cuckoo集成sysmon系统监控工具

2023-09-01 15:25:22
1.引入sysmon.exe文件

MD5:6b3a1d07407ae2670154b9ca624f6db9

2.编写调用模块
import logging
import os
import time
import subprocess
import threading

from lib.common.abstracts import Auxiliary
from lib.common.results import upload_to_host

# Module-level logger; every method of the auxiliary class below reports through it.
log = logging.getLogger(__name__)


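class Sysmon(threading.Thread, Auxiliary):
    """Guest-side auxiliary module that installs Sysmon and ships its event log.

    ``start()`` installs the Sysmon driver bundled with the analyzer and then
    starts this thread.  ``run()`` clears the Sysmon operational channel and
    uploads a fresh XML export of it to the host every ``INTERVAL`` seconds
    until ``stop()`` is called, which takes one final export.
    """

    # Fixed paths used by every wevtutil invocation.
    WEVTUTIL = "C:\\Windows\\System32\\wevtutil.exe"
    CHANNEL = "microsoft-windows-sysmon/operational"
    LOG_PATH = "C:\\sysmon.xml"
    # Seconds between two periodic exports in run().
    INTERVAL = 15

    def __init__(self, options=None, analyzer=None):
        """Create the thread; ``options`` defaults to a fresh dict per instance.

        Args:
            options: analyzer options passed through to ``Auxiliary``.
            analyzer: the running analyzer; ``start()`` reads ``analyzer.path``.
        """
        threading.Thread.__init__(self)
        # A ``None`` default avoids sharing one mutable dict between instances.
        Auxiliary.__init__(self, {} if options is None else options, analyzer)
        self.do_run = True
        # Hide the console window of every child process spawned below.
        self.startupinfo = subprocess.STARTUPINFO()
        self.startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW

    def _wevtutil(self, *args, **kwargs):
        """Run wevtutil.exe with ``args`` as an argv list (no shell involved).

        Extra keyword arguments (e.g. ``stdout``) are passed to
        ``subprocess.call``.  Returns the exit status; raises ``OSError`` only
        when the executable itself cannot be launched.
        """
        return subprocess.call([self.WEVTUTIL] + list(args),
                               startupinfo=self.startupinfo, **kwargs)

    def clear_log(self):
        """Empty the Sysmon channel so only analysis-time events are exported."""
        try:
            status = self._wevtutil("clear-log", self.CHANNEL)
        except Exception as e:
            log.error("Error clearing Sysmon events - %s" % e)
            return
        if status != 0:
            log.error("wevtutil clear-log exited with status %s" % status)

    def collect_logs(self):
        """Export the Sysmon channel to XML and upload it to the host.

        The export is written to ``LOG_PATH`` (overwritten on every call) and
        uploaded as ``sysmon/<time.time()>.sysmon.xml``.  ``/e:Events`` wraps
        the events in a single ``Events`` root element, which is what the host
        processing module expects.
        """
        try:
            with open(self.LOG_PATH, "wb") as out:
                # wevtutil writes the XML to stdout; hand it the file directly
                # instead of relying on a cmd.exe ">" redirection.
                status = self._wevtutil("query-events", self.CHANNEL,
                                        "/format:xml", "/e:Events", stdout=out)
        except Exception as e:
            log.error("Could not create sysmon log file - %s" % e)
            return
        if status != 0:
            log.error("wevtutil query-events exited with status %s" % status)

        # subprocess.call blocks until wevtutil exits, so no settle delay is needed.
        if os.path.exists(self.LOG_PATH):
            upload_to_host(self.LOG_PATH, "sysmon/%s.sysmon.xml" % time.time())
        else:
            log.error("Sysmon log file not found in guest machine")

    def run(self):
        """Thread body: clear the channel, then export it every INTERVAL seconds."""
        self.clear_log()
        while self.do_run:
            self.collect_logs()
            time.sleep(self.INTERVAL)

        return True

    def stop(self):
        """Stop the periodic loop and take one final export before shutdown."""
        self.do_run = False
        self.collect_logs()
        return True

    def start(self):
        """Install Sysmon from the analyzer's bin/ directory, then start the thread.

        This method shadows ``threading.Thread.start``, so the thread is started
        explicitly afterwards; without that call ``run()`` is never scheduled
        and only the final export from ``stop()`` would ever reach the host.
        ``-i`` without a configuration file installs Sysmon with its defaults.
        """
        status = subprocess.call(
            [os.path.join(self.analyzer.path, "bin", "sysmon.exe"),
             "-accepteula",
             "-i"], startupinfo=self.startupinfo)
        if status != 0:
            log.error("sysmon.exe installer exited with status %s" % status)
        threading.Thread.start(self)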
3.编写解析模块
import logging, os, re
import xml.etree.ElementTree as ET
import xmltodict

from cuckoo.common.abstracts import Processing
from cuckoo.common.exceptions import CuckooProcessingError

# Module-level logger; the processing class below reports through it.
log = logging.getLogger(__name__)


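class Sysmon(Processing):
    """Host-side processing of the Sysmon XML exports uploaded by the guest.

    Keeps only the newest ``sysmon/<timestamp>.sysmon.xml`` upload, renames it
    to ``sysmon/sysmon.xml``, parses it and returns the event list with the
    analyzer's own activity (wevtutil calls, helper binaries) removed.
    """

    # Process-creation command lines produced by the analyzer itself.
    # Compiled once at class creation instead of once per event and pattern.
    FILTERED_PROC_CREATIONS_RE = [re.compile(p) for p in (
        r"C:\\Windows\\System32\\wevtutil\.exe\s+clear-log\s+microsoft-windows-(sysmon|powershell)\/operational",
        r"bin\\is32bit.exe",
        r"bin\\inject-(?:x86|x64).exe",
        r"C:\\Windows\\System32\\wevtutil.exe\s+query-events microsoft-windows-powershell\/operational\s+\/rd:true\s+\/e:root\s+\/format:xml\s+\/uni:true",
        r"C:\\Windows\\System32\\wevtutil.exe\s+query-events\s+microsoft-windows-sysmon\/operational\s+\/format:xml",
    )]

    @staticmethod
    def _command_line(event):
        """Return the CommandLine field of a process-creation event, or None.

        ``Data`` elements are matched by their ``Name`` attribute (exposed by
        xmltodict as ``@Name``); the positional fallback to the tenth element
        is kept for exports whose ``Data`` elements carry no name.
        """
        event_data = event.get("EventData") or {}
        data = event_data.get("Data") if isinstance(event_data, dict) else None
        if data is None:
            return None
        if isinstance(data, dict):
            data = [data]
        for item in data:
            if isinstance(item, dict) and item.get("@Name") == "CommandLine":
                return item.get("#text")
        try:
            return data[9]["#text"]
        except (IndexError, KeyError, TypeError):
            return None

    def _is_noise(self, event):
        """True when ``event`` is a process creation whose command line matches a noise pattern."""
        try:
            if event["System"]["EventID"] != "1":
                return False
        except (KeyError, TypeError):
            return False
        cmdline = self._command_line(event)
        if not cmdline:
            # Keep events whose command line cannot be located rather than fail.
            return False
        for pattern in self.FILTERED_PROC_CREATIONS_RE:
            if pattern.search(cmdline):
                log.info("Supressed %s because it is noisy" % cmdline)
                return True
        return False

    def remove_noise(self, data):
        """Drop process-creation events (EventID 1) produced by the analyzer.

        Args:
            data: the ``Events/Event`` value from xmltodict - a list of event
                dicts, a single dict when the export holds one event, or None.

        Returns:
            The remaining events as a list (empty for ``None`` input).
        """
        if data is None:
            return []
        if isinstance(data, dict):
            # xmltodict collapses a single <Event> into a bare dict.
            data = [data]

        return [event for event in data if not self._is_noise(event)]

    def run(self):
        """Select the newest upload, rename it to sysmon.xml, parse and filter it.

        Returns:
            The filtered event list, stored under the ``sysmon`` results key.

        Raises:
            CuckooProcessingError: when no upload is present or parsing fails.
        """
        self.key = "sysmon"
        sysmon_dir = os.path.join(self.analysis_path, "sysmon")

        try:
            uploads = os.listdir(sysmon_dir)
        except OSError as e:
            raise CuckooProcessingError("Sysmon directory not readable: %s" % e)
        if not uploads:
            raise CuckooProcessingError("No sysmon log was uploaded by the guest")

        # Uploads are named "<time.time()>.sysmon.xml", so a plain string sort
        # puts the newest last.
        uploads.sort()
        lastlog = uploads[-1]

        # Leave only the most recent file (each export dumps the whole channel).
        for name in uploads:
            if name == lastlog:
                continue
            try:
                os.remove(os.path.join(sysmon_dir, name))
            except OSError:
                log.error("Failed to remove sysmon file log %s" % name)

        final_path = os.path.join(sysmon_dir, "sysmon.xml")
        if lastlog != "sysmon.xml":
            os.rename(os.path.join(sysmon_dir, lastlog), final_path)

        try:
            with open(final_path, "rb") as fh:
                raw = fh.read()
            # Treat the export as latin-1 (every byte maps to a code point) and
            # re-encode as UTF-8 so the parser never rejects a stray byte.
            xml = raw.decode("latin1").encode("utf8")
            data = xmltodict.parse(xml)["Events"]["Event"]
        except Exception as e:
            # str(e) rather than e.message: the latter is absent on Python 3
            # and on many Python 2 exception classes.
            raise CuckooProcessingError("Failed parsing sysmon.xml: %s" % e)

        return self.remove_noise(data)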