atomic-threat-coverage/Atomic_Threat_Coverage/Detection_Rules/sysmon_malware_verclsid_shellcode.md
2019-02-12 04:55:11 +01:00

| Title | Malware Shellcode in Verclsid Target Process |
|:------|:---------------------------------------------|
| Description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Data Needed | |
| Trigger | There is no Trigger for this technique yet. |
| Severity Level | high |
| False Positives | unknown |
| Development Status | experimental |
| References | https://twitter.com/JohnLaTwC/status/837743453039534080 |
| Author | John Lambert (tech), Florian Roth (rule) |

## Detection Rules

### Sigma rule

```
title: Malware Shellcode in Verclsid Target Process
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
    product: windows
    service: sysmon
    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection:
        EventID: 10
        TargetImage: '*\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    combination1:
        CallTrace: '*|UNKNOWN(*VBE7.DLL*'
    combination2:
        SourceImage: '*\Microsoft Office\*'
        CallTrace: '*|UNKNOWN*'
    condition: selection and 1 of combination*
falsepositives:
    - unknown
level: high
```
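As an added illustration (not part of the ATC page or the Sigma project), the rule's detection logic applied in Python to constructed Sysmon Event ID 10 records, with `fnmatch` standing in for Sigma's wildcard matching; every path, offset and address in the samples is made up.

```python
import fnmatch

# Patterns copied from the Sigma rule above. Sigma wildcards: '*' matches any run of
# characters, '?' one character; string matching is case-insensitive. Python string
# literals need each backslash doubled.
SELECTION = {"EventID": "10", "TargetImage": "*\\verclsid.exe", "GrantedAccess": "0x1FFFFF"}
COMBINATION1 = {"CallTrace": "*|UNKNOWN(*VBE7.DLL*"}
COMBINATION2 = {"SourceImage": "*\\Microsoft Office\\*", "CallTrace": "*|UNKNOWN*"}

def _matches(event, fields):
    """True when every listed field of the event matches its Sigma pattern. fnmatch is a
    close stand-in for Sigma matching (it also reads '[..]' as a class; unused here)."""
    return all(
        fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
        for field, pattern in fields.items()
    )

def rule_matches(event):
    """Sigma condition 'selection and 1 of combination*'."""
    return _matches(event, SELECTION) and (
        _matches(event, COMBINATION1) or _matches(event, COMBINATION2)
    )

def find_hits(events):
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]

# Constructed Sysmon Event ID 10 (ProcessAccess) records; paths and offsets are made up.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
VBE7 = "C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL+3f2a"
VERCLSID = "C:\\Windows\\System32\\verclsid.exe"
NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0c4"
SAMPLE_EVENTS = [
    # 0: Word opens verclsid.exe with full access; the stack passes through an unbacked
    #    region (UNKNOWN) and returns into the VBA runtime VBE7.DLL -> combination1
    {"EventID": 10, "SourceImage": OFFICE + "WINWORD.EXE", "TargetImage": VERCLSID,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + "|UNKNOWN(1A2B3C4D)|" + VBE7},
    # 1: Excel touches verclsid.exe with limited rights and a fully backed stack -> no hit
    {"EventID": 10, "SourceImage": OFFICE + "EXCEL.EXE", "TargetImage": VERCLSID,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL + "|C:\\Windows\\System32\\KERNELBASE.dll+2b9e4"},
    # 2: full access from an Office process, UNKNOWN frame but no VBE7.DLL -> combination2
    {"EventID": 10, "SourceImage": OFFICE + "POWERPNT.EXE", "TargetImage": VERCLSID,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + "|UNKNOWN(DEADBEEF)|" + OFFICE + "POWERPNT.EXE+1c0de"},
    # 3: identical stack shape but a different target process -> selection fails
    {"EventID": 10, "SourceImage": OFFICE + "WINWORD.EXE", "TargetImage": "C:\\Windows\\System32\\notepad.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + "|UNKNOWN(1A2B3C4D)|" + VBE7},
]

if __name__ == "__main__":
    print("rule hits at sample indices:", find_hits(SAMPLE_EVENTS))  # [0, 2]
```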

### Kibana query

```
((EventID:"10" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:"0x1FFFFF") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft\\ Office\\* AND CallTrace.keyword:*|UNKNOWN*)))
```

### X-Pack Watcher

```
curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- localhost:9200/_xpack/watcher/watch/Malware-Shellcode-in-Verclsid-Target-Process <<EOF
{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "body": {
          "size": 0,
          "query": {
            "query_string": {
              "query": "((EventID:\"10\" AND TargetImage.keyword:*\\\\verclsid.exe AND GrantedAccess:\"0x1FFFFF\") AND (CallTrace.keyword:*|UNKNOWN\\(*VBE7.DLL* OR (SourceImage.keyword:*\\\\Microsoft\\ Office\\* AND CallTrace.keyword:*|UNKNOWN*)))",
              "analyze_wildcard": true
            }
          }
        },
        "indices": []
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "not_eq": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": null,
        "subject": "Sigma Rule 'Malware Shellcode in Verclsid Target Process'",
        "body": "Hits:\n{{#ctx.payload.hits.hits}}{{_source}}\n================================================================================\n{{/ctx.payload.hits.hits}}",
        "attachments": {
          "data.json": {
            "data": {
              "format": "json"
            }
          }
        }
      }
    }
  }
}
EOF
```

### Graylog

```
((EventID:"10" AND TargetImage:"*\\\\verclsid.exe" AND GrantedAccess:"0x1FFFFF") AND (CallTrace:"*|UNKNOWN\\(*VBE7.DLL*" OR (SourceImage:"*\\\\Microsoft Office\\*" AND CallTrace:"*|UNKNOWN*")))
```