Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log source: Windows process_access events, recorded when a process opens a handle to another process (Sysmon Event ID 10). The category is best known for catching credential dumping via LSASS; here it is used to catch a handle opened on verclsid.exe.
Definition
Requirements: The following Sysmon configuration is required to generate the necessary Event ID 10 (ProcessAccess) events:

    <ProcessAccess onmatch="include">
        <CallTrace condition="contains">VBE7.DLL</CallTrace>
    </ProcessAccess>
    <ProcessAccess onmatch="exclude">
        <CallTrace condition="excludes">UNKNOWN</CallTrace>
    </ProcessAccess>

The include rule records handle opens whose call trace passes through VBE7.DLL (the VBA runtime). The exclude rule uses the "excludes" condition, so it drops every event whose call trace does not contain UNKNOWN, the marker Sysmon uses for a frame in memory not backed by a loaded module, which is what injected shellcode looks like on the stack. Together they log only VBA-driven accesses that pass through unbacked memory. Without such a filter Sysmon does not emit Event ID 10 for these accesses at all and the rule stays silent, so check that the events exist in your telemetry before relying on it. Note that selection_calltrace_2 below also matches Office processes whose trace has no VBE7.DLL frame; under this exact include rule those events are never logged, so the Sysmon include filter has to be widened if that path matters to you.
detection:
    selection_target:
        TargetImage|endswith: '\verclsid.exe'
        GrantedAccess: '0x1FFFFF'
    selection_calltrace_1:
        CallTrace|contains|all:
            - '|UNKNOWN('
            - 'VBE7.DLL'
    selection_calltrace_2:
        SourceImage|contains: '\Microsoft Office\'
        CallTrace|contains: '|UNKNOWN'
    condition: selection_target and 1 of selection_calltrace_*

GrantedAccess 0x1FFFFF is PROCESS_ALL_ACCESS, the full-rights handle an injector asks for before writing and executing code in the target; a benign OLE lookup does not need it. The rule fires when such a handle is opened on verclsid.exe and the call stack either passes through the VBA runtime and unbacked memory (selection_calltrace_1) or comes from an Office binary and passes through unbacked memory (selection_calltrace_2).

False positives: likelihood has not been assessed. Additional context may be needed during triage.
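To see how the three selections and the condition combine on real-looking telemetry, here is an added Python example that implements the rule's matching semantics directly and runs it over constructed Sysmon Event ID 10 records. It is not the rule's own code and not part of the sigma project; the Sysmon field names are real, but every path, address and offset in the sample events is invented.

```python
"""Matcher for the 'Malware Shellcode in Verclsid Target Process' Sigma logic.

Added example; not the rule's own code and not part of the sigma project.
The Sysmon field names (SourceImage, TargetImage, GrantedAccess, CallTrace)
are real; every event below is a constructed sample, not recorded telemetry.
"""


def _ci(value: str) -> str:
    """Sigma string modifiers are case-insensitive by default."""
    return value.lower()


def selection_target(ev: dict) -> bool:
    # TargetImage|endswith: '\verclsid.exe'
    # GrantedAccess: '0x1FFFFF'   (PROCESS_ALL_ACCESS)
    return (_ci(ev.get("TargetImage", "")).endswith("\\verclsid.exe")
            and _ci(ev.get("GrantedAccess", "")) == "0x1fffff")


def selection_calltrace_1(ev: dict) -> bool:
    # CallTrace|contains|all: '|UNKNOWN(' and 'VBE7.DLL'
    # -> an unbacked frame reached through the VBA runtime
    trace = _ci(ev.get("CallTrace", ""))
    return "|unknown(" in trace and "vbe7.dll" in trace


def selection_calltrace_2(ev: dict) -> bool:
    # SourceImage|contains: '\Microsoft Office\' and CallTrace|contains: '|UNKNOWN'
    # -> any Office binary whose call stack passes through unbacked memory
    return ("\\microsoft office\\" in _ci(ev.get("SourceImage", ""))
            and "|unknown" in _ci(ev.get("CallTrace", "")))


def matches(ev: dict) -> bool:
    # condition: selection_target and 1 of selection_calltrace_*
    return selection_target(ev) and (selection_calltrace_1(ev) or selection_calltrace_2(ev))


# Constructed Sysmon Event ID 10 records (invented paths, addresses and offsets).
SAMPLE_EVENTS = [
    {
        # VBA macro in Word opens verclsid.exe with full access; the call trace runs
        # through VBE7.DLL and an UNKNOWN (module-less) frame: expected to alert.
        "id": "word-macro-shellcode",
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": (r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\Windows\System32\KERNELBASE.dll+2c96e"
                      r"|UNKNOWN(000001D1A4E20000)"
                      r"|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+1a2b3c"),
    },
    {
        # Word touching verclsid.exe during normal OLE handling: limited access and
        # no unbacked frame: must not alert.
        "id": "word-benign-ole",
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\Windows\System32\KERNELBASE.dll+2c96e|C:\Windows\System32\ole32.dll+4f2e1",
    },
    {
        # Excel with an UNKNOWN frame but no VBE7.DLL frame and full access; the
        # lower-case GrantedAccess exercises case-insensitive matching. Only
        # selection_calltrace_2 fires, which is enough for the condition.
        "id": "excel-unbacked-no-vba",
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|UNKNOWN(00000215B0A10000)",
    },
    {
        # Same access pattern from a non-Office process: outside the rule's scope,
        # neither calltrace selection matches.
        "id": "non-office-injector",
        "SourceImage": r"C:\Users\Public\injector.exe",
        "TargetImage": r"C:\Windows\System32\verclsid.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|UNKNOWN(00000000004A0000)",
    },
    {
        # Macro reaching into a different target: selection_target fails.
        "id": "word-macro-other-target",
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4d4|UNKNOWN(000001D1A4E20000)|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+1a2b3c",
    },
]


def alerting_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule would fire on."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<26} alert={matches(ev)}")
```

Two of the five samples alert: the macro injection and the Office process with an unbacked frame but no VBE7.DLL frame. The non-Office injector does not, even though it opens verclsid.exe with PROCESS_ALL_ACCESS from unbacked memory, because both calltrace selections are scoped to Office; that is the rule's intended scope, so pair it with broader process-injection detections rather than widening it. In production the rule is converted to a backend query with the sigma tooling; this matcher only makes the case-insensitive contains/endswith semantics and the `1 of selection_calltrace_*` condition concrete.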
Techniques
Other