规则名称为 "bioc.vulnerable_driver_dropped_$name "的BTP警报是否为假阳性检测?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker
Did you find this article helpful? Yes No
No ratings

总结:

这篇文章描述了BTP警报的情况,它的规则名称如下。
bioc.vulnerable_driver_dropped_$name
bioc.sync.vulnerable_driver_loaded_$name
bioc.sync.vulnerable_driver_by_original_name_loaded_$name
bioc.sync.vulnerable_driver_by_signer_name_loaded_$name
bioc.sync.malicious_driver_by_signer_name_loaded_$name
bioc.sync.malicious_driver_by_original_name_loaded__$name

 

环境:

  • Cortex XDR for Windows
  • Behavioral Threat Protection (BTP)

答案:

这不是一个假阳性检测。
这是一个易受攻击的驱动程序,正在被客户机器上的一个应用程序使用。所以我们阻止了它。
这个驱动程序可以被攻击者滥用,以获得权限的提升。
注意:如果一个规则名称有这些内容,它不是一个假阳性。它们也是由有漏洞的驱动文件引起的。

 

bioc.vulnerable_driver_dropped_$name
bioc.sync.vulnerable_driver_loaded_$name
bioc.sync.vulnerable_driver_by_original_name_loaded_$name
bioc.sync.vulnerable_driver_by_signer_name_loaded_$name
bioc.sync.malicious_driver_by_signer_name_loaded_$name
bioc.sync.malicious_driver_by_original_name_loaded__$name
Rate this article:
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last update:
‎01-19-2023 03:53 AM
Updated by: