ALPC events #32
Labels
kevents: alpc (Anything related to ALPC events)
needs: config (Indicates the issue requires changes in the config file/flags)
needs: docs (Indicates that the issue needs documentation updates)
needs: filters (Indicates that new filters should be added)
scope: events (Anything related to kernel events)
Description
ALPC is the Windows internal messaging system. ALPC is frequently utilized by malware actors to inject shellcode into benign processes. If we could get visibility into the ALPC message flow, that would allow surfacing ALPC indicators of compromise. The NT Kernel Logger ETW provider permits gathering the ALPC events; however, the event parameters are vague and not really useful. For example, we can't get the content of the ALPC message, just its identifier. The following ALPC events are produced by the NT Kernel Logger:
We could probably have the following ALPC events in Fibratus:

AlpcSend with message_id parameter. I'm not sure if we could get anything meaningful from this parameter without peeking into kernel space. ALPC port name?

AlpcRecv with message_id and source_pid parameters. Anything else that we could dig out?

Prior art