From 227ace7e532edb8b26025925fe68492ff827dc24 Mon Sep 17 00:00:00 2001
From: rabbitstack <rabbitstack7@gmail.com>
Date: Fri, 8 Nov 2024 21:48:37 +0100
Subject: [PATCH] feat(rules): DLL loaded via a callback function rule

Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback function.
---
 ...asion_dll_loaded_via_callback_function.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules/defense_evasion_dll_loaded_via_callback_function.yml

diff --git a/rules/defense_evasion_dll_loaded_via_callback_function.yml b/rules/defense_evasion_dll_loaded_via_callback_function.yml
new file mode 100644
index 000000000..3f538919a
--- /dev/null
+++ b/rules/defense_evasion_dll_loaded_via_callback_function.yml
@@ -0,0 +1,42 @@
+name: DLL loaded via a callback function
+id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
+version: 1.0.0
+description: |
+  Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
+  the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
+  function.
+labels:
+   tactic.id: TA0005
+   tactic.name: Defense Evasion
+   tactic.ref: https://attack.mitre.org/tactics/TA0005/
+   technique.id: T1055
+   technique.name: Process Injection
+   technique.ref: https://attack.mitre.org/techniques/T1055/
+tags:
+  - https://github.com/hlldz/misc/tree/main/proxy_calls
+  - https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
+
+condition: >
+  sequence
+  maxspan 2m
+   |spawn_process| by ps.child.uuid
+   |load_dll and base(image.name) iin 
+      (
+        'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
+        'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
+        'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll',
+        'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll'
+      )
+    and thread.callstack.summary 
+      imatches 
+      (
+        'ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll', 
+        'ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll'
+      )
+   | by ps.uuid
+
+output: >
+  %2.image.name loaded from callback function by process %ps.exe
+severity: high
+
+min-engine-version: 2.0.0