可疑的 Windows 命令行参数

编辑

可疑的 Windows 命令行参数

编辑

识别使用可疑参数值的 Windows 命令行进程 (cmd.exe) 的执行。这种行为通常在恶意软件安装过程中观察到。

规则类型: eql

规则索引:

winlogbeat-*
logs-windows.*
logs-system.security*
logs-windows.sysmon_operational-*
logs-sentinel_one_cloud_funnel.*
logs-m365_defender.event-*

严重性: 高

风险评分: 73

每: 5 分钟运行一次

搜索索引自: now-9m (日期数学格式，另见 额外回溯时间)

每次执行的最大告警数: 100

参考资料: 无

标签:

域：终端
操作系统：Windows
用例：威胁检测
策略：执行
数据源：系统
数据源：Sysmon
数据源：SentinelOne
数据源：Microsoft Defender for Endpoint

版本: 201

规则作者:

Elastic

规则许可证: Elastic License v2

规则查询

编辑

process where host.os.type == "windows" and event.type == "start" and
 process.name : "cmd.exe" and
 (

  process.command_line : ("*).Run(*", "*GetObject*", "* curl*regsvr32*", "*echo*wscript*", "*echo*ZONE.identifier*",
  "*ActiveXObject*", "*dir /s /b *echo*", "*unescape(*",  "*findstr*TVNDRgAAAA*", "*findstr*passw*", "*start*\\\\*\\DavWWWRoot\\*",
  "* explorer*%CD%*", "*%cd%\\*.js*", "*attrib*%CD%*", "*/?cMD<*", "*/AutoIt3ExecuteScript*..*", "*&cls&cls&cls&cls&cls&*",
  "*&#*;&#*;&#*;&#*;*", "* &&s^eT*", "*& ChrW(*", "*&explorer /root*", "*start __ & __\\*", "*findstr /V /L *forfiles*",
  "*=wscri& set *", "*http*!COmpUternaME!*", "*start *.pdf * start /min cmd.exe /c *\\\\*", "*pip install*System.Net.WebClient*",
  "*Invoke-WebReques*Start-Process*", "*-command (Invoke-webrequest*", "*copy /b *\\\\* ping *-n*", "*echo*.ToCharArray*") or

  (process.args : "echo" and process.parent.name : ("wscript.exe", "mshta.exe")) or

  process.args : ("1>?:\\*.vbs", "1>?:\\*.js") or

  (process.args : "explorer.exe" and process.args : "type" and process.args : ">" and process.args : "start") or

  (process.parent.name : "explorer.exe" and
   process.command_line :
           ("*&&S^eT *",
            "*&& set *&& set *&& set *&& set *&& set *&& call*",
            "**\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??\\u00??*")) or

   (process.parent.name : "explorer.exe" and process.args : "copy" and process.args : "&&" and process.args : "\\\\*@*\\*")
  ) and

  /* false positives */
  not (process.args : "%TEMP%\\Spiceworks\\*" and process.parent.name : "wmiprvse.exe") and
  not process.parent.executable :
                ("?:\\Perl64\\bin\\perl.exe",
                 "?:\\Program Files\\nodejs\\node.exe",
                 "?:\\Program Files\\HP\\RS\\pgsql\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\PRTG Network Monitor\\64 bit\\PRTG Server.exe",
                 "?:\\Program Files (x86)\\Spiceworks\\bin\\spiceworks-finder.exe",
                 "?:\\Program Files (x86)\\Zuercher Suite\\production\\leds\\leds.exe",
                 "?:\\Program Files\\Tripwire\\Agent\\Plugins\\twexec\\twexec.exe",
                 "D:\\Agents\\?\\_work\\_tasks\\*\\SonarScanner.MSBuild.exe",
                 "?:\\Program Files\\Microsoft VS Code\\Code.exe",
                 "?:\\programmiweb\\NetBeans-*\\netbeans\\bin\\netbeans64.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files\\NetBeans-*\\netbeans\\bin\\netbeans*.exe",
                 "?:\\Program Files (x86)\\Public Safety Suite Professional\\production\\leds\\leds.exe",
                 "?:\\Program Files (x86)\\Tier2Tickets\\button_gui.exe",
                 "?:\\Program Files (x86)\\Helpdesk Button\\button_gui.exe",
                 "?:\\VTSPortable\\VTS\\jre\\bin\\javaw.exe",
                 "?:\\Program Files\\Bot Framework Composer\\Bot Framework Composer.exe",
                 "?:\\Program Files\\KMSYS Worldwide\\eQuate\\*\\SessionMgr.exe",
                 "?:\\Program Files (x86)\\Craneware\\Pricing Analyzer\\Craneware.Pricing.Shell.exe",
                 "?:\\Program Files (x86)\\jumpcloud-agent-app\\jumpcloud-agent-app.exe",
                 "?:\\Program Files\\PostgreSQL\\*\\bin\\pg_dumpall.exe",
                 "?:\\Program Files (x86)\\Vim\\vim*\\vimrun.exe") and
  not (process.args :  "?:\\Program Files\\Citrix\\Secure Access Client\\nsauto.exe" and process.parent.name : "userinit.exe") and
  not process.args :
            ("?:\\Program Files (x86)\\PCMatic\\PCPitstopScheduleService.exe",
             "?:\\Program Files (x86)\\AllesTechnologyAgent\\*",
             "https://auth.axis.com/oauth2/oauth-authorize*") and
  not process.command_line :
               ("\"cmd\" /c %NETBEANS_MAVEN_COMMAND_LINE%",
                "?:\\Windows\\system32\\cmd.exe /q /d /s /c \"npm.cmd ^\"install^\" ^\"--no-bin-links^\" ^\"--production^\"\"") and
  not (process.name : "cmd.exe" and process.args : "%TEMP%\\Spiceworks\\*" and process.args : "http*/dataloader/persist_netstat_data") and
  not (process.args == "echo" and process.args == "GEQ" and process.args == "1073741824")

框架: MITRE ATT&CK^TM

策略
- 名称：执行
- ID：TA0002
- 参考网址：https://attack.mitre.org/tactics/TA0002/
技术
- 名称：命令和脚本解释器
- ID：T1059
- 参考网址：https://attack.mitre.org/techniques/T1059/
子技术
- 名称：Windows 命令行
- ID：T1059.003
- 参考网址：https://attack.mitre.org/techniques/T1059/003/

« 可疑的 WerFault 子进程可疑的 Windows PowerShell 参数 »