Using the parent-child relationship
This topic covers the case where malware is delivered as a script inside an email attachment or a document.
We want to create a rule that monitors the execution of a script interpreter (the process that runs the script) whose parent is a Microsoft Office application, i.e. the script was launched from a document or an email.
Rule
```xml
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>Microsoft Office Application Invoked Script Interpreter [D0807]</name>
    <guid>4e9047f1-c506-4461-a2f3-a4e1db82ce48</guid>
    <category>Office</category>
    <os>Windows</os>
    <severity>77</severity>
    <mitreattackid>T1059.005,T1203</mitreattackid>
    <explanation>Malicious documents are one of the common techniques used for initial access. Adversaries commonly abuse features such as Macros or Add-Ins. For legacy versions of Microsoft Office public exploits are also available. Rule monitors following applications: Excel, Access, Outlook, PowerPoint and Word that are executing Windows Command Prompt, PowerShell, Windows Script Host or Microsoft HTML Application.</explanation>
    <benignCauses>Custom Office documents usually used for automation of tasks such as internal asset management. Various Legal Management Software suites that integrate with Microsoft Office can trigger this behavior.</benignCauses>
    <maliciousCauses>Malicious Microsoft Office document.</maliciousCauses>
    <recommendedActions>1. Investigate the process tree for any additional detections indicating suspicious activity. 2. Check the results of document analysis in ESET LiveGuard if available. 3. Investigate other detections on the same host. 4. Initiate the incident response process based on investigation outcome.</recommendedActions>
  </description>
  <definition>
    <parentprocess>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="excel.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="msaccess.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="outlook.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="powerpnt.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="winword.exe"/>
      </operator>
    </parentprocess>
    <process>
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="powershell.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="wscript.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe"/>
        <condition component="FileItem" property="FileName" condition="is" value="mshta.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="powershell.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="wscript.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="cmd.exe"/>
        <condition component="Module" property="OriginalFileName" condition="is" value="mshta.exe"/>
      </operator>
    </process>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
```
Things to note in the rule example above:
1. We used process to identify the execution of the script interpreter and parentprocess to identify the Microsoft Office application, so "which process launched it" is modeled by the relationship between process and parentprocess. The child is matched on both the on-disk FileName and the PE OriginalFileName, so an interpreter that has been copied under a different name still matches; the parent is matched on FileName only.
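To make the matching semantics of the rule concrete, here is an added example that re-implements the same parent/child logic in Python and runs it over a handful of constructed process-creation events. It is not ESET Inspect code and does not use the ESET rule engine; the ProcessEvent fields (pid, parent_pid, image, original_file_name) and the sample events are assumptions, loosely modelled on Sysmon process-creation records.

```python
"""Added example (not ESET's code): evaluate the Office -> script-interpreter
parent/child rule against constructed process-creation events."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parent and child name sets copied from the rule's <parentprocess> and <process> blocks.
OFFICE_PARENTS = {"excel.exe", "msaccess.exe", "outlook.exe", "powerpnt.exe", "winword.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. Field names are assumptions for this example,
    modelled loosely on a Sysmon Event ID 1 entry."""
    pid: int
    parent_pid: int
    image: str               # on-disk path of the started executable (FileItem.FileName)
    original_file_name: str  # OriginalFilename from the PE version resource (Module.OriginalFileName)
    command_line: str = ""


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_rule(child: ProcessEvent, parent: Optional[ProcessEvent]) -> bool:
    """True when `child` is a script interpreter started by an Office application.

    Mirrors the rule: the parent is matched on FileName only; the child matches
    if either its FileName or its PE OriginalFileName is an interpreter name,
    so a renamed copy of powershell.exe still triggers.
    """
    if parent is None or basename(parent.image) not in OFFICE_PARENTS:
        return False
    return (basename(child.image) in SCRIPT_INTERPRETERS
            or child.original_file_name.lower() in SCRIPT_INTERPRETERS)


def evaluate(events: List[ProcessEvent]) -> List[int]:
    """Run the rule over a batch of events; return the PIDs that triggered it."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    return [e.pid for e in events if matches_rule(e, by_pid.get(e.parent_pid))]


# Constructed sample telemetry for the example (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "EXPLORER.EXE"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WinWord.exe", '"WINWORD.EXE" invoice.docm'),
    # Macro spawns PowerShell directly from Word: matches on FileName.
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "PowerShell.EXE", "powershell -nop -w hidden -enc SQBFAFgA"),
    # Same interpreter copied to an innocuous name: only OriginalFileName matches.
    ProcessEvent(301, 200, r"C:\Users\Public\update.exe",
                 "PowerShell.EXE", "update.exe -nop -w hidden -enc SQBFAFgA"),
    # PowerShell opened by the user from Explorer: parent is not Office, no match.
    ProcessEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "PowerShell.EXE"),
    # Word spawning a print helper: child is not an interpreter, no match.
    ProcessEvent(500, 200, r"C:\Windows\splwow64.exe", "splwow64.exe"),
]

if __name__ == "__main__":
    for pid in evaluate(SAMPLE_EVENTS):
        print(f"detection: pid {pid}")
```

Two caveats follow directly from the code. First, because the parent is matched on FileName only, a renamed Office binary would not be recognised as a parent, whereas a renamed interpreter is still caught through OriginalFileName. Second, the rule only sees the immediate parent: an interpreter whose direct parent is some intermediate helper launched by Word is outside this rule's scope and would need a grandparent condition or a separate rule.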