defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
name: .NET assembly loaded by unmanaged process
id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
version: 1.2.0
description: |
  Identifies the loading of a .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
  inside an unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1055
  technique.name: Process Injection
  technique.ref: https://attack.mitre.org/techniques/T1055/
references:
  - https://detect.fyi/exploring-execute-assembly-a-deep-dive-into-in-memory-threat-execution-60adc61aef8
  - https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process
condition: >
  sequence
  maxspan 1m
  by ps.uuid
    |spawn_process and
      ps.token.integrity_level != 'SYSTEM' and
      ps.exe not imatches
      (
        '?:\\Windows\\system32\\DllHost.exe',
        '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe',
        '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
        '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
        '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
        '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
        '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
        '?:\\Program Files\\WindowsApps\\Microsoft.WinDbg_*\\*.exe',
        '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
        '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
        '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
        '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
        '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\WinStore.DesktopExtension\\StoreDesktopExtension.exe'
      )
    |
    |(load_unsigned_or_untrusted_module) and
      dll.path not imatches
      (
        '?:\\Windows\\System32\\*.dll',
        '?:\\Windows\\assembly\\*\\*.ni.dll',
        '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
        '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
        '?:\\$WinREAgent\\Scratch\\*.dll',
        '?:\\Windows\\WinSxS\\*.dll',
        '?:\\Windows\\CbsTemp\\*.dll',
        '?:\\Windows\\SoftwareDistribution\\*.dll',
        '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\*.dll'
      ) and
      ps.exe != '' and ps.pe.is_dotnet = false and
      (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll'))
    |
output: >
  .NET assembly %2.dll.path loaded by unmanaged process %2.ps.exe
severity: high
min-engine-version: 3.0.0
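Added example, not part of the rule file or of its detection engine: a small Python model of the rule's two-stage sequence (process spawn, then untrusted module load, joined by ps.uuid within maxspan), run over constructed events to show which loads produce the rule's output line. The exclusion lists are subsets of the ones above; the event dictionaries, field spellings, paths and timestamps are assumptions made for this example.

```python
import fnmatch

# Subsets of the rule's exclusion lists ('?' = one character, '*' = any run).
PROC_EXCL = [r"?:\Windows\system32\DllHost.exe", r"?:\Windows\Microsoft.NET\Framework64\*\ngen.exe"]
DLL_EXCL = [r"?:\Windows\System32\*.dll", r"?:\Windows\assembly\*\*.ni.dll"]
MAXSPAN = 60  # 'maxspan 1m'; event timestamps below are seconds

def imatches(value, patterns):
    """Model of the rule's 'imatches': case-insensitive glob against any pattern."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def stage1(ev):  # |spawn_process and ...|
    return (ev["type"] == "spawn_process" and ev["ps.token.integrity_level"] != "SYSTEM"
            and not imatches(ev["ps.exe"], PROC_EXCL))

def stage2(ev):  # |(load_unsigned_or_untrusted_module) and ...|
    return (ev["type"] == "load_module" and ev["unsigned_or_untrusted"]
            and not imatches(ev["dll.path"], DLL_EXCL) and ev["ps.exe"] != ""
            and ev["ps.pe.is_dotnet"] is False
            and (ev["dll.pe.is_dotnet"]
                 or any(imatches(m, ["*clr.dll"]) for m in ev["thread.callstack.modules"])))

def evaluate(events):
    """Join stage-1 spawns to later stage-2 loads 'by ps.uuid' within MAXSPAN; return output lines."""
    spawned, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if stage1(ev):
            spawned[ev["ps.uuid"]] = ev["ts"]
        elif stage2(ev) and ev["ps.uuid"] in spawned and ev["ts"] - spawned[ev["ps.uuid"]] <= MAXSPAN:
            alerts.append(f".NET assembly {ev['dll.path']} loaded by unmanaged process {ev['ps.exe']}")
    return alerts

# Constructed sample telemetry (not real captures); two helpers keep the events short.
def spawn(uuid, exe, ts, level="MEDIUM"):
    return {"type": "spawn_process", "ts": ts, "ps.uuid": uuid, "ps.exe": exe,
            "ps.token.integrity_level": level}

def load(uuid, exe, dll, ts, is_dotnet=True, stack=()):
    return {"type": "load_module", "ts": ts, "ps.uuid": uuid, "ps.exe": exe, "dll.path": dll,
            "unsigned_or_untrusted": True, "ps.pe.is_dotnet": False,
            "dll.pe.is_dotnet": is_dotnet, "thread.callstack.modules": list(stack)}

TMP, NGEN = r"C:\Users\bob\AppData\Local\Temp", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
SAMPLE_EVENTS = [
    spawn(1, TMP + r"\updater.exe", 0), load(1, TMP + r"\updater.exe", TMP + r"\payload.dll", 10),  # fires
    spawn(2, NGEN, 0), load(2, NGEN, TMP + r"\helper.dll", 5),                  # excluded process, no alert
    spawn(3, TMP + r"\svc.exe", 0), load(3, TMP + r"\svc.exe", TMP + r"\late.dll", 120),  # past maxspan
    spawn(4, TMP + r"\host.exe", 0),  # native DLL, but clr.dll on the loading thread's call stack: fires
    load(4, TMP + r"\host.exe", TMP + r"\native.dll", 3, is_dotnet=False, stack=["ntdll.dll", "clr.dll"]),
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two output lines, for host.exe (matched through the clr.dll call-stack branch) and updater.exe; the excluded ngen.exe spawn and the load outside the one-minute window produce none.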