From cb1a76552489aeadcf2cfcbca021ae53b26bedbf Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 15 Nov 2021 10:18:26 +0100
Subject: [PATCH] [New Rule] Suspicious Process Access via Direct System Call (#1536)
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 81a62f5f683260a6816339a055a6c5dffb971410)
---
 ...picious_process_access_direct_syscall.toml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
new file mode 100644
index 000000000..3621e7ec3
--- /dev/null
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2021/10/11"
+maturity = "production"
+updated_date = "2021/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland
+Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked
+functions by writing malicious functions that call syscalls directly.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Process Access via Direct System Call"
+references = [
+ "https://twitter.com/SBousseaden/status/1278013896440324096",
+ "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"
+]
+risk_score = 73
+rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.code == "10" and
+ length(winlog.event_data.CallTrace) > 0 and
+
+ /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */
+ not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
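Review bot: The `description` still says the rule identifies process access "from unknown memory region", but the committed query fires on any Sysmon event 10 whose CallTrace does not begin in ntdll.dll, whether the first frame is an unbacked region or a named module (the commit message says it was widened to non-ntdll modules), so the text undersells what will alert; consider `Identifies process access events whose Sysmon CallTrace does not start in ntdll.dll, meaning the NT system call was issued directly from an unknown memory region or from a module other than ntdll.` Two caveats belong in the description or a `note` field: a caller using an indirect syscall (jumping to the `syscall; ret` stub inside ntdll so the return address lands in ntdll) still satisfies the `not winlog.event_data.CallTrace : (...)` exclusion, so this covers direct syscalls only; and the exclusion wildcards the drive letter but hard-codes the `WINDOWS` directory name, so a host with a non-default system root would presumably match on every event 10. Since the rule ships at `severity = "high"` with no per-process exclusions, a `false_positives` entry for legitimate software that issues syscalls from its own modules (possibly some security or anti-cheat agents) would give analysts a starting point for tuning.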