潜在伪装成通信应用程序
编辑潜在伪装成通信应用程序编辑
识别可疑的通信应用程序实例(包括未签名和已重命名的应用程序),这可能表明试图隐藏恶意活动、绕过允许列表等安全功能或诱骗用户执行恶意软件。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
严重性: 中等
风险评分: 47
每隔: 5 分钟运行一次
从以下时间开始搜索索引: now-9m(日期数学格式,另请参见 其他回溯时间)
每次执行的最大警报数: 100
参考: 无
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 策略:防御规避
- 数据源:Elastic Defend
版本: 6
规则作者:
- Elastic
规则许可证: Elastic 许可证 v2
规则查询编辑
process where host.os.type == "windows" and
event.type == "start" and
(
/* Slack */
(process.name : "slack.exe" and not
(process.code_signature.subject_name in (
"Slack Technologies, Inc.",
"Slack Technologies, LLC"
) and process.code_signature.trusted == true)
) or
/* WebEx */
(process.name : "WebexHost.exe" and not
(process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true)
) or
/* Teams */
(process.name : "Teams.exe" and not
(process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
) or
/* Discord */
(process.name : "Discord.exe" and not
(process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true)
) or
/* RocketChat */
(process.name : "Rocket.Chat.exe" and not
(process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true)
) or
/* Mattermost */
(process.name : "Mattermost.exe" and not
(process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true)
) or
/* WhatsApp */
(process.name : "WhatsApp.exe" and not
(process.code_signature.subject_name in (
"WhatsApp LLC",
"WhatsApp, Inc",
"24803D75-212C-471A-BC57-9EF86AB91435"
) and process.code_signature.trusted == true)
) or
/* Zoom */
(process.name : "Zoom.exe" and not
(process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true)
) or
/* Outlook */
(process.name : "outlook.exe" and not
(process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true)
) or
/* Thunderbird */
(process.name : "thunderbird.exe" and not
(process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true)
)
)
框架: MITRE ATT&CKTM
-
策略
- 名称:防御规避
- ID:TA0005
- 参考 URL:https://attack.mitre.org/tactics/TA0005/
-
技术
- 名称:伪装
- ID:T1036
- 参考网址:https://attack.mitre.org/techniques/T1036/
-
子技术
- 名称:无效代码签名
- ID:T1036.001
- 参考网址:https://attack.mitre.org/techniques/T1036/001/
-
子技术
- 名称:匹配合法名称或位置
- ID:T1036.005
- 参考网址:https://attack.mitre.org/techniques/T1036/005/
-
策略
- 名称:持久性
- ID:TA0003
- 参考网址:https://attack.mitre.org/tactics/TA0003/
-
技术
- 名称:破坏主机软件二进制文件
- ID:T1554
- 参考网址:https://attack.mitre.org/techniques/T1554/