Potential Shellcode Injection

Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject

Sigma rule (View on GitHub)

 1title: Potential Shellcode Injection
 2id: 250ae82f-736e-4844-a68b-0b5e8cc887da
 3status: test
 4description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 5references:
 6    - https://github.com/EmpireProject/PSInject
 7author: Bhabesh Raj
 8date: 2022/03/11
 9modified: 2023/11/29
10tags:
11    - attack.defense_evasion
12    - attack.privilege_escalation
13    - attack.t1055
14logsource:
15    category: process_access
16    product: windows
17detection:
18    selection:
19        GrantedAccess:
20            - '0x147a'
21            - '0x1f3fff'
22        CallTrace|contains: 'UNKNOWN'
23    filter_optional_dell_folders:
24        # If dell software is installed we get matches like these
25        # Example 1:
26        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
27        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
28        #   GrantedAccess: 0x1F3FFF
29        # Example 2:
30        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
31        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
32        #   GrantedAccess: 0x1F3FFF
33        # Example 3:
34        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
35        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
36        #   GrantedAccess: 0x1F3FFF
37        SourceImage|contains:
38            - ':\Program Files\Dell\'
39            - ':\Program Files (x86)\Dell\'
40        TargetImage|contains:
41            - ':\Program Files\Dell\'
42            - ':\Program Files (x86)\Dell\'
43        GrantedAccess: '0x1F3FFF'
44        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
45    filter_optional_dell_specifc:
46        SourceImage|endswith: ':\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
47        TargetImage|endswith: ':\Windows\Explorer.EXE'
48        GrantedAccess: '0x1F3FFF'
49        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
50    filter_optional_visual_studio:
51        SourceImage|endswith:
52            - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
53            - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
54        TargetImage|endswith:
55            - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
56            - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
57        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
58    filter_optional_ddvdatacollector:
59        SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
60        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
61        TargetImage|endswith: ':\Program Files\Dell\DellDataVault\DDVDataCollector.exe'
62    filter_optional_wmiprvese:
63        SourceImage|endswith: ':\Windows\System32\Wbem\Wmiprvse.exe'
64        TargetImage|endswith: ':\Windows\system32\lsass.exe'
65        CallTrace|startswith: '?:\Windows\SYSTEM32\ntdll.dll'
66    condition: selection and not 1 of filter_optional_*
67falsepositives:
68    - Unknown
69level: high


