WPS 0day EDR检测规则

近日， Windows 平台下 WPS Office 个人版和企业版的RCE（远程代码执行）0day 漏洞，金山官方修复该漏洞后，第一时间发布了相关的漏洞预警。

检测规则1

规则含义：检测wps\et\wpp等进程是否创建powershell\*script\rundll32此类可疑进程，以及是否创建无签名类可疑进程。

规则内容：

[AppleScript] 纯文本查看 复制代码

id: 0
date: 2022/08/02
author: 'ThreatBook'
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\mshta.exe'
            - '\verclsid.exe'
            - '\control.exe'
            - '\wmic.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\powershell.exe'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    selection2:
        Image|endswith:
            - '\cmd.exe'
        CommandLine|contains:
            - ' regsvr32'
            - ' rundll32'
            - ' mshta'
            - ' verclsid'
            - ' control'
            - ' wmic'
            - ' cscript'
            - ' wscript'
            - ' powershell'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    selection3:
        ImageSignStatus:
            - 'Unable'
        ParentImage|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    condition: 1 of selection*

检测规则2

规则含义：检测wps\et\wpp等进程是否通过smb协议加载sct脚本。

规则内容：

[AppleScript] 纯文本查看 复制代码

id: 1
date: 2022/08/02
author: 'ThreatBook'
logsource:
    product: windows
    category: smbfile_transmit
detection:
    selection:
        TargetFilename|contains:
            - '.sct'
        Image|endswith:
            - '\wps.exe'
            - '\et.exe'
            - '\wpp.exe'
    condition: selection