rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml

title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: experimental
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
references:
    - https://twitter.com/JohnLaTwC/status/837743453039534080
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
logsource:
    product: windows
    service: sysmon
    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
    selection:
        EventID: 10
        TargetImage: '*\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    combination1:
        CallTrace: '*|UNKNOWN(*VBE7.DLL*'
    combination2:
        SourceImage: '*\Microsoft Office\\*'
        CallTrace: '*|UNKNOWN*'
    condition: selection and 1 of combination*
falsepositives:
    - unknown
level: high
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`title: Malware Shellcode in Verclsid Target Process`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1`
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`status: experimental`
Fixed typoes 2018-07-10 09:14:07 -05:00			`description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- https://twitter.com/JohnLaTwC/status/837743453039534080`
rules update 2019-03-06 00:43:42 +01:00			`tags:`
			`- attack.defense_evasion`
			`- attack.privilege_escalation`
			`- attack.t1055`
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`author: John Lambert (tech), Florian Roth (rule)`
			`date: 2017/03/04`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00			`definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'`
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`detection:`
			`selection:`
			`EventID: 10`
			`TargetImage: '*\verclsid.exe'`
			`GrantedAccess: '0x1FFFFF'`
			`combination1:`
			`CallTrace: '\|UNKNOWN(VBE7.DLL*'`
			`combination2:`
Escaped '\' to '\\' where required 2019-02-03 00:24:57 +01:00			`SourceImage: '\Microsoft Office\\'`
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`CallTrace: '\|UNKNOWN'`
Simplified rule conditions with new condition constructs 2018-03-06 23:14:43 +01:00			`condition: selection and 1 of combination*`
Rule: Sysmon Malware Shellcode in Verclsid Process 2017-03-04 10:38:23 +01:00			`falsepositives:`
			`- unknown`
			`level: high`