-
-
Notifications
You must be signed in to change notification settings - Fork 205
Expand file tree
/
Copy pathpersistence_executable_file_dropped_by_unsigned_service_dll.yml
More file actions
36 lines (33 loc) · 1.59 KB
/
persistence_executable_file_dropped_by_unsigned_service_dll.yml
File metadata and controls
36 lines (33 loc) · 1.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
name: Executable file dropped by an unsigned service DLL
id: 3e29da58-0fc4-44c0-91c0-0dfc6af87e9d
version: 1.0.3
description: |
Identifies the loading of an unsigned DLL by svchost process followed by creating an
executable file. Adversaries may rely on Windows Services to repeatedly execute malicious
payloads as part of persistence.
labels:
tactic.id: TA0003
tactic.name: Persistence
tactic.ref: https://attack.mitre.org/tactics/TA0003/
technique.id: T1543
technique.name: Create or Modify System Process
technique.ref: https://attack.mitre.org/techniques/T1543/
subtechnique.id: T1543.003
subtechnique.name: Windows Service
subtechnique.ref: https://attack.mitre.org/techniques/T1543/003/
references:
- https://grzegorztworek.medium.com/persistence-with-windows-services-1b21579f0ff3
- https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain
condition: >
sequence
maxspan 3m
|load_unsigned_dll and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe')| as e1
|create_file and
evt.pid != 4 and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe') and
(file.extension iin ('.exe', '.dll', '.com', '.js', '.vbs', '.cmd', '.bat', '.vbe') or file.is_exec or file.is_dll or file.is_driver) and
thread.callstack.symbols iin (concat($e1.module.name, '!ServiceMain'))
|
output: >
Service %1.ps.cmdline loaded an unsigned DLL %1.dll.path and subsequently dropped an executable file %2.file.path
severity: high
min-engine-version: 3.0.0