defense_evasion_process_execution_from_hollowed_memory_section.yml
54 lines (50 loc) · 2.1 KB
name: Process execution from hollowed memory section
id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
version: 2.0.0
description: |
  Adversaries may inject malicious code into suspended and hollowed processes in order to
  evade process-based defenses. Process hollowing is a method of executing arbitrary code
  in the address space of a separate live process.
  Process hollowing is commonly performed by creating a process in a suspended state, then
  unmapping/hollowing its memory, which can then be replaced with malicious code. A victim
  process can be created with native Windows API calls such as CreateProcess, which includes
  a flag to suspend the process's primary thread. At this point the process can be unmapped
  using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written
  to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory,
  SetThreadContext, then ResumeThread/ResumeProcess respectively.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1055
  technique.name: Process Injection
  technique.ref: https://attack.mitre.org/techniques/T1055/
  subtechnique.id: T1055.012
  subtechnique.name: Process Hollowing
  subtechnique.ref: https://attack.mitre.org/techniques/T1055/012/
references:
  - https://www.ired.team/offensive-security/code-injection-process-injection/process-hollowing-and-pe-image-relocations
condition: >
  sequence
  maxspan 2m
    |spawn_process and
      ps.parent.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
      ps.parent.exe not imatches
        (
          '?:\\Program Files\\*.exe',
          '?:\\Program Files (x86)\\*.exe'
        )
    | as e1
    |unmap_view_of_section and
      ps.uuid = $e1.ps.uuid and
      file.view.size > 20000 and file.view.protection != 'READONLY'
    | as e2
    |load_executable and
      ps.uuid = $e2.ps.uuid and image.base.address = $e2.file.view.base
    |
action:
  - name: kill
output: >
  Process %3.ps.exe executed from hollowed memory section
severity: high
min-engine-version: 3.0.0
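The `condition` above is a three-stage sequence correlated on `ps.uuid`: a process is spawned by a parent that is neither a service account nor a Program Files binary, that process then unmaps a sizeable writable section view, and an executable image is subsequently loaded at exactly the base address the view occupied, all within the 2-minute `maxspan`. To make the correlation concrete, the following Python is an added illustration written for this page; it is not Fibratus's engine or part of this repository. It replays a constructed event stream through the same three stages and filters and produces the rule's `output` line for each match. The `Event` class, the use of Fibratus field names as dictionary keys, the one-partial-chain-per-process simplification and all sample values are assumptions made for the example.

```python
# Added illustration: a minimal re-implementation of the three-stage sequence in the
# Fibratus rule above, NOT Fibratus's own engine. Event shape, sample data and the
# single-chain-per-process simplification are assumptions made for this example.
from dataclasses import dataclass
from fnmatch import fnmatchcase

MAXSPAN_SECONDS = 120.0                                # `maxspan 2m` in the rule
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
# The rule's `imatches` patterns; the YAML filter string doubles the backslashes.
TRUSTED_PARENT_PATTERNS = [r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe"]


@dataclass
class Event:
    kind: str        # spawn_process | unmap_view_of_section | load_executable
    ts: float        # seconds since an arbitrary epoch (constructed)
    ps_uuid: int     # ps.uuid: ties the three events to one process
    fields: dict     # remaining rule fields, keyed by their Fibratus names


def imatches(path, patterns):
    """Case-insensitive wildcard match: ? is one char, * is any run (backslashes included)."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)


def stage1(e):
    """spawn_process whose parent is neither a service account nor a Program Files binary."""
    return (e.kind == "spawn_process"
            and e.fields["ps.parent.sid"] not in SERVICE_SIDS
            and not imatches(e.fields["ps.parent.exe"], TRUSTED_PARENT_PATTERNS))


def stage2(e, e1):
    """unmap_view_of_section in the same process, for a sizeable non-read-only view."""
    return (e.kind == "unmap_view_of_section" and e.ps_uuid == e1.ps_uuid
            and e.fields["file.view.size"] > 20000
            and e.fields["file.view.protection"] != "READONLY")


def stage3(e, e2):
    """load_executable in the same process at exactly the base that was just unmapped."""
    return (e.kind == "load_executable" and e.ps_uuid == e2.ps_uuid
            and e.fields["image.base.address"] == e2.fields["file.view.base"])


def run_sequence(events):
    """Replay events in timestamp order; return (e1, e2, e3) triples that complete the sequence.

    One partial chain is kept per ps_uuid and dropped once MAXSPAN_SECONDS have elapsed
    since its e1 (a simplification of how the engine tracks concurrent partial matches).
    """
    partial = {}   # ps_uuid -> [e1] or [e1, e2]
    matches = []
    for e in sorted(events, key=lambda ev: ev.ts):
        for uuid in [u for u, c in partial.items() if e.ts - c[0].ts > MAXSPAN_SECONDS]:
            del partial[uuid]                          # maxspan exceeded: forget the chain
        if stage1(e):
            partial[e.ps_uuid] = [e]                   # (re)start a chain for this process
            continue
        chain = partial.get(e.ps_uuid)
        if chain is None:
            continue
        if len(chain) == 1 and stage2(e, chain[0]):
            chain.append(e)
        elif len(chain) == 2 and stage3(e, chain[1]):
            matches.append((chain[0], chain[1], e))
            del partial[e.ps_uuid]
    return matches


def alert_text(match):
    """The rule's `output` line: %3 selects the third event of the sequence."""
    return f"Process {match[2].fields['ps.exe']} executed from hollowed memory section"


# Constructed sample stream: uuid 1 is a complete hollowing sequence; uuid 2 is spawned by
# a Program Files parent and is filtered at stage 1; uuid 3 finishes after maxspan expires.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
SAMPLE_EVENTS = [
    Event("spawn_process", 0.0, 1, {"ps.parent.sid": USER_SID,
                                     "ps.parent.exe": r"C:\Users\bob\Downloads\dropper.exe"}),
    Event("unmap_view_of_section", 0.4, 1, {"file.view.size": 0x1F000,
                                             "file.view.protection": "READWRITE",
                                             "file.view.base": 0x400000}),
    Event("load_executable", 0.6, 1, {"image.base.address": 0x400000,
                                       "ps.exe": r"C:\Windows\System32\svchost.exe"}),
    Event("spawn_process", 1.0, 2, {"ps.parent.sid": USER_SID,
                                     "ps.parent.exe": r"C:\Program Files\Vendor\updater.exe"}),
    Event("unmap_view_of_section", 1.2, 2, {"file.view.size": 0x30000,
                                             "file.view.protection": "READWRITE",
                                             "file.view.base": 0x7FF600000000}),
    Event("load_executable", 1.3, 2, {"image.base.address": 0x7FF600000000,
                                       "ps.exe": r"C:\Program Files\Vendor\helper.exe"}),
    Event("spawn_process", 2.0, 3, {"ps.parent.sid": USER_SID,
                                     "ps.parent.exe": r"C:\Users\bob\tool.exe"}),
    Event("unmap_view_of_section", 3.0, 3, {"file.view.size": 0x40000,
                                             "file.view.protection": "READWRITE",
                                             "file.view.base": 0x400000}),
    Event("load_executable", 200.0, 3, {"image.base.address": 0x400000,
                                         "ps.exe": r"C:\Windows\System32\notepad.exe"}),
]

if __name__ == "__main__":
    for m in run_sequence(SAMPLE_EVENTS):
        print(alert_text(m))    # one alert, for ps.uuid 1
```

Two points of the rule show up clearly when the stream is replayed: the `image.base.address = $e2.file.view.base` join is what separates a hollowed image from an ordinary unmap followed by an unrelated DLL load, and the `maxspan` window bounds how long a partial chain is held, so a sequence that completes slowly (uuid 3) is deliberately not alerted on.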