// Detects hollow.exe by the console messages compiled into it.
// NOTE(review): these are printf-style templates (%s, %d, %#zx), so the rule
// matches the binary on disk or a memory dump of it, not the rendered stdout
// where the placeholders have already been substituted.
rule output
{
    meta:
        author = "MITRE Engenuity"
        date = "2/16/2021"
        description = "Used to detect output from hollow.exe"
    strings:
        // banner and launch of the (svchost-style, "-k netsrv") target
        $banner       = "[---> Process Hollow <---]"
        $run_target   = "[*] Running the target executable (%s)"
        $target_args  = "-k netsrv"
        $err_create   = "Error: Unable to run the target executable. CreateProcess failed with error %d"
        $suspended    = "Process created in suspended state (%s PID: %d)"
        // hollowing steps as the tool reports them: unmap, allocate, write, retarget, resume
        $unmapped     = "Memory unmapped from child process!"
        $err_format   = "Error: Invalid executable format."
        $alloc_rwx    = "Allocating RWX memory in child process."
        $err_alloc    = "Error: Unable to allocate memory in child process. VirtualAllocEx failed with error %d"
        $alloc_addr   = "Memory allocated. Address: %#zx"
        $write_image  = "Writing executable image into child process."
        $entry_point  = "New entry point: %#zx"
        $set_context  = "Setting the context of the child process's primary thread."
        $resume       = "Resuming child process's primary thread."
        $resumed      = "Thread resumed."
    condition:
        // Every message is required. Strings use YARA's default `ascii`
        // modifier (no `wide`), so a build that stores these as UTF-16 or
        // strips/obfuscates its text will not match.
        all of them
}
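// Detects hollow.exe by the Windows API names it carries as plain ASCII
// strings (presumably import-table entries or GetProcAddress arguments;
// confirm against the sample). Case-sensitive; every name is required.
// Fix: the description meta read "funtions".
rule functions
{
    meta:
        author = "MITRE Engenuity"
        date = "2/16/2021"
        description = "Used to detect functions associated with hollow.exe"
    strings:
        // Native-API names that make up the hollowing sequence itself:
        // inspect/unmap the suspended child's image, write the payload,
        // retarget the primary thread's context and resume it.
        $function7 = "NtQueryInformationProcess"
        $function8 = "NtReadVirtualMemory"
        $function12 = "NtUnmapViewOfSection"
        $function11 = "NtWriteVirtualMemory"
        $function6 = "NtGetContextThread"
        $function10 = "NtSetContextThread"
        $function14 = "NtResumeThread"
        $function13 = "NtTerminateProcess"
        $function9 = "NtClose"
        // Win32 side: spawn the child and allocate/read its memory.
        $function4 = "CreateProcessA"
        $function2 = "VirtualAllocEx"
        $function3 = "ReadProcessMemory"
        $function1 = "GetLastError"
        $function5 = "KERNEL32.dll"
        // MSVC CRT start-up imports. These appear in almost every MSVC-built
        // PE, so under `all of them` they only narrow matches, never widen them.
        $function15 = "RtlCaptureContext"
        $function16 = "RtlLookupFunctionEntry"
        $function17 = "RtlVirtualUnwind"
        $function18 = "UnhandledExceptionFilter"
        $function19 = "SetUnhandledExceptionFilter"
        $function22 = "IsProcessorFeaturePresent"
        $function23 = "QueryPerformanceCounter"
        $function24 = "GetCurrentProcessId"
        $function25 = "GetCurrentThreadId"
        $function26 = "GetSystemTimeAsFileTime"
        $function27 = "InitializeSListHead"
        $function28 = "IsDebuggerPresent"
        $function29 = "GetModuleHandleW"
        $function30 = "ExitProcess"
        // NOTE(review): the next three are substrings of names above
        // ("VirtualAlloc" of "VirtualAllocEx", "GetCurrentProcess" of
        // "GetCurrentProcessId", "TerminateProcess" of "NtTerminateProcess"),
        // so they add no constraint under `all of them`. Kept so the string
        // set and `yara -s` output are unchanged.
        $function31 = "VirtualAlloc"
        $function20 = "GetCurrentProcess"
        $function21 = "TerminateProcess"
    condition:
        // Requiring all 31 names is deliberate for specificity, but a build
        // that resolves APIs by hash or strips import names will not match.
        all of them
}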
// Detects hollow.exe by build artefacts and a handful of generic strings.
// NOTE(review): the two "ProcessHollowing*" strings look like a source
// directory name and a PDB file name left in by the build; a rebuild with
// symbols stripped or a different path would evade this rule. The other
// three strings are common and only narrow the match under `all of them`.
rule hollow_strings
{
    meta:
        author = "MITRE Engenuity"
        date = "7/17/2020"
        description = "Used to detect strings associated with hollow.exe"
    strings:
        // generic, case-sensitive ASCII (no `nocase`/`wide`)
        $payload_tag = "PAYLOAD:"
        $ntdll       = "ntdll.dll"
        $wininet     = "wininet"
        // build artefacts (original ids were $string6/$string7; $string4/5 were absent)
        $src_dir     = "ProcessHollowing32-64-master"
        $pdb_name    = "ProcessHollowing.pdb"
    condition:
        all of them
}