-
Notifications
You must be signed in to change notification settings - Fork 499
/
defense_evasion_masquerading_vlc_dll.toml
80 lines (69 loc) · 2.17 KB
/
defense_evasion_masquerading_vlc_dll.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
[metadata]
bypass_bbr_timing = true
creation_date = "2023/08/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/31"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their
payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate
applications to deceive machine learning algorithms by incorporating authentic and benign code.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as VLC DLL"
risk_score = 21
rule_id = "4494c14f-5ff8-4ed2-8e99-bf816a1642fc"
severity = "low"
tags = [
"Domain: Endpoint",
"Data Source: Elastic Defend",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Persistence",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
library where host.os.type == "windows" and event.action == "load" and
dll.name : ("libvlc.dll", "libvlccore.dll", "axvlc.dll") and
not (
dll.code_signature.subject_name : ("VideoLAN", "716F2E5E-A03A-486B-BC67-9B18474B9D51")
and dll.code_signature.trusted == true
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.001"
name = "Invalid Code Signature"
reference = "https://attack.mitre.org/techniques/T1036/001/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"