CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
83d891b2faaa8fa0be012c34b200950d20a3f307
hayabusa/rules/sigma/process_access/sysmon_malware_verclsid_shellcode.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

43 lines
1.3 KiB
YAML
Raw Blame History

title: Malware Shellcode in Verclsid Target Process
ruletype: Sigma
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
description: Detects a process access to verclsid.exe that injects shellcode from
a Microsoft Office application / VBA macro
detection:
SELECTION_1:
EventID: 10
SELECTION_2:
TargetImage: '*\verclsid.exe'
SELECTION_3:
GrantedAccess: '0x1FFFFF'
SELECTION_4:
CallTrace: '*|UNKNOWN(*'
SELECTION_5:
CallTrace: '*VBE7.DLL*'
SELECTION_6:
SourceImage: '*\Microsoft Office\\*'
SELECTION_7:
CallTrace: '*|UNKNOWN*'
condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and ((SELECTION_4 and
SELECTION_5) or (SELECTION_6 and SELECTION_7)))
falsepositives:
- unknown
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
level: high
logsource:
category: process_access
definition: 'Use the following config to generate the necessary Event ID 10 Process
Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess
onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
product: windows
modified: 2021/11/27
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
status: test
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
Reference in New Issue View Git Blame Copy Permalink