admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加BRC4的检测

Browse Source 
增加BRC4的检测
This commit is contained in:
huoji
2022-09-21 15:28:07 +08:00
parent ee5ae888ce
commit a1c158f8cd
7 changed files with 85 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
Server/rules/py/attck/process.py
View File

@@ -131,7 +131,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*at.exe.*"',
'originalfilename == "at.exe"',
],
'attck_hit':['T1053.002'],
'score': 10,
@@ -179,9 +179,9 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*net.exe" and commandline =~ ".*domain.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*view.*"',
'originalfilename =~ ".*net.exe" and commandline =~ ".*workstation.*"'
'originalfilename == "net.exe" and commandline =~ ".*domain.*"',
'originalfilename == "net.exe" and commandline =~ ".*view.*"',
'originalfilename == "net.exe" and commandline =~ ".*workstation.*"'
],
'attck_hit':['T1087.002'],
'score': 10,
@@ -189,7 +189,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*netsh.exe" and commandline =~ ".*firewall.*"',
'originalfilename == "netsh.exe" and commandline =~ ".*firewall.*"',
],
'attck_hit':['T1562.004'],
'score': 10,
@@ -289,7 +289,7 @@ rule = [
},
{
'rules': [
'originalfilename =~ ".*wmic.exe.*"'
'originalfilename == "wmic.exe"'
],
'attck_hit':['T1559.001'],
'score': 30,