-
-
Notifications
You must be signed in to change notification settings - Fork 209
Expand file tree
/
Copy pathdefense_evasion_dll_loaded_via_callback_function.yml
More file actions
42 lines (39 loc) · 1.57 KB
/
defense_evasion_dll_loaded_via_callback_function.yml
File metadata and controls
42 lines (39 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: DLL loaded via a callback function
id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
version: 1.0.6
description: |
Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
function.
labels:
tactic.id: TA0005
tactic.name: Defense Evasion
tactic.ref: https://attack.mitre.org/tactics/TA0005/
technique.id: T1055
technique.name: Process Injection
technique.ref: https://attack.mitre.org/techniques/T1055/
tags:
- https://github.com/hlldz/misc/tree/main/proxy_calls
- https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
condition: >
sequence
maxspan 2m
by ps.uuid
|spawn_process|
|load_dll and dll.name iin
(
'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll',
'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll'
) and
thread.callstack.summary imatches
(
'ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll',
'ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll'
)
|
output: >
%2.module.path loaded from callback function by process %ps.exe
severity: high
min-engine-version: 3.0.0