通过在不同变体中识别相似的行为模式,我们为端点产品提供了一些前瞻性规则: Endpoint Security (ENS)和 Trellix 端点(以前称为 MVISION Endpoint)。这些规则旨在有效地防止安装和/或这些威胁的历史、当前和不断变化的新变体的负载。
从内部支持测试中,我们发现以下 ENS 对策在各种类型的勒索软件攻击中有效:
ENS 自适应威胁防护 JTI 规则(ATP):
在自适应威胁防护下的 ePolicy Orchestrator (ePO)服务器设置中,启用或禁用以下规则的设置。有三种不同的配置:生产效率、平衡和安全。在服务器设置中所做的更改将应用到 ATP 选项策略中的规则组分配。
Rule ID 4: Use GTI file reputation to identify trusted or malicious files
Rule ID 5: Use GTI URL reputation to identify trusted or malicious processes
Rule ID 239: Identify suspicious command parameter execution
Rule ID 240: Identify suspicious files with characteristics that have been predominantly seen in ransomware
Rule ID 255: Detect potentially obfuscated command-line parameters
Rule ID 263: Detect processes accessing suspicious URLs
Rule ID 300: Prevent office applications from starting child processes that can execute script commands
Rule ID 309: Block processes attempting to launch from Office applications.
Rule ID 312: Prevent email applications, such as Outlook, from spawning script editors and dual use tool
Rule ID 313: Prevent text editors like Notepad and WordPad from spawning processes that can execute script commands in all rule group assignments
Rule ID 316: Prevent PDF readers from starting processes that can execute scripts in all rule group assignments
Rule ID 318: Prevent PDF readers from starting cmd.exe
Rule ID 319: Prevent cmd.exe from starting other script interpreters such as cscript or PowerShell in all rule group assignments
Rule ID 323: Prevent mshta from being launched as a child process.
Rule ID 332: Prevent certutil.exe from downloading or decoding files with suspect extensions
Rule ID 341: Identify and block patterns being used in Ransomware attacks in security rule group assignments.
Rule ID 342: Identify and block patterns being used in Ransomware attacks
Rule ID 502: Detect new service creation
Rule ID 513: Detect commands used for copying files from a remote system
Rule ID 517: Prevent actor process with unknown reputations from launching processes in common system folders
ENS 动态应用程序封闭(DAC):
仅当该进程的信誉符合 ATP 选项策略中定义的信誉条件时,才会触发 DAC。当 DAC 包含某个进程时,它必须遵循执行监控并在 DAC 策略中启用任何规则。
Rule: Deleting files commonly targeted by ransomware-class malware
Rule: Disabling critical operating system executables
Rule: Modifying appinit DLL registry entries
Rule: Modifying Image File Execution Options registry entries
Rule: Modifying screen saver settings
Rule: Modifying startup registry locations
Rule: Reading files commonly targeted by ransomware-class malware
Rule: Suspending a process
Rule: Terminating another process
Rule: Reading from another process' memory
Rule: Writing to files commonly targeted by ransomware-class malware
注意: 有关最佳做法,请参阅:
KB87843-动态应用程序封闭规则和最佳做法。与访问保护规则类似,请测试所有 DAC 规则,以防止环境中出现中断。
ENS 威胁防护防恶意软件扫描接口(AMSI):
与 AMSI 的启用集成。AMSI 提供增强型脚本扫描。AMSI 是一种通用接口标准,可让应用程序和服务与威胁防护相集成,从而针对恶意软件提供更好的保护。Microsoft 提供 AMSI。AMSI 在 Windows 10 和 Windows Server 2016 (及更高版本)系统上受支持。使用 AMSI 可在非基于浏览器的脚本(例如 PowerShell、WScript 和 CScript)中增强对威胁的扫描。
ENS 漏洞利用防护:
Signature 344: New StartUp Creation
Signature 413: Suspicious Double File Extension Execution
Signature 428: Generic Buffer Overflow
Signature 6107: MS Word trying to execute unwanted programs
Signature 6108: Suspicious download string script execution
Signature 6113: Fileless Threat: Reflective Self Injection
Signature 6114: Fileless Threat: Reflective EXE Self Injection
Signature 6115: Fileless Threat: Reflective DLL Remote Injection
Signature 6116: Mimikatz LSASS Suspicious Memory Read
Signature 6117: Mimikatz LSASS Suspicious Memory DMP Read
Signature 6120: Fileless Threat: Process Hollowing
Signature 6121: Fileless Threat: Process Hollowing
Signature 6127: Suspicious LSASS Access from PowerShell
Signature 6131: Weaponized OLE object infection via WMI
Signature 6148: Malware Behavior: Windows EFS abuse
Signature 6153: Malware Behavior: Ryuk Ransomware activity detected
Signature 6155: Malicious Behavior: Directory Junction attempt detected
ENS 漏洞利用防护专家规则:
Trellix Advanced Research Center GitHub 存储库包含一组专家规则示例,可在漏洞利用防护策略中直接与 Endpoint Security 一起使用。以下专家规则特定于针对勒索软件攻击:
Detect_Deletion_Of_Shadow_Copies_Using_WMIC.EXE.md.txt
Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt
File_Block_Rclone (为此规则提供的两种方案。)
ENS 访问保护默认规则:
Browsers launching programs from downloaded programs file folders
Creating new executable file in the programs files folder
Creating new executable file in the windows folder
Disabling registry editor and task manager
Doppelganger attack on processes
Executing mimikatz malware
Executing scripts by windows script host
Remotely creating or modifying files or folders
Remotely creating or modifying PE,.INI and core system locations
