Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe, originating from a Microsoft Office application / VBA macro, whose call trace points to injected shellcode
Sigma rule
```yaml
title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: process_access
    product: windows
    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection_target:
        TargetImage|endswith: '\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    selection_calltrace_1:
        CallTrace|contains|all:
            - '|UNKNOWN('
            - 'VBE7.DLL'
    selection_calltrace_2:
        SourceImage|contains: '\Microsoft Office\'
        CallTrace|contains: '|UNKNOWN'
    condition: selection_target and 1 of selection_calltrace_*
falsepositives:
    - Unknown
level: high
```
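The rule's selections and condition, evaluated over constructed Sysmon Event ID 10 records. This is an added example and not code from the Sigma project; the sample paths, module offsets and memory addresses are invented for illustration.

```python
# Added example (not Sigma project code): a stand-alone evaluator for the rule above, run
# over constructed Sysmon Event ID 10 records. Sigma's endswith/contains are case-insensitive.

def _f(ev: dict, name: str) -> str:
    return str(ev.get(name, "")).lower()

def selection_target(ev: dict) -> bool:
    # TargetImage ends with \verclsid.exe and PROCESS_ALL_ACCESS (0x1FFFFF) was granted
    return _f(ev, "TargetImage").endswith("\\verclsid.exe") and _f(ev, "GrantedAccess") == "0x1fffff"

def selection_calltrace_1(ev: dict) -> bool:
    # A frame in unbacked memory ("UNKNOWN(<addr>)") plus the VBA runtime DLL in the trace
    return "|unknown(" in _f(ev, "CallTrace") and "vbe7.dll" in _f(ev, "CallTrace")

def selection_calltrace_2(ev: dict) -> bool:
    # Source process under \Microsoft Office\ and an unbacked frame in the trace
    return "\\microsoft office\\" in _f(ev, "SourceImage") and "|unknown" in _f(ev, "CallTrace")

def matches(ev: dict) -> bool:
    # condition: selection_target and 1 of selection_calltrace_*
    return selection_target(ev) and (selection_calltrace_1(ev) or selection_calltrace_2(ev))

def alerts(events) -> list:
    # Indices of the events that satisfy the rule
    return [i for i, ev in enumerate(events) if matches(ev)]

# Constructed sample events; paths, offsets and addresses are illustrative only.
SAMPLE_EVENTS = [
    {   # Word macro opens verclsid.exe with full access from an unbacked frame: alert
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a5594|UNKNOWN(000001D3F3C20000)"
                     r"|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+1f2a0",
    },
    {   # Same Word process, limited access and only image-backed frames: no alert
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+2c0e6",
    },
    {   # Full access to verclsid.exe but no Office, VBA or unbacked-memory indicator: no alert
        "SourceImage": r"C:\Windows\System32\svchost.exe",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+2c0e6",
    },
]
```

Note that the rule only fires when the Sysmon configuration quoted in `definition` is in place, since Event ID 10 is not logged for verclsid.exe accesses otherwise.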
Related rules
- APT PRIVATELOG Image Load Pattern
- Potential Dridex Activity
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns