Using LiveGrid and the Safe attribute
This rule monitors suspicious executable modules dropped by rundll32.exe. Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic link libraries.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>Rundll32 Dropped Suspicious Executable [A0310]</name>
    <guid>d6359e46-f318-403c-b2b5-7133dd0fd0dd</guid>
    <category>File system</category>
    <os>Windows</os>
    <severity>61</severity>
    <mitreattackid>T1218.011,T1105</mitreattackid>
    <explanation>Rundll32 is a Microsoft Windows system utility that provides an entry point and minimal framework for executing dynamic load libraries. The rule monitors suspicious executable modules dropped from rundll32.exe</explanation>
    <benignCauses>May be part of some installation process.</benignCauses>
    <maliciousCauses>Rundll32 is commonly misused by malware</maliciousCauses>
    <recommendedActions>1. Evaluate the dropped module metadata. 2. Evaluate the executable drop reason from rundll32.exe. 3. Evaluate the rundll32.exe command line and loaded modules. 4. Evaluate the parent process, its command line and execution chain.</recommendedActions>
  </description>
  <definition>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="rundll32.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="RUNDLL32.exe"/>
      </operator>
    </process>
    <operations>
      <operation type="ModuleDrop">
        <operator type="AND">
          <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
          <condition component="LiveGrid" property="Reputation" condition="less" value="8"/>
          <operator type="NOT">
            <operator type="OR">
              <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
              <condition component="Enterprise" property="Safe" condition="is" value="1"/>
            </operator>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="module"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Points to note in the rule example above:
1. We use the ModuleDrop operation to detect modules dropped by rundll32.
2. To filter out most unwanted alerts on legitimate activity, we use three kinds of conditions:
a. The Popularity and Reputation properties of the LiveGrid component, which exclude widely used programs and programs with a good reputation.
b. The SignatureType property of the Module component being Trusted.
c. The Safe property of the Enterprise component being set to True. You can explicitly mark a file as safe in ESET Inspect.