通过 MS VisualStudio 预生成/后期生成事件执行
编辑通过 MS VisualStudio 预生成/后期生成事件执行编辑
识别通过 Microsoft Visual Studio 预生成或后期生成事件执行的命令。攻击者可能会在受信任的 Visual Studio 项目中植入后门,以便在项目生成过程中执行恶意命令。
规则类型:eql
规则索引:
- logs-endpoint.events.process-*
严重程度:低
风险评分: 21
运行间隔:60 分钟
搜索索引范围:now-119m(日期数学格式,另请参阅额外回溯时间)
每次执行的最大警报数: 100
参考:
- https://docs.microsoft.com/zh-cn/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html
- https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx
标签:
- 域:终端
- 操作系统:Windows
- 用例:威胁检测
- 战术:防御规避
- 战术:执行
- 规则类型:BBR
- 数据源:Elastic Defend
版本: 2
规则作者:
- Elastic
规则许可证:Elastic 许可证 v2
规则查询编辑
sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
process.name : "cmd.exe" and process.parent.name : "MSBuild.exe" and
process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\tmp*.exec.cmd"] by process.entity_id
[process where host.os.type == "windows" and event.action == "start" and
process.name : (
"cmd.exe", "powershell.exe",
"MSHTA.EXE", "CertUtil.exe",
"CertReq.exe", "rundll32.exe",
"regsvr32.exe", "MSbuild.exe",
"cscript.exe", "wscript.exe",
"installutil.exe"
) and
not
(
process.name : ("cmd.exe", "powershell.exe") and
process.args : (
"*\\vcpkg\\scripts\\buildsystems\\msbuild\\applocal.ps1",
"HKLM\\SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS?",
"process.versions.node*",
"?:\\Program Files\\nodejs\\node.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\*",
"*Get-ChildItem*Tipasplus.css*",
"Build\\GenerateResourceScripts.ps1",
"Shared\\Common\\..\\..\\BuildTools\\ConfigBuilder.ps1\"",
"?:\\Projets\\*\\PostBuild\\MediaCache.ps1"
)
) and
not process.executable : "?:\\Program Files*\\Microsoft Visual Studio\\*\\MSBuild.exe" and
not (process.name : "cmd.exe" and
process.command_line :
("*vswhere.exe -property catalog_productSemanticVersion*",
"*git log --pretty=format*", "*\\.nuget\\packages\\vswhere\\*",
"*Common\\..\\..\\BuildTools\\*"))
] by process.parent.entity_id
框架:MITRE ATT&CKTM
-
战术
- 名称:防御规避
- ID:TA0005
- 参考链接:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:受信任开发者实用程序代理执行
- ID:T1127
- 参考链接:https://attack.mitre.org/techniques/T1127/
-
子技术
- 名称:MSBuild
- ID:T1127.001
- 参考链接:https://attack.mitre.org/techniques/T1127/001/
-
战术
- 名称:执行
- ID:TA0002
- 参考链接:https://attack.mitre.org/tactics/TA0002/