rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml

title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
author: John Lambert (tech), Florian Roth (rule)
references:
  - https://twitter.com/JohnLaTwC/status/837743453039534080
date: 2017/03/04
modified: 2021/11/27
logsource:
  category: process_access
  product: windows
  definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
  selection:
    TargetImage|endswith: '\verclsid.exe'
    GrantedAccess: '0x1FFFFF'
  combination1:
    CallTrace|contains|all:
      - '|UNKNOWN('
      - 'VBE7.DLL'
  combination2:
    SourceImage|contains: '\Microsoft Office\'
    CallTrace|contains: '|UNKNOWN'
  condition: selection and 1 of combination*
falsepositives:
  - unknown
level: high
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - attack.t1055
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`title: Malware Shellcode in Verclsid Target Process`
			`id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro`
			`author: John Lambert (tech), Florian Roth (rule)`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://twitter.com/JohnLaTwC/status/837743453039534080`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`date: 2017/03/04`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_access`
			`product: windows`
			`definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`TargetImage\|endswith: '\verclsid.exe'`
			`GrantedAccess: '0x1FFFFF'`
			`combination1:`
			`CallTrace\|contains\|all:`
			`- '\|UNKNOWN('`
			`- 'VBE7.DLL'`
			`combination2:`
			`SourceImage\|contains: '\Microsoft Office\'`
			`CallTrace\|contains: '\|UNKNOWN'`
			`condition: selection and 1 of combination*`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- unknown`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`level: high`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.privilege_escalation`
			`- attack.t1055`