From e0915a17f26c55fb129e22970ba562d654aebcd9 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 29 Jan 2026 20:46:57 +0100
Subject: [PATCH] feat(rules): Add Potential NTDLL unhooking via file mapping rule

Identifies processes that map a fresh image view of NTDLL.dll from disk, a behavior commonly associated with user-mode API unhooking. Malware often remaps the original NTDLL image to restore pristine code sections and bypass user-mode security hooks placed by EDRs or AMSI.
---
 ...ntial_ntdll_unhooking_via_file_mapping.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml

diff --git a/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml b/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml
new file mode 100644
index 000000000..64ec59ceb
--- /dev/null
+++ b/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml
@@ -0,0 +1,38 @@
+name: Potential NTDLL unhooking via file mapping
+id: b000955d-90df-44eb-8e32-8269d395f0ef
+version: 1.0.0
+description: |
+ Identifies processes that map a fresh image view of NTDLL.dll
+ from disk, a behavior commonly associated with user-mode API
+ unhooking. Malware often remaps the original NTDLL image to
+ restore pristine code sections and bypass user-mode security
+ hooks placed by EDRs or AMSI.
+labels:
+ tactic.id: TA0005
+ tactic.name: Defense Evasion
+ tactic.ref: https://attack.mitre.org/tactics/TA0005/
+ technique.id: T1055
+ technique.name: Process Injection
+ technique.ref: https://attack.mitre.org/techniques/T1055/
+references:
+ - https://github.com/hwbp/NTDLL-Unhook
+
+condition: >
+ map_view_file and
+ file.view.type = 'IMAGE' and evt.pid not in (0, 4) and
+ file.path imatches
+ (
+ '?:\\Windows\\System32\\ntdll.dll',
+ '?:\\Windows\\SysWOW64\\ntdll.dll'
+ ) and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\System32\\WerFault.exe',
+ '?:\\Windows\\SysWOW64\\WerFault.exe',
+ '?:\\Windows\\System32\\wermgr.exe',
+ '?:\\Windows\\SysWOW64\\wermgr.exe'
+ )
+
+severity: high
+
+min-engine-version: 3.0.0
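Review bot: The `file.path imatches` clause in `condition` only fires when the mapped image is the canonical `?:\Windows\System32\ntdll.dll` or SysWOW64 copy, so an implant that copies ntdll.dll to a writable directory and maps that copy as `IMAGE` (a common variant of the referenced technique) would not match; consider a base-name match such as `file.path imatches '*\\ntdll.dll'` and tune the resulting false positives, and note that remaps through a `\KnownDlls` section may not carry a file path in this event at all, so this rule should be documented as covering the from-disk variant only. The `ps.exe not imatches` block is a path allowlist, so an actor that injects into a genuine WerFault.exe or wermgr.exe process inherits the exemption; if the engine exposes a parent-process or signer field, combining it with the path would narrow that gap. The `labels` map the rule to T1055 Process Injection, while removing user-mode hooks is more usually classified as Impair Defenses (T1562.001) — worth checking against the repository's other unhooking rules for consistency. In `description`, AMSI does not place hooks in ntdll, so `hooks placed by EDRs or AMSI` would be more accurate as `inline hooks placed by EDR/AV user-mode agents`.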