defense_evasion_process_execution_from_remote_memory_section.yml
54 lines (51 loc) · 2.36 KB
name: Process execution from remote memory section
id: 6e4cc918-a30e-4167-ba26-6356d6384f30
version: 1.0.0
description: |
  Detects execution of a process image originating from a memory section
  mapped without a backing file, a strong indicator of advanced process
  injection techniques such as ghostly hollowing. In this pattern, a malicious
  image is mapped directly into memory, loaded into a remote process, and
  subsequently executed without ever being written to disk.
  This allows attackers to evade file-based detection and forensic recovery.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1055
  technique.name: Process Injection
  technique.ref: https://attack.mitre.org/techniques/T1055/
references:
  - https://captain-woof.medium.com/ghostly-hollowing-probably-the-most-bizarre-windows-process-injection-technique-i-know-bf833c96663a
condition: >
  sequence
  maxspan 1m
    |map_view_file and
      evt.pid != 4 and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
      file.view.size > 50000 and file.path = '' and file.view.type = 'IMAGE' and
      ps.exe not imatches
        (
          '?:\\Windows\\System32\\dwm.exe',
          '?:\\Windows\\System32\\svchost.exe',
          '?:\\Windows\\System32\\services.exe',
          '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
          '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
          '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
          '?:\\Windows\\servicing\\TrustedInstaller.exe',
          '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
          '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
        )
    | as e1
    |load_module and
      evt.pid != module.pid and
      module.base = $e1.file.view.base and
      (thread.callstack.summary = '' or thread.callstack.summary imatches '*ntoskrnl.exe!NtMapViewOfSection*')
    | as e2
    |load_executable and thread.callstack.summary imatches concat('*', base($e2.module.path), '*')|
action:
  - name: kill
output: >
  Process %3.ps.exe executed from a remotely mapped memory section with no backing file
severity: high
min-engine-version: 3.0.0
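To make the three-stage sequence above concrete, here is an added example that is not part of the rule file or of the Fibratus project: a plain-Python re-implementation of the same correlation logic, replayed over constructed sample telemetry. Event field names such as `view_base`, `module_pid` and `callstack` are simplified stand-ins for the rule's `file.view.base`, `module.pid` and `thread.callstack.summary`; the PIDs, SIDs, paths, base addresses and call-stack strings are all made up. The example shows the two joins the rule relies on (section view base to remote module base, then module basename on the executing call stack) and how the 1-minute `maxspan` discards a chain whose final stage arrives too late.

```python
"""Added example (not the rule engine's code): the rule's three-stage
sequence in plain Python, run over constructed sample events."""
import ntpath
from fnmatch import fnmatchcase

MAXSPAN_SECONDS = 60.0   # "maxspan 1m" in the rule
MIN_VIEW_SIZE = 50000    # "file.view.size > 50000"
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Exclusion list copied from the rule's "ps.exe not imatches (...)" clause.
EXCLUDED_EXES = [
    r"?:\Windows\System32\dwm.exe",
    r"?:\Windows\System32\svchost.exe",
    r"?:\Windows\System32\services.exe",
    r"?:\Windows\Microsoft.NET\Framework\*\ngen.exe",
    r"?:\Windows\Microsoft.NET\Framework64\*\ngen.exe",
    r"?:\Windows\Microsoft.NET\Framework\*\mscorsvw.exe",
    r"?:\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe",
    r"?:\Windows\servicing\TrustedInstaller.exe",
    r"?:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
    r"?:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
]

def imatches(value, pattern):
    """Case-insensitive glob, emulating the rule language's `imatches` operator."""
    return fnmatchcase(value.lower(), pattern.lower())

def is_e1(e):
    """Stage 1: IMAGE view of a section with no backing file, in a non-system process."""
    return (e["type"] == "map_view_file" and e["pid"] != 4
            and e["sid"] not in SYSTEM_SIDS and e["view_size"] > MIN_VIEW_SIZE
            and e["file_path"] == "" and e["view_type"] == "IMAGE"
            and not any(imatches(e["exe"], p) for p in EXCLUDED_EXES))

def is_e2(e, e1):
    """Stage 2: that same section appears as a module loaded into a different process."""
    return (e["type"] == "load_module" and e["pid"] != e["module_pid"]
            and e["module_base"] == e1["view_base"]
            and (e["callstack"] == ""
                 or imatches(e["callstack"], "*ntoskrnl.exe!NtMapViewOfSection*")))

def is_e3(e, e2):
    """Stage 3: an executable starts with that module's basename on its call stack."""
    return (e["type"] == "load_executable"
            and imatches(e["callstack"], "*" + ntpath.basename(e2["module_path"]) + "*"))

def detect(events):
    """Replay time-ordered events through the sequence; one alert per completed chain."""
    pending_e1, pending_e2, alerts = [], [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        # expire partial matches whose first event is older than maxspan
        pending_e1 = [p for p in pending_e1 if e["ts"] - p["ts"] <= MAXSPAN_SECONDS]
        pending_e2 = [p for p in pending_e2 if e["ts"] - p[0]["ts"] <= MAXSPAN_SECONDS]
        done = [(e1, e2) for e1, e2 in pending_e2 if is_e3(e, e2)]
        for e1, _ in done:
            alerts.append({"pid": e["pid"], "exe": e["exe"], "section_base": e1["view_base"]})
        pending_e2 = [p for p in pending_e2 if p not in done]
        pending_e2 += [(e1, e) for e1 in pending_e1 if is_e2(e, e1)]
        if is_e1(e):
            pending_e1.append(e)
    return alerts

# Constructed sample telemetry: every PID, SID, path, base address and
# callstack string below is made up for this example.
USER_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    # chain A: all three stages within maxspan -> alert
    {"type": "map_view_file", "ts": 0.0, "pid": 4120, "sid": USER_SID,
     "exe": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "view_size": 212992,
     "file_path": "", "view_type": "IMAGE", "view_base": 0x7FF6A0000000},
    {"type": "load_module", "ts": 1.2, "pid": 4120, "module_pid": 6032,
     "module_base": 0x7FF6A0000000, "module_path": r"C:\Users\alice\AppData\Local\Temp\stage.dll",
     "callstack": "ntdll.dll!NtMapViewOfSection|ntoskrnl.exe!NtMapViewOfSection"},
    {"type": "load_executable", "ts": 2.5, "pid": 6032, "exe": r"C:\Windows\System32\notepad.exe",
     "callstack": "stage.dll!DllMain|ntdll.dll!LdrpCallInitRoutine"},
    # chain B: stages 1 and 2 match, but stage 3 arrives 90 s later -> dropped by maxspan
    {"type": "map_view_file", "ts": 10.0, "pid": 7000, "sid": USER_SID,
     "exe": r"C:\Users\bob\Downloads\tool.exe", "view_size": 98304,
     "file_path": "", "view_type": "IMAGE", "view_base": 0x7FF7B0000000},
    {"type": "load_module", "ts": 12.0, "pid": 7000, "module_pid": 7100, "callstack": "",
     "module_base": 0x7FF7B0000000, "module_path": r"C:\Users\bob\Downloads\payload.dll"},
    {"type": "load_executable", "ts": 100.0, "pid": 7100, "exe": r"C:\Windows\System32\calc.exe",
     "callstack": "payload.dll!Start"},
    # chain C: ordinary IMAGE mapping of an on-disk DLL -> never passes stage 1
    {"type": "map_view_file", "ts": 20.0, "pid": 5000, "sid": USER_SID,
     "exe": r"C:\Program Files\App\app.exe", "view_size": 1048576,
     "file_path": r"C:\Windows\System32\kernel32.dll", "view_type": "IMAGE",
     "view_base": 0x7FFD10000000},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"Process {a['exe']} (pid {a['pid']}) executed from a remotely mapped "
              f"memory section with no backing file (base {a['section_base']:#x})")
```

Run as a script, only chain A produces an alert. The real engine evaluates `file.view.base` and `module.base` against live kernel telemetry and the `kill` action terminates the offending process; this replay only reproduces the matching logic so the joins and the time window can be inspected on their own.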