Potential Shellcode Injection
Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
Sigma rule
```yaml
title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
references:
    - https://github.com/EmpireProject/PSInject
author: Bhabesh Raj
date: 2022/03/11
modified: 2023/11/29
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
logsource:
    category: process_access
    product: windows
detection:
    selection:
        GrantedAccess:
            - '0x147a'
            - '0x1f3fff'
        CallTrace|contains: 'UNKNOWN'
    filter_optional_dell_folders:
        # If dell software is installed we get matches like these
        # Example 1:
        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 2:
        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 3:
        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   GrantedAccess: 0x1F3FFF
        SourceImage|contains:
            - ':\Program Files\Dell\'
            - ':\Program Files (x86)\Dell\'
        TargetImage|contains:
            - ':\Program Files\Dell\'
            - ':\Program Files (x86)\Dell\'
        GrantedAccess: '0x1F3FFF'
        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
    filter_optional_dell_specifc:
        SourceImage|endswith: ':\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        TargetImage|endswith: ':\Windows\Explorer.EXE'
        GrantedAccess: '0x1F3FFF'
        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
    filter_optional_visual_studio:
        SourceImage|endswith:
            - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
            - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
        TargetImage|endswith:
            - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
            - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
        CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
    filter_optional_ddvdatacollector:
        SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
        TargetImage|endswith: ':\Program Files\Dell\DellDataVault\DDVDataCollector.exe'
    filter_optional_wmiprvese:
        SourceImage|endswith: ':\Windows\System32\Wbem\Wmiprvse.exe'
        TargetImage|endswith: ':\Windows\system32\lsass.exe'
        CallTrace|startswith: '?:\Windows\SYSTEM32\ntdll.dll'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
```
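Added example, not part of the rule or of SigmaHQ: a small Python evaluator that applies the rule's selection and two of its filter_optional_* blocks to constructed Sysmon Event ID 10 (process_access) records, so you can see which events the rule flags and which the Dell and WMI filters suppress. It assumes Sigma's default string semantics (case-insensitive matching, with `*` and `?` as wildcards), which is why '0x1f3fff' in the selection and '0x1F3FFF' in the filter denote the same access mask and why '?:\Windows\...' matches any drive letter; the process images, addresses and stack frames in EVENTS are made up.

```python
import fnmatch

def sigma_match(value, pattern, mode="equals"):
    """Sigma string matching: case-insensitive; '*' and '?' are wildcards."""
    v, p = str(value).lower(), pattern.lower()
    p = {"contains": "*" + p + "*", "startswith": p + "*", "endswith": "*" + p}.get(mode, p)
    return fnmatch.fnmatchcase(v, p)

# The rule's selection: every field must match (AND); list values are OR-ed.
SELECTION = {
    "GrantedAccess": ["0x147a", "0x1f3fff"],
    "CallTrace|contains": ["UNKNOWN"],
}
# Two of the rule's filter_optional_* blocks, transcribed from the YAML above.
FILTERS = [
    {"SourceImage|contains": [":\\Program Files\\Dell\\", ":\\Program Files (x86)\\Dell\\"],
     "TargetImage|contains": [":\\Program Files\\Dell\\", ":\\Program Files (x86)\\Dell\\"],
     "GrantedAccess": ["0x1F3FFF"],
     "CallTrace|startswith": ["?:\\Windows\\System32\\ntdll.dll"]},
    {"SourceImage|endswith": [":\\Windows\\System32\\Wbem\\Wmiprvse.exe"],
     "TargetImage|endswith": [":\\Windows\\system32\\lsass.exe"],
     "CallTrace|startswith": ["?:\\Windows\\SYSTEM32\\ntdll.dll"]},
]

def block_matches(event, block):
    """All conditions of a Sigma map must hold; a missing field never matches."""
    for key, patterns in block.items():
        field, _, mode = key.partition("|")
        if field not in event:
            return False
        if not any(sigma_match(event[field], p, mode or "equals") for p in patterns):
            return False
    return True

def rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return block_matches(event, SELECTION) and not any(block_matches(event, f) for f in FILTERS)

# Constructed Sysmon Event ID 10 (process_access) records, not real telemetry.
EVENTS = [
    {"SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",  # alert: unbacked frame
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1F3FFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|UNKNOWN(000001E4A7B20000)"},
    {"SourceImage": "C:\\Program Files\\Dell\\SupportAssistAgent\\bin\\SupportAssistAgent.exe",
     "TargetImage": "C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe", "GrantedAccess": "0x1F3FFF",
     "CallTrace": "C:\\Windows\\System32\\ntdll.dll+9d2e4|UNKNOWN(00007FF812340000)"},  # Dell filter
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000",  # read-only access: selection not met
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|UNKNOWN(00007FF812340000)"},
]
```

Only the first record is an alert; the second meets the selection but is removed by filter_optional_dell_folders, and the third never meets the selection because its GrantedAccess is not one of the two listed masks.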
Related rules
- CobaltStrike Named Pipe Patterns
- PowerShell ShellCode
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation By Uncommon Source Image
- Malicious Named Pipe Created