diff --git a/src/lib/CSVDetection.py b/src/lib/CSVDetection.py
index 180ab9f..cca2b39 100644
--- a/src/lib/CSVDetection.py
+++ b/src/lib/CSVDetection.py
@@ -234,8 +234,10 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 Process_Command_Line = Process_Command_Line_rex.findall(row['Details'])
 #User Cretion using Net command
+ # 用户创建事件处理,使用 Net 命令
 if row['Event ID']=="4688":
 try:
+ # 检查事件详情中是否包含用户添加的命令
 if len(re.findall('.*user.*/add.*',row['Details']))>0:
 #print("test")
@@ -244,7 +246,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 #print("User Name : ( %s ) "%Account_Name[0].strip(),end='')
 #print("with Command Line : ( " + Process_Command_Line[0].strip()+" )")
+ # 生成事件描述
 Event_desc ="User Name : ( %s ) "%Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip()+" )"
+ # 将事件信息添加到 Security_events 数据结构中
 Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
 Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
 Security_events[0]['Detection Rule'].append("User Added using Net Command")
@@ -255,6 +259,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
 #Detecting privielge Escalation using Token Elevation
+ # 检测特权提升尝试,使用命名管道
 if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line))>0:
 Event_desc ="User Name : ( %s ) " % user+"conducting NAMED PIPE privilege escalation with Command Line : ( " + process_command_line + " ) " 
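Review bot: The comment added under `#User Cretion using Net command` in the `@@ -234` hunk is a Chinese restatement of the English comment directly above it, so the block now carries the same note twice in two languages, and the same pattern runs through every hunk in this file and in EvtxDetection.py, usually right under an English comment that already says the same thing. The existing comments, strings and identifiers are all English, so a reader who does not read Chinese gains nothing and one who does has to reconcile two versions once they drift. Either write the new comments in the file's language or replace the English line instead of stacking a translation under it, and take the chance to fix the typos the old lines carry (`Cretion`, `privielge`). Where a new comment adds nothing beyond its neighbour, as with `# 检查事件详情中是否包含用户添加的命令` over `if len(re.findall('.*user.*/add.*',row['Details']))>0:`, leave it out. The enclosing `detect_events_security_log` starts before and ends after this hunk.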
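Review bot: In the `@@ -255` hunk the new `# 检测特权提升尝试,使用命名管道` sits directly under the pre-existing `#Detecting privielge Escalation using Token Elevation`, and the two now disagree: the regex below looks for `cmd.exe /c echo ... > \\.\pipe\...` and the description it produces says `NAMED PIPE privilege escalation`, so the old "Token Elevation" wording is stale. The same stacking appears in EvtxDetection.py at `@@ -924`, and at `@@ -844` where `#process runing in suspicious location` is kept above a loop over `Usual_Path` with the new comment saying the opposite. Replace the stale line with one accurate comment rather than adding a second, e.g. `# Detecting privilege escalation via a named pipe (cmd.exe echo into \\.\pipe\)`. The enclosing function continues outside the hunk.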
@@ -267,6 +272,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 Security_events[0]['Event ID'].append(row['Event ID'])
 Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ # 检查进程命令行是否在可疑位置(如 temp、tmp、Program Data)
 if Process_Command_Line[0].strip().lower().find("\\temp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\tmp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\program data\\")>-1:
 # print("test")
@@ -285,6 +291,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 Security_events[0]['Event ID'].append(row['Event ID'])
 Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ # 检查是否存在可疑的可执行文件
 for i in Suspicious_executables:
 if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
@@ -304,6 +311,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 Security_events[0]['Event ID'].append(row['Event ID'])
 Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
+ # 检查是否存在可疑的 PowerShell 命令
 for i in Suspicious_powershell_commands:
 if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
@@ -325,6 +333,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
 except:
+ # 捕获解析事件时的错误并输出错误信息
 print("Error parsing below Event \n"+row['Details'])
 continue
diff --git a/src/lib/EvtxDetection.py b/src/lib/EvtxDetection.py
index 0777f89..acdea50 100644
--- a/src/lib/EvtxDetection.py
+++ b/src/lib/EvtxDetection.py
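Review bot: The comment added between `except:` and `print("Error parsing below Event \n"+row['Details'])` in the `@@ -325` hunk presents the handler as catching parse errors, but a bare `except:` catches everything, including `KeyboardInterrupt` and `SystemExit` and any programming error raised while inspecting the row (a `KeyError` for a missing column, an `IndexError` from `Account_Name[0]` when the regex found nothing), and the `continue` then drops that row from `Security_events` with nothing more than a line on stdout. For a detection tool that is a silently missed event, so the comment should say that rather than describe it as error reporting: `# Any exception while inspecting this row is printed and the row is skipped; it never reaches Security_events`. Narrowing to `except Exception:` would at least let Ctrl-C through. The `try` this belongs to starts outside the hunk.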
@@ -746,18 +746,20 @@ def detect_events_security_log(file_name, shared_data):
 ObjectProcessName=ObjectProcessName_rex.findall(record['data'])
 #Detect any log that contain suspicious process name or argument
- if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
- for i in all_suspicious:
+ # 检测任何包含可疑进程名称或参数的日志
+ if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":# 检查事件 ID 是否为 4688、4648 或 4673
+ for i in all_suspicious:# 遍历所有可疑项
- if record['data'].lower().find(i.lower())>-1:
+ if record['data'].lower().find(i.lower())>-1:# 检查日志数据中是否包含可疑项
 #print("##### " + record["timestamp"] + " #### ", end='')
 #print("## Found Suspicios Process ", end='')
 #print("User Name : ( %s ) " % Account_Name[0][0].strip(), end='')
 #print("with Command Line : ( " + Process_Command_Line[0][0].strip() + " )")
 # print("###########")
- 
+ # 生成事件描述
 Event_desc ="Found a log contain suspicious command or process ( %s)"%i
+ # 将事件信息添加到 Security_events 数据结构中
 Security_events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
 Security_events[0]['Computer Name'].append(Computer[0])
 Security_events[0]['Channel'].append(Channel[0])
@@ -768,12 +770,14 @@ def detect_events_security_log(file_name, shared_data):
 Security_events[0]['Event Description'].append(Event_desc)
 Security_events[0]['Event ID'].append(EventID[0])
 Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
- break
+ break # 找到可疑项后退出循环
 #User Creation using Net command
+ # 用户创建事件,使用 Net 命令
 if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
 try:
 process_name=''
 process_command_line=" "
+ # 获取用户名称
 if len(Account_Name[0][0])>0:
 user=Account_Name[0][0].strip()
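Review bot: The three rewritten lines in the `@@ -746` hunk (`if EventID[0]=="4688" ...:# 检查事件 ID 是否为 4688、4648 或 4673`, `for i in all_suspicious:# 遍历所有可疑项`, `if record['data'].lower().find(i.lower())>-1:# 检查日志数据中是否包含可疑项`) only restate what the code already says, and they are glued to the statement with no space before the `#`, where PEP 8 asks for two spaces before an inline comment. The `-`/`+` pairs also turn three otherwise untouched statements into changed lines in blame for no behavioural reason; `if process_name.strip() not in Suspicious_process_found:# ...` at `@@ -818` and `break# 找到可疑路径后退出循环` at `@@ -844` have the same shape. A useful comment on the first line would say why these three event IDs are grouped together, not repeat them; otherwise drop the inline comments and leave the lines unchanged. The enclosing function continues outside the hunk.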
@@ -781,7 +785,7 @@ def detect_events_security_log(file_name, shared_data):
 if len(Account_Name[0][1])>0:
 user=Account_Name[0][1].strip()
 process_command_line=Process_Command_Line[0][1].strip()
- 
+ # 获取进程名称
 if len(Process_Command_Line)>0:
 process_command_line=Process_Command_Line[0][0].strip()
 """
@@ -796,7 +800,7 @@ def detect_events_security_log(file_name, shared_data):
 for i in Process_Name[0]:
 if len(i)>0:
 process_name=i
- 
+ # 检查日志数据中是否包含用户添加的命令
 if len(re.findall('.*user.*/add.*',record['data']))>0:
 #print("test")
@@ -818,9 +822,11 @@ def detect_events_security_log(file_name, shared_data):
 Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
 #process runing in suspicious location
+ # 检查进程是否在可疑位置运行
 found=0
- if process_name.strip() not in Suspicious_process_found:
+ if process_name.strip() not in Suspicious_process_found:# 检查日志数据中是否包含可疑路径
 for i in Suspicious_Path:
+ # 检查日志数据中是否包含可疑路径
 if str(record['data']).lower().find(i.lower())>-1:#process_name.strip().lower().find(i.lower())>-1 or process_command_line.lower().find(i.lower())>-1 :
 Suspicious_process_found.append(process_name.strip())
 found=1
@@ -844,8 +850,9 @@ def detect_events_security_log(file_name, shared_data):
 Security_events[0]['Event Description'].append(Event_desc)
 Security_events[0]['Event ID'].append(EventID[0])
 Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
- break
+ break# 找到可疑路径后退出循环
 if found!=1:
+ # 检查进程是否在常规路径中运行
 #process runing in suspicious location
 found=0
 for i in Usual_Path:
@@ -875,6 +882,8 @@ def detect_events_security_log(file_name, shared_data):
 Security_events[0]['Event ID'].append(EventID[0])
 Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
 found=0
+ 
+ # 检测可疑可执行文件
 if len(Process_Command_Line)>0:
 #detect suspicious executables
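Review bot: The `# 获取进程名称` ("get process name") that replaces the blank line in the `@@ -781` hunk sits above `if len(Process_Command_Line)>0: process_command_line=Process_Command_Line[0][0].strip()`, which assigns the command line, not the process name; `process_name` is only set in the `for i in Process_Name[0]` loop shown in the next hunk. The comment should describe the statement it annotates, e.g. `# first capture of the command-line regex`. The `@@ -818` hunk has the same problem the other way round: the trailing `# 检查日志数据中是否包含可疑路径` on `if process_name.strip() not in Suspicious_process_found:` describes the `Suspicious_Path` loop beneath it rather than this check, and is then repeated verbatim two lines lower, so the trailing copy should either say what the line does (`# skip processes already recorded in Suspicious_process_found`) or go. The enclosing function continues outside these hunks.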
@@ -900,6 +909,7 @@ def detect_events_security_log(file_name, shared_data):
 Security_events[0]['Original Event Log'].append(str(record['data']).replace("\r", " "))
 # detect suspicious powershell commands
+ # 检测可疑的 PowerShell 命令
 for i in Suspicious_powershell_commands:
 if process_command_line.lower().find(i.lower())>-1:
@@ -924,6 +934,7 @@ def detect_events_security_log(file_name, shared_data):
 #Detecting privielge Escalation using Token Elevation
+ # 检测特权提升尝试,使用命名管道
 if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0 or len(re.findall(r"cmd.exe /c echo \w{1,10} .* \\\\\.\\pipe\\\w{1,10}",process_command_line.lower().strip()))>0:
 #print("detected",process_command_line.lower().strip())
 Event_desc ="User Name : ( %s ) " % user+"conducting Named PIPE privilege escalation with Command Line : ( " + process_command_line + " ) "
@@ -943,6 +954,7 @@ def detect_events_security_log(file_name, shared_data):
 #print(process_command_line)
 #Summary of process Execution
+ # 进程执行的总结
 if EventID[0]=="4688" or EventID[0]=="4648" or EventID[0]=="4673":
 try:
 #process_name=" "
@@ -954,6 +966,7 @@ def detect_events_security_log(file_name, shared_data):
 #print(process_name)
 #print(Executed_Process_Summary[0]['Process Name'])
 #print(process_name not in Executed_Process_Summary[0]['Process Name'])
+ # 更新执行进程的总结
 if process_name not in Executed_Process_Summary[0]['Process Name']:
 Executed_Process_Summary[0]['Process Name'].append(process_name.strip())
 Executed_Process_Summary[0]['Number of Execution'].append(1)
@@ -963,6 +976,7 @@ def detect_events_security_log(file_name, shared_data):
 pass
 #report of process Execution
+ # 进程执行的报告
 if (processexec==True or allreport==True) and EventID[0]=="4688":
 #try:
@@ -982,6 +996,7 @@ def detect_events_security_log(file_name, shared_data):
 parent_process_name=i
 else:
 parent_process_name="None"
+ # 将进程执行事件信息添加到 Executed_Process_Events 数据结构中
 Executed_Process_Events[0]['timestamp'].append(datetime.timestamp(isoparse(parse(record["timestamp"]).astimezone(input_timzone).isoformat())))
 Executed_Process_Events[0]['DateTime'].append(parse(record["timestamp"]).astimezone(input_timzone).isoformat())
 Executed_Process_Events[0]['ProcessName'].append(process_name)
@@ -995,6 +1010,7 @@ def detect_events_security_log(file_name, shared_data):
 # non-interactive powershell being executed by another application in the background
+ # 检测非交互式 PowerShell 进程是否由其他应用程序在后台执行
 if EventID[0]=="4688" :
 try:
 #process_name=" "
@@ -1006,6 +1022,7 @@ def detect_events_security_log(file_name, shared_data):
 if len(i)>0:
 parent_process_name=i
+ # 检查是否为非交互式 PowerShell 进程
 if process_name[0].lower().find("powershell.exe")>-1 and parent_process_name[0].lower().find("explorer.exe")==-1:
 try:
 Event_desc ="User Name : ( %s ) "%user+" executed non-interactive ( " + New_Process_Name[0] + " ) through : ( " + Parent_Process_Name[0] + " ) ."