Just noticed an EQL query in Suspicious RDP ActiveX Client Loaded | Elastic Security Solution [7.13] | Elastic where a "library where" clause is used. What kind of events contain library? I always though the first word in the EQL queries pointed to the ECS event categories (ECS Categorization Field: event.category | Elastic Common Schema (ECS) Reference [1.10] | Elastic), but those do not contain library.
Library is like an unofficial event category. Libraries (.dll) are usually affected via a process being executed or running. It is only included in rules when you want to look at when a library is being loaded.
Like the following:
library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
event.action : "load" and
event.category : "library" and
dll.name : "wmiutils.dll"
And they probably didn't make it official, because it would probably have been difficult to make a category library work the same for MacOS, Linux, and Windows.
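To make the answer concrete, here is a small Python model of how the quoted rule evaluates against events. This is an added example, not Elastic's EQL engine or the rule's own code: it treats the `library where` head as nothing more than a filter on `event.category` being "library" before the rest of the predicate runs, assumes EQL's `:` operator is a case-insensitive string match (so `"WINWORD.EXE"` also matches `winword.exe`), and runs over a handful of constructed ECS-style events.

```python
"""Toy evaluator for the 'library where ...' rule quoted in the answer.

Added example (not Elastic's code). It models an EQL "library where"
clause as a plain filter on event.category == "library" and then applies
the remaining conditions of the quoted rule to constructed sample events.
"""

# process.name values from the rule, lower-cased for case-insensitive matching.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "msaccess.exe"}


def _get(event, dotted, default=None):
    """Walk a dotted ECS field name (e.g. 'process.name') through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _ci_eq(value, expected):
    """Case-insensitive equality, mirroring EQL's ':' (assumption about EQL semantics).

    ECS event.category is an array field, so a list matches if any element does.
    """
    if isinstance(value, list):
        return any(_ci_eq(v, expected) for v in value)
    return isinstance(value, str) and value.lower() == expected.lower()


def matches_library_rule(event):
    """Return True when the event satisfies the rule from the post."""
    # The 'library where' head: only events categorised as "library"
    # reach the rest of the predicate.
    if not _ci_eq(_get(event, "event.category"), "library"):
        return False
    proc = _get(event, "process.name")
    return (
        isinstance(proc, str)
        and proc.lower() in OFFICE_PROCESSES
        and _ci_eq(_get(event, "event.action"), "load")
        and _ci_eq(_get(event, "dll.name"), "wmiutils.dll")
    )


def find_matches(events):
    """Return the ids of all events the rule would fire on."""
    return [e["id"] for e in events if matches_library_rule(e)]


# Constructed sample events (not real telemetry). Only 1 and 4 should match:
# 2 is a process event, not a library load; 3 is the wrong process; 5 is the wrong DLL.
SAMPLE_EVENTS = [
    {"id": 1, "event": {"category": ["library"], "action": "load"},
     "process": {"name": "WINWORD.EXE"}, "dll": {"name": "wmiutils.dll"}},
    {"id": 2, "event": {"category": ["process"], "action": "start"},
     "process": {"name": "WINWORD.EXE"}},
    {"id": 3, "event": {"category": ["library"], "action": "load"},
     "process": {"name": "notepad.exe"}, "dll": {"name": "wmiutils.dll"}},
    {"id": 4, "event": {"category": ["library"], "action": "load"},
     "process": {"name": "excel.exe"}, "dll": {"name": "WMIUTILS.DLL"}},
    {"id": 5, "event": {"category": ["library"], "action": "load"},
     "process": {"name": "EXCEL.EXE"}, "dll": {"name": "kernel32.dll"}},
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # → [1, 4]
```

The point of the model is the first check in `matches_library_rule`: the `library where` head and the explicit `event.category : "library"` condition in the rule body are redundant with each other, which is why the head reads like a category even though ECS does not list "library" among its official `event.category` values.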