
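[rule]
description = """
Identifies attempt to allocate an executable memory region in a remote process followed by writing content to it. This
behavior is consistent with remote code injection attacks.
"""
id = "f1d05929-4271-4d39-9cae-05eab6d4efca"
license = "Elastic License v2"
name = "Potential Remote Code Injection"
os_list = ["windows"]
version = "1.0.10"

# Two-event sequence joined on the calling process (process.entity_id), the
# target process (Target.process.pid) AND the address argument of the API call
# (process.Ext.api.parameters.address):
#   1. an allocation / section-mapping / protection-change API whose protection
#      argument contains "X" (executable) and whose behaviors tag it as
#      cross-process (but not parent-child);
#   2. WriteProcessMemory from the same caller into the same target, within 60s.
#
# Consequence of the join key: the WriteProcessMemory address must equal the
# address reported for the first event. A write whose address argument lands
# inside the region (offset from its start) will not pair and is not covered by
# this rule — NOTE(review): confirm how the endpoint populates
# parameters.address for each of these APIs before relying on this.
#
# Noise reduction on the first event (each of these is also an evasion
# trade-off, as anything that satisfies an exclusion is not inspected):
#   * the caller must be unsigned/untrusted, or be rundll32.exe, or live under
#     Windows\Microsoft.NET or Users\Public — and must NOT live under
#     Program Files / Program Files (x86);
#   * a trusted-signed caller whose final user-mode call-stack module sits under
#     its own executable path is skipped;
#   * final user modules in the system directories, the .NET framework,
#     WinSxS/assembly, a Veeam VSS DLL, a fixed SHA-256 allowlist, or signed by
#     the listed publishers are skipped, as are stacks containing the Cisco AMP
#     exprev "protector" DLL.
#
# NOTE(review): the executable pattern "?:\\Users\\Public" carries no trailing
# wildcard, so it only matches an executable whose full path is exactly that
# directory name; it looks like "?:\\Users\\Public\\*" was intended. Left as
# written here — widening it changes what the rule fires (and kills) on.
# NOTE(review): the SHA-256 allowlist entries are unlabeled; recording the
# module name beside each hash would make stale entries retirable. One hash that
# was listed twice in the original has been removed (no behavior change).
query = '''
sequence by process.entity_id, process.Ext.api.parameters.address, Target.process.pid with maxspan=60s
 [api where
  process.Ext.api.behaviors == "cross-process" and not process.Ext.api.behaviors == "parent-child" and
  process.executable != null and process.thread.Ext.call_stack_final_user_module.name != null and
  process.Ext.api.name in ("VirtualAllocEx", "MapViewOfFile", "MapViewOfFile2", "VirtualProtect", "VirtualProtectEx") and
  process.Ext.api.parameters.protection like "*X*" and
  (process.code_signature.trusted == false or process.code_signature.exists == false or
   process.name : "rundll32.exe" or
   process.executable : ("?:\\Windows\\Microsoft.NET\\*", "?:\\Users\\Public")) and
  not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and
  not _arraysearch(process.thread.Ext.call_stack, $entry,
                   $entry.symbol_info: "?:\\program files*\\cisco\\amp\\exprev\\protector*.dll*") and
  not (process.code_signature.trusted == true and
       startswith~(process.thread.Ext.call_stack_final_user_module.path, process.executable)) and
  not process.thread.Ext.call_stack_final_user_module.name in ("Unknown", "Undetermined", "Kernel") and
  not process.thread.Ext.call_stack_final_user_module.path like
                  ("?:\\program files\\*", "?:\\program files (x86)\\*",
                   "\\program files\\*", "\\program files (x86)\\*",
                   "?:\\windows\\microsoft.net\\framework*.dll", "\\windows\\microsoft.net\\framework*.dll",
                   "?:\\windows\\system32\\*", "\\windows\\system32\\*",
                   "?:\\windows\\winsxs\\*", "\\windows\\winsxs\\*",
                   "?:\\windows\\syswow64\\*", "\\windows\\syswow64\\*",
                   "?:\\windows\\assembly\\*", "\\windows\\assembly\\*",
                   "?:\\windows\\veeamvsssupport\\veeamvsssupport.dll") and
  not process.thread.Ext.call_stack_final_user_module.hash.sha256 in
                  ("70a8c4ae129e3d79854c6658b199faf27590800cb2d7fa5681d6bfdbe0111993",
                   "13d8d9823d8f9e41247f32831e5a044fb4b09187571e498b807c07caa8c3004f",
                   "51409099241d9af2b9005a0de21081ae9dbb64c0c98eb4a6460e1d1946461ce0",
                   "6ad87a98d9e91e784fb1e275b9e37709a1ae85f8d6096cbf5a8ce3104314d5ed",
                   "d9070a90ea8a8bc1c9120397c2588d3e8f588bcce4a261cc9f0e9f0c37c8d726",
                   "2ac92e1b48ad518efa47313aac59b67950da234d20e651b221b7232e4ae9e65d",
                   "c8469c12a2cf76b8b4225d8910958810847e31263487df0065c8648b572467ef",
                   "9bb82a8b466b48176bd876a8fa7a9b3708cf3d86aa1b6c420cf73b003d41495d",
                   "c9f420fb873c8d26c134314cd2543442685b98349a79cb51f06bd364c16aa298",
                   "06e8f5fc9ac8ab8a9390531eebac30372fed6982cceac4d54bb6653f9f6603f7",
                   "27d34c6032491d4dce1060eb3bf8382357a8fde4909aed3855e5c250e0789433",
                   "31f65b7afe91e23ae88d8229fd54c5eb494ffd4594bdc3d6a91d2d69892b284b",
                   "91ff5261cd17ad19edfacfb905a375c300cc6e323e6eaa42446a005a701880b4",
                   "e77507caca8b74b197329f3584a540d7015aad5a94d9aa29a3427959cf129bcd",
                   "cacf583a07df75fd7d76a43a78338c1d032833e1cc2d9945229df04385cfc10f",
                   "a1bbeed70452386d4d3b4383dd47180e9a96440011dbdcadcc6c48c3e1337eac",
                   "f71ae100e2c4a6de86033f7664db07dcba74319de4da0e72f9b5908f09257519",
                   "a63dffea3202a2499abef6c507a3a84aab04e1f43a086ba79784ccb29f4a3156",
                   "dd69b5adcc1832c449ee31ede33ba17dfafba278eb3627dbabf3a42b02a457d8",
                   "dd1eaa53b13e901e8236d034400e36bda7249bf7bb74f50b46d31ebe4896ebb9",
                   "e3fdcd2b4c5215e74b0cabe91ce7fe2800cbf8e2a28157342960bca61bbd6b5d",
                   "f24968ff313caf2d1f6a87b5b2265bcb7278ab598e414fd60b1037aa9b226370",
                   "2a08e0247dcd2363430f48db72ca6c3d2f5d84486c7894cff54e6aae2eb45721",
                   "e9f8a89ccb79d3ce6c148022f9ba830521ece008749fb98ea129c7073b9449f9",
                   "3226b506e186e98c68d57b3dcd046695e59ab0b818a58b4fb9613cbe1e9049a0",
                   "f30518fad5e56b63c807c306b3b3ab70f043eb24956aa128e96e1482380c5e80",
                   "0723de6b33653635781c72d282552ad13d3a5dbe37ca6f4fd62b1f3173dc085d",
                   "3a2a379f7fcea34ea52fe908c57cd5bb1c76bf58306261ea30aeef35ca17e4ed",
                   "097a19028e711f08600ea254bbff08d03539f6d54accc297255cdd13dbede01e",
                   "91744edcc8efb66deda82a2ac1e560da85cd84735b0ad42ad77d28e559741015",
                   "ae04a881df5e2256eae703efda6f021145dbdde5230201e1501433c67f29dfb1",
                   "4c5391497df553576490432e32dfc5dc2e7e195027cd6faa3c8058a63899d6ab",
                   "c4ced30ef9ad364d35edca795bb03b128849bcdf9d4c958086309327341d7107",
                   "2c5c370bd7c51e834784b97af7da480653eb3e61aa2e7c662d70c1875ace0c03",
                   "2f8eb40944200c4b4ddf36c78a4d2e758d9ec6e43396cf85f03970ffa268c334",
                   "77b08483aa5d9cc5ac6050169edff7293522ce865786f181edb6fcc2e41652ca",
                   "ceafaeb950cae0fb4a6b8f6dd68aec8311ebad923f658335b6abc0f7114a62ac",
                   "b50f97afb49255d1ca37968e3fdc51515b9b9ef447d0460744ece428dc0f850c",
                   "e948b1c8189fbd76a85a0a4e50d7db33991ff2a0c3993d44ab54530bf8a0287e",
                   "e0552b8681250e081dce00fc1745926106f5c638030d0a2bbe529b152960ae15",
                   "5442ecad629b42c4ebc8df3c8fab67783bacbc0d4c5121845b91ef538099073d",
                   "19c2b71f25587376e352aeb7a9f62ea52096b41461817fadc067a9e8b46379f2",
                   "c729c4b5a6ad8d247acd4b0d32d5a5999647461ee5f565c618b26d339caebbca") and
  not _arraysearch(process.thread.Ext.call_stack_final_user_module.code_signature, $entry,
                   $entry.trusted == true and
                   $entry.subject_name in ("Microsoft Windows Hardware Compatibility Publisher",
                                           "Microsoft Windows Software Compatibility Publisher",
                                           "Barco N.V.", "Eclipse.org Foundation, Inc."))]
 [api where
  process.Ext.api.behaviors : "cross-process" and not process.Ext.api.behaviors == "parent-child" and
  process.Ext.api.name == "WriteProcessMemory"]
'''

min_endpoint_version = "8.10.0"
optional_actions = []

# Response action: the injecting (source) process is terminated on match. Because
# the first event's exclusions decide who gets killed, any false positive here is
# a process termination, not just an alert.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[internal]
min_endpoint_version = "8.10.0"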