Process injection detection: several ways to detect DLL injection: 1. command lines containing keywords of specific injection tools; 2. suspicious injection after excluding a whitelist; 3. suspicious DLL loads; 4. anomalous StartAddress from injection by specific tools

Posted: 2023-08-04 20:32:08

Process injection detection

Several ways to detect DLL injection:

1. Command line containing keywords of specific injection tools

2. Suspicious injection after excluding a whitelist

3. Suspicious DLL loads

4. Anomalous StartAddress from injection by specific tools

The following content comes from open-source detection sources such as CAR and Splunk:

 

title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
    - attack.defense_evasion
    - attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'  # ==> detects on the start address
    condition: selection
falsepositives:
    - Unknown
level: high

 

 

title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
author: Roberto Rodriguez @Cyb3rWard0g
references:
  - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
date: 2019/08/11
modified: 2021/11/27
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    StartModule|endswith: '\kernel32.dll'
    StartFunction: 'LoadLibraryA'  # ==> detects a suspicious DLL load
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.defense_evasion
  - attack.t1055.001

 

 

title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see so few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
modified: 2022/03/16
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
    - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1055.001
    - attack.t1055.002
logsource:
    category: process_access
    product: windows
detection:
    selection1:
        CallTrace|contains|all:
              - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
              - '|C:\WINDOWS\System32\KERNELBASE.dll+'
              - '|UNKNOWN('
              - ')'
    selection2:
        CallTrace|contains|all:
              - 'UNKNOWN('
              - ')|UNKNOWN('
        CallTrace|endswith: ')'
    selection3:
        CallTrace|contains: 'UNKNOWN'
        GrantedAccess:
            - '0x1F0FFF'
            - '0x1F1FFF'
            - '0x143A'
            - '0x1410'
            - '0x1010'
            - '0x1F2FFF'
            - '0x1F3FFF'
            - '0x1FFFFF'
    filter:
        # ==> directly excludes a whitelist; anything not on the whitelist is a suspicious process injection, which should be what I want
        - SourceImage|endswith:
            - '\Windows\System32\sdiagnhost.exe'
            - '\procexp64.exe'
            - '\procexp.exe'
            - '\Microsoft VS Code\Code.exe'
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
            - '\git\usr\bin\sh.exe'
            - '\IDE\devenv.exe'
            - '\GitHubDesktop\Update.exe'
            - '\RuntimeBroker.exe'
            - '\backgroundTaskHost.exe'
            - '\GitHubDesktop.exe'
        - SourceImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe'
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Windows\Microsoft.NET\Framework'
            - 'C:\WINDOWS\System32\DriverStore\'
            - 'C:\Windows\System32\WindowsPowerShell\'
        - SourceImage:
            - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
            - 'C:\WINDOWS\system32\taskhostw.exe'
            - 'C:\WINDOWS\system32\ctfmon.exe'
            - 'C:\WINDOWS\system32\NhNotifSys.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\explorer.exe'
        - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe'
        - TargetImage|endswith: '\Microsoft VS Code\Code.exe'
        - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+'  # attempt to save the rule with a broader filter
    filter_set_1:
        SourceImage:
            - 'C:\WINDOWS\Explorer.EXE'
        TargetImage:
            - 'C:\WINDOWS\system32\backgroundTaskHost.exe'
            - 'C:\WINDOWS\explorer.exe'
    filter_msmpeng:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    filter_eclipse:
        SourceImage|endswith: '\eclipse.exe'
        CallTrace|contains:
            - '\jre\bin\java.dll'
            - '|C:\Windows\SYSTEM32\windows.storage.dll+'
            - '\configuration\org.eclipse.osgi\'
    filter_openwith:
        SourceImage: 'C:\Windows\system32\OpenWith.exe'
        TargetImage: 'C:\Windows\Explorer.EXE'
    condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
fields:
    - ComputerName
    - User
    - SourceImage
    - TargetImage
    - CallTrace
level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high
falsepositives:
- SysInternals Process Explorer
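To make the rule's three selections concrete, here is an added Python example (not code from the Sigma project or from this post) that parses Sysmon Event 10 CallTrace strings into frames and evaluates selection1, selection2 and selection3 together with a trimmed version of the SourceImage filter. The events in SAMPLE_EVENTS are constructed; their paths, offsets and addresses are made up.

```python
"""Triage of Sysmon Event 10 (ProcessAccess) CallTrace strings.

Added example; not code from the Sigma project or the page's author. It
re-implements the three selections of the rule above on parsed CallTrace
values: a frame written as UNKNOWN(addr) is one that Sysmon could not map to
a module loaded from disk, i.e. code that was reflectively loaded.
SAMPLE_EVENTS is constructed input.
"""
import re
from typing import NamedTuple

# Access masks from the rule's selection3.
SUSPICIOUS_ACCESS = {"0x1F0FFF", "0x1F1FFF", "0x143A", "0x1410",
                     "0x1010", "0x1F2FFF", "0x1F3FFF", "0x1FFFFF"}
# A few of the rule's SourceImage|endswith exclusions (trimmed for the example).
FILTER_SOURCE_SUFFIX = ("\\procexp64.exe", "\\procexp.exe", "\\Microsoft VS Code\\Code.exe")

_FRAME = re.compile(r"^(?P<module>.+)\+(?P<offset>[0-9A-Fa-f]+)$")


class Frame(NamedTuple):
    module: str   # backing module path, or "UNKNOWN"
    offset: str   # hex offset in the module, or the raw address for UNKNOWN frames


def parse_call_trace(call_trace: str) -> list[Frame]:
    """Split 'mod+off|mod+off|UNKNOWN(addr)' into frames; malformed frames are skipped."""
    frames = []
    for raw in call_trace.split("|"):
        raw = raw.strip()
        if raw.upper().startswith("UNKNOWN(") and raw.endswith(")"):
            frames.append(Frame("UNKNOWN", raw[len("UNKNOWN("):-1]))
            continue
        m = _FRAME.match(raw)
        if m:
            frames.append(Frame(m.group("module"), m.group("offset")))
    return frames


def classify(event: dict) -> list[str]:
    """Names of the rule selections matching this event; [] means no alert."""
    source = event.get("SourceImage", "").lower()
    if source.endswith(tuple(s.lower() for s in FILTER_SOURCE_SUFFIX)):
        return []
    mods = [f.module.lower() for f in parse_call_trace(event.get("CallTrace", ""))]
    unknown = [m == "unknown" for m in mods]
    hits = []
    # selection1: ntdll and KERNELBASE frames present alongside an UNKNOWN frame
    if (any(m.endswith("\\ntdll.dll") for m in mods)
            and any(m.endswith("\\kernelbase.dll") for m in mods) and any(unknown)):
        hits.append("selection1")
    # selection2: two consecutive UNKNOWN frames and the trace ends in one
    if any(a and b for a, b in zip(unknown, unknown[1:])) and unknown and unknown[-1]:
        hits.append("selection2")
    # selection3: any UNKNOWN frame together with a broad access mask
    if any(unknown) and event.get("GrantedAccess", "") in SUSPICIOUS_ACCESS:
        hits.append("selection3")
    return hits


SAMPLE_EVENTS = [  # constructed; offsets and addresses are made up
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d4a4|C:\WINDOWS\System32\KERNELBASE.dll+2c3bf|C:\WINDOWS\System32\sechost.dll+8ba1"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe", "GrantedAccess": "0x1F0FFF",
     "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d4a4|C:\WINDOWS\System32\KERNELBASE.dll+2c3bf|UNKNOWN(000001D2A0C41234)"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00000210AAAA0000)|UNKNOWN(00000210AAAA1000)"},
    {"SourceImage": r"C:\Tools\procexp64.exe", "GrantedAccess": "0x1F0FFF",
     "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d4a4|C:\WINDOWS\System32\KERNELBASE.dll+2c3bf|UNKNOWN(000001D2A0C41234)"},
]


def triage(events: list[dict]) -> list[list[str]]:
    """One list of matching selection names per event, in input order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(hits or "-", ev["SourceImage"])
```

The filter is applied before the selections, exactly as the rule's `condition` does, which is why the fourth sample (Process Explorer with an otherwise alerting stack) produces nothing; widening that filter is what drove the rule's `level: low` comment.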

 

 

 

title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
author: Florian Roth
references:
  - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
date: 2020/07/30
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    CommandLine|contains:
      - 'dll,MyStart'
      - 'dll MyStart'
  selection2a:
    CommandLine|endswith:
      - ' MyStart'
  selection2b:
    CommandLine|contains:
      - 'rundll32.exe'  # ==> this is just rundll32; what does it have to do with process injection... er...
  condition: selection1 or ( selection2a and selection2b )
falsepositives:
  - Unknown
level: critical
tags:
  - attack.execution
  - attack.t1055.001

 

title: MavInject Process Injection
id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
status: stable
description: Detects process injection using the signed Windows tool Mavinject32.exe
author: Florian Roth
references:
  - https://twitter.com/gN3mes1s/status/941315826107510784
  - https://reaqta.com/2017/12/mavinject-microsoft-injector/
  - https://twitter.com/Hexacorn/status/776122138063409152
date: 2018/12/12
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: ' /INJECTRUNNING '  # ==> detects a specific process command line
  condition: selection
falsepositives:
  - Unknown
level: critical
tags:
  - attack.t1055.001
  - attack.t1218

 

title: ZOHO Dctask64 Process Injection
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: Detects suspicious process injection using ZOHO's dctask64.exe
author: Florian Roth
references:
  - https://twitter.com/gN3mes1s/status/1222088214581825540
  - https://twitter.com/gN3mes1s/status/1222095963789111296
  - https://twitter.com/gN3mes1s/status/1222095371175911424
date: 2020/01/28
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\dctask64.exe'  # ==> detecting the process name of a specific injection tool is one category
  filter:
    CommandLine|contains:
      - 'DesktopCentral_Agent\agent'
  condition: selection and not filter
fields:
  - CommandLine
  - ParentCommandLine
  - ParentImage
falsepositives:
  - Unknown yet
level: high
tags:
  - attack.defense_evasion
  - attack.t1055.001

 

implementations:
  - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '
    code: |
      remote_thread = search Thread:RemoteCreate
      remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
      remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

      output remote_thread
    type: pseudocode
  - description: LogPoint version of the above pseudocode.
    code: |
      norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
    type: LogPoint
    data_model: LogPoint native

 

 

title: DLL Injection with Mavinject
submission_date: 2020/11/30
information_domain: Host
platforms:
  - Windows
subtypes:
  - Process
analytic_types:
  - TTP
contributors:
  - Olaf Hartong
id: CAR-2020-11-003
description: |
  Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.
coverage:
  - technique: T1055
    tactics:
      - TA0004
      - TA0005
    subtechniques:
      - T1055.001
    coverage: Low
implementations:
  - name: Pseudocode - mavinject process and its common argument
    description: This is a pseudocode representation of the below splunk search.
    code: |
      processes = search Process:Create
      mavinject_processes = filter processes where (
        exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"
      )  # ==> command line
      output mavinject_processes

 

description: DynamicWrapperX is an ActiveX component that can be used in a script
  to call Windows API functions, but it requires the dynwrapx.dll to be installed
  and registered. With that, registering or loading dynwrapx.dll to a host is highly
  suspicious. In most instances when it is used maliciously, the best way to triage
  is to review parallel processes and pivot on the process_guid. Review the registry
  for any suspicious modifications meant to load dynwrapx.dll. Identify any suspicious
  module loads of dynwrapx.dll. This detection will return and identify the processes
  that invoke vbs/wscript/cscript.
search: '`sysmon` EventCode=7 (ImageLoaded = "*\\dynwrapx.dll" OR OriginalFileName
  = "dynwrapx.dll" OR  Product = "DynamicWrapperX") | stats count min(_time) as firstTime
  max(_time) as lastTime by Image ImageLoaded OriginalFileName Product process_name
  Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `loading_of_dynwrapx_module_filter`'
# ==> detects by the name of the loaded DLL
how_to_implement: To successfully implement this search you need to be ingesting information
  on processes that include the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Processes` and `Filesystem`
  node. In addition, confirm the latest CIM App 4.20 or higher is installed and the
  latest TA for the endpoint product.

 

 

 

description: |
  Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx).

  -   Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx)
  -   Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx)
  -   Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx).

  This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
coverage:
  - technique: T1055
    tactics:
      - TA0005
    subtechniques:
      - T1055.001
    coverage: Moderate
  - technique: T1548
    tactics:
      - TA0004
    subtechniques:
      - T1548.002
    coverage: Moderate
implementations:
  - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. '
    code: |
      remote_thread = search Thread:RemoteCreate
      remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
      remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")  # ==> likewise excludes a whitelist for LoadLibrary

 

Process injection whitelist analysis:

Approach: check whether the CreateRemoteThread function is used in the import table, i.e. imported from kernel32.dll:

Library: Kernel32.lib; DLL: Kernel32.dll

Of course, to be rigorous, kernelbase and ntdll also have to be looked at. As follows:

Viewing the user-mode call flow of CreateRemoteThread in WinDbg shows that in user mode this function involves three DLL modules (KERNEL32, KERNELBASE and ntdll). The real name of the CreateRemoteThread API inside the KERNEL32 module is CreateRemoteThreadStub; this KERNEL32 CreateRemoteThreadStub forwards the parameters to CreateRemoteThreadEx in the KERNELBASE module, which in turn calls the NtCreateThreadEx API in the ntdll module and enters the kernel. Once the kernel has finished, the return value is fetched, processed and returned to the caller.
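As an added example of the static check described above (not the author's code), the following Python walks an executable's import table and reports whether it imports CreateRemoteThread from kernel32, CreateRemoteThreadEx from kernelbase or NtCreateThreadEx from ntdll, and also resolves the api-ms-win-core-processthreads-* API-set names under which modern binaries import the KERNELBASE functions. Reading a real file assumes the third-party pefile package; the classifier itself takes a plain dict and is exercised here on constructed import tables.

```python
"""Static check: does a PE import a thread-creation API usable for remote
thread injection? Added example, not the post author's code. It follows the
user-mode chain described above: kernel32!CreateRemoteThread(Stub) ->
kernelbase!CreateRemoteThreadEx -> ntdll!NtCreateThreadEx, and treats the
api-ms-win-core-processthreads-* API-set contracts as KERNELBASE, which is
where they are forwarded at load time. Reading a file needs `pefile`
(pip install pefile); the classifier uses only the standard library.
"""
from collections import defaultdict
from typing import Optional

# Function -> layer of the chain at which it creates a thread in another process.
REMOTE_THREAD_APIS = {
    "CreateRemoteThread": "kernel32 stub",
    "CreateRemoteThreadEx": "kernelbase",
    "NtCreateThreadEx": "ntdll",
}


def provider_family(dll_name: str) -> Optional[str]:
    """Map an imported DLL name to the Windows module family that really
    exports these APIs; None for any other DLL (a same-named import from a
    third-party DLL is not the Windows API)."""
    name = dll_name.lower()
    if name in ("kernel32.dll", "kernelbase.dll", "ntdll.dll"):
        return name[:-4]
    if name.startswith("api-ms-win-core-processthreads-"):
        return "kernelbase (via API set)"
    return None


def find_remote_thread_imports(imports: dict) -> list:
    """imports maps DLL name -> list of imported function names (ordinal-only
    imports omitted). Returns sorted (dll, function, layer) tuples."""
    findings = []
    for dll, funcs in imports.items():
        if provider_family(dll) is None:
            continue
        for func in funcs:
            if func in REMOTE_THREAD_APIS:
                findings.append((dll, func, REMOTE_THREAD_APIS[func]))
    return sorted(findings)


def imports_from_file(path: str) -> dict:
    """Collect normal and delay-load imports of a PE file with pefile."""
    import pefile  # third-party; imported lazily so the classifier runs without it
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(directories=[
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"],
        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT"],
    ])
    table = defaultdict(list)
    entries = list(getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])) + \
        list(getattr(pe, "DIRECTORY_ENTRY_DELAY_IMPORT", []))
    for entry in entries:
        dll = entry.dll.decode(errors="replace")
        for imp in entry.imports:
            if imp.name:  # ordinal-only imports carry no name to match on
                table[dll].append(imp.name.decode(errors="replace"))
    return dict(table)


# Constructed import tables standing in for real binaries.
SAMPLE_LEGACY = {"KERNEL32.dll": ["CreateRemoteThread", "VirtualAllocEx",
                                  "WriteProcessMemory", "OpenProcess"]}
SAMPLE_APISET = {"api-ms-win-core-processthreads-l1-1-0.dll": ["CreateRemoteThreadEx", "GetCurrentProcess"],
                 "ntdll.dll": ["NtQueryInformationProcess"]}
SAMPLE_CLEAN = {"KERNEL32.dll": ["CreateThread", "GetProcAddress"], "USER32.dll": ["MessageBoxW"]}

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        for dll, func, layer in find_remote_thread_imports(imports_from_file(path)):
            print(f"{path}: {dll}!{func} ({layer})")
```

Run it as `python check_imports.py <path-to-exe> ...` (file name assumed) to list the thread-creation imports of real binaries. An empty result is not proof of absence: a binary with a tiny or packed import table, as the post observes for some whitelist entries, can still resolve these functions at run time through GetProcAddress, which is why the static view has to be cross-checked against Sysmon Event 8.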

 

            - '\Windows\System32\sdiagnhost.exe'  False positive: on my Win7, Win10 and Win11 I did not see process injection, because its import table does not use this function at all.

[screenshot]

Whitelist error!

 

 

            - '\procexp64.exe'

Under 32-bit there is process injection, but not remote-thread-creation injection, as follows:

[screenshot]

            - '\Microsoft VS Code\Code.exe'  ==> This one does have remote thread injection, so it looks like it has to be excluded:

[screenshot]

 

 

This is a foreign open-source EDR; skip it for now, you even have to apply specially to download it, ridiculous...

            - '\aurora-agent.exe'  Same as above.

No injection seen.

Injection present, but not thread injection.

[screenshots]

No injection seen; its import table is very small, and CFF Explorer can't even open the file, which is quite odd.

[screenshot]

No injection seen.

Windows program, no injection seen.

No injection seen.

        - SourceImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'

As the screenshot shows, the import table has very few functions; it is probably packed.

[screenshot]

 

 

            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Windows\Microsoft.NET\Framework'
            - 'C:\WINDOWS\System32\DriverStore\'
            - 'C:\Windows\System32\WindowsPowerShell\'
        - SourceImage:
            - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'

No injection seen; also, Win7 does not have this file.

No injection seen, on both Win7 and Win11.

This file does not exist.

Win11 has no injection; Win7 does not have this file.

[screenshots]

As can be seen, there is injection; see the analysis of api-ms-win-core-processthreads-l1-1-0.dll later.

 

        - TargetImage: 'C:\Windows\System32\RuntimeBroker.exe'
        - TargetImage|endswith: '\Microsoft VS Code\Code.exe'
        - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+'  # attempt to save the rule with a broader filter
    filter_set_1:
        SourceImage:
            - 'C:\WINDOWS\Explorer.EXE'
        TargetImage:
            - 'C:\WINDOWS\system32\backgroundTaskHost.exe'
            - 'C:\WINDOWS\explorer.exe'
    filter_msmpeng:
        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'

No injection seen; it seems Microsoft Defender does not do injection, which is also rather strange.

[screenshots]

Checked all the DLLs again; there really is none.

 

 

    filter_eclipse:

No injection seen.

        CallTrace|contains:
            - '\jre\bin\java.dll'
            - '|C:\Windows\SYSTEM32\windows.storage.dll+'
            - '\configuration\org.eclipse.osgi\'
    filter_openwith:

No injection seen on Win11 64-bit or 32-bit; Win7 does not have this file.

        TargetImage: 'C:\Windows\Explorer.EXE'
    condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*

 

 

Also, the Sysmon collection config already supplies a whitelist:

<RuleGroup name="" groupRelation="or">
		<CreateRemoteThread onmatch="exclude">
			<!--COMMENT: Exclude mostly-safe sources and log anything else.
			
			<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>
			<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>
			<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>
			<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>
			
			-->
		</CreateRemoteThread>
	</RuleGroup>

  

Painful, but let me confirm them one by one again:

<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>  Has process injection, as follows, although not via the kernel32 DLL:

[screenshots]

The memory operations also show injection-related characteristics.

Tracing it further back to the source,

[screenshot]

We can see there really is a CreateRemoteThread!

[screenshot]

So it really does need to be on the whitelist!

<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>  Has process injection.

[screenshot]

<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>  Has clear injection behaviour.

[screenshot]

<SourceImage condition="is">C:\Windows\system32\csrss.exe</SourceImage>  Not sure; judging from the DLLs there should be no remote thread injection!

[screenshot]

<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>  Has injection, as follows:

[screenshot]

<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>  Has injection:

[screenshot]

<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>  Has injection.

[screenshot]

<StartModule condition="is">C:\Windows\system32\kernel32.dll</StartModule>  pass

<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>  This one must be excluded!

In summary, from static analysis the process injection whitelist that can be configured is as follows:
<TargetImage condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</TargetImage>  This one must be excluded, because on my own machine I do see remote thread injection.
<SourceImage condition="is">C:\Windows\system32\audiodg.exe</SourceImage>  Has injection
<SourceImage condition="is">C:\Windows\system32\winlogon.exe</SourceImage>  Has injection
<SourceImage condition="is">C:\Windows\system32\services.exe</SourceImage>  Has injection
<SourceImage condition="is">C:\Windows\system32\wininit.exe</SourceImage>  Has clear remote thread injection
<SourceImage condition="is">C:\Windows\system32\svchost.exe</SourceImage>  Has process injection
<SourceImage condition="is">C:\Windows\system32\wbem\WmiPrvSE.exe</SourceImage>
- 'C:\Windows\explorer.exe'  Has injection
- '\IDE\devenv.exe'  Has injection, but not thread injection
- '\Microsoft VS Code\Code.exe'  Has remote thread injection
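Bringing the whitelist above together with the two Sigma rules quoted earlier (CobaltStrike Process Injection, which matches on the StartAddress suffix, and CreateRemoteThread API and LoadLibrary, which matches on the start function), here is an added Python example, not the post's own code, that parses the "CreateRemoteThread detected:" text Sysmon writes for Event 8 and assigns each record a verdict. SAMPLE_LOG is constructed: its first two records are modelled on events from this post, the remaining three are invented, as are the `alice` paths and the `helper.exe` vendor path.

```python
"""Triage of Sysmon Event 8 (CreateRemoteThread) records.

Added example; it is not the page's own code. It parses the
"CreateRemoteThread detected:" key/value text that Sysmon writes, applies
the source/target whitelist the author arrived at above, and then the two
Sigma selections quoted earlier: StartFunction LoadLibraryA/W (DLL
injection) and a StartAddress ending in the Cobalt Strike suffixes.
SAMPLE_LOG is constructed input modelled on the page's log format.
"""
from typing import Iterator

# Whitelist from the author's static and dynamic analysis above (paths as given there).
WHITELIST_SOURCE = {
    r"C:\Windows\system32\audiodg.exe",
    r"C:\Windows\system32\winlogon.exe",
    r"C:\Windows\system32\services.exe",
    r"C:\Windows\system32\wininit.exe",
    r"C:\Windows\system32\svchost.exe",
    r"C:\Windows\system32\wbem\WmiPrvSE.exe",
    r"C:\Windows\explorer.exe",
}
WHITELIST_SOURCE_SUFFIX = (r"\IDE\devenv.exe", r"\Microsoft VS Code\Code.exe")
WHITELIST_TARGET = {r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"}

LOADLIBRARY = {"LoadLibraryA", "LoadLibraryW"}   # Sigma: CreateRemoteThread API and LoadLibrary
COBALT_SUFFIXES = ("0B80", "0C7C", "0C88")        # Sigma: CobaltStrike Process Injection


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per 'CreateRemoteThread detected:' block (Sysmon's text layout)."""
    event = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CreateRemoteThread detected"):
            if event:
                yield event
            event = {}
        elif event is not None and ": " in line:
            key, value = line.split(": ", 1)
            event[key] = value.strip()
    if event:
        yield event


def whitelisted(ev: dict) -> bool:
    """Sysmon-style exclusion. Comparisons are case-folded because the logged
    paths (System32) differ in case from the config (system32)."""
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    return (src in {s.lower() for s in WHITELIST_SOURCE}
            or src.endswith(tuple(s.lower() for s in WHITELIST_SOURCE_SUFFIX))
            or tgt in {t.lower() for t in WHITELIST_TARGET})


def verdict(ev: dict) -> str:
    """'excluded', 'dll_injection', 'cobalt_start_address' or 'review'."""
    if whitelisted(ev):
        return "excluded"
    if ev.get("StartFunction") in LOADLIBRARY:
        return "dll_injection"
    if ev.get("StartAddress", "").upper().endswith(COBALT_SUFFIXES):
        return "cobalt_start_address"
    return "review"  # remote thread from an unlisted source: look at it by hand


def triage(text: str) -> list:
    """(SourceImage, TargetImage, verdict) for every record in the text."""
    return [(e.get("SourceImage", ""), e.get("TargetImage", ""), verdict(e))
            for e in parse_events(text)]


# Constructed sample: records 1-2 mirror events from the page, 3-5 are invented.
SAMPLE_LOG = r"""
CreateRemoteThread detected:
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\cmd.exe
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine

CreateRemoteThread detected:
SourceImage: C:\Windows\System32\winlogon.exe
TargetImage: C:\Windows\System32\csrss.exe
StartAddress: 0xFFFF97E7FBDC20D0
StartModule: -
StartFunction: -

CreateRemoteThread detected:
SourceImage: C:\Users\alice\AppData\Local\Temp\inj.exe
TargetImage: C:\Windows\System32\notepad.exe
StartAddress: 0x00007FF8523F6A40
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryA

CreateRemoteThread detected:
SourceImage: C:\Users\alice\Downloads\update.exe
TargetImage: C:\Windows\System32\svchost.exe
StartAddress: 0x000001F4A3C20C88
StartModule: -
StartFunction: -

CreateRemoteThread detected:
SourceImage: C:\Program Files\Vendor\helper.exe
TargetImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
"""

if __name__ == "__main__":
    for src, tgt, v in triage(SAMPLE_LOG):
        print(f"{v:22} {src} -> {tgt}")
```

The example applies only the source and target exclusions, not the `<StartModule>` kernel32.dll exclusion from the Sysmon config: LoadLibraryA and LoadLibraryW are exported by kernel32.dll, so excluding that start module would drop exactly the events the LoadLibrary rule selects. Records from an unlisted source that match neither rule land in `review`; the csrss.exe CtrlRoutine threads in the logs that follow are the kind of thing that gets tuned out only after inspection.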

 

Other injections observed through dynamic behaviour:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:41:04.087
SourceProcessGuid: {d4c3f587-095e-64b6-5c05-000000000200}
SourceProcessId: 8296
SourceImage: C:\Users\bonelee\Desktop\procexp64.exe
TargetProcessGuid: {d4c3f587-0820-64b6-4c05-000000000200}
TargetProcessId: 7396
TargetImage: C:\Windows\System32\notepad.exe
NewThreadId: 7720
StartAddress: 0x00007FF852D48D70
StartModule: C:\WINDOWS\SYSTEM32\ntdll.dll
StartFunction: RtlpQueryProcessDebugInformationRemote
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:37:47.220
SourceProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
SourceProcessId: 564
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-f06b-64b5-8904-000000000200}
TargetProcessId: 6484
TargetImage: C:\Windows\System32\cmd.exe
NewThreadId: 660
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:37:47.206
SourceProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
SourceProcessId: 564
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
TargetProcessId: 8404
TargetImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
NewThreadId: 8700
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: DESKTOP-CJ1GAS4\bonelee


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:08:02.416
SourceProcessGuid: {d4c3f587-0212-64b6-1b05-000000000200}
SourceProcessId: 4732
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 2064
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:08:02.416
SourceProcessGuid: {d4c3f587-0212-64b6-1b05-000000000200}
SourceProcessId: 4732
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 2064
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

  

Seen at boot:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:24.334
SourceProcessGuid: {d4c3f587-8169-64b6-0a00-000000000300}
SourceProcessId: 612
SourceImage: C:\Windows\System32\winlogon.exe
TargetProcessGuid: {d4c3f587-8169-64b6-0900-000000000300}
TargetProcessId: 548
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 1244
StartAddress: 0xFFFF97E7FBDC20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.053
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0a00-000000000200}
TargetProcessId: 632
TargetImage: C:\Windows\System32\services.exe
NewThreadId: 6768
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0b00-000000000200}
TargetProcessId: 644
TargetImage: C:\Windows\System32\lsass.exe
NewThreadId: 6308
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-330c-64b5-af00-000000000200}
TargetProcessId: 4696
TargetImage: C:\Windows\System32\svchost.exe
NewThreadId: 1012
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-f08c-64b5-9404-000000000200}
TargetProcessId: 3948
TargetImage: C:\Windows\Sysmon.exe
NewThreadId: 6984
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-372c-64b5-a802-000000000200}
TargetProcessId: 8888
TargetImage: C:\Windows\System32\svchost.exe
NewThreadId: 8968
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e624-64b5-de02-000000000200}
TargetProcessId: 1972
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\HipsDaemon.exe
NewThreadId: 6204
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e626-64b5-df02-000000000200}
TargetProcessId: 7316
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\usysdiag.exe
NewThreadId: 3764
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.037
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-e6ad-64b5-f902-000000000200}
TargetProcessId: 5296
TargetImage: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
NewThreadId: 8936
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-5300-000000000200}
TargetProcessId: 3376
TargetImage: C:\Windows\System32\vm3dservice.exe
NewThreadId: 6936
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3148-64b5-5800-000000000200}
TargetProcessId: 3692
TargetImage: C:\Windows\System32\wbem\WmiPrvSE.exe
NewThreadId: 4148
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4300-000000000200}
TargetProcessId: 2908
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe
NewThreadId: 344
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-330a-64b5-a900-000000000200}
TargetProcessId: 780
TargetImage: C:\Windows\System32\SearchIndexer.exe
NewThreadId: 4128
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-31c0-64b5-7a00-000000000200}
TargetProcessId: 456
TargetImage: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
NewThreadId: 5216
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3173-64b5-6f00-000000000200}
TargetProcessId: 4280
TargetImage: C:\Windows\System32\dllhost.exe
NewThreadId: 7552
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3173-64b5-7100-000000000200}
TargetProcessId: 4192
TargetImage: C:\Windows\System32\msdtc.exe
NewThreadId: 8024
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\NETWORK SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4600-000000000200}
TargetProcessId: 1460
TargetImage: C:\Windows\System32\spoolsv.exe
NewThreadId: 112
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4e00-000000000200}
TargetProcessId: 3292
TargetImage: C:\Program Files\quasardb\bin\qdb_service.exe
NewThreadId: 3560
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\LOCAL SERVICE

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-5200-000000000200}
TargetProcessId: 3348
TargetImage: C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
NewThreadId: 8636
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:11:00.005
SourceProcessGuid: {d4c3f587-313f-64b5-0600-000000000200}
SourceProcessId: 464
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessGuid: {d4c3f587-3146-64b5-4d00-000000000200}
TargetProcessId: 3284
TargetImage: C:\Program Files\quasardb\bin\qdb_rest_service.exe
NewThreadId: 7952
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM


CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 12:08:38.493
SourceProcessGuid: {d4c3f587-80c6-64b6-8a06-000000000200}
SourceProcessId: 5244
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetProcessGuid: {d4c3f587-313f-64b5-0900-000000000200}
TargetProcessId: 564
TargetImage: C:\Windows\System32\csrss.exe
NewThreadId: 5728
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
TargetUser: NT AUTHORITY\SYSTEM
CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 07:36:36.841
SourceProcessGuid: {9955143a-a510-64b0-cc15-000000002700}
SourceProcessId: 13552
SourceImage: C:\Windows\SysWOW64\SpesAgent.exe
TargetProcessGuid: {9955143a-4104-64b6-2166-030000002700}
TargetProcessId: 4620
TargetImage: C:\Windows\SysWOW64\cmd.exe
NewThreadId: 9296
StartAddress: 0x00000000758A1D60
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryW



CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 06:06:00.330
SourceProcessGuid: {9955143a-a502-64b0-8d15-000000002700}
SourceProcessId: 524
SourceImage: C:\Windows\explorer.exe
TargetProcessGuid: {9955143a-2bc8-64b6-2561-030000002700}
TargetProcessId: 15728
TargetImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
NewThreadId: 22124
StartAddress: 0x00007FFE77A70660
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryW
All of the events above are routine remote-thread creations by Windows or vendor processes rather than malicious DLL injection, and they also need to be excluded. The csrss.exe -> KERNELBASE!CtrlRoutine records are how Windows delivers console control and shutdown/logoff notifications to a process (they all land within the same few milliseconds, consistent with a system-wide notification); for the 32-bit targets under Program Files (x86) Sysmon reports the same KERNELBASE.dll at a 32-bit address but cannot resolve the export name, most likely because it is the WOW64 copy. The VMwareResolutionSet.exe -> csrss.exe thread starts at an address outside any loaded module, and the last two records start at kernel32!LoadLibraryW, which is exactly the pattern a LoadLibrary-based rule flags. Exclude such cases by the specific source/target image pair, not by loosening the rule itself.
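As an added example (not code from the original post), the following Python applies this exclude-then-detect order to records in the text form dumped above: it parses the `CreateRemoteThread detected:` blocks, drops anything matching an allowlist of known-benign remote threads, and runs the rest through the StartAddress suffixes and the kernel32!LoadLibrary* check from the rules discussed earlier in the post, widened from LoadLibraryA to LoadLibraryA/W, plus a check for a start address outside any loaded module. The allowlist entries, the WOW64 reading of the unresolved csrss.exe records, the rule names, and the final sample record (C:\Temp\sample.exe, a made-up binary standing in for an unknown one) are assumptions for this example; the other sample records are copied from the events above.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) dumps: allowlist known-benign remote threads first,
then run the survivors through StartAddress / LoadLibrary* / unbacked-entry-point checks."""
import re
from collections import namedtuple

# Constructed sample: four records copied from the events above plus one synthetic record
# (C:\Temp\sample.exe is made up for this example) that exercises the Cobalt Strike StartAddress rule.
SAMPLE_LOG = r"""
CreateRemoteThread detected:
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
StartAddress: 0x00007FF850682880
StartModule: C:\WINDOWS\System32\KERNELBASE.dll
StartFunction: CtrlRoutine
SourceUser: NT AUTHORITY\SYSTEM
CreateRemoteThread detected:
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Program Files (x86)\Huorong\Sysdiag\bin\wsctrlsvc.exe
StartAddress: 0x0000000076ABF3C0
StartModule: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
StartFunction: -
SourceUser: NT AUTHORITY\SYSTEM
CreateRemoteThread detected:
SourceImage: C:\Program Files\VMware\VMware Tools\VMwareResolutionSet.exe
TargetImage: C:\Windows\System32\csrss.exe
StartAddress: 0xFFFF992BEC2A20D0
StartModule: -
StartFunction: -
CreateRemoteThread detected:
SourceImage: C:\Windows\explorer.exe
TargetImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StartAddress: 0x00007FFE77A70660
StartModule: C:\WINDOWS\System32\KERNEL32.DLL
StartFunction: LoadLibraryW
CreateRemoteThread detected:
SourceImage: C:\Temp\sample.exe
TargetImage: C:\Windows\System32\notepad.exe
StartAddress: 0x0000000000E20B80
StartModule: -
StartFunction: -
"""

RemoteThread = namedtuple("RemoteThread", "source_image target_image start_address start_module start_function source_user")
FIELD_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$", re.MULTILINE)

def parse_events(text):
    """One RemoteThread per 'CreateRemoteThread detected:' block; blocks without SourceImage are skipped."""
    events = []
    for block in text.split("CreateRemoteThread detected:"):
        f = dict(FIELD_RE.findall(block))
        if "SourceImage" in f:
            events.append(RemoteThread(f["SourceImage"], f["TargetImage"], f.get("StartAddress", "-"),
                                       f.get("StartModule", "-"), f.get("StartFunction", "-"), f.get("SourceUser", "-")))
    return events

def _base(path):
    """Lower-cased file name of a Windows path ('-' stays '-')."""
    return path.rsplit("\\", 1)[-1].lower()

# An event is excluded when every field of some entry matches (case-insensitive). Images are compared
# on the full path, so a same-named binary dropped elsewhere does not inherit the exclusion.
ALLOWLIST = [
    # csrss.exe delivers console control / shutdown events by starting KERNELBASE!CtrlRoutine in the target.
    {"source_image": r"c:\windows\system32\csrss.exe", "start_module": "kernelbase.dll",
     "start_function": "ctrlroutine", "source_user": r"nt authority\system"},
    # Same mechanism for 32-bit targets: WOW64 KERNELBASE.dll logged without an export name (assumption).
    {"source_image": r"c:\windows\system32\csrss.exe", "start_module": "kernelbase.dll",
     "start_function": "-", "source_user": r"nt authority\system"},
    # VMware Tools display helper into csrss.exe, which the post lists as routine.
    {"source_image": r"c:\program files\vmware\vmware tools\vmwareresolutionset.exe",
     "target_image": r"c:\windows\system32\csrss.exe"},
]

def is_allowlisted(ev):
    view = {"source_image": ev.source_image.lower(), "target_image": ev.target_image.lower(),
            "start_module": _base(ev.start_module), "start_function": ev.start_function.lower(),
            "source_user": ev.source_user.lower()}
    return any(all(view[k] == v for k, v in entry.items()) for entry in ALLOWLIST)

COBALT_STRIKE_SUFFIXES = ("0B80", "0C7C", "0C88")  # StartAddress endings from the Sigma rule quoted above

def match_rules(ev):
    hits = []
    # Textbook DLL injection: CreateRemoteThread(target, LoadLibraryA/W, address of the DLL path string).
    if _base(ev.start_module) == "kernel32.dll" and ev.start_function.lower().startswith("loadlibrary"):
        hits.append("remote_thread_loadlibrary")
    if ev.start_address.upper().endswith(COBALT_STRIKE_SUFFIXES):
        hits.append("cobaltstrike_startaddress")
    if ev.start_module == "-":  # entry point is not inside any loaded module: shellcode-like
        hits.append("unbacked_start_address")
    return hits

def triage(text):
    """Return (allowlisted, flagged); flagged holds (event, rule names) for survivors that trip a rule."""
    allowlisted, flagged = [], []
    for ev in parse_events(text):
        if is_allowlisted(ev):
            allowlisted.append(ev)
        elif hits := match_rules(ev):
            flagged.append((ev, hits))
    return allowlisted, flagged
```

Calling `triage(SAMPLE_LOG)` excludes three records through the allowlist, surfaces the explorer.exe -> chrome.exe thread under remote_thread_loadlibrary, and trips both cobaltstrike_startaddress and unbacked_start_address on the synthetic record. The order is the point: the allowlist sits in front of the rules, so a benign case is never handled by weakening a rule, and each entry pins the full image path (and, for csrss.exe, the SYSTEM account), so a renamed binary in another directory does not inherit the exemption.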



From: https://blog.51cto.com/u_11908275/6967951
