Engineering Process Injection Detections, Part 3: Analytic Logic

This is the third post in a series covering some of the thought processes and methodologies used when developing detections for offensive techniques. In the previous posts Jonathan Johnson discussed research and data modeling.

Part 1: Research

Part 2: Data Modeling

In the first post, Jonny talks about the initial stage of research and his approach when starting the detection development process. In the second post he looks at data modeling and the process of isolating events created as a result of executing a Proof of Concept (PoC) exploit (credit to Dwight Hohnstein for the PoC used), establishing relationships within data, and normalizing data to allow for more effective and efficient analysis.

This post covers the final step: developing analytics that can be used to detect offensive techniques. Like the last two posts, Process Hollowing is used as the example technique that is being detected.

From Data Models to Analytics

In the context of detection engineering, an analytic is a logic statement or query that is used to identify an offensive tactic, technique, or procedure based on correlated data and behaviors. The research and data modeling steps from the first two posts provided the information needed to start creating analytics. Some of the data and indicators seen in the attack include:

  • The name of the PoC binary (processhollowing.exe)
  • The parent process of processhollowing.exe
  • The directory from which processhollowing.exe was run
  • The user that executed processhollowing.exe
  • Processes accessed with specific access rights
  • A “Hello World” text box pop-up

Some of these may be more obvious than others, and there are many more that can be identified. Any event that was generated due to the execution of a technique presents a potential way to detect it, but only some of these are suitable for practical use. A couple of questions that can help decide what may work are:

  • What data is available?
  • How unique is the behavior or indicator to this technique?

I’ll look at two potential analytics as an example:

  • Analytic 1 — The name of the PoC binary (processhollowing.exe)
  • Analytic 2 — Processes being accessed with specific access rights

Analytic 1 — The name of the binary used to perform the technique is processhollowing.exe. It may seem too simple or specific, but homing in on indicators such as file names, hashes, or strings embedded in binaries can be an easy way to detect known implementations of a technique. These indicators can’t always be predicted and are normally easy to alter without affecting the functionality of the technique. Because of this, analytics that focus on behavioral qualities should be included as well, since they are more likely to catch different implementations of a technique.

Analytic 2 — During research Jonny identified that Sysmon Event ID (EID) 10 contains the process_granted_access field. This event was logged upon PoC execution when processhollowing.exe opened a handle to another process. Research showed that specific process access rights (PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_SUSPEND_RESUME, PROCESS_CREATE_PROCESS) are required to perform process hollowing. This may be another approach to detect the technique.

Considerations for Analytics

What data is available?

Answering this question first can save a lot of time since it filters out any analytics that require a data source I can’t access. The data modeling step documented which sensors and data sources are available — Sysmon and Windows Event Logs. Sysmon EID 1 and EID 10 provide the data needed for both Analytic 1 and Analytic 2, as seen in the screenshot below, via the process_parent_name, process_name, process_target_name, and process_granted_access fields.

How unique is the behavior or indicator to this technique?

Several behaviors and characteristics can be identified in the data generated by technique execution, but many of these are very common in benign activity as well, resulting in False Positive (FP) events. The Detection Spectrum explains the difference between broad and precise analytics and is helpful when figuring out how these indicators relate to the technique. An analytic that detects the executable name processhollowing.exe will have a low FP rate in most environments since that shouldn’t be too common in benign network activity. This analytic is more precise.

On the other hand, an analytic looking at process access rights will likely have more FPs due to the large number of standard, benign instances where process access rights are utilized. This analytic is more towards the broad side of the spectrum.

The volume of FPs should be considered to determine whether an analytic has the potential to be used as part of a detection. In general, the fewer, the better. There’s normally a limit to the number of FPs an analytic should return within a certain time frame before the time required to triage all the events makes it unfit for use. However, various ways of implementing analytics, such as a weighted scoring system for alerts, can make FPs less of an issue. Analytics with too many FPs can sometimes be tuned to filter them out while minimizing the possibility of a True Positive event being filtered as well.

Defining the Strategy

For Analytic 1 I need to find logs that reference the names of binaries being executed. Which events should I be focusing on? Both analytics focus on process creation and execution related events. Based on the outputs of Data Modeling, I know that Sysmon EID 1 (Process Creation) and Sysmon EID 10 (Process Access) logs are generated when executing the PoC. I’ll focus on these two events going forward since they appear to provide the data I’m looking for. Since I know which data sources I’m using I can define how the analytic will function.

Analytic 1 — Search for process events that contain the string processhollowing.exe

Analytic 2 — Search for process access events with the rights used for Process Hollowing

Creating Queries

Like in programming, a useful first step for creating an analytic is writing out a plain-language pseudo-analytic. This pseudo-analytic describes the behaviors, data, and relationships involved in the analytic without worrying about specific query-language syntax. The core functionality of the analytic will normally remain the same across different security solutions, while the specific query syntax may change.

The pseudo-analytic is then used to create a query in the proper format for the environment, in this case Kibana Query Language (KQL).

Analytic 1

Name of the PoC binary (processhollowing.exe)

Strategy/Pseudo-Code

Search for process events that contain the string “processhollowing.exe”

Kibana Query

(event_id:1 OR event_id:10) AND "processhollowing.exe"

This query returns Sysmon EID 1 (Process Creation) and Sysmon EID 10 (Process Access) events that contain the string processhollowing.exe.

Figure: Results of the Kibana query for the first analytic, looking for the string “processhollowing.exe”

Analytic 2

Processes being accessed with defined rights

Strategy/Pseudo-Code

Search for process access events with the rights used for the Process Hollowing PoC

Kibana Query

event_id:10 AND process_granted_access:2097151

This query returns Sysmon EID 10 events in which the granted access rights match those used by the PoC during testing, represented by the decimal value 2097151. The next section goes into more detail on this.

Figure: Results of the Kibana query for the second analytic, showing processhollowing.exe among many false positives

Tuning and Refinement

Both of the above queries returned the events from the Process Hollowing PoC and successfully identified the technique being used, but they also returned some FPs. If FPs are returned, the query can still be refined to filter them out while keeping as much of the core functionality as possible. In this case, I triage each event to determine whether it is related to the technique I am detecting and adjust my query to exclude any event that is not.

For the Analytic 1 query the only FP events returned were related to msmpeng.exe (Windows Defender Antivirus Service). This appears to be Windows Defender interacting with the malicious executable. While seeing this during an investigation would stand out, it’s not directly related to the core Process Hollowing execution behavior, so I’ll choose to filter it out. The final query, which returns no FPs, is:

(event_id:1 OR event_id:10) AND NOT process_name:msmpeng.exe AND "processhollowing.exe"

The Analytic 2 query resulted in a lot of events that don’t appear to be connected to Process Hollowing. It looks like the process_granted_access rights utilized by processhollowing.exe are commonly used, especially by Windows system binaries. In fact, the access rights utilized by the PoC, represented by the value 2097151, are the full rights — PROCESS_ALL_ACCESS.

This presents a problem. For Analytic 1 I simply filtered out the few false positives that were not directly related to the core execution of the PoC. Using this same approach for Analytic 2 has a higher chance of filtering out True Positives if an exclusion is made for all of these Windows binaries.

Based on the research done in Part 1 I know that Process Hollowing doesn’t necessarily need full access rights in order to be performed. The minimum rights needed are:

PROCESS_VM_WRITE
PROCESS_VM_OPERATION
PROCESS_SUSPEND_RESUME
PROCESS_CREATE_PROCESS

Converting the rights to the associated values found in the Microsoft documentation and summing the results gives the decimal value 2312. Since the PoC doesn’t utilize these minimum rights, I could try to modify it in order to validate the functionality. Using this value may result in fewer FPs and identify process hollowing implementations that utilize the bare minimum rights, but it wouldn’t catch the PoC used during testing. At this point it looks like it may be difficult to implement an operational process-rights-based analytic with only KQL queries. If I can manipulate and access the data in additional ways, it could open up new vectors to create an analytic focused on the behavior of the technique across multiple stages of execution.
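An added example, not code from the original post: the Python below tests the Sysmon EID 10 granted-access value as a bit mask rather than matching one exact decimal, so the PoC’s PROCESS_ALL_ACCESS handle (2097151) and any superset of the minimum rights are caught by the same predicate. The flag values are taken from Microsoft’s process access rights documentation; the sample events are constructed.

```python
# Added example, not from the original post: test Sysmon EID 10 GrantedAccess as a
# bit mask instead of matching one exact decimal value.
# Flag values from Microsoft's "Process Security and Access Rights" documentation.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_CREATE_PROCESS = 0x0080
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_ALL_ACCESS = 0x1FFFFF  # decimal 2097151, what the PoC requested

# The minimum rights the post identifies for process hollowing, OR-ed together.
HOLLOWING_MIN_RIGHTS = (PROCESS_VM_OPERATION | PROCESS_VM_WRITE
                        | PROCESS_CREATE_PROCESS | PROCESS_SUSPEND_RESUME)


def parse_granted_access(value):
    """Sysmon writes GrantedAccess as hex text such as '0x1FFFFF'; a normalised
    pipeline may store it as an int or as decimal text. Accept all three."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def has_hollowing_rights(granted_access):
    """True when every minimum right is present, whatever else is set."""
    rights = parse_granted_access(granted_access)
    return (rights & HOLLOWING_MIN_RIGHTS) == HOLLOWING_MIN_RIGHTS


def exact_match(granted_access, expected):
    """The KQL-style test from the post: one exact GrantedAccess value."""
    return parse_granted_access(granted_access) == expected


# Constructed sample EID 10 events, not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "processhollowing.exe", "process_target_name": "svchost.exe",
     "process_granted_access": "0x1FFFFF"},   # the PoC: PROCESS_ALL_ACCESS
    {"process_name": "variant.exe", "process_target_name": "notepad.exe",
     "process_granted_access": "0x8A8"},      # exactly the four minimum rights
    {"process_name": "variant2.exe", "process_target_name": "notepad.exe",
     "process_granted_access": "0x1CA8"},     # minimum rights plus query rights
    {"process_name": "taskmgr.exe", "process_target_name": "explorer.exe",
     "process_granted_access": "0x1000"},     # PROCESS_QUERY_LIMITED_INFORMATION only
]


def run_analytic(events, predicate):
    """Return the source process names of the events the predicate selects."""
    return [e["process_name"] for e in events
            if predicate(e["process_granted_access"])]


if __name__ == "__main__":
    print("exact 2097151:", run_analytic(SAMPLE_EVENTS,
                                         lambda g: exact_match(g, PROCESS_ALL_ACCESS)))
    print("exact minimum:", run_analytic(SAMPLE_EVENTS,
                                         lambda g: exact_match(g, HOLLOWING_MIN_RIGHTS)))
    print("bit mask:     ", run_analytic(SAMPLE_EVENTS, has_hollowing_rights))
```

Each exact-value predicate finds only one of the three hollowing-capable handles, while the mask predicate finds all three and still ignores the query-only handle.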

Analytics solutions like Jupyter Notebooks can be used for this, enabling operations like inner JOINs. Jonny created a Jupyter notebook that can more accurately identify process hollowing based on the bare minimum process access rights and the expected behavior of the technique during execution.

Figure: Process Hollowing Jupyter Notebook Analytic (the notebook from Jonny’s GitHub)

Overall, this notebook returns logs where an unsigned binary executed to create a process, accessed another process with the minimum rights, and was eventually terminated. Incorporating additional checks like binary signatures helps reduce FPs. Here is where this analytic ties into the chain of events for process hollowing (see Part 2 for more details):

  • The initial exploit: the unsigned exploit binary processhollowing.exe is executed and a process is created (EID 4688 & 7)
  • This process creates a new process in a suspended state (EID 1, 10, & 4688)
  • A section of memory in the new process is unmapped
  • A binary is inserted into memory
  • ResumeThread is called, executing HelloWorld.exe
  • The original ProcessHollowing.exe process terminates (EID 5)
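The chain above, correlated in code: an added Python example (not Jonny’s notebook) that joins normalised Sysmon events into the sequence unsigned source created, child spawned by it, child opened with at least the minimum hollowing rights, source terminated. The field names event_id, process_name and process_granted_access follow the post’s data model; process_guid, parent_process_guid, source_process_guid, target_process_guid and signed are assumed normalised fields (from Sysmon ProcessGuid/ParentProcessGuid and the EID 7 Signed value), and the events are constructed.

```python
# Added example, not the notebook from the post: correlate the process hollowing
# chain of events over normalised Sysmon events. The *_guid and `signed` fields are
# assumed normalisations of Sysmon ProcessGuid/ParentProcessGuid and EID 7 Signed.

# Minimum rights from the post: VM_OPERATION | VM_WRITE | CREATE_PROCESS | SUSPEND_RESUME
HOLLOWING_MIN_RIGHTS = 0x0008 | 0x0020 | 0x0080 | 0x0800


def granted(value):
    """Sysmon writes GrantedAccess as hex text such as '0x1FFFFF'."""
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def find_hollowing_chains(events):
    """Return (source, target) process-name pairs that complete the chain:
    an unsigned source is created (EID 1), spawns a child (EID 1), opens that
    child with at least the minimum rights (EID 10) and later exits (EID 5)."""
    created = {e["process_guid"]: e for e in events if e["event_id"] == 1}
    terminated = {e["process_guid"] for e in events if e["event_id"] == 5}
    hits = []
    for acc in (e for e in events if e["event_id"] == 10):
        src = created.get(acc["source_process_guid"])
        tgt = created.get(acc["target_process_guid"])
        if src is None or tgt is None:
            continue  # no matching EID 1 for one side of the handle
        if src.get("signed", True):
            continue  # signed source: the signature check the post uses to cut FPs
        if tgt["parent_process_guid"] != src["process_guid"]:
            continue  # the target was not spawned by the source
        if (granted(acc["process_granted_access"]) & HOLLOWING_MIN_RIGHTS) != HOLLOWING_MIN_RIGHTS:
            continue  # the handle lacks a right hollowing needs
        if src["process_guid"] not in terminated:
            continue  # the source has not terminated, so the chain is incomplete
        hits.append((src["process_name"], tgt["process_name"]))
    return hits


# Constructed sample events (not real telemetry), in the order they would be logged.
SAMPLE_EVENTS = [
    {"event_id": 1, "process_guid": "A", "parent_process_guid": "X",
     "process_name": "processhollowing.exe", "signed": False},
    {"event_id": 1, "process_guid": "B", "parent_process_guid": "A",
     "process_name": "svchost.exe", "signed": True},          # child created suspended
    {"event_id": 10, "source_process_guid": "A", "target_process_guid": "B",
     "process_granted_access": "0x1FFFFF"},                   # PoC opens the child
    {"event_id": 1, "process_guid": "C", "parent_process_guid": "S",
     "process_name": "msmpeng.exe", "signed": True},
    {"event_id": 10, "source_process_guid": "C", "target_process_guid": "A",
     "process_granted_access": "0x1FFFFF"},                   # Defender scanning the PoC
    {"event_id": 1, "process_guid": "D", "parent_process_guid": "X",
     "process_name": "tool.exe", "signed": False},
    {"event_id": 10, "source_process_guid": "D", "target_process_guid": "B",
     "process_granted_access": "0x1000"},                     # query-only handle
    {"event_id": 5, "process_guid": "A"},                     # PoC terminates
]

if __name__ == "__main__":
    print(find_hollowing_chains(SAMPLE_EVENTS))
```

The Defender handle is dropped by the signature check and the query-only handle by both the parent and the rights checks, so only the PoC chain is reported.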

Bypassing the Analytic (Looking for Blind Spots)

Not all analytics will detect a technique 100% of the time. If the technique indicator or behavior that the analytic focuses on can be modified by an attacker then there’s a chance that the analytic can be bypassed, creating a gap in detection (a blind spot).

To evade Analytic 1, an attacker simply needs to use an executable that isn’t named processhollowing.exe. This is trivial to do and would result in an easy bypass of the analytic, as the query would not return the events associated with the attack.

Examples of how Analytic 2 can be bypassed include:

  • Using a combination of access rights not equal to 2312 that still have the required permissions
  • Using several handles to perform the technique — one handle to start and suspend the process, a separate handle to modify the memory, and another to resume the process
  • Altering the Sysmon configuration or service
  • Using API calls that are not monitored by Sysmon

It’s normal for analytics to have blind spots. This doesn’t mean that an analytic won’t be useful, just that there are certain situations in which it won’t work as intended. Researching, identifying, and documenting these blind spots helps determine the weaknesses of the analytic and the circumstances in which an attacker may evade it.

Blind spot documentation also helps decide how to best focus efforts for improving the overall security program — including tool acquisitions, configurations, and policies. Blind spots can be mitigated, and sometimes eliminated, with changes in these areas.

The Finished Analytic

At this point I have two analytics that can be used to detect process hollowing, the first one being more specific to this implementation. I’ve filtered out false positives so that I’m not overwhelmed with events and alerts, and identified some conditions in which an attacker can bypass these analytics.

Analytic 1 by itself is not the most robust solution due to how precise it is. The blind spot identified shows that this will only alert with a specific and easily modifiable filename. There is value in using it though, and I would likely identify additional precise analytics to increase the chance of detecting common implementations of the technique.

Analytic 2 has more chance of detecting process hollowing in general since it focuses on broad behaviors. Between the two analytics, this one is more likely to trigger when process hollowing is performed in a variety of ways and by various threat actors. It focuses more on the core indicators that must be present for the technique to work. An attacker can possibly change these, but must do so in a way that still allows for successful execution of the technique.

Now that I have some finished analytics I’ll look at my environment to decide how to best implement them. There are several ways these can be used, such as for hunt operations or monitoring and alerting. Instead of using just one analytic, I can increase the chance of detection by using both. Joshua Prager’s Detection in Depth post goes into more detail about using multiple analytics to detect a technique.

Overall, layering analytics that focus on different aspects of the technique is a useful way to reduce blind spots and detect multiple variations of the same technique. Going forward, I can tie this into the concept of Capability Abstraction and potentially develop analytics that can detect the technique’s behavior at each abstraction layer, providing a more robust detection strategy.

Conclusion

This series looked at the process of detection engineering, beginning with research, moving into understanding the available data and isolating events related to execution of a PoC, and then finally looking at an approach to developing analytics for offensive techniques.

Research lays the foundation for detections. The information about process hollowing obtained in this step reveals the core functionality of how it works and what is required. This research then helps decide what to focus on during data modeling. Using a PoC allows for testing and identification of events that are related to the technique. Analytics can then be built around the events that were identified as related to process hollowing.

One of my first steps for analytic development is to create a list of indicators seen when executing the PoC and isolating events. A couple of questions helped guide and understand which of these indicators may have the potential to be developed further:

  • What data is available?
  • How unique is the behavior or indicator to this technique?

After looking through the list of indicators and answering these questions, I chose two that seemed to have potential. The strategy for how each analytic functions was defined and a pseudo-query was created to help guide the creation of a language-specific query.

Running these queries to look for the PoC data resulted in FP events for both analytics. Tuning and refinement involved filtering out these unwanted results. I was able to filter out FPs from Analytic 1, but Analytic 2 required additional data operations and logic to get it to a usable state. Jupyter Notebooks allowed for a more flexible approach that focused on the behavior of the technique at multiple stages of execution. Blind spots were identified and documented to understand the weaknesses of the analytics, which were then ready to be implemented.

The detection engineering process can be approached in many ways. This series showed one approach that Jonny and I use and have had success with in the past. The analytics created from this process are not necessarily the best way to detect process hollowing, and there are many more that can be made. Different data sources, PoCs, and access to data can all enable the creation of analytics that aren’t possible with the setup used in this lab. These factors vary between environments, and so the analytics that are possible will as well.

Regardless of the approach used, researching the technique, understanding the available data, and identifying technique behaviors/indicators are important parts of developing detections for offensive techniques, and ultimately, catching malicious activity on the network.

Translated from: https://posts.specterops.io/engineering-process-injection-detections-part-3-analytic-logic-b6014a83d4c8
