feat(rules): Add Suspicious activity from a reflected process rule

rabbitstack · rabbitstack · commit 6c09debfdac0 · 2026-03-06T10:53:47.000+01:00
Detects the execution of a process clone via RtlCreateProcessReflection followed by network activity or loading of common networking DLLs.
This behaviour may indicate that an attacker is abusing process reflection for shellcode injection.
diff --git a/rules/defense_evasion_suspicious_activity_from_reflected_process.yml b/rules/defense_evasion_suspicious_activity_from_reflected_process.yml
@@ -0,0 +1,48 @@
+name: Suspicious activity from a reflected process
+id: 2c5d3663-3e76-4cba-bd72-178757112f2c
+version: 1.0.0
+description: |
+  Detects the execution of a process clone via RtlCreateProcessReflection
+  followed by network activity or loading of common networking DLLs.
+  This behaviour may indicate that an attacker is abusing process reflection
+  for shellcode injection.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1055
+  technique.name: Process Injection
+  technique.ref: https://attack.mitre.org/techniques/T1055/
+references:
+  - https://unprotect.it/technique/dirty-vanity/
+  - https://github.com/Whitecat18/Rust-for-Malware-Development/tree/main/Dirty_Vanity
+  - https://www.deepinstinct.com/blog/dirty-vanity-a-new-approach-to-code-injection-edr-bypass
+
+condition: >
+  sequence
+  maxspan 2m
+  by ps.uuid
+    |spawn_process and
+     thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')
+    |
+    |(connect_socket and
+      net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and
+      not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')) or
+     (load_dll and dll.name iin
+                            (
+                              'dnsapi.dll',
+                              'ws2_32.dll',
+                              'winhttp.dll',
+                              'bitsproxy.dll',
+                              'wininet.dll',
+                              'mswsock.dll',
+                              'iphlpapi.dll',
+                              'httpapi.dll'
+                             ))
+    |
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
