<?xml version='1.0' encoding='utf-8'?>
<!--
  OpenIOC 1.1 indicator: "UAC pop-up bypass (sdb)".
  Background on the technique is the JPCERT post linked in <description>; this
  document only encodes detection logic for a consumer that evaluates
  Volatility-style ProcessItem paths (every <Context> below has type="volatility").
  No DOCTYPE is declared; a consumer should still parse this file with DTD and
  external-entity resolution disabled, as for any interchange XML.
-->
<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="cdcd5fdb-fcd3-4947-8c76-d2fbdc1b5f82" last-modified="2015-02-26T06:13:27" published-date="0001-01-01T00:00:00">
  <!-- published-date is the zero value 0001-01-01T00:00:00, presumably meaning "not yet published"; confirm against the authoring tool. -->
  <metadata>
    <short_description>UAC pop-up bypass (sdb)</short_description>
    <!-- The description is a bare reference URL; its text content ends with a newline, kept as-is. -->
    <description>http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html
</description>
    <keywords/>
    <authored_by>Takahiro Haruyama</authored_by>
    <authored_date>2014-06-10T06:32:32</authored_date>
    <links/>
  </metadata>
  <criteria>
    <!--
      One OR root holding a single AND group, so a process matches only when ALL of:
      - its in-memory PE import list contains each of the six function names below
        (condition="contains", case-insensitive because preserve-case="false"),
      - its string list contains both "sdbinst.exe" and "RedirectEXE",
      - its parent process name is NOT "smss.exe" (negate="true", condition="is").
    -->
    <Indicator operator="OR" id="46ec92ad-a7a4-4f98-ba5d-dca86c1553d3">
      <Indicator id="b64ef53a-80f9-4049-9421-a5e59eeefd41" operator="AND">
        <!-- Imported-function checks: SID / token / elevation APIs. -->
        <IndicatorItem preserve-case="false" negate="false" id="403f5a01-bfcb-45a0-8691-4d0c2d1af02e" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">AllocateAndInitializeSid</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="d7b718ea-c2cb-4233-8bc7-9edadfc86a58" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">EqualSid</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="2b440cfb-dea4-4ba6-9c3c-5740acc198dd" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">RtlQueryElevationFlags</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="ea6945f9-3adb-4e82-a5a4-1fbb2b1d9102" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">GetTokenInformation</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="ac7a58fd-8430-42ff-931e-16db3f972f08" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">GetSidSubAuthority</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="0f360b05-dcc6-46c5-980d-e91b4cedb4e5" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string" type="volatility"/>
          <Content type="string">GetSidSubAuthorityCount</Content>
        </IndicatorItem>
        <!-- Process string-list checks: shim database installer name and the RedirectEXE shim keyword. -->
        <IndicatorItem preserve-case="false" negate="false" id="d2c67183-cdd4-41a2-b48b-b70c21db756f" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
          <Content type="string">sdbinst.exe</Content>
        </IndicatorItem>
        <IndicatorItem preserve-case="false" negate="false" id="9a4235fc-0deb-491e-aa4c-8db085d5a9c7" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/StringList/string" type="volatility"/>
          <Content type="string">RedirectEXE</Content>
        </IndicatorItem>
        <!-- Exclusion: negated exact match on the parent process name. -->
        <IndicatorItem preserve-case="false" negate="true" id="6b0a0be7-4d15-4904-8dcd-dccd1e4bcaac" condition="is">
          <Context document="ProcessItem" search="ProcessItem/ParentProcessName" type="volatility"/>
          <Content type="string">smss.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
  <!--
    Per-item "score" weights: 15 for each imported-function check and the parent
    process check, 20 for each of the two string-list checks. How scores are
    combined is defined by the consuming tool, not by this document.
    NOTE(review): the "detail" param's ref-id 06e6639a-4d84-4045-b911-a2cd2c6457b4
    matches no Indicator or IndicatorItem id in this file, so it is a dangling
    reference; confirm whether an item was removed or the ref-id is stale.
  -->
  <parameters>
    <param id="83a84047-496e-42ef-9451-3bda9611f3f2" ref-id="403f5a01-bfcb-45a0-8691-4d0c2d1af02e" name="score"><value type="string">15</value></param>
    <param id="1aa61bb5-d7f7-484e-8e45-96f2e714717c" ref-id="d7b718ea-c2cb-4233-8bc7-9edadfc86a58" name="score"><value type="string">15</value></param>
    <param id="112a5074-670f-4917-9400-ec813b66c912" ref-id="2b440cfb-dea4-4ba6-9c3c-5740acc198dd" name="score"><value type="string">15</value></param>
    <param id="9f9fb80a-cd33-4e04-a7a0-99fa9daf021a" ref-id="ea6945f9-3adb-4e82-a5a4-1fbb2b1d9102" name="score"><value type="string">15</value></param>
    <param id="6d7e3ab8-3e85-4cc8-9184-6c09d203d980" ref-id="ac7a58fd-8430-42ff-931e-16db3f972f08" name="score"><value type="string">15</value></param>
    <param id="c35d8588-0195-46b0-8912-c09a5b70e82f" ref-id="0f360b05-dcc6-46c5-980d-e91b4cedb4e5" name="score"><value type="string">15</value></param>
    <param id="66e66877-9a0a-4e3d-94e9-25216dc179db" ref-id="d2c67183-cdd4-41a2-b48b-b70c21db756f" name="score"><value type="string">20</value></param>
    <param id="0cd345ab-4913-4ce3-bb8d-e50533603b9d" ref-id="9a4235fc-0deb-491e-aa4c-8db085d5a9c7" name="score"><value type="string">20</value></param>
    <param id="f674886b-680d-457d-926e-81e33661cf5c" ref-id="6b0a0be7-4d15-4904-8dcd-dccd1e4bcaac" name="score"><value type="string">15</value></param>
    <param id="92a9aa85-46ba-441c-a98d-e0e1f4c58d90" ref-id="06e6639a-4d84-4045-b911-a2cd2c6457b4" name="detail"><value type="string">on</value></param>
  </parameters>
</OpenIOC>