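# Elastic Endpoint behavior-protection rule. [rule] holds the detection
# metadata and the `query`; [[actions]] / [[optional_actions]] describe the
# response on a match; [[threat]] maps the detection to MITRE ATT&CK.
[rule]
description = """
Detects Windows Memory API calls within a potentially altered call stack in order to conceal the true source of the
call.
"""
id = "0cd206df-f54d-47e8-9276-d6a73bb65f47"
license = "Elastic License v2"
name = "Potential Thread Call Stack Spoofing"
os_list = ["windows"]
version = "1.0.3"
# The query is an `any where` disjunction of three branches; a single event
# matching any one of them fires the rule:
#   1. An `api` event whose behaviors include proxy_call or indirect_syscall,
#      whose call stack has a frame in kernel32.dll!SetDefaultCommConfigW+0x*
#      or kernel32.dll!SortGetHandle*, and whose call_stack_summary is one of
#      five listed ntdll/kernelbase/kernel32 module sequences (two end in
#      "Unknown", two contain a wildcard segment).
#   2. A `library` event with the same symbol check, but against a narrower
#      list of three call_stack_summary values (no "Unknown" variants).
#   3. A proxy_call `api` event with summary
#      "ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll", a frame in
#      ntdll.dll!RtlDeregisterWaitEx*, and ntdll.dll as the final user module.
# NOTE(review): the symbols named here are presumably the frames a spoofed
# stack leaves behind on the call path — confirm against the research notes
# before loosening or tightening the patterns. Each branch's summary list is
# the part most likely to need tuning per endpoint version.
query = '''
any where
(
(event.category : "api" and
process.Ext.api.behaviors : ("proxy_call", "indirect_syscall") and
_arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : ("*kernel32.dll!SetDefaultCommConfigW+0x*", "*kernel32.dll!SortGetHandle*")) and
process.thread.Ext.call_stack_summary :
("ntdll.dll|kernelbase.dll|kernel32.dll|ntdll.dll",
"ntdll.dll|kernel32.dll|ntdll.dll",
"ntdll.dll|kernel32.dll|Unknown",
"ntdll.dll|kernel32.dll|*|Unknown",
"ntdll.dll|kernel32.dll|*|kernel32.dll|ntdll.dll")) or
(event.category : "library" and _arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : ("*kernel32.dll!SetDefaultCommConfigW+0x*", "*kernel32.dll!SortGetHandle*")) and
process.thread.Ext.call_stack_summary : ("ntdll.dll|kernelbase.dll|kernel32.dll|ntdll.dll", "ntdll.dll|kernel32.dll|ntdll.dll", "ntdll.dll|kernel32.dll|*|kernel32.dll|ntdll.dll")) or
(event.category : "api" and process.Ext.api.behaviors : "proxy_call" and
process.thread.Ext.call_stack_summary : "ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll" and
_arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : "*ntdll.dll!RtlDeregisterWaitEx*") and
process.thread.Ext.call_stack_final_user_module.name : "ntdll.dll")
)
'''
# Also declared under [internal] below; keep the two values in sync.
min_endpoint_version = "8.10.0"

# Response on match: terminate the matching process, keyed by its entity id.
# `state` semantics are not documented in this file — TODO confirm what 0 means.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

# Optional response (presumably file/registry rollback for the process when
# the feature is enabled — verify against the endpoint's action reference).
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

# Sub-table of the [[threat]] element above.
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
# Mirrors rule.min_endpoint_version; both copies exist in the original file.
min_endpoint_version = "8.10.0"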