潜在的伪装为浏览器进程
编辑潜在的伪装为浏览器进程编辑
识别浏览器进程的可疑实例,例如未签名或使用异常证书签名的实例,这可能表明试图隐藏恶意活动、绕过允许列表等安全功能或诱骗用户执行恶意软件。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
严重性: 低
风险评分: 21
每隔: 5m
从以下时间开始搜索索引: now-9m (日期数学格式,另请参阅 其他回溯时间)
每次执行的最大警报数: 100
参考: 无
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 策略:防御规避
- 策略:持久性
- 规则类型:BBR
- 数据源:Elastic Defend
版本: 5
规则作者:
- Elastic
规则许可证: Elastic License v2
规则查询编辑
process where host.os.type == "windows" and event.type == "start" and
(
/* Chrome Related Processes */
(process.name : (
"chrome.exe", "GoogleUpdate.exe", "GoogleCrashHandler64.exe", "GoogleCrashHandler.exe",
"GoogleUpdateComRegisterShell64.exe", "GoogleUpdateSetup.exe", "GoogleUpdateOnDemand.exe",
"chrome_proxy.exe", "remote_assistance_host.exe", "remoting_native_messaging_host.exe",
"GoogleUpdateBroker.exe"
) and not
(process.code_signature.subject_name : ("Google LLC", "Google Inc") and process.code_signature.trusted == true)
and not
(
process.executable : (
"?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe",
"?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe"
) and
process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true
) and not
(
process.executable : (
"?:\\Program Files\\dynatrace\\synthetic\\Chrome-bin\\chrome.exe"
) and
process.code_signature.subject_name : ("Dynatrace LLC") and process.code_signature.trusted == true
) and
not (
process.executable : (
"?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe",
"*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe",
"?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe",
"?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe",
"?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe"
) and process.args: (
"--enable-features=NetworkService,NetworkServiceInProcess",
"--type=crashpad-handler", "--enable-automation", "--disable-xss-auditor"
)
)
) or
/* MS Edge Related Processes */
(process.name : (
"msedge.exe", "MicrosoftEdgeUpdate.exe", "identity_helper.exe", "msedgewebview2.exe",
"MicrosoftEdgeWebview2Setup.exe", "MicrosoftEdge_X*.exe", "msedge_proxy.exe",
"MicrosoftEdgeUpdateCore.exe", "MicrosoftEdgeUpdateBroker.exe", "MicrosoftEdgeUpdateSetup_X*.exe",
"MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe"
) and not
(process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
and not
(
process.name : "msedgewebview2.exe" and
process.code_signature.subject_name : ("Bromium, Inc.", "Amazon.com Services LLC", "Code Systems Corporation") and process.code_signature.trusted == true
)
) or
/* Brave Related Processes */
(process.name : (
"brave.exe", "BraveUpdate.exe", "BraveCrashHandler64.exe", "BraveCrashHandler.exe",
"BraveUpdateOnDemand.exe", "brave_vpn_helper.exe", "BraveUpdateSetup*.exe",
"BraveUpdateComRegisterShell64.exe"
) and not
(process.code_signature.subject_name : "Brave Software, Inc." and process.code_signature.trusted == true)
) or
/* Firefox Related Processes */
(process.name : (
"firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe",
"plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe",
"minidump-analyzer.exe"
) and not
(process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true)
and not
(
process.name : "default-browser-agent.exe" and
process.code_signature.subject_name : ("WATERFOX LIMITED") and process.code_signature.trusted == true
)
) or
/* Island Related Processes */
(process.name : (
"Island.exe", "IslandUpdate.exe", "IslandCrashHandler.exe", "IslandCrashHandler64.exe",
"IslandUpdateBroker.exe", "IslandUpdateOnDemand.exe", "IslandUpdateComRegisterShell64.exe",
"IslandUpdateSetup.exe"
) and not
(process.code_signature.subject_name : "Island Technology Inc." and process.code_signature.trusted == true)
) or
/* Opera Related Processes */
(process.name : (
"opera.exe", "opera_*.exe", "browser_assistant.exe"
) and not
(process.code_signature.subject_name : ("Opera Norway AS", "Opera Software AS") and process.code_signature.trusted == true)
) or
/* Whale Related Processes */
(process.name : (
"whale.exe", "whale_update.exe", "wusvc.exe"
) and not
(process.code_signature.subject_name : "NAVER Corp." and process.code_signature.trusted == true)
) or
/* Chromium-based Browsers processes */
(process.name : (
"chrmstp.exe", "notification_helper.exe", "elevation_service.exe"
) and not
(process.code_signature.subject_name : (
"Island Technology Inc.",
"Citrix Systems, Inc.",
"Brave Software, Inc.",
"Google LLC",
"Google Inc",
"Microsoft Corporation",
"NAVER Corp.",
"AVG Technologies USA, LLC",
"Avast Software s.r.o.",
"PIRIFORM SOFTWARE LIMITED",
"NortonLifeLock Inc.",
"Opera Norway AS"
) and process.code_signature.trusted == true
)
)
)
框架: MITRE ATT&CKTM
-
策略
- 名称:防御规避
- ID:TA0005
- 参考 URL:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:伪装
- ID:T1036
- 参考网址:https://attack.mitre.org/techniques/T1036/
-
子技术
- 名称:无效代码签名
- ID:T1036.001
- 参考网址:https://attack.mitre.org/techniques/T1036/001/
-
子技术
- 名称:匹配合法名称或位置
- ID:T1036.005
- 参考网址:https://attack.mitre.org/techniques/T1036/005/
-
策略
- 名称:持久性
- ID:TA0003
- 参考网址:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:破坏主机软件二进制文件
- ID:T1554
- 参考网址:https://attack.mitre.org/techniques/T1554/