defense_evasion_suspicious_activity_from_reflected_process.yml
48 lines (45 loc) · 1.72 KB
name: Suspicious activity from a reflected process
id: 2c5d3663-3e76-4cba-bd72-178757112f2c
version: 1.0.0
description: |
  Detects the execution of a process clone via RtlCreateProcessReflection
  followed by network activity or loading of common networking DLLs.
  This behaviour may indicate that an attacker is abusing process reflection
  for shellcode injection.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1055
  technique.name: Process Injection
  technique.ref: https://attack.mitre.org/techniques/T1055/
references:
  - https://unprotect.it/technique/dirty-vanity/
  - https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/Dirty_Vanity
  - https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass
condition: >
  sequence
  maxspan 2m
  by ps.uuid
    |spawn_process and
     thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')
    |
    |(connect_socket and
      net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and
      not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')) or
     (load_dll and dll.name iin
      (
        'dnsapi.dll',
        'ws2_32.dll',
        'winhttp.dll',
        'bitsproxy.dll',
        'wininet.dll',
        'mswsock.dll',
        'iphlpapi.dll',
        'httpapi.dll'
      ))
    |
action:
  - name: kill
severity: high
min-engine-version: 3.0.0
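As an added illustration, not part of the rule file or of the detection engine that consumes it, the following Python evaluator applies the same two-stage sequence (reflected spawn, then external connection or networking-DLL load within 2 minutes, correlated per process) to constructed sample events. The event dict layout and the keys ps_uuid, symbols, dip and dll are assumptions standing in for the rule's ps.uuid, thread.callstack.symbols, net.dip and dll.name.

```python
import fnmatch
import ipaddress

MAXSPAN = 120  # seconds, the rule's "maxspan 2m"
REFLECTION_SYMBOLS = ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')
NET_DLLS = {'dnsapi.dll', 'ws2_32.dll', 'winhttp.dll', 'bitsproxy.dll',
            'wininet.dll', 'mswsock.dll', 'iphlpapi.dll', 'httpapi.dll'}
LOCAL_NETS = [ipaddress.ip_network(c) for c in
              ('127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def is_reflected_spawn(ev):
    # Stage 1: a spawn whose call stack shows a reflection API (imatches = case-insensitive glob).
    return ev['type'] == 'spawn_process' and any(
        fnmatch.fnmatchcase(sym.lower(), pat.lower())
        for sym in ev['symbols'] for pat in REFLECTION_SYMBOLS)

def is_external_connect(ev):
    # Stage 2a: connect_socket to anything except unspecified, loopback and RFC 1918 space.
    if ev['type'] != 'connect_socket' or ev['dip'] in ('0.0.0.0', '::1', '0:0:0:0:0:0:0:1'):
        return False
    addr = ipaddress.ip_address(ev['dip'])
    return not any(addr in net for net in LOCAL_NETS)

def is_net_dll_load(ev):
    # Stage 2b: load_dll of one of the listed networking DLLs (iin = case-insensitive membership).
    return ev['type'] == 'load_dll' and ev['dll'].lower() in NET_DLLS

def evaluate(events):
    # Correlate by ps_uuid: stage 2 must follow stage 1 within MAXSPAN. Returns the matching uuids.
    spawned_at, hits = {}, set()
    for ev in sorted(events, key=lambda e: e['ts']):
        uid = ev['ps_uuid']
        if is_reflected_spawn(ev):
            spawned_at.setdefault(uid, ev['ts'])
        elif uid in spawned_at and (is_external_connect(ev) or is_net_dll_load(ev)):
            if ev['ts'] - spawned_at[uid] <= MAXSPAN:
                hits.add(uid)
    return hits

# Constructed sample telemetry (not real captures): A should match on the DLL load,
# B must not (private destination), C must not (connect arrives after the 2m window).
SAMPLE_EVENTS = [
    {'ts': 0,   'ps_uuid': 'A', 'type': 'spawn_process', 'symbols': ['ntdll.dll!RtlCreateProcessReflection+0x1c']},
    {'ts': 30,  'ps_uuid': 'A', 'type': 'load_dll', 'dll': 'WS2_32.dll'},
    {'ts': 0,   'ps_uuid': 'B', 'type': 'spawn_process', 'symbols': ['ntdll.dll!RtlCloneUserProcess+0x40']},
    {'ts': 10,  'ps_uuid': 'B', 'type': 'connect_socket', 'dip': '192.168.1.5'},
    {'ts': 0,   'ps_uuid': 'C', 'type': 'spawn_process', 'symbols': ['ntdll.dll!RtlCreateProcessReflection+0x1c']},
    {'ts': 300, 'ps_uuid': 'C', 'type': 'connect_socket', 'dip': '203.0.113.7'},
]
```

Calling evaluate(SAMPLE_EVENTS) returns {'A'}; the real engine additionally has to decide which process the spawn event's ps.uuid refers to (parent or clone), which this toy evaluator leaves to the event producer.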