valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b0cb0abc01
SigmaHQ/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml

28 lines
1.0 KiB
YAML
Raw Normal View History

Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 09:38:23 +00:00
title: Malware Shellcode in Verclsid Target Process
status: experimental
Fixed typoes
2018-07-10 14:14:07 +00:00
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
Change All "str" references to be "list"to mach schema update
2018-01-27 23:24:16 +00:00
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 09:38:23 +00:00
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
Sysmon as 'service' of product 'windows'
2017-03-13 08:23:08 +00:00
product: windows
service: sysmon
Replace "logsource: description" with "definition" to match the specs
2018-11-15 06:00:06 +00:00
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 09:38:23 +00:00
detection:
selection:
EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\*'
CallTrace: '*|UNKNOWN*'
Simplified rule conditions with new condition constructs
2018-03-06 22:14:43 +00:00
condition: selection and 1 of combination*
Rule: Sysmon Malware Shellcode in Verclsid Process
2017-03-04 09:38:23 +00:00
falsepositives:
- unknown
level: high
Reference in New Issue Copy Permalink