Description
Kibana version:
7.6.0
Elasticsearch version:
7.6.0
Server OS version:
N/A
Browser version:
N/A
Browser OS version:
N/A
Original install method (e.g. download page, yum, from source, etc.):
N/A
Describe the bug:
Typo in the detection rule "Adobe Hijack Persistence"
Steps to reproduce:
- Enabled Adobe Hijack Persistence Detection rule in Kibana
- See thousands of false positives
Expected behavior:
See more true positive events
Screenshots (if relevant):

Errors in browser console (if relevant):
N/A
Provide logs and/or server output (if relevant):
N/A
Any additional context:
Should be a simple change in the rule. I duplicated it and removed the 2nd e in msiexeec.exe to make it msiexec.exe, which resolved the issue.
Original:
file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created (rule: FileCreate)" and not process.name:msiexeec.exe
Modified:
file.path:("C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" or "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe") and event.action:"File created (rule: FileCreate)" and not process.name:msiexec.exe
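To show concretely why the typo produces false positives, here is an added Python sanity check (not part of the issue, the Kibana rule, or the Elastic rule set) that re-implements the rule's three KQL conditions as a plain function and runs the original and modified exclusion over a handful of constructed events. It assumes exact string matching on process.name, as for an ECS keyword field, and does not model case-insensitivity or any analyzer behaviour; the sample events are constructed, not real telemetry.

```python
"""Compare the original and corrected 'Adobe Hijack Persistence' exclusion
against constructed events to illustrate the false-positive mechanism.

Added example; the query logic mirrors the KQL quoted in the issue:
  file.path:(<RdrCEF.exe paths>)
  and event.action:"File created (rule: FileCreate)"
  and not process.name:<excluded>
"""

# The two RdrCEF.exe paths named in the rule (from the issue).
RDRCEF_PATHS = {
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
    r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
}
FILE_CREATE_ACTION = "File created (rule: FileCreate)"

# Exclusion values: the typo'd original and the corrected one.
ORIGINAL_EXCLUSION = "msiexeec.exe"
MODIFIED_EXCLUSION = "msiexec.exe"


def rule_matches(event: dict, excluded_process: str) -> bool:
    """Return True when the event would produce an alert.

    Assumption: exact (keyword) comparison on every field, which is how the
    KQL terms behave on ECS keyword fields; case handling is not modelled.
    """
    return (
        event.get("file.path") in RDRCEF_PATHS
        and event.get("event.action") == FILE_CREATE_ACTION
        and event.get("process.name") != excluded_process
    )


# Constructed sample events (not real endpoint data).
SAMPLE_EVENTS = [
    # 0, 1: the installer writing RdrCEF.exe. Benign, should be excluded.
    {"file.path": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "event.action": FILE_CREATE_ACTION, "process.name": "msiexec.exe"},
    {"file.path": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "event.action": FILE_CREATE_ACTION, "process.name": "msiexec.exe"},
    # 2: an unexpected process replacing the binary. Should alert either way.
    {"file.path": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "event.action": FILE_CREATE_ACTION, "process.name": "powershell.exe"},
    # 3: same file name, different path. Outside the rule's scope.
    {"file.path": r"C:\Users\Public\RdrCEF.exe",
     "event.action": FILE_CREATE_ACTION, "process.name": "powershell.exe"},
    # 4: right path, but not a file-creation event. Outside the rule's scope.
    {"file.path": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "event.action": "File deleted (rule: FileDelete)", "process.name": "powershell.exe"},
]


def alerting_indices(events: list, excluded_process: str) -> list:
    """Indices of events that would alert under the given exclusion value."""
    return [i for i, e in enumerate(events) if rule_matches(e, excluded_process)]


def compare_exclusions(events: list) -> dict:
    """Alert counts for the typo'd and the corrected exclusion, side by side."""
    return {
        "original": len(alerting_indices(events, ORIGINAL_EXCLUSION)),
        "modified": len(alerting_indices(events, MODIFIED_EXCLUSION)),
    }


if __name__ == "__main__":
    # With the typo, the installer's own writes (events 0 and 1) are never
    # excluded, so every Reader install/update fires the rule.
    print("original exclusion alerts on:", alerting_indices(SAMPLE_EVENTS, ORIGINAL_EXCLUSION))
    print("modified exclusion alerts on:", alerting_indices(SAMPLE_EVENTS, MODIFIED_EXCLUSION))
    print(compare_exclusions(SAMPLE_EVENTS))
```

Running it shows the typo'd exclusion alerting on the two installer events plus the genuinely suspicious one, while the corrected exclusion alerts only on the suspicious one; the out-of-scope events (wrong path, wrong action) never match under either version, confirming that the fix narrows only the exclusion and not the rule's coverage.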