Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

Potential Shellcode Injection

Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Bhabesh RajCreated Fri Mar 11Updated Tue Jul 02250ae82f-736e-4844-a68b-0b5e8cc887dawindows
Hunting Hypothesis
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
Detection Logic5 selectors
detection:
    selection:
        GrantedAccess:
            - '0x147a'
            - '0x1f3fff'
        CallTrace|contains: 'UNKNOWN'
    filter_main_wmiprvse:
        SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
        TargetImage: 'C:\Windows\system32\lsass.exe'
    filter_optional_dell_folders:
        # If dell software is installed we get matches like these
        # Example 1:
        #   SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 2:
        #   SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   GrantedAccess: 0x1F3FFF
        # Example 3:
        #   SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
        #   TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
        #   GrantedAccess: 0x1F3FFF
        SourceImage|startswith:
            - 'C:\Program Files\Dell\'
            - 'C:\Program Files (x86)\Dell\'
        TargetImage|startswith:
            - 'C:\Program Files\Dell\'
            - 'C:\Program Files (x86)\Dell\'
    filter_optional_dell_specifc:
        SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        TargetImage: 'C:\Windows\Explorer.EXE'
    filter_optional_visual_studio:
        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
        TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
250ae82f-736e-4844-a68b-0b5e8cc887da
Status
test
Level
medium
Type
Threat Hunt
Created
Fri Mar 11
Modified
Tue Jul 02
Author
Bhabesh Raj
Path
rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1055detection.threat-hunting
View on GitHub