Direct Syscall of NtOpenProcess
Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
Sigma rule (View on GitHub)
title: Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: experimental
description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton
date: 2021/07/28
modified: 2023/03/22
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    falsepositive1:
        TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe'
        SourceImage: 'C:\Windows\Explorer.EXE'
    falsepositive2:
        TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
        SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        SourceImage|endswith: '\MicrosoftEdgeUpdate.exe'
    falsepositive3:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    falsepositive4:
        TargetImage: 'C:\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    falsepositive5:
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
    falsepositive6:
        TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
        SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    falsepositive7: # VsCode
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    falsepositive8: # Google Chrome
        TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    falsepositive9: # Google Chrome Update
        TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
        SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
    falsepositive10: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    falsepositives11:
        TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe'
        SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe'
    falsepositives12:
        TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
        SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
    falsepositives13: # Discord
        TargetImage|startswith: 'C:\Users\'
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    falsepositives14:
        TargetImage: 'C:\WINDOWS\system32\AUDIODG.EXE'
    falsepositives15:
        SourceImage|startswith: 'C:\Users\'
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|startswith: 'C:\Users\'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    falsepositives_mixed:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    condition: selection and not 1 of falsepositive*
falsepositives:
    - Unknown
level: high
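The following is an added example, not code from the Sigma project: a small evaluator that applies this rule's selection and a subset of its falsepositive* filters to constructed Sysmon Event ID 10 (process_access) records, so the suppression logic (including the GrantedAccess and Provider_Name edge cases) can be checked offline. The event contents are constructed sample values.

```python
# Added example, not part of the Sigma project: evaluates the core of this rule over
# constructed Sysmon Event ID 10 (process_access) records. A CallTrace beginning with
# UNKNOWN means the first return address lies outside any loaded module, which is what
# a direct syscall stub leaves behind. Only a subset of falsepositive* is carried over.
FALSE_POSITIVES = {  # field -> (modifier, value); all pairs must match, like a Sigma map
    "falsepositive1": {
        "TargetImage": ("eq", r"C:\Program Files\Cylance\Desktop\CylanceUI.exe"),
        "SourceImage": ("eq", r"C:\Windows\Explorer.EXE"),
    },
    "falsepositives15": {  # Yammer, only for the 0x1000 access mask
        "SourceImage": ("contains", r"\AppData\Local\yammerdesktop\app-"),
        "TargetImage": ("contains", r"\AppData\Local\yammerdesktop\app-"),
        "GrantedAccess": ("eq", "0x1000"),
    },
    "falsepositive_kerneltrace_edge": {
        "Provider_Name": ("eq", "Microsoft-Windows-Kernel-Audit-API-Calls"),
    },
}

def _match(value, modifier, pattern):
    # Sigma string comparisons are case-insensitive
    v, p = (value or "").lower(), pattern.lower()
    return {"eq": v == p, "startswith": v.startswith(p),
            "endswith": v.endswith(p), "contains": p in v}[modifier]

def evaluate(event):
    """'alert' when selection holds and no filter matches, 'suppressed:<name>'
    when a falsepositive filter absorbs it, 'no-match' otherwise."""
    if not _match(event.get("CallTrace"), "startswith", "UNKNOWN"):
        return "no-match"
    for name, fields in FALSE_POSITIVES.items():
        if all(_match(event.get(f), m, p) for f, (m, p) in fields.items()):
            return "suppressed:" + name
    return "alert"

# constructed events; the first one has no known module at the top of the stack
EVENTS = [
    {"SourceImage": r"C:\Users\bob\beacon.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1040", "CallTrace": r"UNKNOWN(00007FF6A1B21234)|C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Windows\Explorer.EXE", "TargetImage": r"C:\Program Files\Cylance\Desktop\CylanceUI.exe",
     "GrantedAccess": "0x1000", "CallTrace": "UNKNOWN(00007FF6A1B20000)"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": "UNKNOWN(19290435374)", "Provider_Name": "Microsoft-Windows-Kernel-Audit-API-Calls"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2a6fd"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(evaluate(e), e["SourceImage"], "->", e["TargetImage"])
```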