HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
Sigma rule (View on GitHub)
1title: HackTool - LittleCorporal Generated Maldoc Injection
2id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
3status: test
4description: Detects the process injection of a LittleCorporal generated Maldoc.
5references:
6 - https://github.com/connormcgarr/LittleCorporal
7author: Christian Burkard (Nextron Systems)
8date: 2021-08-09
9modified: 2023-11-28
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.privilege-escalation
14 - attack.t1204.002
15 - attack.t1055.003
16logsource:
17 category: process_access
18 product: windows
19detection:
20 selection:
21 SourceImage|endswith: '\winword.exe'
22 CallTrace|contains|all:
23 - ':\Windows\Microsoft.NET\Framework64\v2.'
24 - 'UNKNOWN'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
LittleCorporal: A C# Automated Maldoc Generator. Contribute to connormcgarr/LittleCorporal development by creating an account on GitHub.
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- Control Panel Items
- Created Files by Microsoft Sync Center