Unusual or suspicious processes loading critical native API DLLs (e.g., ntdll.dll, kernel32.dll) followed by direct syscall behavior, memory manipulation, or hollowing.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| DllName | May tune DLL filters to focus on low-level API providers (e.g., ntdll.dll) |
| Image | Tune for expected parent processes (e.g., explorer.exe, winlogon.exe) |
| TargetProcess | Scope to suspicious targets like LSASS, csrss, etc. |
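The Windows analytic above pairs a Sysmon EventCode=7 load of a low-level API DLL by a non-expected image with a later EventCode=10 access to a sensitive target from the same process. The following is an added example of that correlation, not part of the original page: the tuning sets, the 30-second window and the `k=v|k=v` event lines are all constructed assumptions, and the input is assumed to be time-ordered.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Tuning sets (assumed values; adjust per environment, see the Field table above).
LOW_LEVEL_DLLS = {"ntdll.dll", "kernel32.dll"}
EXPECTED_IMAGES = {"explorer.exe", "winlogon.exe", "svchost.exe"}
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe"}
WINDOW = timedelta(seconds=30)  # max gap between the DLL load and the process access

# Constructed sample events using Sysmon field names; not real Sysmon output.
SAMPLE_EVENTS = [
    r"UtcTime=2024-05-01 10:00:00.000|EventCode=7|ProcessGuid={A}|Image=C:\Windows\explorer.exe|ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"UtcTime=2024-05-01 10:00:01.000|EventCode=7|ProcessGuid={B}|Image=C:\Users\u\AppData\Local\Temp\upd.exe|ImageLoaded=C:\Windows\System32\ntdll.dll",
    r"UtcTime=2024-05-01 10:00:05.000|EventCode=10|SourceProcessGUID={B}|SourceImage=C:\Users\u\AppData\Local\Temp\upd.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"UtcTime=2024-05-01 10:00:06.000|EventCode=10|SourceProcessGUID={A}|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"UtcTime=2024-05-01 10:10:00.000|EventCode=10|SourceProcessGUID={C}|SourceImage=C:\tools\x.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(line: str) -> Dict[str, str]:
    """Parse one constructed 'k=v|k=v' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def correlate(lines: List[str]) -> List[str]:
    """Return one alert per process that loads a low-level API DLL from a
    non-expected image and then accesses a sensitive target within WINDOW."""
    loads: Dict[str, datetime] = {}  # ProcessGuid -> time of the qualifying DLL load
    alerts: List[str] = []
    for ev in map(parse, lines):
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if ev["EventCode"] == "7":
            # Nearly every process loads ntdll.dll, so only the non-expected images are kept.
            if basename(ev["ImageLoaded"]) in LOW_LEVEL_DLLS and basename(ev["Image"]) not in EXPECTED_IMAGES:
                loads[ev["ProcessGuid"]] = ts
        elif ev["EventCode"] == "10":
            loaded_at = loads.get(ev["SourceProcessGUID"])
            if loaded_at is None or basename(ev["TargetImage"]) not in SENSITIVE_TARGETS:
                continue
            if timedelta(0) <= ts - loaded_at <= WINDOW:
                alerts.append(f"{ev['SourceImage']} -> {ev['TargetImage']} (GrantedAccess={ev['GrantedAccess']}) "
                              f"{(ts - loaded_at).total_seconds():.0f}s after loading a low-level API DLL")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample only the Temp-directory process triggers: explorer.exe is in the expected set, and the third accessing process never had a recorded load.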
Userland processes invoking syscall-heavy libraries (libc, glibc) followed by fork, mmap, or ptrace behavior commonly associated with code injection or memory manipulation.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | auditd:SYSCALL | execve, fork, mmap, ptrace |
| Module Load (DC0016) | auditd:SYSCALL | module load or memory map path |

| Field | Description |
|---|---|
| SyscallType | Filter for fork, mmap, ptrace based on context |
| ProcessName | Whitelist known daemon and scheduled task patterns |
| MAPS Path | Tune suspicious memory map regions (e.g., /tmp/.evilshmem) |
Execution of processes that link to CoreServices or Foundation APIs followed by creation of memory regions, code execution, or abnormal library injection.

| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | macos:unifiedlog | launch and dylib load |
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |

| Field | Description |
|---|---|
| API Framework Name | Filter on CoreServices, Cocoa, Foundation framework usage |
| Execution Context | Tune to exclude known developer tools or test environments |