When using Elastic Defend, there is a generic rule that will fire when Elastic Defend detects or prevents a threat.
It's not possible to modify this kind of rule, which can only be seen in the protection-artifacts repository as .toml files.
In my case, there was an alert that fired because of this specific Rule, which "Identifies an unusual process accessing Remote Desktop Connection Manager settings file". Inspecting the raw rule from the repository, my team and I found out that the only whitelisted value for the field process.code_signature.subject_name is Microsoft Corporation.
In particular, the executed query is the following:
```eql
file where event.type == "access" and
/* domain user RID */
user.id : ("S-1-5-21*", "S-1-12-*") and process.pid != 4 and
file.path : "?:\\Users\\*\\AppData\\Local\\*\\Remote Desktop Connection Manager\\RDCMan.settings" and
not process.executable : "?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe" and
not (process.name : "RDCMan.exe" and process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
```
The problem is that, when Microsoft itself has signed the executable, slightly different values for this field can pop up, triggering false positive alerts.
In our case, these values were Microsoft Windows, Microsoft Windows Publisher and Microsoft Dynamic Code Publisher.
Is it possible to add these values to the rule or, even better, to allow users to directly customize these rules?
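To make the false positive concrete, here is an added Python re-implementation of the rule's logic (not code from the issue, the protection-artifacts repository or Elastic) run over constructed sample events. The set of accepted signer names is a parameter, so the same events can be evaluated with the allow-list as posted and with the three extra Microsoft signer names from the issue added. EQL's `:` operator is approximated with a case-insensitive wildcard match, and the event keys are assumed to be the ECS fields the query uses.

```python
from fnmatch import fnmatchcase

# Signer allow-list as in the posted rule, and the same list extended with the
# Microsoft signer names reported in the issue (compared case-insensitively).
ORIGINAL_SIGNERS = {"microsoft corporation"}
EXTENDED_SIGNERS = ORIGINAL_SIGNERS | {
    "microsoft windows", "microsoft windows publisher",
    "microsoft dynamic code publisher"}

SETTINGS_PATH = r"?:\Users\*\AppData\Local\*\Remote Desktop Connection Manager\RDCMan.settings"
RDCMAN_INSTALL = r"?:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager\RDCMan.exe"


def eql_like(value, *patterns):
    """Approximate EQL's ':' operator: case-insensitive wildcard match (* and ?)."""
    return any(fnmatchcase(str(value).lower(), p.lower()) for p in patterns)


def rule_fires(ev, allowed_signers):
    """True when the event would raise the alert under the given signer allow-list."""
    if ev["event.type"] != "access":
        return False
    if not eql_like(ev["user.id"], "S-1-5-21*", "S-1-12-*") or ev["process.pid"] == 4:
        return False
    if not eql_like(ev["file.path"], SETTINGS_PATH):
        return False
    if eql_like(ev["process.executable"], RDCMAN_INSTALL):
        return False  # RDCMan run from its default install path is excluded outright
    trusted_rdcman = (eql_like(ev["process.name"], "RDCMan.exe")
                      and ev["process.code_signature.subject_name"].lower() in allowed_signers
                      and ev["process.code_signature.trusted"] is True)
    return not trusted_rdcman


def make_event(exe, signer, trusted, user="S-1-5-21-111-222-333-1001"):
    """Constructed file-access event for a domain user (hypothetical RID)."""
    return {"event.type": "access", "user.id": user, "process.pid": 4212,
            "file.path": r"C:\Users\alice\AppData\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings",
            "process.executable": exe, "process.name": exe.rsplit("\\", 1)[-1],
            "process.code_signature.subject_name": signer,
            "process.code_signature.trusted": trusted}


# Constructed samples: a non-default RDCMan signed "Microsoft Windows" (the false
# positive), the same binary with an untrusted signature, an unsigned tool, and
# RDCMan from its install path.
SAMPLES = {
    "rdcman_ms_windows": make_event(r"C:\Tools\RDCMan.exe", "Microsoft Windows", True),
    "rdcman_untrusted": make_event(r"C:\Tools\RDCMan.exe", "Microsoft Windows", False),
    "unsigned_tool": make_event(r"C:\Users\alice\Downloads\dump.exe", "", False),
    "installed_rdcman": make_event(RDCMAN_INSTALL.replace("?:", "C:"), "Microsoft Corporation", True),
}


def evaluate(allowed_signers):
    """Map each sample name to whether the rule fires with this allow-list."""
    return {name: rule_fires(ev, allowed_signers) for name, ev in SAMPLES.items()}
```

With `ORIGINAL_SIGNERS` the "Microsoft Windows"-signed RDCMan alerts; with `EXTENDED_SIGNERS` it is suppressed while the untrusted-signature and unsigned cases still fire.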