@@ -0,0 +1,41 @@
name: Activation Context memory section hijacking
id: 3d56281e-9608-4a70-b7b7-7651ccd3752b
version: 1.0.0
description: |
Detects abuses of a legitimate Windows feature present in most processes
called Activation Contexts with the objective of loading an arbitrary DLL
into signed executables.
Adversaries can unmap the legitimate read-only memory section view backing
the process Activation Context, then map a new pagefile-backed section at
the exact same base address containing a malicious Activation Context.
labels:
tactic.id: TA0005
tactic.name: Defense Evasion
tactic.ref: https://attack.mitre.org/tactics/TA0005/
technique.id: T1055
technique.name: Process Injection
technique.ref: https://attack.mitre.org/techniques/T1055/
references:
- https://github.com/r3xmax/PhantomCtx
- https://learn.microsoft.com/en-us/windows/win32/sbscs/activation-contexts

condition: >
sequence
maxspan 40s
by ps.uuid, file.view.base
|unmap_view_file and
file.view.type = 'PAGEFILE' and file.view.protection = 'READONLY' and
(file.view.size = 12288 or (file.view.size = 4096 and
not (ps.parent.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.exe imatches '?:\\Windows\\System32\\taskhostw.exe') and
not (ps.parent.exe imatches '?:\\Windows\\explorer.exe' and ps.exe imatches '?:\\Program Files\\WindowsApps\\*.exe') and
not (ps.parent.exe imatches '?:\\Windows\\System32\\winlogon.exe' and ps.exe imatches '?:\\Windows\\System32\\dwm.exe') and
not (ps.parent.exe imatches '?:\\Windows\\System32\\winlogon.exe' and ps.exe imatches '?:\\Windows\\System32\\csrss.exe') and
not (ps.parent.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.exe imatches '?:\\Program Files\\Microsoft Office\\*\\ActionsServer\\ActionsServer.exe') and
not (ps.parent.exe imatches '?:\\Program Files\\Mozilla Firefox\\firefox.exe' and ps.exe imatches '?:\\Program Files\\Mozilla Firefox\\firefox.exe' and ps.cmdline imatches concat('*-contentproc -parentBuildID* -parentPid ', ps.ppid)))
)
|
|map_view_file and file.view.size = 12288 and file.view.type = 'PAGEFILE' and file.view.protection = 'READWRITE'|

severity: high

min-engine-version: 3.0.0
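Review bot: The size logic between the two stages looks inconsistent: in the `unmap_view_file` stage the allow-list exclusions are wrapped inside the `file.view.size = 4096` branch only, while the `map_view_file` stage requires `file.view.size = 12288` unconditionally, so a 4096-byte unmap can only complete the sequence if the replacement section mapped at the same `file.view.base` is three times the size of the view it replaced. Either the 4096 branch (and the six exclusions attached to it) is effectively dead, or the second stage should accept the same set of sizes (for example `file.view.size in (4096, 12288)`, if the engine supports it); please confirm which is intended. The description should also say what the 12288 and 4096 values correspond to (the page-count of the read-only Activation Context view on the supported Windows builds) and why the listed parent/child pairs such as winlogon.exe/dwm.exe and firefox.exe content processes legitimately unmap that view, since those numbers and exclusions are otherwise opaque to whoever maintains the rule when a new build changes the view size.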