42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
|
|
title: Malware Shellcode in Verclsid Target Process
|
|
author: John Lambert (tech), Florian Roth (rule)
|
|
date: 2017/03/04
|
|
description: Detects a process access to verclsid.exe that injects shellcode from
|
|
a Microsoft Office application / VBA macro
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 10
|
|
SELECTION_2:
|
|
TargetImage: '*\verclsid.exe'
|
|
SELECTION_3:
|
|
GrantedAccess: '0x1FFFFF'
|
|
SELECTION_4:
|
|
CallTrace: '*|UNKNOWN(*'
|
|
SELECTION_5:
|
|
CallTrace: '*VBE7.DLL*'
|
|
SELECTION_6:
|
|
SourceImage: '*\Microsoft Office\\*'
|
|
SELECTION_7:
|
|
CallTrace: '*|UNKNOWN*'
|
|
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
|
|
SELECTION_5) or (SELECTION_6 and SELECTION_7)))
|
|
falsepositives:
|
|
- unknown
|
|
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
|
|
level: high
|
|
logsource:
|
|
category: process_access
|
|
definition: 'Use the following config to generate the necessary Event ID 10 Process
|
|
Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
|
|
onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
|
|
product: windows
|
|
references:
|
|
- https://twitter.com/JohnLaTwC/status/837743453039534080
|
|
status: experimental
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.privilege_escalation
|
|
- attack.t1055
|
|
ruletype: SIGMA
|