First, look at the official example:
Matching a TTP Pattern
Write a pattern to match Tactics, Techniques, and Procedures (TTP). The TTP pattern describes a web service exploit in which a worker process of the web service (e.g. nginx or NodeJS) is associated with a binary that is not the web service. ==> This comes up in RCE scenarios: a suspicious, illegitimate process is spawned through the nodejs process.
Looking at the data above, the process needs two fields, parent_ref and binary_ref. Let's check whether STIX has them.
Reference: the STIX standard data format: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber-observable-objects.html
2.13 Process Object
Type Name: process
The Process Object represents common properties of an instance of a computer program as executed on an operating system. A Process Object MUST contain at least one property (other than type) from this object (or one of its extensions).
2.13.1 Properties
Common Properties | type, extensions
Process Object Specific Properties | is_hidden, pid, name, created, cwd, arguments, command_line, environment_variables, opened_connection_refs, creator_user_ref, binary_ref, parent_ref, child_refs
Property Name | Type | Description
type (required) | string | The value of this property MUST be process.
extensions (optional) | dictionary | The Process Object defines the following extensions: windows-process-ext, windows-service-ext. In addition to these, producers MAY create their own. Dictionary keys MUST identify the extension type by name. The corresponding dictionary values MUST contain the contents of the extension instance.
is_hidden (optional) | boolean | Specifies whether the process is hidden.
pid (optional) | integer | Specifies the Process ID, or PID, of the process.
name (optional) | string | Specifies the name of the process.
created (optional) | timestamp | Specifies the date/time at which the process was created.
cwd (optional) | string | Specifies the current working directory of the process.
arguments (optional) | list of type string | Specifies the list of arguments used in executing the process. Each argument MUST be captured separately as a string.
command_line (optional) | string | Specifies the full command line used in executing the process, including the process name (depending on the operating system).
environment_variables (optional) | dictionary | Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string.
opened_connection_refs (optional) | list of type object-ref | Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic Objects. The objects referenced in this list MUST be of type network-traffic.
creator_user_ref (optional) | object-ref | Specifies the user that created the process, as a reference to a User Account Object. The object referenced in this property MUST be of type user-account.
binary_ref (optional) | object-ref | Specifies the executable binary that was executed as the process, as a reference to a File Object. The object referenced in this property MUST be of type file.
parent_ref (optional) | object-ref | Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process Object. The object referenced in this property MUST be of type process.
child_refs (optional) | list of type object-ref | Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process Objects. The objects referenced in this list MUST be of type process.
Examples
Basic Process
{
  "0": {
    "type": "file",
    "hashes": {
      "SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"
    }
  },
  "1": {
    "type": "process",
    "pid": 1221,
    "name": "gedit-bin",
    "created": "2016-01-20T14:11:25.55Z",
    "arguments": [
      "--new-window"
    ],
    "binary_ref": "0"
  }
}
As mentioned in the earlier write-up on the pitfalls of connecting Kestrel to Elasticsearch, the data format in ES looks like this:
{
  "process": {
    "name": "firefox.exe",
    "content": "I hava a friend who loves smile, gymbo is his name",
    "pid": "121321"
  },
  "@timestamp": "2021-11-02T14:44:23.453+0000"
}
The corresponding Kestrel is:
browsers = GET process FROM stixshifter://host110
           WHERE [process:name IN ('firefox.exe', 'chrome.exe')]
           START t'2021-01-01T00:00:00Z' STOP t'2021-12-31T00:00:00Z'
DISP browsers ATTR name, pid
So for the Kestrel TTP-matching case to run properly, the data format needs to be:
{
  "process": {
    "name": "xxx_shell",
    "content": "what ever...",
    "pid": "9121321",
    "parent_ref": { "name": "node", "pid": "88888" },
    "binary_ref": { "name": "xxx_shell.exe", "SHA-256": "35a01331xxxx" }
  },
  "@timestamp": "2021-11-02T14:44:23.453+0000"
}
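To check that the nested format above carries what the TTP pattern needs, here is an added Python example (not from this post, Kestrel or stix-shifter) that maps such ES documents onto the STIX "objects" structure shown in the Basic Process example and then evaluates the nginx/node TTP by following the parent_ref and binary_ref links. The sample documents, the worker-name set WEB_WORKERS and the written-out STIX pattern are constructed assumptions.

```python
# Constructed ES documents in the nested shape the post says the mapping needs
# (parent_ref / binary_ref under "process"); not real telemetry from the post.
ES_DOCS = [
    {"process": {"name": "xxx_shell", "pid": "9121321",
                 "parent_ref": {"name": "node", "pid": "88888"},
                 "binary_ref": {"name": "xxx_shell.exe", "SHA-256": "35a01331xxxx"}},
     "@timestamp": "2021-11-02T14:44:23.453+0000"},
    {"process": {"name": "node", "pid": "77777",           # benign: node spawning node
                 "parent_ref": {"name": "node", "pid": "88888"},
                 "binary_ref": {"name": "node"}},
     "@timestamp": "2021-11-02T14:45:00.000+0000"},
    {"process": {"name": "firefox.exe", "pid": "121321"},  # no refs: pattern cannot apply
     "@timestamp": "2021-11-02T14:44:23.453+0000"},
]
WEB_WORKERS = {"nginx", "node"}  # web service worker binaries (assumed set)

def es_to_stix_objects(doc):
    """Map one ES document to a STIX 2.0 'objects' dict ("0", "1", ...): binary_ref
    points at a file object, parent_ref at a process object, pid becomes an integer."""
    p, objs = doc["process"], {}
    def add(obj):                      # store under the next numeric key, return that key
        objs[str(len(objs))] = obj
        return str(len(objs) - 1)
    proc = {"type": "process", "name": p["name"], "pid": int(p["pid"])}
    if "binary_ref" in p:
        f = {"type": "file", "name": p["binary_ref"]["name"]}
        if "SHA-256" in p["binary_ref"]:
            f["hashes"] = {"SHA-256": p["binary_ref"]["SHA-256"]}
        proc["binary_ref"] = add(f)
    if "parent_ref" in p:
        proc["parent_ref"] = add({"type": "process", "name": p["parent_ref"]["name"],
                                  "pid": int(p["parent_ref"]["pid"])})
    add(proc)
    return objs

def matches_web_worker_ttp(objs):
    """The post's TTP as a STIX pattern: [process:parent_ref.name IN ('nginx','node')
    AND process:binary_ref.name NOT IN ('nginx','node')], evaluated by following the refs."""
    for o in objs.values():
        if o["type"] == "process" and "parent_ref" in o and "binary_ref" in o:
            parent, binary = objs[o["parent_ref"]], objs[o["binary_ref"]]
            if (parent["type"] == "process" and binary["type"] == "file"
                    and parent["name"] in WEB_WORKERS and binary["name"] not in WEB_WORKERS):
                return True
    return False

def hunt(docs):  # names of processes whose document matches the TTP
    return [d["process"]["name"] for d in docs if matches_web_worker_ttp(es_to_stix_objects(d))]
```

Only the first document fires: its parent is a web worker while its binary is not, whereas a node worker forking node is excluded and a document without refs can never satisfy the pattern.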
Let's try it out...
todo