通过 MS VisualStudio 预/构建后事件执行
编辑通过 MS VisualStudio 预/构建后事件执行
编辑识别通过 Microsoft Visual Studio 预构建或构建后事件执行命令的行为。攻击者可能会在受信任的 Visual Studio 项目中植入后门,以便在项目构建过程中执行恶意命令。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
严重性: 低
风险评分: 21
每: 60 分钟运行
搜索索引自: now-119m (日期数学格式,另见 额外回溯时间)
每次执行的最大告警数: 100
参考资料:
- https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html
- https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx
标签:
- 领域:端点
- 操作系统:Windows
- 用例:威胁检测
- 战术:防御规避
- 战术:执行
- 规则类型:BBR
- 数据源:Elastic Defend
版本: 2
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
process.name : "cmd.exe" and process.parent.name : "MSBuild.exe" and
process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\tmp*.exec.cmd"] by process.entity_id
[process where host.os.type == "windows" and event.action == "start" and
process.name : (
"cmd.exe", "powershell.exe",
"MSHTA.EXE", "CertUtil.exe",
"CertReq.exe", "rundll32.exe",
"regsvr32.exe", "MSbuild.exe",
"cscript.exe", "wscript.exe",
"installutil.exe"
) and
not
(
process.name : ("cmd.exe", "powershell.exe") and
process.args : (
"*\\vcpkg\\scripts\\buildsystems\\msbuild\\applocal.ps1",
"HKLM\\SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS?",
"process.versions.node*",
"?:\\Program Files\\nodejs\\node.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\*",
"*Get-ChildItem*Tipasplus.css*",
"Build\\GenerateResourceScripts.ps1",
"Shared\\Common\\..\\..\\BuildTools\\ConfigBuilder.ps1\"",
"?:\\Projets\\*\\PostBuild\\MediaCache.ps1"
)
) and
not process.executable : "?:\\Program Files*\\Microsoft Visual Studio\\*\\MSBuild.exe" and
not (process.name : "cmd.exe" and
process.command_line :
("*vswhere.exe -property catalog_productSemanticVersion*",
"*git log --pretty=format*", "*\\.nuget\\packages\\vswhere\\*",
"*Common\\..\\..\\BuildTools\\*"))
] by process.parent.entity_id
框架: MITRE ATT&CKTM
-
战术
- 名称:防御规避
- ID:TA0005
- 参考网址:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:受信任的开发人员实用程序代理执行
- ID:T1127
- 参考网址:https://attack.mitre.org/techniques/T1127/
-
子技术
- 名称:MSBuild
- ID:T1127.001
- 参考网址:https://attack.mitre.org/techniques/T1127/001/
-
战术
- 名称:执行
- ID:TA0002
- 参考网址:https://attack.mitre.org/tactics/TA0002/