Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Linux Service Started Or Enabled triggering on Windows events #2944

Open
0xC0FFEEEE opened this issue Jan 17, 2024 · 2 comments
Open

[BUG] Linux Service Started Or Enabled triggering on Windows events #2944

0xC0FFEEEE opened this issue Jan 17, 2024 · 2 comments
Assignees
@josehelps
Labels
bug Something isn't working

Comments

@0xC0FFEEEE
Copy link
Contributor

Describe the bug

The Linux Service Started Or Enabled rule can trigger on Windows events.

Expected behavior

Rule does not trigger on events from Windows Sysmon

Screenshots

image

App Version:

  • ESCU: 4.18.0

Additional context

I got a good laugh out of this.

Appending NOT Processes.os="Microsoft Windows" to the end of the where clause seems sufficient for resolving this issue.
@0xC0FFEEEE 0xC0FFEEEE added the bug Something isn't working label Jan 17, 2024
@josehelps
Copy link
Collaborator

oh man, that is 1 for the data models and 0 for the detections, thank you for raising this! Will make sure its patched on our next release.

@josehelps josehelps self-assigned this Jan 24, 2024
@0xC0FFEEEE
Copy link
Contributor Author

Thanke @josehelps

I think the score is even. I've had to further update the filter with the following as the CIM datamodel is inconsistent between Sysmon and the Security Channel:

NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@josehelps josehelps

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@josehelps @0xC0FFEEEE