defense_evasion_virtualprotect_api_call_from_an_unsigned_dll.toml
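# Endpoint behavioral protection rule: an unsigned or untrusted DLL is loaded
# into a process and, later in that same process, a VirtualProtect* call whose
# call stack leads back to that DLL requests executable or writable memory.
[rule]
description = """
Identifies the load of an unsigned or untrusted DLL by a trusted binary followed by calling VirtualProtect API to change
memory permission to execute or write. This may indicate execution via DLL sideloading to perform code injection.
"""
id = "8858facd-72b7-495c-831c-4d8ad12a8bf0"
license = "Elastic License v2"
name = "VirtualProtect API Call from an Unsigned DLL"
os_list = ["windows"]
version = "1.0.18"
# EQL sequence, correlated on process.entity_id and closed when the process ends:
#  event0 - a `library` load whose code signature status is not "trusted", has a
#           sha256, and that either looks freshly dropped (creation/modify time
#           <= 900, presumably seconds), comes from a virtual DVD/disk or USB
#           device outside C:\, or sits in a commonly writable location
#           (\Device\Mup, Users\Public, Windows\Tasks, ProgramData).
#  event1 - an `api` event for VirtualProtect* asking for an executable ("*X*")
#           or writable ("*W*") protection on more than 4096 bytes, where the
#           final user module is not "Kernel" and the call stack (frame
#           provenance or one of the listed call_stack_summary prefixes, with
#           and without the WOW64 transition frames) points back to event0's DLL.
# Exclusions, in decreasing order of evidence strength:
#  - exact dll.hash.sha256 values of known-benign DLLs (strongest; one entry per
#    file, keep the list free of duplicates);
#  - signer subject names, applied only when the loading process itself has a
#    trusted signature;
#  - dll.pe.imphash and dll.name/dll.pe.original_file_name: both are derived from
#    the PE's own headers and version resource, so they are weaker than a hash
#    match and should be reserved for DLLs that change too often to pin by hash.
query = '''
sequence by process.entity_id
[library where process.name != null and
(dll.Ext.relative_file_creation_time <= 900 or
dll.Ext.relative_file_name_modify_time <= 900 or
(dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk","USB *") and not dll.path : "C:\\*") or
dll.path : ("\\Device\\Mup\\*", "?:\\Users\\Public\\*", "?:\\Windows\\Tasks\\*", "?:\\ProgramData\\*")) and
not dll.code_signature.status : "trusted" and dll.hash.sha256 != null and
not dll.path : ("?:\\Windows\\Installer\\*",
"?:\\Windows\\System32\\DriverStore\\FileRepository\\*",
"?:\\Windows\\SysWOW64\\DriverStore\\FileRepository\\*",
"?:\\Windows\\assembly\\*",
"?:\\Windows\\twain_32\\*") and
not (process.executable : ("?:\\Windows\\splwow64.exe", "?:\\Windows\\System32\\mstsc.exe") and
dll.path : "?:\\ProgramData\\EPSON\\*.DLL") and
not (process.code_signature.trusted == true and
process.code_signature.subject_name :
("PFU LIMITED", "Sky UK Limited", "Genetec inc", "Sky International AG",
"EFI Software (Electronics for Imaging, Inc.)", "Amazon.com Services LLC",
"VICON INDUSTRIES, INC.")) and
not (dll.name : "chrome_elf.dll" and dll.pe.original_file_name : "chrome_elf.dll") and
not dll.pe.imphash : ("8ed92d81df1fc6d13329436de2be9225", "71db138be05fb8109bd4d1747f7fab68") and
not dll.hash.sha256 :
("624bf5fbf96b6399fe0a624c8da7122cc207dba4273d6373fac7796d2dc1bed9",
"dfa6e54b8c5659abcf7f1ac605379afcde27f713ca6a071e9da1367c5f5098ea",
"4b3d1f4ec733afa5c593be64f251560515b91cb328e5c741ff877455aff0d453",
"b950c9f7fb8e9b558d9caf634d7463fb4bf0aaf69a501d8f922763f8837b0ad2",
"6eed2886728608f1b3f4a54a7a7d338ef1b1669f6f53a5d38bcd352f0ec755c9",
"139a3fba0e2035830021d50bd24b73dc6d5b8b0520ee6d946ebef1ec2f602ff0",
"127ebabd8e20267bdd26165cd26398bd9225d89b2977ff8de2b5f9da8a231e67",
"4a23537d3523441a06b705bca6a7bd601c450b17a0586d669b07fd86c1dc0962",
"3ed846264d5003acbd0dd624cbe4ca84606fe897fd8caa29350621906a3e28c0",
"b211c61e1fa89cbaf4570ee5f9712772582b2f4bb23597549ec32ea066a20b76",
"deaf71807722382d05244160ee35b1a14c0e621d7caf74c863475669e5c95b35",
"7bafd0da58d427bbe8a2d34c953a53809bcbb3ff6c6f90b8acbe6c2b3ab8fa08",
"8747dc251af9c3192bad2001786c626ad03903c3afaadb8c6a8c2627c66730bd",
"5c45a7439d127c09b74fa16a0b300fb290ba15d316397579985464be484b8e17",
"262816adf053d82039f17512bb4e168020cc7f5f37efdf712589a22b89903a80",
"96c8eb8c7ad08ef045861b711b1655df7346cd387580ba038d74e938f2037bf5",
"0c33dfdc0e86f85a0e848cfbb8820868a1df2cedb850ccaf9831659d1c00e3ee",
"454f7d08b4e572051be599d04f202518311f9af62e2046e4640b2b2dcbab1ff2",
"4e6a640686b467ea054785430b87cdce7579a03cbdc7934dd26b30212ea04318",
"43bb2dabb8bb734f32c73df321f8cb39794568c0aad4f020867f8878852747a4",
"55bfb4a17b931176304990be2f502c4e8b29c6ee2893527d973740e2104ca92f",
"c90a438b8de5d948e5f834ace04a0e34d20121d21b5a64b04f07bc3be2c349d9",
"3cc352ae187aeb3467649ea1a6c7351f42d703c42570873891e22dddd5aa1650",
"ff7a3550d183e202f16074f71744f3500b99a3fe8bd6f7d3c14d570854b2e06e",
"ddcbecf2cd2cd4904cf21e3db40c6a918df0ed3b258473fc5d6e2688dee72696",
"7c47cf9b3881355cb36781ee187adc45004f0a4239b6592c3628cf559835e515",
"34de1c3d74bcff8452bdd05251e9ac3f37fa73d7d0d842c5ccf8f1d4be31e733",
"0107b58df1574083db235906c3ed6897561fbcaef4921d01d76d80e4cf5c6cee",
"f03e30c6a8c883b0d2086894675f76c772368865bb1394274f1e7ae3284ab80a",
"bb1611e0a0b017a657aea72067ea00db4fd6731a4899e368b6860e07f0d61922",
"c64b26b3d1f6e3958fabd1180c76f6bb40b55e0a47844609d2557ec93f5a7cf0",
"3c31dd1de5d03b4c375d4a4acc5c3a782ba4a6635c7034af5d3d7d215bef5c86",
"e7e403ed90519579fc6bac225f957e3658b4612d5af582e64e8149e4eaca7477",
"07bc9d5b972acc1b9c11ea47104711ca487337131355f69019c6ac53577194a9",
"188d7f7979d3e69ef0f4059e7da221e690db684a93746cd4e7607397bc513c97",
"c33c59e0735971c4ad3ff96bedf51d74e4032206adeeea305df8f7c71b840d6d",
"20635d15698d547289edb8d512cec1a322a6a0f30d101d459cf6ea0d1f2f9c38",
"8a43ec41225a095bf1d6e027407e86a406c5b236e0a50c15b77c524cf2010597",
"cff49758ffcbb6d8166accb4dc905d31e79a5d587121f95ea691bf64536ce362",
"a986c968e948bd83033d9fda1a85c2f44e274f552bf5da9a899ab1ee794727f9",
"2edc91bd457353f798678ba55884e4e6dae66fec7b444e1750f6b8e83584905e",
"794f0f11f13aa2e43d2a5f0ff1938394ed71a95e4b3e8c4190907610573e3327",
"d6054babd7f4dce815e9bf888ed815398b63029165681a0b62f492900d2f2ad1",
"c827359d5b62371c5c033eefd011a2daf6d2bdaa203c29db64eeaa280248f6a1",
"8f0f64fb33cf656cdaed265a8184f16ea734fc3758224ab40796eb46bdb23cd0",
"dd2bc044ee8c887225fadea3c948ab88ad86a19eb5f32e69e129ff79fca46691")] as event0
[api where
process.Ext.api.name : "VirtualProtect*" and process.Ext.api.parameters.protection : ("*X*", "*W*") and
process.Ext.api.parameters.size > 4096 and
not process.thread.Ext.call_stack_final_user_module.name : "Kernel" and
(
_arraysearch(process.thread.Ext.call_stack, $entry, stringcontains~($entry.protection_provenance, event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|kernelbase.dll|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|kernelbase.dll|Unknown|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|Unknown|", event0.dll.name)) or
startswith~(process.thread.Ext.call_stack_summary, concat("ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|Unknown|kernelbase.dll|Unbacked|", event0.dll.name))
)
]
until [process where event.action:"end"]
'''
# Also declared under [internal] below; keep the two values in sync.
min_endpoint_version = "8.10.0"
reputation = true

# Response: terminate the process identified by event0/event1's entity id.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

# Offered as an optional follow-up to the kill, keyed on the same process.
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

# Sub-technique of the immediately preceding [[threat.technique]] (T1574).
[[threat.technique.subtechnique]]
id = "T1574.002"
name = "DLL Side-Loading"
reference = "https://attack.mitre.org/techniques/T1574/002/"

[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
# Mirrors rule.min_endpoint_version above.
min_endpoint_version = "8.10.0"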