EQL library where

Hello,

Just noticed an EQL query in Suspicious RDP ActiveX Client Loaded | Elastic Security Solution [7.13] | Elastic where a "library where" clause is used. What kind of events contain library? I always though the first word in the EQL queries pointed to the ECS event categories (ECS Categorization Field: event.category | Elastic Common Schema (ECS) Reference [1.10] | Elastic), but those do not contain library.

Grtz

Willem

Library is like an unofficial event category. Libraries .dll are usually affected via a process being executed or running. It is only included in rules when you want to to look when a library is being loaded.

Like the following:

• detection-rules/execution_suspicious_image_load_wmi_ms_office.toml at main · elastic/detection-rules (github.com)

library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
  event.action : "load" and
  event.category : "library" and
  dll.name : "wmiutils.dll"

• detection-rules/persistence_suspicious_image_load_scheduled_task_ms_office.toml at main · elastic/detection-rules (github.com)
• detection-rules/persistence_local_scheduled_task_scripting.toml at main · elastic/detection-rules (github.com)

And they probably didn't make it official, because it would probably been difficult to make a category library to work the same for MacOS, Linux, and Windows