伪装成通信应用程序的潜在威胁

编辑

伪装成通信应用程序的潜在威胁

编辑

识别可疑的通信应用程序实例（包括未签名和重命名的应用程序），这些实例可能表明试图隐藏恶意活动、绕过安全功能（例如允许列表）或诱骗用户执行恶意软件。

规则类型: eql

规则索引:

logs-endpoint.events.process-*

严重性: 中等

风险评分: 47

运行频率: 5 分钟

搜索索引时间范围: now-9m (日期数学格式，另见 额外回溯时间)

每次执行的最大告警数: 100

参考: 无

标签:

领域：端点
操作系统：Windows
用例：威胁检测
战术：防御规避
数据源：Elastic Defend

版本: 6

规则作者:

Elastic

规则许可证: Elastic License v2

规则查询

编辑

process where host.os.type == "windows" and
  event.type == "start" and
  (
    /* Slack */
    (process.name : "slack.exe" and not
      (process.code_signature.subject_name in (
        "Slack Technologies, Inc.",
        "Slack Technologies, LLC"
       ) and process.code_signature.trusted == true)
    ) or

    /* WebEx */
    (process.name : "WebexHost.exe" and not
      (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
    ) or

    /* Teams */
    (process.name : "Teams.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Discord */
    (process.name : "Discord.exe" and not
      (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
    ) or

    /* RocketChat */
    (process.name : "Rocket.Chat.exe" and not
      (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
    ) or

    /* Mattermost */
    (process.name : "Mattermost.exe" and not
      (process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
    ) or

    /* WhatsApp */
    (process.name : "WhatsApp.exe" and not
      (process.code_signature.subject_name in (
        "WhatsApp LLC",
        "WhatsApp, Inc",
        "24803D75-212C-471A-BC57-9EF86AB91435"
       ) and process.code_signature.trusted == true)
    ) or

    /* Zoom */
    (process.name : "Zoom.exe" and not
      (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
    ) or

    /* Outlook */
    (process.name : "outlook.exe" and not
      (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
    ) or

    /* Thunderbird */
    (process.name : "thunderbird.exe" and not
      (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
    )
  )

框架: MITRE ATT&CK^TM

战术
- 名称：防御规避
- ID：TA0005
- 参考网址：https://attack.mitre.org/tactics/TA0005/
技术
- 名称：伪装
- ID：T1036
- 参考网址：https://attack.mitre.org/techniques/T1036/
子技术
- 名称：无效代码签名
- ID：T1036.001
- 参考网址：https://attack.mitre.org/techniques/T1036/001/
子技术
- 名称：匹配合法名称或位置
- ID：T1036.005
- 参考网址：https://attack.mitre.org/techniques/T1036/005/
战术
- 名称：持久性
- ID：TA0003
- 参考网址：https://attack.mitre.org/tactics/TA0003/
技术
- 名称：破坏主机软件二进制文件
- ID：T1554
- 参考网址：https://attack.mitre.org/techniques/T1554/

« 伪装成商业应用程序安装程序的潜在威胁伪装成 System32 DLL 的潜在威胁 »