title: Malware Shellcode in Verclsid Target Process
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
    product: windows
    service: sysmon
    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection:
        EventID: 10
        TargetImage: '*\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    combination1:
        CallTrace: '*|UNKNOWN(*VBE7.DLL*'
    combination2:
        SourceImage: '*\Microsoft Office\*'
        CallTrace: '*|UNKNOWN*'
    condition: selection and 1 of combination*
falsepositives:
    - unknown
level: high