execute-shellcode-via-windows-callback-function.yml

rule:
  meta:
    name: execute shellcode via Windows callback function
    namespace: load-code/shellcode
    authors:
      - ervin.ocampo@mandiant.com
      - jakub.jozwiak@mandiant.com
      - still@teamt5.org
    description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Reflective Code Loading [T1620]
    mbc:
      - Defense Evasion::Hijack Execution Flow::Abuse Windows Function Calls [F0015.006]
    references:
      - https://github.com/ChaitanyaHaritash/Callback_Shellcode_Injection
      - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
      - http://ropgadget.com/posts/abusing_win_functions.html
      - https://github.com/aahmad097/AlternativeShellcodeExec/
      - https://osandamalith.com/2021/04/01/executing-shellcode-via-callbacks/
    examples:
      - 10cd7afd580ee9c222b0a87ff241d306:0x10008BE0
      - 268d61837aa248c1d49a973612a129ce:0x1000CEC0
      - 4a2992b4c7a1573bf7c74065e3bf5b0d:0x1000D050
      - 43db867967c71bd3aaba9a9a3084e7fa:0x140001000
  features:
    - and:
      - match: allocate or change RWX memory
      - or:
        - api: AddPropSheetPageProc
        - api: CallWindowProc
        - api: CertEnumSystemStore
        - api: CertEnumSystemStoreLocation
        - api: CreateTimerQueueTimer
        - api: CryptEnumOIDInfo
        - and:
          - api: DPA_Create
          - api: DPA_SetPtr
          - api: DPA_EnumCallback
        - and:
          - api: DSA_Create
          - api: DSA_InsertItem
          - api: DSA_EnumCallback
        - api: DrawState
        - api: EnumCalendarInfo
        - api: EnumCalendarInfoEx
        - api: EnumChildWindows
        - api: EnumDateFormats
        - api: EnumDesktops
        - api: EnumDesktopWindows
        - api: EnumDirTree
        - api: EnumDisplayMonitors
        - api: EnumFontFamilies
        - api: EnumFontFamiliesEx
        - api: EnumFonts
        - api: EnumLanguageGroupLocales
        - and:
          - or:
            - api: GetDC
            - api: GetDCEx
          - api: EnumObjects
        - api: EnumProps
        - api: EnumPropsEx
        - api: EnumPwrSchemes
        - api: EnumResourceTypes
        - api: EnumSystemCodePages
        - api: EnumSystemGeoID
        - api: EnumSystemGeoNames
        - api: EnumSystemLanguageGroups
        - api: EnumSystemLocales
        - api: EnumThreadWindows
        - api: EnumTimeFormats
        - api: EnumUILanguages
        - api: EnumWindows
        - api: EnumWindowStations
        - api: EnumerateLoadedModules
        - api: GrayString
        - api: ImmEnumInputContext
        - api: LineDDA
        - and:
          - api: SymInitialize
          - or:
            - api: SymEnumProcesses
            - api: SymRegisterCallback
        - api: VerifierEnumerateResource