Using the registry
We want to monitor changes made to the registry value AppInit_DLLs, which allows dynamic-link libraries (DLLs) to be loaded automatically into certain processes on the system. A related registry value with similar functionality is AppCertDlls. The full registry value paths are:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SYSTEM\CurrentControlSet\Control\SESSION MANAGER\AppCertDlls
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>AppInit DLL Registry Creation [A0101]</name>
    <category>Persistence</category>
    <os>Windows</os>
    <severity>80</severity>
    <mitreattackid>T1218.011</mitreattackid>
    <explanation>AppInit DLL is a mechanism that allows an arbitrary list of DLLs to be loaded into each user-mode process on the system. DLLs that are specified in the `AppInit_DLLs` value in the Registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into (almost) every process that loads user32.dll. The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.</explanation>
    <benignCauses>AppInit_DLLs are rarely used by specific software, such as graphic card support dlls or virtual machine software.</benignCauses>
    <maliciousCauses>AppInit_DLLs are sometimes used by malware to achieve persistence on the target machine.</maliciousCauses>
    <recommendedActions>1. Evaluate if the change to the AppInit_DLLs correlates with known software, a software update, patch cycles, etc. 2. Evaluate the process/module that made the change. 3. Check for presence of new/non-standard DLLs on the computer. 4. If a suspicious process/module or DLL is detected, start the incident response process (for example, disconnect the computer from the internet, update your antivirus product and scan the computer for malware, send samples for analysis, block modules, etc.).</recommendedActions>
  </description>
  <definition>
    <operations>
      <operation type="RegSetValue">
        <operator type="OR">
          <operator type="AND">
            <operator type="OR">
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"/>
              <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"/>
            </operator>
            <condition component="RegistryItem" property="Key" condition="ends" value="Appinit_Dlls"/>
          </operator>
          <operator type="AND">
            <condition component="RegistryItem" property="Key" condition="starts" value="HKLM\SYSTEM\ControlSet"/>
            <condition component="RegistryItem" property="Key" condition="ends" value="Control\SESSION MANAGER\AppCertDlls"/>
          </operator>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
  </actions>
</rule>
Things to note in the rule example above:
1. The abbreviated HKEY form is used instead of the full name, because the full HKEY name does not match.
2. The Wow6432Node copy of AppInit_DLLs. This value, like many others, is duplicated under this registry key to provide x86 support on x64 systems, so we also need to monitor this copy.
3. The registry value is matched with the ends condition. We decided to match the registry value name "AppInit_DLLs" first and then check whether the path of the registry value is the expected one. In theory, because conditions are evaluated with short-circuiting, this approach should reduce the load on the server. Matching on the whole registry value path ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs") is also acceptable.
4. CurrentControlSet is a symbolic link that the operating system evaluates dynamically and that points to ControlSet%number%. When Enterprise Inspector receives a registry path containing a ControlSet%number% value, we split the registry value path into two parts.
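To see how the starts/ends tree in the rule above behaves on real-looking RegSetValue events, including the Wow6432Node copy and the ControlSet%number% form from notes 2 and 4, here is an added example evaluator (not Enterprise Inspector code); it assumes case-insensitive matching and constructs its own sample events, and it also shows a stricter suffix that excludes the sibling value LoadAppInit_DLLs.

```python
# Added example (not Enterprise Inspector code): a small evaluator that mirrors
# the rule's <definition>; matching is assumed to be case-insensitive.
from dataclasses import dataclass

@dataclass
class RegSetValue:
    key: str      # full path of the registry value, as in RegistryItem.Key
    process: str  # process that performed the write

def starts(prefix):
    return lambda key: key.lower().startswith(prefix.lower())

def ends(suffix):
    return lambda key: key.lower().endswith(suffix.lower())

def all_of(*conds):  # <operator type="AND">; all() stops at the first miss
    return lambda key: all(c(key) for c in conds)

def any_of(*conds):  # <operator type="OR">
    return lambda key: any(c(key) for c in conds)

def build_rule(appinit_suffix=r"AppInit_DLLs"):
    # Same tree as the rule: (Windows NT key AND ends AppInit_DLLs)
    # OR (HKLM\SYSTEM\ControlSet... AND ends Control\SESSION MANAGER\AppCertDlls)
    windows_nt_keys = any_of(
        starts(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"),
        starts(r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"),
    )
    return any_of(
        all_of(windows_nt_keys, ends(appinit_suffix)),
        all_of(starts(r"HKLM\SYSTEM\ControlSet"),
               ends(r"Control\SESSION MANAGER\AppCertDlls")),
    )

APPINIT_RULE = build_rule()
# Anchoring the suffix on the backslash excludes sibling values such as
# LoadAppInit_DLLs, whose name also ends in "AppInit_DLLs".
STRICT_RULE = build_rule(r"\AppInit_DLLs")

def matches(rule, events):
    """Return the processes whose RegSetValue events trigger the rule."""
    return [e.process for e in events if rule(e.key)]

# Constructed sample events; ControlSet001 stands in for the ControlSet%number%
# form that the text says Enterprise Inspector receives.
SAMPLE_EVENTS = [
    RegSetValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs", "setup.exe"),
    RegSetValue(r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs", "installer32.exe"),
    RegSetValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs", "gpupdate.exe"),
    RegSetValue(r"HKLM\SYSTEM\ControlSet001\Control\SESSION MANAGER\AppCertDlls", "regedit.exe"),
]
```

Running `matches(APPINIT_RULE, SAMPLE_EVENTS)` flags all four events, while `STRICT_RULE` drops the LoadAppInit_DLLs write, which is a DWORD toggle in the same key rather than a DLL list.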