81 lines
2.8 KiB
YAML
81 lines
2.8 KiB
YAML
title: Suspicious In-Memory Module Execution
|
|
author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
|
|
date: 2019/10/27
|
|
description: Detects the access to processes by other suspicious processes which have
|
|
reflectively loaded libraries in their memory space. An example is SilentTrinity
|
|
C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack
|
|
call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as
|
|
the module name. Usually this means the stack call points to a module that was
|
|
reflectively loaded in memory. Adding to this, it is not common to see such few
|
|
calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially
|
|
means that most of the functions required by the process to execute certain routines
|
|
are already present in memory, not requiring any calls to external libraries.
|
|
The latter should also be considered suspicious.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 10
|
|
SELECTION_10:
|
|
GrantedAccess: '0x1F0FFF'
|
|
SELECTION_11:
|
|
GrantedAccess: '0x1F1FFF'
|
|
SELECTION_12:
|
|
GrantedAccess: '0x143A'
|
|
SELECTION_13:
|
|
GrantedAccess: '0x1410'
|
|
SELECTION_14:
|
|
GrantedAccess: '0x1010'
|
|
SELECTION_15:
|
|
GrantedAccess: '0x1F2FFF'
|
|
SELECTION_16:
|
|
GrantedAccess: '0x1F3FFF'
|
|
SELECTION_17:
|
|
GrantedAccess: '0x1FFFFF'
|
|
SELECTION_18:
|
|
SourceImage: '*\Windows\System32\sdiagnhost.exe'
|
|
SELECTION_2:
|
|
CallTrace: '*C:\WINDOWS\SYSTEM32\ntdll.dll+*'
|
|
SELECTION_3:
|
|
CallTrace: '*|C:\WINDOWS\System32\KERNELBASE.dll+*'
|
|
SELECTION_4:
|
|
CallTrace: '*|UNKNOWN(*'
|
|
SELECTION_5:
|
|
CallTrace: '*)*'
|
|
SELECTION_6:
|
|
CallTrace: '*UNKNOWN(*'
|
|
SELECTION_7:
|
|
CallTrace: '*)|UNKNOWN(*'
|
|
SELECTION_8:
|
|
CallTrace: '*)'
|
|
SELECTION_9:
|
|
CallTrace: '*UNKNOWN*'
|
|
condition: (SELECTION_1 and (((SELECTION_2 and SELECTION_3 and SELECTION_4 and
|
|
SELECTION_5) or (SELECTION_6 and SELECTION_7 and SELECTION_8)) or ((SELECTION_9
|
|
and (SELECTION_10 or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14
|
|
or SELECTION_15 or SELECTION_16 or SELECTION_17)) and not ((SELECTION_18)))))
|
|
falsepositives:
|
|
- Low
|
|
fields:
|
|
- ComputerName
|
|
- User
|
|
- SourceImage
|
|
- TargetImage
|
|
- CallTrace
|
|
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
|
|
level: critical
|
|
logsource:
|
|
category: process_access
|
|
product: windows
|
|
modified: 2021/10/21
|
|
references:
|
|
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
|
|
status: experimental
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.t1055.001
|
|
- attack.t1055.002
|
|
- attack.t1055
|
|
yml_filename: sysmon_in_memory_assembly_execution.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access
|
|
|