Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1106 Native API |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 10 | ProcessAccess |
Rule body

```yaml
title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    filter_main_vcredist:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    filter_main_generic:
        # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
        TargetImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    filter_main_kerneltrace_edge:
        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    filter_optional_vmware:
        TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    filter_optional_cylance:
        SourceImage|endswith: ':\Windows\Explorer.EXE'
        TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
    filter_optional_amazon:
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
    filter_optional_vscode: # VsCode
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_teams: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_discord: # Discord
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    filter_optional_yammer:
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    filter_optional_evernote:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    filter_optional_adobe_acrobat:
        SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        SourceImage|endswith: '\AcroCEF.exe'
        TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        TargetImage|endswith: '\AcroCEF.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
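As an added example (not code from the SigmaHQ rule or this page), the following Python evaluates the rule's condition over constructed Sysmon Event ID 10 (ProcessAccess) records, applying Sigma's semantics: case-insensitive string modifiers, keys of one selection map ANDed, list values for one key ORed. Only a subset of the filters is transcribed, and the sample image paths, call traces and GrantedAccess values are constructed assumptions.

```python
# Added example (not part of the SigmaHQ rule or this catalog page): a minimal
# evaluator for the rule's condition over constructed Sysmon Event ID 10 records.
# Sigma string modifiers are case-insensitive; map keys are ANDed, list values ORed.
SYSTEM_DIRS = [':\\Program Files (x86)\\', ':\\Program Files\\', ':\\Windows\\System32\\',
               ':\\Windows\\SysWOW64\\', ':\\Windows\\WinSxS\\']

SELECTION = {'CallTrace|startswith': 'UNKNOWN'}  # innermost frame is not backed by a module

# Subset of the rule's filters, transcribed as 'field|modifier' -> value(s)
FILTERS_MAIN = {
    'vcredist': {'TargetImage|endswith': 'vcredist_x64.exe', 'SourceImage|endswith': 'vcredist_x64.exe'},
    'generic': {'SourceImage|contains': SYSTEM_DIRS, 'TargetImage|contains': SYSTEM_DIRS},
    'kerneltrace_edge': {'Provider_Name': 'Microsoft-Windows-Kernel-Audit-API-Calls'},
}
FILTERS_OPTIONAL = {
    'discord': {'TargetImage|contains': '\\AppData\\Local\\Discord\\', 'TargetImage|endswith': '\\Discord.exe'},
}

def _match_one(spec, needle, event):
    field, _, modifier = spec.partition('|')
    value, needle = str(event.get(field, '')).lower(), str(needle).lower()
    if modifier == 'startswith':
        return value.startswith(needle)
    if modifier == 'endswith':
        return value.endswith(needle)
    if modifier == 'contains':
        return needle in value
    return value == needle  # no modifier: plain (case-insensitive) equality

def matches_map(selection, event):
    return all(any(_match_one(spec, n, event) for n in (v if isinstance(v, list) else [v]))
               for spec, v in selection.items())

def rule_fires(event):
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return (matches_map(SELECTION, event)
            and not any(matches_map(f, event) for f in FILTERS_MAIN.values())
            and not any(matches_map(f, event) for f in FILTERS_OPTIONAL.values()))

TRACE = 'UNKNOWN(00007FF6A1B20000)|C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4'  # constructed
EVENTS = [  # constructed samples, not real telemetry
    {'SourceImage': 'C:\\Users\\alice\\Downloads\\updater.exe',  # user-writable path -> fires
     'TargetImage': 'C:\\Windows\\System32\\lsass.exe', 'CallTrace': TRACE, 'GrantedAccess': '0x1010'},
    {'SourceImage': 'C:\\Windows\\System32\\systeminfo.exe',  # both under System32 -> filter_main_generic
     'TargetImage': 'C:\\Windows\\System32\\svchost.exe', 'CallTrace': TRACE, 'GrantedAccess': '0x1000'},
    {'SourceImage': 'C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0\\Discord.exe',  # filter_optional_discord
     'TargetImage': 'C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0\\Discord.exe', 'CallTrace': TRACE},
    {'SourceImage': 'C:\\Users\\alice\\Downloads\\updater.exe', 'TargetImage': 'C:\\Windows\\System32\\lsass.exe',
     'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4|C:\\Windows\\System32\\KERNELBASE.dll+2f0e1'},  # module-backed
]

def alerts(events=EVENTS):
    return [e['SourceImage'] for e in events if rule_fires(e)]
```

Note that `filter_main_generic` only suppresses an event when both SourceImage and TargetImage sit under a trusted directory, so an unbacked call from a user-writable path into a System32 process still alerts.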
Stages and Predicates

Stage 0: condition

```
selection and not 1 of filter_main_* and not 1 of filter_optional_*
```

Stage 1: selection

```yaml
selection:
    CallTrace|startswith: 'UNKNOWN'
```

Stage 2: not filter_main_*

```yaml
filter_main_vcredist:
    TargetImage|endswith: 'vcredist_x64.exe'
    SourceImage|endswith: 'vcredist_x64.exe'
filter_main_generic:
    SourceImage|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\System32\'
        - ':\Windows\SysWOW64\'
        - ':\Windows\WinSxS\'
    TargetImage|contains:
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\System32\'
        - ':\Windows\SysWOW64\'
        - ':\Windows\WinSxS\'
filter_main_kerneltrace_edge:
    Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
```

Stage 3: not filter_optional_*

```yaml
filter_optional_vmware:
    TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
    SourceImage|endswith: 'setup64.exe'
filter_optional_cylance:
    SourceImage|endswith: ':\Windows\Explorer.EXE'
    TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
filter_optional_amazon:
    SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
    TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
filter_optional_vscode:
    SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_optional_teams:
    TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
filter_optional_discord:
    TargetImage|contains: '\AppData\Local\Discord\'
    TargetImage|endswith: '\Discord.exe'
filter_optional_yammer:
    SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
    SourceImage|endswith: '\Yammer.exe'
    TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
    TargetImage|endswith: '\Yammer.exe'
    GrantedAccess: '0x1000'
filter_optional_evernote:
    TargetImage|endswith: '\Evernote\Evernote.exe'
filter_optional_adobe_acrobat:
    SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
    SourceImage|endswith: '\AcroCEF.exe'
    TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
    TargetImage|endswith: '\AcroCEF.exe'
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| SourceImage | match | :\Program Files (x86)\ |
| SourceImage | match | :\Program Files\ |
| SourceImage | match | :\Windows\SysWOW64\ |
| SourceImage | match | :\Windows\System32\ |
| SourceImage | match | :\Windows\WinSxS\ |
| TargetImage | match | :\Program Files (x86)\ |
| TargetImage | match | :\Program Files\ |
| TargetImage | match | :\Windows\SysWOW64\ |
| TargetImage | match | :\Windows\System32\ |
| TargetImage | match | :\Windows\WinSxS\ |
| SourceImage | ends_with | vcredist_x64.exe |
| TargetImage | ends_with | vcredist_x64.exe |
| Provider_Name | eq | Microsoft-Windows-Kernel-Audit-API-Calls |
| GrantedAccess | eq | 0x1000 |
| SourceImage | ends_with | \Yammer.exe |
| SourceImage | match | \AppData\Local\yammerdesktop\app- |
| TargetImage | ends_with | \Yammer.exe |
| TargetImage | match | \AppData\Local\yammerdesktop\app- |
| SourceImage | ends_with | :\Windows\Explorer.EXE |
| TargetImage | ends_with | :\Program Files\Cylance\Desktop\CylanceUI.exe |
| SourceImage | ends_with | AmazonSSMAgentSetup.exe |
| TargetImage | ends_with | AmazonSSMAgentSetup.exe |
| SourceImage | ends_with | \AcroCEF.exe |
| SourceImage | match | :\Program Files\Adobe\Acrobat DC\Acrobat\ |
| TargetImage | ends_with | \AcroCEF.exe |
| TargetImage | match | :\Program Files\Adobe\Acrobat DC\Acrobat\ |
| SourceImage | ends_with | \AppData\Local\Microsoft\Teams\current\Teams.exe |
| TargetImage | ends_with | \AppData\Local\Microsoft\Teams\current\Teams.exe |
| SourceImage | ends_with | \AppData\Local\Programs\Microsoft VS Code\Code.exe |
| TargetImage | ends_with | \AppData\Local\Programs\Microsoft VS Code\Code.exe |
| SourceImage | ends_with | setup64.exe |
| TargetImage | ends_with | :\Windows\system32\systeminfo.exe |
| TargetImage | ends_with | \Discord.exe |
| TargetImage | match | \AppData\Local\Discord\ |
| TargetImage | ends_with | \Evernote\Evernote.exe |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CallTrace | starts_with | UNKNOWN |