forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
evasion_ntdll_from_unusual_path.py
43 lines (33 loc) · 1.38 KB
/
evasion_ntdll_from_unusual_path.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
from pathlib import Path
from . import RtaMetadata, common
metadata = RtaMetadata(
uuid="e6d5315f-4c70-4788-8564-e7c23786a4d0",
platforms=["windows"],
endpoint=[{"rule_name": "NTDLL Loaded from an Unusual Path", "rule_id": "3205274e-7eb0-4765-a712-5783361091ae"}],
siem=[],
techniques=["T1055"],
)
@common.requires_os(*metadata.platforms)
def main():
import time
from os import path
import win32api
import win32file
win32file.CopyFile(path.expandvars("%systemroot%\\system32\\ntdll.dll"), path.expandvars("%localappdata%\\Temp\\notntdll.dll"), 0)
if Path(path.expandvars("%localappdata%\\Temp\\notntdll.dll")).is_file():
print(f"[+] - NTDLL copied")
r = win32api.LoadLibrary(path.expandvars("%localappdata%\\Temp\\notntdll.dll"))
if r > 0 :
print(f"[+] - NTDLL copy loaded")
time.sleep(1)
win32api.FreeLibrary(r)
win32file.DeleteFile(path.expandvars("%localappdata%\\Temp\\notntdll.dll"))
print(f'[+] - NTDLL copy deleted')
else :
print('f[+] - Failed to load ntdll')
if __name__ == "__main__":
exit(main())