Table 9 Implicit file removal through code injection into process \(p_2\) by process \(p_1\) [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| # | System call | Description |
|---|---|---|
| 1 | VirtualAllocEx | \(e_1 = \langle s_1, o_1, a_1, t_1 \rangle,\ a_1 = C,\ Thread(s_1),\ s_1 \xrightarrow{partOf} p_1,\ Memory(o_1),\ o_1 \xrightarrow{partOf} p_2\) |
| 2 | WriteProcessMemory | \(e_2 = \langle s_1, o_1, a_2, t_2 \rangle,\ a_2 = W,\ t_2 = t_1 + \epsilon\) |
| 3 | CreateRemoteThread | \(e_3 = \langle s_1, o_2, a_3, t_3 \rangle,\ a_3 = C,\ Thread(o_2),\ o_2 \xrightarrow{partOf} p_2,\ o_1 \xrightarrow{partOf} o_2,\ t_3 = t_2 + \epsilon\) |
| 4 | SetThreadContext | \(e_4 = \langle s_1, o_3, a_4, t_4 \rangle,\ a_4 = W,\ Context(o_3),\ o_3 \xrightarrow{partOf} o_2,\ t_4 = t_3 + \epsilon\) |
| 5 | ResumeThread | \(e_5 = \langle s_1, o_2, a_5, t_5 \rangle,\ a_5 = E,\ t_5 = t_4 + \epsilon\) |
| 6 | DeleteFile | \(e_6 = \langle o_2, o_4, a_6, t_6 \rangle,\ a_6 = D,\ File(o_4),\ t_6 = t_5 + \epsilon\) |
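As an added worked example (not code from the paper), the following detector correlates the six-step pattern of Table 9 over a constructed audit trace, using the paper's event tuple \(\langle s, o, a, t \rangle\) and partOf relations, and attributes the final DeleteFile to the injecting process \(p_1\). The knowledge-base shape (type and partOf dictionaries), the correlation window, and the entity names T1, T2, M0, M1, X1, F1 are assumptions made for the example.

```python
from collections import namedtuple
Event = namedtuple("Event", "s o a t")  # e = <subject, object, action C/W/E/D, timestamp>

def owner(entity, part_of):
    """Follow partOf edges upward to the containing process."""
    while entity in part_of:
        entity = part_of[entity]
    return entity

def first_after(ev, t, pred):
    return next((e for e in ev if e.t > t and pred(e)), None)  # first event after t matching pred

def detect_implicit_file_removal(events, types, part_of, window):
    """Return (p1, p2, file) for each match of the six-step pattern in Table 9."""
    ev = sorted(events, key=lambda e: e.t)
    findings = []
    for e1 in ev:  # step 1: a thread of p1 allocates memory that belongs to p2
        if not (e1.a == "C" and types.get(e1.s) == "Thread" and types.get(e1.o) == "Memory"):
            continue
        s1, o1 = e1.s, e1.o
        p1, p2 = owner(s1, part_of), owner(o1, part_of)
        if p1 == p2:  # allocation inside its own process is not injection
            continue
        later = [e for e in ev if e.t <= e1.t + window]
        # step 2: the same thread writes into the remote region
        e2 = first_after(later, e1.t, lambda e: e.s == s1 and e.o == o1 and e.a == "W")
        # step 3: it creates a thread in p2 whose code lies in that region (o1 partOf o2)
        e3 = e2 and first_after(later, e2.t, lambda e: e.s == s1 and e.a == "C" and types.get(e.o)
                                == "Thread" and owner(e.o, part_of) == p2 and part_of.get(o1) == e.o)
        if e3 is None:
            continue
        o2 = e3.o
        # step 4: it writes that thread's context; step 5: it resumes (executes) the thread
        e4 = first_after(later, e3.t, lambda e: e.s == s1 and e.a == "W"
                         and types.get(e.o) == "Context" and part_of.get(e.o) == o2)
        e5 = e4 and first_after(later, e4.t, lambda e: e.s == s1 and e.o == o2 and e.a == "E")
        if e5 is None:
            continue
        # step 6: the injected thread deletes a file; the removal is attributed to p1
        findings += [(p1, p2, e.o) for e in later
                     if e.t > e5.t and e.s == o2 and e.a == "D" and types.get(e.o) == "File"]
    return findings

# Constructed sample knowledge base (entity types, final partOf edges) and audit trace.
TYPES = {"T1": "Thread", "T2": "Thread", "M0": "Memory", "M1": "Memory", "X1": "Context", "F1": "File"}
PART_OF = {"T1": "p1", "T2": "p2", "M0": "p1", "M1": "T2", "X1": "T2"}
SAMPLE = [Event("T1", "M0", "C", 0.5), Event("T1", "M1", "C", 1.0), Event("T1", "M1", "W", 1.1),
          Event("T1", "T2", "C", 1.2), Event("T1", "X1", "W", 1.3), Event("T1", "T2", "E", 1.4),
          Event("T2", "F1", "D", 1.5)]

def run_sample():
    return detect_implicit_file_removal(SAMPLE, TYPES, PART_OF, window=5.0)
```

The benign allocation of M0 inside p1 itself is ignored, while the cross-process sequence yields a single finding naming p1 as the origin of the deletion of F1.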