diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index 7cb329b61..abdd7977d 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/07" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/07/11" +updated_date = "2024/10/09" [rule] author = ["Elastic"] @@ -99,7 +99,7 @@ any where host.os.type == "windows" and ?dll.name : ( "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", - "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll", "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll" ) and ( 
@@ -110,11 +110,18 @@ any where host.os.type == "windows" and not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher") ) ) or + /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */ + ( + (?dll.path : "?:\\Windows\\*\\oci.dll" and process.executable : "?:\\Windows\\*.exe" and + (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or + + (file.path : "?:\\Windows\\*\\oci.dll" and not file.code_signature.status == "Valid" and process.executable : "?:\\Windows\\*.exe") + ) or /* compatible with Sysmon EventID 7 - Image Load */ (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", - "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll", "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and not file.hash.sha256 : ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", 
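Review bot: The new oci.dll clause only matches drive-letter paths (`?dll.path : "?:\\Windows\\*\\oci.dll"` and `file.path : "?:\\Windows\\*\\oci.dll"`), but the exclusions added in the next hunk of this same patch show that the data source also reports `\\Device\\HarddiskVolume?\\Windows\\...` forms; since `"oci.dll"` is removed from both the `?dll.name` and `file.name` lists (here and in the previous hunk), an oci.dll load reported with an NT device path no longer matches any branch of the rule. If that path form is expected for image-load events, the clause should accept both, e.g. `?dll.path : ("?:\\Windows\\*\\oci.dll", "\\Device\\HarddiskVolume?\\Windows\\*\\oci.dll")`. The dll branch keys on `?dll.code_signature.trusted != true or ?dll.code_signature.exists != true` while the Sysmon branch keys on `not file.code_signature.status == "Valid"`; if unsigned loads arrive with `dll.code_signature` absent rather than populated, confirm how `!=` on a null optional field evaluates in the targeted EQL version, since both sub-conditions rely on it. The enclosing `any where` query starts before and ends after this hunk.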
@@ -128,13 +135,25 @@ any where host.os.type == "windows" and "?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll", "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll", - "?:\\Windows\\System32\\wlanhlp.dll" + "?:\\Windows\\System32\\wlanhlp.dll", + "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wbemcomn.dll", + "\\Device\\HarddiskVolume?\\Windows\\System32\\wbemcomn.dll", + "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wlanhlp.dll", + "\\Device\\HarddiskVolume?\\Windows\\System32\\wlanhlp.dll", + "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\windowsperformancerecordercontrol.dll", + "\\Device\\HarddiskVolume?\\Windows\\System32\\windowsperformancerecordercontrol.dll", + "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll", + "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll", + "\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll" ) or file.path : ( "?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll", "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll", - "?:\\Windows\\System32\\wlanhlp.dll" + "?:\\Windows\\System32\\wlanhlp.dll", + "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll", + "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\wbemcomn.dll", + "\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll" ) ) )
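Review bot: The `?dll.path` exclusion list adds the same entry twice — `"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll"` appears on two consecutive added lines — whereas the parallel `file.path` list below pairs that path with a wbemcomn.dll variant; the second copy presumably should read `"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\wbemcomn.dll"`, otherwise wbemcomn.dll loads from Docker layer directories are still not excluded on the dll.path branch. The docker entries also hard-code `C:\\` where every other drive-letter entry in these lists uses `?:\\`, so a ProgramData directory on another volume would not be excluded. The new `"\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"` entry excludes every listed DLL name loaded from that path rather than a specific file, which is broader than the other entries; a one-line comment beside it, such as `/* container OS image served over VSMB */`, would document the intended scope. The exclusion lists sit inside an `any where` query that starts before this hunk.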