进程注入检测——DLL注入检测的几种方式:1、命令行,包含某些特定注入工具的关键字 2、排除白名单的可疑注入 3、可疑的DLL加载 4、特定工具注入的startaddress异常

进程注入检测

DLL注入检测的几种方式:

1、命令行,包含某些特定注入工具的关键字

2、排除白名单的可疑注入

3、可疑的DLL加载

4、特定工具注入的startaddress异常

 

以下内容来自CAR和splunk等开源检测渠道:

 

title: CobaltStrike Process Injection

id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42

description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

references:

    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/

tags:

    - attack.defense_evasion

    - attack.t1055.001

status: experimental

author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community

date: 2018/11/30

modified: 2021/11/20

logsource:

    product: windows

    category: create_remote_thread

detection:

    selection:

        StartAddress|endswith:

            - '0B80'

            - '0C7C'

            - '0C88'==》检测start address

    condition: selection

falsepositives:

    - Unknown

level: high

 

 

title: CreateRemoteThread API and LoadLibrary

id: 052ec6f6-1adc-41e6-907a-f1c813478bee

status: test

description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process

author: Roberto Rodriguez @Cyb3rWard0g

references:

  - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html

date: 2019/08/11

modified: 2021/11/27

logsource:

  product: windows

  category: create_remote_thread

detection:

  selection:

    StartModule|endswith: '\kernel32.dll'

    StartFunction: 'LoadLibraryA' ==》检测可疑的DLL加载

  condition: selection

falsepositives:

  - Unknown

level: critical

tags:

  - attack.defense_evasion

  - attack.t1055.001

 

 

title: Suspicious In-Memory Module Execution

id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39

description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.

status: experimental

date: 2019/10/27

modified: 2022/03/16

author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro

references:

    - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/

tags:

    - attack.privilege_escalation

    - attack.defense_evasion

    - attack.t1055.001

    - attack.t1055.002

logsource:

    category: process_access

    product: windows

detection:

    selection1:

        CallTrace|contains|all:

              - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'

              - '|C:\WINDOWS\System32\KERNELBASE.dll+'

              - '|UNKNOWN('

              - ')'

    selection2:

        CallTrace|contains|all:

              - 'UNKNOWN('

              - ')|UNKNOWN('

        CallTrace|endswith: ')'

    selection3:

        CallTrace|contains: 'UNKNOWN'

        GrantedAccess:

            - '0x1F0FFF'

            - '0x1F1FFF'

            - '0x143A'

            - '0x1410'

            - '0x1010'

            - '0x1F2FFF'

            - '0x1F3FFF'

            - '0x1FFFFF'

    filter:

        - SourceImage|endswith: ==》直接排除白名单,不在白名单内的就是可疑的进程注入,这个应该就是我想要的

            - '\Windows\System32\sdiagnhost.exe'

            - '\procexp64.exe'

            - '\procexp.exe'

            - '\Microsoft VS Code\Code.exe'

            - '\aurora-agent-64.exe'

            - '\aurora-agent.exe'

            - '\git\usr\bin\sh.exe'

            - '\IDE\devenv.exe'

            - '\GitHubDesktop\Update.exe'

            - '\RuntimeBroker.exe'

            - '\backgroundTaskHost.exe'

            - '\GitHubDesktop.exe'

        - SourceImage|startswith:

            - 'C:\Program Files (x86)\'

            - 'C:\Program Files\'

            - 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe'

            - 'C:\Program Files (x86)\Microsoft Visual Studio\'

            - 'C:\Program Files\Microsoft Visual Studio\'

            - 'C:\Windows\Microsoft.NET\Framework'

            - 'C:\WINDOWS\System32\DriverStore\'

            - 'C:\Windows\System32\WindowsPowerShell\'

        - SourceImage:

            - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'

            - 'C:\WINDOWS\system32\taskhostw.exe'

            - 'C:\WINDOWS\system32\ctfmon.exe'

            - 'C:\WINDOWS\system32\NhNotifSys.exe'

            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'

            - 'C:\Windows\explorer.exe'

        - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe'

        - TargetImage|endswith: '\Microsoft VS Code\Code.exe'

        - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+'  # attempt to save the rule with a broader filter

    filter_set_1:

        SourceImage:

            - 'C:\WINDOWS\Explorer.EXE'

        TargetImage:

            - 'C:\WINDOWS\system32\backgroundTaskHost.exe'

            - 'C:\WINDOWS\explorer.exe'

    filter_msmpeng:

        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'

        SourceImage|endswith: '\MsMpEng.exe'

    filter_eclipse:

        SourceImage|endswith: '\eclipse.exe'

        CallTrace|contains:

            - '\jre\bin\java.dll'

            - '|C:\Windows\SYSTEM32\windows.storage.dll+'

            - '\configuration\org.eclipse.osgi\'

    filter_openwith:

        SourceImage: 'C:\Windows\system32\OpenWith.exe'

        TargetImage: 'C:\Windows\Explorer.EXE'

    condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*

fields:

    - ComputerName

    - User

    - SourceImage

    - TargetImage

    - CallTrace

level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high

falsepositives:

- SysInternals Process Explorer

 

 

 

title: TAIDOOR RAT DLL Load

id: d1aa3382-abab-446f-96ea-4de52908210b

status: test

description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load

author: Florian Roth

references:

  - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a

date: 2020/07/30

modified: 2021/11/27

logsource:

  category: process_creation

  product: windows

detection:

  selection1:

    CommandLine|contains:

      - 'dll,MyStart'

      - 'dll MyStart'

  selection2a:

    CommandLine|endswith:

      - ' MyStart'

  selection2b:

    CommandLine|contains:

      - 'rundll32.exe' ==》就是rundll32啊,和进程注入有啥关系。。。呃。。。

  condition: selection1 or ( selection2a and selection2b )

falsepositives:

  - Unknown

level: critical

tags:

  - attack.execution

  - attack.t1055.001

 

title: MavInject Process Injection

id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8

status: stable

description: Detects process injection using the signed Windows tool Mavinject32.exe

author: Florian Roth

references:

  - https://twitter.com/gN3mes1s/status/941315826107510784

  - https://reaqta.com/2017/12/mavinject-microsoft-injector/

  - https://twitter.com/Hexacorn/status/776122138063409152

date: 2018/12/12

modified: 2021/11/27

logsource:

  category: process_creation

  product: windows

detection:

  selection:

    CommandLine|contains: ' /INJECTRUNNING ' ==》检测特定进程命令行

  condition: selection

falsepositives:

  - Unknown

level: critical

tags:

  - attack.t1055.001

  - attack.t1218

 

title: ZOHO Dctask64 Process Injection

id: 6345b048-8441-43a7-9bed-541133633d7a

status: test

description: Detects suspicious process injection using ZOHO's dctask64.exe

author: Florian Roth

references:

  - https://twitter.com/gN3mes1s/status/1222088214581825540

  - https://twitter.com/gN3mes1s/status/1222095963789111296

  - https://twitter.com/gN3mes1s/status/1222095371175911424

date: 2020/01/28

modified: 2021/11/27

logsource:

  category: process_creation

  product: windows

detection:

  selection:

    Image|endswith:

      - '\dctask64.exe' ==》检测特定注入工具的进程名是一类

  filter:

    CommandLine|contains:

      - 'DesktopCentral_Agent\agent'

  condition: selection and not filter

fields:

  - CommandLine

  - ParentCommandLine

  - ParentImage

falsepositives:

  - Unknown yet

level: high

tags:

  - attack.defense_evasion

  - attack.t1055.001

 

implementations:

  - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '

    code: |

      remote_thread = search Thread:RemoteCreate

      remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")

      remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

 

      output remote_thread

    type: pseudocode

  - description: LogPoint version of the above pseudocode.

    code: |

      norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"

    type: LogPoint

    data_model: LogPoint native

 

 

title: DLL Injection with Mavinject

submission_date: 2020/11/30

information_domain: Host

platforms:

  - Windows

subtypes:

  - Process

analytic_types:

  - TTP

contributors:

  - Olaf Hartong

id: CAR-2020-11-003

description: |

  Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.

coverage:

  - technique: T1055

    tactics:

      - TA0004

      - TA0005

    subtechniques:

      - T1055.001

    coverage: Low

implementations:

  - name: Pseudocode - mavinject process and its common argument

    description: This is a pseudocode representation of the below splunk search.

    code: |

      processes = search Process:Create

      mavinject_processes = filter processes where (

        exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*" ==》命令行

      output mavinject_processes

 

description: DynamicWrapperX is an ActiveX component that can be used in a script

  to call Windows API functions, but it requires the dynwrapx.dll to be installed

  and registered. With that, registering or loading dynwrapx.dll to a host is highly

  suspicious. In most instances when it is used maliciously, the best way to triage

  is to review parallel processes and pivot on the process_guid. Review the registry

  for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious

  module loads of dynwrapx.dll. This detection will return and identify the processes

  that invoke vbs/wscript/cscript.

search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName

  = "dynwrapx.dll" OR  Product = "DynamicWrapperX") | stats count min(_time) as firstTime

  max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name

  Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ==》检测加载的DLL名字

  | `loading_of_dynwrapx_module_filter`'

how_to_implement: To successfully implement this search you need to be ingesting information

  on processes that include the name of the process responsible for the changes from

  your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem`

  node. In addition, confirm the latest CIM App 4.20 or higher is installed and the

  latest TA for the endpoint product.

 

 

 

description: |

  Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).

 

  -   Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)

  -   Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)

  -   Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).

 

  This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.

coverage:

  - technique: T1055

    tactics:

      - TA0005

    subtechniques:

      - T1055.001

    coverage: Moderate

  - technique: T1548

    tactics:

      - TA0004

    subtechniques:

      - T1548.002

    coverage: Moderate

implementations:

  - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '

    code: |

      remote_thread = search Thread:RemoteCreate

      remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")

      remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe") ==》同样是排除白名单的loadlibrary

 

进程注入白名单分析:

思路,看createremotethread的函数是否在导入表里使用,也就是kernel32.dll里:

 

Kernel32.lib
DLL
Kernel32.dll

 

 当然,严谨看,还要看看kernelbase和ntdll。如下:

通过WinDbg查看函数CreateRemoteThead在用户模式下的调用流程,观察这个调用情况可以确定在用户模式下,这个函数涉及到了三个dll模块(KERNEL32、KERNELBASE、ntdll)。CreateRemoteThead这个API在KERNEL32模块中真正的函数名是CreateRemoteThreadStub,通过这个KERNEL32中的CreateRemoteThreadStubAPI将参数转发到KERNELBASE模块中的CreateRemoteThreadEx中,然后在KERNELBASE中调用ntdll模块中的NtCreateThreadExAPI,进入内核。待内核处理结束后获取返回值,进行返回值的处理并返回结果。 ​

 

 

 

 - '\Windows\System32\sdiagnhost.exe'  误报:在我的win7、win10、win11上没有看到进程注入,因为其导入表里根本就没有使用该函数。

 白名单错误!

 

 

            - '\procexp64.exe'

 

            - '\procexp.exe'  在32位下有进程注入,但不是创建远程线程注入,如下

 

 

 

            - '\Microsoft VS Code\Code.exe' ==》这个是有远程线程注入的,看来是要排除:

 

 

            - '\aurora-agent-64.exe' 这是国外开源的EDR,先不考虑了,下载还得专门申请,也是醉了。。。

 

 

            - '\aurora-agent.exe' 同上

 

            - '\git\usr\bin\sh.exe'  没有看到注入

 

 

            - '\IDE\devenv.exe'  有注入,但不是线程注入

 

 

 

 

 

            - '\GitHubDesktop\Update.exe'  没有看到注入,其导入表很少,CFF explorer还打不开该文件,也是很诡异

 

 

            - '\RuntimeBroker.exe'  windows程序,没看到注入

 

            - '\backgroundTaskHost.exe'   windows程序,没看到注入

 

            - '\GitHubDesktop.exe'  没有看到注入

 

        - SourceImage|startswith:

 

            - 'C:\Program Files (x86)\'

 

            - 'C:\Program Files\'

 

            - 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe' 如下图所示,导入表函数很少,估计是加壳了

 

 

            - 'C:\Program Files (x86)\Microsoft Visual Studio\'

 

            - 'C:\Program Files\Microsoft Visual Studio\'

 

            - 'C:\Windows\Microsoft.NET\Framework'

 

            - 'C:\WINDOWS\System32\DriverStore\'

 

            - 'C:\Windows\System32\WindowsPowerShell\'

 

        - SourceImage:

 

            - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'

 

            - 'C:\WINDOWS\system32\taskhostw.exe'  没有看到注入,另外,win7没有该文件 

 

            - 'C:\WINDOWS\system32\ctfmon.exe'   没有看到注入,win7 win11都是

 

            - 'C:\WINDOWS\system32\NhNotifSys.exe'  没有这个文件

 

            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'  win11没有注入,win7没有该文件

 

            - 'C:\Windows\explorer.exe'   初看没有注入,实际上是有的

 

 

 可以看到,是有注入的,见后面api-ms-win-core-processthreads-l1-1-0.dll的分析。

 

        - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe' 

 

        - TargetImage|endswith: '\Microsoft VS Code\Code.exe'

 

        - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+'  # attempt to save the rule with a broader filter

 

    filter_set_1:

 

        SourceImage:

 

            - 'C:\WINDOWS\Explorer.EXE'

 

        TargetImage:

 

            - 'C:\WINDOWS\system32\backgroundTaskHost.exe'

 

            - 'C:\WINDOWS\explorer.exe'

 

    filter_msmpeng:

 

        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'

 

        SourceImage|endswith: '\MsMpEng.exe' 没有看到注入,看来微软defender没有做注入,也是很奇怪

 

再度确认了下所有的DLL,的确是没有。 

 

 

    filter_eclipse:

 

        SourceImage|endswith: '\eclipse.exe' 没有看到注入

 

        CallTrace|contains:

 

            - '\jre\bin\java.dll'

 

            - '|C:\Windows\SYSTEM32\windows.storage.dll+'

 

            - '\configuration\org.eclipse.osgi\'

 

    filter_openwith:

 

        SourceImage: 'C:\Windows\system32\OpenWith.exe' win11 64/32都没有看到注入,win7没有该文件

 

        TargetImage: 'C:\Windows\Explorer.EXE'

 

    condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*

 

 

另外,sysmon采集的时候给了白名单:

	<RuleGroup name="" groupRelation="or">
		<CreateRemoteThread onmatch="exclude">
			<!--COMMENT: Exclude mostly-safe sources and log anything else.
			
			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
			<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
			
			-->
		</CreateRemoteThread>
	</RuleGroup>

  

蛋疼,我来再度一一确认吧:

 

<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage> 有进程注入,如下,虽然不是kernel32 DLL:
		

 

 内存操作也有注入相关的特征。

继续追根溯源,

 可以看到的确是有createremotethread的!

 

 说明的确是要加入到白名单!

	<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage> 有进程注入

 

			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage> 有明确的注入行为

 

			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage> 不太确定,从DLL看应该没有远程线程注入!

 



<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage> 有注入,如下:

 


<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage> 有注入:

 


<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage> 有注入

 

			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule> pass
<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage> 这个是要排除!

 

综上,通过静态分析看到,可以设置的进程注入白名单如下:
<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage> 这个是要排除!因为我本机的确看到远程线程注入。
<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage> 有注入
<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage> 有注入
<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage> 有注入
<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage> 有明确的远程线程注入
<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage> 有进程注入
<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
- 'C:\Windows\explorer.exe' 有注入
- '\IDE\devenv.exe' 有注入,但不是线程注入
- '\Microsoft VS Code\Code.exe' 有远程线程注入

 

其他通过动态行为观察到注入的:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:41:04.087
SourceProcessGuid: {d4c3f587-095e-64b6-5c05-000000000200}
SourceProcessId: 8296
SourceImage: C:\Users\bonelee\Desktop\procexp64.exe
TargetProcessGuid: {d4c3f587-0820-64b6-4c05-000000000200}
TargetProcessId: 7396
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 7720
StartAddress: 0x00007FF852D48D70
StartModule: C:\WINDOWS\SYSTEM32\ntdll.dll
StartFunction: RtlpQueryProcessDebugInformationRemote
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:37:47.220
SourceProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
SourceProcessId: 564
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-f06b-64b5-8904-000000000200}
TargetProcessId: 6484
TargetImage: C:\Windows\System32\cmd.exe
NewThreadId: 660
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:37:47.206
SourceProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
SourceProcessId: 564
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
TargetProcessId: 8404
TargetImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
NewThreadId: 8700
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:08:02.416
SourceProcessGuid: {d4c3f587-0212-64b6-1b05-000000000200}
SourceProcessId: 4732
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 2064
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:08:02.416
SourceProcessGuid: {d4c3f587-0212-64b6-1b05-000000000200}
SourceProcessId: 4732
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 2064
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

  

开机启动看到的:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:24.334
SourceProcessGuid: {d4c3f587-8169-64b6-0a00-000000000300}
SourceProcessId: 612
SourceImage: C:\Windows\System32\winlogon.exe
TargetProcessGuid: {d4c3f587-8169-64b6-0900-000000000300}
TargetProcessId: 548
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 1244
StartAddress: 0xFFFF97E7FBDC20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.053
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0a00-000000000200}
TargetProcessId: 632
TargetImage: C:\Windows\System32\services.exe
NewThreadId: 6768
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0b00-000000000200}
TargetProcessId: 644
TargetImage: C:\Windows\System32\lsass.exe
NewThreadId: 6308
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-330c-64b5-af00-000000000200}
TargetProcessId: 4696
TargetImage: C:\Windows\System32\svchost.exe
NewThreadId: 1012
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-f08c-64b5-9404-000000000200}
TargetProcessId: 3948
TargetImage: C:\Windows\Sysmon.exe
NewThreadId: 6984
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-372c-64b5-a802-000000000200}
TargetProcessId: 8888
TargetImage: C:\Windows\System32\svchost.exe
NewThreadId: 8968
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e624-64b5-de02-000000000200}
TargetProcessId: 1972
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe
NewThreadId: 6204
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e626-64b5-df02-000000000200}
TargetProcessId: 7316
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe
NewThreadId: 3764
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e6ad-64b5-f902-000000000200}
TargetProcessId: 5296
TargetImage: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
NewThreadId: 8936
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-5300-000000000200}
TargetProcessId: 3376
TargetImage: C:\Windows\System32\vm3dservice.exe
NewThreadId: 6936
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3148-64b5-5800-000000000200}
TargetProcessId: 3692
TargetImage: C:\Windows\System32\wbem\WmiPrvSE.exe
NewThreadId: 4148
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4300-000000000200}
TargetProcessId: 2908
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe
NewThreadId: 344
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-330a-64b5-a900-000000000200}
TargetProcessId: 780
TargetImage: C:\Windows\System32\SearchIndexer.exe
NewThreadId: 4128
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-31c0-64b5-7a00-000000000200}
TargetProcessId: 456
TargetImage: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
NewThreadId: 5216
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3173-64b5-6f00-000000000200}
TargetProcessId: 4280
TargetImage: C:\Windows\System32\dllhost.exe
NewThreadId: 7552
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3173-64b5-7100-000000000200}
TargetProcessId: 4192
TargetImage: C:\Windows\System32\msdtc.exe
NewThreadId: 8024
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4600-000000000200}
TargetProcessId: 1460
TargetImage: C:\Windows\System32\spoolsv.exe
NewThreadId: 112
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4e00-000000000200}
TargetProcessId: 3292
TargetImage: C:\Program Files\quasardb\bin\qdb_service.exe
NewThreadId: 3560
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\LOCAL SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-5200-000000000200}
TargetProcessId: 3348
TargetImage: C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
NewThreadId: 8636
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4d00-000000000200}
TargetProcessId: 3284
TargetImage: C:\Program Files\quasardb\bin\qdb_rest_service.exe
NewThreadId: 7952
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:08:38.493
SourceProcessGuid: {d4c3f587-80c6-64b6-8a06-000000000200}
SourceProcessId: 5244
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 5728
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

  

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 07:36:36.841
SourceProcessGuid: {9955143a-a510-64b0-cc15-000000002700}
SourceProcessId: 13552
SourceImage: C:\Windows\SysWOW64\SpesAgent.exe
TargetProcessGuid: {9955143a-4104-64b6-2166-030000002700}
TargetProcessId: 4620
TargetImage: C:\Windows\SysWOW64\cmd.exe
NewThreadId: 9296
StartAddress: 0x00000000758A1D60
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryW



CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 06:06:00.330
SourceProcessGuid: {9955143a-a502-64b0-8d15-000000002700}
SourceProcessId: 524
SourceImage: C:\Windows\explorer.exe
TargetProcessGuid: {9955143a-2bc8-64b6-2561-030000002700}
TargetProcessId: 15728
TargetImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
NewThreadId: 22124
StartAddress: 0x00007FFE77A70660
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryW

  

这些都是常见的系统进程注入,也需要排除。

posted @ 2023-07-17 11:41  bonelee  阅读(1068)  评论(0编辑  收藏  举报