2019-02-11 22:28:16 +00:00
| Title | Malware Shellcode in Verclsid Target Process |
|:---------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| ATT& CK Tactic | < ul > < / ul > |
| ATT& CK Technique | < ul > < / ul > |
| Data Needed | < ul > < li > [DN_0014_10_windows_sysmon_ProcessAccess](../Data_Needed/DN_0014_10_windows_sysmon_ProcessAccess.md)< / li > < / ul > |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives | < ul > < li > unknown< / li > < / ul > |
| Development Status | experimental |
| References | < ul > < li > [https://twitter.com/JohnLaTwC/status/837743453039534080](https://twitter.com/JohnLaTwC/status/837743453039534080)< / li > < / ul > |
| Author | John Lambert (tech), Florian Roth (rule) |
## Detection Rules
### Sigma rule
```
title: Malware Shellcode in Verclsid Target Process
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
- https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
product: windows
service: sysmon
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: < ProcessAccess onmatch = "include" > < CallTrace condition = "contains" > VBE7.DLL< / CallTrace > < / ProcessAccess > < ProcessAccess onmatch = "exclude" > < CallTrace condition = "excludes" > UNKNOWN< / CallTrace > < / ProcessAccess > '
detection:
selection:
EventID: 10
TargetImage: '*\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\*'
CallTrace: '*|UNKNOWN*'
condition: selection and 1 of combination*
falsepositives:
- unknown
level: high
```
### Kibana query
```
2019-02-12 03:55:11 +00:00
((EventID:"10" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:"0x1FFFFF") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft\\ Office\\* AND CallTrace.keyword:*|UNKNOWN*)))
2019-02-11 22:28:16 +00:00
```
### X-Pack Watcher
```
2019-02-12 03:55:11 +00:00
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_xpack/watcher/watch/Malware-Shellcode-in-Verclsid-Target-Process < < EOF \n{ \n " trigger " : { \n " schedule " : { \n " interval " : " 30m " \n } \n }, \n " input " : { \n " search " : { \n " request " : { \n " body " : { \n " size " : 0 , \n " query " : { \n " query_string " : { \n " query " : "(( EventID: \\" 10 \\" AND TargetImage . keyword: * \\\\\\\\verclsid . exe AND GrantedAccess: \\" 0x1FFFFF \\") AND ( CallTrace . keyword: *| UNKNOWN \\\\(* VBE7 . DLL * OR ( SourceImage . keyword: * \\\\\\\\Microsoft \\\\ Office \\\\* AND CallTrace . keyword: *| UNKNOWN *)))", \n " analyze_wildcard " : true \n } \n } \n }, \n " indices " : [] \n } \n } \n }, \n " condition " : { \n " compare " : { \n " ctx . payload . hits . total " : { \n " not_eq " : 0 \n } \n } \n }, \n " actions " : { \n " send_email " : { \n " email " : { \n " to " : null , \n " subject " : " Sigma Rule \'Malware Shellcode in Verclsid Target Process \'", \n " body " : " Hits: \\n {{# ctx . payload . hits . hits }}{{ _source }} \\n = =============================================================================== \\n{{/ctx.payload.hits.hits}}", \n " attachments " : { \n " data . json " : { \n " data " : { \n " format " : " json " \n } \n } \n } \n } \n } \n } \n} \nEOF \n
2019-02-11 22:28:16 +00:00
```
### Graylog
```
((EventID:"10" AND TargetImage:"*\\\\verclsid.exe" AND GrantedAccess:"0x1FFFFF") AND (CallTrace:"*|UNKNOWN\\(*VBE7.DLL*" OR (SourceImage:"*\\\\Microsoft Office\\*" AND CallTrace:"*|UNKNOWN*")))
```
