Security Threat Event Detection Rule Playbook


This post is about receiving Slack alerts for security threat detections based on Elasticsearch query rules.

Some of them are also sent by e-mail.

Our company mainly uses an APT security solution from vendor T, integrated with Elasticsearch, and the rules are operated by combining various variables such as frequency and priority.

The following are detection rules for representative malicious behaviours, given as examples.

 

Log4j Log4Shell attack detection

query: deviceHostName:DDI AND name:("CVE-2021-44228 - OGNL EXPLOIT - HTTP(REQUEST)" OR "POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT - HTTP(REQUEST)" OR "POSSIBLE USERAGENT RCE EXPLOIT - HTTP (REQUEST)") AND (requestClientApplication:*jndi* OR requestUrl:*jndi*)

Malware installation detection

query: deviceHostName:DDI AND name:("Executable file download from root directory - HTTP (Response)" OR "Powershell script requested from root directory - HTTP (Request)" OR "BADPOTATO - HTTP (Response)" OR "XMRIG - HTTP (Response)" OR "ZEGOST - HTTP (Response)" OR "TOOLPOW - HTTP (Response)" OR "TROJ_GEN.R002C0PAF21 - HTTP (Response)" OR "MALXMR - HTTP (Response)") AND NOT sourceAddress:("10.0.0.0/8" OR x.34.x2.22 OR x.1x1.x3.8 OR 1x.8.x0.x3 OR x.2x.1x8.220) AND NOT destinationAddress:("2x.1x.5x.0/24" OR "10.0.0.0/8") AND NOT requestUrl:(*System8* OR *KSy* OR *xxx_MAIN* OR *xxxxHelpClient* OR *agent.exe* OR *custcd* OR *xxxUINE* OR *dotNet*)

Cryptojacking (miner code installation) detection

query: deviceHostName:DDI AND name:(*MINER* OR *Mining* OR "COINMINER - HTTP (Request)" OR "XMRIG - HTTP (Response)") AND NOT destinationAddress:(x.2x.1x.1x.x4 OR x.2x.1x7.3x OR xx.8.10.1x3) AND NOT destinationPort:(4057 OR 4027 OR 11887 OR 6233 OR 1883 OR 5001 OR 7001)

RDP (Remote Desktop) abnormal connection detection

query: deviceHostName:DDI AND applicationProtocol:RDP AND name:"Successful logon - RDP" AND _exists_:source.country_code2 AND NOT source.country_code2:KR AND NOT sourceAddress:(2xx.2x0.x7.xx2 OR x2.2x.1x4.2x8 OR 17x.x.x.69 OR 1x.1xx.x.55)

Reputation-based detection

query: deviceHostName:DDI AND name:*Reputation* AND NOT destinationAddress:(x.2xx.1xx.x OR xx.xx.5x.x4 OR 1xx.x.1x0.2x OR x.x4.x.220) AND NOT requestUrl:(*kor_webroot* OR *downloadAttach* OR *downloadattach* OR *echo.php* OR *8UsA1* OR *bro3.biz*) AND NOT applicationProtocol:(SMTP OR POP3 OR IMAP4)

Suspected malicious reverse connection detection

query: deviceHostName:DDI AND name:("Reverse Meterpreter - HTTP (Response)" OR "(Metasploit(Payload) - Reverse DLL Inject - TCP (Response)" OR "AMMYY ADMIN HTTP Request")

Suspected spam mail detection

query: deviceHostName:DDI AND source.country_code2:KR AND destinationPort:(25 OR 110 OR 143) AND oldFileName:(*.doc OR *.docx OR *.xlsx OR *.xls OR *.ppt OR *.pptx OR *.hwp OR *.zip OR *.rar OR *.7z OR *.egg OR *.exe OR *.msi)

SQL injection / XSS attack detection

query: deviceHostName:DDI AND name:(SQL* OR *WebScript*) AND NOT destinationAddress:(1x.2x.x.54 OR x.x.1x.162 OR x.x.x.180 OR x.x.x.138) AND NOT sourceAddress:x.x.x.x AND NOT requestUrl:(*index.php* OR *cgi*) AND NOT requestUrl:(*switchnets* OR *scan.* OR *jhasdjahsdjasfkdaskdfasbot* OR *jaws* OR *arm*)

Virus pattern attack detection

query: deviceHostName:DDI AND applicationProtocol:"Network Virus Pattern in TCP" AND NOT destinationAddress:x.x.3x.149

Webshell attack detection

query: deviceHostName:DDI AND name:("CHOPPER - HTTP (Request)" OR "WEBSHELL - HTTP (Request)" OR "ANTSWORD - HTTP (Request)" OR "ANTSWORD - HTTP (Request) - Variant 2" OR "PHP_WEBSHELL.KK - HTTP (Request)") AND NOT requestUrl:(*.php OR *asp.jpg* OR *md5.aspx* OR *a.aspx* OR *a.asp*) AND NOT destinationAddress:x.x.x.1x2 AND NOT sourceAddress:(10.x.20.x OR 10.x.20.x)

xp_cmdshell attack detection

query: deviceAddress:x.x.1x.x AND name:*xp_cmdshell* AND NOT name:*.bak*

(Screenshot: xp_cmdshell alert)

These are examples of detection cases for representative malicious behaviours; beyond these, security monitoring is carried out with detection rules in playbook form.
