[rule]
# Analyst-facing summary of what the rule alerts on; shown with the alert.
description = """
Identifies when a process loads a network library and the thread call stack is pointing to a modified memory module.
This may be the result of a code injection using module stomping or DLL hollowing via overwriting the content of legit
DLL with malicious code.
"""
id = "4388a77b-4ddf-4e15-8314-ecf96c77807a"
license = "Elastic License v2"
name = "Network Activity from a Stomped Module"
os_list = ["windows"]
version = "1.0.3"
# EQL sequence, correlated per process (process.entity_id), two events at most 2 minutes apart:
#   event0 - a VirtualProtect API call whose target address lies in a DLL under the listed
#            Windows / Program Files / Microsoft directories ("?:" stands for any drive letter),
#            excluding ntdll.dll and kernelbase.dll as targets and excluding calls whose final
#            user-mode frame is the kernel or one of the listed known-benign module paths.
#   event1 - in the same process, either a load of a networking DLL (ws2_32 / wininet / winhttp)
#            or a write/read under the per-user "Internet Settings" registry key, where:
#              * the call-stack summary starts at ntdll.dll and ends (case-insensitive, "~")
#                with the same DLL name that event0 protected, and
#              * at least one stack frame resolves into that DLL, sits in a private allocation
#                of >= 100000 bytes, and has non-empty callsite trailing bytes ("?*").
# The private-allocation + trailing-bytes conditions are what distinguish a stomped module
# (code executing from rewritten pages) from an ordinary load of the same system DLL.
# NOTE(review): the Program Files exclusions on call_stack_final_user_module.path are broad
# allowlists; keep them as narrow as the false-positive data allows, since any frame matched
# there suppresses the whole sequence.
query = '''
sequence by process.entity_id with maxspan=2m
[api where process.Ext.api.name == "VirtualProtect" and process.Ext.api.summary : "*.dll*" and
not process.Ext.api.metadata.target_address_name : ("ntdll.dll", "kernelbase.dll") and
process.Ext.api.metadata.target_address_path :
("?:\\Windows\\System32\\*.dll",
"?:\\Windows\\SysWOW64\\*.dll",
"\\Windows\\System32\\*.dll",
"\\Windows\\SysWOW64\\*.dll",
"?:\\program files*\\Microsoft\\*.dll",
"?:\\program files*\\Windows*.dll",
"?:\\program files*\\common files\\Microsoft*.dll") and
not process.thread.Ext.call_stack_final_user_module.name : ("kernel", "kernel|*") and
not process.thread.Ext.call_stack_final_user_module.path :
("?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"\\Program Files\\*",
"\\Program Files (x86)\\*",
"?:\\windows\\syswow64\\combase.dll",
"?:\\windows\\syswow64\\apphelp.dll",
"?:\\windows\\system32\\apphelp.dll",
"?:\\windows\\syswow64\\ntdll.dll",
"?:\\windows\\system32\\ntdll.dll",
"?:\\windows\\system32\\rltkapo64.dll")] as event0
[any where
(
(event.category : "library" and dll.name : ("ws2_32.dll", "wininet.dll", "winhttp.dll")) or
(event.category : "registry" and registry.path : "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\*")
) and
endswith~(process.thread.Ext.call_stack_summary, event0.process.Ext.api.metadata.target_address_name) and
process.thread.Ext.call_stack_summary : "ntdll.dll|*" and
_arraysearch(process.thread.Ext.call_stack, $entry,
$entry.allocation_private_bytes >= 100000 and
stringcontains~($entry.symbol_info, event0.process.Ext.api.metadata.target_address_name) and $entry.callsite_trailing_bytes : "?*")]
'''
# Lowest endpoint agent version that exposes the call-stack and API fields the query relies on.
min_endpoint_version = "8.10.0"
optional_actions = []
# Automatic response on match: terminate the process identified by process.entity_id.
[[actions]]
action = "kill_process"
field = "process.entity_id"
# presumably a state/enable flag for the action - meaning not defined in this file, confirm against the rule schema
state = 0
# ATT&CK mapping: Process Injection under the Defense Evasion tactic.
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# Internal metadata; mirrors the rule-level minimum version above and should be kept in sync with it.
[internal]
min_endpoint_version = "8.10.0"