Describe the bug
The correlation search "ESCU - Detect Renamed WinRAR - Rule" contains a logic flaw in the tstats search condition:
(Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe)
This condition will always evaluate to true, because any process_name that equals rar.exe still satisfies the clause != winrar.exe, and vice versa. As a result, legitimate executions of rar.exe and winrar.exe are incorrectly included in the output, causing false positives.
Expected behavior
The rule should exclude both rar.exe and winrar.exe processes, meaning the condition should use AND instead of OR:
(Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe)
This ensures that only processes with a different name than the known legitimate binaries are flagged.
Incorrect condition:

```
(Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe)
```

Due to OR, the output includes:

| process_name | original_file_name | count |
|---|---|---|
| WinRAR.exe | WinRAR.exe | 35 |
| rar.exe | WinRAR.exe | 12 |

Correct condition:

```
(Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe)
```

Correct output would include only renamed executables like:

| process_name | original_file_name | count |
|---|---|---|
| setup.exe | WinRAR.exe | 4 |
| winrar5.8_x64.exe | WinRAR.exe | 2 |
App Version:
ESCU: 3.51.0
Splunk Security Essentials: 3.5.0
Additional context
Corrected tstats SPL (the ESCU macros are shown with their backticks restored):

```
| tstats `security_content_summariesonly`
  count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.original_file_name=WinRAR.exe
  (Processes.process_name!=rar.exe AND Processes.process_name!=winrar.exe)
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
  Processes.parent_process_name Processes.parent_process_path Processes.process
  Processes.process_exec Processes.process_guid Processes.process_hash
  Processes.process_id Processes.process_integrity_level Processes.process_name
  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_renamed_winrar_filter`
```
This change ensures accurate detection of renamed WinRAR executables while suppressing legitimate usage of rar.exe and winrar.exe.
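To make the flaw concrete, here is an added Python model of the rule's predicate (not part of the issue or of the ESCU project) that replays both conditions over constructed rows shaped like the two output tables above; it assumes case-insensitive name comparison as a simplification of the tstats where clause.

```python
from typing import Callable, Dict, List

# Constructed sample rows modelled on the page's tables (not real telemetry).
# Each row carries its aggregated count so the table sizes match the issue.
SAMPLE_PROCESSES: List[Dict] = [
    {"process_name": "WinRAR.exe", "original_file_name": "WinRAR.exe", "count": 35},
    {"process_name": "rar.exe", "original_file_name": "WinRAR.exe", "count": 12},
    {"process_name": "setup.exe", "original_file_name": "WinRAR.exe", "count": 4},
    {"process_name": "winrar5.8_x64.exe", "original_file_name": "WinRAR.exe", "count": 2},
    # A non-WinRAR binary: filtered out by original_file_name=WinRAR.exe either way.
    {"process_name": "7z.exe", "original_file_name": "7z.exe", "count": 9},
]

Predicate = Callable[[str], bool]


def incorrect_condition(process_name: str) -> bool:
    """The rule's original clause: (name != rar.exe OR name != winrar.exe).

    Any name fails at most one of the two inequalities, so the OR is a tautology."""
    n = process_name.lower()
    return n != "rar.exe" or n != "winrar.exe"


def corrected_condition(process_name: str) -> bool:
    """The proposed clause: (name != rar.exe AND name != winrar.exe)."""
    n = process_name.lower()
    return n != "rar.exe" and n != "winrar.exe"


def run_detection(rows: List[Dict], condition: Predicate) -> Dict[str, int]:
    """Mimic the tstats search: keep rows whose original_file_name is WinRAR.exe,
    apply the process_name condition, then sum counts by process_name."""
    counts: Dict[str, int] = {}
    for row in rows:
        if row["original_file_name"].lower() != "winrar.exe":
            continue
        if not condition(row["process_name"]):
            continue
        counts[row["process_name"]] = counts.get(row["process_name"], 0) + row["count"]
    return counts


def is_tautology_over(condition: Predicate, names: List[str]) -> bool:
    """Regression check for the rule: a process_name filter that admits every
    candidate name, including the legitimate ones, filters nothing."""
    return all(condition(n) for n in names)
```

Running `run_detection` with `incorrect_condition` reproduces the false-positive table; with `corrected_condition` only the two renamed executables remain.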