Using the "Compromised" flag
Sometimes an attacker injects malicious code into a legitimately running process. Unfortunately, a lot of legitimate software uses similar code injection techniques as well, for example screen readers used by visually impaired people.
Creating a detection for every CodeInjection event would generate too many false positives. To solve this, we can use the Compromised flag in ESET Inspect.
Rules
First, we create a rule that does not contain a TriggerDetection action but does contain the MarkAsCompromised action. MarkAsCompromised adds a flag to the process at the receiving end of the code injection.
<?xml version='1.0' encoding='UTF-8'?>
<rule>
    <description>
        <name>Common Injection Targets</name>
        <category>Special</category>
        <os>Windows</os>
        <severity>90</severity>
    </description>
    <definition>
        <operations>
            <operation type="CodeInjection">
                <operator type="AND">
                    <condition component="CodeInjectionType" condition="is" property="CodeInjectionType" value="SetThreadContext"/>
                    <operator type="OR">
                        <condition component="FileItem" property="FileName" condition="is" value="msedge.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="ComSvcConfig.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="explorer.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="DevicePairingWizard.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="EhStorAuthn.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="Locator.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WUAUCLT.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WWAHost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="WerFault.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="bootcfg.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="dllhost.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="getmac.exe"/>
                        <condition component="FileItem" property="FileName" condition="is" value="systray.exe"/>
                    </operator>
                </operator>
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="none"/>
    <actions>
        <action name="StoreEvent"/>
        <action name="MarkAsCompromised"/>
    </actions>
</rule>
With the Compromised flag now set, we can reference it in another rule when other suspicious operations occur, such as access to the LSASS process.
<?xml version='1.0' encoding='UTF-8'?>
<rule>
    <description>
        <name>Credential Dumping From Compromised Process</name>
        <category>Suspicious process creation and process manipulation</category>
        <os>Windows</os>
        <severity>90</severity>
        <mitreattackid>T1003.001</mitreattackid>
        <explanation>A process has accessed the LSASS process in a way that is typical for Mimikatz. LSASS contains sensitive information such as credentials.</explanation>
        <benignCauses>Legitimate applications that access other running processes in an improper way (e.g., certain installers).</benignCauses>
        <maliciousCauses>Adversary may access LSASS process in order to retrieve credentials - passwords and hashes.</maliciousCauses>
        <recommendedActions>1. Initiate Incident Response procedure.</recommendedActions>
    </description>
    <definition>
        <process>
            <condition component="ProcessInfo" condition="is" property="Compromised" value="1"/>
        </process>
        <operations>
            <operation type="OpenProcess">
                <operator type="AND">
                    <condition component="FileItem" property="FileName" condition="is" value="lsass.exe"/>
                    <condition component="FileItem" property="Path" condition="is" value="%SYSTEM%"/>
                    <condition component="OpenProcess" property="AccessRight" condition="is" value="4112"/>
                </operator>
            </operation>
        </operations>
    </definition>
    <maliciousTarget name="current"/>
    <actions>
        <action name="TriggerDetection"/>
        <action name="StoreEvent"/>
    </actions>
</rule>
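To make the two-stage logic of the rules above concrete, here is an added toy replay of both rules over constructed events; it is example code, not ESET's rule engine. The Event fields, the pid that each rule evaluates (the injection target for the first rule, the opener for the second) and the strict in-order evaluation are assumptions made for the illustration.

```python
# Added example, not ESET's code: replays the two rules above over constructed
# events to show the Compromised flag carrying state between them (toy model).
from dataclasses import dataclass
INJECTION_TARGETS = {"msedge.exe", "explorer.exe", "WerFault.exe", "conhost.exe",
                     "dllhost.exe", "WUAUCLT.exe", "getmac.exe", "systray.exe"}
# 4112 = 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ
LSASS_ACCESS_RIGHT = 4112

@dataclass(frozen=True)
class Event:
    kind: str             # "CodeInjection" or "OpenProcess"
    pid: int              # process under evaluation (assumed field)
    file_name: str        # FileItem.FileName of the operation
    path: str = ""        # FileItem.Path (OpenProcess only)
    injection_type: str = ""
    access_right: int = 0

def rule_common_injection_targets(ev, compromised):
    """First rule: MarkAsCompromised on the injected-into process, no detection."""
    if (ev.kind == "CodeInjection" and ev.injection_type == "SetThreadContext"
            and ev.file_name in INJECTION_TARGETS):
        compromised.add(ev.pid)
    return None  # no TriggerDetection action in this rule

def rule_credential_dumping(ev, compromised):
    """Second rule: evaluated only for processes with Compromised == 1."""
    if ev.pid not in compromised:
        return None
    if (ev.kind == "OpenProcess" and ev.file_name == "lsass.exe"
            and ev.path == "%SYSTEM%" and ev.access_right == LSASS_ACCESS_RIGHT):
        return "Credential Dumping From Compromised Process"
    return None

def replay(events):
    """Run both rules over events in order; return (compromised pids, detections)."""
    compromised, detections = set(), []
    for ev in events:
        for rule in (rule_common_injection_targets, rule_credential_dumping):
            hit = rule(ev, compromised)
            if hit:
                detections.append((ev.pid, hit))
    return compromised, detections

# Constructed sample: pid 4242 opens lsass.exe but was never injected into;
# pid 1337 (explorer.exe) receives a SetThreadContext injection, then opens it.
SAMPLE_EVENTS = [
    Event("OpenProcess", 4242, "lsass.exe", "%SYSTEM%", access_right=4112),
    Event("CodeInjection", 1337, "explorer.exe", injection_type="SetThreadContext"),
    Event("OpenProcess", 1337, "lsass.exe", "%SYSTEM%", access_right=4112),
]
```

Only the second lsass.exe access produces a detection: the first comes from a process that never received an injection, so the Compromised condition filters it out before the OpenProcess conditions are even checked.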