Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added ordinal of ShellExec_RunDLL #5082

Merged
merged 6 commits into from
Dec 1, 2024
Merged

Added ordinal of ShellExec_RunDLL #5082

merged 6 commits into from
Dec 1, 2024

Conversation

swachchhanda000
Copy link
Contributor

@swachchhanda000 swachchhanda000 commented Nov 16, 2024
edited by nasbench
Loading

Summary of the Pull Request

Adversaries have been observed leveraging the ordinal number of the ShellExec_RunDLL function in the shell32.dll library instead of explicitly using the function name (ShellExec_RunDLL). This technique bypasses this current detection, which rely solely on the function name, enabling execution of arbitrary system binaries such as cmd.exe or powershell.exe.

Changelog

new: Suspicious ShellExec_RunDLL Call Via Ordinal

Example Log Event

Screen.Recording.2024-11-16.at.7.03.25.PM.mov

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 16, 2024
@frack113
Copy link
Member

frack113 commented Nov 16, 2024
edited
Loading

HI,
I was looking for malware references to add about the ordinal , I found that https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
But get
ShellExec_RunDLL | 568 | Exported Function

@swachchhanda000
Copy link
Contributor Author

HI, I was looking for malware references to add about the ordinal , I found that https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html But get ShellExec_RunDLL | 568 | Exported Function

@frack113 I also referred to the same link, but it didn't work as expected with the ordinal number 568 for ShellExec_RunDLL. It seems they got it wrong or something has changed. I will look at SHELL32.dll exported functions and their ordinal numbers
to verify it

@nasbench
Copy link
Member

HI, I was looking for malware references to add about the ordinal , I found that https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html But get ShellExec_RunDLL | 568 | Exported Function

@frack113 I also referred to the same link, but it didn't work as expected with the ordinal number 568 for ShellExec_RunDLL. It seems they got it wrong or something has changed. I will look at SHELL32.dll exported functions and their ordinal numbers to verify it

Just FYI @frack113 @swachchhanda000 This is due to different versions of the DLL somewhere in Win11 the export ordinals changed

{6BA1C772-F327-4736-B201-7E2AF6A2E30A} {DA592657-71AF-4A56-9ECE-E7E974BD3B58}

Just as a side note, you need to add all 3 variations because they achieve the same thing.

The only dangerous thing is the FP rate with cross version of windows. As long there isn't a field indicating which version of windows this is running on, there's gonna be false alerts. You could use the Imphash (if you wanna track them) as a side solution with each collection in their independent selection.

In my opinion just create a new hunting version of this that focuses on using ordinals and specify in details what I discussed here in the description

@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Nov 17, 2024
@swachchhanda000
Copy link
Contributor Author

HI, I was looking for malware references to add about the ordinal , I found that https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html But get ShellExec_RunDLL | 568 | Exported Function

@frack113 I also referred to the same link, but it didn't work as expected with the ordinal number 568 for ShellExec_RunDLL. It seems they got it wrong or something has changed. I will look at SHELL32.dll exported functions and their ordinal numbers to verify it

Just FYI @frack113 @swachchhanda000 This is due to different versions of the DLL somewhere in Win11 the export ordinals changed

{6BA1C772-F327-4736-B201-7E2AF6A2E30A} {DA592657-71AF-4A56-9ECE-E7E974BD3B58}
Just as a side note, you need to add all 3 variations because they achieve the same thing.

The only dangerous thing is the FP rate with cross version of windows. As long there isn't a field indicating which version of windows this is running on, there's gonna be false alerts. You could use the Imphash (if you wanna track them) as a side solution with each collection in their independent selection.

In my opinion just create a new hunting version of this that focuses on using ordinals and specify in details what I discussed here in the description

I think we can reduce false positives by being more specific. For example, we can include these indicators in the parentcommandline, ensuring it has spawned the child process. This means the ordinal number is effective; if it isn't, the rule won't trigger at all. To be even more precise, we can specify a rule to hunt for suspicious child processes, such as cmd.exe, powershell.exe, wscript.exe, and others.
what do you think @nasbench and @frack113 ?

@frack113
Copy link
Member

As they can be many FP with the ordinal.
Why not make a derived from d87bd452-6da1-456e-8155-7dc988157b7d for the ordonal only ?

swachchhanda1 and others added 2 commits November 25, 2024 10:54
@swachchhanda000
Copy link
Contributor Author

HI @frack113 , @nasbench ,
I have accommodated all the ordinals as suggested and made a derived rule

@nasbench @frack113
Update rules/windows/process_creation/proc_creation_win_rundll32_susp…
068223d 
…_shellexec_execution.yml

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
frack113
frack113 approved these changes Nov 26, 2024
View reviewed changes
Copy link
Member

@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The detection logic looks good to me

@nasbench nasbench removed Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Dec 1, 2024
@nasbench nasbench merged commit f39c9ac into SigmaHQ:master Dec 1, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 approved these changes

@nasbench nasbench nasbench approved these changes

Assignees
No one assigned
Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@swachchhanda000 @frack113 @nasbench