Suspicious Module Loaded by LSASS
Identifies unsigned or untrusted DLLs loaded by LSASS. Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, an SSP DLL has access to the encrypted and plaintext passwords stored in Windows, such as the domain password or smart card PIN of any logged-on user.
Rule type: eql
Rule indices:
- logs-endpoint.events.library-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
Version: 8
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
If an EQL rule is enabled on a non-elastic-agent index (such as beats) on versions earlier than 8.2, events will not define event.ingested, and the default fallback for EQL rules was not added until version 8.2. For this rule to work effectively, users will therefore need to add a custom ingest pipeline that populates event.ingested from @timestamp. For details on adding a custom ingest pipeline, see https://elastic.ac.cn/guide/en/fleet/current/data-streams-pipeline-tutorial.html
Rule query
library where host.os.type == "windows" and
  process.executable : "?:\\Windows\\System32\\lsass.exe" and
  not (dll.code_signature.subject_name : (
        "Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher",
        "Microsoft Windows Software Compatibility Publisher", "Microsoft Windows Hardware Compatibility Publisher",
        "McAfee, Inc.", "SecMaker AB", "HID Global Corporation", "HID Global", "Apple Inc.",
        "Citrix Systems, Inc.", "Dell Inc", "Hewlett-Packard Company", "Symantec Corporation",
        "National Instruments Corporation", "DigitalPersona, Inc.", "Novell, Inc.", "gemalto",
        "EasyAntiCheat Oy", "Entrust Datacard Corporation", "AuriStor, Inc.", "LogMeIn, Inc.",
        "VMware, Inc.", "Istituto Poligrafico e Zecca dello Stato S.p.A.", "Nubeva Technologies Ltd",
        "Micro Focus (US), Inc.", "Yubico AB", "GEMALTO SA", "Secure Endpoints, Inc.", "Sophos Ltd",
        "Morphisec Information Security 2014 Ltd", "Entrust, Inc.", "Nubeva Technologies Ltd",
        "Micro Focus (US), Inc.", "F5 Networks Inc", "Bit4id", "Thales DIS CPL USA, Inc.",
        "Micro Focus International plc", "HYPR Corp", "Intel(R) Software Development Products",
        "PGP Corporation", "Parallels International GmbH", "FrontRange Solutions Deutschland GmbH",
        "SecureLink, Inc.", "Tidexa OU", "Amazon Web Services, Inc.", "SentryBay Limited",
        "Audinate Pty Ltd", "CyberArk Software Ltd.", "McAfeeSysPrep", "NVIDIA Corporation PE Sign v2016",
        "Trend Micro, Inc.", "Fortinet Technologies (Canada) Inc.", "Carbon Black, Inc.") and
       dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and
  not dll.hash.sha256 : (
        "811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",
        "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1",
        "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3",
        "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12",
        "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa",
        "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b",
        "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61",
        "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb",
        "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95")
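The following Python is an added illustration, not part of the Elastic rule or its documentation. It emulates the query's three clauses (process path, signer allowlist combined with signature status, hash exclusions) against constructed library events, so a detection engineer can see which loads would alert before tuning the allowlist. Assumed: fnmatch stands in for EQL's case-insensitive `:` operator with `*`/`?` wildcards, only a subset of the signers and one hash from the query are included, and events are flat dictionaries keyed by ECS field name.

```python
import fnmatch

# Subset of the allowlisted signers and hash exclusions from the rule query above.
TRUSTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation",
                   "Microsoft Windows Publisher", "Yubico AB", "VMware, Inc.")
TRUSTED_STATUS = ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")
EXCLUDED_SHA256 = ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c",)
LSASS_PATTERN = "?:\\Windows\\System32\\lsass.exe"  # '?' is a one-character wildcard

def eql_match(value, patterns):
    """Emulate EQL ':' -- case-insensitive compare with '*' and '?' wildcards."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_suspicious_lsass_module(ev):
    """True when a library event would trigger the rule."""
    if ev.get("event.category") != "library" or ev.get("host.os.type") != "windows":
        return False
    if not eql_match(ev.get("process.executable"), (LSASS_PATTERN,)):
        return False
    # An allowlisted signer only suppresses the alert if the signature also validates.
    if (eql_match(ev.get("dll.code_signature.subject_name"), TRUSTED_SIGNERS)
            and eql_match(ev.get("dll.code_signature.status"), TRUSTED_STATUS)):
        return False
    return not eql_match(ev.get("dll.hash.sha256"), EXCLUDED_SHA256)

def flagged(events):
    """dll.name of every event the rule would alert on."""
    return [ev["dll.name"] for ev in events if is_suspicious_lsass_module(ev)]

def library_event(name, signer=None, status=None, sha256="00" * 32, exe="C:\\Windows\\System32\\lsass.exe"):
    """Build a constructed (not real) endpoint library event."""
    return {"event.category": "library", "host.os.type": "windows",
            "process.executable": exe, "dll.name": name,
            "dll.code_signature.subject_name": signer,
            "dll.code_signature.status": status, "dll.hash.sha256": sha256}

# Constructed samples: hashes are placeholders, "Example Corp" is a made-up signer.
SAMPLE_EVENTS = [
    library_event("msv1_0.dll", "Microsoft Windows", "trusted"),             # built-in SSP
    library_event("unsigned_ssp.dll"),                                       # no signature
    library_event("vendor_ssp.dll", "Example Corp", "trusted"),              # signer not allowlisted
    library_event("badchain.dll", "Microsoft Windows", "errorUntrustedRoot"),  # allowlisted name, bad chain
    library_event("known_benign.dll", sha256=EXCLUDED_SHA256[0]),            # hash exclusion
]

print(flagged(SAMPLE_EVENTS))  # ['unsigned_ssp.dll', 'vendor_ssp.dll', 'badchain.dll']
```

Note that a DLL whose subject name matches the allowlist is still flagged when its signature status is not one of the accepted values, which is why the status clause sits inside the same `not (...)` group as the signer list.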
Framework: MITRE ATT&CK
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: OS Credential Dumping
  - ID: T1003
  - Reference URL: https://attack.mitre.org/techniques/T1003/
- Sub-technique:
  - Name: LSASS Memory
  - ID: T1003.001
  - Reference URL: https://attack.mitre.org/techniques/T1003/001/