-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-11-003.yaml
51 lines (51 loc) · 2.11 KB
/
CAR-2020-11-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
title: DLL Injection with Mavinject
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-003
description: |-
Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.
coverage:
- technique: T1055
tactics:
- TA0004
- TA0005
subtechniques:
- T1055.001
coverage: Low
implementations:
- name: Pseudocode - mavinject process and its common argument
description: This is a pseudocode representation of the below splunk search.
code: |-
processes = search Process:Create
mavinject_processes = filter processes where (
exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"
output mavinject_processes
data_model: CAR native
type: Pseudocode
- name: Splunk Search - mavinject
description: Search for instances of mavinject.exe or mavinject32.exe
code: |-
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*")
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - mavinject
description: Search for instances of mavinject.exe or mavinject32.exe
code: |-
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*")
data_model: LogPoint native
type: LogPoint
data_model_references:
- process/create/exe
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis