Open
Link to Rule
Rule Tuning Type: Behavioral Tuning - Refining rules to better detect deviations from typical behavior.
Description
Title: Detection Rule Fails When process.working_directory Has Subdirectory in Non-Standard Drive
Description:
Hello Elastic team,
We're currently testing the following detection rule, intended to catch suspicious script executions launched from non-standard drives (i.e., other than C:\):

```eql
process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
(process.working_directory : "?:\\" and not process.working_directory: "C:\\") and
process.parent.name : "explorer.exe" and
process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")
```
Problem:
We noticed that this rule does not trigger alerts in cases where a suspicious script (e.g., wscript.exe) is launched from a subdirectory on a non-C drive.
Example Data
Example:
process.name: wscript.exe
process.parent.name: explorer.exe
process.working_directory: F:\rootdir\
→ No alert was triggered, despite the working directory clearly not being on the C:\ drive.
Concern:
It seems that the use of the following part might not be matching as intended when the working directory includes additional path depth like F:\rootdir\:

```eql
(process.working_directory : "?:\\" and not process.working_directory: "C:\\")
```
Solution:
The following query resolves the issue:
```eql
process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and
(process.working_directory : "?:\\*" and not process.working_directory: "C:\\*") and
process.parent.name : "Explorer.EXE" and
process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe")
```
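To make the difference between the two working-directory predicates concrete, here is an added example (not code from the issue or from Elastic) that approximates EQL's `:` operator in Python and evaluates both the original and the tuned predicate against constructed process events; it assumes only that `:` is a case-insensitive match where `*` spans any run of characters and `?` exactly one.

```python
import re

# Approximation of EQL's ':' operator (assumption stated in the lead-in):
# case-insensitive, '*' matches any run of characters, '?' exactly one.
# The EQL literal "?:\\" is the single-backslash string ?:\ once unescaped,
# so the patterns below are written already unescaped.
def eql_glob_match(value: str, pattern: str) -> bool:
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None

SUSPECT_NAMES = {"rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                 "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"}

# Shared body of the rule; only the working-directory patterns differ.
def rule_matches(event: dict, wd_include: str, wd_exclude: str) -> bool:
    wd = event["process.working_directory"]
    return (event["host.os.type"] == "windows"
            and event["event.type"] == "start"
            and eql_glob_match(event["process.executable"], "C:\\*")
            and eql_glob_match(wd, wd_include)
            and not eql_glob_match(wd, wd_exclude)
            and eql_glob_match(event["process.parent.name"], "explorer.exe")
            and event["process.name"].lower() in SUSPECT_NAMES)

def original_rule(event: dict) -> bool:
    # "?:\\" only matches a bare drive root such as F:\ (exactly three chars).
    return rule_matches(event, "?:\\", "C:\\")

def tuned_rule(event: dict) -> bool:
    # "?:\\*" matches the drive root and anything beneath it; "C:\\*" excludes
    # every path on the C: drive, not just its root.
    return rule_matches(event, "?:\\*", "C:\\*")

# Constructed sample event mirroring the issue's reproduction data.
def make_event(working_directory: str, name: str = "wscript.exe") -> dict:
    return {"host.os.type": "windows", "event.type": "start",
            "process.executable": "C:\\Windows\\System32\\" + name,
            "process.name": name, "process.parent.name": "Explorer.EXE",
            "process.working_directory": working_directory}

if __name__ == "__main__":
    for wd in ("F:\\rootdir\\", "F:\\", "C:\\", "C:\\Users\\alice\\"):
        ev = make_event(wd)
        print(f"{wd:<18} original={original_rule(ev)!s:<5} tuned={tuned_rule(ev)}")
```

Run as-is it prints one line per working directory; only the tuned predicate fires on `F:\rootdir\`, while both stay silent for any path on C:.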