Potential NT API Stub Patching

Detects potential NT API stub patching as used by the project PatchingAPI

Sigma rule

title: Potential NT API Stub Patching
id: b916cba1-b38a-42da-9223-17114d846fd6
status: experimental
description: Detects potential NT API stub patching as used by the project PatchingAPI
references:
    - https://github.com/D1rkMtr/UnhookingPatch
    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/11/27
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        GrantedAccess: '0x1FFFFF'
        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    filter_main_generic:
        # To avoid FP with installed applications. This filter assumes that if an application is located here, the attacker has already achieved admin rights
        - SourceImage|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
        - TargetImage|contains:
              - ':\Program Files\'
              - ':\Program Files (x86)\'
              - ':\Windows\System32\'
              - ':\Windows\SysWOW64\'
    filter_optional_thor:
        SourceImage|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_githubdesktop:
        SourceImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\app-'
        SourceImage|endswith:
            - '\GitHubDesktop.exe'
            - '\resources\app\git\usr\bin\sh.exe'
        TargetImage|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\app-'
    filter_main_dotnet:
        SourceImage|contains: ':\Windows\Microsoft.NET\'
        TargetImage|contains: ':\Windows\Microsoft.NET\'
    filter_main_taskhost:
        SourceImage|contains:
            - ':\Windows\system32\taskhostw.exe'
            - ':\Windows\system32\taskhost.exe'
        TargetImage|contains:
            - ':\Windows\Microsoft.NET\Framework\v'
            - ':\Windows\Microsoft.NET\Framework64\v'
        TargetImage|endswith: '\NGenTask.exe'
    filter_optional_teams_to_update:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
    filter_optional_teams_update_regsvr32:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
    filter_optional_teams_update_to_teams:
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
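Worked example, added here and not part of the Sigma project or the rule author's code: the rule's selection, filters and condition translated by hand into Python and run over a handful of constructed Sysmon Event ID 10 (ProcessAccess) records. Every image path, stack offset and address in the samples is made up. Comparisons casefold both sides because Sigma string modifiers match case-insensitively, which is what lets the rule's ':\Windows\system32\taskhostw.exe' spelling match a 'System32' path. The samples also show the point a tuner should keep in mind: filter_main_generic suppresses the event whenever either the source or the target lives under Program Files, System32 or SysWOW64.

```python
"""Hand-translation of the 'Potential NT API Stub Patching' Sigma rule (added
example, not a Sigma backend). Sigma string matching is case-insensitive, so
every comparison casefolds both operands."""
from dataclasses import dataclass


@dataclass
class ProcessAccess:
    """The four Sysmon Event ID 10 fields the rule inspects."""
    source_image: str
    target_image: str
    granted_access: str
    call_trace: str


def contains(value, *needles):          # Sigma `|contains`, any of the list
    return any(n.casefold() in value.casefold() for n in needles)

def startswith(value, *prefixes):       # Sigma `|startswith`
    return any(value.casefold().startswith(p.casefold()) for p in prefixes)

def endswith(value, *suffixes):         # Sigma `|endswith`
    return any(value.casefold().endswith(s.casefold()) for s in suffixes)

def contains_all(value, *needles):      # Sigma `|contains|all`
    return all(contains(value, n) for n in needles)


def selection(e):
    """Full-rights handle plus a call stack that starts in ntdll and ends in unbacked memory."""
    return (e.granted_access.casefold() == '0x1fffff'
            and startswith(e.call_trace, 'C:\\Windows\\SYSTEM32\\ntdll.dll+')
            and contains(e.call_trace, '|UNKNOWN(')
            and endswith(e.call_trace, ')'))


TRUSTED_DIRS = (':\\Program Files\\', ':\\Program Files (x86)\\',
                ':\\Windows\\System32\\', ':\\Windows\\SysWOW64\\')
TEAMS = '\\AppData\\Local\\Microsoft\\Teams\\'
GHD = '\\AppData\\Local\\GitHubDesktop\\app-'

# One function per filter. In Sigma a map is an AND of its keys; a list of maps is an OR.
FILTERS = {
    'filter_main_generic': lambda e: (contains(e.source_image, *TRUSTED_DIRS)
                                      or contains(e.target_image, *TRUSTED_DIRS)),
    'filter_optional_thor': lambda e: endswith(e.source_image, '\\thor.exe', '\\thor64.exe'),
    'filter_optional_githubdesktop': lambda e: (
        contains_all(e.source_image, ':\\Users\\', GHD)
        and endswith(e.source_image, '\\GitHubDesktop.exe',
                     '\\resources\\app\\git\\usr\\bin\\sh.exe')
        and contains_all(e.target_image, ':\\Users\\', GHD)),
    'filter_main_dotnet': lambda e: (contains(e.source_image, ':\\Windows\\Microsoft.NET\\')
                                     and contains(e.target_image, ':\\Windows\\Microsoft.NET\\')),
    'filter_main_taskhost': lambda e: (
        contains(e.source_image, ':\\Windows\\system32\\taskhostw.exe',
                 ':\\Windows\\system32\\taskhost.exe')
        and contains(e.target_image, ':\\Windows\\Microsoft.NET\\Framework\\v',
                     ':\\Windows\\Microsoft.NET\\Framework64\\v')
        and endswith(e.target_image, '\\NGenTask.exe')),
    'filter_optional_teams_to_update': lambda e: (
        endswith(e.source_image, TEAMS + 'stage\\Teams.exe')
        and endswith(e.target_image, TEAMS + 'Update.exe')),
    'filter_optional_teams_update_regsvr32': lambda e: (
        endswith(e.source_image, TEAMS + 'Update.exe')
        and endswith(e.target_image, ':\\WINDOWS\\SysWOW64\\regsvr32.exe')),
    'filter_optional_teams_update_to_teams': lambda e: (
        endswith(e.source_image, TEAMS + 'Update.exe')
        and endswith(e.target_image, TEAMS + 'stage\\Teams.exe')),
}


def evaluate(e):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    matched = [name for name, f in FILTERS.items() if f(e)]
    sel = selection(e)
    alert = sel and not any(n.startswith(('filter_main_', 'filter_optional_')) for n in matched)
    return {'selection': sel, 'matched_filters': matched, 'alert': alert}


def run_rule(events):
    """Indices of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if evaluate(e)['alert']]


# Constructed sample records: offsets, addresses and user paths are made up.
TRACE = 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|UNKNOWN(000001E6D2A40110)'
SAMPLES = [
    # 0: user-land tool opens another user process with full rights -> alert
    ProcessAccess('C:\\Users\\alice\\Downloads\\loader.exe',
                  'C:\\Users\\alice\\Downloads\\victim.exe', '0x1FFFFF', TRACE),
    # 1: same call stack, but the source lives under Program Files -> filter_main_generic
    ProcessAccess('C:\\Program Files\\Vendor\\updater.exe',
                  'C:\\Users\\alice\\Downloads\\victim.exe', '0x1FFFFF', TRACE),
    # 2: all-lowercase fields -> still an alert, because matching is case-insensitive
    ProcessAccess('c:\\users\\bob\\tmp\\a.exe', 'c:\\users\\bob\\tmp\\b.exe', '0x1fffff',
                  'c:\\windows\\system32\\ntdll.dll+9d4f4|unknown(00007ff6a1b20000)'),
    # 3: every frame resolves to a module -> selection does not match
    ProcessAccess('C:\\Users\\alice\\Downloads\\loader.exe',
                  'C:\\Users\\alice\\Downloads\\victim.exe', '0x1FFFFF',
                  'C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|C:\\Windows\\System32\\KERNELBASE.dll+2c3ae'),
    # 4: taskhostw -> NGenTask is excluded by filter_main_taskhost (and by the generic filter)
    ProcessAccess('C:\\Windows\\system32\\taskhostw.exe',
                  'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe',
                  '0x1FFFFF', TRACE),
]

if __name__ == '__main__':
    for i, ev in enumerate(SAMPLES):
        print(i, evaluate(ev))
```

Running the module prints one verdict per sample; only samples 0 and 2 fire. Sample 4 is listed to show that a single event can hit several filters at once (here both filter_main_generic and filter_main_taskhost), so removing one filter during tuning does not necessarily change the outcome.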
