标签:ram session body run reg sys cmd shel with
路径: VirusScan Enterprise > Access Protection Policies
Port blocking rules
|
Rule 1-1 Alerts when Powershell opens a remote HTTP session |
|---|
| Process | powershell.exe |
| Port | 80 |
| Direction | Outbound |
| Action | Report |
| Rule name | Powershell HTTP remote session |
|
Rule 2-1 Alerts when Microsoft Word spawns a cmd session FP Risk: Low |
|---|
| Process | winword.exe |
| File |
C:\Windows\Sys*\cmd.exe |
| File actions | Files being executed |
| Action | Block, Report |
| Rule name | Word cmd execution |
|
Rule 2-2 Alerts when Microsoft Excel spawns a cmd session FP Risk: Medium |
|---|
| Process | excel.exe |
| File |
C:\Windows\Sys*\cmd.exe |
| File actions | Files being executed |
| Action | Report |
| Rule name | Excel cmd execution |
|
Rule 2-3 Alerts when Microsoft Word spawns a powershell session FP Risk: Low |
|---|
| Process | winword.exe |
| File |
C:\Windows\Sys*\powershell.exe |
| File actions | Files being executed |
| Action | Block, Report |
| Rule name | Word powershell execution |
|
Rule 2-4 Alerts when Microsoft Excel spawns a powershell session FP Risk: Medium |
|---|
| Process | excel.exe |
| File |
C:\Windows\Sys*\powershell.exe |
| File actions | Files being executed |
| Action | Block, Report |
| Rule name | Excel powershell execution |
|
Rule 2-5 Protects against recent Emotet campaigns seen in the wild FP Risk: Low |
|---|
| Process | powershell.exe |
| File |
C:\Users\Public\*.exe |
| File actions |
New files being created, Files being executed |
| Action |
Block, Report |
| Rule name |
Powershell emotet launcher |
|
Rule 2-6 Prevents possible Trojans from being launched from AppData FP Risk: Low |
|---|
| Process | * |
| File |
C:\Users\*\AppData\*.exe |
| File actions |
New files being created, Files being executed |
| Action |
Block, Report |
| Rule name |
AppData File Execution |
|
Rule 2-7 Blocks the Tor browser from being launched FP Risk: Very Low |
|---|
| Process | * |
| File |
tor.exe |
| File actions |
New files being created, Files being executed |
| Action |
Block, Report |
| Rule name |
Tor process launched |
|
Rule 2-8 rundll32 file executions in AppData FP Risk: Low |
|---|
| Process | rundll32.exe |
| File |
C:\Users\*\AppData\* |
| File actions |
Files being executed |
| Action |
Block, Report |
| Rule name |
rundll32 AppData file execution |
|
Rule 2-9 Word uses certutil to decode encrypted commands in macros FP Risk: Low |
|---|
| Process | winword.exe |
| File |
C:\Windows\System32\certutil.exe |
| File actions |
Files being executed |
| Action |
Block, Report |
| Rule name |
Word certutil execution |
|
Rule 2-10 Excel uses certutil to decode encrypted commands in macros FP Risk: Low |
|---|
| Process | excel.exe |
| File |
C:\Windows\System32\certutil.exe |
| File actions |
Files being executed |
| Action |
Block, Report |
| Rule name |
Excel certutil execution |
|
Rule 2-11 regsvr32 launches with sct file FP Risk: Low |
|---|
| Process | regsvr32.exe |
| File |
*.sct* |
| File actions |
Files being executed |
| Action |
Block, Report |
| Rule name |
Regsvr32 sct file execution |
|
Rule 2-12 mshta.exe launches with a .hta file FP Risk: Low |
|---|
| Process | mshta.exe |
| File |
*.hta* |
| File actions |
Files being executed |
| Action |
Block, Report |
| File name |
hta file execution |
|
Rule 3-1 Monitors programs added to autostart for persistence for all users FP Risk: Medium |
|---|
| Process | * |
| Key |
HKLM/Software/Microsoft/Windows/CurrentVersion/Run |
| Reg actions |
Create key or value |
| Action |
Report |
| Rule name |
HKLM Persistence |
|
Rule 3-2 Monitors programs added to autostart for persistence for local user FP Risk: Medium |
|---|
| Process | * |
| Key |
HKCU/Software/Microsoft/Windows/CurrentVersion/Run |
| Reg actions |
Create key or value |
| Action |
Report |
| Rule name |
HKCU Persistence |
标签:ram session body run reg sys cmd shel with
原文地址:https://www.cnblogs.com/m1cha31/p/10652774.html
