
32 Commits

lancymorry f238aeaf05 项目阅读报告和代码注释均已完成,有劳过目
7 months ago
郭吉民 32e37585cd from 郭吉民
7 months ago
DengYanjia 4cbd982f74 from 邓焱嘉
7 months ago
lly 71f46cb052 from 李林原
7 months ago
lly 1f9b203953 from 李林原
7 months ago
lly 3356a0b7bc from 李林原
7 months ago
DengYanjia 2b5e393a58 from 邓焱嘉
7 months ago
林协鸿 4629e94830 from 林协鸿
7 months ago
郭吉民 7e5af04ca5 by 郭吉民
7 months ago
黎星辰 09007270c3 from 黎星辰
7 months ago
lancymorry aadd24d025 重新把所有代码文件清空了
7 months ago
pex7hfbnt 58eb17b849 Merge pull request 'Linn' (#8) from testL into main
7 months ago
linxiehong 8ad48ca390 Fin
7 months ago
pex7hfbnt 340a7f96e3 issue5
7 months ago
郭吉民 fc00532c2d guojimin
7 months ago
pex7hfbnt e222c39967 Delete 'lly.txt'
7 months ago
pex7hfbnt bf5a070658 issue2
7 months ago
pex7hfbnt 8bc3507637 issue4
7 months ago
pex7hfbnt e9cff0e553 Merge pull request '为了方便点击所以不得不取了一个非常长的标题.jpg' (#4) from NineLamp into main
7 months ago
lly 7424167841 finish
7 months ago
unknown 3c0bcacb2d finish
7 months ago
郭吉民 541df41774 到此一游
8 months ago
pex7hfbnt 865d77c51c Merge pull request '1' (#3) from NineLamp into main
8 months ago
unknown 3b9436beef 泛读
8 months ago
pex7hfbnt 61bf150a17 Delete '111.txt'
8 months ago
2813826100@qq.com ca84da7bc3 try
8 months ago
郭吉民 d76bd3e7c2 1111111
8 months ago
lly c32c950dc4 lly first time
8 months ago
linxiehong 19501d4439 123 added
8 months ago
linxiehong 2cb80c58a1 123456
8 months ago
pex7hfbnt 7e9da37e22 Delete 'next.txt'
8 months ago
lancymorry 061029d383 just a test
8 months ago

@ -0,0 +1,16 @@
{
"workbench.colorCustomizations": {
"sideBar.background": "#1f2329",
"activityBar.background": "#2A2E37",
"titleBar.activeBackground": "#2A2E37",
"editor.background": "#181B20",
"terminal.background": "#181B20",
"panel.background": "#181B20",
"dropdown.background": "#181B20",
"dropdown.listBackground": "#181B20",
"editorGroupHeader.tabsBackground": "#1F2229",
"tab.inactiveBackground": "#23282E",
"menu.background": "#2A2F37",
"menu.selectionBackground": "#0E629D"
}
}
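Review bot: These are per-developer editor colour preferences (the `workbench.colorCustomizations` keys suggest a VS Code `settings.json`, though the file path is not shown here), and committing them forces one person's theme onto every clone of the repository. Nothing in the file affects the build, tests or the analysis code, so it carries no shared value and will generate merge noise whenever two contributors change their local theme. I would drop this file from the commit and add the editor directory to `.gitignore` (e.g. `.vscode/`), keeping only workspace-wide settings such as linter or interpreter configuration if the team actually needs them.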

@ -103,15 +103,48 @@ def evtxdetect_auto():
try: try:
#print(Security_path) #print(Security_path)
userprofile=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (UserProfile_path_list,EvtxDetection.detect_events_UserProfileService_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core)) # 创建一个多进程对象用于并行分析用户配置文件UserProfile相关的日志
# target参数指定了新进程要执行的函数args参数传递了执行该函数所需的参数
userprofile = multiprocessing.Process(
target=EvtxDetection.multiprocess, # 要在新进程中执行的函数
args=( # 传递给函数的参数列表
UserProfile_path_list, # 用户配置文件路径的列表
EvtxDetection.detect_events_UserProfileService_log, # 检测事件的函数
input_timezone, # 输入时区信息
timestart, # 分析开始时间
timeend, # 分析结束时间
objectaccess, # 是否分析对象访问事件
processexec, # 是否分析进程执行事件
logons, # 是否分析登录事件
frequencyanalysis, # 是否进行频率分析
allreport, # 是否生成全部报告
Output, # 输出路径或相关配置
CPU_Core # 使用的CPU核心数
)
)#创建多线程分析windows日志其中参数包括用户配置文件的路径列表、一个检测事件的函数、时区信息、时间范围、以及一系列用于分析的选项如对象访问、进程执行、登录、频率分析等
# 启动新进程开始执行multiprocess函数
userprofile.start() userprofile.start()
# 将新创建的进程对象添加到process_list列表中以便后续管理或跟踪
process_list.append(userprofile) process_list.append(userprofile)
# 如果在try块中发生了IOError异常如文件不存在则执行以下代码
except IOError : except IOError :
# 打印错误信息,指出分析用户配置文件日志时出错,文件路径不存在
print("Error Analyzing User Profile logs: ", end='') print("Error Analyzing User Profile logs: ", end='')
print("File Path Does Not Exist") print("File Path Does Not Exist")
# 如果在try块中发生了除IOError之外的其他异常则执行以下代码
except Exception as e: except Exception as e:
# 打印错误信息,指出分析用户配置文件日志时出错
print("Error Analyzing User Profile logs") print("Error Analyzing User Profile logs")
# 使用logging模块记录异常的详细信息包括堆栈跟踪
# traceback.format_exc()会返回一个包含异常堆栈跟踪信息的字符串
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析安全日志
try: try:
#print(Security_path) #print(Security_path)
sec=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (Security_path_list,EvtxDetection.detect_events_security_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) sec=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (Security_path_list,EvtxDetection.detect_events_security_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -123,6 +156,8 @@ def evtxdetect_auto():
except Exception as e: except Exception as e:
print("Error Analyzing Security logs") print("Error Analyzing Security logs")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析系统日志
try: try:
#EvtxDetection.multiprocess(system_path_list,EvtxDetection.detect_events_system_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(system_path_list,EvtxDetection.detect_events_system_log,input_timezone,timestart,timeend)
sys=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (system_path_list,EvtxDetection.detect_events_system_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) sys=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (system_path_list,EvtxDetection.detect_events_system_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -134,6 +169,8 @@ def evtxdetect_auto():
except Exception as e: except Exception as e:
print("Error Analyzing System logs ") print("Error Analyzing System logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析PowerShell操作日志
try : try :
#EvtxDetection.multiprocess(powershellop_path_list,EvtxDetection.detect_events_powershell_operational_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(powershellop_path_list,EvtxDetection.detect_events_powershell_operational_log,input_timezone,timestart,timeend)
pwshop=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (powershellop_path_list,EvtxDetection.detect_events_powershell_operational_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) pwshop=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (powershellop_path_list,EvtxDetection.detect_events_powershell_operational_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -145,6 +182,8 @@ def evtxdetect_auto():
except Exception as e: except Exception as e:
print("Error Analyzing Powershell Operational logs ") print("Error Analyzing Powershell Operational logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析PowerShell日志
try : try :
#EvtxDetection.multiprocess(powershell_path_list,EvtxDetection.detect_events_powershell_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(powershell_path_list,EvtxDetection.detect_events_powershell_log,input_timezone,timestart,timeend)
pwsh=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (powershell_path_list,EvtxDetection.detect_events_powershell_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) pwsh=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (powershell_path_list,EvtxDetection.detect_events_powershell_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -156,6 +195,8 @@ def evtxdetect_auto():
except Exception as e: except Exception as e:
print("Error Analyzing Powershell logs ") print("Error Analyzing Powershell logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析Terminal Services LocalSessionManager日志
try : try :
#EvtxDetection.multiprocess(terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend)
terminal=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) terminal=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -167,6 +208,8 @@ def evtxdetect_auto():
except Exception as e: except Exception as e:
print("Error Analyzing TerminalServices LocalSessionManager logs") print("Error Analyzing TerminalServices LocalSessionManager logs")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析Terminal Services RDP Client远程桌面协议客户端的日志
try : try :
#EvtxDetection.multiprocess(terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(terminal_path_list,EvtxDetection.detect_events_TerminalServices_LocalSessionManager_log,input_timezone,timestart,timeend)
terminal_client=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (terminal_Client_path_list,EvtxDetection.detect_events_TerminalServices_RDPClient_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) terminal_client=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (terminal_Client_path_list,EvtxDetection.detect_events_TerminalServices_RDPClient_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -179,6 +222,7 @@ def evtxdetect_auto():
print("Error Analyzing TerminalServices RDP Client logs") print("Error Analyzing TerminalServices RDP Client logs")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析计划任务Scheduled Task的日志
try: try:
#EvtxDetection.multiprocess(scheduledtask_path_list,EvtxDetection.detect_events_scheduled_task_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(scheduledtask_path_list,EvtxDetection.detect_events_scheduled_task_log,input_timezone,timestart,timeend)
scheduled=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (scheduledtask_path_list,EvtxDetection.detect_events_scheduled_task_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) scheduled=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (scheduledtask_path_list,EvtxDetection.detect_events_scheduled_task_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
@ -191,24 +235,26 @@ def evtxdetect_auto():
print("Error Analyzing Scheduled Task logs ") print("Error Analyzing Scheduled Task logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析Windows Defender的日志
try: try:
#EvtxDetection.multiprocess(defender_path_list,EvtxDetection.detect_events_windows_defender_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(defender_path_list,EvtxDetection.detect_events_windows_defender_log,input_timezone,timestart,timeend)
defen=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (defender_path_list,EvtxDetection.detect_events_windows_defender_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) defen=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (defender_path_list,EvtxDetection.detect_events_windows_defender_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
defen.start() defen.start()
process_list.append(defen) process_list.append(defen)
except IOError : except IOError :
print("Error Analyzing Windows Defender logs : ", end='') print("Error Analyzing Windows Defender logs : ", end='')
print("File Path Does Not Exist") print("File Path Does Not Exist")
except Exception as e: except Exception as e:
print("Error Analyzing Windows Defender logs ") print("Error Analyzing Windows Defender logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析Windows远程管理WinRM的日志
try: try:
#EvtxDetection.multiprocess(winrm_path_list,EvtxDetection.detect_events_Microsoft_Windows_WinRM,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(winrm_path_list,EvtxDetection.detect_events_Microsoft_Windows_WinRM,input_timezone,timestart,timeend)
winrm=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (winrm_path_list,EvtxDetection.detect_events_Microsoft_Windows_WinRM,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) winrm=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (winrm_path_list,EvtxDetection.detect_events_Microsoft_Windows_WinRM,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
winrm.start() winrm.start()
process_list.append(winrm) process_list.append(winrm)
except IOError : except IOError :
print("Error Analyzing WinRM logs : ", end='') print("Error Analyzing WinRM logs : ", end='')
print("File Path Does Not Exist") print("File Path Does Not Exist")
@ -216,12 +262,12 @@ def evtxdetect_auto():
print("Error Analyzing WinRM logs ") print("Error Analyzing WinRM logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析Sysmon系统监控器的日志
try: try:
#EvtxDetection.multiprocess(sysmon_path_list,EvtxDetection.detect_events_Sysmon_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(sysmon_path_list,EvtxDetection.detect_events_Sysmon_log,input_timezone,timestart,timeend)
sysmon=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (sysmon_path_list,EvtxDetection.detect_events_Sysmon_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) sysmon=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (sysmon_path_list,EvtxDetection.detect_events_Sysmon_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
sysmon.start() sysmon.start()
process_list.append(sysmon) process_list.append(sysmon)
except IOError : except IOError :
print("Error Analyzing Sysmon logs ") print("Error Analyzing Sysmon logs ")
print("File Path Does Not Exist") print("File Path Does Not Exist")
@ -229,12 +275,12 @@ def evtxdetect_auto():
print("Error Analyzing Sysmon logs ") print("Error Analyzing Sysmon logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析组策略Group Policy日志
try: try:
#EvtxDetection.multiprocess(group_policy_path_list,EvtxDetection.detect_events_group_policy_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(group_policy_path_list,EvtxDetection.detect_events_group_policy_log,input_timezone,timestart,timeend)
gp=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (group_policy_path_list,EvtxDetection.detect_events_group_policy_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) gp=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (group_policy_path_list,EvtxDetection.detect_events_group_policy_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
gp.start() gp.start()
process_list.append(gp) process_list.append(gp)
except IOError : except IOError :
print("Error Analyzing Group Policy logs ") print("Error Analyzing Group Policy logs ")
print("File Path Does Not Exist") print("File Path Does Not Exist")
@ -242,12 +288,12 @@ def evtxdetect_auto():
# print("Error Analyzing Group Policy logs ") # print("Error Analyzing Group Policy logs ")
# logging.error(traceback.format_exc()) # logging.error(traceback.format_exc())
#类似上一个try块用于并行分析SMBServer Message Block服务器日志
try: try:
#EvtxDetection.multiprocess(SMB_SERVER_path_list,EvtxDetection.detect_events_SMB_Server_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(SMB_SERVER_path_list,EvtxDetection.detect_events_SMB_Server_log,input_timezone,timestart,timeend)
smbserv=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (SMB_SERVER_path_list,EvtxDetection.detect_events_SMB_Server_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) smbserv=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (SMB_SERVER_path_list,EvtxDetection.detect_events_SMB_Server_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
smbserv.start() smbserv.start()
process_list.append(smbserv) process_list.append(smbserv)
except IOError : except IOError :
print("Error Analyzing SMB Server logs ") print("Error Analyzing SMB Server logs ")
print("File Path Does Not Exist") print("File Path Does Not Exist")
@ -255,12 +301,12 @@ def evtxdetect_auto():
print("Error Analyzing Group Policy logs ") print("Error Analyzing Group Policy logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#类似上一个try块用于并行分析SMB客户端日志
try: try:
#EvtxDetection.multiprocess(SMB_CLIENT_path_list,EvtxDetection.detect_events_SMB_Client_log,input_timezone,timestart,timeend) #EvtxDetection.multiprocess(SMB_CLIENT_path_list,EvtxDetection.detect_events_SMB_Client_log,input_timezone,timestart,timeend)
smbcli=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (SMB_CLIENT_path_list,EvtxDetection.detect_events_SMB_Client_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir)) smbcli=multiprocessing.Process(target= EvtxDetection.multiprocess, args = (SMB_CLIENT_path_list,EvtxDetection.detect_events_SMB_Client_log,input_timezone,timestart,timeend,objectaccess,processexec,logons,frequencyanalysis,allreport,Output,CPU_Core,temp_dir))
smbcli.start() smbcli.start()
process_list.append(smbcli) process_list.append(smbcli)
except IOError : except IOError :
print("Error Analyzing SMB Client logs ") print("Error Analyzing SMB Client logs ")
print("File Path Does Not Exist") print("File Path Does Not Exist")
@ -268,6 +314,7 @@ def evtxdetect_auto():
print("Error Analyzing Group Policy logs ") print("Error Analyzing Group Policy logs ")
logging.error(traceback.format_exc()) logging.error(traceback.format_exc())
#使用了process.join()来等待所有子进程完成
for process in process_list: for process in process_list:
process.join() process.join()
print("preparing results") print("preparing results")
@ -305,43 +352,72 @@ def evtxdetect_auto():
Frequency_Analysis_Sysmon=EvtxDetection.Frequency_Analysis_Sysmon Frequency_Analysis_Sysmon=EvtxDetection.Frequency_Analysis_Sysmon
Frequency_Analysis_SMB_Server=EvtxDetection.Frequency_Analysis_SMB_Server Frequency_Analysis_SMB_Server=EvtxDetection.Frequency_Analysis_SMB_Server
Frequency_Analysis_TerminalServices=EvtxDetection.Frequency_Analysis_TerminalServices Frequency_Analysis_TerminalServices=EvtxDetection.Frequency_Analysis_TerminalServices
# 检查临时目录下是否存在名为"_User_SIDs_report.csv"的文件
if os.path.exists(temp_dir + "_User_SIDs_report.csv"): if os.path.exists(temp_dir + "_User_SIDs_report.csv"):
# 如果文件存在则读取该文件到pandas DataFrame中但随后将DataFrame转换为字典格式其中键是列名值是对应列的数据列表
# 注意原注释掉的代码是直接将CSV文件读取为DataFrame而当前代码是读取后转换为字典
#User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv")) #User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv"))
User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv")).to_dict(orient='list') User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv")).to_dict(orient='list')
else: else:
# 如果文件不存在,则打印一条消息说明文件不存在
# 注意这里的f-string用于格式化字符串将变量temp_dir的值插入到字符串中
print(f"{temp_dir + '_User_SIDs_report.csv'} does not exist.") print(f"{temp_dir + '_User_SIDs_report.csv'} does not exist.")
#User_SIDs = pd.DataFrame(User_SIDs) #User_SIDs = pd.DataFrame(User_SIDs)
#User_SIDs=EvtxDetection.User_SIDs #User_SIDs=EvtxDetection.User_SIDs
resolveSID() resolveSID()
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''———————————————————————————————————————————————————————————————————————————————————我是分割线————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
def auto_detect(path): def auto_detect(path):
global input_timezone global input_timezone
# 编译正则表达式用于匹配EventID, Channel, 和 Computer 标签的内容
EventID_rex = re.compile('<EventID.*>(.*)<\/EventID>', re.IGNORECASE) EventID_rex = re.compile('<EventID.*>(.*)<\/EventID>', re.IGNORECASE)
Channel_rex = re.compile('<Channel.*>(.*)<\/Channel>', re.IGNORECASE) Channel_rex = re.compile('<Channel.*>(.*)<\/Channel>', re.IGNORECASE)
Computer_rex = re.compile('<Computer.*>(.*)<\/Computer>', re.IGNORECASE) Computer_rex = re.compile('<Computer.*>(.*)<\/Computer>', re.IGNORECASE)
# 检查提供的路径是目录还是文件
if os.path.isdir(path): if os.path.isdir(path):
# 如果是目录使用libPath函数递归查找所有EVTX文件
files=list(libPath(path).rglob("*.[eE][vV][tT][xX]")) files=list(libPath(path).rglob("*.[eE][vV][tT][xX]"))
#files=glob.glob(path+"/**/"+"*.evtx") #files=glob.glob(path+"/**/"+"*.evtx")
elif os.path.isfile(path): elif os.path.isfile(path):
# 如果是文件,直接匹配该文件的路径
files=glob.glob(path) files=glob.glob(path)
else: else:
# 如果路径既不是目录也不是文件,则打印错误消息并返回
print("Issue with the path" ) print("Issue with the path" )
return return
#print("hunting ( %s ) in files ( %s )"%(str_regex,files)) #print("hunting ( %s ) in files ( %s )"%(str_regex,files))
#user_string = input('please enter a string to convert to regex: ') #user_string = input('please enter a string to convert to regex: ')
# 遍历找到的文件
for file in files: for file in files:
file=str(file) file=str(file)
print("Analyzing "+file) print("Analyzing "+file)
try: try:
# 尝试使用PyEvtxParser解析文件
parser = PyEvtxParser(file) parser = PyEvtxParser(file)
except: except:
# 如果解析文件时出错(例如文件损坏),则打印错误消息并继续下一个文件
print("Issue analyzing "+file +"\nplease check if its not corrupted") print("Issue analyzing "+file +"\nplease check if its not corrupted")
continue continue
try: try:
# 遍历解析器中的事件记录
for record in parser.records(): for record in parser.records():
# 使用正则表达式查找记录数据中的通道信息
Channel = Channel_rex.findall(record['data']) Channel = Channel_rex.findall(record['data'])
# 检查Channel列表是否非空并获取第一个元素通道名然后去除前后的空白字符
# 根据通道名将文件路径添加到相应的列表中
# 注意由于使用了break语句每个文件只会被添加到第一个匹配的列表中
if Channel[0].strip()=="Security": if Channel[0].strip()=="Security":
Security_path_list.append(file) Security_path_list.append(file)
break break
@ -389,8 +465,20 @@ def auto_detect(path):
break break
except: except:
# 捕获异常并打印错误消息
print("issue assigning path") print("issue assigning path")
evtxdetect_auto() evtxdetect_auto()
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''———————————————————————————————————————————————————————————————————————————————————我是分割线————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
def threat_hunt(path,str_regex,eid,hunt_file): def threat_hunt(path,str_regex,eid,hunt_file):
global timestart,timeend,input_timezone, Output global timestart,timeend,input_timezone, Output
import os import os
@ -399,15 +487,17 @@ def threat_hunt(path,str_regex,eid,hunt_file):
if 1==1: if 1==1:
if hunt_file is not None: if hunt_file is not None:
if os.path.isfile(hunt_file): if os.path.isfile(hunt_file):
print(regex_file) print(regex_file) # 这行打印一个空列表,可能是调试用的,可以移除
regex_file=open(hunt_file).read().split("\n") regex_file=open(hunt_file).read().split("\n")
regex_file.remove('') regex_file.remove('')# 读取文件并去除空行和首尾空白
print(regex_file) print(regex_file)
else: else:
print("Issue with the hunt file path" ) print("Issue with the hunt file path" )
return return
# 使用os.path.isdir和os.path.isfile检查路径
if os.path.isdir(path): if os.path.isdir(path):
files=list(libPath(path).rglob("*.[eE][vV][tT][xX]")) files=list(libPath(path).rglob("*.[eE][vV][tT][xX]"))# 确保libPath返回的是一个可以调用rglob的对象
elif os.path.isfile(path): elif os.path.isfile(path):
files=glob.glob(path) files=glob.glob(path)
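Review bot: The comment added at `regex_file.remove('')` says the code "reads the file and removes empty lines and leading/trailing whitespace", but that is not what the line does: `list.remove('')` deletes only the first empty string, strips nothing, and raises an uncaught `ValueError` when the hunt file does not end with a newline (then `split("\n")` produces no `''` entry at all); the surrounding `if 1==1:` has its `except` commented out, so the tool aborts. The `open(hunt_file).read()` on the line above also never closes the handle and relies on the platform default encoding. Rather than document the defect, fix it so the comment becomes true: `with open(hunt_file, encoding="utf-8") as fh:` / `regex_file = [ln.strip() for ln in fh if ln.strip()]`, which drops every blank line, strips whitespace and closes the file. Note that `threat_hunt` begins in the previous hunk and continues past this one, so the later `regex` assignment that can be left unbound when both `str_regex` and `regex_file` are empty is only partly visible here.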
@ -415,16 +505,29 @@ def threat_hunt(path,str_regex,eid,hunt_file):
print("Issue with the path" ) print("Issue with the path" )
return return
# 确定要使用的正则表达式列表
#user_string = input('please enter a string to convert to regex: ') #user_string = input('please enter a string to convert to regex: ')
if str_regex is not None: if str_regex is not None:
regex=[str_regex] regex=[str_regex]
elif str_regex is None and len(regex_file)>0: elif str_regex is None and len(regex_file)>0:# 如果str_regex为None且regex_file为空可能需要处理这种情况
regex=regex_file regex=regex_file
print("hunting ( %s ) in files ( %s )"%(regex,files)) print("hunting ( %s ) in files ( %s )"%(regex,files))
EvtxHunt.Evtx_hunt(files,regex,eid,input_timezone,Output,timestart,timeend) EvtxHunt.Evtx_hunt(files,regex,eid,input_timezone,Output,timestart,timeend)
#except Exception as e: #except Exception as e:
# print("Error in hunting module ") # print("Error in hunting module ")
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''———————————————————————————————————————————————————————————————————————————————————我是分割线————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
def report(): def report():
# 定义输出文件的名称
global Output,User_SIDs global Output,User_SIDs
timesketch=Output+"_TimeSketch.csv" timesketch=Output+"_TimeSketch.csv"
Report=Output+"_Report.xlsx" Report=Output+"_Report.xlsx"
@ -433,26 +536,32 @@ def report():
ProcessEvents=Output+"_Process_Execution_Events.csv" ProcessEvents=Output+"_Process_Execution_Events.csv"
Collected_SIDs=Output+"_Collected_SIDs.csv" Collected_SIDs=Output+"_Collected_SIDs.csv"
print("preparing report") print("preparing report")
# 读取用户SID报告
if os.path.exists(temp_dir + "_User_SIDs_report.csv"): if os.path.exists(temp_dir + "_User_SIDs_report.csv"):
User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv")) User_SIDs = pd.DataFrame(pd.read_csv(temp_dir + "_User_SIDs_report.csv"))
else: else:
print(f"{temp_dir + '_User_SIDs_report.csv'} does not exist.") print(f"{temp_dir + '_User_SIDs_report.csv'} does not exist.")
User_SIDs = pd.DataFrame(User_SIDs) User_SIDs = pd.DataFrame(User_SIDs)
# 读取Sysmon报告
if os.path.exists(temp_dir + "_Sysmon_report.csv"): if os.path.exists(temp_dir + "_Sysmon_report.csv"):
Sysmon = pd.DataFrame(pd.read_csv(temp_dir + "_Sysmon_report.csv")) Sysmon = pd.DataFrame(pd.read_csv(temp_dir + "_Sysmon_report.csv"))
else: else:
print(f"{temp_dir + '_Sysmon_report.csv'} does not exist.") print(f"{temp_dir + '_Sysmon_report.csv'} does not exist.")
Sysmon = pd.DataFrame(Sysmon_events[0]) Sysmon = pd.DataFrame(Sysmon_events[0])
# 读取系统报告
if os.path.exists(temp_dir + "_System_report.csv"): if os.path.exists(temp_dir + "_System_report.csv"):
System = pd.DataFrame(pd.read_csv(temp_dir + "_System_report.csv")) System = pd.DataFrame(pd.read_csv(temp_dir + "_System_report.csv"))
else: else:
print(f"{temp_dir + '_System_report.csv'} does not exist.") print(f"{temp_dir + '_System_report.csv'} does not exist.")
System = pd.DataFrame(System_events[0]) System = pd.DataFrame(System_events[0])
# 读取Powershell报告
if os.path.exists(temp_dir + "_Powershell_report.csv"): if os.path.exists(temp_dir + "_Powershell_report.csv"):
Powershell = pd.DataFrame(pd.read_csv(temp_dir + "_Powershell_report.csv")) Powershell = pd.DataFrame(pd.read_csv(temp_dir + "_Powershell_report.csv"))
else: else:
print(f"{temp_dir + '_Powershell_report.csv'} does not exist.") print(f"{temp_dir + '_Powershell_report.csv'} does not exist.")
Powershell = pd.DataFrame(Powershell_events[0]) Powershell = pd.DataFrame(Powershell_events[0])
# 以下连续的if-else代码块均实现类似功能读取某指定报告
if os.path.exists(temp_dir + "_Powershell_Operational_report.csv"): if os.path.exists(temp_dir + "_Powershell_Operational_report.csv"):
Powershell_Operational = pd.DataFrame(pd.read_csv(temp_dir + "_Powershell_Operational_report.csv")) Powershell_Operational = pd.DataFrame(pd.read_csv(temp_dir + "_Powershell_Operational_report.csv"))
else: else:
@ -588,33 +697,47 @@ def report():
#Object_Access_Events_pd=pd.DataFrame(Object_Access_Events[0]) #Object_Access_Events_pd=pd.DataFrame(Object_Access_Events[0])
#ExecutedProcess_Events_pd=pd.DataFrame(Executed_Process_Events[0]) #ExecutedProcess_Events_pd=pd.DataFrame(Executed_Process_Events[0])
# allresults=pd.DataFrame([TerminalServices,Powershell_Operational],columns=['Date and Time', 'Detection Rule','Detection Domain','Severity','Event Description','Event ID','Original Event Log']) # allresults=pd.DataFrame([TerminalServices,Powershell_Operational],columns=['Date and Time', 'Detection Rule','Detection Domain','Severity','Event Description','Event ID','Original Event Log'])
# 将多个DataFrameScheduledTask, Powershell_Operational, Sysmon, 等合并为一个DataFrame使用内连接inner join并忽略原索引
allresults = pd.concat( allresults = pd.concat(
[ScheduledTask, Powershell_Operational, Sysmon, System, Powershell, Security,TerminalClient, TerminalServices, WinRM, [ScheduledTask, Powershell_Operational, Sysmon, System, Powershell, Security,TerminalClient, TerminalServices, WinRM,
Windows_Defender,GroupPolicy,SMBServer,SMBClient], join="inner", ignore_index=True) Windows_Defender,GroupPolicy,SMBServer,SMBClient], join="inner", ignore_index=True)
# 重命名DataFrame中的两列将'Date and Time'改为'datetime''Detection Rule'改为'message'
allresults = allresults.rename(columns={'Date and Time': 'datetime', 'Detection Rule': 'message'}) allresults = allresults.rename(columns={'Date and Time': 'datetime', 'Detection Rule': 'message'})
# 在DataFrame中新增一个名为'timestamp_desc'的列,其初始值设为空字符串
allresults['timestamp_desc'] = "" allresults['timestamp_desc'] = ""
# 重新排序DataFrame的列按照指定的顺序排列
allresults = allresults[ allresults = allresults[
['message','timestamp', 'datetime', 'timestamp_desc', 'Detection Domain', 'Severity', 'Event Description', 'Event ID', ['message','timestamp', 'datetime', 'timestamp_desc', 'Detection Domain', 'Severity', 'Event Description', 'Event ID',
'Original Event Log','Computer Name','Channel']] 'Original Event Log','Computer Name','Channel']]
# 计算'Severity'列中每个不同值的出现次数并将结果存储在新的DataFrame中重命名列为'Severity'和'Counts'
Result_Summary_Severity=allresults["Severity"].value_counts().reset_index() Result_Summary_Severity=allresults["Severity"].value_counts().reset_index()
Result_Summary_Severity.columns = ['Severity', 'Counts'] Result_Summary_Severity.columns = ['Severity', 'Counts']
# 计算'message'列中每个不同值的出现次数并将结果存储在新的DataFrame中重命名列为'Detection'和'Counts'
Result_Summary_Detections=allresults["message"].value_counts().reset_index() Result_Summary_Detections=allresults["message"].value_counts().reset_index()
Result_Summary_Detections.columns = ['Detection', 'Counts'] Result_Summary_Detections.columns = ['Detection', 'Counts']
# 将allresults DataFrame保存到CSV文件中文件名由timesketch变量指定不保存索引
allresults.to_csv(timesketch, index=False) allresults.to_csv(timesketch, index=False)
# 将User_SIDs DataFrame保存到CSV文件中文件名由Collected_SIDs变量指定不保存索引
User_SIDs.to_csv(Collected_SIDs, index=False) User_SIDs.to_csv(Collected_SIDs, index=False)
# 打印信息表明Time Sketch报告已保存文件名由timesketch变量指定
print("Time Sketch Report saved as "+timesketch) print("Time Sketch Report saved as "+timesketch)
#Logon_Events_pd.to_csv(LogonEvents, index=False) #Logon_Events_pd.to_csv(LogonEvents, index=False)
# 如果logons为True或者allreport为True则打印信息表明Logon事件报告已保存文件名由LogonEvents变量指定
if (logons==True or allreport==True): if (logons==True or allreport==True):
print("Logon Events Report saved as "+LogonEvents) print("Logon Events Report saved as "+LogonEvents)
#Object_Access_Events_pd.to_csv(ObjectAccess, index=False) #Object_Access_Events_pd.to_csv(ObjectAccess, index=False)
# 如果objectaccess为True或者allreport为True则打印信息表明对象访问事件报告已保存文件名由ObjectAccess变量指定
if (objectaccess==True or allreport==True): if (objectaccess==True or allreport==True):
print("Object Access Events Report saved as "+ObjectAccess) print("Object Access Events Report saved as "+ObjectAccess)
#ExecutedProcess_Events_pd.to_csv(ProcessEvents, index=False) #ExecutedProcess_Events_pd.to_csv(ProcessEvents, index=False)
# 如果processexec为True或者allreport为True则打印信息表明进程执行事件报告已保存文件名由ProcessEvents变量指定
if (processexec==True or allreport==True): if (processexec==True or allreport==True):
print("Process Execution Events Report saved as "+ProcessEvents) print("Process Execution Events Report saved as "+ProcessEvents)
# Sysmon=Sysmon.reset_index() # Sysmon=Sysmon.reset_index()
# Sysmon=Sysmon.drop(['index'],axis=1) # Sysmon=Sysmon.drop(['index'],axis=1)
#写表格
writer = pd.ExcelWriter(Report, engine='xlsxwriter', engine_kwargs={'options':{'encoding': 'utf-8'}}) writer = pd.ExcelWriter(Report, engine='xlsxwriter', engine_kwargs={'options':{'encoding': 'utf-8'}})
Result_Summary_Severity.to_excel(writer, sheet_name='Result Summary', index=False) Result_Summary_Severity.to_excel(writer, sheet_name='Result Summary', index=False)
Result_Summary_Detections.to_excel(writer, sheet_name='Result Summary' , startrow=len(Result_Summary_Severity)+3, index=False) Result_Summary_Detections.to_excel(writer, sheet_name='Result Summary' , startrow=len(Result_Summary_Severity)+3, index=False)
@ -677,37 +800,65 @@ def report():
print("Detection Summary :\n############################################\nNumber of incidents by Severity:\n"+allresults["Severity"].value_counts().to_string()+"\n############################################\nNumber of incidents by Detection Rule:\n"+allresults["message"].value_counts().to_string()+"\n\n") print("Detection Summary :\n############################################\nNumber of incidents by Severity:\n"+allresults["Severity"].value_counts().to_string()+"\n############################################\nNumber of incidents by Detection Rule:\n"+allresults["message"].value_counts().to_string()+"\n\n")
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''———————————————————————————————————————————————————————————————————————————————————我是分割线————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
'''————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————'''
def convert_list(): def convert_list():
# 使用global关键字声明一系列全局变量
global timestart,timeend,User_SIDs,SMB_Server_events,SMB_Client_events,TerminalServices_RDPClient_events,Executed_Process_Events,Group_Policy_events,Object_Access_Events,input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary,Executed_Powershell_Summary global timestart,timeend,User_SIDs,SMB_Server_events,SMB_Client_events,TerminalServices_RDPClient_events,Executed_Process_Events,Group_Policy_events,Object_Access_Events,input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary,Executed_Powershell_Summary
# 创建一个名为Results的列表其中包含了多个全局变量
Results=[Executed_Powershell_Summary,SMB_Server_events,User_SIDs,SMB_Client_events,TerminalServices_RDPClient_events,Executed_Process_Events,Group_Policy_events,Object_Access_Events,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,TerminalServices_Summary,Security_Authentication_Summary Results=[Executed_Powershell_Summary,SMB_Server_events,User_SIDs,SMB_Client_events,TerminalServices_RDPClient_events,Executed_Process_Events,Group_Policy_events,Object_Access_Events,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,TerminalServices_Summary,Security_Authentication_Summary
] ]
# 遍历Results列表中的每个元素
for result in Results: for result in Results:
# 将result[0]的元素中的每个值转换为列表
for i in result[0]: for i in result[0]:
result[0][i]=list(result[0][i]) result[0][i]=list(result[0][i])
def resolveSID(): def resolveSID():
global TerminalServices_RDPClient_events,WinRM_events,User_SIDs,RDPClient_Resolved_User,WinRM_Resolved_User global TerminalServices_RDPClient_events,WinRM_events,User_SIDs,RDPClient_Resolved_User,WinRM_Resolved_User
# 检查名为_WinRM_events_report.csv的文件是否存在于指定的临时目录temp_dir
if os.path.exists(temp_dir + "_WinRM_events_report.csv"): if os.path.exists(temp_dir + "_WinRM_events_report.csv"):
# 如果文件存在读取CSV文件内容到DataFrame然后将DataFrame转换为字典列表形式并赋值给WinRM_events[0]
WinRM_events[0] = pd.DataFrame(pd.read_csv(temp_dir + "_WinRM_events_report.csv")).to_dict(orient='list') WinRM_events[0] = pd.DataFrame(pd.read_csv(temp_dir + "_WinRM_events_report.csv")).to_dict(orient='list')
# 检查名为_TerminalServices_RDPClient_report.csv的文件是否存在于指定的临时目录temp_dir
if os.path.exists(temp_dir + "_TerminalServices_RDPClient_report.csv"): if os.path.exists(temp_dir + "_TerminalServices_RDPClient_report.csv"):
# 如果文件存在读取CSV文件内容到DataFrame然后将DataFrame转换为字典列表形式并赋值给TerminalServices_RDPClient_events[0]
TerminalServices_RDPClient_events[0] = pd.DataFrame(pd.read_csv(temp_dir + "_TerminalServices_RDPClient_report.csv")).to_dict(orient='list') TerminalServices_RDPClient_events[0] = pd.DataFrame(pd.read_csv(temp_dir + "_TerminalServices_RDPClient_report.csv")).to_dict(orient='list')
# 初始化RDPClient_Resolved_User列表用于存储解析后的用户信息
RDPClient_Resolved_User=[] RDPClient_Resolved_User=[]
# 初始化WinRM_Resolved_User列表用于存储解析后的用户信息
WinRM_Resolved_User=[] WinRM_Resolved_User=[]
# 遍历TerminalServices_RDPClient_events[0]字典中"UserID"键对应的值SID列表
for SID in TerminalServices_RDPClient_events[0]["UserID"]: for SID in TerminalServices_RDPClient_events[0]["UserID"]:
# 检查当前SID是否存在于User_SIDs字典的"SID"键对应的值中
if SID in User_SIDs["SID"]: if SID in User_SIDs["SID"]:
# 如果存在找到对应的用户名称并添加到RDPClient_Resolved_User列表中
RDPClient_Resolved_User.append(User_SIDs["User"][User_SIDs["SID"].index(SID)]) RDPClient_Resolved_User.append(User_SIDs["User"][User_SIDs["SID"].index(SID)])
else: else:
# 如果不存在,将"Could not be resolved"添加到RDPClient_Resolved_User列表中
RDPClient_Resolved_User.append("Could not be resolved") RDPClient_Resolved_User.append("Could not be resolved")
# 遍历WinRM_events[0]字典中"UserID"键对应的值SID列表
for SID in WinRM_events[0]["UserID"]: for SID in WinRM_events[0]["UserID"]:
# 检查当前SID是否存在于User_SIDs字典的"SID"键对应的值中
if SID in User_SIDs["SID"]: if SID in User_SIDs["SID"]:
# 如果存在找到对应的用户名称并添加到WinRM_Resolved_User列表中
WinRM_Resolved_User.append(User_SIDs["User"][User_SIDs["SID"].index(SID)]) WinRM_Resolved_User.append(User_SIDs["User"][User_SIDs["SID"].index(SID)])
else: else:
# 如果不存在,将"Could not be resolved"添加到WinRM_Resolved_User列表中
WinRM_Resolved_User.append("Could not be resolved") WinRM_Resolved_User.append("Could not be resolved")
#print("user sid"+str(User_SIDs["SID"])) #print("user sid"+str(User_SIDs["SID"]))
#print("RDPCLient : "+str(RDPClient_Resolved_User)) #print("RDPCLient : "+str(RDPClient_Resolved_User))
#print("WinRM : " + str(WinRM_Resolved_User)) #print("WinRM : " + str(WinRM_Resolved_User))
#创建临时路径
def create_temp_dir(): def create_temp_dir():
global temp_dir global temp_dir
@ -719,6 +870,7 @@ def create_temp_dir():
else: else:
print(f"{temp_dir} already exists") print(f"{temp_dir} already exists")
#创建输出路径
def create_out_dir(output): def create_out_dir(output):
global temp_dir global temp_dir
@ -733,6 +885,7 @@ def create_out_dir(output):
return output+"/"+output return output+"/"+output
#清除临时路径
def clean_temp_dir(): def clean_temp_dir():
global temp_dir global temp_dir
if os.path.exists(temp_dir): if os.path.exists(temp_dir):
@ -743,10 +896,13 @@ def clean_temp_dir():
os.rmdir(os.path.join(root, name)) os.rmdir(os.path.join(root, name))
os.rmdir(temp_dir) os.rmdir(temp_dir)
def main(): def main():
# 记录程序开始执行的时间
tic = time.time() tic = time.time()
print(Banner) print(Banner)
global CPU_Core,timestart,timeend,Output,objectaccess,Path,processexec,logons,frequencyanalysis,Security_path,system_path,scheduledtask_path,defender_path,powershell_path,powershellop_path,terminal_path,winrm_path,sysmon_path,input_timezone,objectaccess,processexec,logons,frequencyanalysis,allreport global CPU_Core,timestart,timeend,Output,objectaccess,Path,processexec,logons,frequencyanalysis,Security_path,system_path,scheduledtask_path,defender_path,powershell_path,powershellop_path,terminal_path,winrm_path,sysmon_path,input_timezone,objectaccess,processexec,logons,frequencyanalysis,allreport
# 创建命令行参数解析器
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("-p","--path", help="path to folder containing windows event logs , APT-Hunter will detect each log type automatically") parser.add_argument("-p","--path", help="path to folder containing windows event logs , APT-Hunter will detect each log type automatically")
parser.add_argument("-o", "--out",help="output file name") parser.add_argument("-o", "--out",help="output file name")
@ -767,10 +923,12 @@ def main():
parser.add_argument("-rules","--rules", help="path to sigma rules in json format") parser.add_argument("-rules","--rules", help="path to sigma rules in json format")
#parser.add_argument("-evtfreq","--evtfreq", help="Produce event ID frequency analysis report",action='store_true') #parser.add_argument("-evtfreq","--evtfreq", help="Produce event ID frequency analysis report",action='store_true')
parser.add_argument("-cores","--cores", help="cpu cores to be used in multiprocessing , default is half the number of availble CPU cores") parser.add_argument("-cores","--cores", help="cpu cores to be used in multiprocessing , default is half the number of availble CPU cores")
# 解析命令行参数
args = parser.parse_args() args = parser.parse_args()
# 如果指定了输出文件名,则创建输出目录
if args.out is not None: if args.out is not None:
Output=create_out_dir(args.out) Output=create_out_dir(args.out)
# 如果没有指定日志路径,则打印错误信息并退出
if (args.path is None ):# and args.security is None and args.system is None and args.scheduledtask is None and args.defender is None and args.powershell is None and args.powershellop is None and args.terminal is None and args.winrm is None and args.sysmon is None): if (args.path is None ):# and args.security is None and args.system is None and args.scheduledtask is None and args.defender is None and args.powershell is None and args.powershellop is None and args.terminal is None and args.winrm is None and args.sysmon is None):
print("You didn't specify a path for the logs \nuse --help to print help message") print("You didn't specify a path for the logs \nuse --help to print help message")
exit() exit()
@ -787,6 +945,7 @@ def main():
allreport=args.allreport allreport=args.allreport
CPU_Core=0 CPU_Core=0
#print(f"all reports value : {allreport}\nlogons value {logons}") #print(f"all reports value : {allreport}\nlogons value {logons}")
# 尝试解析开始和结束时间,如果格式不正确,则打印错误信息并退出
try: try:
if args.start is not None and args.end is not None: if args.start is not None and args.end is not None:
timestart=datetime.timestamp(dateutil.parser.isoparse(args.start)) timestart=datetime.timestamp(dateutil.parser.isoparse(args.start))
@ -794,18 +953,20 @@ def main():
except: except:
print("Error parsing time , please use ISO format with timestart and timeend Ex: (2022-04-03T20:56+04:00 or 2022-04-03T20:56 or 2022-04-03 20:56 or 2022-04-03)") print("Error parsing time , please use ISO format with timestart and timeend Ex: (2022-04-03T20:56+04:00 or 2022-04-03T20:56 or 2022-04-03 20:56 or 2022-04-03)")
exit() exit()
# 根据命令行参数设置时区
if args.timezone is not None: if args.timezone is not None:
if args.timezone.lower()=="local": if args.timezone.lower()=="local":
input_timezone=tz.tzlocal() input_timezone=tz.tzlocal()
else: else:
input_timezone=timezone(args.timezone) input_timezone=timezone(args.timezone)
# 根据命令行参数设置CPU核心数如果格式不正确则打印错误信息并退出
if args.cores is not None: if args.cores is not None:
try: try:
CPU_Core=int(args.cores) CPU_Core=int(args.cores)
except: except:
print(f"Error using supplied CPU cores {args.cores}") print(f"Error using supplied CPU cores {args.cores}")
exit(0) exit(0)
# 如果启用了Sigma模块则执行Sigma分析
if args.sigma is not False: if args.sigma is not False:
if args.rules is not None: if args.rules is not None:
SigmaHunter.Sigma_Analyze(Path,args.rules,Output) SigmaHunter.Sigma_Analyze(Path,args.rules,Output)
@ -814,6 +975,7 @@ def main():
toc = time.time() toc = time.time()
print('Done in {:.4f} seconds'.format(toc-tic)) print('Done in {:.4f} seconds'.format(toc-tic))
return return
# 如果指定了搜索字符串或正则表达式,则执行威胁搜索
if args.hunt is not None: if args.hunt is not None:
if args.eid is not None: if args.eid is not None:
threat_hunt(Path,args.hunt,args.eid,None) threat_hunt(Path,args.hunt,args.eid,None)
@ -822,6 +984,7 @@ def main():
toc = time.time() toc = time.time()
print('Done in {:.4f} seconds'.format(toc-tic)) print('Done in {:.4f} seconds'.format(toc-tic))
return return
# 如果启用了Office 365日志搜索则执行Office 365分析
if args.o365hunt is not False: if args.o365hunt is not False:
if args.o365rules is not None: if args.o365rules is not None:
O365Hunter.analyzeoff365(Path, args.o365rules,Output,input_timezone,args.o365raw) O365Hunter.analyzeoff365(Path, args.o365rules,Output,input_timezone,args.o365raw)
@ -830,6 +993,7 @@ def main():
#toc = time.time() #toc = time.time()
#print('Done in {:.4f} seconds'.format(toc-tic)) #print('Done in {:.4f} seconds'.format(toc-tic))
return return
# 如果指定了搜索文件,则根据文件中的字符串或正则表达式执行威胁搜索
if args.hunt is None and args.huntfile is not None: if args.hunt is None and args.huntfile is not None:
if args.eid is not None: if args.eid is not None:
threat_hunt(Path,None,args.eid,args.huntfile) threat_hunt(Path,None,args.eid,args.huntfile)
@ -839,7 +1003,7 @@ def main():
print('Done in {:.4f} seconds'.format(toc-tic)) print('Done in {:.4f} seconds'.format(toc-tic))
return return
# 如果没有指定特定的搜索或分析类型,则自动检测日志类型并生成报告
#if args.type is None or args.type=="evtx": #if args.type is None or args.type=="evtx":
try: try:
create_temp_dir() create_temp_dir()
@ -852,6 +1016,7 @@ def main():
clean_temp_dir() clean_temp_dir()
toc = time.time() toc = time.time()
# 打印程序执行完毕的时间
print('Analysis finished in {:.4f} seconds'.format(toc-tic)) print('Analysis finished in {:.4f} seconds'.format(toc-tic))
return return

@ -58,6 +58,7 @@ Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[
def evtxdetect(): def evtxdetect():
#指定提取各种evtx日志文件
global input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary global input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary
try: try:
print(Security_path) print(Security_path)
@ -152,6 +153,7 @@ def evtxdetect():
Logon_Events =EvtxDetection.Logon_Events Logon_Events =EvtxDetection.Logon_Events
def csvdetect(winevent): def csvdetect(winevent):
#指定提取各种csv日志文件
global Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary global Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary
try: try:
#print(Security_path,winevent) #print(Security_path,winevent)
@ -245,6 +247,7 @@ def csvdetect(winevent):
Security_Authentication_Summary =CSVDetection.Security_Authentication_Summary Security_Authentication_Summary =CSVDetection.Security_Authentication_Summary
def evtxdetect_auto(): def evtxdetect_auto():
#自动提取各种evtx日志文件
global input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary global input_timezone,Logon_Events,Executed_Process_Summary,TerminalServices_Summary,Security_Authentication_Summary,Sysmon_events,WinRM_events,Security_events,System_events,ScheduledTask_events,Powershell_events,Powershell_Operational_events,TerminalServices_events,Windows_Defender_events,Timesketch_events,TerminalServices_Summary,Security_Authentication_Summary
try: try:
#print(Security_path) #print(Security_path)
@ -340,6 +343,7 @@ def evtxdetect_auto():
def auto_detect(path): def auto_detect(path):
#自动提取所有日志文件
global input_timezone global input_timezone
EventID_rex = re.compile('<EventID.*>(.*)<\/EventID>', re.IGNORECASE) EventID_rex = re.compile('<EventID.*>(.*)<\/EventID>', re.IGNORECASE)
Channel_rex = re.compile('<Channel.*>(.*)<\/Channel>', re.IGNORECASE) Channel_rex = re.compile('<Channel.*>(.*)<\/Channel>', re.IGNORECASE)
@ -398,6 +402,7 @@ def auto_detect(path):
print("issue assigning path") print("issue assigning path")
evtxdetect_auto() evtxdetect_auto()
def threat_hunt(path,str_regex): def threat_hunt(path,str_regex):
#威胁分析
global input_timezone, Output global input_timezone, Output
import os import os
@ -414,6 +419,7 @@ def threat_hunt(path,str_regex):
EvtxHunt.Evtx_hunt(files,str_regex,input_timezone,Output) EvtxHunt.Evtx_hunt(files,str_regex,input_timezone,Output)
def report(): def report():
#报告生成
global Output global Output
timesketch=Output+"_TimeSketch.csv" timesketch=Output+"_TimeSketch.csv"
Report=Output+"_Report.xlsx" Report=Output+"_Report.xlsx"
@ -467,6 +473,7 @@ def report():
def main(): def main():
print(Banner) print(Banner)
global Output,Path,Security_path,system_path,scheduledtask_path,defender_path,powershell_path,powershellop_path,terminal_path,winrm_path,sysmon_path,input_timezone global Output,Path,Security_path,system_path,scheduledtask_path,defender_path,powershell_path,powershellop_path,terminal_path,winrm_path,sysmon_path,input_timezone
# 创建命令行参数解析器
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("-p","--path", help="path to folder containing windows event logs generated by the powershell log collector") parser.add_argument("-p","--path", help="path to folder containing windows event logs generated by the powershell log collector")
parser.add_argument("-o", "--out", parser.add_argument("-o", "--out",
@ -552,6 +559,4 @@ def main():
if args.type=="csv": if args.type=="csv":
csvdetect(True) csvdetect(True)
report() report()
main() main()
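Review bot: The two regex literals left as context in the auto_detect hunk (`EventID_rex`, `Channel_rex`) are non-raw strings containing `\/`, which Python treats as an invalid escape sequence (DeprecationWarning, and a SyntaxWarning on 3.12+); since this pass touched the function anyway, they should become `EventID_rex = re.compile(r'<EventID.*>(.*)</EventID>', re.IGNORECASE)` and `Channel_rex = re.compile(r'<Channel.*>(.*)</Channel>', re.IGNORECASE)`. The added notes such as `#指定提取各种evtx日志文件` sit between the `def` line and the `global` statement as plain comments, so they are invisible to `help()` and `__doc__`; a one-line docstring in the same position, e.g. `"""Process the explicitly specified evtx log files."""`, would carry the same information and be discoverable. Every function in this section starts or continues outside its hunk.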

@ -1,15 +1,24 @@
#!/bin/bash #!/bin/bash
# 检查脚本是否只有一个参数输入
if [ "$#" -ne 1 ]; then if [ "$#" -ne 1 ]; then
echo "Please enter rules path as argument " echo "Please enter rules path as argument "
exit 1 exit 1
fi fi
# 输出正在克隆Sigma转换工具的信息
echo "Getting Sigma Converter Toot" echo "Getting Sigma Converter Toot"
# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
git clone https://github.com/SigmaHQ/legacy-sigmatools.git git clone https://github.com/SigmaHQ/legacy-sigmatools.git
# 输出正在转换sigma规则的信息
echo "Converting sigma rules " echo "Converting sigma rules "
# 执行Sigma转换工具将sigma规则文件转换为json格式
# --recurse: 递归处理指定目录下的所有规则文件
# --target sqlite: 指定转换的目标格式为sqlite
# --backend-option table=Events: 指定输出的表名为Events
# -d $1: 指定sigma规则文件的目录为脚本的第一个参数
# -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径
# -o rules.json: 指定输出文件名为rules.json
# --output-fields: 指定输出的字段内容
legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d $1 -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d $1 -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status
# 输出转换完成的信息,包括生成的文件名
echo "Rules created with file name : rules.json " echo "Rules created with file name : rules.json "
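Review bot: `-d $1` on the sigmac line is unquoted, so a rules path containing spaces or glob characters is split or expanded before sigmac sees it; it should be `-d "$1"`. The script also has no failure handling, so if the `git clone` fails (for instance because `legacy-sigmatools` already exists from a previous run) the sigmac invocation still executes against whatever is on disk; `set -euo pipefail` after the shebang would stop at the first error. The clone fetches and immediately executes the default branch of legacy-sigmatools, so the converted rules depend on the state of that branch at run time; pinning with `git clone --branch <tag-or-commit> ...` (placeholder) would make the conversion reproducible. The echoed text `Getting Sigma Converter Toot` looks like a typo for `Tool`.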

@ -1,11 +1,23 @@
#!/bin/bash #!/bin/bash
# 输出转换完成的信息,包括生成的文件名
echo "Getting Sigma Converter Toot" echo "Getting Sigma Converter Toot"
# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
git clone https://github.com/SigmaHQ/legacy-sigmatools.git git clone https://github.com/SigmaHQ/legacy-sigmatools.git
# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
echo "Getting Sigma Rules" echo "Getting Sigma Rules"
# 使用git克隆SigmaHQ的legacy-sigmatools仓库到当前目录
git clone https://github.com/SigmaHQ/sigma.git git clone https://github.com/SigmaHQ/sigma.git
# 输出正在转换sigma规则的信息
echo "Converting sigma rules " echo "Converting sigma rules "
# 执行Sigma转换工具将sigma规则文件转换为json格式
# --recurse: 递归处理指定目录下的所有规则文件
# --target sqlite: 指定转换的目标格式为sqlite
# --backend-option table=Events: 指定输出的表名为Events
# -d sigma/rules/windows/: 指定sigma规则文件的目录为sigma仓库中的windows规则目录
# -c lib/config/sigma-converter-rules-config.yml: 指定配置文件路径
# -o rules.json: 指定输出文件名为rules.json
# --output-fields: 指定输出的字段内容
legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d sigma/rules/windows/ -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status legacy-sigmatools/tools/sigmac --recurse --target sqlite --backend-option table=Events --output-format json -d sigma/rules/windows/ -c lib/config/sigma-converter-rules-config.yml -o rules.json --output-fields title,id,description,author,tags,level,falsepositives,filename,status
# 输出转换完成的信息,包括生成的文件名
echo "Rules created with file name : rules.json " echo "Rules created with file name : rules.json "
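Review bot: Three of the added comments describe a different line than the one they annotate: `# 输出转换完成的信息,包括生成的文件名` (conversion finished) sits above `echo "Getting Sigma Converter Toot"`, and the legacy-sigmatools clone comment is repeated above both `echo "Getting Sigma Rules"` and `git clone https://github.com/SigmaHQ/sigma.git`, which fetches the Sigma rules repository, not the converter. These read as copy-paste leftovers and should say what each line does, e.g. `# Announce that the Sigma converter tool is being fetched`, `# Announce that the Sigma rules are being fetched`, and `# Clone the SigmaHQ/sigma repository that holds the rules`. Both `git clone` calls are unpinned and the script has no `set -e`, so a failed or stale clone still reaches the sigmac line; `set -euo pipefail` plus `--branch <tag-or-commit>` (placeholder) on each clone would make the run fail fast and reproducible.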

@ -1,4 +1,6 @@
[ {
"description": "此 JSON 文件包含与 O365 安全检测相关的规则,每条规则包括名称、严重性等级和查询语句。",
"rules": [
{ {
"name": "Suspicious User Agent", "name": "Suspicious User Agent",
"severity": "High", "severity": "High",
@ -94,6 +96,5 @@
"severity": "High", "severity": "High",
"query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) " "query": "SELECT * FROM events WHERE ( Operation LIKE '%Disable Strong Authentication.%' ) "
} }
] ]
}
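Review bot: Wrapping the rule list in an object changes the file's top-level JSON type from an array to an object, so any loader that iterates the parsed document directly (`for rule in json.load(f)`) now yields the keys `description` and `rules` instead of rule objects and will fail when it reads `rule["query"]`. The reader of this file (O365Hunter appears to be the consumer, but it is not part of this diff) must be changed to read `data["rules"]` in the same commit, or the wrapper should be dropped and the description kept outside the rules file. The second hunk (`@ -94,6 +96,5 @@`) is the closing half of the same structural change.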

@ -8,87 +8,134 @@ minlength=1000
account_op={} account_op={}
PasswordSpray={} PasswordSpray={}
# 定义可疑的可执行文件列表
Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe'] Suspicious_executables=['pl.exe','nc.exe','nmap.exe','psexec.exe','plink.exe','mimikatz','procdump.exe',' dcom.exe',' Inveigh.exe',' LockLess.exe',' Logger.exe',' PBind.exe',' PS.exe',' Rubeus.exe',' RunasCs.exe',' RunAs.exe',' SafetyDump.exe',' SafetyKatz.exe',' Seatbelt.exe',' SExec.exe',' SharpApplocker.exe',' SharpChrome.exe',' SharpCOM.exe',' SharpDPAPI.exe',' SharpDump.exe',' SharpEdge.exe',' SharpEDRChecker.exe',' SharPersist.exe',' SharpHound.exe',' SharpLogger.exe',' SharpPrinter.exe',' SharpRoast.exe',' SharpSC.exe',' SharpSniper.exe',' SharpSocks.exe',' SharpSSDP.exe',' SharpTask.exe',' SharpUp.exe',' SharpView.exe',' SharpWeb.exe',' SharpWMI.exe',' Shhmon.exe',' SweetPotato.exe',' Watson.exe',' WExec.exe','7zip.exe']
# 定义可疑的 PowerShell 命令列表
Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','DownloadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Do
wnload_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden'] Suspicious_powershell_commands=['Get-WMIObject','Get-GPPPassword','Get-Keystrokes','Get-TimedScreenshot','Get-VaultCredential','Get-ServiceUnquoted','Get-ServiceEXEPerms','Get-ServicePerms','Get-RegAlwaysInstallElevated','Get-RegAutoLogon','Get-UnattendedInstallFiles','Get-Webconfig','Get-ApplicationHost','Get-PassHashes','Get-LsaSecret','Get-Information','Get-PSADForestInfo','Get-KerberosPolicy','Get-PSADForestKRBTGTInfo','Get-PSADForestInfo','Get-KerberosPolicy','Invoke-Command','Invoke-Expression','iex','Invoke-Shellcode','Invoke--Shellcode','Invoke-ShellcodeMSIL','Invoke-MimikatzWDigestDowngrade','Invoke-NinjaCopy','Invoke-CredentialInjection','Invoke-TokenManipulation','Invoke-CallbackIEX','Invoke-PSInject','Invoke-DllEncode','Invoke-ServiceUserAdd','Invoke-ServiceCMD','Invoke-ServiceStart','Invoke-ServiceStop','Invoke-ServiceEnable','Invoke-ServiceDisable','Invoke-FindDLLHijack','Invoke-FindPathHijack','Invoke-AllChecks','Invoke-MassCommand','Invoke-MassMimikatz','Invoke-MassSearch','Invoke-MassTemplate','Invoke-MassTokens','Invoke-ADSBackdoor','Invoke-CredentialsPhish','Invoke-BruteForce','Invoke-PowerShellIcmp','Invoke-PowerShellUdp','Invoke-PsGcatAgent','Invoke-PoshRatHttps','Invoke-PowerShellTcp','Invoke-PoshRatHttp','Invoke-PowerShellWmi','Invoke-PSGcat','Invoke-Encode','Invoke-Decode','Invoke-CreateCertificate','Invoke-NetworkRelay','EncodedCommand','New-ElevatedPersistenceOption','wsman','Enter-PSSession','Downl
oadString','DownloadFile','Out-Word','Out-Excel','Out-Java','Out-Shortcut','Out-CHM','Out-HTA','Out-Minidump','HTTP-Backdoor','Find-AVSignature','DllInjection','ReflectivePEInjection','Base64','System.Reflection','System.Management','Restore-ServiceEXE','Add-ScrnSaveBackdoor','Gupt-Backdoor','Execute-OnTime','DNS_TXT_Pwnage','Write-UserAddServiceBinary','Write-CMDServiceBinary','Write-UserAddMSI','Write-ServiceEXE','Write-ServiceEXECMD','Enable-DuplicateToken','Remove-Update','Execute-DNSTXT-Code','Download-Execute-PS','Execute-Command-MSSQL','Download_Execute','Copy-VSS','Check-VM','Create-MultipleSessions','Run-EXEonRemote','Port-Scan','Remove-PoshRat','TexttoEXE','Base64ToString','StringtoBase64','Do-Exfiltration','Parse_Keys','Add-Exfiltration','Add-Persistence','Remove-Persistence','Find-PSServiceAccounts','Discover-PSMSSQLServers','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Discover-PSMSExchangeServers','Discover-PSInterestingServices','Mimikatz','powercat','powersploit','PowershellEmpire','Payload','GetProcAddress','ICM','.invoke',' -e ','hidden','-w hidden']
# 定义 PowerShell 参数列表
Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"] Suspicious_powershell_Arguments=["-EncodedCommand","-enc","-w hidden","[Convert]::FromBase64String","iex(","New-Object","Net.WebClient","-windowstyle hidden","DownloadFile","DownloadString","Invoke-Expression","Net.WebClient","-Exec bypass" ,"-ExecutionPolicy bypass"]
# 定义终端服务摘要
TerminalServices_Summary=[{'User':[],'Number of Logins':[]}] TerminalServices_Summary=[{'User':[],'Number of Logins':[]}]
# 定义安全认证摘要
Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}] Security_Authentication_Summary=[{'User':[],'Number of Failed Logins':[],'Number of Successful Logins':[]}]
# 定义执行进程摘要
Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}] Executed_Process_Summary=[{'Process Name':[],'Number of Execution':[]}]
# 定义关键服务列表
critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"] critical_services=["Software Protection","Network List Service","Network Location Awareness","Windows Event Log"]
# 定义 Sysmon 事件结构
Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Sysmon_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 WinRM 事件结构
WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] WinRM_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义安全事件结构
Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Security_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义系统事件结构
System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] System_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Service Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义计划任务事件结构
ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] ScheduledTask_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Schedule Task Name':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 事件结构
Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Powershell_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 PowerShell 操作事件结构
Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Powershell_Operational_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义终端服务事件结构
TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] TerminalServices_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Windows Defender 事件结构
Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}] Windows_Defender_events=[{'Date and Time':[],'timestamp':[],'Detection Rule':[],'Severity':[],'Detection Domain':[],'Event Description':[],'Event ID':[],'Original Event Log':[]}]
# 定义 Timesketch 事件结构
Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}] Timesketch_events=[{'message':[],'timestamp':[],'datetime':[],'timestamp_desc':[],'Event Description':[],'Severity':[],'Detection Domain':[],'Event ID':[],'Original Event Log':[]}]
#======================= #=======================
#Regex for security logs #Regex for security logs
# 定义安全日志的正则表达式
Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE) Logon_Type_rex = re.compile('Logon Type:\t{1,15}(\d{1,4})', re.IGNORECASE)
#Account_Name_rex = re.compile('Account Name:\t{1,15}(.*)', re.IGNORECASE) # 定义账户名称的正则表达式
Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE) Account_Name_rex = re.compile('Account Name:(.*)', re.IGNORECASE)
# 定义安全 ID 的正则表达式
Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE) Security_ID_rex = re.compile('Security ID:\t{1,15}(.*)', re.IGNORECASE)
# 定义账户域的正则表达式
Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE) Account_Domain_rex = re.compile('Account Domain:\t{1,15}(.*)', re.IGNORECASE)
# 定义工作站名称的正则表达式
Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE) Workstation_Name_rex = re.compile('Workstation Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义源网络地址的正则表达式
Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE) Source_Network_Address_rex = re.compile('Source Network Address:\t{1,15}(.*)', re.IGNORECASE)
# 定义登录进程的正则表达式
Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE) Logon_Process_rex = re.compile('Logon Process:\t{1,15}(.*)', re.IGNORECASE)
# 定义密钥长度的正则表达式
Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE) Key_Length_rex = re.compile('Key Length:\t{1,15}(\d{1,4})', re.IGNORECASE)
# 定义进程命令行的正则表达式
Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE) Process_Command_Line_rex = re.compile('Process Command Line:\t{1,15}(.*)', re.IGNORECASE)
# 定义组名称的正则表达式
Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE) Group_Name_rex = re.compile('Group Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义任务名称的正则表达式
Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE) Task_Name_rex = re.compile('Task Name: \t{1,10}(.*)', re.IGNORECASE)
# 定义任务命令的正则表达式
Task_Command_rex = re.compile('<Command>(.*)</Command>', re.IGNORECASE) Task_Command_rex = re.compile('<Command>(.*)</Command>', re.IGNORECASE)
# 定义任务参数的正则表达式
Task_args_rex = re.compile('<Arguments>(.*)</Arguments>', re.IGNORECASE) Task_args_rex = re.compile('<Arguments>(.*)</Arguments>', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE) Process_Name_sec_rex = re.compile('Process Name:\t{1,15}(.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE) Category_sec_rex = re.compile('Category:\t{1,15}(.*)', re.IGNORECASE)
# 定义子类别的正则表达式
Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE) Subcategory_rex = re.compile('Subcategory:\t{1,15}(.*)', re.IGNORECASE)
# 定义更改的正则表达式
Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE) Changes_rex = re.compile('Changes:\t{1,15}(.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for windows defender logs # 定义 Windows Defender 日志的正则表达式
Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE) Name_rex = re.compile('\t{1,15}Name: (.*)', re.IGNORECASE)
# 定义严重性级别的正则表达式
Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE) Severity_rex = re.compile('\t{1,15}Severity: (.*)', re.IGNORECASE)
# 定义类别的正则表达式
Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE) Category_rex = re.compile('\t{1,15}Category: (.*)', re.IGNORECASE)
# 定义路径的正则表达式
Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE) Path_rex = re.compile('\t{1,15}Path: (.*)', re.IGNORECASE)
# 定义用户的正则表达式
Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE) Defender_User_rex = re.compile('\t{1,15}User: (.*)', re.IGNORECASE)
# 定义进程名称的正则表达式
Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE) Process_Name_rex = re.compile('\t{1,15}Process Name: (.*)', re.IGNORECASE)
# 定义操作的正则表达式
Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE) Action_rex = re.compile('\t{1,15}Action: (.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for system logs # 定义系统日志的正则表达式
Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE) Service_Name_rex = re.compile('Service Name: (.*)', re.IGNORECASE)
Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE) Service_File_Name_rex = re.compile('Service File Name: (.*)', re.IGNORECASE)
Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE) Service_Type_rex = re.compile('Service Type: (.*)', re.IGNORECASE)
@ -97,16 +144,14 @@ Service_and_state_rex = re.compile('The (.*) service entered the (.*) state\.',
StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE) StartType_rex = re.compile('The start type of the (.*) service was changed', re.IGNORECASE)
Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE) Service_Start_Type_rex = re.compile('Service Start Type: (.*)', re.IGNORECASE)
# ======================= # =======================
#Regex for task scheduler logs # 定义任务调度程序日志的正则表达式
task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE) task_register_rex = re.compile('User \"(.*)\" registered Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE) task_update_rex = re.compile('User \"(.*)\" updated Task Scheduler task \"(.*)\"', re.IGNORECASE)
task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE) task_delete_rex = re.compile('User \"(.*)\" deleted Task Scheduler task \"(.*)\"', re.IGNORECASE)
# =======================
#====================== # 定义 PowerShell 操作日志的正则表达式
#Regex for powershell operational logs
Host_Application_rex = re.compile('Host Application = (.*)') Host_Application_rex = re.compile('Host Application = (.*)')
Command_Name_rex = re.compile('Command Name = (.*)') Command_Name_rex = re.compile('Command Name = (.*)')
Command_Type_rex = re.compile('Command Type = (.*)') Command_Type_rex = re.compile('Command Type = (.*)')
@ -114,27 +159,27 @@ Engine_Version_rex = re.compile('Engine Version = (.*)')
User_rex = re.compile('User = (.*)') User_rex = re.compile('User = (.*)')
Error_Message_rex = re.compile('Error Message = (.*)') Error_Message_rex = re.compile('Error Message = (.*)')
#====================== # =======================
#Regex for powershell logs # 定义 PowerShell 日志的正则表达式
HostApplication_rex = re.compile('HostApplication=(.*)') HostApplication_rex = re.compile('HostApplication=(.*)')
CommandLine_rex = re.compile('CommandLine=(.*)') CommandLine_rex = re.compile('CommandLine=(.*)')
ScriptName_rex = re.compile('ScriptName=(.*)') ScriptName_rex = re.compile('ScriptName=(.*)')
EngineVersion_rex = re.compile('EngineVersion=(.*)') EngineVersion_rex = re.compile('EngineVersion=(.*)')
UserId_rex = re.compile('UserId=(.*)') UserId_rex = re.compile('UserId=(.*)')
ErrorMessage_rex = re.compile('ErrorMessage=(.*)') ErrorMessage_rex = re.compile('ErrorMessage=(.*)')
#======================
#TerminalServices Local Session Manager Logs # =======================
#Source_Network_Address_Terminal_rex= re.compile('Source Network Address: (.*)') # 定义终端服务本地会话管理器日志的正则表达式
Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})') Source_Network_Address_Terminal_rex = re.compile('Source Network Address: ((\d{1,3}\.){3}\d{1,3})')
User_Terminal_rex = re.compile('User: (.*)') User_Terminal_rex = re.compile('User: (.*)')
Session_ID_rex = re.compile('Session ID: (.*)') Session_ID_rex = re.compile('Session ID: (.*)')
#======================
#Microsoft-Windows-WinRM logs # =======================
# 定义 Microsoft-Windows-WinRM 日志的正则表达式
Connection_rex = re.compile("""The connection string is: (.*)""") Connection_rex = re.compile("""The connection string is: (.*)""")
#User_ID_rex=re.compile("""<Security UserID=\'(?<UserID>.*)\'\/><\/System>""")
#src_device_rex=re.compile("""<Computer>(?<src>.*)<\/Computer>""") # =======================
#====================== # 定义 Sysmon 日志的正则表达式
#Sysmon Logs
Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)") Sysmon_CommandLine_rex = re.compile("CommandLine: (.*)")
Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)") Sysmon_ProcessGuid_rex = re.compile("ProcessGuid: (.*)")
Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)") Sysmon_ProcessId_rex = re.compile("ProcessId: (.*)")
@ -155,8 +200,9 @@ Sysmon_ParentCommandLine_rex=re.compile("ParentCommandLine: (.*)")
Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)") Sysmon_CurrentDirectory_rex = re.compile("CurrentDirectory: (.*)")
Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)") Sysmon_OriginalFileName_rex = re.compile("OriginalFileName: (.*)")
Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)") Sysmon_TargetObject_rex = re.compile("TargetObject: (.*)")
#########
#Sysmon event ID 3 # =======================
# Sysmon 事件 ID 3 的正则表达式
Sysmon_Protocol_rex = re.compile("Protocol: (.*)") Sysmon_Protocol_rex = re.compile("Protocol: (.*)")
Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)") Sysmon_SourceIp_rex = re.compile("SourceIp: (.*)")
Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)") Sysmon_SourceHostname_rex = re.compile("SourceHostname: (.*)")
@ -164,8 +210,9 @@ Sysmon_SourcePort_rex=re.compile("SourcePort: (.*)")
Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)") Sysmon_DestinationIp_rex = re.compile("DestinationIp: (.*)")
Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)") Sysmon_DestinationHostname_rex = re.compile("DestinationHostname: (.*)")
Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)") Sysmon_DestinationPort_rex = re.compile("DestinationPort: (.*)")
#########
#Sysmon event ID 8 # =======================
# Sysmon 事件 ID 8 的正则表达式
Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)") Sysmon_StartFunction_rex = re.compile("StartFunction: (.*)")
Sysmon_StartModule_rex = re.compile("StartModule: (.*)") Sysmon_StartModule_rex = re.compile("StartModule: (.*)")
Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)") Sysmon_TargetImage_rex = re.compile("TargetImage: (.*)")
@ -189,53 +236,45 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
""" """
if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0: if open(file_name, "r").read(1000).find("\"InstanceId\",\"TimeGenerated\"") > 0:
# 如果包含,使用包含更多字段的字典读取器
list2 = csv.DictReader(csvfile, list2 = csv.DictReader(csvfile,
fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber", fieldnames=('Event ID', "MachineName", "Data", "Index", "Category", "CategoryNumber",
"EntryType", "Details", "Source", "ReplacementStrings", "InstanceId", "EntryType", "Details", "Source", "ReplacementStrings", "InstanceId",
'Date and Time', "TimeWritten", "UserName", "Site", "Container")) 'Date and Time', "TimeWritten", "UserName", "Site", "Container"))
else: else:
# 如果不包含,使用较少字段的字典读取器
list2 = csv.DictReader(csvfile, fieldnames=( list2 = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
# 遍历读取的每一行
for row in list2: for row in list2:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None: if row['Details'] == None:
continue continue
Logon_Type = Logon_Type_rex.findall(row['Details']) # 从 'Details' 字段中提取各种信息
Logon_Type = Logon_Type_rex.findall(row['Details']) # 登录类型
Account_Name = Account_Name_rex.findall(row['Details']) Account_Name = Account_Name_rex.findall(row['Details']) # 账户名称
Account_Domain = Account_Domain_rex.findall(row['Details']) # 账户域
Account_Domain = Account_Domain_rex.findall(row['Details']) Workstation_Name = Workstation_Name_rex.findall(row['Details']) # 工作站名称
Source_IP = Source_Network_Address_rex.findall(row['Details']) # 源网络地址
Workstation_Name = Workstation_Name_rex.findall(row['Details']) Logon_Process = Logon_Process_rex.findall(row['Details']) # 登录进程
Key_Length = Key_Length_rex.findall(row['Details']) # 密钥长度
Source_IP = Source_Network_Address_rex.findall(row['Details']) Security_ID = Security_ID_rex.findall(row['Details']) # 安全 ID
Group_Name = Group_Name_rex.findall(row['Details']) # 组名称
Logon_Process = Logon_Process_rex.findall(row['Details']) Task_Name = Task_Name_rex.findall(row['Details']) # 任务名称
Task_Command = Task_Command_rex.findall(row['Details']) # 任务命令
Key_Length = Key_Length_rex.findall(row['Details']) Task_args = Task_args_rex.findall(row['Details']) # 任务参数
Process_Name = Process_Name_sec_rex.findall(row['Details']) # 进程名称
Security_ID = Security_ID_rex.findall(row['Details']) Category = Category_sec_rex.findall(row['Details']) # 类别
Subcategory = Subcategory_rex.findall(row['Details']) # 子类别
Group_Name = Group_Name_rex.findall(row['Details']) Changes = Changes_rex.findall(row['Details']) # 更改
Process_Command_Line = Process_Command_Line_rex.findall(row['Details']) # 进程命令行
Task_Name=Task_Name_rex.findall(row['Details'])
Task_Command = Task_Command_rex.findall(row['Details'])
Task_args= Task_args_rex.findall(row['Details'])
Process_Name=Process_Name_sec_rex.findall(row['Details'])
Category=Category_sec_rex.findall(row['Details'])
Subcategory=Subcategory_rex.findall(row['Details'])
Changes=Changes_rex.findall(row['Details'])
Process_Command_Line = Process_Command_Line_rex.findall(row['Details'])
#User Cretion using Net command #User Cretion using Net command
# 用户创建事件处理,使用 Net 命令
if row['Event ID']=="4688": if row['Event ID']=="4688":
try: try:
# 检查事件详情中是否包含用户添加的命令
if len(re.findall('.*user.*/add.*',row['Details']))>0: if len(re.findall('.*user.*/add.*',row['Details']))>0:
#print("test") #print("test")
@ -244,7 +283,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
#print("User Name : ( %s ) "%Account_Name[0].strip(),end='') #print("User Name : ( %s ) "%Account_Name[0].strip(),end='')
#print("with Command Line : ( " + Process_Command_Line[0].strip()+" )") #print("with Command Line : ( " + Process_Command_Line[0].strip()+" )")
# 生成事件描述
Event_desc ="User Name : ( %s ) "%Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip()+" )" Event_desc ="User Name : ( %s ) "%Account_Name[0].strip()+"with Command Line : ( " + Process_Command_Line[0].strip()+" )"
# 将事件信息添加到 Security_events 数据结构中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Added using Net Command") Security_events[0]['Detection Rule'].append("User Added using Net Command")
@ -255,6 +296,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
#Detecting privielge Escalation using Token Elevation #Detecting privielge Escalation using Token Elevation
# 检测特权提升尝试,使用命名管道
if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line))>0: if len(re.findall(r"cmd.exe /c echo [a-z]{6} > \\\.\\pipe\\\w{1,10}",process_command_line))>0:
Event_desc ="User Name : ( %s ) " % user+"conducting NAMED PIPE privilege escalation with Command Line : ( " + process_command_line + " ) " Event_desc ="User Name : ( %s ) " % user+"conducting NAMED PIPE privilege escalation with Command Line : ( " + process_command_line + " ) "
@ -267,6 +309,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# 检查进程命令行是否在可疑位置(如 temp、tmp、Program Data
if Process_Command_Line[0].strip().lower().find("\\temp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\tmp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\program data\\")>-1: if Process_Command_Line[0].strip().lower().find("\\temp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\tmp\\")>-1 or Process_Command_Line[0].strip().lower().find("\\program data\\")>-1:
# print("test") # print("test")
@ -285,6 +328,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# 检查是否存在可疑的可执行文件
for i in Suspicious_executables: for i in Suspicious_executables:
if Process_Command_Line[0].strip().lower().find(i.lower())>-1: if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
@ -304,6 +348,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# 检查是否存在可疑的 PowerShell 命令
for i in Suspicious_powershell_commands: for i in Suspicious_powershell_commands:
if Process_Command_Line[0].strip().lower().find(i.lower())>-1: if Process_Command_Line[0].strip().lower().find(i.lower())>-1:
@ -325,20 +370,21 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
except: except:
# 捕获解析事件时的错误并输出错误信息
print("Error parsing below Event \n"+row['Details']) print("Error parsing below Event \n"+row['Details'])
continue continue
# User Created through management interface # User Created through management interface
# 检查事件 ID 是否为 "4720",表示创建用户事件
if row['Event ID']=="4720": if row['Event ID']=="4720":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述,包含用户名称和创建的用户名
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
try: try:
Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )" Event_desc="User Name ( " + Account_Name[0].strip() + " )" + " Created User Name ( " + Account_Name[1].strip()+ " )"
except: except:
# 如果生成描述失败,使用默认描述
Event_desc="User Created a new user " Event_desc="User Created a new user "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Created through management interface") Security_events[0]['Detection Rule'].append("User Created through management interface")
@ -348,13 +394,11 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Windows is shutting down # 检查事件 ID 是否为 "4609" 或 "1100",表示 Windows 关机事件
if row['Event ID']=="4609" or row['Event ID']=="1100": if row['Event ID']=="4609" or row['Event ID']=="1100":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("User Name ( " + Account_Name[0].strip() + " )", end='')
#print(" Created User Name ( " + Account_Name[1].strip()+ " )")
Event_desc="Windows is shutting down " Event_desc="Windows is shutting down "
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Windows is shutting down") Security_events[0]['Detection Rule'].append("Windows is shutting down")
@ -364,24 +408,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# 检查事件 ID 是否为 "4732",表示用户被添加到本地组
# User added to local group
if row['Event ID']=="4732": if row['Event ID']=="4732":
# 生成事件描述,包含用户名称和组名称
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to local group ( " + Group_Name[0].strip() + " )")
try: try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )" Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to local group ( " + Group_Name[0].strip() + " )"
except: except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to local group") Security_events[0]['Detection Rule'].append("User added to local group")
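Review bot: The fallback description rebuilt on the new side of the `except:` branch for event 4732 still says `" to Global group ( "` although this block records the rule as "User added to local group", so a row that takes the fallback path is labelled with the wrong group scope. The fallback also indexes `Security_ID[1]` and `Group_Name[0]` with no guard, so if the first attempt failed because one of those lists is short the handler raises the same IndexError and it propagates out of the bare `except:`; the 4720 block earlier in this function uses a constant string for exactly this reason. Replace the fallback with `Event_desc = "User ( " + Account_Name[0].strip() + " ) added User to local group"` (or a length-guarded variant like the 4756 branch). The same "Global group" wording is correct in the 4728 hunk below, so only this hunk needs the change; the enclosing detect_events_security_log function starts and ends outside the hunk.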
@ -391,17 +425,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to global group # 检查事件 ID 是否为 "4728",表示用户被添加到全局组
if row['Event ID'] == "4728": if row['Event ID'] == "4728":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
#print(" to Global group ( " + Group_Name[0].strip() + " )")
try: try:
Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )" Event_desc="User ( " + Account_Name[0].strip() + " ) added User ( "+Account_Name[1].strip()+" to Global group ( " + Group_Name[0].strip() + " )"
except: except:
Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[ Event_desc = "User ( " + Account_Name[0].strip() + " ) added User ( " + Security_ID[1].strip() + " to Global group ( " + Group_Name[0].strip() + " )"
1].strip() + " to Global group ( " + Group_Name[0].strip() + " )" # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to global group") Security_events[0]['Detection Rule'].append("User added to global group")
@ -411,20 +442,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#add user to universal group # 检查事件 ID 是否为 "4756",表示用户被添加到通用组
if row['Event ID'] == "4756": if row['Event ID'] == "4756":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) added User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(" to Universal group ( " + Group_Name[0].strip() + " )")
Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )" Event_desc=Event_desc+" to Universal group ( " + Group_Name[0].strip() + " )"
else: else:
Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +" to Universal group ( " + Account_Name[1].strip() + " )"
#print(" to Universal group ( " + Account_Name[1].strip() + " )") # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User added to Universal group") Security_events[0]['Detection Rule'].append("User added to Universal group")
@ -434,20 +460,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from global group # 检查事件 ID 是否为 "4729",表示用户从全局组中移除
if row['Event ID'] == "4729": if row['Event ID'] == "4729":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(") from Global group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )" Event_desc = Event_desc +") from Global group ( " + Group_Name[0].strip() + " )"
else: else:
Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Global group ( " + Account_Name[1].strip() + " )"
#print(") from Global group ( " + Account_Name[1].strip() + " )") # 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Global Group") Security_events[0]['Detection Rule'].append("User Removed from Global Group")
@ -457,18 +478,15 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from universal group # 检查事件 ID 是否为 "4757",表示用户从通用组中移除
if row['Event ID'] == "4757": if row['Event ID'] == "4757":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
if len(Group_Name)>0: if len(Group_Name)>0:
#print(") from Universal group ( " + Group_Name[0].strip() + " )")
Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )" Event_desc = Event_desc+") from Universal group ( " + Group_Name[0].strip() + " )"
else: else:
#print(") from Universal group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Universal group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Universal Group") Security_events[0]['Detection Rule'].append("User Removed from Universal Group")
@ -478,8 +496,9 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
#remove user from local group # 检查事件 ID 是否为 "4733",表示用户从本地组中移除
if row['Event ID'] == "4733": if row['Event ID'] == "4733":
# 生成事件描述
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='') #print("User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip(), end='')
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip() Event_desc ="User ( " + Account_Name[0].strip() + " ) removed User ( "+Security_ID[1].strip()
@ -489,9 +508,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
else: else:
#print(") from Local group ( " + Account_Name[1].strip() + " )") #print(") from Local group ( " + Account_Name[1].strip() + " )")
Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )" Event_desc = Event_desc +") from Local group ( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed from Local Group") Security_events[0]['Detection Rule'].append("User Removed from Local Group")
@ -501,8 +518,8 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user removed group # user removed group
# 用户从组中移除
if row['Event ID'] == "4730": if row['Event ID'] == "4730":
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='') print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')
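Review bot: The two `print(...)` calls at the top of the 4730 block are live, unlike the `#print` lines in every sibling rule, and the `end=''` form leaves stdout mid-line for whoever runs the parser; the hunk only adds a comment above them. Comment them out to match the other rules, `#print("##### " + row['Date and Time'] + " #### ", end='')` and `#print("User ( " + Account_Name[0].strip() + " ) removed Group ( ", end='')`, since Event_desc already carries the same text into Security_events. The rest of the 4730 block continues past the end of the hunk.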
@ -514,7 +531,7 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )" Event_desc = Event_desc +") from Local group ( " + Account_Name[0].strip() + " )"
#print(") from Local group ( " + Account_Name[0].strip() + " )") #print(") from Local group ( " + Account_Name[0].strip() + " )")
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Removed Group") Security_events[0]['Detection Rule'].append("User Removed Group")
@ -525,12 +542,14 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# user account removed # user account removed
# 用户账户被移除
if row['Event ID'] == "4726": if row['Event ID'] == "4726":
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("User ( " + Account_Name[0].strip() + " ) removed user ", end='') #print("User ( " + Account_Name[0].strip() + " ) removed user ", end='')
#print("( " + Account_Name[1].strip() + " )") #print("( " + Account_Name[1].strip() + " )")
Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )" Event_desc ="User ( " + Account_Name[0].strip() + " ) removed user "+"( " + Account_Name[1].strip() + " )"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("User Account Removed") Security_events[0]['Detection Rule'].append("User Account Removed")
@ -541,24 +560,30 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Summary of process Execution # Summary of process Execution
# 进程执行的总结
if row['Event ID']=="4688": if row['Event ID']=="4688":
try: try:
# 检查进程命令行是否已在执行进程摘要中
if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']: if Process_Command_Line[0] not in Executed_Process_Summary[0]['Process Name']:
Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip()) Executed_Process_Summary[0]['Process Name'].append(Process_Command_Line[0].strip())
Executed_Process_Summary[0]['Number of Execution'].append(1) Executed_Process_Summary[0]['Number of Execution'].append(1)
else : else :
# 如果已存在,则更新执行次数
Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1 Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]=Executed_Process_Summary[0]['Number of Execution'][Executed_Process_Summary[0]['Process Name'].index(Process_Command_Line[0].strip())]+1
except: except:
continue continue
# 检查事件 ID 是否为 "4625",表示登录失败事件
if row['Event ID'] == "4625" : if row['Event ID'] == "4625" :
try: try:
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Failed Logins'].append(1) Security_Authentication_Summary[0]['Number of Failed Logins'].append(1)
Security_Authentication_Summary[0]['Number of Successful Logins'].append(0) Security_Authentication_Summary[0]['Number of Successful Logins'].append(0)
else : else :
try: try:
# 更新失败登录次数
Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['Number of Failed Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Failed Logins'][ Security_Authentication_Summary[0]['Number of Failed Logins'][
@ -568,44 +593,55 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
print(Security_Authentication_Summary[0]) print(Security_Authentication_Summary[0])
except: except:
continue continue
# password spray detection # password spray detection
# 密码喷洒检测
if row['Event ID'] == "4648" : if row['Event ID'] == "4648" :
try: try:
# 检查账户名称是否在 PasswordSpray 字典中
if Account_Name[0].strip() not in PasswordSpray: if Account_Name[0].strip() not in PasswordSpray:
PasswordSpray[Account_Name[0].strip()]=[] PasswordSpray[Account_Name[0].strip()]=[]
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
#else: #else:
# PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) # PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
# 检查第二个账户名称是否已在对应的 PasswordSpray 列表中
if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] : if Account_Name[1].strip() not in PasswordSpray[Account_Name[0].strip()] :
PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip()) PasswordSpray[Account_Name[0].strip()].append(Account_Name[1].strip())
except: except:
continue continue
#and (Logon_Type[0].strip()=="3" or Logon_Type[0].strip()=="10" or Logon_Type[0].strip()=="2" or Logon_Type[0].strip()=="8")
# 检查事件 ID 是否为 "4624",表示成功登录事件
if row['Event ID'] == "4624" : if row['Event ID'] == "4624" :
try: try:
#print(Account_Name[0]) #print(Account_Name[0])
# 检查用户是否已在安全认证摘要中
if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']: if Account_Name[1].strip() not in Security_Authentication_Summary[0]['User']:
Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip()) Security_Authentication_Summary[0]['User'].append(Account_Name[1].strip())
Security_Authentication_Summary[0]['Number of Successful Logins'].append(1) Security_Authentication_Summary[0]['Number of Successful Logins'].append(1)
Security_Authentication_Summary[0]['Number of Failed Logins'].append(0) Security_Authentication_Summary[0]['Number of Failed Logins'].append(0)
else : else :
# 更新成功登录次数
Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \ Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] = \
Security_Authentication_Summary[0]['Number of Successful Logins'][ Security_Authentication_Summary[0]['Number of Successful Logins'][
Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1 Security_Authentication_Summary[0]['User'].index(Account_Name[1].strip())] + 1
except: except:
continue continue
# detect pass the hash # detect pass the hash
# 检测哈希传递攻击
if row['Event ID'] == "4625" or row['Event ID'] == "4624": if row['Event ID'] == "4625" or row['Event ID'] == "4624":
# 检查登录类型和其他条件
if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0": if Logon_Type[0].strip() == "3" and Account_Name[1].strip() != "ANONYMOUS LOGON" and Account_Name[1].strip().find("$")==-1 and Logon_Process[0].strip() == "NtLmSsp" and Key_Length[0].strip() == "0":
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print( #print(
# "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( # "Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
# Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())) # Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()))
# 生成事件描述
Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % ( Event_desc ="Pass the hash attempt Detected : user name ( %s ) domain name ( %s ) from IP ( %s ) and machine name ( %s )" % (
Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip()) Account_Name[1].strip(), Account_Domain[1].strip(), Source_IP[0].strip(), Workstation_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected") Security_events[0]['Detection Rule'].append("Pass the hash attempt Detected")
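Review bot: The bare `except: continue` that closes the 4625, 4648 and 4624 bookkeeping blocks skips the rest of the loop body for that row, so the pass-the-hash check further down in this hunk never runs for a 4624/4625 row whose summary update raised (for example Account_Name with fewer than two entries); a detection is silently dropped because a counter could not be updated. Change those three handlers to `except (IndexError, ValueError): pass` and give the pass-the-hash condition its own guard, e.g. `if len(Logon_Type) and len(Account_Name) > 1 and len(Logon_Process) and len(Key_Length):` before the existing comparison, so the two concerns no longer share a failure path. The `print(Security_Authentication_Summary[0])` at the top of the hunk appears to sit inside the 4625 else branch and dumps the whole summary on every repeated failed login; it looks like a debugging leftover and should be removed. The enclosing function starts and ends outside the hunk.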
@ -616,14 +652,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Audit log cleared # Audit log cleared
# 审计日志被清除
if row['Event ID'] == "517" or row['Event ID'] == "1102": if row['Event ID'] == "517" or row['Event ID'] == "1102":
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"Audit log cleared by user ( %s )" % ( "Audit log cleared by user ( %s )" % (
Account_Name[0].strip())) Account_Name[0].strip()))
""" """
# 生成事件描述
Event_desc = "Audit log cleared by user ( %s )" % ( Event_desc = "Audit log cleared by user ( %s )" % (
Account_Name[0].strip()) Account_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Audit log cleared") Security_events[0]['Detection Rule'].append("Audit log cleared")
@ -634,13 +673,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# Suspicious Attempt to enumerate users or groups # Suspicious Attempt to enumerate users or groups
# 可疑的用户或组枚举尝试
if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1: if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % ( "Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (
Account_Name[0].strip(),Process_Name[0].strip())) Account_Name[0].strip(),Process_Name[0].strip()))
""" """
# 生成事件描述
Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip()) Event_desc ="Suspicious Attempt to enumerate groups by user ( %s ) using process ( %s )" % (Account_Name[0].strip(),Process_Name[0].strip())
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups") Security_events[0]['Detection Rule'].append("Suspicious Attempt to enumerate groups")
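Review bot: The enumeration condition `if row['Event ID'] == "4798" or row['Event ID'] == "4799" and row['Details'].find("System32\\svchost.exe")==-1:` parses as `4798 or (4799 and not-svchost)` because `and` binds tighter than `or`, so the svchost.exe exclusion applies only to 4799 and every 4798 row is reported regardless of the originating process; the new comment added above it describes the rule as covering both IDs without this asymmetry. If the exclusion is meant for both, write `if row['Event ID'] in ("4798", "4799") and row['Details'].find("System32\\svchost.exe") == -1:`. The line itself is unchanged by this commit, and the enclosing function starts and ends outside the hunk.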
@ -651,17 +693,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# System audit policy was changed # System audit policy was changed
# 系统审计策略已更改
if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" : if row['Event ID'] == "4719" and len(Security_ID)>0 and Security_ID[0].strip()!="S-1-5-18" and Security_ID[0].strip()!="SYSTEM" :
"""print("##### " + row['Date and Time'] + " #### ", end='') """print("##### " + row['Date and Time'] + " #### ", end='')
print( print(
"System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % ( "System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (
Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())) Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()))
""" """
try : try :
Event_desc ="System audit policy was changed by user ( %s ) , Audit Poricly category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip()) # 生成事件描述
Event_desc ="System audit policy was changed by user ( %s ) , Audit Policy category ( %s ) , Subcategory ( %s ) with changes ( %s )" % (Account_Name[0].strip(),Category[0].strip(),Subcategory[0].strip(),Changes[0].strip())
except : except :
Event_desc = "System audit policy was changed by user" Event_desc = "System audit policy was changed by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("System audit policy was changed") Security_events[0]['Detection Rule'].append("System audit policy was changed")
@ -672,14 +716,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# scheduled task created # scheduled task created
# 创建计划任务
if row['Event ID']=="4698" : if row['Event ID']=="4698" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try: try:
# 生成事件描述
Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task created by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task created by user" Event_desc = "schedule task created by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task created") Security_events[0]['Detection Rule'].append("schedule task created")
@ -690,14 +736,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# scheduled task deleted # scheduled task deleted
# 删除计划任务
if row['Event ID']=="1699" : if row['Event ID']=="1699" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task deleted by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task deleted by user" Event_desc = "schedule task deleted by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task deleted") Security_events[0]['Detection Rule'].append("schedule task deleted")
@ -708,14 +756,16 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task updated # schedule task updated
# 更新计划任务
if row['Event ID']=="4702" : if row['Event ID']=="4702" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try: try:
# 生成事件描述
Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task updated by user ( %s ) with task name ( %s ) , Command ( %s ) and Argument ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task updated by user" Event_desc = "schedule task updated by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task updated") Security_events[0]['Detection Rule'].append("schedule task updated")
@ -725,15 +775,19 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Event ID'].append(row['Event ID']) Security_events[0]['Event ID'].append(row['Event ID'])
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task enabled # schedule task enabled
# 启用计划任务
if row['Event ID']=="4700" : if row['Event ID']=="4700" :
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task enabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task enabled by user" Event_desc = "schedule task enabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task enabled") Security_events[0]['Detection Rule'].append("schedule task enabled")
@ -744,14 +798,17 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
# schedule task disabled # schedule task disabled
# 禁用计划任务
if row['Event ID']=="4701" : if row['Event ID']=="4701" :
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
#print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])) #print("schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]))
try : try :
# 生成事件描述
Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0]) Event_desc ="schedule task disabled by user ( %s ) with task name ( %s ) " % ( Account_Name[0].strip(),Task_Name[0].strip(),Task_Command[0],Task_args[0])
except: except:
Event_desc = "schedule task disabled by user" Event_desc = "schedule task disabled by user"
# 将事件信息添加到 Security_events 列表中
Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat()) Security_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p').isoformat())
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p'))) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'],'%m/%d/%Y %I:%M:%S %p')))
Security_events[0]['Detection Rule'].append("schedule task disabled") Security_events[0]['Detection Rule'].append("schedule task disabled")
@ -762,16 +819,25 @@ def detect_events_security_log(file_name='deep-blue-secuity.csv',winevent=False)
Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," ")) Security_events[0]['Original Event Log'].append(str(row['Details']).replace("\r"," "))
for user in PasswordSpray: for user in PasswordSpray:
# 检查用户的密码喷洒尝试次数是否超过3次
if len(PasswordSpray[user])>3: if len(PasswordSpray[user])>3:
# 生成事件描述
Event_desc = "Password Spray Detected by user ( "+user+" )" Event_desc = "Password Spray Detected by user ( "+user+" )"
# 将当前时间戳添加到事件列表中
Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now())) Security_events[0]['Date and Time'].append(datetime.timestamp(datetime.now()))
Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now())) Security_events[0]['timestamp'].append(datetime.timestamp(datetime.now()))
# 添加检测规则
Security_events[0]['Detection Rule'].append("Password Spray Detected") Security_events[0]['Detection Rule'].append("Password Spray Detected")
# 添加检测领域
Security_events[0]['Detection Domain'].append("Threat") Security_events[0]['Detection Domain'].append("Threat")
# 添加事件严重性
Security_events[0]['Severity'].append("High") Security_events[0]['Severity'].append("High")
# 添加事件描述
Security_events[0]['Event Description'].append(Event_desc) Security_events[0]['Event Description'].append(Event_desc)
# 添加事件ID
Security_events[0]['Event ID'].append("4648") Security_events[0]['Event ID'].append("4648")
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password sparay attack using usernames ( "+",".join(PasswordSpray[user])+" )") # 添加原始事件日志
Security_events[0]['Original Event Log'].append("User ( "+user+" ) did password spray attack using usernames ( "+",".join(PasswordSpray[user])+" )")
def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False): def detect_events_windows_defender_log(file_name='Defender-logs.csv', winevent=False):
@ -781,20 +847,24 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
else: else:
list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties")) list = csv.DictReader(csvfile,fieldnames=("Details","Event ID","Version","Qualifiers","Level","Task","Opcode","Keywords","RecordId","ProviderName","ProviderId","LogName","ProcessId","ThreadId","MachineName","UserId","Date and Time","ActivityId","RelatedActivityId","ContainerLog","MatchedQueryIds","Bookmark","LevelDisplayName","OpcodeDisplayName","TaskDisplayName","KeywordsDisplayNames","Properties"))
""" """
# 检查文件内容以确定使用的字段名
if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0: if open(file_name, "r").read(1000).find("\"Message\",\"Id\",\"Version\"") > 0:
# 使用较长的字段名列表
list = csv.DictReader(csvfile, fieldnames=( list = csv.DictReader(csvfile, fieldnames=(
"Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId", "Details", "Event ID", "Version", "Qualifiers", "Level", "Task", "Opcode", "Keywords", "RecordId",
"ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time", "ProviderName", "ProviderId", "LogName", "ProcessId", "ThreadId", "MachineName", "UserId", "Date and Time",
"ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName", "ActivityId", "RelatedActivityId", "ContainerLog", "MatchedQueryIds", "Bookmark", "LevelDisplayName",
"OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties")) "OpcodeDisplayName", "TaskDisplayName", "KeywordsDisplayNames", "Properties"))
else: else:
# 使用较短的字段名列表
list = csv.DictReader(csvfile, fieldnames=( list = csv.DictReader(csvfile, fieldnames=(
'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',)) 'Level', 'Date and Time', 'Source', 'Event ID', 'Task Category', 'Details',))
for row in list: for row in list:
# 如果 'Details' 字段为空,则跳过该行
if row['Details'] == None: if row['Details'] == None:
continue continue
# 从 'Details' 字段中提取信息
Name = Name_rex.findall(row['Details']) Name = Name_rex.findall(row['Details'])
Severity = Severity_rex.findall(row['Details']) Severity = Severity_rex.findall(row['Details'])
Category = Category_rex.findall(row['Details']) Category = Category_rex.findall(row['Details'])
@ -803,11 +873,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Process_Name = Process_Name_rex.findall(row['Details']) Process_Name = Process_Name_rex.findall(row['Details'])
Action = Action_rex.findall(row['Details']) Action = Action_rex.findall(row['Details'])
#Windows Defender took action against Malware # Windows Defender 对恶意软件采取了行动
if row['Event ID'] == "1117" or row['Event ID'] == "1007": if row['Event ID'] == "1117" or row['Event ID'] == "1007":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print(" Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) Event_desc = "Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
Event_desc="Windows Defender took action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0].strip()) # 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender took action against Malware")
@ -817,13 +887,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
#Windows Defender failed to take action against Malware # Windows Defender 未能对恶意软件采取行动
if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119": if row['Event ID'] == "1118" or row['Event ID'] == "1008" or row['Event ID'] == "1119":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print("Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Action[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender failed to take action against Malware - details : Severity ( %s ) , Name ( %s ) , Action ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Action[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender failed to take action against Malware")
@ -833,11 +901,11 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
# Windows Defender 发现恶意软件
if row['Event ID'] == "1116" or row['Event ID'] == "1006": if row['Event ID'] == "1116" or row['Event ID'] == "1006":
#print("##### " + row['Date and Time'] + " #### ", end='') # 生成事件描述
#print(" Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender Found Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
# 将事件信息添加到 Windows_Defender_events 列表中
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware") Windows_Defender_events[0]['Detection Rule'].append("Windows Defender Found Malware")
@ -851,6 +919,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0])) #print(" Windows Defender deleted history of malwares - details : User ( %s ) "%(User[0]))
# Windows Defender 删除了恶意软件的历史记录 - 详细信息:用户
Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0]) Event_desc = " Windows Defender deleted history of malwares - details : User ( %s ) " % (User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -865,6 +934,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0])) #print(" Windows Defender detected suspicious behavious Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) "%(Severity[0].strip(),Name[0].strip(),Category[0].strip(),Path[0].strip(),Process_Name[0].strip(),User[0]))
# Windows Defender 检测到可疑行为的恶意软件 - 详细信息
Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0]) Event_desc = "Windows Defender detected suspicious behavior Malware - details : Severity ( %s ) , Name ( %s ) , Catgeory ( %s ) , Path ( %s ) , Process Name ( %s ) , User ( %s ) " % (Severity[0].strip(), Name[0].strip(), Category[0].strip(), Path[0].strip(), Process_Name[0].strip(), User[0])
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -879,6 +949,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print("Windows Defender real-time protection disabled") #print("Windows Defender real-time protection disabled")
# Windows Defender 实时保护已禁用
Event_desc = "Windows Defender real-time protection disabled" Event_desc = "Windows Defender real-time protection disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -893,6 +964,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender real-time protection configuration changed") #print(" Windows Defender real-time protection configuration changed")
# Windows Defender 实时保护配置已更改
Event_desc = "Windows Defender real-time protection configuration changed" Event_desc = "Windows Defender real-time protection configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -907,6 +979,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender antimalware platform configuration changed") #print(" Windows Defender antimalware platform configuration changed")
# Windows Defender 反恶意软件平台配置已更改
Event_desc = "Windows Defender antimalware platform configuration changed" Event_desc = "Windows Defender antimalware platform configuration changed"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -921,6 +994,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
#print("##### " + row['Date and Time'] + " #### ", end='') #print("##### " + row['Date and Time'] + " #### ", end='')
#print(" Windows Defender scanning for malware is disabled") #print(" Windows Defender scanning for malware is disabled")
# Windows Defender 扫描恶意软件已禁用
Event_desc = "Windows Defender scanning for malware is disabled" Event_desc = "Windows Defender scanning for malware is disabled"
Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat()) Windows_Defender_events[0]['Date and Time'].append(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p').isoformat())
Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p'))) Windows_Defender_events[0]['timestamp'].append(datetime.timestamp(datetime.strptime(row['Date and Time'], '%m/%d/%Y %I:%M:%S %p')))
@ -931,6 +1005,7 @@ def detect_events_windows_defender_log(file_name='Defender-logs.csv',winevent=Fa
Windows_Defender_events[0]['Event ID'].append(row['Event ID']) Windows_Defender_events[0]['Event ID'].append(row['Event ID'])
Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " ")) Windows_Defender_events[0]['Original Event Log'].append(str(row['Details']).replace("\r", " "))
if row['Event ID'] == "5012" : if row['Event ID'] == "5012" :
print("##### " + row['Date and Time'] + " #### ", end='') print("##### " + row['Date and Time'] + " #### ", end='')
print(" Windows Defender scanning for viruses is disabled") print(" Windows Defender scanning for viruses is disabled")


@ -1,13 +1,13 @@
import json import json # 导入用于处理JSON数据的模块
import sqlite3 import sqlite3 # 导入用于操作SQLite数据库的模块
import tempfile import tempfile # 导入用于创建临时文件和目录的模块
import os import os # 导入用于操作系统功能的模块
import time import time # 导入用于处理时间相关功能的模块
import pandas as pd import pandas as pd # 导入用于数据处理和分析的Pandas库
import geoip2.database import geoip2.database # 导入用于GeoLite2数据库的GeoIP2库
import requests import requests # 导入用于发送HTTP请求的模块
from dateutil import parser, tz from dateutil import parser, tz # 导入用于解析和处理日期时间的模块
from pathlib import Path from pathlib import Path # 导入用于处理文件路径的模块
# 初始化全局变量用于计时 # 初始化全局变量用于计时
start_time = 0 start_time = 0
@ -103,13 +103,22 @@ def convert_csv(input_file, temp):
返回: 返回:
- json_file: 生成的JSON文件路径 - json_file: 生成的JSON文件路径
""" """
# 创建一个新的JSON文件路径结合临时目录和文件名
json_file = os.path.join(temp, 'audit_data.json') json_file = os.path.join(temp, 'audit_data.json')
# 同时打开输入的CSV文件进行读取和新的JSON文件进行写入设置编码为UTF-8
# 使用上下文管理器确保文件正确关闭
with open(input_file, 'r', encoding='utf-8') as csv_file, open(json_file, 'w', encoding='utf-8') as jsonl_file: with open(input_file, 'r', encoding='utf-8') as csv_file, open(json_file, 'w', encoding='utf-8') as jsonl_file:
# 使用csv.DictReader来读取CSV文件每行会转换为字典
reader = csv.DictReader(csv_file) reader = csv.DictReader(csv_file)
# 迭代读取CSV文件的每一行
for row in reader: for row in reader:
# 将CSV文件中'AuditData'字段的字符串解析为JSON对象
json_data = json.loads(row['AuditData']) json_data = json.loads(row['AuditData'])
# 将JSON对象再次转换为字符串
json_string = json.dumps(json_data) json_string = json.dumps(json_data)
# 将转换后的JSON字符串写入json文件每行一个JSON对象以换行符结束
jsonl_file.write(json_string + '\n') jsonl_file.write(json_string + '\n')
# 返回新创建的JSON文件的路径
return json_file return json_file
def flatten_json_file(input_file, timezone, chunk_size=10000): def flatten_json_file(input_file, timezone, chunk_size=10000):
@ -124,18 +133,30 @@ def flatten_json_file(input_file, timezone, chunk_size=10000):
返回: 返回:
- DataFrame: 展平后的数据 - DataFrame: 展平后的数据
""" """
# 初始化一个空列表用于存储数据块
chunks = [] chunks = []
# 打开输入的JSON文件进行读取
with open(input_file, 'r') as file: with open(input_file, 'r') as file:
# 读取所有行到一个列表中
lines = file.readlines() lines = file.readlines()
# 按块大小迭代处理行
for i in range(0, len(lines), chunk_size): for i in range(0, len(lines), chunk_size):
# 将当前块的每一行解析为JSON对象
chunk = [json.loads(line) for line in lines[i:i + chunk_size]] chunk = [json.loads(line) for line in lines[i:i + chunk_size]]
# 处理每个记录
for record in chunk: for record in chunk:
# 如果记录中包含'CreationTime'字段
if 'CreationTime' in record: if 'CreationTime' in record:
# 解析'CreationTime'字段为日期时间对象
creation_time = parser.parse(record['CreationTime']) creation_time = parser.parse(record['CreationTime'])
# 如果日期时间对象没有时区信息设置为UTC
if creation_time.tzinfo is None: if creation_time.tzinfo is None:
creation_time = creation_time.replace(tzinfo=tz.tzutc()) creation_time = creation_time.replace(tzinfo=tz.tzutc())
# 将日期时间对象转换为目标时区并格式化为ISO格式字符串
record['CreationTime'] = creation_time.astimezone(timezone).isoformat() record['CreationTime'] = creation_time.astimezone(timezone).isoformat()
# 将当前块展平并添加到数据块列表中
chunks.append(pd.json_normalize(chunk)) chunks.append(pd.json_normalize(chunk))
# 合并所有数据块为一个DataFrame并返回
return pd.concat(chunks, ignore_index=True) return pd.concat(chunks, ignore_index=True)
def create_sqlite_db_from_dataframe(dataframe, db_name): def create_sqlite_db_from_dataframe(dataframe, db_name):
@ -146,10 +167,14 @@ def create_sqlite_db_from_dataframe(dataframe, db_name):
- dataframe: 包含数据的Pandas DataFrame - dataframe: 包含数据的Pandas DataFrame
- db_name: SQLite数据库文件名 - db_name: SQLite数据库文件名
""" """
# 连接到SQLite数据库如果数据库不存在则会创建
conn = sqlite3.connect(db_name) conn = sqlite3.connect(db_name)
# 将DataFrame中的所有列转换为字符串类型
dataframe = dataframe.astype(str) dataframe = dataframe.astype(str)
# 将DataFrame写入SQLite数据库中的'table'表,如果表已存在则替换
dataframe.to_sql('events', conn, if_exists='replace', index=False, dataframe.to_sql('events', conn, if_exists='replace', index=False,
dtype={col_name: 'TEXT' for col_name in dataframe.columns}) dtype={col_name: 'TEXT' for col_name in dataframe.columns})
# 关闭数据库连接
conn.close() conn.close()
def read_detection_rules(rule_file): def read_detection_rules(rule_file):
@ -176,17 +201,29 @@ def apply_detection_logic_sqlite(db_name, rules):
返回: 返回:
- DataFrame: 检测到的异常事件 - DataFrame: 检测到的异常事件
""" """
# 连接到SQLite数据库
conn = sqlite3.connect(db_name) conn = sqlite3.connect(db_name)
# 初始化一个空列表用于存储所有检测到的事件
all_detected_events = [] all_detected_events = []
# 遍历每个检测规则
for rule in rules: for rule in rules:
# 获取规则名称
rule_name = rule['name'] rule_name = rule['name']
# 获取规则严重性
severity = rule['severity'] severity = rule['severity']
# 获取规则的SQL查询
query = rule['query'] query = rule['query']
# 执行SQL查询并将结果存储到DataFrame中
detected_events = pd.read_sql_query(query, conn) detected_events = pd.read_sql_query(query, conn)
# 添加规则名称列到DataFrame
detected_events['RuleName'] = rule_name detected_events['RuleName'] = rule_name
# 添加严重性列到DataFrame
detected_events['Severity'] = severity detected_events['Severity'] = severity
# 将当前规则检测到的事件添加到列表中
all_detected_events.append(detected_events) all_detected_events.append(detected_events)
# 关闭数据库连接
conn.close() conn.close()
# 合并所有检测到的事件为一个DataFrame并返回如果没有检测到事件则返回空DataFrame
return pd.concat(all_detected_events, ignore_index=True) if all_detected_events else pd.DataFrame() return pd.concat(all_detected_events, ignore_index=True) if all_detected_events else pd.DataFrame()
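Review bot: The connection opened by `conn = sqlite3.connect(db_name)` in apply_detection_logic_sqlite is only closed on the success path, so a rule whose `query` fails inside `pd.read_sql_query` (or a rule missing `name`, `severity` or `query`, which raises KeyError on the lookups above) leaves the handle open, and on Windows that may keep the temporary database file locked; create_sqlite_db_from_dataframe in the previous hunk has the same shape around `to_sql`. Wrap the loop in `try:` / `finally: conn.close()` in both functions (or `with contextlib.closing(sqlite3.connect(db_name)) as conn:` if contextlib is imported at the top of the file, which is outside this hunk). Because `rule['query']` is handed verbatim to `pd.read_sql_query`, the rule file is effectively executable SQL against the audit database; the docstring should say that it must come from a trusted location and that every rule needs the keys `name`, `severity` and `query`. The `pd.DataFrame()` fallback on the return line also hides an empty `rules` list from the caller — consider logging when no rules were loaded so an empty report is not mistaken for a clean one.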
def download_geolite_db(geolite_db_path): def download_geolite_db(geolite_db_path):
@ -234,26 +271,22 @@ def analyzeoff365(auditfile, rule_file, output, timezone, include_flattened_data
- include_flattened_data: 是否包含展平后的数据 - include_flattened_data: 是否包含展平后的数据
- geolite_db_path: GeoLite2数据库文件路径 - geolite_db_path: GeoLite2数据库文件路径
""" """
global start_time, end_time global start_time, end_time # 声明全局变量start_time和end_time
start_time = time.time() start_time = time.time() # 记录开始时间
temp_dir = ".temp" temp_dir = ".temp" # 设置临时目录路径
if output is None or output == "": if output is None or output == "": # 如果输出目录未指定或为空
output = os.path.splitext(auditfile)[0] output = os.path.splitext(auditfile)[0] # 使用审计文件的基础名称作为输出目录
try: try:
os.makedirs(output, exist_ok=True) os.makedirs(output, exist_ok=True) # 创建输出目录,如果不存在则创建
os.makedirs(temp_dir, exist_ok=True) os.makedirs(temp_dir, exist_ok=True) # 创建临时目录,如果不存在则创建
if not os.path.exists(geolite_db_path): # 如果GeoLite2数据库文件不存在
if not os.path.exists(geolite_db_path): download_geolite_db(geolite_db_path) # 下载GeoLite2数据库
download_geolite_db(geolite_db_path) json_file = convert_csv(auditfile, temp_dir) # 将CSV文件转换为JSON文件
input_file = json_file # 设置输入文件路径为转换后的JSON文件
json_file = convert_csv(auditfile, temp_dir) db_name = os.path.join(temp_dir, 'audit_data.db') # 设置SQLite数据库文件路径
input_file = json_file if rule_file is None: # 如果规则文件未指定
db_name = os.path.join(temp_dir, 'audit_data.db') rule_file = 'O365_detection_rules.json' # 使用默认的规则文件名
output_file = f"{output}_o365_report.xlsx" # 设置输出的Excel报告文件路径
if rule_file is None:
rule_file = 'O365_detection_rules.json'
output_file = f"{output}_o365_report.xlsx"
# 展平JSON数据并处理时间戳 # 展平JSON数据并处理时间戳
flattened_df = flatten_json_file(input_file, timezone) flattened_df = flatten_json_file(input_file, timezone)


@ -1,101 +1,107 @@
# 尝试创建一个名为 "wineventlog" 的目录
try { try {
New-Item -ItemType "directory" -Path "wineventlog" New-Item -ItemType "directory" -Path "wineventlog"
} }
catch catch {
{ # 如果创建目录失败,输出错误信息
echo "can't create a new directory" echo "can't create a new directory"
} }
# 尝试获取安全日志并导出为 CSV 文件
try { try {
get-eventlog -log Security | export-csv wineventlog/Security.csv get-eventlog -log Security | export-csv wineventlog/Security.csv
} }
catch catch {
{ # 如果获取安全日志失败,输出错误信息
echo "Can't retrieve Security Logs" echo "Can't retrieve Security Logs"
} }
try # 尝试获取系统日志并导出为 CSV 文件
{ try {
Get-WinEvent -LogName System | export-csv wineventlog/System.csv Get-WinEvent -LogName System | export-csv wineventlog/System.csv
} }
catch catch {
{ # 如果获取系统日志失败,输出错误信息
echo "Can't retrieve System Logs" echo "Can't retrieve System Logs"
} }
# 尝试获取应用程序日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv Get-WinEvent -LogName Application | export-csv wineventlog/Application.csv
} }
catch catch {
{ # 如果获取应用程序日志失败,输出错误信息
echo "Can't retrieve Application Logs" echo "Can't retrieve Application Logs"
} }
# 尝试获取 Windows PowerShell 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv Get-WinEvent -LogName "Windows PowerShell" | export-csv wineventlog/Windows_PowerShell.csv
} }
catch catch {
{ # 如果获取 Windows PowerShell 日志失败,输出错误信息
echo "Can't retrieve Windows PowerShell Logs" echo "Can't retrieve Windows PowerShell Logs"
} }
# 尝试获取 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | export-csv wineventlog/LocalSessionManager.csv
} }
catch catch {
{ # 如果获取 LocalSessionManager 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs" echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
} }
# 尝试获取 Microsoft-Windows-Windows Defender/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | export-csv wineventlog/Windows_Defender.csv
} }
catch catch {
{ # 如果获取 Windows Defender 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs" echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
} }
# 尝试获取 Microsoft-Windows-TaskScheduler/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational | export-csv wineventlog/TaskScheduler.csv
} }
catch catch {
{ # 如果获取 TaskScheduler 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs" echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
} }
# 尝试获取 Microsoft-Windows-WinRM/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv Get-WinEvent -LogName Microsoft-Windows-WinRM/Operational | export-csv wineventlog/WinRM.csv
} }
catch catch {
{ # 如果获取 WinRM 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs" echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
} }
# 尝试获取 Microsoft-Windows-Sysmon/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | export-csv wineventlog/Sysmon.csv
} }
catch catch {
{ # 如果获取 Sysmon 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs" echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
} }
# 尝试获取 Microsoft-Windows-PowerShell/Operational 日志并导出为 CSV 文件
try { try {
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | export-csv wineventlog/Powershell_Operational.csv
} }
catch catch {
{ # 如果获取 PowerShell Operational 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs" echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
} }
# 尝试压缩 "wineventlog" 目录为 logs.zip
try try {
{
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
} }
catch catch {
{ # 如果压缩失败,输出错误信息
echo "couldn't compress the the log folder " echo "couldn't compress the log folder"
} }
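Review bot: The `catch` blocks in this script are effectively unreachable for the failures they describe: `Get-EventLog`, `Get-WinEvent` and `New-Item` emit non-terminating errors by default, so a failed read is written to the error stream and the pipeline continues into `export-csv` without ever entering `catch`, and the "Can't retrieve ... Logs" messages are never printed. Adding `-ErrorAction Stop` to each cmdlet, e.g. `Get-WinEvent -LogName System -ErrorAction Stop | export-csv wineventlog/System.csv`, makes the handlers fire as intended; alternatively set `$ErrorActionPreference = 'Stop'` once at the top of the script. Note that with Stop in effect, `Get-WinEvent` also errors on a log that simply contains no events, so the message would then cover "empty" as well as "inaccessible" — worth saying in the comment above each block. The wevtutil variant of this script in the next file section has the same dead-catch problem for a different reason.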

@ -1,101 +1,107 @@
# 尝试创建一个名为 "wineventlog" 的目录
try { try {
New-Item -ItemType "directory" -Path "wineventlog" New-Item -ItemType "directory" -Path "wineventlog"
} }
catch catch {
{ # 如果创建目录失败,输出错误信息
echo "can't create a new directory" echo "can't create a new directory"
} }
# 尝试导出安全日志到指定的 EVTX 文件
try { try {
wevtutil epl Security wineventlog/Security.evtx wevtutil epl Security wineventlog/Security.evtx
} }
catch catch {
{ # 如果导出安全日志失败,输出错误信息
echo "Can't retrieve Security Logs" echo "Can't retrieve Security Logs"
} }
try # 尝试导出系统日志到指定的 EVTX 文件
{ try {
wevtutil epl System wineventlog/System.evtx wevtutil epl System wineventlog/System.evtx
} }
catch catch {
{ # 如果导出系统日志失败,输出错误信息
echo "Can't retrieve System Logs" echo "Can't retrieve System Logs"
} }
# 尝试导出应用程序日志到指定的 EVTX 文件
try { try {
wevtutil epl Application wineventlog/Application.evtx wevtutil epl Application wineventlog/Application.evtx
} }
catch catch {
{ # 如果导出应用程序日志失败,输出错误信息
echo "Can't retrieve Application Logs" echo "Can't retrieve Application Logs"
} }
# 尝试导出 Windows PowerShell 日志到指定的 EVTX 文件
try { try {
wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx wevtutil epl "Windows PowerShell" wineventlog/Windows_PowerShell.evtx
} }
catch catch {
{ # 如果导出 Windows PowerShell 日志失败,输出错误信息
echo "Can't retrieve Windows PowerShell Logs" echo "Can't retrieve Windows PowerShell Logs"
} }
# 尝试导出 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx wevtutil epl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" wineventlog/LocalSessionManager.evtx
} }
catch catch {
{ # 如果导出 LocalSessionManager 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs" echo "Can't retrieve Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Logs"
} }
# 尝试导出 Microsoft-Windows-Windows Defender/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx wevtutil epl "Microsoft-Windows-Windows Defender/Operational" wineventlog/Windows_Defender.evtx
} }
catch catch {
{ # 如果导出 Windows Defender 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs" echo "Can't retrieve Microsoft-Windows-Windows Defender/Operational Logs"
} }
# 尝试导出 Microsoft-Windows-TaskScheduler/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx wevtutil epl Microsoft-Windows-TaskScheduler/Operational wineventlog/TaskScheduler.evtx
} }
catch catch {
{ # 如果导出 TaskScheduler 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs" echo "Can't retrieve Microsoft-Windows-TaskScheduler/Operational Logs"
} }
# 尝试导出 Microsoft-Windows-WinRM/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx wevtutil epl Microsoft-Windows-WinRM/Operational wineventlog/WinRM.evtx
} }
catch catch {
{ # 如果导出 WinRM 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs" echo "Can't retrieve Microsoft-Windows-WinRM/Operational Logs"
} }
# 尝试导出 Microsoft-Windows-Sysmon/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx wevtutil epl Microsoft-Windows-Sysmon/Operational wineventlog/Sysmon.evtx
} }
catch catch {
{ # 如果导出 Sysmon 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs" echo "Can't retrieve Microsoft-Windows-Sysmon/Operational Logs"
} }
# 尝试导出 Microsoft-Windows-PowerShell/Operational 日志到指定的 EVTX 文件
try { try {
wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx wevtutil epl Microsoft-Windows-PowerShell/Operational wineventlog/Powershell_Operational.evtx
} }
catch catch {
{ # 如果导出 PowerShell Operational 日志失败,输出错误信息
echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs" echo "Can't retrieve Microsoft-Windows-PowerShell/Operational Logs"
} }
# 尝试压缩 "wineventlog" 目录为 logs.zip
try try {
{
Compress-Archive -Path wineventlog -DestinationPath ./logs.zip Compress-Archive -Path wineventlog -DestinationPath ./logs.zip
} }
catch catch {
{ # 如果压缩失败,输出错误信息
echo "couldn't compress the the log folder " echo "couldn't compress the log folder"
} }
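Review bot: `wevtutil epl` is an external executable, so a failed export never raises a PowerShell exception and none of the `catch` blocks with the "Can't retrieve ... Logs" messages can fire; wevtutil reports failure only through its exit code. Check `$LASTEXITCODE` after each call, e.g. `if ($LASTEXITCODE -ne 0) { echo "Can't retrieve System Logs" }`, or wrap the call in a small helper that turns a non-zero exit into a terminating error so the existing `try`/`catch` structure becomes meaningful. Also, if an `.evtx` file from a previous run already exists in `wineventlog`, `wevtutil epl` refuses to overwrite it unless the `/ow:true` switch is given, so a rerun in the same folder fails just as silently — either pass `/ow:true` or document that the folder must be empty. The `New-Item` call at the top has the same non-terminating-error behaviour as in the Get-WinEvent variant, so `-ErrorAction Stop` is needed there for its `catch` to run.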