mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
26 lines
1.0 KiB
YAML
26 lines
1.0 KiB
YAML
title: Malware Shellcode in Verclsid Target Process
|
|
status: experimental
|
|
description: Detetcs a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
|
|
reference: https://twitter.com/JohnLaTwC/status/837743453039534080
|
|
author: John Lambert (tech), Florian Roth (rule)
|
|
date: 2017/03/04
|
|
logsource:
|
|
product: sysmon
|
|
description: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
|
|
detection:
|
|
selection:
|
|
EventID: 10
|
|
TargetImage: '*\verclsid.exe'
|
|
GrantedAccess: '0x1FFFFF'
|
|
combination1:
|
|
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
|
|
combination2:
|
|
SourceImage: '*\Microsoft Office\*'
|
|
CallTrace: '*|UNKNOWN*'
|
|
condition: selection and ( combination1 or combination2 )
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|
|
|
|
|