@joseph-coulter thank you for reporting this; indeed 80%+ of the noise is coming from Oracle OCI.dll-related modules (diverse hashes and paths). We pushed a tuning here https://github.com/elastic/detection-rules/pull/4144/files (you can also duplicate the rule and use the provided tuning if you don't want to wait for artifact updates).
### Link to Rule

rules/windows/privilege_escalation_persistence_phantom_dll.toml

### Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

### Description

In environments where Oracle OEM is used frequently, this alert produces a lot of false positives. It looks like this is an Oracle-made .dll file, and because the current version of the file (I used https://download.oracle.com/otn_software/nt/instantclient/2350000/instantclient-basic-windows.x64-23.5.0.24.07.zip as an example, which was found at https://www.oracle.com/database/technologies/instant-client/winx64-64-downloads.html) doesn't have a signature, it will also always meet the 3 other criteria that cause the alert to trigger: `?dll.code_signature.trusted != true`, `?dll.code_signature.exists != true`, and `not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")`.

### Example Data
```eql
any where host.os.type == "windows" and
  (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded*")) and
  (
    /* compatible with Elastic Endpoint Library Events */
    (
      ?dll.name : (
        "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
        "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
        "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
        "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
      )
      and (
        ?dll.code_signature.trusted != true or
        ?dll.code_signature.exists != true or
        (
          dll.code_signature.trusted == true and
          not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
        )
      )
    ) or
    /* compatible with Sysmon EventID 7 - Image Load */
    (
      file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
                   "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
                   "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
                   "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and
      not file.hash.sha256 :
        ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f",
         "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4",
         "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and
      not file.code_signature.status == "Valid"
    )
  ) and
  not
  (
    ?dll.path : (
      "?:\Windows\System32\wbemcomn.dll",
      "?:\Windows\SysWOW64\wbemcomn.dll",
      "?:\Windows\System32\windowsperformancerecordercontrol.dll",
      "?:\Windows\System32\wlanhlp.dll"
    ) or
    file.path : (
      "?:\Windows\System32\wbemcomn.dll",
      "?:\Windows\SysWOW64\wbemcomn.dll",
      "?:\Windows\System32\windowsperformancerecordercontrol.dll",
      "?:\Windows\System32\wlanhlp.dll"
    )
  )
```
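To see why an unsigned module named like one of the phantom DLLs alerts while a Microsoft-signed or path-excluded copy does not, here is an added Python model of the rule's Endpoint library-event branch run over constructed dll-load events. This is not code from the detection-rules project; the Oracle instantclient path, the vendor name and the event labels are placeholders.

```python
from typing import Dict, List

# Phantom DLL names from the rule; EQL ":" matches case-insensitively, so compare lowercased.
PHANTOM_DLLS = {n.lower() for n in (
    "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll",
    "Msfte.dll", "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll",
    "phoneinfo.dll", "EdgeGdi.dll", "cdpsgshims.dll", "windowsperformancerecordercontrol.dll",
    "diagtrack_win.dll", "TPPCOIPW32.dll", "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll")}
MS_SUBJECTS = {"microsoft windows", "microsoft corporation", "microsoft windows publisher"}
# Path exclusions from the rule; the leading "?" in the EQL matches any single drive letter.
EXCLUDED_PATH_TAILS = {p.lower() for p in (
    r":\Windows\System32\wbemcomn.dll", r":\Windows\SysWOW64\wbemcomn.dll",
    r":\Windows\System32\windowsperformancerecordercontrol.dll", r":\Windows\System32\wlanhlp.dll")}

def suspicious_signature(sig: dict) -> bool:
    """Rule's signature branch: untrusted, absent, or trusted but with a non-Microsoft subject.
    An unsigned module (no trusted/exists fields) satisfies the first two clauses."""
    trusted, exists = sig.get("trusted"), sig.get("exists")
    subject = (sig.get("subject_name") or "").lower()
    return (trusted is not True or exists is not True
            or (trusted is True and subject not in MS_SUBJECTS))

def path_excluded(path: str) -> bool:
    """Emulates `?dll.path : ("?:\\Windows\\...")`: one wildcard char, then a literal tail."""
    return len(path) > 1 and path[1:].lower() in EXCLUDED_PATH_TAILS

def rule_matches(dll: dict) -> bool:
    """Listed name AND suspicious signature AND not an excluded path."""
    if dll.get("name", "").lower() not in PHANTOM_DLLS:
        return False
    return suspicious_signature(dll.get("code_signature", {})) and not path_excluded(dll.get("path", ""))

# Constructed sample dll-load events (not real telemetry; paths and vendor are placeholders).
SAMPLE_EVENTS: List[dict] = [
    {"label": "unsigned_in_app_dir", "dll": {"name": "wbemcomn.dll", "code_signature": {"exists": False},
                                             "path": r"C:\oracle\instantclient_23_5\wbemcomn.dll"}},
    {"label": "unsigned_system32_excluded", "dll": {"name": "wbemcomn.dll", "code_signature": {"exists": False},
                                                    "path": r"C:\Windows\System32\wbemcomn.dll"}},
    {"label": "vendor_signed", "dll": {"name": "wlbsctrl.dll", "path": r"C:\Program Files\Vendor\wlbsctrl.dll",
                                       "code_signature": {"trusted": True, "exists": True, "subject_name": "Example Vendor"}}},
    {"label": "ms_signed", "dll": {"name": "wlbsctrl.dll", "path": r"C:\Program Files\Vendor\wlbsctrl.dll",
                                   "code_signature": {"trusted": True, "exists": True, "subject_name": "Microsoft Windows"}}},
]

def evaluate(events: List[dict]) -> Dict[str, bool]:
    """Return which sample events the rule branch would alert on, keyed by label."""
    return {e["label"]: rule_matches(e["dll"]) for e in events}

if __name__ == "__main__":
    for label, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{label:28s} -> {'ALERT' if hit else 'no alert'}")
```

Any unsigned copy outside the four hard-coded system paths alerts regardless of where it came from, which is exactly why a vendor-specific exclusion (by path, hash or signer) is the tuning lever rather than the name list.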