Malware Shellcode in Verclsid Target Process

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Sigma rule

title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
author: John Lambert (tech), Florian Roth (Nextron Systems)
date: 2017/03/04
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
    - detection.emerging_threats
logsource:
    category: process_access
    product: windows
    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection_target:
        TargetImage|endswith: '\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    selection_calltrace_1:
        CallTrace|contains|all:
            - '|UNKNOWN('
            - 'VBE7.DLL'
    selection_calltrace_2:
        SourceImage|contains: '\Microsoft Office\'
        CallTrace|contains: '|UNKNOWN'
    condition: selection_target and 1 of selection_calltrace_*
falsepositives:
    - Unknown
level: high
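To see how the three selections and the condition combine, here is the rule's detection block re-implemented in Python and run over constructed Sysmon Event ID 10 records. This is an added example, not code from the Sigma project; it assumes each record is a dict keyed by the Sysmon field names the rule uses (SourceImage, TargetImage, GrantedAccess, CallTrace), and the sample paths, offsets and addresses are made up.

```python
def _ci_contains(haystack: str, needle: str) -> bool:
    """Sigma string modifiers compare case-insensitively by default."""
    return needle.lower() in haystack.lower()

def matches_rule(event: dict) -> bool:
    """Evaluate 'selection_target and 1 of selection_calltrace_*' for one Event ID 10 record."""
    target, granted = event.get("TargetImage", ""), event.get("GrantedAccess", "")
    source, calltrace = event.get("SourceImage", ""), event.get("CallTrace", "")
    # selection_target: verclsid.exe opened with PROCESS_ALL_ACCESS (0x1FFFFF)
    selection_target = target.lower().endswith("\\verclsid.exe") and granted.lower() == "0x1fffff"
    # selection_calltrace_1: an unbacked (UNKNOWN) frame plus the VBA runtime on the stack
    selection_calltrace_1 = _ci_contains(calltrace, "|UNKNOWN(") and _ci_contains(calltrace, "VBE7.DLL")
    # selection_calltrace_2: any Office binary as source together with an unbacked frame
    selection_calltrace_2 = _ci_contains(source, "\\Microsoft Office\\") and _ci_contains(calltrace, "|UNKNOWN")
    return selection_target and (selection_calltrace_1 or selection_calltrace_2)

def scan(events: list) -> list:
    """Indices of the records that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
VERCLSID = "C:\\Windows\\System32\\verclsid.exe"
NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4"
# Constructed sample records (not real telemetry); offsets and addresses are made up.
SAMPLE_EVENTS = [
    {   # 0: WINWORD with an unbacked frame and VBE7.DLL on the stack -> selection_calltrace_1
        "SourceImage": OFFICE + "WINWORD.EXE", "TargetImage": VERCLSID, "GrantedAccess": "0x1FFFFF",
        "CallTrace": NTDLL + "|UNKNOWN(000001D4B2A40000)|C:\\Program Files\\Common Files\\"
                     "Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL+2a10"},
    {   # 1: EXCEL with an unbacked frame but no VBE7.DLL -> selection_calltrace_2
        "SourceImage": OFFICE + "EXCEL.EXE", "TargetImage": VERCLSID, "GrantedAccess": "0x1FFFFF",
        "CallTrace": NTDLL + "|UNKNOWN(000001D4B2A40000)"},
    {   # 2: explorer.exe with a fully module-backed stack -> no match
        "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": VERCLSID, "GrantedAccess": "0x1FFFFF",
        "CallTrace": NTDLL + "|C:\\Windows\\System32\\KERNELBASE.dll+2ba3e"},
    {   # 3: Office source and unbacked frame, but only 0x1000 granted -> no match
        "SourceImage": OFFICE + "WINWORD.EXE", "TargetImage": VERCLSID, "GrantedAccess": "0x1000",
        "CallTrace": NTDLL + "|UNKNOWN(000001D4B2A40000)"},
]

if __name__ == "__main__":
    print("records that fire:", scan(SAMPLE_EVENTS))  # [0, 1]
```

Record 3 shows why the exact GrantedAccess value matters: the same Office source and unbacked call stack does not fire unless the handle was opened with full access.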
