID[0] == "5142": # 检查事件 ID 是否为 5142
 try:
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
 else:
- user=""
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
- #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
- Event_desc="User Name ( " + user + " ) add new share ( "+ShareName[0][0].strip()+" ) with path ( "+ShareLocalPath+" )"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("network share object was added")
- Security_events[0]['Detection Domain'].append("Threat")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ user = "" # 如果不存在,设置用户为空字符串
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
+ # print(" Created User Name ( " + Account_Name[1].strip() + " )")
+ Event_desc = "User Name ( " + user + " ) add new share ( " + ShareName[0][0].strip() + " ) with path ( " + ShareLocalPath + " )" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("network share object was added") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Threat") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- Event_desc="network share object was added"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("network share object was added")
- Security_events[0]['Detection Domain'].append("Threat")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
-
-
- # Windows is shutting down
- if EventID[0]=="4609" or EventID[0]=="1100":
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
- #print(" Created User Name ( " + Account_Name[1].strip()+ " )")
-
- Event_desc="Windows is shutting down )"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("Windows is shutting down")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("Medium")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
-
-
-
-
- # User added to local group
- if EventID[0]=="4732":
+ Event_desc = "network share object was added" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("network share object was added") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Threat") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
+
+
+ # Windows is shutting down # Windows 正在关机
+ if EventID[0] == "4609" or EventID[0] == "1100": # 检查事件 ID 是否为 4609 或 1100
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User Name ( " + Account_Name[0][0].strip() + " )", end='')
+ # print(" Created User Name ( " + Account_Name[1].strip() + " )")
+
+ Event_desc = "Windows is shutting down" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("Windows is shutting down") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("Medium") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
+
+
+ # User added to local group # 用户被添加到本地组
+ if EventID[0] == "4732": # 检查事件 ID 是否为 4732
 try:
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User ( " + Account_Name[0][0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
- #print(" to local group ( " + Group_Name[0][0].strip() + " )")
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
- member_name=Member_Name[0][0].strip()
- group_name=Group_Name[0][0].strip()
- member_sid=Member_Sid[0][0].strip()
- if len(Account_Name[0][1])>0:
- user=Account_Name[0][1].strip()
- member_name=Member_Name[0][1].strip()
- group_name=Group_Name[0][1].strip()
- member_sid=Member_Sid[0][1].strip()
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User ( " + Account_Name[0][0].strip() + " ) added User ( " + Security_ID[1].strip(), end='')
+ # print(" to local group ( " + Group_Name[0][0].strip() + " )")
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
+ member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格
+ group_name = Group_Name[0][0].strip() # 获取组名称并去除空格
+ member_sid = Member_Sid[0][0].strip() # 获取成员 SID 并去除空格
+ if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在
+ user = Account_Name[0][1].strip() # 获取用户名称并去除空格
+ member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格
+ group_name = Group_Name[0][1].strip() # 获取组名称并去除空格
+ member_sid = Member_Sid[0][1].strip() # 获取成员 SID 并去除空格
- try :
- if member_name!="-":
- Event_desc="User ( " + user + " ) added User ( "+member_name+" ) to local group ( " + group_name + " )"
+ try:
+ if member_name != "-": # 检查成员名称是否有效
+ Event_desc = "User ( " + user + " ) added User ( " + member_name + " ) to local group ( " + group_name + " )" # 事件描述
 else:
- Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to local group ( " + group_name + " )"
+ Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to local group ( " + group_name + " )" # 事件描述
 except:
- Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to local group ( " + group_name + " )"
-
-
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("User added to local group")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to local group ( " + group_name + " )" # 事件描述
+
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("User added to local group") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- Event_desc="User added to local group"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("User added to local group")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
-
- #add user to global group
- if EventID[0] == "4728":
+ Event_desc = "User added to local group" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("User added to local group") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
+
+ # add user to global group # 将用户添加到全局组
+ if EventID[0] == "4728": # 检查事件 ID 是否为 4728
 try:
- if len(Account_Name[0][0])>0:
- user=Account_Name[0][0].strip()
- member_name=Member_Name[0][0].strip()
- group_name=Group_Name[0][0].strip()
- if len(Account_Name[0][1])>0:
- user=Account_Name[0][1].strip()
- member_name=Member_Name[0][1].strip()
- group_name=Group_Name[0][1].strip()
- #print("##### " + record["timestamp"] + " #### ", end='')
- #print("User ( " + Account_Name[0][0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
- #print(" to Global group ( " + Group_Name[0][0].strip() + " )")
- try :
- if member_name!="-":
- Event_desc="User ( " + user + " ) added User ( "+member_name+" ) to Global group ( " + group_name + " )"
+ if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在
+ user = Account_Name[0][0].strip() # 获取用户名称并去除空格
+ member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格
+ group_name = Group_Name[0][0].strip() # 获取组名称并去除空格
+ if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在
+ user = Account_Name[0][1].strip() # 获取用户名称并去除空格
+ member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格
+ group_name = Group_Name[0][1].strip() # 获取组名称并去除空格
+ # print("##### " + record["timestamp"] + " #### ", end='')
+ # print("User ( " + Account_Name[0][0].strip() + " ) added User ( " + Security_ID[1].strip(), end='')
+ # print(" to Global group ( " + Group_Name[0][0].strip() + " )")
+ try:
+ if member_name != "-": # 检查成员名称是否有效
+ Event_desc = "User ( " + user + " ) added User ( " + member_name + " ) to Global group ( " + group_name + " )" # 事件描述
 else:
- Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to Global group ( " + group_name + " )"
+ Event_desc = "User ( " + user + " ) added User ( " + member_sid + " ) to Global group ( " + group_name + " )" # 事件描述
 except:
- Event_desc = "User ( " + user + " ) added User ( " + member_name + " ) to Global group ( " + group_name + " )"
- Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
- Security_events[0]['Computer Name'].append(Computer[0])
- Security_events[0]['Channel'].append(Channel[0])
- Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
- Security_events[0]['Detection Rule'].append("User added to global group")
- Security_events[0]['Detection Domain'].append("Audit")
- Security_events[0]['Severity'].append("High")
- Security_events[0]['Event Description'].append(Event_desc)
- Security_events[0]['Event ID'].append(EventID[0])
- Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," "))
+ Event_desc = "User ( " + user + " ) added User ( " + member_name + " ) to Global group ( " + group_name + " )" # 事件描述
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳
+ Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称
+ Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息
+ Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间
+ Security_events[0]['Detection Rule'].append("User added to global group") # 添加检测规则
+ Security_events[0]['Detection Domain'].append("Audit") # 添加检测域
+ Security_events[0]['Severity'].append("High") # 添加严重性
+ Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述
+ Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID
+ Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志
 except:
- Event_desc="User added to global group"
- 
Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User added to global group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - - #add user to universal group - if EventID[0] == "4756": + Event_desc = "User added to global group" # 事件描述 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User added to global group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + + # add user to universal group # 将用户添加到通用组 + if EventID[0] == "4756": # 检查事件 ID 是否为 4756 try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - member_name=Member_Name[0][0].strip() - group_name=Group_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if 
len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - member_name=Member_Name[0][1].strip() - group_name=Group_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) added User ( "+Security_ID[1].strip(), end='') - Event_desc ="User ( " + user + " ) added User ( "+member_name - if len(group_name)>0: - #print(" to Universal group ( " + Group_Name[0][0].strip() + " )") - Event_desc=Event_desc+" to Universal group ( " + group_name + " )" + if len(Account_Name[0][0]) > 0: # 检查账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][0].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][1].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + # print("##### " + record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) added User ( " + Security_ID[1].strip(), end='') + Event_desc = "User ( " + user + " ) added User ( " + member_name # 事件描述 + if len(group_name) > 0: # 检查组名称是否存在 + # print(" to Universal group ( " + Group_Name[0][0].strip() + " )") + Event_desc = Event_desc + " to Universal group ( " + group_name + " )" # 添加组名称到事件描述 else: - Event_desc = Event_desc +" to Universal group ( " + target_account_name + " )" - #print(" to Universal group ( " + Account_Name[1].strip() + " )") - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - 
Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User added to Universal group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + Event_desc = Event_desc + " to Universal group ( " + target_account_name + " )" # 添加目标账户名称到事件描述 + # print(" to Universal group ( " + Account_Name[1].strip() + " )") + + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User added to Universal group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User added to Universal group" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User added to Universal group") - 
Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #remove user from global group + Event_desc = "User added to Universal group" # 事件描述 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User added to Universal group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # remove user from global group # 从全局组中移除用户 if EventID[0] == "4729": try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - member_name=Member_Name[0][0].strip() - group_name=Group_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - member_name=Member_Name[0][1].strip() - group_name=Group_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') - Event_desc ="User ( " +user + " ) removed User ( "+member_name - if len(group_name)>0: - #print(") from Global group ( " + 
Group_Name[0][0].strip() + " )") - Event_desc = Event_desc +") from Global group ( " + group_name + " )" + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][0].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][1].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + # print("##### " + record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') + Event_desc = "User ( " + user + " ) removed User ( " + member_name # 事件描述 + if len(group_name) > 0: # 检查组名称是否存在 + # print(") from Global group ( " + Group_Name[0][0].strip() + " )") + Event_desc = Event_desc + ") from Global group ( " + group_name + " )" # 更新事件描述 else: - Event_desc = Event_desc +") from Global group ( " + target_account_name + " )" - #print(") from Global group ( " + Account_Name[1].strip() + " )") - - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Global Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event 
Log'].append(str(record['data']).replace("\r"," ")) + Event_desc = Event_desc + ") from Global group ( " + target_account_name + " )" # 更新事件描述 + # print(") from Global group ( " + Account_Name[1].strip() + " )") + + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Global Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User Removed from Global Group" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Global Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #remove user from universal group + Event_desc = "User Removed from Global Group" # 事件描述 + # 添加事件信息到 Security_events 
+ Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Global Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # remove user from universal group # 从通用组中移除用户 if EventID[0] == "4757": try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - member_name=Member_Name[0][0].strip() - group_name=Group_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - member_name=Member_Name[0][1].strip() - group_name=Group_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') - Event_desc ="User ( " + user + " ) removed User ( "+member_name - if len(group_name)>0: - #print(") from Universal group ( " + Group_Name[0][0].strip() + " )") - Event_desc = Event_desc+") from Universal group ( " + group_name + " )" + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][0].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 
+ if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][1].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + # print("##### " + record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') + Event_desc = "User ( " + user + " ) removed User ( " + member_name # 事件描述 + if len(group_name) > 0: # 检查组名称是否存在 + # print(") from Universal group ( " + Group_Name[0][0].strip() + " )") + Event_desc = Event_desc + ") from Universal group ( " + group_name + " )" # 更新事件描述 else: - #print(") from Universal group ( " + Account_Name[1].strip() + " )") - Event_desc = Event_desc +") from Universal group ( " + target_account_name + " )" - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Universal Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + # print(") from Universal group ( " + Account_Name[1].strip() + " )") + Event_desc = Event_desc + ") from Universal group ( " + target_account_name + " )" # 更新事件描述 + + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + 
Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Universal Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User Removed from Universal Group" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Universal Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #remove user from local group + Event_desc = "User Removed from Universal Group" # 事件描述 + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and 
Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Universal Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # remove user from local group # 从本地组中移除用户 if EventID[0] == "4733": - try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - member_name=Member_Name[0][0].strip() - group_name=Group_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - member_name=Member_Name[0][1].strip() - group_name=Group_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') - Event_desc ="User ( " + user + " ) removed User ( "+member_name - if len(group_name)>0: - #print(") from Local group ( " + Group_Name[0][0].strip() + " )") - Event_desc = Event_desc +") from Local group ( " + group_name + " )" + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][0].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][1].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + # print("##### " + 
record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') + Event_desc = "User ( " + user + " ) removed User ( " + member_name # 事件描述 + if len(group_name) > 0: # 检查组名称是否存在 + # print(") from Local group ( " + Group_Name[0][0].strip() + " )") + Event_desc = Event_desc + ") from Local group ( " + group_name + " )" # 更新事件描述 else: - #print(") from Local group ( " + Account_Name[1].strip() + " )") - Event_desc = Event_desc +") from Local group ( " + target_account_name + " )" - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Local Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + # print(") from Local group ( " + Account_Name[1].strip() + " )") + Event_desc = Event_desc + ") from Local group ( " + target_account_name + " )" # 更新事件描述 + + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Local Group") # 添加检测规则 + 
Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User Removed from Local Group" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed from Local Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - - #user removed group from global + Event_desc = "User Removed from Local Group" # 事件描述 + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed from Local Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 
添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # user removed group from global # 用户从全局中移除组 if EventID[0] == "4730": try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - member_name=Member_Name[0][0].strip() - group_name=Group_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - member_name=Member_Name[0][1].strip() - group_name=Group_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) removed Group ( ", end='') - - Event_desc ="User ( " + user + " ) removed Group ( "+target_account_name+ " )" - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][0].strip() # 获取成员名称并去除空格 + group_name = Group_Name[0][0].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + member_name = Member_Name[0][1].strip() # 获取成员名称并去除空格 + group_name 
= Group_Name[0][1].strip() # 获取组名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + + # print("##### " + record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) removed Group ( ", end='') + + Event_desc = "User ( " + user + " ) removed Group ( " + target_account_name + " )" # 事件描述 + + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User Removed Group" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Removed Group") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - - #user 
account removed + Event_desc = "User Removed Group" # 事件描述 + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Removed Group") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + + # user account removed # 用户账户被移除 if EventID[0] == "4726": - #print("##### " + record["timestamp"] + " #### ", end='') - #print("User ( " + Account_Name[0][0].strip() + " ) removed user ", end='') - #print("( " + Account_Name[1].strip() + " )") + # print("##### " + record["timestamp"] + " #### ", end='') + # print("User ( " + Account_Name[0][0].strip() + " ) removed user ", end='') + # print("( " + Account_Name[1].strip() + " )") try: - if len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - - Event_desc ="User ( " + user + " ) removed user "+"( " + target_account_name + " )" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and 
Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Account Removed") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + + Event_desc = "User ( " + user + " ) removed user " + "( " + target_account_name + " )" # 事件描述 + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Account Removed") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="User Account Removed" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - 
Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("User Account Removed") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - if EventID[0] == "4625" : + Event_desc = "User Account Removed" # 事件描述 + # 添加事件信息到 Security_events + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("User Account Removed") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 添加严重性 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + if EventID[0] == "4625": # 登录失败事件 try: - if len(Target_Account_Name[0][0])>0: - target_user=Target_Account_Name[0][0].strip() - if len(Target_Account_Name[0][1])>0: - target_user=Target_Account_Name[0][1].strip() - - if target_user not in Security_Authentication_Summary[0]['User']: - Security_Authentication_Summary[0]['User'].append(target_user) - Security_Authentication_Summary[0]['Number of Failed Logins'].append(1) - Security_Authentication_Summary[0]['Number of Successful Logins'].append(0) - else : + if 
len(Target_Account_Name[0][0]) > 0: # 检查第一个目标账户名称是否存在 + target_user = Target_Account_Name[0][0].strip() # 获取目标用户名称并去除空格 + if len(Target_Account_Name[0][1]) > 0: # 检查第二个目标账户名称是否存在 + target_user = Target_Account_Name[0][1].strip() # 获取目标用户名称并去除空格 + + if target_user not in Security_Authentication_Summary[0]['User']: # 如果目标用户不在认证摘要中 + Security_Authentication_Summary[0]['User'].append(target_user) # 添加目标用户 + Security_Authentication_Summary[0]['Number of Failed Logins'].append(1) # 失败登录次数加1 + Security_Authentication_Summary[0]['Number of Successful Logins'].append(0) # 成功登录次数为0 + else: try: Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['User'].index(target_user)] = \ Security_Authentication_Summary[0]['Number of Failed Logins'][ - Security_Authentication_Summary[0]['User'].index(target_user)] + 1 + Security_Authentication_Summary[0]['User'].index(target_user)] + 1 # 失败登录次数加1 except: - print("User : "+target_user + " array : ") - print(Security_Authentication_Summary[0]) + print("User : " + target_user + " array : ") # 打印用户和数组信息 + print(Security_Authentication_Summary[0]) # 打印认证摘要 except: - print("error in analyzing event 4625 summary loging") + print("error in analyzing event 4625 summary loging") # 打印错误信息 - if EventID[0] == "4624" : - #print(EventID[0]) + if EventID[0] == "4624": # 登录成功事件 + # print(EventID[0]) try: - if len(Target_Account_Name[0][0])>0: - target_user=Target_Account_Name[0][0].strip() - if not Security_ID_Target[0][0].strip() in User_SIDs[0]['SID']: - User_SIDs[0]['User'].append(Target_Account_Name[0][0].strip()) - User_SIDs[0]['SID'].append(Security_ID_Target[0][0].strip()) - if len(Target_Account_Name[0][1])>0: - target_user=Target_Account_Name[0][1].strip() - if not Security_ID_Target[0][1].strip() in User_SIDs[0]['SID']: - User_SIDs[0]['User'].append(Target_Account_Name[0][1].strip()) - User_SIDs[0]['SID'].append(Security_ID_Target[0][1].strip()) - - if target_user.strip() not in 
Security_Authentication_Summary[0]['User']: - Security_Authentication_Summary[0]['User'].append(target_user) - Security_Authentication_Summary[0]['Number of Successful Logins'].append(1) - Security_Authentication_Summary[0]['Number of Failed Logins'].append(0) - else : + if len(Target_Account_Name[0][0]) > 0: # 检查第一个目标账户名称是否存在 + target_user = Target_Account_Name[0][0].strip() # 获取目标用户名称并去除空格 + if not Security_ID_Target[0][0].strip() in User_SIDs[0]['SID']: # 检查安全 ID 是否已存在 + User_SIDs[0]['User'].append(Target_Account_Name[0][0].strip()) # 添加用户到 SID 列表 + User_SIDs[0]['SID'].append(Security_ID_Target[0][0].strip()) # 添加安全 ID 到列表 + if len(Target_Account_Name[0][1]) > 0: # 检查第二个目标账户名称是否存在 + target_user = Target_Account_Name[0][1].strip() # 获取目标用户名称并去除空格 + if not Security_ID_Target[0][1].strip() in User_SIDs[0]['SID']: # 检查安全 ID 是否已存在 + User_SIDs[0]['User'].append(Target_Account_Name[0][1].strip()) # 添加用户到 SID 列表 + User_SIDs[0]['SID'].append(Security_ID_Target[0][1].strip()) # 添加安全 ID 到列表 + + if target_user.strip() not in Security_Authentication_Summary[0]['User']: # 如果目标用户不在认证摘要中 + Security_Authentication_Summary[0]['User'].append(target_user) # 添加目标用户 + Security_Authentication_Summary[0]['Number of Successful Logins'].append(1) # 成功登录次数加1 + Security_Authentication_Summary[0]['Number of Failed Logins'].append(0) # 失败登录次数为0 + else: Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['User'].index(target_user)] = \ Security_Authentication_Summary[0]['Number of Successful Logins'][ - Security_Authentication_Summary[0]['User'].index(target_user)] + 1 + Security_Authentication_Summary[0]['User'].index(target_user)] + 1 # 成功登录次数加1 except: - print("error in analyzing event 4624 summary loging") + print("error in analyzing event 4624 summary loging") # 打印错误信息 - #password spray detection - if EventID[0] == "4648" : + # password spray detection # 密码喷洒检测 + if EventID[0] == "4648": # 检查事件 ID try: - user='' - target_user='' - if 
len(Account_Name[0][0])>0: - user=Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - user=Account_Name[0][1].strip() - if len(Target_Account_Name[0][0])>0: - target_user=Target_Account_Name[0][0].strip() - if len(Target_Account_Name[0][1])>0: - target_user=Target_Account_Name[0][1].strip() - - - if user not in PasswordSpray: - PasswordSpray[user]=[] - PasswordSpray[user].append(target_user) - if target_user not in PasswordSpray[user] : - PasswordSpray[user].append(target_user) + user = '' # 初始化用户变量 + target_user = '' # 初始化目标用户变量 + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + if len(Target_Account_Name[0][0]) > 0: # 检查第一个目标账户名称是否存在 + target_user = Target_Account_Name[0][0].strip() # 获取目标用户名称并去除空格 + if len(Target_Account_Name[0][1]) > 0: # 检查第二个目标账户名称是否存在 + target_user = Target_Account_Name[0][1].strip() # 获取目标用户名称并去除空格 + + if user not in PasswordSpray: # 如果用户不在密码喷洒字典中 + PasswordSpray[user] = [] # 初始化用户的密码喷洒列表 + PasswordSpray[user].append(target_user) # 添加目标用户到列表 + if target_user not in PasswordSpray[user]: # 如果目标用户不在用户的密码喷洒列表中 + PasswordSpray[user].append(target_user) # 添加目标用户到列表 except: - continue - - + continue # 继续下一个循环 - #detect pass the hash - if (logons==True or allreport==True) and EventID[0] == "4625" or EventID[0] == "4624": - #print(Logon_Events,str(record['data'])) + # detect pass the hash # 检测哈希传递攻击 + if (logons == True or allreport == True) and EventID[0] == "4625" or EventID[0] == "4624": # 检查是否为登录失败或成功事件 + # print(Logon_Events) try: - #print(Logon_Events) - if len(Account_Name[0][0])>0: - logon_type=Logon_Type[0][0].strip() - user=Account_Name[0][0].strip() - target_account_name=Target_Account_Name[0][0].strip() - logon_process=Logon_Process[0][0].strip() - key_length=Key_Length[0][0].strip() - target_account_domain=Target_Account_Domain[0][0].strip() - source_ip=Source_IP[0][0].strip() - 
workstation_name=Workstation_Name[0][0].strip() - if len(Account_Name[0][1])>0: - logon_type=Logon_Type[0][1].strip() - target_account_name=Target_Account_Name[0][1].strip() - logon_process=Logon_Process[0][1].strip() - key_length=Key_Length[0][1].strip() - target_account_domain=Target_Account_Domain[0][1].strip() - source_ip=Source_IP[0][1].strip() - workstation_name=Workstation_Name[0][1].strip() - - #print(Logon_Events) - #record every authentication - Logon_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Logon_Events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Logon_Events[0]['Event ID'].append(EventID[0]) - Logon_Events[0]['Computer Name'].append(Computer[0]) - Logon_Events[0]['Channel'].append(Channel[0]) - Logon_Events[0]['Account Name'].append(target_account_name) - Logon_Events[0]['Account Domain'].append(target_account_domain) - Logon_Events[0]['Logon Type'].append(logon_type) - Logon_Events[0]['Logon Process'].append(logon_process) - Logon_Events[0]['Source IP'].append(source_ip) - Logon_Events[0]['Workstation Name'].append(workstation_name) - Logon_Events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - if logon_type == "3" and target_account_name != "ANONYMOUS LOGON" and target_account_name.find("$")==-1 and logon_process == "NtLmSsp" and key_length == "0": - #print("##### " + record["timestamp"] + " #### ", end='') - #print( + # print(Logon_Events) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + logon_type = Logon_Type[0][0].strip() # 获取登录类型并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + target_account_name = Target_Account_Name[0][0].strip() # 获取目标账户名称并去除空格 + logon_process = Logon_Process[0][0].strip() # 获取登录进程并去除空格 + key_length = Key_Length[0][0].strip() # 获取密钥长度并去除空格 + target_account_domain = Target_Account_Domain[0][0].strip() # 获取目标账户域并去除空格 + source_ip = Source_IP[0][0].strip() 
# 获取源 IP 地址并去除空格 + workstation_name = Workstation_Name[0][0].strip() # 获取工作站名称并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + logon_type = Logon_Type[0][1].strip() # 获取登录类型并去除空格 + target_account_name = Target_Account_Name[0][1].strip() # 获取目标账户名称并去除空格 + logon_process = Logon_Process[0][1].strip() # 获取登录进程并去除空格 + key_length = Key_Length[0][1].strip() # 获取密钥长度并去除空格 + target_account_domain = Target_Account_Domain[0][1].strip() # 获取目标账户域并去除空格 + source_ip = Source_IP[0][1].strip() # 获取源 IP 地址并去除空格 + workstation_name = Workstation_Name[0][1].strip() # 获取工作站名称并去除空格 + + # print(Logon_Events) + # record every authentication # 记录每次认证 + Logon_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Logon_Events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Logon_Events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Logon_Events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Logon_Events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Logon_Events[0]['Account Name'].append(target_account_name) # 添加目标账户名称 + Logon_Events[0]['Account Domain'].append(target_account_domain) # 添加目标账户域 + Logon_Events[0]['Logon Type'].append(logon_type) # 添加登录类型 + Logon_Events[0]['Logon Process'].append(logon_process) # 添加登录进程 + Logon_Events[0]['Source IP'].append(source_ip) # 添加源 IP 地址 + Logon_Events[0]['Workstation Name'].append(workstation_name) # 添加工作站名称 + Logon_Events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + if logon_type == "3" and target_account_name != "ANONYMOUS LOGON" and target_account_name.find("$") == -1 and logon_process == "NtLmSsp" and key_length == "0": # 检查是否为可疑的登录类型 + # print("##### " + record["timestamp"] + " #### ", end='') + # print( # "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( # Account_Name[1].strip(), 
Account_Domain[1].strip(), Source_IP[0][0].strip(), Workstation_Name[0][0].strip())) try: - #print(Pass_the_hash_users) + # print(Pass_the_hash_users) # - #print(target_account_name) - if target_account_name.strip() not in Pass_the_hash_users[0]['User']: - #print("user not in pass the hash observed") - Pass_the_hash_users[0]['User'].append(target_account_name) - Pass_the_hash_users[0]['Number of Logins'].append(1) - Pass_the_hash_users[0]['Reached'].append(0) - elif Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)]<1 : + # print(target_account_name) + if target_account_name.strip() not in Pass_the_hash_users[0]['User']: # 如果目标账户不在哈希传递用户列表中 + # print("user not in pass the hash observed") + Pass_the_hash_users[0]['User'].append(target_account_name) # 添加用户到哈希传递用户列表 + Pass_the_hash_users[0]['Number of Logins'].append(1) # 登录次数加1 + Pass_the_hash_users[0]['Reached'].append(0) # 初始化达到标志 + elif Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)] < 1: # 如果用户达到标志小于1 Pass_the_hash_users[0]['Number of Logins'][ Pass_the_hash_users[0]['User'].index(target_account_name)] = \ Pass_the_hash_users[0]['Number of Logins'][ - Pass_the_hash_users[0]['User'].index(target_account_name)] + 1 - #print(Pass_the_hash_users[0]['Number of Logins'][Pass_the_hash_users[0]['User'].index(target_account_name)]) - if Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)]>0: - #print("True observed") - continue - if Pass_the_hash_users[0]['Number of Logins'][Pass_the_hash_users[0]['User'].index(target_account_name)]>200: - Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)]=1 - Event_desc ="High number of Pass the hash attempt Detected from user name ( %s ) domain name ( %s ) . 
detection will be paused for this user to not flood the detection list" % ( - target_account_name, target_account_domain) - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("High number of Pass the hash attempt Detected . detection will be paused for this user to not flood the detection list") - Security_events[0]['Detection Domain'].append("Threat") - if EventID[0].find("4624") > -1: - Security_events[0]['Severity'].append("Critical") + Pass_the_hash_users[0]['User'].index(target_account_name)] + 1 # 登录次数加1 + # print(Pass_the_hash_users[0]['Number of Logins'][Pass_the_hash_users[0]['User'].index(target_account_name)]) + if Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)] > 0: # 如果达到标志大于0 + # print("True observed") + continue # 继续下一个循环 + if Pass_the_hash_users[0]['Number of Logins'][Pass_the_hash_users[0]['User'].index(target_account_name)] > 200: # 如果登录次数超过200 + Pass_the_hash_users[0]['Reached'][Pass_the_hash_users[0]['User'].index(target_account_name)] = 1 # 设置达到标志为1 + Event_desc = "High number of Pass the hash attempt Detected from user name ( %s ) domain name ( %s ) . 
detection will be paused for this user to not flood the detection list" % ( + target_account_name, target_account_domain) # 事件描述 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("High number of Pass the hash attempt Detected . detection will be paused for this user to not flood the detection list") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Threat") # 添加检测域 + if EventID[0].find("4624") > -1: # 如果事件 ID 包含4624 + Security_events[0]['Severity'].append("Critical") # 设置严重性为关键 else: - Security_events[0]['Severity'].append("Medium") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - continue - - Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( - target_account_name, target_account_domain, source_ip, workstation_name) - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") - Security_events[0]['Detection Domain'].append("Threat") - if EventID[0].find("4624") > -1: - Security_events[0]['Severity'].append("Critical") + Security_events[0]['Severity'].append("Medium") # 设置严重性为中等 + 
Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + continue # 继续下一个循环 + + Event_desc = "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( + target_account_name, target_account_domain, source_ip, workstation_name) # 事件描述 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Threat") # 添加检测域 + if EventID[0].find("4624") > -1: # 如果事件 ID 包含4624 + Security_events[0]['Severity'].append("Critical") # 设置严重性为关键 else: - Security_events[0]['Severity'].append("Medium") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - #print(Event_desc) + Security_events[0]['Severity'].append("Medium") # 设置严重性为中等 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + # print(Event_desc) except: - Event_desc ="Pass the hash attempt Detected " - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - 
Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") - Security_events[0]['Detection Domain'].append("Threat") - if EventID[0].find("4624") > -1: - Security_events[0]['Severity'].append("Critical") + Event_desc = "Pass the hash attempt Detected " # 事件描述 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Threat") # 添加检测域 + if EventID[0].find("4624") > -1: # 如果事件 ID 包含4624 + Security_events[0]['Severity'].append("Critical") # 设置严重性为关键 else: - Security_events[0]['Severity'].append("Medium") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + Security_events[0]['Severity'].append("Medium") # 设置严重性为中等 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - print("Error parsing Event") + print("Error parsing Event") # 打印解析事件时的错误信息 - #Audit log cleared - if EventID[0] == "517" or EventID[0] == "1102": + # Audit log cleared # 审计日志已清除 + if EventID[0] == "517" or EventID[0] == "1102": # 检查事件 ID 是否为 517 或 1102 """print("##### " + record["timestamp"] + " #### ", end='') print( "Audit log 
cleared by user ( %s )" % ( Account_Name[0][0].strip())) """ try: - if (len(Account_Name[0][0].strip())>1): + if (len(Account_Name[0][0].strip()) > 1): # 检查第一个账户名称的长度是否大于1 Event_desc = "Audit log cleared by user ( %s )" % ( - Account_Name[0][0].strip()) + Account_Name[0][0].strip()) # 设置事件描述为清除日志的用户 else: Event_desc = "Audit log cleared by user ( %s )" % ( - Account_Name[0][1].strip()) + Account_Name[0][1].strip()) # 如果第一个账户名称不合适,使用第二个账户名称 except: - Event_desc = "Audit log cleared by user" - - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("Audit log cleared") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("Critical") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #Suspicious Attempt to enumerate users or groups - """if EventID[0] == "4798" or EventID[0] == "4799" and record['data'].find("System32\\svchost.exe")==-1: + Event_desc = "Audit log cleared by user" # 捕获异常时的默认事件描述 + + # 记录安全事件信息 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("Audit log cleared") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 
+ Security_events[0]['Severity'].append("Critical") # 设置严重性为关键 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # Suspicious Attempt to enumerate users or groups # 可疑的用户或组枚举尝试 + """if EventID[0] == "4798" or EventID[0] == "4799" and record['data'].find("System32\\svchost.exe") == -1: #print("##### " + record["timestamp"] + " #### ", end='') #print( # "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % ( - # Account_Name[0][0].strip(),Process_Name[0][0].strip())) + # Account_Name[0][0].strip(), Process_Name[0][0].strip())) try: - if len(Account_Name[0][0])>0: - process_name=Process_Name[0][0].strip() - user=Account_Name[0][0].strip() - if len(Account_Name[0][1])>0: - process_name=Process_Name[0][1].strip() - user=Account_Name[0][1].strip() - - Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (user,process_name) - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("Medium") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + process_name = Process_Name[0][0].strip() # 获取进程名称 + user = Account_Name[0][0].strip() # 获取用户名称 + if 
len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + process_name = Process_Name[0][1].strip() # 获取进程名称 + user = Account_Name[0][1].strip() # 获取用户名称 + + Event_desc = "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (user, process_name) # 设置事件描述 + # 记录安全事件信息 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("Medium") # 设置严重性为中等 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 except: - Event_desc ="Suspicious Attempt to enumerate groups by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) + Event_desc = "Suspicious Attempt to 
enumerate groups by user" # 捕获异常时的默认事件描述 + # 记录安全事件信息 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 """ - #System audit policy was changed - if EventID[0] == "4719" and Security_ID[0][0].strip()!="S-1-5-18" and Security_ID[0][0].strip()!="SYSTEM" : + + # System audit policy was changed # 系统审计策略已更改 + if EventID[0] == "4719" and Security_ID[0][0].strip() != "S-1-5-18" and Security_ID[0][0].strip() != "SYSTEM": """print("##### " + record["timestamp"] + " #### ", end='') print( - "System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( - Account_Name[0][0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())) + "System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( + Account_Name[0][0].strip(), Category[0].strip(), Subcategory[0].strip(), Changes[0].strip())) """ - try : - if len(Account_Name[0][0])>0: - category=Category[0][0].strip() - user=Account_Name[0][0].strip() - subcategory=Subcategory[0][0].strip() - changes=Changes[0][0].strip() - if len(Account_Name[0][1])>0: - category=Category[0][1].strip() - 
subcategory=Subcategory[0][1].strip() - changes=Changes[0][1].strip() - user=Account_Name[0][1].strip() - - Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (user,category,subcategory,changes) - except : - Event_desc = "System audit policy was changed by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("System audit policy was changed") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) - - #scheduled task created - if EventID[0]=="4698" : - #print("##### " + record["timestamp"] + " #### ", end='') - - #print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(),Task_Name[0][0].strip(),Task_Command[0][0],Task_args[0][0])) - try: - if len(Account_Name[0][0])>0: - task_command=Task_Command[0][0].strip() - user=Account_Name[0][0].strip() - task_name=Task_Name[0][0].strip() - task_args=Task_args[0][0].strip() - if len(Account_Name[0][1])>0: - task_command=Task_Command[0][1].strip() - user=Account_Name[0][1].strip() - task_name=Task_Name[0][1].strip() - task_args=Task_args[0][1].strip() - - Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( user,task_name,task_command,task_args) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + category = 
Category[0][0].strip() # 获取审计类别并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + subcategory = Subcategory[0][0].strip() # 获取子类别并去除空格 + changes = Changes[0][0].strip() # 获取更改内容并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + category = Category[0][1].strip() # 获取审计类别并去除空格 + subcategory = Subcategory[0][1].strip() # 获取子类别并去除空格 + changes = Changes[0][1].strip() # 获取更改内容并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + + Event_desc = "System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (user, category, subcategory, changes) # 事件描述 except: - Event_desc = "schedule task created by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("schedule task created") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #scheduled task deleted - if EventID[0]=="1699" : - #print("##### " + record["timestamp"] + " #### ", end='') + Event_desc = "System audit policy was changed by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 
添加日期和时间 + Security_events[0]['Detection Rule'].append("System audit policy was changed") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # scheduled task created # 创建计划任务 + if EventID[0] == "4698": + # print("##### " + record["timestamp"] + " #### ", end='') + # print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(), Task_Name[0][0].strip(), Task_Command[0][0], Task_args[0][0])) - #print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(),Task_Name[0][0].strip(),Task_Command[0][0],Task_args[0][0])) - try : - if len(Account_Name[0][0])>0: - task_command=Task_Command[0][0].strip() - user=Account_Name[0][0].strip() - task_name=Task_Name[0][0].strip() - task_args=Task_args[0][0].strip() - if len(Account_Name[0][1])>0: - task_command=Task_Command[0][1].strip() - user=Account_Name[0][1].strip() - task_name=Task_Name[0][1].strip() - task_args=Task_args[0][1].strip() - Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( user,task_name,task_command,task_args) + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + task_command = Task_Command[0][0].strip() # 获取任务命令并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][0].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][0].strip() # 获取任务参数并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + task_command = Task_Command[0][1].strip() # 获取任务命令并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][1].strip() # 获取任务名称并去除空格 + task_args 
= Task_args[0][1].strip() # 获取任务参数并去除空格 + + Event_desc = "schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % (user, task_name, task_command, task_args) # 事件描述 except: - Event_desc = "schedule task deleted by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("schedule task deleted") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #schedule task updated - if EventID[0]=="4702" : - #print("##### " + record["timestamp"] + " #### ", end='') + Event_desc = "schedule task created by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("schedule task created") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 
添加原始事件日志 + + # scheduled task deleted # 删除计划任务 + if EventID[0] == "1699": + # print("##### " + record["timestamp"] + " #### ", end='') + # print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(), Task_Name[0][0].strip(), Task_Command[0][0], Task_args[0][0])) - #print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(),Task_Name[0][0].strip(),Task_Command[0][0],Task_args[0][0])) try: - if len(Account_Name[0][0])>0: - task_command=Task_Command[0][0].strip() - user=Account_Name[0][0].strip() - task_name=Task_Name[0][0].strip() - task_args=Task_args[0][0].strip() - if len(Account_Name[0][1])>0: - task_command=Task_Command[0][1].strip() - user=Account_Name[0][1].strip() - task_name=Task_Name[0][1].strip() - task_args=Task_args[0][1].strip() - Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( user,task_name,task_command,task_args) + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + task_command = Task_Command[0][0].strip() # 获取任务命令并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][0].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][0].strip() # 获取任务参数并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + task_command = Task_Command[0][1].strip() # 获取任务命令并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][1].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][1].strip() # 获取任务参数并去除空格 + + Event_desc = "schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % (user, task_name, task_command, task_args) # 事件描述 except: - Event_desc = "schedule task updated by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer 
Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("schedule task updated") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("Low") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #schedule task enabled - if EventID[0]=="4700" : - #print("##### " + record["timestamp"] + " #### ", end='') - - #print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0][0].strip(),Task_Name[0][0].strip(),Task_Command[0][0],Task_args[0][0])) - try : - if len(Account_Name[0][0])>0: - task_command=Task_Command[0][0].strip() - user=Account_Name[0][0].strip() - task_name=Task_Name[0][0].strip() - task_args=Task_args[0][0].strip() - if len(Account_Name[0][1])>0: - task_command=Task_Command[0][1].strip() - user=Account_Name[0][1].strip() - task_name=Task_Name[0][1].strip() - task_args=Task_args[0][1].strip() - Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( user,task_name,task_command,task_args) + Event_desc = "schedule task deleted by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("schedule task deleted") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + 
Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # schedule task updated # 更新计划任务 + if EventID[0] == "4702": + # print("##### " + record["timestamp"] + " #### ", end='') + + # print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0][0].strip(), Task_Name[0][0].strip(), Task_Command[0][0], Task_args[0][0])) + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + task_command = Task_Command[0][0].strip() # 获取任务命令并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][0].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][0].strip() # 获取任务参数并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + task_command = Task_Command[0][1].strip() # 获取任务命令并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][1].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][1].strip() # 获取任务参数并去除空格 + Event_desc = "schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % (user, task_name, task_command, task_args) # 事件描述 except: - Event_desc = "schedule task enabled by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("schedule task enabled") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event 
Log'].append(str(record['data']).replace("\r"," ")) - - #schedule task disabled - if EventID[0]=="4701" : - #print("##### " + record["timestamp"] + " #### ", end='') - - #print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0][0].strip(),Task_Name[0][0].strip(),Task_Command[0][0],Task_args[0][0])) - try : - if len(Account_Name[0][0])>0: - task_command=Task_Command[0][0].strip() - user=Account_Name[0][0].strip() - task_name=Task_Name[0][0].strip() - task_args=Task_args[0][0].strip() - if len(Account_Name[0][1])>0: - task_command=Task_Command[0][1].strip() - user=Account_Name[0][1].strip() - task_name=Task_Name[0][1].strip() - task_args=Task_args[0][1].strip() - Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( user,task_name,task_command,task_args) + Event_desc = "schedule task updated by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("schedule task updated") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("Low") # 设置严重性为低 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # schedule task enabled # 启用计划任务 + if EventID[0] == "4700": + # print("##### " + record["timestamp"] + " #### ", end='') + + # print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0][0].strip(), Task_Name[0][0].strip(), Task_Command[0][0], 
Task_args[0][0])) + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + task_command = Task_Command[0][0].strip() # 获取任务命令并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][0].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][0].strip() # 获取任务参数并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + task_command = Task_Command[0][1].strip() # 获取任务命令并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][1].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][1].strip() # 获取任务参数并去除空格 + Event_desc = "schedule task enabled by user ( %s ) with task name ( %s ) " % (user, task_name) # 事件描述 except: - Event_desc = "schedule task disabled by user" - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("schedule task disabled") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("Medium") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - - # user accessing directory service objects with replication permissions - if EventID[0]=="4662" : - try : - - - - if len(Account_Name[0][0])>0: - user = Account_Name[0][0].strip() - processname = Process_Name[0][0].strip() - objectname = Object_Name[0][0].strip() - objecttype = Object_Type[0][0].strip() - objectserver = ObjectServer[0][1].strip() - AccessMask = AccessMask[0][1].strip() - if len(Account_Name[0][1])>0: - user = Account_Name[0][1].strip() - processname = Process_Name[0][1].strip() - objectname = Object_Name[0][1].strip() - 
objecttype = Object_Type[0][1].strip() - objectserver = ObjectServer[0][1].strip() - accessmask = AccessMask[0][1].strip() - - if ( objectserver.lower().find("DS")>-1 and accessmask.lower().find("0x40000")>-1 and objecttype.lower().find("19195a5b_6da0_11d0_afd3_00c04fd930c9")>-1 ) : + Event_desc = "schedule task enabled by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("schedule task enabled") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # schedule task disabled # 禁用计划任务 + if EventID[0] == "4701": + # print("##### " + record["timestamp"] + " #### ", end='') + + # print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0][0].strip(), Task_Name[0][0].strip(), Task_Command[0][0], Task_args[0][0])) + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + task_command = Task_Command[0][0].strip() # 获取任务命令并去除空格 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][0].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][0].strip() # 获取任务参数并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + task_command = Task_Command[0][1].strip() # 获取任务命令并去除空格 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + task_name = Task_Name[0][1].strip() # 获取任务名称并去除空格 + task_args = Task_args[0][1].strip() # 
获取任务参数并去除空格 + Event_desc = "schedule task disabled by user ( %s ) with task name ( %s ) " % (user, task_name) # 事件描述 + except: + Event_desc = "schedule task disabled by user" # 事件描述 + + # 记录安全事件 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("schedule task disabled") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("Medium") # 设置严重性为中 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # user accessing directory service objects with replication permissions # 用户访问具有复制权限的目录服务对象 + if EventID[0] == "4662": + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + processname = Process_Name[0][0].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][0].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][0].strip() # 获取对象类型并去除空格 + objectserver = ObjectServer[0][1].strip() # 获取对象服务器并去除空格 + AccessMask = AccessMask[0][1].strip() # 获取访问掩码并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + processname = Process_Name[0][1].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][1].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][1].strip() # 获取对象类型并去除空格 + objectserver = ObjectServer[0][1].strip() # 获取对象服务器并去除空格 + accessmask = AccessMask[0][1].strip() # 获取访问掩码并去除空格 + + # 检查条件以确定是否记录事件 + if (objectserver.lower().find("ds") > -1 and 
accessmask.lower().find("0x40000") > -1 and objecttype.lower().find("19195a5b_6da0_11d0_afd3_00c04fd930c9") > -1): try: - Event_desc = "Non-system account ( %s ) with process ( %s ) got access to object ( %s ) of type ( %s )" % (user,processname,objectname,objecttype) + Event_desc = "Non-system account ( %s ) with process ( %s ) got access to object ( %s ) of type ( %s )" % (user, processname, objectname, objecttype) # 事件描述 except: - Event_desc = "Non-system account with process got access to object" - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("non-system accounts getting a handle to and accessing lsass") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - except : - pass - - # Object Access Statistics - if (objectaccess==True or allreport==True) and EventID[0]=="4663" : - #print("in") - #try : - if 1==1: - if len(Account_Name[0][0])>0: - user = Account_Name[0][0].strip() - #processname = Process_Name[0][0].strip() - objectname = Object_Name[0][0].strip() - objecttype = Object_Type[0][0].strip() - if len(Account_Name[0][1])>0: - user = Account_Name[0][1].strip() - #processname = Process_Name[0][1].strip() - objectname = Object_Name[0][1].strip() - objecttype = Object_Type[0][1].strip() - - Object_Access_Events[0]['Computer Name'].append(Computer[0]) - Object_Access_Events[0]['Channel'].append(Channel[0]) - 
Object_Access_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Object_Access_Events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Object_Access_Events[0]['Account Name'].append(user) - Object_Access_Events[0]['Object Name'].append(objectname) - Object_Access_Events[0]['Object Type'].append(objecttype) - Object_Access_Events[0]['Process Name'].append(ObjectProcessName[0]) - Object_Access_Events[0]['Event ID'].append(EventID[0]) - Object_Access_Events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - - #except Exception as e : - # print("error parsing fields for "+str(record['data'])) - - # non-system accounts with process requested accessing to object 4656 - if EventID[0]=="4656" or EventID[0]=="4663" : - try : - - if len(Account_Name[0][0])>0: - user = Account_Name[0][0].strip() - #processname = Process_Name[0][0].strip() - objectname = Object_Name[0][0].strip() - objecttype = Object_Type[0][0].strip() - if len(Account_Name[0][1])>0: - user = Account_Name[0][1].strip() - #processname = Process_Name[0][1].strip() - objectname = Object_Name[0][1].strip() - objecttype = Object_Type[0][1].strip() - - - if len(Security_ID[0][0])>30 and objectname.lower().find("lsass.exe")>-1: + Event_desc = "Non-system account with process got access to object" # 事件描述 + # 记录安全事件 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("non-system accounts getting a handle to and accessing lsass") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 
添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + except: + pass # 忽略异常 + + # Object Access Statistics # 对象访问统计 + if (objectaccess == True or allreport == True) and EventID[0] == "4663": + # print("in") + # try: + if 1 == 1: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + # processname = Process_Name[0][0].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][0].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][0].strip() # 获取对象类型并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + # processname = Process_Name[0][1].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][1].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][1].strip() # 获取对象类型并去除空格 + + # 记录对象访问事件 + Object_Access_Events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Object_Access_Events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Object_Access_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Object_Access_Events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Object_Access_Events[0]['Account Name'].append(user) # 添加账户名称 + Object_Access_Events[0]['Object Name'].append(objectname) # 添加对象名称 + Object_Access_Events[0]['Object Type'].append(objecttype) # 添加对象类型 + Object_Access_Events[0]['Process Name'].append(ObjectProcessName[0]) # 添加进程名称 + Object_Access_Events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Object_Access_Events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + + # except Exception as e: + # print("error parsing fields for " + str(record['data'])) + + # 
non-system accounts with process requested accessing to object 4656 # 非系统账户请求访问对象 4656 + if EventID[0] == "4656" or EventID[0] == "4663": + try: + if len(Account_Name[0][0]) > 0: # 检查第一个账户名称是否存在 + user = Account_Name[0][0].strip() # 获取用户名称并去除空格 + # processname = Process_Name[0][0].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][0].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][0].strip() # 获取对象类型并去除空格 + if len(Account_Name[0][1]) > 0: # 检查第二个账户名称是否存在 + user = Account_Name[0][1].strip() # 获取用户名称并去除空格 + # processname = Process_Name[0][1].strip() # 获取进程名称并去除空格 + objectname = Object_Name[0][1].strip() # 获取对象名称并去除空格 + objecttype = Object_Type[0][1].strip() # 获取对象类型并去除空格 + + # 检查安全 ID 和对象名称 + if len(Security_ID[0][0]) > 30 and objectname.lower().find("lsass.exe") > -1: try: - Event_desc ="Non-system account ( %s ) with process ( %s ) got access to object ( %s ) of type ( %s )" % (user,ObjectProcessName[0],objectname,objecttype) + Event_desc = "Non-system account ( %s ) with process ( %s ) got access to object ( %s ) of type ( %s )" % (user, ObjectProcessName[0], objectname, objecttype) # 事件描述 except: - Event_desc = "Non-system account with process got access to object" - Security_events[0]['Computer Name'].append(Computer[0]) - Security_events[0]['Channel'].append(Channel[0]) - Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) - Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) - Security_events[0]['Detection Rule'].append("non-system accounts getting a handle to and accessing lsass") - Security_events[0]['Detection Domain'].append("Audit") - Security_events[0]['Severity'].append("High") - Security_events[0]['Event Description'].append(Event_desc) - Security_events[0]['Event ID'].append(EventID[0]) - Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r"," ")) - except Exception as e : - 
print("error parsing fields for "+str(record['data'])) + Event_desc = "Non-system account with process got access to object" # 事件描述 + # 记录安全事件 + Security_events[0]['Computer Name'].append(Computer[0]) # 添加计算机名称 + Security_events[0]['Channel'].append(Channel[0]) # 添加通道信息 + Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat()))) # 添加时间戳 + Security_events[0]['Date and Time'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat()) # 添加日期和时间 + Security_events[0]['Detection Rule'].append("non-system accounts getting a handle to and accessing lsass") # 添加检测规则 + Security_events[0]['Detection Domain'].append("Audit") # 添加检测域 + Security_events[0]['Severity'].append("High") # 设置严重性为高 + Security_events[0]['Event Description'].append(Event_desc) # 添加事件描述 + Security_events[0]['Event ID'].append(EventID[0]) # 添加事件 ID + Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " ")) # 添加原始事件日志 + except Exception as e: + print("error parsing fields for " + str(record['data'])) # 打印解析字段时的错误 else: print(record['data']) diff --git a/test.txt b/test.txt deleted file mode 100644 index 5bd5b2c..0000000 --- a/test.txt +++ /dev/null @@ -1 +0,0 @@ - 不会搞 \ No newline at end of file diff --git a/项目泛读.txt b/项目泛读.txt deleted file mode 100644 index 453b556..0000000 --- a/项目泛读.txt +++ /dev/null 
@@ -1,39 +0,0 @@
-一、源代码结构与功能
-APT-Hunter的源代码主要由Python编写,包含多个模块和脚本,用于实现日志收集、解析、分析以及结果输出等功能。
-
-日志收集:
-源代码中包含了用于收集Windows事件日志的PowerShell脚本(windows-log-collector-full-v3-CSV && windows-log-collector-full-v3-EVTX)脚本能够提取CSV和EVTX格式的日志。
-用户可以通过运行这些脚本来自动收集所需的日志,而无需手动查找和提取。
-日志解析:
-APT-Hunter使用内置库(如csv库)来解析CSV日志文件,使用外部库(如evtx库)来解析EVTX日志文件。
-解析过程中,APT-Hunter会使用正则表达式(Regex)为每个事件提取字段,以便后续分析。
-日志分析:
-源代码中包含了用于分析日志的逻辑,这些逻辑基于Mitre ATT&CK战术和技术,将攻击指标映射到Windows事件日志中。
-分析过程中,APT-Hunter会检测各种可疑活动,如恶意软件的安装、未授权的网络连接等,并生成相应的报告。
-结果输出:
-分析结果可以以Excel工作表和CSV文件的形式输出,便于用户查看和分析。
-其中,Excel工作表包含了从每个Windows日志中检测到的所有事件,而CSV文件则可以用于时间线分析。
-二、关键模块与代码分析
-日志收集模块:
-该模块主要包含PowerShell脚本,用于从Windows系统中提取日志。
-脚本中使用了Windows事件日志API或PowerShell命令来获取日志数据,并将其保存为CSV或EVTX格式。
-日志解析模块:
-该模块使用Python编写,包含了用于解析CSV和EVTX日志文件的函数。
-在解析CSV文件时,使用了Python的csv库来读取文件并提取字段。
-在解析EVTX文件时,使用了外部库(如pyevtx)来读取文件并解析事件。
-日志分析模块:
-该模块是APT-Hunter的核心部分,包含了用于检测可疑活动的逻辑。
-逻辑中定义了多个检测规则,这些规则基于Mitre ATT&CK战术和技术,用于识别各种APT攻击指标。
-分析过程中,APT-Hunter会遍历日志文件中的事件,并根据检测规则进行判断和分类。
-结果输出模块:
-该模块负责将分析结果输出为用户可读的格式。
-在输出Excel工作表时,使用了Python的pandas库来创建和填充工作表。
-在输出CSV文件时,则直接使用了Python的文件操作函数来写入数据。
-三、技术亮点与优势
-高效性:APT-Hunter能够快速地收集、解析和分析大量的Windows事件日志,提高了威胁检测的效率和准确性。
-易用性:该工具提供了友好的用户界面和简洁的操作流程,使得用户能够轻松上手并快速掌握其使用方法。
-兼容性:APT-Hunter支持多种格式的日志解析和输出配置,使得用户能够灵活地将其集成到现有的安全监控系统中。
-开源性:作为一款开源工具,APT-Hunter的源代码是公开的,用户可以根据需要进行二次开发或定制。
-四、结论与展望
-通过对APT-Hunter源代码的分析,可以看出该工具在Windows事件日志的威胁搜寻方面具有较高的效率和准确性。其友好的用户界面、简洁的操作流程以及灵活的日志解析和输出配置,使得用户能够轻松地使用该工具进行威胁检测和分析。然而,随着APT攻击的不断发展和变化,APT-Hunter也需要不断更新和完善其检测规则和功能,以应对新的威胁和挑战。未来,可以进一步优化APT-Hunter的性能和效率,提高其适用性和易用性,并探索与其他安全监控系统的集成和联动,以实现更加全面和高效的安全防护。
-到此一游
\ No newline at end of file