-
Notifications
You must be signed in to change notification settings - Fork 121
/
defense_evasion_virtualprotect_call_via_nttestalert.toml
47 lines (40 loc) · 1.44 KB
/
defense_evasion_virtualprotect_call_via_nttestalert.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
[rule]
description = """
Detects calls to the VirtualProtect Windows API to change memory permissions and the call is originating from a thread
pointing to the API NtTestAlert. This may indicate that this call is coming from a pending APC or a sleeping thread.
"""
id = "9906a386-771f-4003-b426-fbe75bdd6e73"
license = "Elastic License v2"
name = "VirtualProtect Call via NtTestAlert"
os_list = ["windows"]
version = "1.0.3"
query = '''
api where
process.Ext.api.name : "VirtualProtect" and
process.thread.Ext.call_stack_summary : "ntdll.dll*" and
_arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : ("*NtTestAlert*", "*ZwTestAlert*")) and
_arraysearch(process.thread.Ext.call_stack, $entry, $entry.symbol_info : "*ProtectVirtualMemory*") and
process.thread.Ext.call_stack_summary : ("ntdll.dll", "ntdll.dll|kernelbase.dll|ntdll.dll|Unknown", "ntdll.dll|Unbacked", "ntdll.dll|Unknown")
'''
min_endpoint_version = "8.8.0"
optional_actions = []
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[internal]
min_endpoint_version = "8.8.0"