SigmaHQ/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml
2019-11-12 23:12:27 +01:00

33 lines
1.2 KiB
YAML

title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\\*'
CallTrace: '*|UNKNOWN*'
condition: selection and 1 of combination*
falsepositives:
- unknown
level: high