From 6cd0642a9e6dfd74589e4e53f9c9ab7654f013a5 Mon Sep 17 00:00:00 2001
From: John Uhlmann
Date: Fri, 3 May 2024 12:17:35 +0800
Subject: [PATCH] add truncated_stack to api.behaviors documentation

---
 custom_schemas/custom_api.yml | 3 ++-
 .../data_stream/api/fields/fields.yml | 2 +-
 schemas/v1/api/api.yaml | 21 ++++++++++---------
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/custom_schemas/custom_api.yml b/custom_schemas/custom_api.yml
index b191551b6..2bcbb7d8f 100644
--- a/custom_schemas/custom_api.yml
+++ b/custom_schemas/custom_api.yml
@@ -45,9 +45,10 @@
 "image_rop" - no call instruction preceded an entry in the call stack
 "image_rwx" - an entry in the callstack is writable
 "unbacked_rwx" - an entry in the callstack is non-image and writable
+ "truncated_stack" - call stack is unexpected truncated due to malicious tampering or system load
 "allocate_shellcode" - a region of non-image executable memory allocated more executable memory
 "execute_fluctuation" - the PAGE_EXECUTE protection is unexpectedly fluctuating
- 'write_fluctuation" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating
+ "write_fluctuation" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating
 "hook_api" - a change to the memory protection of a small executable image memory region was made
 "hollow_image" - a change to the memory protection of a large executable image memory region was made
 "hook_unbacked" - a change to the memory protection of a small executable non-image memory was made
diff --git a/package/endpoint/data_stream/api/fields/fields.yml b/package/endpoint/data_stream/api/fields/fields.yml
index 667ed08f8..3066aa169 100644
--- a/package/endpoint/data_stream/api/fields/fields.yml
+++ b/package/endpoint/data_stream/api/fields/fields.yml
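Review bot: The added `"truncated_stack"` line reads "call stack is unexpected truncated", which should be "unexpectedly truncated"; I would write it as `"truncated_stack" - the call stack was unexpectedly truncated, whether by tampering or under system load`. The identical wording is repeated in the fields.yml and api.yaml hunks below, so all three copies need the same correction or the derived files will drift from custom_api.yml. Because the description itself names a benign cause (system load), saying explicitly that this behavior can fire without any tampering would help detection-rule authors avoid treating it as an indicator on its own — that is my reading of the text, not something the schema states. The fields.yml and api.yaml hunks also still carry `'hollow_unbacked\"` with a stray single quote, the same quoting slip this commit fixes for `write_fluctuation`; the corresponding line in custom_api.yml lies just past this hunk, so it is presumably affected too.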
@@ -1159,7 +1159,7 @@
 level: custom
 type: keyword
 ignore_above: 1024
- description: "A list of observed behaviors.\n \"cross-process\" - the observed activity was between two processes\n \"parent-child\" - the observed activity was between a parent process and its child\n \"native_api\" - a call was made directly to the Native API rather than the Win32 API\n \"direct_syscall\" - a syscall instruction originated outside of the Native API layer\n \"proxy_call\" - the call stack may indicate of a proxied API call to mask the true source\n \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n \"image_indirect_call\" - an entry in the callstack was preceded by a call to a dynamically resolved function\n \"image_rop\" - no call instruction preceded an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"allocate_shellcode\" - a region of non-image executable memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is unexpectedly fluctuating\n 'write_fluctuation\" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change to the memory protection of a small executable image memory region was made\n \"hollow_image\" - a change to the memory protection of a large executable image memory region was made\n \"hook_unbacked\" - a change to the memory protection of a small executable non-image memory was made\n 'hollow_unbacked\" - a change to the memory protection of a large executable non-image memory was made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n \"execute_shellcode\" - a region of non-image executable memory was unexpectedly transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was set\n \"rapid_background_polling\" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed\n \"multiple_polling_processes\" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed"
+ description: "A list of observed behaviors.\n \"cross-process\" - the observed activity was between two processes\n \"parent-child\" - the observed activity was between a parent process and its child\n \"native_api\" - a call was made directly to the Native API rather than the Win32 API\n \"direct_syscall\" - a syscall instruction originated outside of the Native API layer\n \"proxy_call\" - the call stack may indicate of a proxied API call to mask the true source\n \"sensitive_api\" - executable non-image memory is unexpectedly calling a sensitive API\n \"shellcode\" - suspicious executable non-image memory is calling a sensitive API\n \"image_hooked\" - an entry in the callstack appears to have been hooked\n \"image_indirect_call\" - an entry in the callstack was preceded by a call to a dynamically resolved function\n \"image_rop\" - no call instruction preceded an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"truncated_stack\" - call stack is unexpected truncated due to malicious tampering or system load\n \"allocate_shellcode\" - a region of non-image executable memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is unexpectedly fluctuating\n \"write_fluctuation\" - the PAGE_WRITE protection of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change to the memory protection of a small executable image memory region was made\n \"hollow_image\" - a change to the memory protection of a large executable image memory region was made\n \"hook_unbacked\" - a change to the memory protection of a small executable non-image memory was made\n 'hollow_unbacked\" - a change to the memory protection of a large executable non-image memory was made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n \"execute_shellcode\" - a region of non-image executable memory was unexpectedly transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was set\n \"rapid_background_polling\" - a suspicious process which does rapid input polling via GetAsyncKeyState API was observed\n \"multiple_polling_processes\" - multiple suspicious processes which do rapid input polling via the GetAsyncKeyState API were observed"
 example:
 - cross-process
 - rapid_background_polling
diff --git a/schemas/v1/api/api.yaml b/schemas/v1/api/api.yaml
index ee76382c5..d990f0f03 100644
--- a/schemas/v1/api/api.yaml
+++ b/schemas/v1/api/api.yaml
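Review bot: The whole `description` here is one double-quoted scalar of roughly two thousand characters with `\n` and `\"` escapes, so adding a single behavior entry replaces the entire line and a defect such as the surviving `'hollow_unbacked\"` is easy to overlook in review. If this file is maintained by hand rather than regenerated from custom_api.yml (I cannot tell from this hunk), a `|-` block scalar with one behavior per line would make each future addition a one-line diff and remove the need to escape the inner quotes. The new `"truncated_stack"` entry repeats the wording problem noted on the custom_api.yml hunk.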
@@ -2364,16 +2364,17 @@ process.Ext.api.behaviors:
 \ to a dynamically resolved function\n \"image_rop\" - no call instruction preceded\
 \ an entry in the call stack\n \"image_rwx\" - an entry in the callstack is writable\n\
 \ \"unbacked_rwx\" - an entry in the callstack is non-image and writable\n \"\
- allocate_shellcode\" - a region of non-image executable memory allocated more\
- \ executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE protection is\
- \ unexpectedly fluctuating\n 'write_fluctuation\" - the PAGE_WRITE protection\
- \ of executable memory is unexpectedly fluctuating\n \"hook_api\" - a change\
- \ to the memory protection of a small executable image memory region was made\n\
- \ \"hollow_image\" - a change to the memory protection of a large executable\
- \ image memory region was made\n \"hook_unbacked\" - a change to the memory protection\
- \ of a small executable non-image memory was made\n 'hollow_unbacked\" - a change\
- \ to the memory protection of a large executable non-image memory was made\n \
- \ \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n\
+ truncated_stack\" - call stack is unexpected truncated due to malicious tampering\
+ \ or system load\n \"allocate_shellcode\" - a region of non-image executable\
+ \ memory allocated more executable memory\n \"execute_fluctuation\" - the PAGE_EXECUTE\
+ \ protection is unexpectedly fluctuating\n \"write_fluctuation\" - the PAGE_WRITE\
+ \ protection of executable memory is unexpectedly fluctuating\n \"hook_api\"\
+ \ - a change to the memory protection of a small executable image memory region\
+ \ was made\n \"hollow_image\" - a change to the memory protection of a large\
+ \ executable image memory region was made\n \"hook_unbacked\" - a change to the\
+ \ memory protection of a small executable non-image memory was made\n 'hollow_unbacked\"\
+ \ - a change to the memory protection of a large executable non-image memory was\
+ \ made\n \"guarded_code\" - executable memory was unexpectedly marked as PAGE_GUARD\n\
 \ \"hidden_code\" - executable memory was unexpectedly marked as PAGE_NOACCESS\n\
 \ \"execute_shellcode\" - a region of non-image executable memory was unexpectedly\
 \ transferred control\n \"hardware_breakpoint_set\" - a hardware breakpoint was\