正文

威胁检测与搜寻建模13.寻找可疑的 Windows 服务

admin
admin V管理员 /0 评论 /85 阅读
0131
此篇文章发布距今已超过232天,您需要注意文章的内容或图片是否可用!

什么是 Windows 服务?

Windows 服务被设计为长时间运行的可执行文件,在专用的 Windows 会话中运行,它们可以在系统启动期间自动启动,它们可以在没有任何用户界面的情况下以非交互模式暂停、重新启动和操作。

它们更适合执行扩展任务,这些任务在后台无缝运行,而不会中断同一台机器上的其他用户。此外,这些服务可以配置为在指定用户帐户的安全上下文下执行,这与当前登录的用户或系统的默认帐户不同。

相关视频教程

新到了155节

为什么要监视服务活动?

Windows 服务在系统的启动周期中自动启动,通常以更高的权限运行。这种组合允许恶意行为者确保他们的代码不仅在重新启动后仍然存在,而且还以足够的权限运行以访问敏感资源。

恶意行为者通常利用服务的创建和修改来执行有害的有效负载。他们可能会使用易于检测或欺骗性的服务名称,通常模仿合法的服务名称,以混入并维持它们在系统中未被发现的存在。

勒索软件攻击还经常涉及篡改或禁用现有服务,并牢记以下几个关键目标:

  • 确保它要加密的文件未被其他服务使用,否则可能会阻止成功加密。

  • 避免安全软件服务的检测和中断。

  • 阻止备份软件服务创建可用于还原加密文件的副本。

MITRE 提供了有关各种威胁参与者如何操纵服务的宝贵信息,并在以下链接中提供了详细的“过程示例”:https://attack.mitre.org/techniques/T1543/003/

服务名称和路径是在 SIEM 中监视或用于 DFIR 目的的重要属性。这就是为什么我整理了一份服务列表的原因,您应该在您的环境中监视这些服务,并伴有战略性狩猎搜索。

了解新服务安装过程

在计算机上安装 Windows 服务时,它会生成这些特定跟踪

思维导图从

纳斯雷丁·本切尔查利

 https://github.com/nasbench/MindMaps/blob/main/Windows%20System%20Processes/Services/Windows%20Services%20(创建).xmind

我们将模拟服务安装并分析它生成的日志。以下是创建服务的各种方法的示例:

生成的安全日志

  • EventID 4697 (系统中安装了服务))

用户在计算机上安装了一个名为“执行有效负载”的新服务 DESKTOP-GI9JDDB,这是一个内核驱动程序服务,由服务帐户 LocalSystem 设置为手动启动 (ServiceStartType 3)mthchtmthcht-serviceC:UsersPublicpayloadpayload.sys

有关日志格式的更多详细信息,请点击此处 https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697

生成的系统日志

  • 事件 ID 7045 (系统中安装了服务))

与安全事件 ID 4697 不同,安全事件 ID 4697 提供操作参与者的已翻译主题用户名,对于 EID 7045,您只会获得用户 SID,而不会获得已翻译的用户名

  • EventID 7000(执行/可选 — 服务启动失败)

  • EventID 7009 (执行/可选 — 服务启动失败)

  • 事件 ID 7026 (执行/可选 — 驱动程序服务无法启动)

    • EventID 7034(执行/可选 — 服务崩溃)

    • EventID 7040(执行/可选 — 启动类型已更改)

Also useful to detect disabled services

在系统日志的思维导图中包含其他事件 ID,特别是与在服务创建事件期间或之后观察到的服务执行日志相关的事件 ID,使我们能够在事件 ID 7000、7009、7023、7026、7034、7036 和 7040 中识别服务名称

生成的 Sysmon 日志

  • EventID 12(创建/删除注册表项)

注册表项由进程服务在 NT AUTHORITYSYSTEM 帐户下创建.exe这是我们的服务名称HKLMSystemCurrentControlSetServicesmthcht-servicemthcht-service

  • EventID 13 (注册表值修改 — 值集)

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2024-01-05T10:39:01.614220700Z'/>
<EventRecordID>2222689</EventRecordID>
<Correlation/>
<Execution ProcessID='2276' ThreadID='9160'/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-GI9JDDB</Computer>
<Security UserID='S-1-5-18'/>
</System>
<EventData>
<Data Name='RuleName'>-</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2024-01-05 10:39:01.604</Data>
<Data Name='ProcessGuid'>{ba956c93-dad5-6597-0a00-000000000e00}</Data>
<Data Name='ProcessId'>568</Data>
<Data Name='Image'>C:Windowssystem32services.exe</Data>
<Data Name='TargetObject'>HKLMSystemCurrentControlSetServicesmthcht-serviceTest</Data>
<Data Name='Details'>DWORD (0x00000001)</Data>
<Data Name='User'>NT AUTHORITYSYSTEM</Data>
</EventData>
</Event>

在 NT AUTHORITYSYSTEM 帐户下运行的进程 services.exe 修改了 的注册表值,将其设置为 DWORD (0x00000001) 。HKLMSystemCurrentControlSetServicesmthcht-serviceTest

ETW(Windows 事件跟踪)

Service Names Detections with ETW

事件跟踪模型

[Microsoft-Windows-服务]

提供程序的详细信息 Microsoft-Windows-Services(使用 EtwExplorer)

ETW [Microsoft-Windows-Services] 105 — ServiceStatusChange

我们使用 SilkETW 在 EventLog SilkETW-Log中记录活动以进行模拟

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user

我的服务创建事件的事件日志输出:

我们得到创建的:!ServiceNamemthcht-service

[Microsoft-Windows-内核注册表]

解决注册表事件的 Microsoft-Windows-Kernel-Registry 被证明更具挑战性...

ETW [Microsoft-Windows-内核注册表] 事件 ID 1 — 创建密钥

ETW [Microsoft-Windows-内核注册表] EventID 5 — SetValueKey

你会注意到与此提供程序相关的几个不一致,EventID 2 的 RelativeName 和 EventID 7 的 ValueName 将包含键和值的值,但不包括大多数其他 EventID(如 EID 1 和 5)的值...您将无法直接通过此提供程序获取服务名称

下面是随机日志条目的示例,其中实际注册表项存在于字段中:RelativeName

不幸的是,在安装新的 Windows 服务时,使用此提供程序不会获得相同的结果

使用 ETW 内核注册表监视注册表操作时,请务必了解此提供程序主要捕获句柄和对象信息,而不是有关正在修改或创建的密钥的直接详细信息。这意味着,为了有效地解释日志,必须将句柄数据与实际注册表项相关联。ETW 日志本身无法提供到注册表操作中涉及的特定键或值的直接映射。

若要重新构造注册表事件,可以使用 Windows API 枚举所有活动注册表句柄,并使用枚举列表将 ETW 条目中具有句柄的每个事件映射到相应的注册表项。BaseObject

检测可疑的 Windows 服务名称

可疑的 Windows 服务列表

了解服务执行留下的痕迹是关键,但是我们如何有效地识别可疑的服务名称呢?为此,在 GitHub 上整理了一个可疑服务名称列表,您可以使用这些名称在环境中进行搜寻。

https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv

文件结构:

此文件使用以下字段对每个服务名称进行分类:

service_name:包含可疑的服务名称。

service_path:服务的可执行路径。

metadata_tool_name:标识与要检测的服务关联的工具名称。

metadata_tool_category:将工具分为凭据访问、C2、RMM、横向移动、防御规避、收集、持久性、利用、影响、加密挖掘、数据泄露等类别。

metadata_tool_type:指示工具的性质

  • offensive_tool:对手专门用于攻击目的的工具。

  • greyware_tool:一种可被攻击者利用的管理工具。

metadata_severity:为每个工具分配严重性分数,从信息严重对它们进行排名,以便确定优先级。

metadata_comment:提供有关该工具的其他详细信息,包括必要的相关链接。

以下是截至此日期(2024/01/06)我在列表中拥有的工具的概述

我的列表会不断更新我分析过的最新工具,目前我正在尝试包含我可以测试的所有 RMM 工具服务,同时还将其他检测模式添加到每个攻击性或灰色软件工具的威胁狩猎关键字项目https://github.com/mthcht/ThreatHunting-Keywords中,感谢🤝贡献

使用 SIEM 进行搜寻

收集

正如我们在本博客的第一部分中看到的那样,要在 SIEM 中收集的有趣 Windows 事件日志如下所示:

  • 安全事件 ID 4697(建议通过系统 EID 7045)

  • 系统事件 ID 7045(与 EID 4697 相同,但用户上下文较少)

  • 系统事件 ID 7000、7009、7023、7026、7034、7036、7040(建议用于日志中服务名称的额外跟踪)

如果您有 sysmon 日志:

  • Sysmon EventID 12 和 13(推荐 — 注册表项路径 HKLMSystemCurrentControlSetServices* 中的服务名称)

如果使用包含注册表和服务事件的 EDR 遥测数据,请务必在所有日志源中标准化字段名称。这种标准化可确保搜索查询在每个日志源上都能正常运行。

在不收集 EDR 或 Windows EventID 的情况下,可以使用 和 等工具定期收集有关计算机上正在运行的服务和加载的 DLL 的信息。psservice.exelistdlls.exe

使用列表进行检测

收集后,必须解析日志。确保为每个收集的 EventID 分析字段(服务名称)和(服务可执行文件的完整路径(如果可用)。继续将列表上传到 Splunk 中。然后,创建一个查找定义,该定义为以下两个 and 启用不区分大小写的搜索和通配符匹配:service_nameservice_pathservice_nameservice_path

  • 寻找一切

带有注释说明的详细搜索

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)

RMM 服务检测的截断结果示例:

特定狩猎

在原始搜索中添加条件:

|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)

  • 只寻找攻击性工具

|  where metadata_tool_type="offensive_tool"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

  • 仅搜寻灰色软件工具

|  where metadata_tool_type="greyware_tool"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

  • 搜寻特定工具(例如:psexec)

|  where metadata_tool_name="psexec"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

  • 搜寻特定工具类别(示例)

Hun for RMM tools

|  where metadata_tool_category="metadata_tool_category"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

寻找 C2

|  where metadata_tool_category="C2"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

寻找防御规避工具

|  where metadata_tool_category="C2"
   AND (isnotnull(service_name_detected) OR isnotnull(service_path_detected))

寻找横向移动工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user0

搜寻权限提升工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user1

搜寻凭据访问工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user2

寻找加密挖矿工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user3

搜寻持久性工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user4

检查列表中工具类别的完整列表以查找...

  • 仅搜寻关键严重性工具

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user5

没有列表的检测

在不使用我的可疑服务名称列表的情况下,我们有多种搜寻策略:

[狩猎]搜索创建 Windows 服务的命令

使用文章开头的思维导图:https://cdn-images-1.medium.com/max/1500/1*pxI3jivpnA7eZqxeVjyUfQ.png

我们可以将这些正则表达式模式放在一起,用于检测命令行/脚本内容或文件内容中的服务名称:

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user6

[狩猎]从不寻常的父进程创建服务:

思维导图从

纳斯雷丁·本切尔查利

 https://github.com/nasbench/MindMaps/blob/main/Windows%20System%20Processes/Services/Windows%20Services%20(创建).xmind

我们将前面的正则表达式模式与典型的父进程相结合,用于服务创建检测。(使用通配符调整模式并将它们包含在列表中service_creations_commands_list.csv)
这将有助于我们识别由不寻常的父进程启动的服务创建

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user7

[狩猎]横向移动 - 远程服务创建

灵感来自 Jupyter 笔记本 https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html

识别远程创建的服务:将服务创建(EventID 4697 而不是 EventID 7045,因为它不包含参与者的翻译用户名)与远程用户登录(EventID 4624 + LogonType 3)相关联

使用 splunk:

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user8

您还可以在末尾添加:

SilkETW.exe -pn 0063715b-eeDa-4007–9429-ad526f62696e -ot eventlog -t user9

这将筛选事件,以仅显示远程用户登录后 5 分钟内发生的服务创建。

[狩猎]使用异常路径创建服务:

临时或公共目录检测(包含在我的列表中):

service_path IN ("*\Temp\*","*\tmp\*","*%APPDATA%*","*%PUBLIC%*")

[狩猎]服务名称中的空格

在服务名称中使用空格并不罕见,但可以作为一种混淆技术(包含在我的列表中)

service_name="* *"

[狩猎]使用双文件扩展名创建服务

不包含在我的列表中

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)0

[狩猎]不寻常的服务帐户

服务帐户不是 ORNT AUTHORITY*LocalSystem

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)1

[狩猎]异常长度服务名称

  • 静态的:

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)2
(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)3

  • 自动

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)4

  • eval length=len(service_name):这将创建一个名为的新字段,用于存储每个服务名称的长度。length

  • eventstats avg(length) as avgLength, stdev(length) as stdevLength:这将计算跨事件的字段的平均长度和标准差。length

  • where length > avgLength + (3*stdevLength) OR length < avgLength - (4*stdevLength):此条件筛选出长度与平均值相差超过 3 或 4 个标准差(较长或较短)的服务名称。

[狩猎]服务路径中的网络路径

查找二进制路径包含网络路径的服务创建

不包含在我的列表中

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)5

[狩猎]服务启动 cmd.exe

(`wineventlog`
  ```security and system logs``` 
  (vendor_product="Microsoft Windows"
    AND signature_id IN (4697,7009,7023,7026,7034,7036,7040,7045)
    AND (service_name=* OR service_path=*))
  OR
   ```sysmon registry logs``` 
  (vendor_product="Microsoft Sysmon"
    AND signature_id IN (12,13)
    AND registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*"))
)
OR
```including data from various endpoint logs, including EDR and AV```
(`endpoint`
  service_name=* 
  OR service_path=*
  OR registry_path IN ("HKLM\System\CurrentControlSet\Services\*","HKLM\System\CurrentControlSet001\services\*")
)
   ```
   Parsing the service name from the CurrentControlSet registry key path.
   This isn't typically parsed by default, to optimize performance, consider integrating this parsing into your Splunk configuration.
   For demonstration, it's included in this SPL search.
   ```
| rex field=registry_path "HKLM\\System\\(CurrentControlSet|CurrentControlSet001)\\[Ss]ervices\\(?<service_name>.+?(?=\\))"
```To enhance the speed of our search with the | lookup command, we're narrowing down the results by filtering for suspicious service names and paths using | inputlookup```
| search 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_name]
    OR 
    [|inputlookup suspicious_windows_services_names_list.csv | fields service_path]
```filter and add context to each matched service name or path for more detailed insights```
| lookup suspicious_windows_services_names_list service_name as service_name OUTPUT service_name as service_name_detected metadata_tool_name as mtn_temp1 metadata_tool_category as mtc_temp1 metadata_severity as ms_temp1 metadata_tool_type as mtt_temp1 metadata_comment as mc_temp1
| lookup suspicious_windows_services_names_list service_path as service_path OUTPUT service_path as service_path_detected metadata_tool_name as mtn_temp2 metadata_tool_category as mtc_temp2 metadata_severity as ms_temp2 metadata_tool_type as mtt_temp2 metadata_comment as mc_temp2
|  eval metadata_tool_name=coalesce(mtn_temp1,mtn_temp2),
   metadata_tool_category=coalesce(mtc_temp1,mtc_temp2),
   metadata_severity=coalesce(ms_temp1,ms_temp2),
   metadata_comment=coalesce(mc_temp1,mc_temp2),
   metadata_tool_type=coalesce(mtt_temp1,mtt_temp2)
|  where isnotnull(service_name_detected) OR isnotnull(service_path_detected)
```Compiling all pertinent fields in the search results to facilitate a thorough investigation```
|  stats earliest(_time) as firsttime latest(_time) as lasttime
   values(action) values(metadata_tool_name) values(metadata_tool_category) values(metadata_severity) values(metadata_comment) values(registry_path) values(registry_value_data) values(index) values(sourcetype) values(vendor_product) values(signature_id) values(signature) values(service_path_detected) values(service_name_detected) values(process_id) values(service_hash) values(src_user) values(service_account) values(service_id) values(start_mode) values(service_type) values(service_path) values(metadata_tool_type)
   count by service_name dvc_nt_host
| rename values(*) as *
| eval  service_path = if(isnull(service_path) OR service_path="", "N/A", service_path),
  service_path_detected = if(isnull(service_path_detected) OR service_path_detected="", "N/A", service_path_detected),
  service_hash = if(isnull(service_hash) OR service_hash="", "N/A", service_hash),
  service_id = if(isnull(service_id) OR service_id="", "N/A", service_id),
  metadata_comment = if(isnull(metadata_comment) OR metadata_comment="", "N/A", metadata_comment)
|  convert timeformat="%Y/%M/%d %H:%M:%S" ctime(firsttime) ctime(lasttime)6

[狩猎]服务篡改命令

勒索软件攻击通常涉及篡改或禁用现有服务。

禁用服务 - 命令行检测模式

  • sc.exe:sc config * start=disabled

  • Powershell:Set-Service * -Status Stopped*

  • Powershell:Set-Service *-StartupType Disabled*

  • Powershell:Set-ItemProperty *HKLM:SYSTEMCurrentControlSet* -Name “Start” -Value 4

  • WMI:Get-WmiObject -Classs Win32_Service -Filter *ServiceName*.ChangeStartMode(*Disabled*

设置服务二进制路径 - 命令行检测模式:

  • sc.exe:sc config * binpath=*.*

  • WMI:Get-WmiObject -Classs Win32_Service -Filter *ServiceName*.Change(*:*

  • Powershell:Set-ItemProperty *HKLM:SYSTEMCurrentControlSet* -Name "ImagePath” -Value *

[狩猎]基线 - 监控新服务

识别并记录环境中关键计算机的列表,包括其特定角色、操作系统详细信息(理想情况下,将 CMDB 日志集成到 SIEM 中)及其严重性级别。

维护这些关键系统的列表,主动将每个计算机集群的预期已知服务二进制路径列入白名单,并为任何新的服务安装/修改设置仪表板和报告以供查看!

⚠️ 安装良性软件时,通常会触发大量误报。实施基线和应用程序控制措施以及一组具有已知角色的关键计算机可以有效地减少环境中的这些误报。

结论

概述的搜寻搜索应强调全面监控的重要性,帮助您更有效地检测和解决潜在威胁,但请记住,这些搜索中的大多数都是为威胁搜寻活动量身定制的,通常不建议作为标准检测规则实施

我相信这编制的列表https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv将成为识别可疑服务的有用资源。我计划定期更新它,并欢迎任何贡献。

祝您狩猎愉快!

  • 洞课程()

  • windows

  • windows()

  • USB()

  • ()

  • ios

  • windbg

  • ()


推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
宙飒天下网-ZhouSa.com