Detection of unpacking behavior through abnormal memory allocation, followed by injection of executable code and execution from non-image (unbacked) memory sections.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| ParentProcessName | Scopes the analytic to suspicious parent-child process relationships typical of loaders or droppers. |
| AllocationSizeThreshold | Threshold for flagging unusually large virtual memory allocations that may hold an unpacked payload. |
Correlates ELF file execution with high-entropy writable memory segments and self-modifying code patterns (memory regions changed to writable and executable after execution).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Process Modification (DC0020) | auditd:SYSCALL | mprotect |

| Field | Description |
|---|---|
| EntropyThreshold | Threshold for flagging unpacked sections whose high entropy indicates compressed or encrypted content. |
| TimeWindow | Maximum interval between the file execution and the memory modification for the two events to be correlated. |
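The Linux analytic above worked through as an added example (not from the ATT&CK page or any vendor tool): it parses constructed auditd SYSCALL records, correlates each mprotect that turns a region writable and executable with the same pid's preceding execve inside TimeWindow, and provides the Shannon entropy measure behind EntropyThreshold. The record layout, the x86_64 syscall numbers and all sample values are assumptions.

```python
import math
import re
from collections import Counter

# Constructed auditd-style SYSCALL records (not real captures). x86_64 syscall
# numbers: 59 = execve, 10 = mprotect; a1 is the length and a2 the prot argument.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:41): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="svc" exe="/tmp/svc"
type=SYSCALL msg=audit(1700000000.900:42): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000000000 a1=200000 a2=7 pid=4242 comm="svc" exe="/tmp/svc"
type=SYSCALL msg=audit(1700000001.000:43): arch=c000003e syscall=59 success=yes exit=0 pid=5100 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000001.500:44): arch=c000003e syscall=10 success=yes exit=0 a0=7f1000000000 a1=1000 a2=1 pid=5100 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000090.000:45): arch=c000003e syscall=10 success=yes exit=0 a0=7f2000000000 a1=1000 a2=5 pid=4242 comm="svc" exe="/tmp/svc"
"""

EXECVE, MPROTECT = 59, 10
PROT_WRITE, PROT_EXEC = 0x2, 0x4
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Flatten one audit record into a dict; the timestamp comes from msg=audit(ts:serial)."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = float(re.search(r"audit\(([\d.]+):", line).group(1))
    return rec

def correlate(audit_text, time_window=30.0):
    """Flag mprotect calls that make a region writable AND executable (self-modifying
    code) within time_window seconds of the same pid's execve. Returns
    (pid, exe, seconds since execve, region length) per hit."""
    last_exec, hits = {}, []
    for line in audit_text.splitlines():
        rec = parse(line)
        pid, call = rec["pid"], int(rec["syscall"])
        if call == EXECVE:
            last_exec[pid] = rec
        elif call == MPROTECT and pid in last_exec:
            prot = int(rec["a2"], 16)
            delay = rec["ts"] - last_exec[pid]["ts"]
            if prot & PROT_WRITE and prot & PROT_EXEC and delay <= time_window:
                hits.append((pid, rec["exe"], delay, int(rec["a1"], 16)))
    return hits

def shannon_entropy(data):
    """Bits per byte of a memory segment: packed or encrypted content approaches 8.0,
    plain machine code sits well below. Compare the result against EntropyThreshold."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
```

In a real pipeline the segment bytes fed to shannon_entropy would be read from the flagged process's memory (for example via /proc/<pid>/mem) at the moment the mprotect hit fires.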
Detection of packed Mach-O binaries unpacking into memory and transferring control to dynamically modified code segments.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process::exec |
| Process Modification (DC0020) | macos:endpointsecurity | ES_EVENT_MMAP |

| Field | Description |
|---|---|
| SignedBinaryContext | Distinguishes signed from unsigned packed binaries, since packing is common in legitimate signed software but far more suspicious when unsigned. |
| UserContext | Scopes the analytic to specific users or service accounts targeted in attacks. |