Monitoring network connections
Rundll32 is a Microsoft Windows system utility that provides an entry point and a minimal framework for executing dynamic-link libraries (DLLs). We want to monitor any network connection established by this utility.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>External Network Connection from rundll32.exe with Unpopular Parent [A0504b]</name>
    <category>Communication</category>
    <os>Windows</os>
    <severity>48</severity>
    <mitreattackid>T1218.011</mitreattackid>
    <explanation>Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic load libraries. The rule monitors network connections to public range IP addresses from Rundll32 that was started from an unpopular process.</explanation>
    <benignCauses>This usually happens when benign less popular software prints on the network printer.</benignCauses>
    <maliciousCauses>Often used by script malware for downloading or reporting</maliciousCauses>
    <recommendedActions>1. Evaluate the parent process, its command line and execution chain. 2. Evaluate the target IP, check events for creating, modifying and executing files by the script interpreter. 3. If a suspicious activity is detected, start the incident response process (for example, disconnect the computer from the internet, update your antivirus product and scan the computer for malware, send samples for analysis, block module, etc.).</recommendedActions>
  </description>
  <definition>
    <parentprocess>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
        <operator type="NOT">
          <operator type="OR">
            <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
            <condition component="Enterprise" property="Safe" condition="is" value="1"/>
          </operator>
        </operator>
      </operator>
    </parentprocess>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="rundll32.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="RUNDLL32.exe"/>
      </operator>
    </process>
    <operations>
      <operation type="TcpIpConnect">
        <operator type="OR">
          <operator type="NOT">
            <operator type="OR">
              <condition component="Network" property="IpAddressV4" condition="is" value="10.0.0.0/8"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="172.16.0.0/12"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="192.168.0.0/16"/>
              <condition component="Network" property="IpAddressV4" condition="is" value="127.0.0.0/8"/>
            </operator>
          </operator>
          <operator type="NOT">
            <operator type="OR">
              <condition component="Network" property="IpAddressV6" condition="is" value="fc00::/7"/>
              <condition component="Network" property="IpAddressV6" condition="is" value="::1/128"/>
            </operator>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Things to note in the rule example above:
1. While testing the rule, we noticed that it was triggered by printing to a network printer, which is handled inside Rundll32. Since this is a false positive, we decided to filter out the <parentprocess> (the process that launched Rundll32) when it is a popular process. Other filters, such as Trusted or Marked as Safe, can also be used.
2. Rundll32 is matched by its common name; because the process executable can be renamed, we can also match Rundll32 using the executable's OriginalFileName property.
3. Since we need to monitor network connections, we use the TcpIpConnect operation.
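The three conditions of the rule (process name or OriginalFileName, unpopular and unvouched parent, destination outside the private and loopback ranges), evaluated over sample events as an added example that is not part of the original page or the product's rule engine. The ConnectEvent schema, the case-insensitive name comparison and the SignatureType values are assumptions, and the sample events are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Internal ranges the rule excludes with NOT(OR(...)) in its <operations> block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",  # IpAddressV4
    "fc00::/7", "::1/128",                                            # IpAddressV6
)]

@dataclass
class ConnectEvent:
    """One TcpIpConnect event (hypothetical schema, not the product's own)."""
    file_name: str            # FileItem.FileName of the connecting process
    original_file_name: str   # Module.OriginalFileName from the PE version resource
    parent_popularity: int    # LiveGrid.Popularity of the parent process
    parent_signature: str     # Module.SignatureType of the parent, e.g. "Trusted"
    parent_marked_safe: bool  # Enterprise.Safe == 1 for the parent
    dest_ip: str              # Network.IpAddressV4 or IpAddressV6

def is_rundll32(ev: ConnectEvent) -> bool:
    # <process>: OR of FileName and OriginalFileName, so a renamed copy still matches.
    # Case-insensitive comparison is assumed (Windows file names are case-insensitive).
    return "rundll32.exe" in (ev.file_name.lower(), ev.original_file_name.lower())

def parent_is_unpopular(ev: ConnectEvent) -> bool:
    # <parentprocess>: Popularity < 1000 AND NOT (Trusted OR marked Safe).
    vouched = ev.parent_signature == "Trusted" or ev.parent_marked_safe
    return ev.parent_popularity < 1000 and not vouched

def is_external(ip: str) -> bool:
    # <operations>: destination not inside any private or loopback range.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triggers(ev: ConnectEvent) -> bool:
    return is_rundll32(ev) and parent_is_unpopular(ev) and is_external(ev.dest_ip)

# Constructed sample events: documentation IP ranges, made-up parent data.
SAMPLE_EVENTS = [
    ConnectEvent("rundll32.exe", "RUNDLL32.exe", 12, "Unsigned", False, "203.0.113.10"),       # fires
    ConnectEvent("upd.exe", "RUNDLL32.exe", 3, "Unsigned", False, "198.51.100.5"),             # renamed, fires
    ConnectEvent("rundll32.exe", "RUNDLL32.exe", 50000, "Trusted", False, "192.168.1.20"),     # printing, benign
    ConnectEvent("rundll32.exe", "RUNDLL32.exe", 40, "Trusted", False, "203.0.113.10"),        # trusted parent
]

def detections(events):
    """Indices of the events that would raise the detection."""
    return [i for i, ev in enumerate(events) if triggers(ev)]

if __name__ == "__main__":
    print("events that trigger the rule:", detections(SAMPLE_EVENTS))  # [0, 1]
```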