class SearchUserDetail(DetectBase): def __init__(self): super().__init__(code=ALERT_CODE, title=TITLE, desc=DESC_TEMPLATE) self.account_info = AccountInfo() self.account_history = AccountHistory() def run(self, log: Log): self.init(log=log) if log.object_info.type != "SAM_USER": return user_name = log.subject_info.user_name if user_name.endswith("$"): return target_sid = log.object_info.name if not target_sid.startswith("S-1-5-21-"): return # 查询自身也忽略 if log.subject_info.user_sid == target_sid: return # 判断域名是否存在于需要检查的域名中 domain_name = log.subject_info.domain_name if filter_domain(domain_name): return # 如果账号是管理员 直接忽略 if self.account_info.check_target_is_admin_by_sid( sid=log.subject_info.user_sid, domain=domain_name): return # 判断操作者是否为Users if not self.account_info.check_target_is_user_by_name( user_name, domain_name): return # 判断是否为敏感用户 if not self.account_info.user_is_sensitive_by_sid(sid=target_sid, domain=domain_name): return ldap = LDAPSearch(domain_name) target_user_name = str( ldap.search_by_sid(target_sid, attributes=["cn"])["cn"]) return self._generate_alert_doc(target_user_name=target_user_name) def _generate_alert_doc(self, **kwargs) -> dict: source_ip = self._get_source_ip_by_logon_id( self.log.subject_info.logon_id, self.log.subject_info.full_user_name) form_data = { "source_workstation": self._get_workstation_by_source_ip(source_ip), "source_ip": source_ip, "source_user_name": self.log.subject_info.user_name, "source_user_sid": self.log.subject_info.user_sid, "source_logon_id": self.log.subject_info.logon_id, "source_domain": self.log.subject_info.domain_name, **kwargs } doc = self._get_base_doc(level=self._get_level(), unique_id=self._get_unique_id( self.code, self.log.subject_info.user_name), form_data=form_data) return doc def _get_level(self) -> str: return LOW_LEVEL
class PsLoggedOn(DetectBase): def __init__(self): super().__init__(code=ALERT_CODE, title=TITLE, desc=DESC_TEMPLATE) self.es = ElasticHelper() self.account_info = AccountInfo() def run(self, log: Log): self.init(log=log) if log.event_data["ShareName"] != r"\\*\IPC$": return if log.event_data["RelativeTargetName"] != "srvsvc": return # 忽略域管理员的访问 if self.account_info.check_target_is_admin_by_sid( sid=log.subject_info.user_sid, domain=log.subject_info.domain_name): return # 存在向前查找,则延迟确认 if "_delay_info" not in log.record: self.delay_confirm_log() return self.es.wait_log_in_database(log.dc_computer_name, log.record_number) is_match = self._search_forward(log) if is_match: return self._generate_alert_doc() def _generate_alert_doc(self, **kwargs) -> dict: form_data = { "source_workstation": self._get_workstation_by_source_ip( self.log.source_info.ip_address), "source_ip": self.log.source_info.ip_address, "source_user_name": self.log.subject_info.user_name, "source_user_sid": self.log.subject_info.user_sid, "source_logon_id": self.log.subject_info.logon_id, "source_domain": self.log.subject_info.domain_name, "dc_hostname": self.log.dc_host_name, **kwargs } doc = self._get_base_doc(level=self._get_level(), unique_id=self._get_unique_id( self.code, self.log.source_info.ip_address), form_data=form_data) return doc def _get_level(self) -> str: return LOW_LEVEL def _search_forward(self, log: Log): """ """ base = { "index": ElasticConfig.event_log_index, "doc_type": ElasticConfig.event_log_doc_type } # 开始向前查找 msearch_body = [base] body_winreg = self._get_query(log, "winreg") msearch_body.append(body_winreg) msearch_body.append(base) body_lsarpc = self._get_query(log, "lsarpc") msearch_body.append(body_lsarpc) results = self.es.multi_search( body=msearch_body, index=ElasticConfig.event_log_index, doc_type=ElasticConfig.event_log_doc_type) for each in results["responses"]: if each.get("error"): logger.error("PsLoggedOn module - multi search error: " + each.get("error").get("reason")) raise MsearchException() elif each["hits"]["total"] == 0: return False return True def _get_query(self, log: Log, relative_target_name): computer_term = get_term_statement("computer_name", log.dc_computer_name), ago_time = move_n_min(utc_to_datetime(log.utc_log_time), 1) time_str = datetime_to_utc(ago_time) logon_id_term = get_term_statement("event_data.SubjectLogonId.keyword", log.subject_info.logon_id) share_name_term = get_term_statement("event_data.ShareName.keyword", r"\\*\IPC$") time_term = get_time_range("gt", time_str), relative_term = get_term_statement( "event_data.RelativeTargetName.keyword", relative_target_name) query = { "query": get_must_statement(logon_id_term, share_name_term, relative_term, time_term, computer_term), "_source": False, "size": 1 } return query
class UnknownAdminLogin(DetectBase): def __init__(self): super().__init__(code=ALERT_CODE, title=TITLE, desc=DESC_TEMPLATE) self.account_info = AccountInfo() def run(self, log: Log): self.init(log=log) sid = log.subject_info.user_sid user_name = log.subject_info.user_name domain_name = log.subject_info.domain_name if domain_name.lower() == "window manager": return if not self._is_in_domain_list(domain_name): return if len(log.subject_info.user_sid.split("-")) == 4: return # 排除域控计算机账户的本地特权登录 if user_name.endswith("$"): domain = get_netbios_domain(domain_name) if user_name[:-1] in main_config.dc_name_list[domain]: return if self.account_info.check_target_is_admin_by_sid(sid=sid, domain=domain_name): return return self._generate_alert_doc() def _generate_alert_doc(self, **kwargs) -> dict: source_ip = self._get_source_ip_by_logon_id( self.log.subject_info.logon_id, self.log.subject_info.full_user_name) form_data = { "source_workstation": self._get_workstation_by_source_ip(source_ip), "source_ip": source_ip, "target_user_name": self.log.subject_info.user_name, "target_user_sid": self.log.subject_info.user_sid, "target_logon_id": self.log.subject_info.logon_id, "target_domain": self.log.subject_info.domain_name, "dc_hostname": self.log.dc_host_name, **kwargs } doc = self._get_base_doc(level=self._get_level(), unique_id=self._get_unique_id( self.code, self.log.subject_info.user_name), form_data=form_data) return doc def _get_level(self) -> str: return HIGH_LEVEL def _is_in_domain_list(self, domain: str) -> bool: """ 域名是否在已知需要监控的域列表中 """ domain = get_netbios_domain(domain) for each in main_config.domain_list: if domain == get_netbios_domain(each): return True return False
class EnumerateGroup(DetectBase): def __init__(self): super().__init__(code=ALERT_CODE, title=TITLE, desc=DESC_TEMPLATE) self.account_info = AccountInfo() def run(self, log: Log): self.init(log=log) if log.object_info.server != "Security Account Manager": return if log.object_info.type != "SAM_GROUP": return sid = log.object_info.name if not sid.startswith("S-1-5-21-"): return user_name = log.subject_info.user_name if user_name.endswith("$"): return # 如果账号是管理员 直接忽略 if self.account_info.check_target_is_admin_by_sid( sid=sid, domain=log.subject_info.domain_name): return # 判断账号是否为 Users,如果不是,直接退出 if not self.account_info.check_target_is_user_by_name( user_name, log.subject_info.domain_name): return group_name = self._get_group_name(sid, log.subject_info.domain_name) if not group_name: return sensitive_groups = list( map(lambda x: x["name"], main_config.sensitive_groups)) if group_name in sensitive_groups: return self._generate_alert_doc(group_name=group_name) def _get_group_name(self, sid, domain): ldap = LDAPSearch(domain) entry = ldap.search_by_sid(sid, attributes=["cn"]) if entry: return str(entry["cn"]) def _generate_alert_doc(self, **kwargs) -> dict: source_ip = self._get_source_ip_by_logon_id( self.log.subject_info.logon_id, self.log.subject_info.full_user_name) form_data = { "source_workstation": self._get_workstation_by_source_ip(source_ip), "source_ip": source_ip, "source_user_name": self.log.subject_info.user_name, "source_user_sid": self.log.subject_info.user_sid, "source_logon_id": self.log.subject_info.logon_id, "source_domain": self.log.subject_info.domain_name, **kwargs } doc = self._get_base_doc(level=self._get_level(), unique_id=self._get_unique_id( self.code, self.log.subject_info.user_name), form_data=form_data) return doc def _get_level(self) -> str: return LOW_LEVEL
class ACLModify(DetectBase): def __init__(self): super().__init__(code=ALERT_CODE, title=TITLE, desc=DESC_TEMPLATE) self.parser = SDDLParser() self.account_info = AccountInfo() self.watch_object_class = [ "container", "domainDNS", "groupPolicyContainer" ] def run(self, log: Log): self.init(log=log) if log.object_info.class_ not in self.watch_object_class: return if log.event_data["AttributeLDAPDisplayName"] != "nTSecurityDescriptor": return abnormal_ace_list = [] abnormal_users = [] content = self.parser.parse(log.event_data["AttributeValue"]) domain = log.subject_info.domain_name for ace in content["dacl_ace_list"]: trustee = ace["trustee"] # 判断是否为SID,因为这种ACL几乎都是默认的用户,很少特殊指定用户 if trustee.startswith("S-1-5-21-"): # 首先检查 该SID是否为某个用户?(Users),如果不是,则忽略掉 if not self.account_info.check_target_is_user_by_sid( trustee, domain): continue # 获取用户信息 user = self.account_info.get_user_info_by_sid(sid=trustee, domain=domain) # 目标是否为管理员权限 if self.account_info.check_target_is_admin_by_sid( trustee, domain): continue if user.user_name in abnormal_users: continue abnormal_users.append(user.user_name) abnormal_ace = self._get_abnormal_ace(ace, domain) abnormal_ace_list.append(abnormal_ace) if len(abnormal_ace_list) > 0: return self._generate_alert_doc( object_class=log.object_info.class_, abnormal_ace_list=abnormal_ace_list, parsed_sddl=content, abnormal_users=abnormal_users) def _generate_alert_doc(self, **kwargs) -> dict: source_ip = self._get_source_ip_by_logon_id( self.log.subject_info.logon_id, self.log.subject_info.full_user_name) form_data = { "source_workstation": self._get_workstation_by_source_ip(source_ip), "source_ip": source_ip, "source_user_name": self.log.subject_info.user_name, "source_user_sid": self.log.subject_info.user_sid, "source_logon_id": self.log.subject_info.logon_id, "source_domain": self.log.subject_info.domain_name, "object_info": self.log.object_info.get_doc(), **kwargs } doc = self._get_base_doc(level=self._get_level(), unique_id=self._get_unique_id( self.code, self.log.subject_info.user_name), form_data=form_data) return doc def _get_level(self) -> str: return HIGH_LEVEL def _get_abnormal_ace(self, ace, domain) -> dict: trustee = ace["trustee"] ace["user_name"] = "unknown" user_info = self.account_info.get_user_info_by_sid(sid=trustee, domain=domain) if user_info: ace["user_name"] = user_info.user_name return copy.deepcopy(ace)