|
|
|
|
@ -746,18 +746,20 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
ObjectProcessName=ObjectProcessName_rex.findall(record['data'])
|
|
|
|
|
|
|
|
|
|
#Detect any log that contain suspicious process name or argument
|
|
|
|
|
if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
|
|
|
|
|
for i in all_suspicious:
|
|
|
|
|
# 检测任何包含可疑进程名称或参数的日志
|
|
|
|
|
if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":# 检查事件 ID 是否为 4688、4648 或 4673
|
|
|
|
|
for i in all_suspicious:# 遍历所有可疑项
|
|
|
|
|
|
|
|
|
|
if record['data'].lower().find(i.lower())>-1:
|
|
|
|
|
if record['data'].lower().find(i.lower())>-1:# 检查日志数据中是否包含可疑项
|
|
|
|
|
|
|
|
|
|
#print("##### " + record["timestamp"] + " #### ", end='')
|
|
|
|
|
#print("## Found Suspicios Process ", end='')
|
|
|
|
|
#print("User Name : ( %s ) " % Account_Name[0][0].strip(), end='')
|
|
|
|
|
#print("with Command Line : ( " + Process_Command_Line[0][0].strip() + " )")
|
|
|
|
|
# print("###########")
|
|
|
|
|
|
|
|
|
|
# 生成事件描述
|
|
|
|
|
Event_desc ="Found a log contain suspicious command or process ( %s)"%i
|
|
|
|
|
# 将事件信息添加到 Security_events 数据结构中
|
|
|
|
|
Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
|
|
|
|
|
Security_events[0]['Computer Name'].append(Computer[0])
|
|
|
|
|
Security_events[0]['Channel'].append(Channel[0])
|
|
|
|
|
@ -768,12 +770,14 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
Security_events[0]['Event Description'].append(Event_desc)
|
|
|
|
|
Security_events[0]['Event ID'].append(EventID[0])
|
|
|
|
|
Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
|
|
|
|
|
break
|
|
|
|
|
break # 找到可疑项后退出循环
|
|
|
|
|
#User Creation using Net command
|
|
|
|
|
# 用户创建事件,使用 Net 命令
|
|
|
|
|
if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
|
|
|
|
|
try:
|
|
|
|
|
process_name=''
|
|
|
|
|
process_command_line=" "
|
|
|
|
|
# 获取用户名称
|
|
|
|
|
if len(Account_Name[0][0])>0:
|
|
|
|
|
user=Account_Name[0][0].strip()
|
|
|
|
|
|
|
|
|
|
@ -781,7 +785,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
if len(Account_Name[0][1])>0:
|
|
|
|
|
user=Account_Name[0][1].strip()
|
|
|
|
|
process_command_line=Process_Command_Line[0][1].strip()
|
|
|
|
|
|
|
|
|
|
# 获取进程名称
|
|
|
|
|
if len(Process_Command_Line)>0:
|
|
|
|
|
process_command_line=Process_Command_Line[0][0].strip()
|
|
|
|
|
"""
|
|
|
|
|
@ -796,7 +800,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
for i in Process_Name[0]:
|
|
|
|
|
if len(i)>0:
|
|
|
|
|
process_name=i
|
|
|
|
|
|
|
|
|
|
# 检查日志数据中是否包含用户添加的命令
|
|
|
|
|
if len(re.findall('.*user.*/add.*',record['data']))>0:
|
|
|
|
|
#print("test")
|
|
|
|
|
|
|
|
|
|
@ -818,9 +822,11 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
|
|
|
|
|
|
|
|
|
|
#process runing in suspicious location
|
|
|
|
|
# 检查进程是否在可疑位置运行
|
|
|
|
|
found=0
|
|
|
|
|
if process_name.strip() not in Suspicious_process_found:
|
|
|
|
|
if process_name.strip() not in Suspicious_process_found:# 检查日志数据中是否包含可疑路径
|
|
|
|
|
for i in Suspicious_Path:
|
|
|
|
|
# 检查日志数据中是否包含可疑路径
|
|
|
|
|
if str(record['data']).lower().find(i.lower())>-1:#process_name.strip().lower().find(i.lower())>-1 or process_command_line.lower().find(i.lower())>-1 :
|
|
|
|
|
Suspicious_process_found.append(process_name.strip())
|
|
|
|
|
found=1
|
|
|
|
|
@ -844,8 +850,9 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
Security_events[0]['Event Description'].append(Event_desc)
|
|
|
|
|
Security_events[0]['Event ID'].append(EventID[0])
|
|
|
|
|
Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
|
|
|
|
|
break
|
|
|
|
|
break# 找到可疑路径后退出循环
|
|
|
|
|
if found!=1:
|
|
|
|
|
# 检查进程是否在常规路径中运行
|
|
|
|
|
#process runing in suspicious location
|
|
|
|
|
found=0
|
|
|
|
|
for i in Usual_Path:
|
|
|
|
|
@ -875,6 +882,8 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
Security_events[0]['Event ID'].append(EventID[0])
|
|
|
|
|
Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
|
|
|
|
|
found=0
|
|
|
|
|
|
|
|
|
|
# 检测可疑可执行文件
|
|
|
|
|
if len(Process_Command_Line)>0:
|
|
|
|
|
|
|
|
|
|
#detect suspicious executables
|
|
|
|
|
@ -900,6 +909,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
|
|
|
|
|
|
|
|
|
|
# detect suspicious powershell commands
|
|
|
|
|
# 检测可疑的 PowerShell 命令
|
|
|
|
|
for i in Suspicious_powershell_commands:
|
|
|
|
|
|
|
|
|
|
if process_command_line.lower().find(i.lower())>-1:
|
|
|
|
|
@ -924,6 +934,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#Detecting privielge Escalation using Token Elevation
|
|
|
|
|
# 检测特权提升尝试,使用命名管道
|
|
|
|
|
if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0 or len(re.findall(r"cmd.exe /c echo \w{1,10} .* \\\\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0:
|
|
|
|
|
#print("detected",process_command_line.lower().strip())
|
|
|
|
|
Event_desc ="User Name : ( %s ) " % user+"conducting Named PIPE privilege escalation with Command Line : ( " + process_command_line + " ) "
|
|
|
|
|
@ -943,6 +954,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
#print(process_command_line)
|
|
|
|
|
|
|
|
|
|
#Summary of process Execution
|
|
|
|
|
# 进程执行的总结
|
|
|
|
|
if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
|
|
|
|
|
try:
|
|
|
|
|
#process_name=" "
|
|
|
|
|
@ -954,6 +966,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
#print(process_name)
|
|
|
|
|
#print(Executed_Process_Summary[0]['Process Name'])
|
|
|
|
|
#print(process_name not in Executed_Process_Summary[0]['Process Name'])
|
|
|
|
|
# 更新执行进程的总结
|
|
|
|
|
if process_name not in Executed_Process_Summary[0]['Process Name']:
|
|
|
|
|
Executed_Process_Summary[0]['Process Name'].append(process_name.strip())
|
|
|
|
|
Executed_Process_Summary[0]['Number of Execution'].append(1)
|
|
|
|
|
@ -963,6 +976,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
#report of process Execution
|
|
|
|
|
# 进程执行的报告
|
|
|
|
|
if (processexec==True or allreport==True) and EventID[0]=="4688":
|
|
|
|
|
#try:
|
|
|
|
|
|
|
|
|
|
@ -982,6 +996,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
parent_process_name=i
|
|
|
|
|
else:
|
|
|
|
|
parent_process_name="None"
|
|
|
|
|
# 将进程执行事件信息添加到 Executed_Process_Events 数据结构中
|
|
|
|
|
Executed_Process_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
|
|
|
|
|
Executed_Process_Events[0]['DateTime'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
|
|
|
|
|
Executed_Process_Events[0]['ProcessName'].append(process_name)
|
|
|
|
|
@ -995,6 +1010,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# non-interactive powershell being executed by another application in the background
|
|
|
|
|
# 检测非交互式 PowerShell 进程是否由其他应用程序在后台执行
|
|
|
|
|
if EventID[0]=="4688" :
|
|
|
|
|
try:
|
|
|
|
|
#process_name=" "
|
|
|
|
|
@ -1006,6 +1022,7 @@ def detect_events_security_log(file_name, shared_data):
|
|
|
|
|
if len(i)>0:
|
|
|
|
|
parent_process_name=i
|
|
|
|
|
|
|
|
|
|
# 检查是否为非交互式 PowerShell 进程
|
|
|
|
|
if process_name[0].lower().find("powershell.exe")>-1 and parent_process_name[0].lower().find("explorer.exe")==-1:
|
|
|
|
|
try:
|
|
|
|
|
Event_desc ="User Name : ( %s ) "%user+" executed non-interactive ( " + New_Process_Name[0] + " ) through : ( " + Parent_Process_Name[0] + " ) ."
|
|
|
|
|
|
