ALPC events #32
Open
Labels:
- events: alpc (anything related to ALPC events)
- needs: config (indicates the issue requires changes in the config file/flags)
- needs: docs (indicates that the issue needs documentation updates)
- needs: filters (indicates that new filters should be added)
- scope: events (anything related to kernel events)
Description
ALPC is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get visibility into the ALPC message flow, that would allow surfacing ALPC indicators of compromise. The NT Kernel Logger ETW provider permits gathering ALPC events; however, the event parameters are vague and not really useful. For example, we can't get the content of the ALPC message, just its identifier. The following ALPC events are produced by the NT Kernel Logger:
We could probably have the following ALPC events in Fibratus:

- AlpcSend with the message_id parameter. I'm not sure if we could get anything meaningful from this parameter without peeking into kernel space. ALPC port name?
- AlpcRecv with the message_id and source_pid parameters. Anything else that we could dig out?

Prior art
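One thing the two proposed events would already support, even without the message body or port name, is reconstructing which process talks to which: pair every AlpcRecv with the earliest still-unmatched AlpcSend carrying the same message_id, take the sender PID from the send event and the receiver PID from the receive event, and use source_pid on the receive side as a cross-check. The following is an added example written for this issue; it is not code from Fibratus or from the issue author. The event and field names (AlpcSend, AlpcRecv, MessageID, SourcePID), the FIFO matching rule for reused message ids, and the sample stream are all assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// AlpcEvent is a constructed, minimal view of the two events proposed in the
// issue. The field names follow the proposal (message_id, source_pid) and are
// assumptions, not the real Fibratus event schema.
type AlpcEvent struct {
	Seq       int    // position in the ETW stream (monotonic)
	Name      string // "AlpcSend" or "AlpcRecv"
	PID       uint32 // process that emitted the event
	MessageID uint32 // message_id parameter (on both events)
	SourcePID uint32 // source_pid parameter (AlpcRecv only; 0 on AlpcSend)
}

// AlpcFlow is one reconstructed sender -> receiver exchange.
type AlpcFlow struct {
	MessageID     uint32
	SenderPID     uint32
	ReceiverPID   uint32
	SourceMatches bool // AlpcRecv.source_pid agrees with the paired AlpcSend.PID
	Latency       int  // Seq distance between the send and the receive
}

// PeerKey identifies a sender/receiver process pair.
type PeerKey struct{ Sender, Receiver uint32 }

// CorrelateAlpc pairs each AlpcRecv with the earliest unmatched AlpcSend that
// carries the same message_id. Message ids are reused over time, so matching
// FIFO per id is what keeps a reused id from pairing across unrelated
// exchanges. Receives with no preceding send (e.g. tracing started
// mid-conversation) are returned as orphans instead of being guessed at.
func CorrelateAlpc(events []AlpcEvent) (flows []AlpcFlow, orphans []AlpcEvent) {
	evs := append([]AlpcEvent(nil), events...) // do not reorder the caller's slice
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].Seq < evs[j].Seq })

	pending := map[uint32][]AlpcEvent{} // message_id -> unmatched sends, in order
	for _, ev := range evs {
		switch ev.Name {
		case "AlpcSend":
			pending[ev.MessageID] = append(pending[ev.MessageID], ev)
		case "AlpcRecv":
			q := pending[ev.MessageID]
			if len(q) == 0 {
				orphans = append(orphans, ev)
				continue
			}
			send := q[0]
			pending[ev.MessageID] = q[1:]
			flows = append(flows, AlpcFlow{
				MessageID:     ev.MessageID,
				SenderPID:     send.PID,
				ReceiverPID:   ev.PID,
				SourceMatches: ev.SourcePID == send.PID,
				Latency:       ev.Seq - send.Seq,
			})
		}
	}
	return flows, orphans
}

// FlowsByPeer aggregates flows into a who-talks-to-whom count, which is the
// shape a baseline or an "unexpected peer" filter would consume.
func FlowsByPeer(flows []AlpcFlow) map[PeerKey]int {
	counts := map[PeerKey]int{}
	for _, f := range flows {
		counts[PeerKey{f.SenderPID, f.ReceiverPID}]++
	}
	return counts
}

// SampleEvents is a constructed stream: message id 0x10 is reused three times,
// two different clients (4321 and 9999) talk to the same server (808), one
// receive has no matching send, and one receive reports a source_pid that
// disagrees with the send that was paired to it.
func SampleEvents() []AlpcEvent {
	return []AlpcEvent{
		{Seq: 1, Name: "AlpcSend", PID: 4321, MessageID: 0x10},
		{Seq: 2, Name: "AlpcRecv", PID: 808, MessageID: 0x10, SourcePID: 4321},
		{Seq: 3, Name: "AlpcSend", PID: 4321, MessageID: 0x10},
		{Seq: 4, Name: "AlpcSend", PID: 9999, MessageID: 0x10},
		{Seq: 5, Name: "AlpcRecv", PID: 808, MessageID: 0x10, SourcePID: 4321},
		{Seq: 6, Name: "AlpcRecv", PID: 808, MessageID: 0x10, SourcePID: 9999},
		{Seq: 7, Name: "AlpcRecv", PID: 1234, MessageID: 0x77, SourcePID: 555},
		{Seq: 8, Name: "AlpcSend", PID: 2222, MessageID: 0x20},
		{Seq: 9, Name: "AlpcRecv", PID: 808, MessageID: 0x20, SourcePID: 3333},
	}
}

func main() {
	flows, orphans := CorrelateAlpc(SampleEvents())
	for _, f := range flows {
		fmt.Printf("msg %#x: %d -> %d (source_pid agrees: %v, latency %d)\n",
			f.MessageID, f.SenderPID, f.ReceiverPID, f.SourceMatches, f.Latency)
	}
	fmt.Printf("orphan receives: %d\n", len(orphans))
	for k, n := range FlowsByPeer(flows) {
		fmt.Printf("peer %d -> %d: %d messages\n", k.Sender, k.Receiver, n)
	}
}
```

A disagreement between the paired send's PID and the receive's source_pid (the last exchange in the sample) is worth surfacing rather than silently trusting either side: it means the pairing heuristic and the kernel-reported source diverge, which is exactly the case an analyst would want to look at when message_id is the only handle available.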