Potential Direct Syscall of NtOpenProcess

Severity: medium
Author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
Source: upstream

Detects potential calls to NtOpenProcess directly from NTDLL.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1106` Native API

Event coverage

Provider	Event ID	Title
Sysmon	10	ProcessAccess

Stages and Predicates

Stage 1: `selection`

CallTrace|startswith: UNKNOWN

Stage 2: `not 1 of filter_main_*`

or:
or:
SourceImage|contains: ':\Program Files (x86)\'
SourceImage|contains: ':\Program Files\'
SourceImage|contains: ':\Windows\SysWOW64\'
SourceImage|contains: ':\Windows\System32\'
SourceImage|contains: ':\Windows\WinSxS\'
or:
TargetImage|contains: ':\Program Files (x86)\'
TargetImage|contains: ':\Program Files\'
TargetImage|contains: ':\Windows\SysWOW64\'
TargetImage|contains: ':\Windows\System32\'
TargetImage|contains: ':\Windows\WinSxS\'
SourceImage|endswith: vcredist_x64.exe
TargetImage|endswith: vcredist_x64.exe
Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'

Stage 3: `not 1 of filter_optional_*`

or:
GrantedAccess: 0x1000
SourceImage|endswith: '\Yammer.exe'
SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
TargetImage|endswith: '\Yammer.exe'
TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
SourceImage|endswith: ':\Windows\Explorer.EXE'
TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
SourceImage|endswith: AmazonSSMAgentSetup.exe
TargetImage|endswith: AmazonSSMAgentSetup.exe
SourceImage|endswith: '\AcroCEF.exe'
SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
TargetImage|endswith: '\AcroCEF.exe'
TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
SourceImage|endswith: setup64.exe
TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
TargetImage|endswith: '\Discord.exe'
TargetImage|contains: '\AppData\Local\Discord\'
TargetImage|endswith: '\Evernote\Evernote.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CallTrace`	starts_with	`UNKNOWN`
`GrantedAccess`	eq	`0x1000`
`Provider_Name`	eq	`Microsoft-Windows-Kernel-Audit-API-Calls`
`SourceImage`	ends_with	`:\Windows\Explorer.EXE` `AmazonSSMAgentSetup.exe` `\AcroCEF.exe` `\AppData\Local\Microsoft\Teams\current\Teams.exe` corpus 2 (sigma 2) `\AppData\Local\Programs\Microsoft VS Code\Code.exe` corpus 2 (sigma 2) `\Yammer.exe` `setup64.exe` `vcredist_x64.exe`
`SourceImage`	match	`:\Program Files (x86)\` corpus 4 (sigma 4) `:\Program Files\` corpus 6 (sigma 6) `:\Program Files\Adobe\Acrobat DC\Acrobat\` `:\Windows\SysWOW64\` corpus 7 (sigma 7) `:\Windows\System32\` corpus 6 (sigma 6) `:\Windows\WinSxS\` corpus 3 (sigma 3) `\AppData\Local\yammerdesktop\app-`
`TargetImage`	ends_with	`:\Program Files\Cylance\Desktop\CylanceUI.exe` `:\Windows\system32\systeminfo.exe` `AmazonSSMAgentSetup.exe` `\AcroCEF.exe` `\AppData\Local\Microsoft\Teams\current\Teams.exe` `\AppData\Local\Programs\Microsoft VS Code\Code.exe` `\Discord.exe` `\Evernote\Evernote.exe` `\Yammer.exe` `vcredist_x64.exe`
`TargetImage`	match	`:\Program Files (x86)\` `:\Program Files\` `:\Program Files\Adobe\Acrobat DC\Acrobat\` `:\Windows\SysWOW64\` `:\Windows\System32\` `:\Windows\WinSxS\` `\AppData\Local\Discord\` `\AppData\Local\yammerdesktop\app-`