Repository: https://github.com/RoomaSec/RmEye (GitHub, owner RoomaSec; language Python; license apache-2.0; topics: edr, sysmon, threat-hunting; 475 stars, 69 forks; last pushed 2023-10-25)
Description: 戎码之眼 (RmEye) is a threat-monitoring tool for Windows based on the ATT&CK model. It effectively detects common unknown and known threats: a sharp sword for the defender.

![image](Image/wx.png)

# RmEye
RmEye is a threat-response tool for Windows built on the ATT&CK-based design ideas of modern EDR.
Unlike an EDR, it is lightweight and efficient. It positions itself as a lightweight threat-detection tool,
not as one of those heavyweight, paid, so-called EDRs of uncertain effectiveness.

### Features
1. Designed around ATT&CK. Everything is designed to follow ATT&CK attack paths and attack chains (although, out of laziness, the rules are not annotated with technique IDs).
2. Lightweight and efficient. To avoid the heavyweight, memory-hungry ELK approach while still guaranteeing detection without becoming too heavy, the agent applies extensive rule-based filtering, which is what makes it possible to use SQLite as the back-end database. Log volume per host averages 4 MB a day, and the lightweight client itself consumes only 40-400 KB of memory over a day.
3. Behaviour-based detection makes AV evasion a thing of the past. Because the design follows ATT&CK, it looks only at behaviour, not at files; file-based evasion is already history.
4. Highly extensible. Functionality can be customised as needed.

### Why RmEye is not an EDR/XDR/MDR/NDR/whatever-DR
1. RmEye has no network-traffic monitoring.
2. RmEye covers only about 20% of the ATT&CK data sources.
3. RmEye does not integrate with WAF, IPS or IDS.
4. RmEye has no real-time blocking.
5. It is essentially blind to RPC, COM and ALPC.
6. It does not support more advanced extended detection, such as detection scripts, pushing rules to hosts, or cross-host chains.
7. Limited by Sysmon, many ATT&CK techniques are not covered and cannot be covered.
8. It has no response capability; it can only record passively.
Please keep in mind that RmEye positions itself as a lightweight threat-detection tool.

### Latest news
2022/10/11:
Redesigned the interface...

2022/9/29:  
National Day update: added IP and hash IOC plugins. RmEye can now tag IPs and hashes; be sure to replace the API key with your own when using them. See the IOC section below for the rest.

2022/9/22:  
Added a dashboard that visualises detection results.

2022/9/21:  
Fixed several bugs from the autumn update, added the `networkconnect` and `FileCreateTimeChange` data sources, and added `brc4` detection.

2022/9/20:  
Major autumn update: the rule section was completely refactored, and detection is now based entirely on ATT&CK software entries. Documentation will be updated when there is time.

2022/9/8:
Added a server-side rule guide: \
[doc_server_rule_manual.md](./doc_server_rule_manual.md)

2022/9/5:  
Added a rule-writing tutorial:  
https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md  
Added `mimikatz` detection.

2022/8/31:
Added a process whitelist system; processes can now be whitelisted. Open a process chain and click a process to add it to the whitelist.

2022/8/29:
Added the UAC-elevation detection plugin `uac_bypass_detect`. Because Sysmon cannot provide RPC information, it detects only a subset of UAC elevation behaviour, and it produces false positives, so treat its results with discretion.

### Detection screenshots

New dashboard (updated 2022/10/11):
![image](Image/dashboard_new.png)
New interface (updated 2022/10/11):
![image](Image/18.png)

IOC (updated 2022/10/1):
![image](Image/16.png)
![image](Image/17.png)
Threat list (updated 2022/9/20):
![image](Image/1.png)
Dashboard (updated 2022/9/22):  
![image](Image/dashboard.png)  
Process-chain behaviour backtracking:
![image](Image/8.png)
Malicious PowerShell execution:
![image](Image/2.png)
APT sample:
![image](Image/3.png)
Web-site intrusion, privilege escalation, and execution of Cobalt Strike:
![image](Image/5.png)
Office macro phishing:
![image](Image/6.png)
UAC elevation detection:
![image](Image/7.png)
mimikatz detection:
![image](Image/14.png)
brc4 detection:
![image](Image/15.png)

### To-do list
1. A better front end (currently Vue via CDN, which is not great; want to switch to Vue CLI). Done.
2. Log replay [current focus]
3. Threat hunting [current focus]
4. ATT&CK heat map
5. Online rule editor
6. Lateral-movement detection on the internal network
7. IIS, Apache and nginx log collection and analysis (aka an XDR implementation)
8. Integrated anti-virus engine
9. Improve the current plugin system [current focus]
10. Cloud log detection capability [current focus]

### Installation
Download a release (https://github.com/RoomaSec/RmEye/releases); it contains the client. For the server, clone this project yourself.  
The server is written in Python 3. After installing the dependencies, run
```
python webserver.py
```
to deploy it.  
Once the server is deployed, edit the following in config.py:  
```
# Detection threshold: the higher it is, the harder it is to trigger a detection, but the more accurate it is
MAX_THREAT_SCORE = 170

# IPs allowed to access the main site. IPs not in this list cannot reach the back end
ALLOW_ACCESS_IP = ['127.0.0.1']
```
MAX_THREAT_SCORE is the alert score: an alert is raised when the total score of a process chain exceeds it. A higher value is more accurate but will also miss detections.
ALLOW_ACCESS_IP is the list of permitted IPs; only addresses in this list can access the back end. Add your own IP address.  

On the client, edit config.ini:  
```
[communication]
server = http://192.168.111.189:5000
```
and change `server` to the address of your server.  
Then distribute the following files to the client, all in the same directory:  
config.ini, install.cmd, RmEye.exe, sysmon.xml, Sysmon64.exe  
Next, run install.cmd as administrator to install Sysmon and RmEye.  
Visit http://<server-ip>:5000 (the Flask default port) to view the back end.  
Of course there is no data at first. To confirm that the installation succeeded, comment out these lines in webserver.py  
```
    flask_log = logging.getLogger('werkzeug')
    flask_log.setLevel(logging.ERROR)
```
and check whether requests from clients arrive.  
Manual installation (these are the commands the cmd script actually runs):
```
rem Install Sysmon
sysmon -i
rem Load the Sysmon configuration
sysmon -c sysmon.xml
rem Install RmEye
RmEye /install
```

### Uninstallation
To uninstall RmEye, run the following in the RmEye directory:
```
SysEye /uninstall
```
If you also need to uninstall Sysmon, run
```
sysmon /uninstall
```
and RmEye is cleanly and completely removed.

### IOC
RmEye currently uses the free IOC feed from `https://metadefender.opswat.com/`. The bundled API key is for testing only. When deploying your own instance, be sure to open `plugins/ioc_opswat/opswat.py` and replace `"apikey": "010d4868aef799750e2828fdf17a4d98"` with your own key; otherwise it is insecure (for example, other people can look up your query history) and subject to usage limits (100 requests a day). So be sure to switch to an account you registered yourself. This IOC source is free and works well, better than OTX.  

### Rule-related issues
1. There are currently only 120 rules, and many attack surfaces are not covered; for other rules please visit the community.
2. Only rule_engine and YARA rules are currently supported; YARA support is provided as a plugin.
3. The rule fields depend entirely on Sysmon's fields; for the Sysmon field names see provider.json in the root directory (but remember they are all lowercase; do the case conversion yourself).

Rules currently live in the `Server/rules` directory, and there are currently two kinds of rules:
rule_engine:
For example, to detect ipconfig launched by cmd:
```
{
    'rules': [
        'originalfilename =~ ".*cmd.exe" and commandline =~ ".*ipconfig.*"',
    ],
    'score': 80,
    'name': 'cmd启动ipconfig'
},
```
The score is the amount this rule adds to the process chain's score; alerting is governed by the MAX_THREAT_SCORE setting described above.

For the rule-writing tutorial, see:  
https://github.com/RoomaSec/RmEye/blob/main/doc_day0_rule.md  

For the rule-engine syntax, see:  
https://github.com/zeroSteiner/rule-engine  

YARA requires installing a plugin; see the discussion section for details.

### Third-party libraries
1. sysmon
https://docs.microsoft.com/zh-cn/sysinternals/downloads/sysmon
2. rule_engine
https://github.com/zeroSteiner/rule-engine
3. yara
https://github.com/VirusTotal/yara
4. sysmon-config (the default rules used by the client, with some modifications of my own)
https://github.com/SwiftOnSecurity/sysmon-config  
Please comply with the open-source licences of these libraries. This project accepts no responsibility for any related legal risk.

### Special thanks
@Pwn0x01 for the YARA plugin  
@zeroSteiner for the rule-engine plugin  
@SwiftOnSecurity for the client rules  
@Fplyth0ner-Combie for the rule documentation