Open joseph-coulter opened 5 days ago
Link to Rule
rules/windows/privilege_escalation_persistence_phantom_dll.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
In environments where Oracle OEM is used frequently, this alert produces a lot of false positives. It looks like this is an Oracle-made .dll file, and because the current version of the file (I used https://download.oracle.com/otn_software/nt/instantclient/2350000/instantclient-basic-windows.x64-23.5.0.24.07.zip as an example, which was found at https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html) doesn't have a signature, it will always also meet both of 3 other criteria that will cause the alert to trigger: `?dll.code_signature.trusted != true`, `?dll.code_signature.exists != true`, and `not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")`.
Example Data
```eql
any where host.os.type == "windows" and
  (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded")) and
  (
    /* compatible with Elastic Endpoint Library Events */
    (
      ?dll.name : (
        "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
        "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
        "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
        "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
      ) and
      (
        ?dll.code_signature.trusted != true or
        ?dll.code_signature.exists != true or
        (
          dll.code_signature.trusted == true and
          not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
        )
      )
    ) or

    /* compatible with Sysmon EventID 7 - Image Load */
    (
      file.name : (
        "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
        "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
        "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
        "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
      ) and
      not file.hash.sha256 : (
        "6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f",
        "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4",
        "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662"
      ) and
      not file.code_signature.status == "Valid"
    )
  ) and
  not (
    ?dll.path : (
      "?:\\Windows\\System32\\wbemcomn.dll",
      "?:\\Windows\\SysWOW64\\wbemcomn.dll",
      "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
      "?:\\Windows\\System32\\wlanhlp.dll"
    ) or
    file.path : (
      "?:\\Windows\\System32\\wbemcomn.dll",
      "?:\\Windows\\SysWOW64\\wbemcomn.dll",
      "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
      "?:\\Windows\\System32\\wlanhlp.dll"
    )
  )
```
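An added example, not from the issue author or the elastic/detection-rules project: a small Python model of the rule's Endpoint branch that shows which of the three signature sub-conditions an unsigned third-party DLL actually hits, plus a hypothetical sha256 allowlist (modelled on the exception the Sysmon branch already carries) as one tuning option. The vendor path, subject name and hash are constructed placeholders.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Subset of the rule's watchlist of hijackable DLL names (taken from the query above).
WATCHLIST = {"wlbsctrl.dll", "wbemcomn.dll", "wow64log.dll", "fxsst.dll", "mstracer.dll"}
MS_SUBJECTS = {"Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher"}
# Path exceptions from the rule; EQL "?" matches exactly one character, like fnmatch.
SYSTEM_PATHS = [r"?:\windows\system32\wbemcomn.dll", r"?:\windows\syswow64\wbemcomn.dll",
                r"?:\windows\system32\windowsperformancerecordercontrol.dll",
                r"?:\windows\system32\wlanhlp.dll"]

@dataclass
class DllEvent:
    """Constructed image-load event carrying only the fields the rule inspects."""
    name: str
    path: str
    sig_exists: bool = False
    sig_trusted: bool = False
    subject_name: Optional[str] = None
    sha256: str = ""

def signature_flags(ev: DllEvent) -> dict:
    """Which of the three signature sub-conditions the event satisfies."""
    return {
        "trusted != true": ev.sig_trusted is not True,
        "exists != true": ev.sig_exists is not True,
        "trusted non-Microsoft": ev.sig_trusted is True and ev.subject_name not in MS_SUBJECTS,
    }

def rule_fires(ev: DllEvent, allowed_sha256: frozenset = frozenset()) -> bool:
    """Mirror the Endpoint branch: watchlisted name, any signature flag, no exception hit.
    allowed_sha256 is a hypothetical hash allowlist (a tuning idea, not in the rule today)."""
    if ev.name.lower() not in WATCHLIST:
        return False
    if any(fnmatchcase(ev.path.lower(), p) for p in SYSTEM_PATHS):
        return False
    if ev.sha256 and ev.sha256.lower() in allowed_sha256:
        return False
    return any(signature_flags(ev).values())

# Constructed events; the vendor path, subject and hash are placeholders, not real values.
UNSIGNED_VENDOR = DllEvent("wlbsctrl.dll", r"C:\Program Files\Vendor\bin\wlbsctrl.dll", sha256="0" * 64)
MS_SYSTEM = DllEvent("wbemcomn.dll", r"C:\Windows\System32\wbemcomn.dll", True, True, "Microsoft Windows")
SIGNED_THIRD_PARTY = DllEvent("fxsst.dll", r"C:\Tools\fxsst.dll", True, True, "Example Vendor LLC")
```

An unsigned file trips the first two flags but not the third, since that one requires `trusted == true`; a hash allowlist suppresses the known-good build without widening the exception to every unsigned copy of that name.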