Suspicious Process Access via Direct System Call
Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/10/11"
integration = ["windows"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook
userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass
hooked functions by writing malicious functions that call syscalls directly.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Access via Direct System Call"
references = [
    "https://twitter.com/SBousseaden/status/1278013896440324096",
    "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs",
]
risk_score = 73
rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Resources: Investigation Guide",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.code == "10" and
  length(winlog.event_data.CallTrace) > 0 and

  /* Sysmon CallTrace starting with an unknown memory module instead of ntdll, which hosts the Windows NT syscalls */
  not winlog.event_data.CallTrace :
        ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*",
         "?:\\WINDOWS\\SysWOW64\\ntdll.dll*",
         "?:\\Windows\\System32\\sysfer.dll*",
         "?:\\Windows\\System32\\wow64cpu.dll*",
         "?:\\WINDOWS\\System32\\wow64win.dll*",
         "?:\\Windows\\System32\\win32u.dll*",
         "?:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\*\\sysfer.dll*") and

  not winlog.event_data.TargetImage :
        ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe",
         "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
         "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe",
         "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and

  not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
                             "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and
       not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe")
'''

note = """## Triage and analysis

### Investigating Suspicious Process Access via Direct System Call

#### Possible investigation steps

- What did the Sysmon process-access event prove?
  - Focus: `winlog.event_data.SourceImage`, `winlog.event_data.SourceProcessGUID`, `winlog.event_data.TargetImage`, `winlog.event_data.GrantedAccess`, and `winlog.event_data.CallTrace`.
  - Implication: escalate when the call trace starts in UNKNOWN or unbacked memory before the Windows syscall layer and the source opens lsass.exe, a browser, or a security process with memory-read, memory-write, thread, duplicate-handle, or all-access rights; lower concern only when the same source-target-access pattern matches recognized EDR, anti-exploit, debugger, accessibility, anti-cheat, or browser instrumentation.
- Which source process instance made the access?
  - Focus: recover the source process start on `host.id` using `process.entity_id`, or `winlog.event_data.SourceProcessGUID` plus `process.pid` and alert-time proximity as a weaker fallback; review `process.executable`, `process.hash.sha256`, PE metadata, and code signature. $investigate_0
  - Hint: hash, PE metadata, and signature fields are optional; if absent, keep disposition tied to source path, GUID/PID recovery, parent or command context, and target/access evidence rather than closing.
  - Implication: escalate when the source is unsigned, recently dropped, user-writable, renamed, or mismatched to PE metadata; lower concern only when identity, signer or hash, path, and recovery context fit the same recognized security, debugger, accessibility, anti-cheat, or instrumentation workflow.
- Did launch and user context fit that workflow?
  - Focus: recovered `process.command_line`, parent executable/command line, alert `user.id`, and session context.
  - Hint: join `process.Ext.authentication_id` to `winlog.event_data.TargetLogonId` only when session origin changes severity; if absent, keep origin unresolved and rely on alert user plus recovered session context.
  - Implication: escalate when Office, browsers, script hosts, archive tools, LOLBins, or remote-interactive sessions launch the accessor; lower concern when parent, command line, account, and session type fit the same recognized low-level tool. If process/session fields cannot be recovered, treat the gap as unresolved, not benign.
- Did the same source process create dumping, injection, or staging artifacts?
  - Focus: same-source child starts and file events where `file.path` shows dump output, temp staging, payload drops, or renamed executable content. $investigate_1 $investigate_2
  - Hint: use the transform when `process.entity_id` is present; otherwise repeat the `host.id` plus `process.pid` alert-time fallback from source recovery.
  - Implication: escalate when the source writes dumps, stages payloads, or spawns tooling after access; missing process or file telemetry is unresolved, not benign.
- Did the same source process communicate after access?
  - Focus: process-scoped DNS `dns.question.name` and connections to `destination.ip`.
  - Hint: correlate DNS to destination IP only after matching the same recovered process, `host.id`, and surrounding time window. $investigate_3
  - Implication: escalate when the source reaches rare or misaligned destinations, connects directly to public IPs, or talks outbound after accessing a sensitive process; missing network telemetry is unresolved, not benign.
- If local evidence remains suspicious or unresolved, is there related activity for the same user, host, or source binary?
  - Focus: related alerts for `user.id`, `host.id`, and recovered `process.hash.sha256` when available, especially process-access, dump-file, injection, credential-access, or persistence alerts.
  - Hint: start with user-scoped alerts when the alert user is meaningful. $investigate_4
  - Hint: use host-scoped alerts when the source runs as a service identity or user context is sparse. $investigate_5
  - Implication: broaden scope only when local source, target, access, identity, or follow-on evidence remains suspicious or unresolved; expand containment and credential scoping when related alerts show the same access pattern beyond one process.
- Escalate unauthorized direct-syscall access to credential-bearing, browser, or security processes when source-target-access-call-trace, recovered identity, launch/session context, or follow-on evidence remain suspicious; close only when those categories bind to one recognized workflow with outside confirmation for any legitimacy gap; preserve and escalate mixed evidence or visibility gaps.

### False positive analysis

- Security agents, anti-exploit tools, debuggers, accessibility tools, anti-cheat systems, browser or PDF instrumentation, backup, and virtualization tools can perform low-level process access. Confirm source executable, signer or hash history, parent workflow, target cohort, access mask, call-trace shape, user/session context, recurrence, and quiet follow-on telemetry all align with one exact product workflow; require owner, inventory, vendor, or change evidence for legitimacy gaps. Recurrence is only corroboration: require the same stable source identity, parent/session context, target cohort, access pattern, and lack of dump or staging artifacts for the same `host.id` and `user.id`.
- Build exceptions from the minimum confirmed pattern: recovered source executable or signer, recovered parent workflow, `winlog.event_data.TargetImage`, access-mask class, first-frame call-trace shape, and relevant `host.id` or `user.id` scope. Avoid exceptions on `winlog.event_data.GrantedAccess`, `winlog.event_data.CallTrace`, process name, or target image alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the source identity, launch/session context, source-target-access-call-trace tuple, target cohort, and evidence that confirmed the product workflow. Create an exception only for the exact recurring pattern.
- If suspicious but unconfirmed, preserve the alert record, Sysmon Event ID 10 details, source and target process GUIDs, call trace string, recovered process start, relevant authentication records, dump files, staged payloads, and network indicators before containment or cleanup.
- Apply reversible containment first: heightened monitoring, temporary outbound restrictions, or response-tool policy on the affected `host.id`. Escalate to host isolation or process suspension only when the target sensitivity, access rights, identity evidence, or follow-on artifacts indicate likely dumping, injection, or credential theft.
- If confirmed malicious, isolate the endpoint and suspend or terminate the recovered source process after recording its identity, command line, parent chain, source-target pair, access mask, call trace, staged files, and network indicators. If direct response is unavailable, hand off that evidence set to the team that can isolate the host or account.
- If the target process held credentials, browser secrets, or security-product context, scope related users, sessions, tokens, and hosts before credential resets or broad process termination so evidence and blast radius are not lost.
- Eradicate only the dump files, injectors, loaders, persistence artifacts, or staged payloads identified during the investigation, then remediate the launcher, delivery path, or exposed credential path that enabled the direct-syscall process access.
- Post-incident hardening: retain Sysmon Event ID 10 plus supporting process, file, network, and Windows Security telemetry, and document direct NtOpenProcess, unhooking, or call-stack-spoofing variants observed in the case for future detection review."""

setup = """## Setup

This rule requires Sysmon telemetry to be enabled and ingested.

Setup instructions: https://ela.st/sysmon-event-10-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.code",
    "host.name",
    "host.id",
    "user.id",
    "process.entity_id",
    "process.pid",
    "process.name",
    "process.executable",
    "winlog.event_data.SourceProcessGUID",
    "winlog.event_data.SourceImage",
    "winlog.event_data.TargetProcessGUID",
    "winlog.event_data.TargetImage",
    "winlog.event_data.GrantedAccess",
    "winlog.event_data.CallTrace",
]

[transform]

[[transform.investigate]]
label = "Events for the same source process on this host"
description = ""
providers = [
    [
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child process starts from the source process"
description = ""
providers = [
    [
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the source process"
description = ""
providers = [
    [
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network and DNS events for the source process"
description = ""
providers = [
    [
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
    ],
    [
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "dns", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
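To see how the EQL above decides, the following added Python (not Elastic's code) replays the rule's first-frame CallTrace check and both exclusion lists over constructed Sysmon Event ID 10 records. It assumes the source's `process.executable` equals `winlog.event_data.SourceImage`, and the sample paths, offsets and access masks are invented for the test.

```python
import fnmatch

# First-frame modules the rule treats as the legitimate NT syscall layer (patterns copied from the rule).
SYSCALL_LAYER = [
    r"?:\WINDOWS\SYSTEM32\ntdll.dll*", r"?:\WINDOWS\SysWOW64\ntdll.dll*",
    r"?:\Windows\System32\sysfer.dll*", r"?:\Windows\System32\wow64cpu.dll*",
    r"?:\WINDOWS\System32\wow64win.dll*", r"?:\Windows\System32\win32u.dll*",
    r"?:\ProgramData\Symantec\Symantec Endpoint Protection\*\sysfer.dll*",
]
# Target processes the rule excludes outright.
EXCLUDED_TARGETS = [
    r"?:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe",
    r"?:\Program Files\Cisco\AMP\*\sfc.exe",
    r"?:\Program Files (x86)\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe",
    r"?:\Program Files\Adobe\Acrobat DC\Acrobat\*\AcroCEF.exe",
]
# Source processes the rule tolerates, but only while they are not opening lsass.exe.
EXCLUDED_SOURCES = [
    r"?:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    r"?:\Program Files (x86)\World of Warcraft\_classic_\WowClassic.exe",
]
LSASS = [r"?:\WINDOWS\system32\lsass.exe"]

# Constructed Sysmon Event ID 10 records (not real telemetry); keys mirror winlog.event_data.*.
SAMPLE_EVENTS = {
    "edr_scan": {  # benign shape: the trace enters the kernel through ntdll
        "SourceImage": r"C:\Program Files\ExampleEDR\scanner.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
        "CallTrace": r"C:\WINDOWS\SYSTEM32\ntdll.dll+9d2e4|C:\Program Files\ExampleEDR\scanner.exe+1f0a",
    },
    "direct_syscall": {  # suspicious: first frame is unbacked memory and ntdll never appears
        "SourceImage": r"C:\Users\Public\loader.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
        "CallTrace": r"UNKNOWN(00007FF6A1B20000)|C:\Users\Public\loader.exe+2c10",
    },
    "acrobat_cef": {  # suppressed: the target image is on the rule's exclusion list
        "SourceImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        "TargetImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\24.1\AcroCEF.exe", "GrantedAccess": "0x1410",
        "CallTrace": r"UNKNOWN(00007FF6B0000000)|C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe+4a0",
    },
    "empty_trace": {  # ignored: Sysmon captured no call trace, so length(CallTrace) > 0 fails
        "SourceImage": r"C:\Users\Public\loader.exe", "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1fffff", "CallTrace": "",
    },
}


def eql_match(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match where '?' is one char and '*' any run."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def parse_call_trace(call_trace):
    """Split a CallTrace into (module, hex_offset) frames; frames are '|'-separated 'module+offset'."""
    frames = []
    for frame in filter(None, call_trace.split("|")):
        module, plus, offset = frame.rpartition("+")
        frames.append((module, offset) if plus else (frame, ""))  # UNKNOWN(...) frames carry no offset
    return frames


def should_alert(event):
    """Mirror the rule: fire when a trace exists, does not start in the syscall layer, and no exclusion applies."""
    trace = event.get("CallTrace", "")
    if not trace or eql_match(trace, SYSCALL_LAYER):
        return False
    if eql_match(event["TargetImage"], EXCLUDED_TARGETS):
        return False
    # Tolerated sources are still flagged when they open lsass.exe.
    if eql_match(event["SourceImage"], EXCLUDED_SOURCES) and not eql_match(event["TargetImage"], LSASS):
        return False
    return True
```

`parse_call_trace` is the piece to reuse when building exceptions on "first-frame call-trace shape" as the note recommends, since it exposes the leading module without the volatile offsets.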
Related rules
- Unusual Executable File Creation by a System Critical Process
- GenAI Process Compiling or Generating Executables
- Persistence via Hidden Run Key Detected
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
- UAC Bypass via ICMLuaUtil Elevated COM Interface