How to investigate "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints" #46
Comments
@FideliusFalcon the following steps should help triage alerts for this rule:
When copying the bytes from the unbacked region and doing a quick lookup on VT, we can confirm it's malicious: https://www.virustotal.com/gui/search/content%253A%257B6a0557575668903f011057ff15a8c200106a01585f5ec20c00b874b20010e8e30d000083ec185356578d45dc8965f06a10ff750833db895dec895dfc50e8b00d%257D/files Hope it helps. If still in doubt and want to share your alert for further triage, please ping us on the Elastic Security community Slack channel.
Hi @Samirbous
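The pivot described in the comment above (take the bytes the alert captured from the unbacked region, hash them, and run a VirusTotal content search) can be scripted so that every alert for this rule yields the same set of indicators. The helper below is an added example, not Elastic's code and not part of this issue thread. The alert document and its `memory_region_bytes` key are constructed placeholders, not a documented Elastic field; the hex bytes and the VT link format are the ones quoted in the comment above.

```python
"""Added triage helper for unbacked-region bytes in an Elastic Defend alert.

Not Elastic's own code and not part of the issue thread. It validates the
captured hex bytes, hashes them for an exact-hash lookup, and builds the
VirusTotal GUI content-search URL in the double-encoded form used in the
link in the comment above.
"""
import hashlib
from urllib.parse import quote

VT_SEARCH_PREFIX = "https://www.virustotal.com/gui/search/"

# The 64 bytes quoted inside the VT link in the comment above.
SAMPLE_HEX = (
    "6a0557575668903f011057ff15a8c200106a01585f5ec20c00b874b20010e8e3"
    "0d000083ec185356578d45dc8965f06a10ff750833db895dec895dfc50e8b00d"
)

# Constructed alert document. "memory_region_bytes" is a placeholder key,
# not a documented Elastic field name; the rule id/name are from the issue.
SAMPLE_ALERT = {
    "rule.id": "a10e7b14-4b7b-4a34-b3f6-64791c1114b3",
    "rule.name": "Potential Evasion with Hardware Breakpoints",
    "process.name": "example.exe",
    "memory_region_bytes": SAMPLE_HEX,
}


def normalize_hex(raw: str) -> str:
    """Strip whitespace and an optional 0x prefix, then validate as hex."""
    cleaned = "".join(raw.split()).lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned or len(cleaned) % 2:
        raise ValueError("expected a non-empty, even-length hex string")
    bytes.fromhex(cleaned)  # raises ValueError on non-hex characters
    return cleaned


def sha256_hex(hex_bytes: str) -> str:
    """SHA-256 of the raw bytes, usable for an exact-hash VT lookup."""
    return hashlib.sha256(bytes.fromhex(normalize_hex(hex_bytes))).hexdigest()


def vt_content_search_url(hex_bytes: str) -> str:
    """Build the VT GUI URL for the query content:{<hex>}.

    The GUI encodes the query twice (':' -> '%3A' -> '%253A'), which is why
    the link in the comment above reads content%253A%257B...%257D.
    """
    query = "content:{" + normalize_hex(hex_bytes) + "}"
    return VT_SEARCH_PREFIX + quote(quote(query, safe=""), safe="") + "/files"


def triage_alert(alert: dict) -> dict:
    """Collect the values an analyst pivots on for one alert."""
    hex_bytes = normalize_hex(alert["memory_region_bytes"])
    return {
        "rule_id": alert["rule.id"],
        "rule_name": alert["rule.name"],
        "process": alert["process.name"],
        "byte_count": len(hex_bytes) // 2,
        "sha256": sha256_hex(hex_bytes),
        "vt_content_search": vt_content_search_url(hex_bytes),
    }


if __name__ == "__main__":
    for key, value in triage_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The content search matches the byte sequence anywhere inside submitted files, so it catches the same stub embedded in different droppers; the SHA-256 is only useful when the captured region is an entire file, which is why both are emitted.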
Since August 19, we’ve noticed a significant increase in alerts triggered by the "Malicious Behavior Prevention Alert: Potential Evasion with Hardware Breakpoints" rule (a10e7b14-4b7b-4a34-b3f6-64791c1114b3). However, there’s a lack of clear guidance on how to trace the source of the hardware breakpoint or determine whether it’s legitimate or malicious.
The rule doesn’t provide sufficient information on how to:
Could you provide an investigation guide or recommended steps for analyzing these alerts effectively? More context or next steps within the rule itself would also be helpful.
I hope it's okay that I created a direct GitHub issue; otherwise just tell me and I will open an Elastic support ticket.
Thank you.