[BUG] Incorrect logic statement in detection search "Detect Renamed PSExec"

[OberAlex]

Description:

The detection search "Detect Renamed PSExec" in the "Active Directory Lateral Movement" Analytic Story has an incorrect logic statement in its search query that results in all results being return with an "original_file_name=psexec.c".

Expected Result:

If process_name=psexec.exe or process_name=psexec64.exe and original_file_name=psexec.c then it shouldn't return the event. It should only return it if it doesn't equal both psexec.exe and psexec64.exe.

Actual Result:

In my case, my process_name was "PsExec.exe", which shouldn't be returned. But it was because it didn't satisfy both conditions of the OR statement. "PsExec.exe" does equal "psexec.exe" but it doesn't equal "psexec64.exe".

App version:

• ESCU: 4.31.0
• Splunk Security Essentials: 3.8.0

Suggested Fix:

Change this part of the query from...
(Processes.process_name!=psexec.exe OR Processes.process_name!=psexec64.exe)

to...

(Processes.process_name!=psexec.exe AND Processes.process_name!=psexec64.exe)