
Table 9 Implicit file removal through code injection into process \(p_2\) by process \(p_1\) [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| # | System calls | Description |
|---|--------------|-------------|
| 1 | VirtualAllocEx | \(e_1 = \langle s_1, o_1, a_1, t_1 \rangle,\ a_1 = C,\ Thread(s_1),\ s_1 \xrightarrow{partOf} p_1,\ Memory(o_1),\ o_1 \xrightarrow{partOf} p_2\) |
| 2 | WriteProcessMemory | \(e_2 = \langle s_1, o_1, a_2, t_2 \rangle,\ a_2 = W,\ t_2 = t_1 + \epsilon\) |
| 3 | CreateRemoteThread | \(e_3 = \langle s_1, o_2, a_3, t_3 \rangle,\ a_3 = C,\ Thread(o_2),\ o_2 \xrightarrow{partOf} p_2,\ o_1 \xrightarrow{partOf} o_2,\ t_3 = t_2 + \epsilon\) |
| 4 | SetThreadContext | \(e_4 = \langle s_1, o_3, a_4, t_4 \rangle,\ a_4 = W,\ Context(o_3),\ o_3 \xrightarrow{partOf} o_2,\ t_4 = t_3 + \epsilon\) |
| 5 | ResumeThread | \(e_5 = \langle s_1, o_2, a_5, t_5 \rangle,\ a_5 = E,\ t_5 = t_4 + \epsilon\) |
| 6 | DeleteFile | \(e_6 = \langle o_2, o_4, a_6, t_6 \rangle,\ a_6 = D,\ File(o_4),\ t_6 = t_5 + \epsilon\) |
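The point of the table is that the final deletion \(e_6\) is performed by thread \(o_2\), which lives in \(p_2\), yet semantically belongs to \(p_1\), because \(p_1\) allocated, wrote, created, configured and resumed that thread. A detector that only looks at the subject of DeleteFile would credit the removal to the victim process. The following added example (not code from the paper or its authors) shows one way to correlate the six events: it walks a time-ordered event stream, keeps partial matches per injecting thread, and, once steps 1 through 5 are seen, attributes any File deletion by the injected thread back to \(p_1\). The entity names, the `part_of` graph, the `Event` record and the `eps` window are constructed assumptions for the demonstration; \(\epsilon\) is treated as a maximum gap between consecutive steps.

```python
"""Correlate the six-step code-injection pattern (Table 9) and attribute the
final DeleteFile to the injecting process p_1.  Added example: entity names,
the part_of graph, event records and the time window are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    subject: str   # acting entity (a thread)
    obj: str       # entity acted upon
    action: str    # C=create, W=write, E=execute, D=delete (as in the table)
    time: int
    syscall: str   # kept for readability only; matching uses action + types


def process_of(entity, types, part_of):
    """Follow partOf edges breadth-first until a Process entity is reached."""
    seen, queue = {entity}, deque([entity])
    while queue:
        cur = queue.popleft()
        if types.get(cur) == "Process":
            return cur
        for nxt in part_of.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None


def find_implicit_removals(events, types, part_of, eps=10):
    """Return one finding per File deletion executed by an injected thread."""
    findings, chains = [], []          # chains: partial matches, one per e_1
    for e in sorted(events, key=lambda ev: ev.time):
        # Step 1: a thread s_1 of p_1 creates Memory o_1 that belongs to p_2.
        if e.action == "C" and types.get(e.obj) == "Memory":
            p1 = process_of(e.subject, types, part_of)
            p2 = process_of(e.obj, types, part_of)
            if p1 and p2 and p1 != p2:
                chains.append({"s1": e.subject, "p1": p1, "p2": p2,
                               "o1": e.obj, "o2": None, "step": 1, "t": e.time})
        for ch in chains:
            # Each step must follow the previous one within eps (t_i = t_{i-1} + eps).
            if not (ch["t"] < e.time <= ch["t"] + eps):
                continue
            s1, step = ch["s1"], ch["step"]
            if step == 1 and e.subject == s1 and e.action == "W" and e.obj == ch["o1"]:
                ch["step"], ch["t"] = 2, e.time                       # WriteProcessMemory
            elif (step == 2 and e.subject == s1 and e.action == "C"
                  and types.get(e.obj) == "Thread"
                  and process_of(e.obj, types, part_of) == ch["p2"]
                  and e.obj in part_of.get(ch["o1"], ())):            # o_1 partOf o_2
                ch["o2"], ch["step"], ch["t"] = e.obj, 3, e.time      # CreateRemoteThread
            elif (step == 3 and e.subject == s1 and e.action == "W"
                  and types.get(e.obj) == "Context"
                  and ch["o2"] in part_of.get(e.obj, ())):            # o_3 partOf o_2
                ch["step"], ch["t"] = 4, e.time                       # SetThreadContext
            elif step == 4 and e.subject == s1 and e.action == "E" and e.obj == ch["o2"]:
                ch["step"], ch["t"] = 5, e.time                       # ResumeThread
            elif (step == 5 and e.subject == ch["o2"] and e.action == "D"
                  and types.get(e.obj) == "File"):
                # Step 6: the injected thread deletes a file; credit p_1, not p_2.
                findings.append({"deleted": e.obj, "executed_by": ch["o2"],
                                 "attributed_to": ch["p1"], "victim": ch["p2"]})
                ch["t"] = e.time   # stay at step 5: further deletions are also p_1's
    return findings


# Constructed knowledge base: entity types and partOf relations.
TYPES = {"p_1": "Process", "p_2": "Process", "s_1": "Thread", "s_9": "Thread",
         "o_1": "Memory", "o_2": "Thread", "o_3": "Context",
         "o_4": "File", "o_5": "File", "o_6": "Memory"}
PART_OF = {"s_1": {"p_1"}, "s_9": {"p_2"}, "o_1": {"p_2", "o_2"},
           "o_2": {"p_2"}, "o_3": {"o_2"}, "o_6": {"p_2"}}

# Constructed event stream: the six-step pattern plus two benign events
# (an allocation that is never written to, and a deletion by p_2's own thread).
SAMPLE_EVENTS = [
    Event("s_1", "o_1", "C", 100, "VirtualAllocEx"),
    Event("s_1", "o_1", "W", 101, "WriteProcessMemory"),
    Event("s_1", "o_2", "C", 102, "CreateRemoteThread"),
    Event("s_1", "o_3", "W", 103, "SetThreadContext"),
    Event("s_1", "o_2", "E", 104, "ResumeThread"),
    Event("o_2", "o_4", "D", 105, "DeleteFile"),
    Event("s_1", "o_6", "C", 50, "VirtualAllocEx"),   # benign: no follow-up
    Event("s_9", "o_5", "D", 106, "DeleteFile"),      # benign: p_2's own thread
]

if __name__ == "__main__":
    for f in find_implicit_removals(SAMPLE_EVENTS, TYPES, PART_OF):
        print(f)
```

Two design choices matter for real data. First, `process_of` walks the partOf graph rather than assuming a flat thread-to-process map, so a Context that is part of a Thread that is part of a Process resolves correctly. Second, a chain is kept at step 5 after the first deletion, so every later file removal by the injected thread inside the window is still attributed to \(p_1\); tightening or widening `eps` trades missed long-running injections against false correlations between unrelated events.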