sigma, high, Hunting
HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
Detection Query
selection:
    SourceImage|endswith: \winword.exe
    CallTrace|contains|all:
        - :\Windows\Microsoft.NET\Framework64\v2.
        - UNKNOWN
condition: selection
Author
Christian Burkard (Nextron Systems)
Created
2021-08-09
Data Sources
windows, Process Access Events
Platforms
windows
Tags
attack.defense-evasion, attack.execution, attack.privilege-escalation, attack.t1204.002, attack.t1055.003
Raw Content
title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
    - https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-11-28
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.privilege-escalation
    - attack.t1204.002
    - attack.t1055.003
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\winword.exe'
        CallTrace|contains|all:
            - ':\Windows\Microsoft.NET\Framework64\v2.'
            - 'UNKNOWN'
    condition: selection
falsepositives:
    - Unknown
level: high