inject-pe.yml
31 lines (31 loc) · 1.01 KB
rule:
  meta:
    name: inject pe
    namespace: host-interaction/process/inject
    authors:
      - 0x534a@mailbox.org
    scopes:
      static: function
      dynamic: unsupported # requires characteristic, mnemonic features
    att&ck:
      - Defense Evasion::Process Injection::Portable Executable Injection [T1055.002]
      - Defense Evasion::Reflective Code Loading [T1620]
    references:
      - https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
    examples:
      - ce8d7590182db2e51372a4a04d6a0927a65b2640739f9ec01cfd6c143b1110da:0x4014E0
  features:
    - and:
      - characteristic: loop
      - optional:
        - or:
          - match: open process
          - match: host-interaction/process/create
      - match: allocate or change RWX memory
      - basic block:
        - description: virtual address offset calculation
        - and:
          - mnemonic: and
          - number: 0x0FFF
      - match: write process memory
      - match: create thread
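To show how the rule's `and` / `optional` / `basic block` nodes combine, here is an added example (not capa's own matching engine and not part of the rule file) that evaluates a transcription of the logic tree against two constructed function feature sets; the `evaluate`, `matches_inject_pe`, `FUNC_A` and `FUNC_B` names are assumptions of the example.

```python
# Added example, not capa's own matching engine: a minimal evaluator for the
# logic tree of the `inject pe` rule above. A function is modelled as
# {"features": set, "blocks": [set, ...]} of (kind, value) pairs; every sample
# function below is constructed for this illustration.
INJECT_PE_RULE = {"and": [  # the rule's `features:` section as nested dicts
    {"characteristic": "loop"},
    {"optional": [{"or": [{"match": "open process"},
                          {"match": "host-interaction/process/create"}]}]},
    {"match": "allocate or change RWX memory"},
    {"basic block": [{"description": "virtual address offset calculation"},
                     {"and": [{"mnemonic": "and"}, {"number": 0x0FFF}]}]},
    {"match": "write process memory"},
    {"match": "create thread"},
]}


def evaluate(node, func):
    """Return True if `node` holds for `func` under simplified capa semantics."""
    (kind, body), = node.items()
    if kind == "and":
        return all(evaluate(child, func) for child in body)
    if kind == "or":
        return any(evaluate(child, func) for child in body)
    if kind in ("optional", "description"):
        return True  # never required; capa keeps them for context/documentation
    if kind == "basic block":
        # all non-description children must hold inside one and the same block
        children = [c for c in body if "description" not in c]
        return any(all(evaluate(c, {"features": blk, "blocks": []}) for c in children)
                   for blk in func["blocks"])
    # leaf feature: function scope sees its own features plus those of its blocks
    return (kind, body) in func["features"].union(*func["blocks"])


def matches_inject_pe(func):
    return evaluate(INJECT_PE_RULE, func)


API_MATCHES = {("characteristic", "loop"), ("match", "allocate or change RWX memory"),
               ("match", "write process memory"), ("match", "create thread")}
# Constructed: AND with 0x0FFF in one block -> matches, although the optional
# "open process" match is absent.
FUNC_A = {"features": set(API_MATCHES),
          "blocks": [{("mnemonic", "mov"), ("mnemonic", "and"), ("number", 0x0FFF)}]}
# Constructed: same API matches, but AND and 0x0FFF sit in different blocks, so
# the `basic block` node fails and the rule does not fire.
FUNC_B = {"features": set(API_MATCHES),
          "blocks": [{("mnemonic", "and")}, {("number", 0x0FFF)}]}
```

Real capa additionally resolves each `match:` leaf by evaluating the referenced rule first; here those results are supplied directly as features.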