Working with parent-child relationships
This topic covers the case where malware is delivered as an e-mail attachment or as a script embedded in a document.
We will create a rule that monitors the execution of a script interpreter launched by a Microsoft Office application, that is, execution that originates from a document or an e-mail.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>Microsoft Office Application Invoked Script Interpreter [D0807]</name>
    <guid>4e9047f1-c506-4461-a2f3-a4e1db82ce48</guid>
    <category>Office</category>
    <os>Windows</os>
    <severity>77</severity>
    <mitreattackid>T1059.005,T1203</mitreattackid>
    <explanation>Malicious documents are one of the common techniques used for initial access. Adversaries commonly abuse features such as Macros or Add-Ins. For legacy versions of Microsoft Office public exploits are also available. Rule monitors following applications: Excel, Access, Outlook, PowerPoint and Word that are executing Windows Command Prompt, PowerShell, Windows Script Host or Microsoft HTML Application.</explanation>
    <benignCauses>Custom Office documents usually used for automation of tasks such as internal asset management. Various Legal Management Software suites that integrate with Microsoft Office can trigger this behavior.</benignCauses>
    <maliciousCauses>Malicious Microsoft Office document.</maliciousCauses>
    <recommendedActions>1. Investigate the process tree for any additional detections indicating suspicious activity. 2. Check the results of document analysis in ESET LiveGuard if available. 3. Investigate other detections on the same host. 4. Initiate the incident response process based on investigation outcome.</recommendedActions>
  </description>
  <definition>
    <parentprocess>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="excel.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="msaccess.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="outlook.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="powerpnt.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="winword.exe"/>
      </operator>
    </parentprocess>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="wscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="mshta.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="powershell.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="wscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cmd.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="mshta.exe"/>
      </operator>
    </process>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Points to note in the rule example above:
1. The "launching process" is modeled through the process - parentprocess relationship: process identifies the execution of the script interpreter, and parentprocess identifies the Microsoft Office application that spawned it.
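To make the process - parentprocess relationship concrete, the following added example (not part of the original page or of ESET Inspect) re-implements the matching logic of the rule's definition block in Python and runs it over a few constructed process-creation events. It parses the same parentprocess and process sections shown above, evaluates the OR operators, and requires every section to match. The event records, their field names and the case-insensitive comparison for the "is" condition are assumptions made for the example. The second sample event also shows why the rule checks Module OriginalFileName in addition to FileItem FileName: a renamed powershell.exe still carries its original name in the PE version resource, so the rule catches it even though the on-disk file name does not match.

```python
"""Evaluate the parent/child rule definition against constructed process-creation events."""
import xml.etree.ElementTree as ET

# Copy of the <definition> block from the rule above (the <description> elements
# are omitted because only the definition drives matching).
RULE_XML = """<rule>
  <definition>
    <parentprocess>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="excel.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="msaccess.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="outlook.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="powerpnt.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="winword.exe"/>
      </operator>
    </parentprocess>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="wscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="mshta.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="powershell.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="wscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cmd.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="mshta.exe"/>
      </operator>
    </process>
  </definition>
</rule>
"""


def _matches(node, proc):
    """Recursively evaluate an <operator> or <condition> element against one process record.

    A process record is a dict keyed by the rule's property names ("FileName",
    "OriginalFileName"); that shape is an assumption made for this example.
    """
    if node.tag == "condition":
        if node.get("condition") != "is":
            raise ValueError(f"unsupported condition {node.get('condition')!r}")
        actual = proc.get(node.get("property"))
        # Windows file names are case-insensitive; we assume "is" compares that way.
        return actual is not None and actual.lower() == node.get("value").lower()
    if node.tag == "operator":
        results = (_matches(child, proc) for child in node)
        return any(results) if node.get("type") == "OR" else all(results)
    raise ValueError(f"unexpected element <{node.tag}>")


def rule_matches(rule_xml, event):
    """True when the event satisfies every section (<parentprocess>, <process>) of the definition."""
    definition = ET.fromstring(rule_xml).find("definition")
    for section in definition:
        record = event.get(section.tag, {})
        if not all(_matches(child, record) for child in section):
            return False
    return True


# Constructed sample events: parent and child of one process-creation event each.
SAMPLE_EVENTS = [
    # 1. Word spawning PowerShell, the classic macro-to-shell chain: should match.
    {"parentprocess": {"FileName": "WINWORD.EXE"},
     "process": {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE"}},
    # 2. Renamed PowerShell binary: FileName misses, OriginalFileName still hits.
    {"parentprocess": {"FileName": "excel.exe"},
     "process": {"FileName": "upd.exe", "OriginalFileName": "PowerShell.EXE"}},
    # 3. PowerShell launched from Explorer: interpreter matches, parent is not Office.
    {"parentprocess": {"FileName": "explorer.exe"},
     "process": {"FileName": "powershell.exe", "OriginalFileName": "PowerShell.EXE"}},
    # 4. Outlook opening Notepad: Office parent, but the child is not an interpreter.
    {"parentprocess": {"FileName": "outlook.exe"},
     "process": {"FileName": "notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}},
]


def evaluate_samples():
    """Return one match result per sample event, in order."""
    return [rule_matches(RULE_XML, event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        parent = event["parentprocess"]["FileName"]
        child = event["process"]["FileName"]
        print(f"{parent} -> {child}: {'DETECTION' if hit else 'no match'}")
```

Only events 1 and 2 trigger: event 3 fails the parentprocess section and event 4 fails the process section, which is exactly the two-sided check the process - parentprocess relationship expresses.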