22creation_date = " 2020/01/07"
33integration = [" endpoint" , " windows" ]
44maturity = " production"
5- updated_date = " 2024/07/11 "
5+ updated_date = " 2024/10/09 "
66
77[rule ]
88author = [" Elastic" ]
@@ -99,7 +99,7 @@ any where host.os.type == "windows" and
9999 ?dll.name : (
100100 "wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
101101 "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
102- "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", " TPPCOIPW32.dll",
102+ "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
103103 "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll"
104104 )
105105 and (
@@ -110,11 +110,18 @@ any where host.os.type == "windows" and
110110 not dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Publisher")
111111 )
112112 ) or
113+ /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */
114+ (
115+ (?dll.path : "?:\\Windows\\*\\oci.dll" and process.executable : "?:\\Windows\\*.exe" and
116+ (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or
117+
118+ (file.path : "?:\\Windows\\*\\oci.dll" and not file.code_signature.status == "Valid" and process.executable : "?:\\Windows\\*.exe")
119+ ) or
113120
114121 /* compatible with Sysmon EventID 7 - Image Load */
115122 (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll",
116123 "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll",
117- "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", " TPPCOIPW32.dll",
124+ "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "TPPCOIPW32.dll",
118125 "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and
119126 not file.hash.sha256 :
120127 ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f",
@@ -128,13 +135,25 @@ any where host.os.type == "windows" and
128135 "?:\\Windows\\System32\\wbemcomn.dll",
129136 "?:\\Windows\\SysWOW64\\wbemcomn.dll",
130137 "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
131- "?:\\Windows\\System32\\wlanhlp.dll"
138+ "?:\\Windows\\System32\\wlanhlp.dll",
139+ "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wbemcomn.dll",
140+ "\\Device\\HarddiskVolume?\\Windows\\System32\\wbemcomn.dll",
141+ "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\wlanhlp.dll",
142+ "\\Device\\HarddiskVolume?\\Windows\\System32\\wlanhlp.dll",
143+ "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\windowsperformancerecordercontrol.dll",
144+ "\\Device\\HarddiskVolume?\\Windows\\System32\\windowsperformancerecordercontrol.dll",
145+ "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
146+ "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
147+ "\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"
132148 ) or
133149 file.path : (
134150 "?:\\Windows\\System32\\wbemcomn.dll",
135151 "?:\\Windows\\SysWOW64\\wbemcomn.dll",
136152 "?:\\Windows\\System32\\windowsperformancerecordercontrol.dll",
137- "?:\\Windows\\System32\\wlanhlp.dll"
153+ "?:\\Windows\\System32\\wlanhlp.dll",
154+ "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll",
155+ "C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\wbemcomn.dll",
156+ "\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"
138157 )
139158 )
140159)
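Review bot: The first path list in this hunk adds the docker `windowsperformancerecordercontrol.dll` exclusion twice (two identical `C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\windowsperformancerecordercontrol.dll` lines), while the parallel `file.path` list below adds the `wbemcomn.dll` variant in that slot, so the second copy looks like a copy-paste slip and should probably read `"C:\\ProgramData\\docker\\windowsfilter\\*\\Files\\Windows\\System32\\wbemcomn.dll",`. Both lists also hard-code `C:` for the docker entries where every other entry in the rule uses the `?:` drive wildcard, so a host whose system drive is not `C:` would not get the exclusion; `?:\\ProgramData\\docker\\...` would be consistent with the rest of the query. The `"\\Device\\vmsmb\\VSMB-{*}\\os\\windows\\system32\\*.dll"` entry suppresses every DLL name the rule watches when it is loaded from that share, which is a deliberate blind spot that deserves a short inline comment stating why that path is treated as trusted, in the same style as the existing `/* compatible with Sysmon EventID 7 - Image Load */` note. The list this hunk extends opens before the hunk starts; the enclosing query closes at the hunk's last line.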