[New Rule] Suspicious Process Access via Direct System Call (#1536)

* [New Rule] Suspicious Process Access via Direct System Call

* updated query to also catch CallTrace entries from non-ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 81a62f5f68)
Samirbous
2021-11-15 10:18:26 +01:00
committed by github-actions[bot]
parent 06340b69b0
commit cb1a765524
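--- /dev/null
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2021/10/11"
+maturity = "production"
+updated_date = "2021/10/11"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland
+Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked
+functions by writing malicious functions that call syscalls directly.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Process Access via Direct System Call"
+references = [
+"https://twitter.com/SBousseaden/status/1278013896440324096",
+"https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+]
+risk_score = 73
+rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where event.code == "10" and
+length(winlog.event_data.CallTrace) > 0 and
+/* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
+not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"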
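Review bot: The `description` still says the rule identifies process access "from unknown memory region", but the `not winlog.event_data.CallTrace : (...)` predicate in `query` fires on any CallTrace whose leading frame is not ntdll.dll, which the commit message describes as a deliberate broadening to non-ntdll modules; the prose should state that so analysts are not surprised by hits whose first frame is a named, signed module. The rule also ships with no `false_positives` entry and no `note`, so an analyst triaging a high-severity alert gets no guidance; I would add `false_positives = ["Some security products and other legitimate software may issue system calls without passing through ntdll.dll, producing CallTrace values that do not start with ntdll.dll."]` and a `note` directing the analyst to review `winlog.event_data.SourceImage`, `winlog.event_data.TargetImage`, `winlog.event_data.GrantedAccess` and whether the leading CallTrace frame is an unbacked address rather than a module path. Note that the two exclusion patterns assume the Windows directory is literally `?:\WINDOWS`; an install with a non-default system root would presumably make every access event match, which is worth a comment in the query if that is accepted.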