feat(rules): New DLL loaded via APC queue rule

Identifies loading of a DLL with a callstack originating from the thread alertable state that led to the execution of an APC routine. This may be indicative of sleep obfuscation or process injection attempt.

Author: rabbitstack

rules/defense_evasion_dll_loaded_via_apc_queue.yml

@@ -0,0 +1,33 @@
+name: DLL loaded via APC queue
+id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e
+version: 1.0.0
+description: |
+  Identifies loading of a DLL with a callstack originating from the thread
+  alertable state that led to the execution of an APC routine. This may be
+  indicative of sleep obfuscation or process injection attempt.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.name: Process Injection
+  technique.ref: https://attack.mitre.org/techniques/T1055/
+  subtechnique.id: T1055.003
+references:
+  - https://github.com/Idov31/Cronos
+
+condition: >
+  load_dll and base(image.name) iin 
+    (
+      'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
+      'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
+      'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll',
+      'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll'
+    )
+    and 
+  thread.callstack.symbols imatches ('ntdll.dll!KiUserApcDispatcher')
+    and
+  thread.callstack.symbols imatches ('ntdll.dll!ZwDelayExecution')
+    and
+  thread.callstack.symbols imatches ('KernelBase.dll!Sleep*')
+
+min-engine-version: 2.0.0