Examples and Real World Scenarios

1) Process Injection Monitoring:

VirtualAllocEx, WriteProcessMemory, CreateRemoteThread are flagged.
EDR logs the full injection chain and arguments (target PID, buffer, size).

2) Fileless Execution Monitoring:

EDRs detect PowerShell invoking encoded commands via -enc flag.
API call patterns + command-line arguments = detection logic.

3) Network Activity:

Calls to WSAConnect, connect, or HttpSendRequest are monitored.
EDR may intercept arguments to see destination IP/domain.

Real-World Scenario

Scenario: A malware performs process hollowing by:

Creating a suspended process.
Unmapping the target image.
Writing shellcode.
Resuming the thread.

Monitored API Calls:

CreateProcess, NtUnmapViewOfSection, WriteProcessMemory, ResumeThread.

EDR Response:

Flags unusual call sequence + memory permissions.
Real-time alert or post-event correlation triggered.

Evasion Tactic:

Use syscall-level injection, avoid known API calls, use delay and obfuscation.

PreviousAPI Calls and System Calls NextExecution Flow Monitoring

Last updated 4 months ago