# capa rule: "enumerate process modules" (Discovery, T1057).
#
# Three alternative detection branches are described under `features:`:
#   1. PSAPI-style enumeration (K32EnumProcessModules* / EnumProcessModules*),
#      optionally bracketed by OpenProcess / CloseHandle on the target process.
#   2. Toolhelp-style enumeration (Module32First / Module32Next), optionally
#      preceded by CreateToolhelp32Snapshot called with a TH32CS_SNAPMODULE*
#      flag combination.
#   3. .NET enumeration via System.Diagnostics.Process::Modules and the
#      ProcessModuleCollection indexer.
#
# NOTE(review): the indentation of this file was reconstructed from a
# flattened rendering; the nesting of the `basic block:` / `call:` scopes
# under `optional:` is the most plausible reading and should be confirmed
# against the upstream rule before relying on it.
rule:
  meta:
    name: enumerate process modules
    namespace: host-interaction/process/modules/list
    authors:
      # NOTE(review): author entries are not visible in this rendering of the
      # file — restore them from the upstream rule; capa expects a non-empty
      # list here.
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::Process Discovery [T1057]
    examples:
      - 6F99A2C8944CB02FF28C6F9CED59B161:0x419FF8
      - 9B2FD471274C41626B75DDBB5C897877:0x100046B0
  features:
    - or:
      # branch 1: PSAPI enumeration
      - and:
        - optional:
          - or:
            - api: kernel32.OpenProcess
            - api: kernel32.CloseHandle
        - or:
          - api: kernel32.K32EnumProcessModules
          - api: kernel32.K32EnumProcessModulesEx
          - api: kernel32.K32EnumProcesses
          # depending on OS version these are exported from kernel32 or psapi,
          # so the unqualified names are matched as well
          - api: EnumProcessModules
          - api: EnumProcessModulesEx
          - api: EnumProcesses
      # branch 2: Toolhelp snapshot walk
      - and:
        - api: kernel32.Module32First
        - api: kernel32.Module32Next
        - optional:
          # static analysis: snapshot flags and call in the same basic block
          - basic block:
            - and:
              - or:
                - number: 0x8 = TH32CS_SNAPMODULE
                - number: 0x10 = TH32CS_SNAPMODULE32
                - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32
              - api: kernel32.CreateToolhelp32Snapshot
          # dynamic analysis: same flags observed as arguments of one call
          - call:
            - and:
              - or:
                - number: 0x8 = TH32CS_SNAPMODULE
                - number: 0x10 = TH32CS_SNAPMODULE32
                - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32
              - api: kernel32.CreateToolhelp32Snapshot
      # branch 3: .NET managed API
      - and:
        - property/read: System.Diagnostics.Process::Modules
        - property/read: System.Diagnostics.ProcessModuleCollection::Item