Potential NT API Stub Patching
Detects potential NT API stub patching as seen used by the project PatchingAPI
Sigma rule
title: Potential NT API Stub Patching
id: b916cba1-b38a-42da-9223-17114d846fd6
status: experimental
description: Detects potential NT API stub patching as seen used by the project PatchingAPI
references:
    - https://github.com/D1rkMtr/UnhookingPatch
    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/11/09
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        GrantedAccess: '0x1FFFFF'
        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    filter_main_generic:
        # To avoid FPs with installed applications. This filter assumes that if an application is located here, the attacker has already achieved admin rights
        - SourceImage|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
        - TargetImage|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
    filter_optional_thor:
        SourceImage|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_githubdesktop:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\app-'
        SourceImage|endswith:
            - '\GitHubDesktop.exe'
            - '\resources\app\git\usr\bin\sh.exe'
        TargetImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\app-'
    filter_main_dotnet:
        SourceImage|contains:
            - ':\Windows\Microsoft.NET\Framework\v'
            - ':\Windows\Microsoft.NET\Framework64\v'
        SourceImage|endswith: '\NGenTask.exe'
        TargetImage|contains:
            - ':\Windows\Microsoft.NET\Framework\v'
            - ':\Windows\Microsoft.NET\Framework64\v'
    filter_main_taskhost:
        SourceImage|contains:
            - ':\WINDOWS\system32\taskhostw.exe'
            - ':\Windows\system32\taskhost.exe'
        TargetImage|contains:
            - ':\Windows\Microsoft.NET\Framework\v'
            - ':\Windows\Microsoft.NET\Framework64\v'
        TargetImage|endswith: '\NGenTask.exe'
    filter_optional_teams_to_update:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
    filter_optional_teams_update_regsvr32:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
    filter_optional_teams_update_to_teams:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
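To make the rule's matching semantics concrete, the following is an added Python re-implementation of the selection and all filter blocks, run over constructed Sysmon Event ID 10 (ProcessAccess) records; it is example code written for this page, not part of the Sigma rule or the UnhookingPatch project, and the paths, addresses and CallTrace offsets in the sample events are made up. Sigma string modifiers compare case-insensitively, so every comparison lowercases both sides.

```python
TRUSTED = (':\\Program Files\\', ':\\Program Files (x86)\\', ':\\Windows\\System32\\', ':\\Windows\\SysWOW64\\')
DOTNET = (':\\Windows\\Microsoft.NET\\Framework\\v', ':\\Windows\\Microsoft.NET\\Framework64\\v')
GHD, TEAMS = '\\AppData\\Local\\GitHubDesktop\\app-', '\\AppData\\Local\\Microsoft\\Teams\\'

def contains(v, *n):      # Sigma |contains: a list of values is OR-ed
    return any(x.lower() in v.lower() for x in n)
def contains_all(v, *n):  # Sigma |contains|all: every value must be present
    return all(x.lower() in v.lower() for x in n)
def endswith(v, *n):      # Sigma |endswith
    return any(v.lower().endswith(x.lower()) for x in n)

def selection(e):
    # Full access rights, and a call trace that leaves the ntdll stub straight
    # into a region Sysmon cannot attribute to any loaded module ("UNKNOWN").
    ct = e['CallTrace'].lower()
    return (e['GrantedAccess'].lower() == '0x1fffff'
            and ct.startswith('c:\\windows\\system32\\ntdll.dll+')
            and '|unknown(' in ct and ct.endswith(')'))

def filtered(e):
    """True when any filter_main_* or filter_optional_* block matches (alert suppressed)."""
    s, t = e['SourceImage'], e['TargetImage']
    return (contains(s, *TRUSTED) or contains(t, *TRUSTED)                       # filter_main_generic
        or contains(s, *DOTNET) and endswith(s, '\\NGenTask.exe') and contains(t, *DOTNET)
        or contains(s, ':\\WINDOWS\\system32\\taskhostw.exe', ':\\Windows\\system32\\taskhost.exe')
           and contains(t, *DOTNET) and endswith(t, '\\NGenTask.exe')
        or endswith(s, '\\thor.exe', '\\thor64.exe')                                # filter_optional_thor
        or contains_all(s, ':\\Users\\', GHD) and contains_all(t, ':\\Users\\', GHD)
           and endswith(s, '\\GitHubDesktop.exe', '\\resources\\app\\git\\usr\\bin\\sh.exe')
        or endswith(s, TEAMS + 'stage\\Teams.exe') and endswith(t, TEAMS + 'Update.exe')
        or endswith(s, TEAMS + 'Update.exe') and endswith(t, ':\\WINDOWS\\SysWOW64\\regsvr32.exe')
        or endswith(s, TEAMS + 'Update.exe') and endswith(t, TEAMS + 'stage\\Teams.exe'))

def matches(e):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(e) and not filtered(e)

# Constructed Sysmon Event ID 10 records for illustration, not real telemetry.
PATCHED = 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|UNKNOWN(00007FF6A1B20000)'
NORMAL = 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d3e4|C:\\Windows\\System32\\KERNELBASE.dll+2a1b0'
def event(src, dst, trace=PATCHED, access='0x1FFFFF'):
    return dict(SourceImage=src, TargetImage=dst, CallTrace=trace, GrantedAccess=access)
EVENTS = {
    'alert':        event('C:\\Users\\alice\\Downloads\\tool.exe', 'C:\\Users\\alice\\AppData\\Local\\Temp\\t.exe'),
    'installed':    event('C:\\Program Files\\Vendor\\app.exe', 'C:\\Users\\alice\\AppData\\Local\\Temp\\t.exe'),
    'normal_trace': event('C:\\Users\\alice\\Downloads\\tool.exe', 'C:\\Users\\alice\\AppData\\Local\\Temp\\t.exe', NORMAL),
}

if __name__ == '__main__':
    for name, e in EVENTS.items():
        print(f'{name:13s} selection={selection(e)!s:5} filtered={filtered(e)!s:5} alert={matches(e)}')
```

Only the first record alerts: the second matches the selection but is suppressed by filter_main_generic because the source lives under Program Files, and the third never matches the selection because its call trace resolves to a mapped module rather than UNKNOWN.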
Related rules
- Potential Suspicious Activity Using SeCEdit
- HackTool - SharpEvtMute Execution
- SysmonEnte Usage
- Change Winevt Event Access Permission Via Registry
- Disable Windows Event Logging Via Registry