Security-Experts-Community / open-xp-rules

Open repository of rules written in the eXtraction and Processing (XP) language
Apache License 2.0

Feature/persistence silent process exit image hijack sysmon 13 1 #422

Closed AmwNLTL closed 4 months ago

AmwNLTL commented 4 months ago

In the context of this monitoring feature, we use the term silent exit to mean that the monitored process terminates in one of the following ways:

The monitoring feature does not detect normal process termination that happens when the last thread of the process exits. The monitoring feature does not detect process termination that is initiated by kernel-mode code.

source

An attacker needs to add 3 values to the registry to persist on the host:

```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
```

Resolves #182
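Detection logic for the three-value chain above, as an added Python example (not the repository's XP rule): it classifies Sysmon Event ID 13 value-set records, parses the REG_DWORD rendering Sysmon uses, and only reports a full chain when the IFEO GlobalFlag carries the 0x200 bit (512 decimal, FLG_MONITOR_SILENT_PROCESS_EXIT) and both SilentProcessExit values were set for the same executable. The sample records are constructed.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records as (EventID, TargetObject,
# Details) tuples, the fields a SIEM would extract. Paths follow the PR; values are made up.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
SAMPLE_EVENTS = [
    (13, IFEO + r"\notepad.exe\GlobalFlag", "DWORD (0x00000200)"),
    (13, SPE + r"\notepad.exe\ReportingMode", "DWORD (0x00000001)"),
    (13, SPE + r"\notepad.exe\MonitorProcess", r"C:\temp\evil.exe"),
    (13, IFEO + r"\app.exe\GlobalFlag", "DWORD (0x00000002)"),  # other GlobalFlag bit, not silent-exit monitoring
    (13, SPE + r"\app.exe\ReportingMode", "DWORD (0x00000001)"),  # partial chain only
    (1, r"C:\Windows\System32\notepad.exe", ""),  # process-creation event, not a registry event
]

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit that turns on silent-exit monitoring
SPE_RE = re.compile(r"\\SilentProcessExit\\([^\\]+)\\(MonitorProcess|ReportingMode)$", re.I)
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\GlobalFlag$", re.I)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)

def parse_dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x........)'; return the int or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def classify(event_id, target, details):
    """Return (target_exe, indicator) when the value set builds the chain, else None."""
    if event_id != 13:
        return None
    m = SPE_RE.search(target)
    if m:
        return m.group(1).lower(), m.group(2)
    m = IFEO_RE.search(target)
    if m:
        flags = parse_dword(details)
        if flags is not None and flags & FLG_MONITOR_SILENT_PROCESS_EXIT:
            return m.group(1).lower(), "GlobalFlag"
    return None

def detect(events):
    """Map each targeted executable to the set of chain indicators seen for it."""
    hits = {}
    for result in filter(None, (classify(*e) for e in events)):
        hits.setdefault(result[0], set()).add(result[1])
    return hits

def full_chains(events):
    """Executables for which all three values from the reg add commands were set."""
    needed = {"GlobalFlag", "ReportingMode", "MonitorProcess"}
    return sorted(exe for exe, seen in detect(events).items() if seen >= needed)
```

Partial chains (here app.exe) are kept in `detect()` so an analyst can still review them, while `full_chains()` is the high-confidence alert.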