
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation #4139

Open
joseph-coulter opened this issue Oct 3, 2024 · 2 comments
Assignees
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@joseph-coulter

Link to Rule

rules/windows/privilege_escalation_persistence_phantom_dll.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

In environments where Oracle OEM is used frequently, this alert produces a lot of false positives. It looks like this is an Oracle-made .dll file, and because the current version of the file (I used https://download.oracle.com/otn_software/nt/instantclient/2350000/instantclient-basic-windows.x64-23.5.0.24.07.zip as an example, which was found at https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html) doesn't have a signature, it will always also meet all 3 of the other criteria that will cause the alert to trigger: "?dll.code_signature.trusted != true", "?dll.code_signature.exists != true", and "not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")".

Example Data

any where host.os.type == "windows" and
  (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded*")) and
  (
    /* compatible with Elastic Endpoint Library Events */
    (
      ?dll.name : (
        "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
        "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
        "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
        "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
      )
      and (
        ?dll.code_signature.trusted != true or
        ?dll.code_signature.exists != true or
        (
          dll.code_signature.trusted == true and
          not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
        )
      )
    ) or

    /* compatible with Sysmon EventID 7 - Image Load */
    (
      file.name : (
        "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
        "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
        "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
        "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
      ) and
      not file.hash.sha256 : (
        "6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f",
        "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4",
        "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662"
      ) and
      not file.code_signature.status == "Valid"
    )
  ) and
  not
  (
    ?dll.path : (
      "?:\Windows\System32\wbemcomn.dll",
      "?:\Windows\SysWOW64\wbemcomn.dll",
      "?:\Windows\System32\windowsperformancerecordercontrol.dll",
      "?:\Windows\System32\wlanhlp.dll"
    ) or
    file.path : (
      "?:\Windows\System32\wbemcomn.dll",
      "?:\Windows\SysWOW64\wbemcomn.dll",
      "?:\Windows\System32\windowsperformancerecordercontrol.dll",
      "?:\Windows\System32\wlanhlp.dll"
    )
  )
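The decision logic of the Elastic Endpoint branch of this rule, re-implemented in Python as an added example (not code from the elastic/detection-rules repository) to show why an unsigned DLL with a listed name alerts and how an extra path allowlist changes that. The sample events and the `tuned_path_prefixes` parameter are constructed for illustration and do not reflect the contents of the linked tuning PR.

```python
MS_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher"}
PHANTOM_DLLS = {n.lower() for n in (
    "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll",
    "Msfte.dll", "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll",
    "phoneinfo.dll", "EdgeGdi.dll", "cdpsgshims.dll", "windowsperformancerecordercontrol.dll",
    "diagtrack_win.dll", "TPPCOIPW32.dll", "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll")}
# Path allowlist from the rule; "?:" in EQL stands for any single drive letter.
EXCLUDED_PATHS = {p.lower() for p in (
    r"\Windows\System32\wbemcomn.dll", r"\Windows\SysWOW64\wbemcomn.dll",
    r"\Windows\System32\windowsperformancerecordercontrol.dll", r"\Windows\System32\wlanhlp.dll")}


def signature_suspicious(sig):
    """The three OR'd signature checks; a missing field counts as 'not true', which is
    why an unsigned module satisfies them all, as the report observes."""
    trusted = sig.get("trusted")
    return (trusted is not True or sig.get("exists") is not True
            or (trusted is True and sig.get("subject_name") not in MS_SIGNERS))


def path_excluded(path):
    p = path.lower()
    return len(p) > 2 and p[1] == ":" and p[2:] in EXCLUDED_PATHS


def rule_matches(event, tuned_path_prefixes=()):
    """Return True if a library-load event would alert. tuned_path_prefixes is a
    hypothetical extra allowlist (lowercased path prefixes) illustrating one tuning shape."""
    if event.get("host.os.type") != "windows" or event.get("event.category") != "library":
        return False
    dll = event.get("dll", {})
    name, path = dll.get("name", ""), dll.get("path", "")
    if name.lower() not in PHANTOM_DLLS or path_excluded(path):
        return False
    if any(path.lower().startswith(prefix) for prefix in tuned_path_prefixes):
        return False
    return signature_suspicious(dll.get("code_signature", {}))


# Constructed sample events, not real telemetry.
UNSIGNED_VENDOR_DLL = {  # stands in for the unsigned vendor-shipped module the report describes
    "host.os.type": "windows", "event.category": "library",
    "dll": {"name": "wlbsctrl.dll", "path": r"C:\ExampleVendor\client\wlbsctrl.dll",
            "code_signature": {"exists": False}}}
MS_SIGNED_SYSTEM_DLL = {
    "host.os.type": "windows", "event.category": "library",
    "dll": {"name": "wbemcomn.dll", "path": r"C:\Windows\System32\wbemcomn.dll",
            "code_signature": {"exists": True, "trusted": True, "subject_name": "Microsoft Windows"}}}
```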

@Samirbous (Contributor)

@joseph-coulter thank you for reporting this, indeed 80%+ of the noise is coming from Oracle OCI.dll related modules (diverse hashes and paths). We pushed a tuning here https://github.com/elastic/detection-rules/pull/4144/files (you can also duplicate the rule and use the provided tuning if you don't want to wait for artifact updates).

@joseph-coulter (Author)

Thanks. If that's the sort of tuning you want I'll try to keep them coming.
