
Fix Windows EDRSilencer renamed binary detection coverage #4123

Open

raylee-hawkins wants to merge 1 commit into splunk:develop from raylee-hawkins:raylee/issue-4101-edrsilencer-detection-fix

Conversation

@raylee-hawkins commented Jun 13, 2026

Summary

  • Expands Windows EDRSilencer command-line matching so renamed binaries using blockedr can still be detected when blockedr is the final argument.
  • Keeps the analytic on normalized process telemetry and avoids adding new data-source/schema entries.

Fixes #4101.

Validation

  • YAML parse passed.
  • Targeted EventBasedDetection schema validation passed.
  • Targeted metadata/SPL/data_source sanity check passed.
  • git diff --check passed.
  • contentctl validate was previously attempted, but repo-wide validation is currently blocked by unrelated lookup/KVStore validation issues.

Maintainer note

This keeps the change to one detection YAML and only narrows the existing command-line matching gap described in the issue.

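The matching gap the summary describes, as an added illustration that is not part of this PR or of the security_content detection itself: a process-name-only match misses a renamed EDRSilencer binary, while a command-line match that requires `blockedr` as the final bare argument catches it without firing on a file name that merely contains the string. The events below are constructed Sysmon-style process-creation records, and the field names and regex are assumptions, not the detection's actual SPL.

```python
import re

# Constructed process-creation events (EID 1 style); not real telemetry.
EVENTS = [
    {"process_name": "EDRSilencer.exe",
     "process": "EDRSilencer.exe blockedr"},
    # Renamed copy of the tool: the process name gives nothing away.
    {"process_name": "svchost.exe",
     "process": "C:\\Users\\Public\\svchost.exe BLOCKEDR"},
    # 'blockedr' appears only as part of a file name, not as an argument.
    {"process_name": "notepad.exe",
     "process": "notepad.exe C:\\temp\\blockedr.txt"},
    {"process_name": "calc.exe", "process": "calc.exe"},
]

# Original behaviour (assumed): match on the well-known binary name only.
def original_match(evt):
    return evt["process_name"].lower() == "edrsilencer.exe"

# 'blockedr' must be its own token and the last thing on the command line;
# the whitespace boundary and end anchor prevent substring false positives.
BLOCKEDR_FINAL_ARG = re.compile(r"(?i)(?:^|\s)blockedr\s*$")

# Expanded behaviour: keep the name match, add the final-argument match.
def expanded_match(evt):
    return original_match(evt) or bool(BLOCKEDR_FINAL_ARG.search(evt["process"]))

def run_detection(events, matcher):
    """Return the process names of events the given matcher flags."""
    return [e["process_name"] for e in events if matcher(e)]

if __name__ == "__main__":
    print("original:", run_detection(EVENTS, original_match))
    print("expanded:", run_detection(EVENTS, expanded_match))
```

The expanded rule still only covers the `blockedr`-final-argument case named in the summary; other invocation shapes are outside what this change addresses.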
@raylee-hawkins raylee-hawkins marked this pull request as ready for review June 13, 2026 10:29
@raylee-hawkins raylee-hawkins force-pushed the raylee/issue-4101-edrsilencer-detection-fix branch from 66aa6cf to 8a432ae June 13, 2026 11:24
@raylee-hawkins raylee-hawkins marked this pull request as draft June 13, 2026 11:27
@raylee-hawkins raylee-hawkins marked this pull request as ready for review June 13, 2026 12:56
@nasbench nasbench added this to the V6.2.0 milestone Jun 14, 2026
@nasbench (Contributor) commented

This does not currently fully address the issue reported in 4101, which suggests adding a new rule covering EID 5447.

I moved this to 6.2 release for now, until we explore this further.


Development

Successfully merging this pull request may close these issues.

[BUG] Poor Logic of Windows EDRSilencer Execution