Detection, hunting and summary using ES|QL
In the previous articles of this multipart series [1] [2] [3], the malware researchers of the Elastic Security Labs team broke down the REMCOS configuration structure and provided details about its C2 commands. In this final part, you will learn more about detecting and hunting REMCOS using Elastic technologies.
Detection and hunting
The following Elastic Defend detections trigger on these techniques:
Persistence (Run key)
Process injection
- Windows.Trojan.Remcos, shellcode_thread (triggers several times, on the watchdog and on the main REMCOS injected process)
- Potential masquerading as SVCHOST (the REMCOS watchdog is by default set to an injected child instance of svchost.exe)
- Remote process injection via mapping (triggers on the watchdog and when injecting into C:\Program Files (x86)\Internet Explorer\iexplore.exe)
Privilege escalation (UAC bypass)
Evasion (disable UAC)
- Disabling User Account Control via registry modification (REMCOS spawns cmd.exe, which uses reg.exe to disable UAC by modifying the registry)
Command and control
- Unsigned binary connecting to a dynamic DNS provider (not required, but most observed samples use dynamic DNS)
File deletion
Registry modification
The ExePath registry value used by the REMCOS watchdog process can serve as an indicator of compromise. The following is an example KQL query:
event.category:"registry" and event.action:"modification" and
registry.value:"EXEpath" and not process.code_signature.trusted:true
REMCOS includes three options for clearing browser data, most likely an attempt to force the victim user to re-enter their web credentials so that they can be captured by the keylogger:
enable_browser_cleaning_on_startup_flag
enable_browser_cleaning_only_for_the_first_run_flag
browser_cleaning_sleep_time_in_minutes
This results in the deletion of browser cookies and history-related files. The following KQL query can be used to hunt for this behavior by unsigned processes:
event.category:file and event.action:deletion and file.name:container.dat and
file.path:*INetCookies* and not process.code_signature.trusted:true
REMCOS also employs three main information collection methods. The first is keylogging via the SetWindowsHookEx API. The following ES|QL can be used to hunt for rare or unusual processes performing this behavior:
from logs-endpoint.events.api*
/* keylogging can be done by calling SetwindowsHook to hook keyboard events */
| where event.category == "api" and process.Ext.api.name == "SetWindowsHookEx" and process.Ext.api.parameters.hook_type like "WH_KEYBOARD*"
/* normalize process paths to ease aggregation by process path */
| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
/* limit results to those that are unique to a host across the agents fleet */
| stats occurrences = count(*), agents = count_distinct(host.id) by process_path
| where occurrences == 1 and agents == 1
Example of a match on iexplore.exe (injected by REMCOS):
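The hunt above depends on the two `replace` stages collapsing GUIDs, installer temp names, version-like digit runs and per-user profile directories, so that the same program seen under many profiles and versions aggregates to a single key and only genuinely rare paths survive the `occurrences == 1 and agents == 1` filter. The following Python is an added example, not code from the original post or from Elastic, that reuses the hunt's own regexes and replays the stats/where stages over a constructed, ECS-style event list (the host names, the fictional `vendor.exe` utility and `mousehelper.exe` are assumptions made for the illustration):

```python
import re
from collections import defaultdict

# The two normalisation regexes from the ES|QL hunt, copied verbatim
# (their syntax is also valid for Python's re module).
NOISE_RE = re.compile(
    r"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
    r"|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})"
)
USER_DIR_RE = re.compile(r"[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\")


def normalize_path(executable: str) -> str:
    """Strip GUIDs, installer temp names and version-like digit runs, then
    collapse the per-user profile directory to C:\\users\\user\\ so that one
    program installed under many profiles or versions aggregates to one key.
    Removed tokens leave their surrounding separators in place, exactly as the
    ES|QL replace() does."""
    path = NOISE_RE.sub("", executable)
    return USER_DIR_RE.sub(r"C:\\users\\user\\", path)


def rare_keyboard_hookers(events):
    """Mirror of the stats/where stages: count SetWindowsHookEx keyboard-hook
    events and distinct hosts per normalised path, and keep the paths seen
    exactly once on exactly one host across the fleet."""
    occurrences = defaultdict(int)
    agents = defaultdict(set)
    for ev in events:
        if ev.get("event.category") != "api" or ev.get("process.Ext.api.name") != "SetWindowsHookEx":
            continue
        # ES|QL `like "WH_KEYBOARD*"` covers both WH_KEYBOARD and WH_KEYBOARD_LL.
        if not str(ev.get("process.Ext.api.parameters.hook_type", "")).startswith("WH_KEYBOARD"):
            continue
        key = normalize_path(ev["process.executable"])
        occurrences[key] += 1
        agents[key].add(ev["host.id"])
    return sorted(p for p in occurrences if occurrences[p] == 1 and len(agents[p]) == 1)


def api_event(host, exe, hook_type):
    # Constructed, ECS-style flat event used only for this illustration.
    return {"event.category": "api", "host.id": host, "process.executable": exe,
            "process.Ext.api.name": "SetWindowsHookEx",
            "process.Ext.api.parameters.hook_type": hook_type}


# Constructed sample fleet data, not real telemetry.
SAMPLE_API_EVENTS = [
    # Injected iexplore.exe installing a low-level keyboard hook on a single host.
    api_event("host-a", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe", "WH_KEYBOARD_LL"),
    # A fictional per-user utility seen on three hosts under different profiles and
    # versions; normalisation folds these into one path so it is not reported as rare.
    api_event("host-a", r"C:\Users\alice\AppData\Local\Programs\Vendor\1.4.2\vendor.exe", "WH_KEYBOARD"),
    api_event("host-b", r"C:\Users\bob\AppData\Local\Programs\Vendor\1.4.3\vendor.exe", "WH_KEYBOARD"),
    api_event("host-c", r"C:\Users\carol\AppData\Local\Programs\Vendor\1.4.2\vendor.exe", "WH_KEYBOARD_LL"),
    # A mouse hook is out of scope for the keylogging hunt.
    api_event("host-b", r"C:\Tools\mousehelper.exe", "WH_MOUSE_LL"),
]

if __name__ == "__main__":
    for path in rare_keyboard_hookers(SAMPLE_API_EVENTS):
        print("rare keyboard hook:", path)
```

Running it reports only the injected iexplore.exe path: the three `vendor.exe` events normalise to the same key (profile name and version removed) and are dropped because they occur on three agents, and the mouse hook never enters the aggregation. The same normalisation can be dropped into the WAV hunt further down, which uses identical `replace` stages.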
The second method is taking multiple screenshots and saving them as jpg files whose names follow the pattern time_year-month-day_hour-min-sec.jpg (for example, time_20240308_171037.jpg). The following ES|QL hunt can be used to identify suspicious processes with similar behavior:
from logs-endpoint.events.file*
/* remcos screenshots naming pattern */
| where event.category == "file" and host.os.family == "windows" and event.action == "creation" and file.extension == "jpg" and file.name rlike """time_202\d{5}_\d{6}.jpg"""
| stats occurrences = count(*), agents = count_distinct(host.id) by process.name, process.entity_id
/* number of screenshots is 5 or more by the same process.entity_id and this behavior is limited to a unique host/process */
| where occurrences >= 5 and agents == 1
The image below shows REMCOS and the injected iexplore.exe instance (pivot on process.entity_id for further investigation):
The third collection method saves audio recordings as WAV files. The following ES|QL hunt can be used to find rare processes dropping WAV files:
from logs-endpoint.events.file*
| where event.category == "file" and host.os.family == "windows" and event.action == "creation" and file.extension == "wav"
/* normalize process paths to ease aggregation by process path */
| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\")
| stats wav_files_count = count(*), agents = count_distinct(host.id) by process_path
/* limit results to a unique process observed on 1 agent with 10 or fewer dropped wav files */
| where agents == 1 and wav_files_count <= 10
The following ES|QL hunt can also find processes that drop both JPG and WAV files under the same process identifier (process.entity_id):
from logs-endpoint.events.file*
| where event.category == "file" and host.os.family == "windows" and event.action == "creation" and file.extension in ("wav", "jpg") and
/* excluding privileged processes and limiting the hunt to unsigned
process or signed by untrusted certificate or signed by Microsoft */
not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and (process.code_signature.trusted == false or process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft"))
| eval wav_pids = case(file.extension == "wav", process.entity_id, null), jpg_pids = case(file.extension == "jpg", process.entity_id, null), others = case(file.extension != "wav" and file.extension != "jpg", process.entity_id, null)
/* number of jpg and wav files created by unique process identifier */
| stats count_wav_files = count(wav_pids), count_jpg_files = count(jpg_pids), other_files = count(others) by process.entity_id, process.name
/* limit results to same process dropping both file extensions */
| where count_jpg_files >= 1 and count_wav_files >= 1
Example of matches on REMCOS and the injected iexplore.exe process:
Pivoting on process.entity_id to investigate suspicious processes further, installers, browsers and unarchiving utilities are usually the most commonly observed false positives.
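The screenshot hunt and the combined JPG/WAV hunt above share the same shape: filter Windows file-creation events, key them by process.entity_id, then keep only processes whose counts cross a threshold. The Python below is an added example (not code from the original post or from Elastic) that replays both hunts over a constructed event list so the filters can be seen acting on individual records: the `rlike` pattern is applied as a full match, the dot before `jpg` is escaped here (the ES|QL version leaves it as a wildcard that also matches any single character), and the combined hunt's user-SID and code-signature scoping is modelled explicitly, including the fact that a missing signature field evaluates to null in ES|QL and therefore does not match. The host names, entity ids, SID, `remcos.exe`, `photoviewer.exe` and every file name other than the screenshot pattern are assumptions made for the example.

```python
import re
from collections import defaultdict

# Screenshot naming pattern from the hunt, with the dot escaped (see lead-in).
SCREENSHOT_RE = re.compile(r"time_202\d{5}_\d{6}\.jpg")
# Local System, Local Service and Network Service, excluded by the combined hunt.
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def is_windows_file_creation(ev):
    return (ev.get("event.category") == "file" and ev.get("host.os.family") == "windows"
            and ev.get("event.action") == "creation")


def screenshot_bursts(events, min_files=5):
    """Screenshot hunt: (process.name, process.entity_id) pairs that created
    min_files or more REMCOS-style screenshot names, on a single host.
    ES|QL rlike anchors the pattern, hence fullmatch()."""
    occurrences = defaultdict(int)
    agents = defaultdict(set)
    for ev in events:
        if not is_windows_file_creation(ev) or ev.get("file.extension") != "jpg":
            continue
        if not SCREENSHOT_RE.fullmatch(ev.get("file.name", "")):
            continue
        key = (ev["process.name"], ev["process.entity_id"])
        occurrences[key] += 1
        agents[key].add(ev["host.id"])
    return sorted(k for k in occurrences if occurrences[k] >= min_files and len(agents[k]) == 1)


def in_signature_scope(ev):
    """Scoping of the combined hunt: drop privileged service accounts; keep
    unsigned, untrusted-signed or Microsoft-signed processes (the injected
    iexplore.exe carries a valid Microsoft signature). Absent signature fields
    are null in ES|QL and match nothing, so `is False` is used, not `not`."""
    if ev.get("user.id") in PRIVILEGED_SIDS:
        return False
    return (ev.get("process.code_signature.trusted") is False
            or ev.get("process.code_signature.exists") is False
            or str(ev.get("process.code_signature.subject_name") or "").startswith("Microsoft"))


def jpg_and_wav_droppers(events):
    """Combined hunt: per process.entity_id, count jpg and wav creations and
    keep processes that dropped at least one of each."""
    counts = defaultdict(lambda: {"jpg": 0, "wav": 0})
    names = {}
    for ev in events:
        if not is_windows_file_creation(ev) or ev.get("file.extension") not in ("wav", "jpg"):
            continue
        if not in_signature_scope(ev):
            continue
        eid = ev["process.entity_id"]
        counts[eid][ev["file.extension"]] += 1
        names[eid] = ev["process.name"]
    return sorted((eid, names[eid], c["jpg"], c["wav"]) for eid, c in counts.items()
                  if c["jpg"] >= 1 and c["wav"] >= 1)


def file_event(host, entity, pname, user, fname, exists=True, trusted=True, subject="Contoso Ltd"):
    # Constructed, ECS-style flat event used only for this illustration.
    return {"event.category": "file", "event.action": "creation", "host.os.family": "windows",
            "host.id": host, "process.entity_id": entity, "process.name": pname, "user.id": user,
            "file.name": fname, "file.extension": fname.rsplit(".", 1)[-1],
            "process.code_signature.exists": exists, "process.code_signature.trusted": trusted,
            "process.code_signature.subject_name": subject}


USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed interactive-user SID
# Constructed sample data, not real telemetry.
SAMPLE_FILE_EVENTS = (
    # Injected, Microsoft-signed iexplore.exe on host-a: six screenshots plus one recording.
    [file_event("host-a", "host-a:4512", "iexplore.exe", USER_SID, f"time_20240308_1710{37 + i}.jpg",
                subject="Microsoft Windows") for i in range(6)]
    + [file_event("host-a", "host-a:4512", "iexplore.exe", USER_SID, "capture.wav", subject="Microsoft Windows")]
    # Unsigned sample on host-c: two screenshots and one recording (too few for the screenshot hunt).
    + [file_event("host-c", "host-c:3300", "remcos.exe", USER_SID, n, exists=False, trusted=False, subject=None)
       for n in ("time_20240308_171201.jpg", "time_20240308_171202.jpg", "capture.wav")]
    # Trusted third-party viewer writing ordinary jpg names: excluded by signature and by name.
    + [file_event("host-b", "host-b:9001", "photoviewer.exe", USER_SID, f"IMG_{i}.jpg") for i in range(5)]
    # Service running as Local System dropping a wav: excluded by SID.
    + [file_event("host-a", "host-a:620", "svchost.exe", "S-1-5-18", "alert.wav", subject="Microsoft Windows")]
)

if __name__ == "__main__":
    print("screenshot bursts:", screenshot_bursts(SAMPLE_FILE_EVENTS))
    print("jpg+wav droppers:", jpg_and_wav_droppers(SAMPLE_FILE_EVENTS))
```

The screenshot hunt surfaces only the injected iexplore.exe, while the combined hunt surfaces both it and the unsigned sample that dropped just two screenshots, which is the point of running the two hunts side by side: the count threshold keeps the first one quiet, and the signature scoping keeps the second one from being flooded by trusted third-party software.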
YARA rules
Elastic Security Labs produced the following YARA rule to statically detect REMCOS version 4.9.3:
Malware and MITRE ATT&CK
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.
Tactics
Tactics represent the why of a technique or sub-technique. They are the adversary's tactical goal: the reason for performing an action.
Techniques
Techniques represent how an adversary achieves a tactical goal by performing an action.
Conclusion
As REMCOS continues to evolve rapidly, our in-depth analysis of version 4.9.3 provides important insights that can significantly help the malware research community understand and counter this prevalent threat.
By exposing its features and capabilities throughout this series, we have provided the information needed to improve understanding of this malware and strengthen defenses.
We have also shown that our Elastic Defend product can detect and stop the REMCOS threat. As demonstrated in this article, our new query language ES|QL makes hunting for threats simple and effective.
Elastic Security Labs remains committed to this work as part of our open-source philosophy, which is dedicated to sharing knowledge and collaborating with the broader cybersecurity community. Going forward, we will continue to analyze similar malware families, contributing valuable insights to strengthen collective defenses against emerging cyber threats.
Sample hashes and C2
0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5 (analysis reference)
remchukwugixiemu4.duckdns[.]org:57844
remchukwugixiemu4.duckdns[.]org:57846
remchukwugix231fgh.duckdns[.]org:57844
remchukwugix231fgh.duckdns[.]org:57846
3e32447ea3b5f07c7f6a180269f5443378acb32c5d0e0bf01a5e39264f691587
122.176.133[.]66:2404
122.176.133[.]66:2667
8c9202885700b55d73f2a76fbf96c1b8590d28b061efbadf9826cdd0e51b9f26
43.230.202[.]33:7056
95dfdb588c7018babd55642c48f6bed1c281cecccbd522dd40b8bea663686f30
107.175.229[.]139:8087
517f65402d3cf185037b858a5cfe274ca30090550caa39e7a3b75be24e18e179
money001.duckdns[.]org:9596
b1a149e11e9c85dd70056d62b98b369f0776e11b1983aed28c78c7d5189cfdbf
104.250.180[.]178:7902
ba6ee802d60277f655b3c8d0215a2abd73d901a34e3c97741bc377199e3a8670
185.70.104[.]90:2404
185.70.104[.]90:8080
185.70.104[.]90:465
185.70.104[.]90:80
77.105.132[.]70:80
77.105.132[.]70:8080
77.105.132[.]70:2404
77.105.132[.]70:465