AMP — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/amp/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 15:00:00 +0000Suspicious Process Access via Direct System Callhttps://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-direct-syscall-process-access/Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.This detection identifies suspicious process access events on Windows systems where a process attempts to access another process’s memory via direct system calls, bypassing standard Windows API calls. Endpoint security solutions often hook userland Windows APIs to detect malicious code execution. Attackers can evade these hooks by directly invoking syscalls, which are lower-level instructions that interact directly with the operating system kernel. The rule specifically looks for process access events (Sysmon Event ID 10) where the call trace does not originate from known Windows system DLLs like ntdll.dll, indicating a potential attempt to bypass security measures. The rule excludes certain legitimate applications, such as Malwarebytes Anti-Exploit, Cisco AMP, Microsoft EdgeWebView, and Adobe Acrobat DC, to reduce false positives. This technique is often employed by advanced malware and red teams to evade detection.

Attack Chain

  1. A malicious process is executed on the system, either through user interaction or exploitation of a vulnerability.
  2. The process attempts to gain access to another process’s memory space (Target Process).
  3. Instead of using standard Windows API calls, the malicious process directly invokes system calls (syscalls) to access the target process’s memory.
  4. The CallTrace in the Sysmon event does not originate from expected system DLLs like ntdll.dll, sysfer.dll, wow64cpu.dll, wow64win.dll, or win32u.dll, indicating a direct syscall.
  5. The process might attempt to read sensitive information such as credentials, inject malicious code, or manipulate the target process’s behavior.
  6. The malicious process performs actions within the context of the target process, such as executing injected code or accessing sensitive data.
  7. The attacker leverages the compromised process to achieve their objectives, such as data exfiltration, lateral movement, or privilege escalation.
  8. The attacker cleans up any traces of their activity and attempts to maintain persistence on the compromised system.

Impact

Successful exploitation can lead to the compromise of sensitive data, the injection of malicious code into legitimate processes, and the complete takeover of the affected system. This can result in data breaches, financial loss, and reputational damage. The impact is especially significant if the target process holds sensitive credentials, browser secrets, or has security-product context.

Recommendation

  • Enable Sysmon process access logging (Event ID 10) with call tracing and ingest the logs into your SIEM to activate the rules above (https://ela.st/sysmon-event-10-setup).
  • Deploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect direct syscall process access.
  • Investigate any alerts generated by these rules, focusing on the SourceImage, TargetImage, GrantedAccess, and CallTrace fields in the Sysmon event to determine the legitimacy of the process access attempt.
  • Prioritize investigation of alerts where the target process is lsass.exe or other security-sensitive processes.
  • Implement robust endpoint detection and response (EDR) solutions to detect and prevent malicious activity on endpoints.
  • Monitor for suspicious process creation events originating from the flagged processes.
]]>highadvisorydefense-evasionexecutionwindows