Peeling back the curtain with call stacks — Elastic Security Labs
Common Information

Type                              Value
UUID                              9c09a42b-dffa-4410-94e4-38b07b23c0de
Fingerprint                       3a1ec133a9b6d654
Analysis status                   DONE
Considered CTI value              0
Text language
Published                         Sept. 13, 2023, midnight
Added to db                       Nov. 20, 2023, 1:02 a.m.
Last updated                      Nov. 17, 2024, 7:44 p.m.
Headline                          Peeling back the curtain with call stacks
Title                             Peeling back the curtain with call stacks — Elastic Security Labs
Detected Hints/Tags/Attributes    65/2/44
RSS Feed

Id    Enabled    Feed title              Url                                                  Added to db
306              Elastic Security Labs   https://www.elastic.co/security-labs/rss/feed.xml    2024-08-30 22:08
Attributes

Type                    Value                                          #Events    CTI Value
Domain                  process.parent.name                            21
Domain                  dll.name                                       5
Domain                  process.name                                   55
Domain                  file.ext.original.name                         1
Domain                  mscorlib.ni                                    2
Domain                  github.com                                     4127
Domain                  user.id                                        18
Domain                  registry.data                                  6
File                    notepad.exe                                    380
File                    user32.dll                                     291
File                    wmiprvse.exe                                   142
File                    wmic.exe                                       240
File                    wbemcons.dll                                   1
File                    svchost.exe                                    1122
File                    ubpm.dll                                       2
File                    explorer.exe                                   1260
File                    wscript.exe                                    376
File                    cmd.exe                                        2125
File                    zipfld.dll                                     1
File                    ntdll.dll                                      533
File                    process.exe                                    49
File                    werfault.exe                                   81
File                    faultrep.dll                                   10
File                    ws2_32.dll                                     130
File                    winhttp.dll                                    34
File                    wininet.dll                                    146
File                    explore.exe                                    15
File                    winword.exe                                    323
File                    excel.exe                                      199
File                    powerpnt.exe                                   92
File                    kernelbase.dll                                 82
File                    kernel32.dll                                   748
File                    ni.dll                                         16
File                    wow64.dll                                      17
File                    wow64cpu.dll                                   12
File                    spoolsv.exe                                    131
File                    localspl.dll                                   5
File                    win32u.dll                                     9
File                    regsvc.dll                                     3
File                    rpcrt4.dll                                     41
File                    registry.dat                                   7
Github username         rbmm                                           2
Url                     https://github.com/rbmm/ldrpkernel32dllname    1
Windows Registry Key    HKLM\SYSTEM\ControlSet                         1