# Endpoint behavior-protection rule (Elastic License v2; see `license`). The `[rule]` table
# carries the rule metadata and the detection query; the response action, MITRE mapping and
# internal metadata live in the top-level tables that follow.
[rule]
description = """
Identifies the load of the Microsoft Common Language Runtime DLL CLR.dll from unbacked memory region with suspicious
memory allocation properties. This could be the result of attempts to load an assembly from an already injected process.
"""
id = "ad2c6fcc-89d3-4939-85d9-d7114d6bbf14"
license = "Elastic License v2"
name = "Microsoft Common Language Runtime Loaded from Suspicious Memory"
os_list = ["windows"]
version = "1.0.22"
# EQL query evaluated on library-load events. A match requires all three of:
#   1. the loaded DLL is clr.dll;
#   2. a call-stack summary that ends in an Unbacked frame (memory not backed by a file on
#      disk), reached through mscoreei.dll, with or without the wow64 layer in between;
#   3. a call-stack frame at mscoreei.dll!CreateInterface.
# Everything after that is exclusions. Most pair an executable path with a trusted code
# signature and a specific subject name, which is the stronger form. The bare path list near
# the end is path-only, so any binary placed at one of those paths is excluded regardless of
# who signed it; the two callsite_trailing_bytes patterns are opaque byte-sequence exclusions
# with no recorded rationale. Both groups are the ones to revisit when tuning, since the
# [[actions]] entry below kills the matching process and each exclusion is also a gap.
# NOTE(review): the ADManager Plus exclusion is anchored to C:\ while every other path uses
# the ?: drive wildcard — confirm whether that narrowing is intended.
query = '''
library where dll.name : "clr.dll" and
process.thread.Ext.call_stack_summary :
("ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|mscoreei.dll|Unbacked",
"ntdll.dll|kernelbase.dll|mscoreei.dll|Unbacked") and
_arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : "*mscoreei.dll!CreateInterface*") and
not (process.executable : "?:\\Program Files\\Dell\\DTP\\DiagnosticsSubAgent\\Dell.TechHub.Diagnostics.SubAgent.exe" and
process.code_signature.trusted == true and process.code_signature.subject_name : "Dell Inc") and
not (process.code_signature.trusted == true and
process.code_signature.subject_name : ("Azul Systems, Inc.", "JetBrains s.r.o.", "HAYLEM Technologies Inc.", "MicroStrategy, Inc.", "Oracle America, Inc.")) and
not (process.executable : "C:\\ManageEngine\\ADManager Plus\\jre\\bin\\java.exe" and
process.code_signature.subject_name : "Oracle America, Inc." and process.code_signature.trusted == true) and
not (process.executable : "?:\\Program Files*\\Amazon Corretto\\jdk*\\bin\\java.exe" and
process.code_signature.subject_name : ("Amazon.com Services LLC", "Amazon Services LLC", "Adaptive Protocols, Inc.") and process.code_signature.trusted == true) and
not process.executable :
("?:\\Program Files\\Microsoft Visual Studio\\*.exe",
"?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe",
"?:\\Program Files (x86)\\PMP\\jre\\bin\\java.exe",
"?:\\Program Files\\ManageEngine\\PAM360\\jre\\bin\\java.exe",
"?:\\Program Files (x86)\\Adaptiva\\AdaptivaClient\\bin\\AdaptivaClientService.exe") and
not _arraysearch(process.thread.Ext.call_stack, $entry,
$entry.callsite_trailing_bytes : ("c5f8774883ec10c5fb1104244883ec104889042449ba00000000000000004*",
"*488b8d48ffffff48894b104c8b658049894424084c896588c745c0*"))
'''
# Minimum endpoint version this rule targets; the same value is recorded under [internal].
min_endpoint_version = "8.8.0"
# No optional actions; the response action is the [[actions]] entry below.
optional_actions = []
# Response action on a match: terminate the process identified by process.entity_id.
# Because this is a kill rather than an alert, the exclusions in the query are the only thing
# bounding the cost of a false positive.
[[actions]]
action = "kill_process"
field = "process.entity_id"
# NOTE(review): the meaning of `state` is not defined in this file — confirm against the
# rule schema before changing it.
state = 0
# MITRE ATT&CK mapping: T1055 Process Injection under the Defense Evasion tactic (TA0005).
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# Internal metadata; min_endpoint_version mirrors the value under [rule] and should be kept
# in sync with it.
[internal]
min_endpoint_version = "8.8.0"