[Rule Tuning] Suspicious Process Access via Direct System Call #5895

@lowlevel01

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Rule Tuning Type

False Negatives - Enhancing detection of true threats that were previously missed.

Description

Hi,

I have a question. I noticed this rule uses the wildcard "*" in the excluded paths. I wonder if this is safe? Do we assume if the user has admin rights then they can use direct syscalls?

Example Data

No response
