Suspicious module load using direct syscall

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Native API (T1106)
Severity	Low

Description

A module was loaded to a process using a direct syscall.

Attacker's Goals

An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.

Investigative actions

Investigate the direct syscall mapped image to verify if it is malicious.
Investigate the loaded module to verify if it is malicious.

Variations

A module was loaded to an unsigned process by using a direct syscall

Synopsis

ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Native API (T1106)
Severity	Medium

Description

A module was loaded to an unsigned process using a direct syscall.

Attacker's Goals

An attacker might try to use direct syscalls to evade detection and load a malicious module to a legitimate program.

Investigative actions

Investigate the direct syscall mapped image to verify if it is malicious.
Investigate the loaded module to verify if it is malicious.