{"id":53163,"date":"2025-10-09T12:11:35","date_gmt":"2025-10-09T10:11:35","guid":{"rendered":"https:\/\/www.secuinfra.com\/news\/detecting-suspicious-processes-behavior-based-detection-with-elastic\/"},"modified":"2025-10-09T16:11:51","modified_gmt":"2025-10-09T14:11:51","slug":"detecting-suspicious-processes-behavior-based-detection-with-elastic","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/detecting-suspicious-processes-behavior-based-detection-with-elastic\/","title":{"rendered":"Detecting suspicious processes: behavior-based detection with Elastic"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Modern EDR or XDR solutions are capable of detecting suspicious behavior. The widely used Elastic solution has integrated this feature with Elastic Defend since 2019 and offers industry-leading transparency. Below we show how security experts work with it. First, some general information:  <\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Endpoint Detection and Response<\/strong><\/p>\n\n<p class=\"wp-block-paragraph\">Endpoint detection and response systems (EDR) are a central component of comprehensive IT security concepts. As a further development of classic antivirus programs, they continuously monitor the behaviour of endpoints and search for signs of potential security breaches or attacks. The function of an EDR system is also included in the even more comprehensive XDR systems (eXtended Detection and Response), which also analyze network traffic in a threat-oriented manner. Managed Detection and Response (MDR) systems have the same functions as EDR and XDR, but offer round-the-clock managed services for monitoring end devices and eliminating and remedying threats.   <\/p>\n\n<p class=\"wp-block-paragraph\"><strong>Transparency through an open source approach<\/strong><\/p>\n\n<p class=\"wp-block-paragraph\">The Elastic Security detection and response solution was expanded into a comprehensive product family with the acquisition of Endgame in 2019. 
One special feature is that Elastic, a provider rooted in the open source movement, published the corresponding detection rules for its EDR solution Elastic Defend on GitHub shortly afterwards. The company had previously published its SIEM detection rules.  <\/p>\n\n<p class=\"wp-block-paragraph\">With the exception of machine learning components, all detection logic for the Windows, Linux and macOS operating systems can be found in the <a  href=\"https:\/\/github.com\/elastic\/protections-artifacts\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >protections-artifacts repo<\/a>. This transparency is rare in the IT security industry and may seem strange at first glance. However, in line with the security concept of open source software, this approach makes a lot of sense as it has many advantages:  <\/p>\n\n<ul class=\"wp-block-list\">\n<li>Better understanding of how the detection works<\/li>\n<li>Identification of gaps in detection rules<\/li>\n<li>Opportunity for collaboration and exchange<\/li>\n<li>Quality assurance through review by many eyes<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Filtering_out_suspicious_processes\"><\/span><strong>Filtering out suspicious processes<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">Within the IT security community, Elastic&#8217;s published detection rules have repeatedly generated positive feedback, most recently regarding the <a  href=\"https:\/\/www.elastic.co\/security-labs\/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >call stack telemetry from Microsoft Windows Threat Intelligence Event Tracing for Windows (Ti-ETW)<\/a>. 
Call stacks are very useful for both detection engineering and threat hunting because they provide a lot of context about a process's activity: simply put, the call stack shows the logical flow of the functions a program imports and calls from the Windows API.  <\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"transparency_and_own_operation\"><\/span><strong>Transparency and self-hosted operation<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">By deciding to publish its detection logic, Elastic is deliberately bucking a negative trend. Apart from OpenEDR, no other EDR provider is prepared to do so. Instead, all other vendors refer at best to abstract metrics such as MITRE ATT&amp;CK coverage, which do not allow any reliable, qualitative classification. This convenient policy can become problematic for customers in the medium term. In the SIEM environment, for example, BaFin has long been demanding transparency from banks and insurance companies regarding the functionality of their use cases. It is not unlikely that the supervisory authority will also demand more transparency for EDR systems in the long term.     <\/p>\n\n<p class=\"wp-block-paragraph\">In addition, Elastic also scores points by not forcing customers into the cloud: it offers freedom of choice in deployment and a high level of data protection, which is extremely relevant for confidentiality and is a particular focus in Germany. After all, it should not be forgotten that US companies are obliged to hand over data stored in their cloud to their own authorities on demand, even if the data is stored in an EU-based data center. 
<\/p>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Detection_logic\"><\/span><strong>Detection logic<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">The detection logic published by Elastic can be divided into the following categories:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><a  href=\"https:\/\/virustotal.github.io\/yara\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >YARA signature-based<\/a> detection for files and memory<\/li>\n<li>Behavior-based detection written as <a  href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/8.12\/eql.html\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >EQL<\/a>, KQL or ES|QL queries<\/li>\n<li><a  href=\"https:\/\/github.com\/elastic\/protections-artifacts\/tree\/main\/ransomware\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Ransomware detection<\/a><\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Behavior-based_detection_in_Elastic_Defend\"><\/span><strong>Behavior-based detection in Elastic Defend<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">Elastic Defend detects and prevents malicious behavior by correlating file operations, network data, memory accesses and system events. 
Examples of this include:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Execution of unknown or suspicious processes<\/li>\n<li>Suspicious file activities<\/li>\n<li>Unusual network activities<\/li>\n<li>Abnormal user behavior patterns<\/li>\n<li>Suspicious system configuration changes<\/li>\n<li>File and folder access changes<\/li>\n<li>Execution of privileged actions by unauthorized users<\/li>\n<\/ul>\n\n<p class=\"wp-block-paragraph\">The following examples show how behavior-based detection is implemented in Elastic Defend:<\/p>\n\n<h3 class=\"wp-block-heading\"><strong>Example 1:<\/strong><\/h3>\n\n<h3 class=\"wp-block-heading\"><a  href=\"https:\/\/attack.mitre.org\/techniques\/T1003\/001\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" ><strong>OS Credential Dumping: LSASS Memory (ID: T1003.001)<\/strong><\/a><\/h3>\n\n<p class=\"wp-block-paragraph\">&#8220;LSASS memory dumping&#8221; involves accessing the working memory of the LSASS process (Local Security Authority Subsystem Service) in order to extract sensitive information such as credentials, passwords or tokens. This information can then be used by the attacker to gain access to privileged accounts or to regain access to the system later. 
<\/p>\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"688\" height=\"668\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/OS-Credential-Dumping-LSASS-Memory.jpg\" alt=\"\" class=\"wp-image-53113\"\/><\/figure>\n\n<p class=\"wp-block-paragraph\">The generated dump file:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"696\" height=\"680\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Das-erzeugte-dump-File.jpg\" alt=\"\" class=\"wp-image-53115\"\/><\/figure>\n\n<p class=\"wp-block-paragraph\">The generated alarm in Elastic Defend:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"692\" height=\"244\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Der-erzeugte-Alarm-in-Elastic-Defend.jpg\" alt=\"\" class=\"wp-image-53117\"\/><\/figure>\n\n<p class=\"wp-block-paragraph\">The corresponding <a  href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/behavior\/rules\/credential_access_lsass_memory_dump_via_minidumpwritedump.toml\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >rule<\/a> from the Elastic Repository:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1248\" height=\"1056\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Regel-aus-der-Elastic-Repository-1.png\" alt=\"\" class=\"wp-image-53119\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Regel-aus-der-Elastic-Repository-1.png 1248w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Regel-aus-der-Elastic-Repository-1-800x677.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Regel-aus-der-Elastic-Repository-1-768x650.png 768w\" sizes=\"(max-width: 1248px) 100vw, 1248px\" \/><\/figure>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1246\" height=\"516\" 
src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.40.37.png\" alt=\"\" class=\"wp-image-53123\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.40.37.png 1246w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.40.37-800x331.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.40.37-768x318.png 768w\" sizes=\"(max-width: 1246px) 100vw, 1246px\" \/><\/figure>\n\n<p class=\"wp-block-paragraph\">In this example, the following behavior is detected:<\/p>\n\n<ol class=\"wp-block-list\">\n<li>A call to the Windows API function <a  href=\"https:\/\/learn.microsoft.com\/de-de\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-openprocess\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >OpenProcess<\/a> or <a  href=\"https:\/\/learn.microsoft.com\/de-de\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-openthread\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >OpenThread<\/a><\/li>\n<li>The target process is lsass.exe<\/li>\n<li>The executing process imports the <a  href=\"https:\/\/learn.microsoft.com\/de-de\/windows\/win32\/api\/minidumpapiset\/nf-minidumpapiset-minidumpwritedump\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >MiniDumpWriteDump<\/a> function from the system libraries dbgcore.dll or comsvcs.dll<\/li>\n<\/ol>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"692\" height=\"248\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/3.-Der-ausfuehrende-Prozess-importiert-die-Funktion-MiniDumpWriteDump-aus-den-System-Bibliotheken-dbgcore.dll-oder-comsvcs.dll_.jpg\" alt=\"\" class=\"wp-image-53125\"\/><\/figure>\n\n<h3 class=\"wp-block-heading\"><strong>Example 2:<\/strong><\/h3>\n\n<p class=\"wp-block-paragraph\"><a  
href=\"https:\/\/attack.mitre.org\/tactics\/TA0005\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Defense Evasion (ID: TA0005)<\/a> <\/p>\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Process Injection (ID: T1055)<\/a><\/p>\n\n<p class=\"wp-block-paragraph\">In this example, we see the execution of meterpreter shellcode in a newly started process (calc.exe). Meterpreter is a component of the <a  href=\"https:\/\/www.metasploit.com\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Metasploit framework<\/a> and, along with Cobalt Strike, one of the most frequently used C2 frameworks<a href=\"#_ftn1\" id=\"_ftnref1\">[1]<\/a>. <\/p>\n\n<p class=\"wp-block-paragraph\">A look at the &#8220;Potential Injection via Asynchronous Procedure Call&#8221; rule:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1220\" height=\"1244\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.17.png\" alt=\"\" class=\"wp-image-53131\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.17.png 1220w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.17-785x800.png 785w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.17-768x783.png 768w\" sizes=\"(max-width: 1220px) 100vw, 1220px\" \/><\/figure>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<p class=\"wp-block-paragraph\">[<a id=\"_ftn1\" href=\"#_ftnref1\">1]<\/a> Sources:<\/p>\n\n<p class=\"wp-block-paragraph\">Meterpreter, a key component of the Metasploit framework, is one of the few highly-prevalent malware families we see impact Windows, Linux, and macOS.<a  href=\"https:\/\/www.elastic.co\/de\/explore\/security-without-limits\/global-threat-report\"  
dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Elastic Global Threat Report 2023<\/a>)<\/p>\n\n<p class=\"wp-block-paragraph\">Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt Strike. (<a  href=\"https:\/\/redcanary.com\/resources\/guides\/threat-detection-report\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Red Canary 2023 Threat Detection Report<\/a>)<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1202\" height=\"180\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.34.png\" alt=\"\" class=\"wp-image-53133\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.34.png 1202w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.34-800x120.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Bildschirmfoto-2024-07-24-um-14.44.34-768x115.png 768w\" sizes=\"(max-width: 1202px) 100vw, 1202px\" \/><\/figure>\n\n<p class=\"wp-block-paragraph\">This rule detects calls to the <a  href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-queueuserapc\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >QueueUserAPC<\/a> function:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"164\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Diese-Regel-erkennt-den-Aufruf-der-Funktion-QueueUserAPC.jpg\" alt=\"\" class=\"wp-image-53135\"\/><\/figure>\n\n<h4 class=\"wp-block-heading\"><a  href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-queueuserapc\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" ><strong>APC Queue<\/strong><\/a><\/h4>\n\n<p class=\"wp-block-paragraph\">If a process (more precisely, one of its threads) is in a waiting or sleeping state, this is referred to as an &#8220;<a  href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/fileio\/alertable-i-o\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >alertable state<\/a>&#8221;. Further instructions can then be queued in the so-called APC queue, and the Windows kernel delivers these queued instructions while the process remains in the &#8220;alertable state&#8221;. The code injection proceeds as follows:   <\/p>\n\n<h5 class=\"wp-block-heading\">1. <strong>Start a new process (calc.exe, suspended)<\/strong><\/h5>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1246\" height=\"312\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Neuen-Prozess-starten-calc.exe-Suspended-1.png\" alt=\"\" class=\"wp-image-53139\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Neuen-Prozess-starten-calc.exe-Suspended-1.png 1246w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Neuen-Prozess-starten-calc.exe-Suspended-1-800x200.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Neuen-Prozess-starten-calc.exe-Suspended-1-768x192.png 768w\" sizes=\"(max-width: 1246px) 100vw, 1246px\" \/><\/figure>\n\n<h5 class=\"wp-block-heading\">2. <strong>Allocate memory in the new process<\/strong><\/h5>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1150\" height=\"350\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicher-im-neuen-Prozess-zuweisen.png\" alt=\"\" class=\"wp-image-53141\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicher-im-neuen-Prozess-zuweisen.png 1150w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicher-im-neuen-Prozess-zuweisen-800x243.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicher-im-neuen-Prozess-zuweisen-768x234.png 768w\" sizes=\"(max-width: 1150px) 100vw, 1150px\" \/><\/figure>\n\n<h5 class=\"wp-block-heading\">3. <strong>Write Meterpreter shellcode into the memory<\/strong><\/h5>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1194\" height=\"288\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Meterpreter-Shellcode-in-den-Speicher-schreiben.png\" alt=\"\" class=\"wp-image-53143\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Meterpreter-Shellcode-in-den-Speicher-schreiben.png 1194w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Meterpreter-Shellcode-in-den-Speicher-schreiben-800x193.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Meterpreter-Shellcode-in-den-Speicher-schreiben-768x185.png 768w\" sizes=\"(max-width: 1194px) 100vw, 1194px\" \/><\/figure>\n\n<h5 class=\"wp-block-heading\">4. 
<strong>Make the memory area executable<\/strong><\/h5>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1250\" height=\"284\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicherbereich-ausfuehrbar-machen.png\" alt=\"\" class=\"wp-image-53145\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicherbereich-ausfuehrbar-machen.png 1250w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicherbereich-ausfuehrbar-machen-800x182.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Speicherbereich-ausfuehrbar-machen-768x174.png 768w\" sizes=\"(max-width: 1250px) 100vw, 1250px\" \/><\/figure>\n\n<h5 class=\"wp-block-heading\">5. <strong>Insert the code into the APC queue and start the process<\/strong><\/h5>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"976\" height=\"162\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Einfuegen-des-Codes-in-die-APC-Queue-und-starten-des-Prozesses.png\" alt=\"\" class=\"wp-image-53147\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Einfuegen-des-Codes-in-die-APC-Queue-und-starten-des-Prozesses.png 976w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Einfuegen-des-Codes-in-die-APC-Queue-und-starten-des-Prozesses-800x133.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Einfuegen-des-Codes-in-die-APC-Queue-und-starten-des-Prozesses-768x127.png 768w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><\/figure>\n\n<h5 class=\"wp-block-heading\">Result<\/h5>\n\n<p class=\"wp-block-paragraph\">The successful code injection via the APC queue leads to a Meterpreter session:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"692\" height=\"228\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/Code-Injection-via-APC-Queue-fuehrt-zu-einer-Meterpreter-Session.png\" alt=\"\" 
class=\"wp-image-53149\"\/><\/figure>\n\n<p class=\"wp-block-paragraph\">Successful detection and alerting in Elastic Defend:<\/p>\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"686\" height=\"276\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/erfolgreiche-Erkennung-und-Alarmierung-in-Elastic-Defend.jpg\" alt=\"\" class=\"wp-image-53151\"\/><\/figure>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\">As these examples show, behavior-based detection with Elastic Defend is a powerful yet easy-to-use tool that reaches down to the level of individual function calls in the call stack and even covers modern evasion techniques such as Threadless Injection or PoolParty Injection.<\/p>\n\n<p class=\"wp-block-paragraph\">Do you want to comprehensively detect, analyze and defend against cyber attacks without drowning in a flood of alerts? 
Discover the cloud-free MDR solution from SECUINFRA now: <\/p>\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-secuinfra-gmbh wp-block-embed-secuinfra-gmbh\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/testing.secuinfra.com\/managed-detection-and-response\/on-premises\n<\/div><\/figure>\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Further_links\"><\/span><strong>Further links<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/www.elastic.co\/security-labs\/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/www.elastic.co\/security-labs\/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks<\/a><\/p>\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/www.elastic.co\/security-labs\/doubling-down-etw-callstacks\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/www.elastic.co\/security-labs\/doubling-down-etw-callstacks<\/a><\/p>\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/www.elastic.co\/security-labs\/hunting-memory\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/www.elastic.co\/security-labs\/hunting-memory<\/a><\/p>\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/0x00sec.org\/t\/process-injection-apc-injection\/24608\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >https:\/\/0x00sec.org\/t\/process-injection-apc-injection\/24608<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Modern EDR or XDR solutions are capable of detecting suspicious behavior. The widely used Elastic solution has integrated this feature with Elastic Defend since 2019 and offers industry-leading transparency. Below we show how security experts work with it.   
<\/p>\n","protected":false},"author":36,"featured_media":60561,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[252,280,81],"tags":[350,723,705,724],"dpc_coauthors":[],"class_list":["post-53163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-detection-response","category-edr","category-techtalk","tag-cyber-defense-en","tag-edr-en","tag-mdr-en","tag-xdr-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/53163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=53163"}],"version-history":[{"count":2,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/53163\/revisions"}],"predecessor-version":[{"id":60582,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/53163\/revisions\/60582"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/60561"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=53163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=53163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=53163"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=53163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}