Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
Sigma rule (View on GitHub)
1title: Potential Direct Syscall of NtOpenProcess
2id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
3status: test
4description: Detects potential calls to NtOpenProcess directly from NTDLL.
5references:
6 - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
7author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
8date: 2021-07-28
9modified: 2023-12-13
10tags:
11 - attack.execution
12 - attack.t1106
13logsource:
14 category: process_access
15 product: windows
16detection:
17 selection:
18 CallTrace|startswith: 'UNKNOWN'
19 filter_main_vcredist:
20 TargetImage|endswith: 'vcredist_x64.exe'
21 SourceImage|endswith: 'vcredist_x64.exe'
22 filter_main_generic:
23 # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
24 SourceImage|contains:
25 - ':\Program Files (x86)\'
26 - ':\Program Files\'
27 - ':\Windows\System32\'
28 - ':\Windows\SysWOW64\'
29 - ':\Windows\WinSxS\'
30 TargetImage|contains:
31 - ':\Program Files (x86)\'
32 - ':\Program Files\'
33 - ':\Windows\System32\'
34 - ':\Windows\SysWOW64\'
35 - ':\Windows\WinSxS\'
36 filter_main_kerneltrace_edge:
37 # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
38 Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
39 filter_optional_vmware:
40 TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
41 SourceImage|endswith: 'setup64.exe' # vmware
42 filter_optional_cylance:
43 SourceImage|endswith: ':\Windows\Explorer.EXE'
44 TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
45 filter_optional_amazon:
46 SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
47 TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
48 filter_optional_vscode: # VsCode
49 SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
50 TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
51 filter_optional_teams: # MS Teams
52 TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
53 SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
54 filter_optional_discord: # Discord
55 TargetImage|contains: '\AppData\Local\Discord\'
56 TargetImage|endswith: '\Discord.exe'
57 filter_optional_yammer:
58 SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
59 SourceImage|endswith: '\Yammer.exe'
60 TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
61 TargetImage|endswith: '\Yammer.exe'
62 GrantedAccess: '0x1000'
63 filter_optional_evernote:
64 TargetImage|endswith: '\Evernote\Evernote.exe'
65 filter_optional_adobe_acrobat:
66 SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
67 SourceImage|endswith: '\AcroCEF.exe'
68 TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
69 TargetImage|endswith: '\AcroCEF.exe'
70 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
71falsepositives:
72 - Unknown
73level: medium
References
-
Direct system calls are a popular technique used by attackers to bypass certain EDR solutions. In this blog we deep-dive into how direct…
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- BPFDoor Abnormal Process ID or Lock File Accessed
- HackTool - CobaltStrike BOF Injection Pattern
- HackTool - HandleKatz Duplicating LSASS Handle