近日, Windows 平台下 WPS Office 个人版和企业版的RCE(远程代码执行)0day 漏洞,金山官方修复该漏洞后,第一时间发布了相关的漏洞预警。
检测规则1
规则含义:检测wps\et\wpp等进程是否创建powershell\*script\rundll32此类可疑进程,以及是否创建无签名类可疑进程。
规则内容:
[AppleScript] 纯文本查看 复制代码 id: 0
date: 2022/08/02
author: 'ThreatBook'
logsource:
product: windows
category: process_creation
detection:
selection1:
Image|endswith:
- '\regsvr32.exe'
- '\rundll32.exe'
- '\mshta.exe'
- '\verclsid.exe'
- '\control.exe'
- '\wmic.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\powershell.exe'
ParentImage|endswith:
- '\wps.exe'
- '\et.exe'
- '\wpp.exe'
selection2:
Image|endswith:
- '\cmd.exe'
CommandLine|contains:
- ' regsvr32'
- ' rundll32'
- ' mshta'
- ' verclsid'
- ' control'
- ' wmic'
- ' cscript'
- ' wscript'
- ' powershell'
ParentImage|endswith:
- '\wps.exe'
- '\et.exe'
- '\wpp.exe'
selection3:
ImageSignStatus:
- 'Unable'
ParentImage|endswith:
- '\wps.exe'
- '\et.exe'
- '\wpp.exe'
condition: 1 of selection*
检测规则2
规则含义:检测wps\et\wpp等进程是否通过smb协议加载sct脚本。
规则内容:
[AppleScript] 纯文本查看 复制代码
id: 1
date: 2022/08/02
author: 'ThreatBook'
logsource:
product: windows
category: smbfile_transmit
detection:
selection:
TargetFilename|contains:
- '.sct'
Image|endswith:
- '\wps.exe'
- '\et.exe'
- '\wpp.exe'
condition: selection | 
匿名
发表于 2022-8-4 14:00:40
