Detection rules › Elastic
Suspicious Process Access via Direct System Call
Identifies suspicious process access events whose call stack begins in an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide whether the code being executed is malicious. Those hooks can be bypassed by code that invokes system calls directly instead of going through the hooked API functions, so the access shows up with no ntdll.dll frame at the top of the stack.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1106 Native API |
| Privilege Escalation | T1055 Process Injection |
| Defense Evasion | T1055 Process Injection |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 10 | ProcessAccess |
Stages and Predicates
Stage 1: eql:process
not (not winlog.event_data.TargetImage:"?:\\WINDOWS\\system32\\lsass.exe" and process.executable:"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe")
and not winlog.event_data.CallTrace:"?:\\WINDOWS\\SYSTEM32\\ntdll.dll*"
and not winlog.event_data.TargetImage:"?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe"
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | TargetImage | eq | ?:\WINDOWS\system32\lsass.exe |
| 2 | Image | eq | ?:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe, ?:\Program Files (x86)\World of Warcraft\_classic_\WowClassic.exe |
| 3 | CallTrace | wildcard | ?:\WINDOWS\SYSTEM32\ntdll.dll*, ?:\WINDOWS\SysWOW64\ntdll.dll*, ?:\WINDOWS\System32\sysfer.dll*, ?:\Windows\System32\wow64cpu.dll*, ?:\WINDOWS\System32\wow64win.dll*, ?:\Windows\System32\win32u.dll*, ?:\ProgramData\Symantec\Symantec Endpoint Protection\*\sysfer.dll* |
| 4 | TargetImage | wildcard | ?:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe, ?:\Program Files\Cisco\AMP\*\sfc.exe, ?:\Program Files (x86)\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe, ?:\Program Files\Adobe\Acrobat DC\Acrobat\*\AcroCEF.exe |
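As an added example (not code from this page, from Elastic, or from the rule itself), the following Python re-implements the stage's logic over constructed Sysmon Event ID 10 records: the CallTrace must not begin in one of the excluded syscall-hosting modules, the target must not be one of the excluded images, and the tolerated source images keep their exemption only while the target is not lsass.exe. The sample records, their paths, addresses and offsets, and the `_ev` helper are constructed; extending the lsass carve-out to WowClassic.exe is an assumption taken from the exclusion table rather than from the query text.

```python
from fnmatch import fnmatchcase

# Wildcard exclusions from the catalog page. EQL's ':' comparison is
# case-insensitive; '?' matches one character (the drive letter) and '*' any
# run of characters, which is also how fnmatch reads them.
CALLTRACE_EXCLUSIONS = (
    r"?:\WINDOWS\SYSTEM32\ntdll.dll*",
    r"?:\WINDOWS\SysWOW64\ntdll.dll*",
    r"?:\WINDOWS\System32\sysfer.dll*",
    r"?:\Windows\System32\wow64cpu.dll*",
    r"?:\WINDOWS\System32\wow64win.dll*",
    r"?:\Windows\System32\win32u.dll*",
    r"?:\ProgramData\Symantec\Symantec Endpoint Protection\*\sysfer.dll*",
)
TARGET_EXCLUSIONS = (
    r"?:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe",
    r"?:\Program Files\Cisco\AMP\*\sfc.exe",
    r"?:\Program Files (x86)\Microsoft\EdgeWebView\Application\*\msedgewebview2.exe",
    r"?:\Program Files\Adobe\Acrobat DC\Acrobat\*\AcroCEF.exe",
)
# Source images the rule tolerates unless the target is lsass.exe (the page's
# "not (not TargetImage:lsass.exe and Image:Acrobat.exe)" clause). Giving
# WowClassic.exe the same carve-out is an assumption taken from the table.
SOURCE_EXCLUSIONS = (
    r"?:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    r"?:\Program Files (x86)\World of Warcraft\_classic_\WowClassic.exe",
)
LSASS = r"?:\WINDOWS\system32\lsass.exe"


def glob_match(value, pattern):
    """Case-insensitive, EQL-style wildcard comparison of a whole string."""
    return fnmatchcase(value.lower(), pattern.lower())


def top_frame(call_trace):
    """First frame of a Sysmon CallTrace ('|'-separated, innermost first).
    A call that reached the kernel through ntdll.dll shows ntdll.dll here;
    a direct syscall stub shows 'UNKNOWN(<address>)' instead."""
    return call_trace.split("|", 1)[0]


def matches_rule(event):
    """Apply the rule to one ProcessAccess (Sysmon Event ID 10) record."""
    trace = event.get("CallTrace", "")
    if event.get("EventID") != 10 or not trace:
        return False
    # Stack that starts in a known syscall-hosting module: normal API use.
    if any(glob_match(trace, p) for p in CALLTRACE_EXCLUSIONS):
        return False
    # Targets that legitimate security/embedding software is known to probe.
    if any(glob_match(event["TargetImage"], p) for p in TARGET_EXCLUSIONS):
        return False
    # Tolerated sources lose their exemption as soon as they reach for lsass.
    tolerated = any(glob_match(event["SourceImage"], p) for p in SOURCE_EXCLUSIONS)
    if tolerated and not glob_match(event["TargetImage"], LSASS):
        return False
    return True


def find_alerts(events):
    """Return (RecordId, SourceImage, TargetImage, top frame) per matching event."""
    return [(e["RecordId"], e["SourceImage"], e["TargetImage"], top_frame(e["CallTrace"]))
            for e in events if matches_rule(e)]


def _ev(record_id, source, target, call_trace):
    # Constructed helper: builds a minimal Sysmon Event ID 10 record.
    return {"EventID": 10, "RecordId": record_id, "SourceImage": source,
            "TargetImage": target, "GrantedAccess": "0x1010", "CallTrace": call_trace}


# Constructed sample records; paths, addresses and offsets are made up.
SAMPLE_EVENTS = [
    # 1: unsigned binary reaching lsass with a stack that starts outside any module
    _ev(1, r"C:\Users\alice\AppData\Local\Temp\updater.exe", r"C:\Windows\system32\lsass.exe",
        r"UNKNOWN(000001C3A2B40000)|C:\Users\alice\AppData\Local\Temp\updater.exe+1a2c|"
        r"C:\Windows\System32\KERNEL32.DLL+17034|C:\Windows\SYSTEM32\ntdll.dll+526a1"),
    # 2: ordinary access that entered the kernel through ntdll.dll
    _ev(2, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\lsass.exe",
        r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2b1e4|"
        r"C:\Windows\System32\svchost.exe+3a1f"),
    # 3: tolerated source touching a non-lsass target
    _ev(3, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"UNKNOWN(00007FF6A1B20000)|C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe+4c210"),
    # 4: the same tolerated source, but now the target is lsass
    _ev(4, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", r"C:\Windows\system32\lsass.exe",
        r"UNKNOWN(00007FF6A1B20000)|C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe+4c210"),
    # 5: excluded target image
    _ev(5, r"C:\Windows\explorer.exe", r"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe",
        r"UNKNOWN(00000201FF300000)|C:\Windows\explorer.exe+8b1d0"),
    # 6: Symantec hooking DLL at the top of the stack (versioned path, '*' exclusion)
    _ev(6, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\system32\lsass.exe",
        r"C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.0\sysfer.dll+1f2e|"
        r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Run it directly to print the matching records (1 and 4). The first CallTrace frame is what separates a direct syscall (an UNKNOWN region) from a call that entered the kernel through ntdll.dll; fnmatch is used only because its `?` and `*` semantics are close enough to the rule's wildcard syntax for whole-string comparison, so a pattern such as the Symantec one with `*` in the middle of the path still behaves as on the page.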
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| winlog.event_data.TargetImage | wildcard | |