@@ -122,7 +122,7 @@ Update the previous EQL query as follows:
122122
123123* Change the `any` keyword to `process`. This limits matches to events with an
124124`event.category` of `process`.
125- * Add the `and process.command_line != null` condition to match only
125+ * Add the `and process.command_line.keyword != null` condition to match only
126126events with a command line value.
127127
128128You'll also need to remove the `filter_path=-hits.events` query parameter. This
@@ -133,7 +133,7 @@ lets you retrieve the document source for any matching events.
133133GET /my-index-000001/_eql/search
134134{
135135 "query": """
136- process where process.name == "regsvr32.exe" and process.command_line != null
136+ process where process.name == "regsvr32.exe" and process.command_line.keyword != null
137137 """
138138}
139139----
@@ -142,8 +142,8 @@ GET /my-index-000001/_eql/search
142142The query matches one process event. The event has an `event.type` of
143143`creation`, indicating the start of a `regsvr32.exe` process.
144144
145- Based on the `process.command_line` value, `regsvr32.exe` used `scrobj.dll` to
146- register a script, `RegSvr32.sct`. This fits the behavior of a
145+ Based on the `process.command_line` value in the response , `regsvr32.exe` used
146+ `scrobj.dll` to register a script, `RegSvr32.sct`. This fits the behavior of a
147147https://attack.mitre.org/techniques/T1218/010/["Squiblydoo" attack], a known
148148variant of `regsvr32` misuse.
149149
@@ -214,7 +214,7 @@ malicious script, `RegSvr32.sct`. Next, see if `regsvr32.exe` later loads the
214214Modify the previous EQL query as follows:
215215
216216* Change the `process` keyword to `library`.
217- * Replace the `process.command_line != null` condition with
217+ * Replace the `process.command_line.keyword != null` condition with
218218`dll.name == "scrobj.dll`.
219219
220220[source,console]
0 commit comments