WPS 0day EDR Detection Rules
Recently an RCE (remote code execution) 0day vulnerability was found in WPS Office Personal and Enterprise editions on the Windows platform; after Kingsoft officially fixed the vulnerability, it promptly published a vulnerability advisory.

Detection rule 1
Rule meaning: detects whether the wps / et / wpp processes spawn suspicious child processes such as powershell, *script or rundll32, and whether they spawn unsigned suspicious processes.
Rule content:
id: 0
date: 2022/08/02
author: 'ThreatBook'
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\mshta.exe'
            - '\verclsid.exe'
            - '\control.exe'
            - '\wmic.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\powershell.exe'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    selection2:
        Image|endswith:
            - '\cmd.exe'
        CommandLine|contains:
            - ' regsvr32'
            - ' rundll32'
            - ' mshta'
            - ' verclsid'
            - ' control'
            - ' wmic'
            - ' cscript'
            - ' wscript'
            - ' powershell'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    selection3:
        ImageSignStatus:
            - 'Unable'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    condition: 1 of selection*
Detection rule 2
Rule meaning: detects whether the wps / et / wpp processes load .sct scripts over the SMB protocol.
Rule content:
id: 1
date: 2022/08/02
author: 'ThreatBook'
logsource:
    product: windows
    category: smbfile_transmit
detection:
    selection:
        TargetFilename|contains:
            - '.sct'
        Image|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    condition: selection
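To show how the two rules above behave on real telemetry, here is a small Python evaluator that implements the matching semantics of both rules (Sigma-style case-insensitive endswith / contains, and the "1 of selection*" condition of rule 1) and runs them over a handful of constructed events. This is an added example, not code from the original post or from ThreatBook; the field names (Image, ParentImage, CommandLine, ImageSignStatus, TargetFilename) and log categories are taken from the rules as written, and how they map onto a given EDR's event schema is assumed, not verified.

```python
"""Evaluator for the two WPS 0day EDR rules above (added example).

Field names and categories come from the rules; the events in
SAMPLE_EVENTS are constructed for illustration only.
"""

# Parent processes both rules key on (rule 2 uses them as Image).
OFFICE_IMAGES = ("\\wps.exe", "\\et.exe", "\\wpp.exe")

# Rule 1, selection1: suspicious child images.
LOLBINS = ("\\regsvr32.exe", "\\rundll32.exe", "\\mshta.exe", "\\verclsid.exe",
           "\\control.exe", "\\wmic.exe", "\\cscript.exe", "\\wscript.exe",
           "\\powershell.exe")

# Rule 1, selection2: same tools launched indirectly through cmd.exe.
CMD_KEYWORDS = (" regsvr32", " rundll32", " mshta", " verclsid", " control",
                " wmic", " cscript", " wscript", " powershell")


def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive; Windows paths are too.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def rule1_process_creation(event):
    """Rule 1 (process_creation). Returns the first matching selection name
    or None, mirroring 'condition: 1 of selection*'."""
    if event.get("category") != "process_creation":
        return None
    # All three selections require an office parent, so check it once.
    if not _endswith_any(event.get("ParentImage"), OFFICE_IMAGES):
        return None
    if _endswith_any(event.get("Image"), LOLBINS):
        return "selection1"
    if (_endswith_any(event.get("Image"), ("\\cmd.exe",))
            and _contains_any(event.get("CommandLine"), CMD_KEYWORDS)):
        return "selection2"
    if (event.get("ImageSignStatus") or "").lower() == "unable":
        return "selection3"
    return None


def rule2_smb_sct(event):
    """Rule 2 (smbfile_transmit): office process fetching a .sct over SMB."""
    if event.get("category") != "smbfile_transmit":
        return False
    return (_contains_any(event.get("TargetFilename"), (".sct",))
            and _endswith_any(event.get("Image"), OFFICE_IMAGES))


# Constructed sample events (hypothetical paths, TEST-NET address).
SAMPLE_EVENTS = [
    {"category": "process_creation",  # selection1: direct LOLBin child
     "ParentImage": "C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe", "ImageSignStatus": "Valid"},
    {"category": "process_creation",  # selection2: via cmd.exe
     "ParentImage": "C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -Command Get-Date",
     "ImageSignStatus": "Valid"},
    {"category": "process_creation",  # selection3: unsigned child
     "ParentImage": "C:\\Program Files\\Kingsoft\\WPS Office\\et.exe",
     "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "update.exe", "ImageSignStatus": "Unable"},
    {"category": "process_creation",  # parent is not an office process
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe", "ImageSignStatus": "Valid"},
    {"category": "process_creation",  # benign signed helper: no hit
     "ParentImage": "C:\\Program Files\\Kingsoft\\WPS Office\\wpp.exe",
     "Image": "C:\\Windows\\splwow64.exe",
     "CommandLine": "splwow64.exe", "ImageSignStatus": "Valid"},
    {"category": "smbfile_transmit",  # rule 2 hit
     "Image": "C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe",
     "TargetFilename": "\\\\192.0.2.10\\share\\loader.sct"},
    {"category": "smbfile_transmit",  # ordinary document over SMB: no hit
     "Image": "C:\\Program Files\\Kingsoft\\WPS Office\\wps.exe",
     "TargetFilename": "\\\\192.0.2.10\\share\\report.docx"},
]


def evaluate(events):
    """Return (event index, rule name, selection) for every alert."""
    hits = []
    for i, ev in enumerate(events):
        sel = rule1_process_creation(ev)
        if sel:
            hits.append((i, "rule1", sel))
        if rule2_smb_sct(ev):
            hits.append((i, "rule2", "selection"))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Event 5 (a signed splwow64.exe spawned by wpp.exe) is the kind of legitimate child that rule 1 is designed not to fire on: it is neither a listed LOLBin nor unsigned, so an allowlist is only needed for signed non-LOLBin children if an environment reports them with ImageSignStatus other than a valid one. The `evaluate` function is the natural place to apply any such per-environment tuning before alerts are emitted.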
Re: WPS 0day EDR Detection Rules
Thanks for sharing! These WPS 0day EDR detection rules are written very clearly and cover the two key attack surfaces, process creation and SMB transfer. In particular, rule 1 restricts the parent process to wps/et/wpp and matches common suspicious child processes (such as powershell and rundll32), and also detects unsigned processes, which is very helpful for real-world defense. Rule 2 focuses on loading .sct scripts over SMB, which corresponds exactly to the remote loading technique commonly used with this kind of vulnerability. However, I'd like to ask: in actual deployment, is it necessary to consider whitelist filtering to avoid false positives? Or are there any recommended tuning approaches? Thanks again!