Working with URLs
It is quite common for malware to download additional components or configuration data from public data-sharing services (for example, pastebin.com). We need to monitor every session that accesses the pastebin.com domain. To do this we filter out the cases that pose no threat (for example, a user browsing the web); for that we can use the Popularity property.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>Unpopular Process Makes HTTP Request to a PasteBin-like Site [E0505]</name>
    <category>Communication</category>
    <os>Windows</os>
    <severity>80</severity>
    <mitreattackid>T1102.001</mitreattackid>
    <explanation>Public Web services, including ones like pastebin.com (and similar), are typically accessed via web browser applications. The aim of this rule is to try to catch instances where pastebin-like sites are accessed by unpopular processes that would likely be considered suspicious, in the hope that it may highlight instances worth investigating amongst other pastebin-like activity. This rule may generate a number of initial false positives before being tuned.</explanation>
    <benignCauses>Legit, unpopular executable is used to contact one of these domains; this still warrants investigation to verify.</benignCauses>
    <maliciousCauses>Process making an HTTP request to a PasteBin-like URL that contains: - C&amp;C infrastructure information (domains, IPs, commands/instructions, etc.), - further malicious payload stages. The process could also be exfiltrating data to this site.</maliciousCauses>
    <recommendedActions>1. Evaluate the process tree lineage, its command line and surrounding events.
2. Evaluate the local host, check events for the creation, modification, and execution of suspicious files.
3. Evaluate the other detections from this host to identify related activity.
4. If malicious activity is detected, start your incident response procedures (for example, isolate the computer from the internet, update your antivirus signatures and scan the computer for malware, send samples for analysis, block module, etc.).</recommendedActions>
  </description>
  <definition>
    <process>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
        <operator type="NOT">
          <operator type="OR">
            <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
            <condition component="Enterprise" property="Safe" condition="is" value="1"/>
          </operator>
        </operator>
      </operator>
    </process>
    <operations>
      <operation type="HttpRequest">
        <operator type="OR">
          <condition component="Network" property="Url" condition="contains" value="pastebin.com"/>
          <condition component="Network" property="Url" condition="contains" value="0bin.net"/>
          <condition component="Network" property="Url" condition="contains" value="pastie.org"/>
          <condition component="Network" property="Url" condition="contains" value="pastebin.pl"/>
          <condition component="Network" property="Url" condition="contains" value="hastebin.com"/>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
    <action name="SubmitParentToLiveGuard"/>
  </actions>
</rule>
What to note in the rule example above:
1. Since various IP addresses may be associated with pastebin.com, we match pastebin.com URLs directly.
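To make the rule's logic concrete, here is an added example (not ESET Inspect code) that evaluates the `<operator>`/`<condition>` tree of the `<definition>` above against constructed events. It assumes an event is a flat dict keyed `Component.Property` and keeps only two of the five URL conditions; the `contains` comparator is a plain substring test on the URL, which is why the rule matches the domain name rather than any IP it resolves to.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the rule's <definition> from the page (two of its five URL conditions kept).
DEFINITION = """<definition>
 <process><operator type="AND">
  <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
  <operator type="NOT"><operator type="OR">
   <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
   <condition component="Enterprise" property="Safe" condition="is" value="1"/>
  </operator></operator>
 </operator></process>
 <operations><operation type="HttpRequest"><operator type="OR">
  <condition component="Network" property="Url" condition="contains" value="pastebin.com"/>
  <condition component="Network" property="Url" condition="contains" value="0bin.net"/>
 </operator></operation></operations>
</definition>"""

# How each condition="..." attribute compares an event value against value="...".
# 'contains' is a plain substring test on the URL string, so the rule matches the
# domain name itself rather than any of the IP addresses it may resolve to.
COMPARATORS = {
    "is": lambda actual, value: str(actual) == value,
    "less": lambda actual, value: int(actual) < int(value),
    "contains": lambda actual, value: value in str(actual),
}

def eval_node(node, event):
    """Evaluate an <operator>/<condition> subtree; event keys are 'Component.Property'
    and a field absent from the event never satisfies a condition."""
    if node.tag == "condition":
        actual = event.get(f"{node.get('component')}.{node.get('property')}")
        return actual is not None and COMPARATORS[node.get("condition")](actual, node.get("value"))
    results = [eval_node(child, event) for child in node]
    return {"AND": all, "OR": any, "NOT": lambda r: not r[0]}[node.get("type")](results)

def rule_matches(event):
    """The rule fires only when the <process> filter and the HttpRequest <operation> both match."""
    root = ET.fromstring(DEFINITION)
    operation = root.find("operations/operation")
    return (event.get("operation") == operation.get("type")
            and eval_node(root.find("process/operator"), event)
            and eval_node(operation.find("operator"), event))

# Constructed sample events: a popular, trusted-signed browser and an unpopular unsigned binary.
BROWSER = {"operation": "HttpRequest", "LiveGrid.Popularity": 5000000, "Module.SignatureType": "Trusted",
           "Enterprise.Safe": "0", "Network.Url": "https://pastebin.com/raw/example"}
DROPPER = {"operation": "HttpRequest", "LiveGrid.Popularity": 4, "Module.SignatureType": "Untrusted",
           "Enterprise.Safe": "0", "Network.Url": "https://pastebin.com/raw/example"}
```

Only `DROPPER` triggers the rule; marking the same binary safe in Enterprise (`Enterprise.Safe` = `1`) or changing the URL to a non-listed host suppresses it.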