Potential Masquerading as Browser Process
Identifies suspicious instances of browser processes, such as unsigned ones or ones signed with unusual certificates, which can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Persistence
- Rule Type: BBR
- Data Source: Elastic Defend
Version: 5
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
```eql
process where host.os.type == "windows" and event.type == "start" and
(
  /* Chrome Related Processes */
  (process.name : (
      "chrome.exe", "GoogleUpdate.exe", "GoogleCrashHandler64.exe", "GoogleCrashHandler.exe",
      "GoogleUpdateComRegisterShell64.exe", "GoogleUpdateSetup.exe", "GoogleUpdateOnDemand.exe",
      "chrome_proxy.exe", "remote_assistance_host.exe", "remoting_native_messaging_host.exe",
      "GoogleUpdateBroker.exe"
    ) and
    not (process.code_signature.subject_name : ("Google LLC", "Google Inc") and process.code_signature.trusted == true) and
    not (
      process.executable : (
        "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe",
        "?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe"
      ) and
      process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true
    ) and
    not (
      process.executable : ("?:\\Program Files\\dynatrace\\synthetic\\Chrome-bin\\chrome.exe") and
      process.code_signature.subject_name : ("Dynatrace LLC") and process.code_signature.trusted == true
    ) and
    not (
      process.executable : (
        "?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe",
        "?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe",
        "*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe",
        "?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe",
        "?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe",
        "?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe",
        "?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe"
      ) and
      process.args : (
        "--enable-features=NetworkService,NetworkServiceInProcess", "--type=crashpad-handler",
        "--enable-automation", "--disable-xss-auditor"
      )
    )
  ) or

  /* MS Edge Related Processes */
  (process.name : (
      "msedge.exe", "MicrosoftEdgeUpdate.exe", "identity_helper.exe", "msedgewebview2.exe",
      "MicrosoftEdgeWebview2Setup.exe", "MicrosoftEdge_X*.exe", "msedge_proxy.exe",
      "MicrosoftEdgeUpdateCore.exe", "MicrosoftEdgeUpdateBroker.exe", "MicrosoftEdgeUpdateSetup_X*.exe",
      "MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe"
    ) and
    not (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) and
    not (
      process.name : "msedgewebview2.exe" and
      process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation") and
      process.code_signature.trusted == true
    )
  ) or

  /* Brave Related Processes */
  (process.name : (
      "brave.exe", "BraveUpdate.exe", "BraveCrashHandler64.exe", "BraveCrashHandler.exe",
      "BraveUpdateOnDemand.exe", "brave_vpn_helper.exe", "BraveUpdateSetup*.exe",
      "BraveUpdateComRegisterShell64.exe"
    ) and
    not (process.code_signature.subject_name : "Brave Software, Inc." and process.code_signature.trusted == true)
  ) or

  /* Firefox Related Processes */
  (process.name : (
      "firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe",
      "plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe",
      "minidump-analyzer.exe"
    ) and
    not (process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) and
    not (
      process.name : "default-browser-agent.exe" and
      process.code_signature.subject_name : ("WATERFOX LIMITED") and process.code_signature.trusted == true
    )
  ) or

  /* Island Related Processes */
  (process.name : (
      "Island.exe", "IslandUpdate.exe", "IslandCrashHandler.exe", "IslandCrashHandler64.exe",
      "IslandUpdateBroker.exe", "IslandUpdateOnDemand.exe", "IslandUpdateComRegisterShell64.exe",
      "IslandUpdateSetup.exe"
    ) and
    not (process.code_signature.subject_name : "Island Technology Inc." and process.code_signature.trusted == true)
  ) or

  /* Opera Related Processes */
  (process.name : ("opera.exe", "opera_*.exe", "browser_assistant.exe") and
    not (process.code_signature.subject_name : ("Opera Norway AS", "Opera Software AS") and process.code_signature.trusted == true)
  ) or

  /* Whale Related Processes */
  (process.name : ("whale.exe", "whale_update.exe", "wusvc.exe") and
    not (process.code_signature.subject_name : "NAVER Corp." and process.code_signature.trusted == true)
  ) or

  /* Chromium-based Browsers processes */
  (process.name : ("chrmstp.exe", "notification_helper.exe", "elevation_service.exe") and
    not (
      process.code_signature.subject_name : (
        "Island Technology Inc.", "Citrix Systems, Inc.", "Brave Software, Inc.", "Google LLC", "Google Inc",
        "Microsoft Corporation", "NAVER Corp.", "AVG Technologies USA, LLC", "Avast Software s.r.o.",
        "PIRIFORM SOFTWARE LIMITED", "NortonLifeLock Inc.", "Opera Norway AS"
      ) and
      process.code_signature.trusted == true
    )
  )
)
```
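The rule's logic, name-based match followed by a signer check and then the benign carve-outs, can be exercised outside Elastic against a handful of process-start events. The following is an added Python example, not Elastic's code: it models only the Chrome and Edge families and two of the exceptions, uses a flat dict per event in place of ECS fields, and runs over constructed sample events.

```python
import fnmatch

# Subset of the rule on this page: process name -> signer(s) the rule expects on a trusted signature.
EXPECTED_SIGNERS = {
    "chrome.exe": {"Google LLC", "Google Inc"},
    "msedge.exe": {"Microsoft Corporation"},
    "msedgewebview2.exe": {"Microsoft Corporation"},
}
# Benign third-party builds the rule carves out by executable path: (glob, signer).
PATH_EXCEPTIONS = [
    ("?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe", "Bromium, Inc."),
]
# Carve-outs keyed on process name alone (the msedgewebview2.exe clause of the rule).
NAME_EXCEPTIONS = {
    "msedgewebview2.exe": {"Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation"},
}

def validly_signed(ev, signers):
    """Mirror `code_signature.subject_name : (...) and code_signature.trusted == true`."""
    return ev.get("subject_name") in signers and ev.get("trusted") is True

def matches(ev):
    """True when the rule would alert on this process-start event (flat dict of fields)."""
    if ev.get("os") != "windows" or ev.get("event_type") != "start":
        return False
    signers = EXPECTED_SIGNERS.get(ev["name"])
    if signers is None or validly_signed(ev, signers):
        return False  # name not covered here, or signed by the expected vendor
    exe = ev.get("executable", "").lower()  # EQL `:` compares case-insensitively
    for pattern, signer in PATH_EXCEPTIONS:
        if fnmatch.fnmatchcase(exe, pattern.lower()) and validly_signed(ev, {signer}):
            return False
    return not validly_signed(ev, NAME_EXCEPTIONS.get(ev["name"], set()))

def alerts(events):
    """Executables of the events the rule would flag."""
    return [ev["executable"] for ev in events if matches(ev)]

# Constructed sample telemetry, not real events.
EVENTS = [dict(os="windows", event_type="start", **e) for e in (
    dict(name="chrome.exe", executable="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         subject_name="Google LLC", trusted=True),            # vendor-signed: no alert
    dict(name="chrome.exe", executable="C:\\Users\\u\\AppData\\Local\\Temp\\chrome.exe",
         subject_name=None, trusted=False),                    # unsigned lookalike: alert
    dict(name="chrome.exe", executable="C:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe",
         subject_name="Bromium, Inc.", trusted=True),          # known carve-out: no alert
    dict(name="msedgewebview2.exe", executable="C:\\App\\msedgewebview2.exe",
         subject_name="Google LLC", trusted=True),             # trusted but wrong signer: alert
)]
```

The fourth event shows why the rule checks the signer name and not just `trusted`: a validly signed binary from a different publisher still fires.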
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Masquerading
  - ID: T1036
  - Reference URL: https://attack.mitre.org/techniques/T1036/
- Sub-technique:
  - Name: Invalid Code Signature
  - ID: T1036.001
  - Reference URL: https://attack.mitre.org/techniques/T1036/001/
- Sub-technique:
  - Name: Match Legitimate Name or Location
  - ID: T1036.005
  - Reference URL: https://attack.mitre.org/techniques/T1036/005/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Compromise Host Software Binary
  - ID: T1554
  - Reference URL: https://attack.mitre.org/techniques/T1554/