通过 MSIEXEC 执行可疑操作

编辑

通过 MSIEXEC 执行可疑操作

编辑

识别通过内置 Windows 安装程序 msiexec.exe 从常用路径或父进程安装程序包的可疑执行操作。攻击者可能会滥用 msiexec.exe 来启动恶意的本地 MSI 文件。

规则类型: eql

规则索引:

logs-endpoint.events.process-*
winlogbeat-*
logs-windows.*
endgame-*

严重性: 低

风险评分: 21

每隔: 60m

搜索索引范围: now-119m (日期数学格式，另请参见 额外回溯时间)

每次执行的最大告警数: 100

参考资料:

标签:

领域: 端点
操作系统: Windows
用例: 威胁检测
战术: 防御规避
规则类型: BBR
数据源: Elastic Defend
数据源: Elastic Endgame

版本: 103

规则作者:

Elastic

规则许可证: Elastic License v2

规则查询

编辑

process where host.os.type == "windows" and event.action == "start" and
  process.name : "msiexec.exe" and user.id : ("S-1-5-21*", "S-1-12-*") and process.parent.executable != null and
  (
    (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and
     process.args : ("?:\\Users\\*", "?:\\ProgramData\\*") and
     not process.parent.executable : ("?:\\Program Files (x86)\\*.exe",
                                      "?:\\Program Files\\*.exe",
                                      "?:\\Windows\\explorer.exe",
                                      "?:\\Users\\*\\Desktop\\*",
                                      "?:\\Users\\*\\Downloads\\*",
                                      "?:\\programdata\\*")) or

    (process.args_count == 1 and not process.parent.executable : ("?:\\Windows\\explorer.exe", "?:\\Windows\\SysWOW64\\explorer.exe")) or

    (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and
     (process.parent.args : "Schedule" or process.parent.name : "wmiprvse.exe" or
     process.parent.executable : "?:\\Users\\*\\AppData\\*" or
     (process.parent.name : ("powershell.exe", "cmd.exe") and length(process.parent.command_line) >= 200))) or

    (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and
     ?process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe"))
  ) and

  /* noisy pattern */
  not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and ?process.parent.args_count >= 2 and
       process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\*\\*.msi") and

  not process.args : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*")

框架: MITRE ATT&CK^TM

战术
- 名称: 防御规避
- ID: TA0005
- 参考网址: https://attack.mitre.org/tactics/TA0005/
技术
- 名称: 系统二进制代理执行
- ID: T1218
- 参考网址: https://attack.mitre.org/techniques/T1218/
子技术
- 名称: Msiexec
- ID: T1218.007
- 参考网址: https://attack.mitre.org/techniques/T1218/007/