1、#BHAS BlackHatEvents#BHAS BlackHatEvents2#BHAS BlackHatEvents3#BHAS BlackHatEvents火車(Kasha)4#BHAS BlackHatEvents2020-20212019-2021-20225#BHAS BlackHatEvents6#BHAS BlackHatEventsScnCfg32.Exevsodscpl.dll_.ziphello.xmlhello.bin7#BHAS BlackHatEvents#BHAS BlackHatEvents9#BHAS BlackHatEvents10#BHAS BlackH
2、atEvents11#BHAS BlackHatEvents12#BHAS BlackHatEvents13#BHAS BlackHatEvents#BHAS BlackHatEventsdefault.wsbWindows Sandboxmsiexec.txtmsiexec.exe(WinRAR)msiexec.batmsiexec.dathello.xmlhello.binmsiexec.cmd.RARschtasksC:UsersPublicAppDatamsiexec.txtmsiexec.batmsiexec.dat.RARC:ProgramData15#BHAS BlackHatE
3、vents16#BHAS BlackHatEvents17#BHAS BlackHatEvents18#BHAS BlackHatEvents19#BHAS BlackHatEvents20#BHAS BlackHatEvents21#BHAS BlackHatEvents22#BHAS BlackHatEvents#BHAS BlackHatEvents24#BHAS BlackHatEvents25#BHAS BlackHatEventsCommandActionwsb.exe startcreates and launches a new sandboxwsb.exe listdispl
4、ays a table that shows the information the running Windows Sandbox sessions for the current userwsb.exe connect-id starts a remote session within the sandboxwsb.exe exec-id -command“cmd.exe-run-as ExistingLoginexecutes a command in the sandboxwsb.exe stop-id stops a running Windows Sandbox session26
5、#BHAS BlackHatEvents27#BHAS BlackHatEventstitle:Execution of wsb.exe with Suspicious Configurationstatus:experimentaldescription:Detects the execution of wsb.exe with-config or-c parameter containing,which could indicate an attempt to execute a command inside Windows Sandbox.logsource:category:proce
6、ss_creationproduct:windowsservice:sysmondetection:selection:EventID:1Image|endswith:AppDataLocalMicrosoftWindowsAppswsb.exeCommandLine|contains:-config-cCommandLine|contains:condition:selectionfalsepositives:-Legitimate use of Windows Sandb