Added Sigma Rules
This commit is contained in:
Tanaka Zakku
@@ -0,0 +1,80 @@
|
||||
title: Suspicious In-Memory Module Execution
|
||||
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
|
||||
date: 2019/10/27
|
||||
description: Detects the access to processes by other suspicious processes which have
|
||||
reflectively loaded libraries in their memory space. An example is SilentTrinity
|
||||
C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
|
||||
call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
|
||||
the module name. Usually this means the stack call points to a module that was
|
||||
reflectively loaded in memory. Adding to this, it is not common to see such few
|
||||
calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially
|
||||
means that most of the functions required by the process to execute certain routines
|
||||
are already present in memory, not requiring any calls to external libraries.
|
||||
The latter should also be considered suspicious.
|
||||
detection:
|
||||
SELECTION_1:
|
||||
EventID: 10
|
||||
SELECTION_10:
|
||||
GrantedAccess: '0x1F0FFF'
|
||||
SELECTION_11:
|
||||
GrantedAccess: '0x1F1FFF'
|
||||
SELECTION_12:
|
||||
GrantedAccess: '0x143A'
|
||||
SELECTION_13:
|
||||
GrantedAccess: '0x1410'
|
||||
SELECTION_14:
|
||||
GrantedAccess: '0x1010'
|
||||
SELECTION_15:
|
||||
GrantedAccess: '0x1F2FFF'
|
||||
SELECTION_16:
|
||||
GrantedAccess: '0x1F3FFF'
|
||||
SELECTION_17:
|
||||
GrantedAccess: '0x1FFFFF'
|
||||
SELECTION_18:
|
||||
SourceImage: '*\Windows\System32\sdiagnhost.exe'
|
||||
SELECTION_2:
|
||||
CallTrace: '*C:\WINDOWS\SYSTEM32\ntdll.dll+*'
|
||||
SELECTION_3:
|
||||
CallTrace: '*|C:\WINDOWS\System32\KERNELBASE.dll+*'
|
||||
SELECTION_4:
|
||||
CallTrace: '*|UNKNOWN(*'
|
||||
SELECTION_5:
|
||||
CallTrace: '*)*'
|
||||
SELECTION_6:
|
||||
CallTrace: '*UNKNOWN(*'
|
||||
SELECTION_7:
|
||||
CallTrace: '*)|UNKNOWN(*'
|
||||
SELECTION_8:
|
||||
CallTrace: '*)'
|
||||
SELECTION_9:
|
||||
CallTrace: '*UNKNOWN*'
|
||||
condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and
|
||||
SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9
|
||||
and (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
|
||||
or SELECTION_15 or SELECTION_16 or SELECTION_17)) and not ((SELECTION_18)))))
|
||||
falsepositives:
|
||||
- Low
|
||||
fields:
|
||||
- ComputerName
|
||||
- User
|
||||
- SourceImage
|
||||
- TargetImage
|
||||
- CallTrace
|
||||
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
|
||||
level: critical
|
||||
logsource:
|
||||
category: process_access
|
||||
product: windows
|
||||
modified: 2021/10/21
|
||||
references:
|
||||
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
- attack.defense_evasion
|
||||
- attack.t1055.001
|
||||
- attack.t1055.002
|
||||
- attack.t1055
|
||||
yml_filename: sysmon_in_memory_assembly_execution.yml
|
||||
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
|
||||
|
||||
Reference in New Issue
Block a user