
Thinking Outside the Box: Practical Abuse of Windows Sandbox in Targeted Attacks (.pdf)

Uploader: 竿*** ID: 981845 Date: 2025-11-29 33 pages 2.96 MB

[Slide deck residue: Black Hat Asia (#BHAS BlackHatEvents) presentation. Speaker: 火車 (Kasha). Timeline shown on the slides: 2020-2021 and 2019-2021-2022. Slide numbers have been dropped.]

Artifacts named on the slides (sample chain): ScnCfg32.Exe, vsodscpl.dll, _.zip, hello.xml, hello.bin.

Windows Sandbox staging shown on the slides: default.wsb (Windows Sandbox configuration), msiexec.txt, msiexec.exe (WinRAR), msiexec.bat, msiexec.dat, hello.xml, hello.bin, msiexec.cmd, a .RAR archive, and schtasks. Paths shown: C:\Users\Public\AppData (msiexec.txt, msiexec.bat, msiexec.dat, .RAR) and C:\ProgramData.

wsb.exe command reference (Command: Action):

    wsb.exe start: creates and launches a new sandbox
    wsb.exe list: displays a table that shows the information of the running Windows Sandbox sessions for the current user
    wsb.exe connect -id <id>: starts a remote session within the sandbox
    wsb.exe exec -id <id> -command "cmd.exe" -run-as ExistingLogin: executes a command in the sandbox
    wsb.exe stop -id <id>: stops a running Windows Sandbox session

Sigma detection rule shown on the slides (the value that the description and the second CommandLine condition refer to was lost in extraction and is left blank here):

    title: Execution of wsb.exe with Suspicious Configuration
    status: experimental
    description: Detects the execution of wsb.exe with -config or -c parameter containing [value missing from the extracted text], which could indicate an attempt to execute a command inside Windows Sandbox.
    logsource:
        category: process_creation
        product: windows
        service: sysmon
    detection:
        selection:
            EventID: 1
            Image|endswith: '\AppData\Local\Microsoft\WindowsApps\wsb.exe'
            CommandLine|contains:
                - '-config'
                - '-c'
            CommandLine|contains: [value missing from the extracted text]
        condition: selection
    falsepositives:
        - Legitimate use of Windows Sandbox

Based on the marked content, the document is mainly about the use of Windows Sandbox and its potential security risks. Key points:

1. Windows Sandbox command-line tool: wsb.exe, used to create, start, list, connect to, execute commands in, and stop sandboxes.
2. Detection of wsb.exe being executed with a suspicious configuration, such as one containing "" (the value is missing from the extracted text), which may indicate an attempt to execute a command inside Windows Sandbox.
3. Detection of Windows Sandbox being executed with SYSTEM privileges, which may be used to hide the UI and logs.
4. Operating systems: Windows 10 and Windows 11.
5. Potential false positives: legitimate use of Windows Sandbox and legitimate use by system administrators.
Tags: security vulnerability detection, privilege abuse warning, configuration anomaly risk