增加uac提权检测

2022-08-29 18:46:56 +08:00
parent fd360c9995
commit d3907bb427
6 changed files with 77 additions and 7 deletions
--- a/Server/rules/py/process.py
+++ b/Server/rules/py/process.py
@@ -306,6 +306,21 @@ rule = [
        'score': 30,
        'name': '从服务创建的进程'
    },
+    {
+        'rules': [
+            'parentimage =~ ".*svchost.exe"',
+            'originalfilename =~ ".*werfault.exe"'
+        ],
+        'score': 60,
+        'name': 'svchost.exe启动了werfault'
+    },
+    {
+        'rules': [
+            'parentimage =~ ".*werfault.exe"',
+        ],
+        'score': 30,
+        'name': '从werfault创建的进程'
+    },
    {
        'rules': [
            'originalfilename =~ ".*wscript.exe"',