defense_evasion_process_execution_from_self_deleting_binary.yml
51 lines (48 loc) · 2.05 KB
name: Process execution from a self-deleting binary
id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
version: 1.0.6
description: |
  Identifies the execution of the process from a self-deleting binary. The attackers can
  abuse undocumented API functions to create a process from a file-backed section. The file
  is put into a delete-pending state allowing the attacker to bypass kernel callback controls
  by closing the handle to the file before the main thread is spawned.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1055
  technique.name: Process Injection
  technique.ref: https://attack.mitre.org/techniques/T1055/
references:
  - https://github.com/hasherezade/process_ghosting
  - https://www.elastic.co/es/blog/process-ghosting-a-new-executable-image-tampering-attack

condition: >
  sequence
  maxspan 1m
    |delete_file and
      file.info.is_disposition_delete_file and
      ps.exe not imatches
        (
          '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
          '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe',
          '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe',
          '?:\\WINDOWS\\System32\\svchost.exe',
          '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe',
          '?:\\Windows\\UUS\\*\\wuaucltcore.exe'
        ) and
      ps.parent.exe not imatches '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe' and
      file.path not imatches
        (
          '?:\\Windows\\SoftwareDistribution\\Download\\*.exe',
          '?:\\Windows\\uus\\packages\\preview\\*.exe',
          '?:\\$WinREAgent\\Scratch\\*.exe',
          '?:\\WINDOWS\\WinSxS\\*.exe',
          '?:\\WINDOWS\\CbsTemp\\*.exe',
          '?:\\WINDOWS\\SoftwareDistribution\\*.exe'
        )
    | by file.name
    |load_module and ext(module.path) != '.dll'| by module.name

output: >
  Process %2.module.path spawned from self-deleting binary
severity: high

min-engine-version: 3.0.0
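The rule above is a two-leg sequence: a delete_file event whose file is already in the delete-pending state (and which none of the exclusions cover), followed within one minute by a load_module event for a non-DLL image of the same name, which is how a process mapped from a ghosted section shows up. The following is an added example, not Fibratus code and not part of the rule file: a small Python model of that correlation, run over constructed events, so the exclusions, the file.name/module.name join and the maxspan window can be exercised offline. Assumptions made here: the rule's `imatches` is modelled as a case-insensitive glob (`?` one character, `*` any run), the `\\` that Fibratus uses for a path backslash is written as a single backslash in raw Python strings, `ext()` is treated as returning the dotted extension compared case-insensitively, and the sequence keeps only the most recent pending delete_file per file name.

```python
import fnmatch
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # `maxspan 1m` in the rule

# Exclusion lists copied from the rule. Fibratus writes a path backslash as `\\`
# inside its single-quoted strings; the same patterns are raw strings here.
PS_EXE_EXCLUSIONS = [
    r"?:\$WINDOWS.~BT\Sources\SetupHost.exe",
    r"?:\WINDOWS\uus\packages\preview\*\wuaucltcore.exe",
    r"?:\WINDOWS\uus\packages\preview\*\MoUsoCoreWorker.exe",
    r"?:\WINDOWS\System32\svchost.exe",
    r"?:\WINDOWS\winsxs\*\TiWorker.exe",
    r"?:\Windows\UUS\*\wuaucltcore.exe",
]
PS_PARENT_EXE_EXCLUSIONS = [r"?:\WINDOWS\uus\*\wuaucltcore.exe"]
FILE_PATH_EXCLUSIONS = [
    r"?:\Windows\SoftwareDistribution\Download\*.exe",
    r"?:\Windows\uus\packages\preview\*.exe",
    r"?:\$WinREAgent\Scratch\*.exe",
    r"?:\WINDOWS\WinSxS\*.exe",
    r"?:\WINDOWS\CbsTemp\*.exe",
    r"?:\WINDOWS\SoftwareDistribution\*.exe",
]


def imatches(value: str, patterns) -> bool:
    """Case-insensitive glob match, modelling the rule's `imatches` (assumption)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def ext(path: str) -> str:
    """Dotted extension of a Windows path, lower-cased (assumed behaviour of `ext()`)."""
    return ntpath.splitext(path)[1].lower()


@dataclass
class Event:
    kind: str        # "delete_file" or "load_module"
    ts: datetime
    fields: dict     # rule field names -> values


def delete_file_matches(ev: Event) -> bool:
    """First leg: a delete-pending file not covered by any exclusion."""
    f = ev.fields
    return (
        ev.kind == "delete_file"
        and f.get("file.info.is_disposition_delete_file") is True
        and not imatches(f["ps.exe"], PS_EXE_EXCLUSIONS)
        and not imatches(f["ps.parent.exe"], PS_PARENT_EXE_EXCLUSIONS)
        and not imatches(f["file.path"], FILE_PATH_EXCLUSIONS)
    )


def load_module_matches(ev: Event) -> bool:
    """Second leg: an image load that is not a DLL, i.e. the process's own executable."""
    return ev.kind == "load_module" and ext(ev.fields["module.path"]) != ".dll"


def correlate(events):
    """Join the legs on file.name == module.name within MAXSPAN; return the rule outputs."""
    pending = {}  # lower-cased file.name -> timestamp of the matching delete_file event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if delete_file_matches(ev):
            pending[ev.fields["file.name"].lower()] = ev.ts
        elif load_module_matches(ev):
            key = ev.fields["module.name"].lower()
            t0 = pending.get(key)
            if t0 is not None and ev.ts - t0 <= MAXSPAN:
                alerts.append(f"Process {ev.fields['module.path']} spawned from self-deleting binary")
                del pending[key]
    return alerts


# Constructed sample events (timestamps, paths and names are made up for this example).
T0 = datetime(2024, 1, 1, 12, 0, 0)
TMP = r"C:\Users\alice\AppData\Local\Temp"
_DROPPER = {"ps.exe": TMP + r"\dropper.exe", "ps.parent.exe": r"C:\Windows\explorer.exe",
            "file.info.is_disposition_delete_file": True}
SAMPLE_EVENTS = [
    # 1) delete-pending file from an unknown process, mapped as an image 2 s later -> alert
    Event("delete_file", T0, {**_DROPPER, "file.name": "payload.exe", "file.path": TMP + r"\payload.exe"}),
    Event("load_module", T0 + timedelta(seconds=2), {"module.name": "payload.exe", "module.path": TMP + r"\payload.exe"}),
    # 2) Windows Update staging: same shape, but ps.exe and file.path hit the exclusions
    Event("delete_file", T0 + timedelta(seconds=10), {
        "file.name": "update.exe", "file.path": r"C:\Windows\SoftwareDistribution\Download\update.exe",
        "file.info.is_disposition_delete_file": True,
        "ps.exe": r"C:\Windows\System32\svchost.exe", "ps.parent.exe": r"C:\Windows\System32\services.exe"}),
    Event("load_module", T0 + timedelta(seconds=12), {"module.name": "update.exe", "module.path": r"C:\Windows\SoftwareDistribution\Download\update.exe"}),
    # 3) image load arrives 80 s after the delete -> outside maxspan
    Event("delete_file", T0 + timedelta(seconds=20), {**_DROPPER, "file.name": "late.exe", "file.path": TMP + r"\late.exe"}),
    Event("load_module", T0 + timedelta(seconds=100), {"module.name": "late.exe", "module.path": TMP + r"\late.exe"}),
    # 4) a DLL with the same name as the pending file -> filtered by ext(module.path) != '.dll'
    Event("delete_file", T0 + timedelta(seconds=30), {**_DROPPER, "file.name": "helper.dll", "file.path": TMP + r"\helper.dll"}),
    Event("load_module", T0 + timedelta(seconds=31), {"module.name": "helper.dll", "module.path": TMP + r"\helper.dll"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the first pair fires; the update case shows why the ps.exe and file.path exclusions exist (servicing components legitimately stage delete-on-close executables), and the late and DLL cases show the two remaining filters of the rule doing their work.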