From 9219478d354f22b265d89324ad1995c2448dbeb8 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 15 Oct 2024 18:22:20 +0200
Subject: [PATCH] feat(rules): Potential injection via .NET debugging

Identifies creation of a process on behalf of the CLR debugging facility which may be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess method to attach the debugger to the remote process.
---
 ...tential_injection_via_dotnet_debugging.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/defense_evasion_potential_injection_via_dotnet_debugging.yml

diff --git a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml
new file mode 100644
index 000000000..275fa0673
--- /dev/null
+++ b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml
@@ -0,0 +1,37 @@
+name: Potential injection via .NET debugging
+id: 193ebf2f-e365-4f57-a639-275b7cdf0319
+version: 1.0.0
+description: |
+ Identifies creation of a process on behalf of the CLR debugging facility which may
+ be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess
+ method to attach the debugger to the remote process.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1055
+ technique.name: Process Injection
+ technique.ref: https://attack.mitre.org/techniques/T1055/
+references:
+ - https://blog.xpnsec.com/debugging-into-net/
+ - https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/debugging/iclrdebugging-openvirtualprocess-method
+
+condition: >
+ spawn_process and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess')
+ and
+ not
+ ps.child.exe imatches
+ (
+ '?:\\Visual Studio\\Common?\\IDE\\devenv.exe',
+ '?:\\Program Files\\Microsoft Visual Studio\\*.exe',
+ '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe',
+ '?:\\Program Files\\IIS Express\\iisexpress.exe',
+ '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe'
+ )
+ and not ps.exe imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
+
+output: >
+ Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection
+severity: high
+
+min-engine-version: 2.0.0
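Review bot: The parent-process exclusion on the last line of the condition covers only `'?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'`, while the child-process list excludes both Program Files variants, so as far as the visible conditions go a 64-bit Visual Studio host running from `?:\\Program Files\\Microsoft Visual Studio\\` would still raise this alert; `and not ps.exe imatches ('?:\\Program Files\\Microsoft Visual Studio\\*.exe', '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe')` makes the two lists symmetric. The first child pattern `'?:\\Visual Studio\\Common?\\IDE\\devenv.exe'` has no `Program Files` component, which looks like a truncated path rather than a real install location and is worth checking against a stock installation. Every exclusion keys on image path alone, so a child launched from one of the excluded directories is suppressed regardless of who launched it; if the engine exposes signer or trust information for the child image, anchoring the exclusion on that as well would narrow that blind spot. The description could also say that the rule matches at the `spawn_process` event (the process created by the debugger host) rather than at a later attach, so analysts know which event to pivot from.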