From 83df2270b3414c4d3c752b9c66ba5b0158c80f2b Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Sun, 17 Nov 2024 15:53:41 +0100 Subject: [PATCH] feat(rules): New `Image load via NTFS transaction` rule Identifies image loading of a file written to disk via NTFS transaction. Adversaries may exploit the transactional API to execute code in the address space of the running process without committing the code to disk. --- ...vasion_image_load_via_ntfs_transaction.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/defense_evasion_image_load_via_ntfs_transaction.yml diff --git a/rules/defense_evasion_image_load_via_ntfs_transaction.yml b/rules/defense_evasion_image_load_via_ntfs_transaction.yml new file mode 100644 index 000000000..3f115ff34 --- /dev/null +++ b/rules/defense_evasion_image_load_via_ntfs_transaction.yml @@ -0,0 +1,28 @@ +name: Image load via NTFS transaction +id: ce8de3d0-0768-41a7-bab9-4eca27ed1e3c +version: 1.0.0 +description: | + Identifies image loading of a file written to disk via NTFS transaction. Adversaries may exploit + the transactional API to execute code in the address space of the running process without committing + the code to disk. +labels: + tactic.id: TA0005 + tactic.name: Defense Evasion + tactic.ref: https://attack.mitre.org/tactics/TA0005/ + technique.id: T1055 + technique.name: Process Injection + technique.ref: https://attack.mitre.org/techniques/T1055/ +references: + - https://learn.microsoft.com/en-us/windows/win32/fileio/about-transactional-ntfs + +condition: > + sequence + maxspan 2m + |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by file.name + |load_module and kevt.pid != 4| by image.name + +output: > + Image %2.image.name written via transactional NTFS and loaded afterward +severity: high + +min-engine-version: 2.0.0
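Review bot: the condition only checks a `create_file` event whose callstack contains `kernel32.dll!CreateFileTransacted*` or `ntdll.dll!RtlSetCurrentTransaction`, which also matches a transacted open for read, so the rule does not actually establish the "written to disk via NTFS transaction" behaviour that the `description` and `output` claim; either constrain the first event to a create/overwrite disposition or write access, or reword the description to "opened or created via NTFS transaction". Two smaller points on the same hunk: the labels map to the generic T1055 while the behaviour the description names (executing code from a transacted file without committing it) is the ATT&CK sub-technique T1055.013 Process Doppelgänging, which would be the more precise `technique.id`/`technique.ref`; and with `severity: high` it is worth stating in the description that legitimate TxF consumers (installers and servicing components that still use the transacted file API) can trip the same `create_file` followed by `load_module` sequence inside the `maxspan 2m` window, so tuning notes or an exclusion for known-good images should accompany the rule.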