Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Direct Syscall of NtOpenProcess

Detects potential calls to NtOpenProcess directly from NTDLL.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Christian Burkard (Nextron Systems), Tim SheltonCreated Wed Jul 28Updated Wed Dec 133f3f3506-1895-401b-9cc3-e86b16e630d0windows
Log Source
WindowsProcess Access
ProductWindows← raw: windows
CategoryProcess Access← raw: process_access

Events when a process opens a handle to another process, commonly used for credential dumping via LSASS.

Detection Logic
Detection Logic13 selectors
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    filter_main_vcredist:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    filter_main_generic:
        # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
        TargetImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    filter_main_kerneltrace_edge:
        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    filter_optional_vmware:
        TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    filter_optional_cylance:
        SourceImage|endswith: ':\Windows\Explorer.EXE'
        TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
    filter_optional_amazon:
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
    filter_optional_vscode: # VsCode
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_teams: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_discord: # Discord
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    filter_optional_yammer:
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    filter_optional_evernote:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    filter_optional_adobe_acrobat:
        SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        SourceImage|endswith: '\AcroCEF.exe'
        TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        TargetImage|endswith: '\AcroCEF.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
medium.com
MITRE ATT&CK
Rule Metadata
Rule ID
3f3f3506-1895-401b-9cc3-e86b16e630d0
Status
test
Level
medium
Type
Detection
Created
Wed Jul 28
Modified
Wed Dec 13
Author
Christian Burkard (Nextron Systems), Tim Shelton
Path
rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
Raw Tags
attack.executionattack.t1106
View on GitHub