security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
3ddbfdfbb1979a526186f89d852f9acca70bb81b
sigma-rules/rules_building_block/defense_evasion_masquerading_vlc_dll.toml
T
shashank-elastic e4856d3c2c Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30

81 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
bypass_bbr_timing = true
creation_date = "2023/08/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/05"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their
payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate
applications to deceive machine learning algorithms by incorporating authentic and benign code.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as VLC DLL"
risk_score = 21
rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc"
severity = "low"
tags = [
"Domain: Endpoint",
"Data Source: Elastic Defend",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
library where host.os.type == "windows" and event.action == "load" and
dll.name : ("libvlc.dll", "libvlccore.dll", "axvlc.dll") and
not (
dll.code_signature.subject_name : ("VideoLAN", "716F2E5E-A03A-486B-BC67-9B18474B9D51")
and dll.code_signature.trusted == true
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Resource Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink