伪装成浏览器进程的潜在威胁
编辑伪装成浏览器进程的潜在威胁
编辑识别浏览器进程的可疑实例,例如未签名或使用异常证书签名的进程,这些实例可能表明试图隐藏恶意活动、绕过安全功能(例如允许列表)或诱骗用户执行恶意软件。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
严重性: 低
风险评分: 21
运行频率: 5 分钟
搜索索引时间范围: now-9m (日期数学格式,另请参见 额外回溯时间)
每次执行的最大告警数: 100
参考资料: 无
标签:
- 领域:终端
- 操作系统:Windows
- 用例:威胁检测
- 战术:防御规避
- 战术:持久性
- 规则类型:BBR
- 数据源:Elastic Defend
版本: 5
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询
编辑process where host.os.type == "windows" and event.type == "start" and
(
/* Chrome Related Processes */
(process.name : (
"chrome.exe", "GoogleUpdate.exe", "GoogleCrashHandler64.exe", "GoogleCrashHandler.exe",
"GoogleUpdateComRegisterShell64.exe", "GoogleUpdateSetup.exe", "GoogleUpdateOnDemand.exe",
"chrome_proxy.exe", "remote_assistance_host.exe", "remoting_native_messaging_host.exe",
"GoogleUpdateBroker.exe"
) and not
(process.code_signature.subject_name : ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
and not
(
process.executable : (
"?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe",
"?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe"
) and
process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true
) and not
(
process.executable : (
"?:\\Program Files\\dynatrace\\synthetic\\Chrome-bin\\chrome.exe"
) and
process.code_signature.subject_name : ("Dynatrace LLC") and process.code_signature.trusted == true
) and
not (
process.executable : (
"?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe",
"*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe",
"?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe",
"?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe",
"?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe"
) and process.args: (
"--enable-features=NetworkService,NetworkServiceInProcess",
"--type=crashpad-handler", "--enable-automation", "--disable-xss-auditor"
)
)
) or
/* MS Edge Related Processes */
(process.name : (
"msedge.exe", "MicrosoftEdgeUpdate.exe", "identity_helper.exe", "msedgewebview2.exe",
"MicrosoftEdgeWebview2Setup.exe", "MicrosoftEdge_X*.exe", "msedge_proxy.exe",
"MicrosoftEdgeUpdateCore.exe", "MicrosoftEdgeUpdateBroker.exe", "MicrosoftEdgeUpdateSetup_X*.exe",
"MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe"
) and not
(process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
and not
(
process.name : "msedgewebview2.exe" and
process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation") and process.code_signature.trusted == true
)
) or
/* Brave Related Processes */
(process.name : (
"brave.exe", "BraveUpdate.exe", "BraveCrashHandler64.exe", "BraveCrashHandler.exe",
"BraveUpdateOnDemand.exe", "brave_vpn_helper.exe", "BraveUpdateSetup*.exe",
"BraveUpdateComRegisterShell64.exe"
) and not
(process.code_signature.subject_name : "Brave Software, Inc." and process.code_signature.trusted == true)
) or
/* Firefox Related Processes */
(process.name : (
"firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe",
"plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe",
"minidump-analyzer.exe"
) and not
(process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true)
and not
(
process.name : "default-browser-agent.exe" and
process.code_signature.subject_name : ("WATERFOX LIMITED") and process.code_signature.trusted == true
)
) or
/* Island Related Processes */
(process.name : (
"Island.exe", "IslandUpdate.exe", "IslandCrashHandler.exe", "IslandCrashHandler64.exe",
"IslandUpdateBroker.exe", "IslandUpdateOnDemand.exe", "IslandUpdateComRegisterShell64.exe",
"IslandUpdateSetup.exe"
) and not
(process.code_signature.subject_name : "Island Technology Inc." and process.code_signature.trusted == true)
) or
/* Opera Related Processes */
(process.name : (
"opera.exe", "opera_*.exe", "browser_assistant.exe"
) and not
(process.code_signature.subject_name : ("Opera Norway AS", "Opera Software AS") and process.code_signature.trusted == true)
) or
/* Whale Related Processes */
(process.name : (
"whale.exe", "whale_update.exe", "wusvc.exe"
) and not
(process.code_signature.subject_name : "NAVER Corp." and process.code_signature.trusted == true)
) or
/* Chromium-based Browsers processes */
(process.name : (
"chrmstp.exe", "notification_helper.exe", "elevation_service.exe"
) and not
(process.code_signature.subject_name : (
"Island Technology Inc.",
"Citrix Systems, Inc.",
"Brave Software, Inc.",
"Google LLC",
"Google Inc",
"Microsoft Corporation",
"NAVER Corp.",
"AVG Technologies USA, LLC",
"Avast Software s.r.o.",
"PIRIFORM SOFTWARE LIMITED",
"NortonLifeLock Inc.",
"Opera Norway AS"
) and process.code_signature.trusted == true
)
)
)
框架: MITRE ATT&CKTM
-
战术
- 名称:防御规避
- ID:TA0005
- 参考网址:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:伪装
- ID:T1036
- 参考网址:https://attack.mitre.org/techniques/T1036/
-
子技术
- 名称:无效代码签名
- ID:T1036.001
- 参考网址:https://attack.mitre.org/techniques/T1036/001/
-
子技术
- 名称:匹配合法名称或位置
- ID:T1036.005
- 参考网址:https://attack.mitre.org/techniques/T1036/005/
-
战术
- 名称:持久性
- ID:TA0003
- 参考网址:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:破坏主机软件二进制文件
- ID:T1554
- 参考网址:https://attack.mitre.org/techniques/T1554/