Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It’s possible to bypass hooked functions by writing malicious functions that call syscalls directly.
Rule type: eql
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
- Threat Detection
- Defense Evasion
Rule license: Elastic License v2
## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
process where event.code == "10" and length(winlog.event_data.CallTrace) > 0 and /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*")
Framework: MITRE ATT&CKTM