WPAD 服务利用
编辑WPAD 服务利用编辑
识别可能对 Web 代理自动发现协议 (WPAD) 服务的利用。攻击者如果可以访问本地网络或上游 DNS 流量,则可以将恶意 JavaScript 注入 WPAD 服务,从而导致系统完全被入侵。
规则类型: eql
规则索引:
- logs-endpoint.events.process-*
- logs-endpoint.events.network-*
- logs-endpoint.events.library-*
严重程度: 高
风险评分: 73
每: 5m
从: now-9m (日期数学格式,另请参见 其他回溯时间)
每次执行的最大警报数: 100
参考资料: 无
标签:
- 域:端点
- 操作系统:Windows
- 用例:威胁检测
- 战术:特权提升
- 数据源:Elastic Defend
版本: 1
规则作者:
- Elastic
规则许可证: Elastic 许可证 v2
规则查询编辑
/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
/* didn't trigger successfully during testing */
sequence with maxspan=5s
[process where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and
user.domain : "NT AUTHORITY" and user.name : "LOCAL SERVICE"] by process.entity_id
[network where host.os.type == "windows" and network.protocol : "dns" and process.name : "svchost.exe" and
dns.question.name : "wpad" and process.name : "svchost.exe"] by process.entity_id
[network where host.os.type == "windows" and process.name : "svchost.exe"
and network.direction : ("outgoing", "egress") and destination.port == 80] by process.entity_id
[library where host.os.type == "windows" and event.type : "start" and process.name : "svchost.exe" and
dll.name : "jscript.dll" and process.name : "svchost.exe"] by process.entity_id
[process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "svchost.exe"] by process.parent.entity_id
框架: MITRE ATT&CKTM
-
战术
- 名称:特权提升
- ID:TA0004
- 参考 URL:https://attack.mitre.org/tactics/TA0004/
-
技术
- 名称:利用以提升特权
- ID:T1068
- 参考 URL:https://attack.mitre.org/techniques/T1068/