Samirbous/ES|QL Masquerading as MS Native DLL

## ES|QL Masquerading as MS Native DLL
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c


ES|QL query:

from .ds-logs-endpoint.events.library-*
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
 not dll.path rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.dll"""
| ENRICH enrich-dll1
| where native == "yes" and not dll.path like "?:?Windows?assembly?NativeImages*"
| eval process_path = replace(process.executable, "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", ""), dll_path = replace(dll.path, "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", "")
| stats cc = count(*) by dll.name, process_path, dll_path
| sort cc desc
	// DLLs normally located in system32 but unsigned and loaded from elsewhere
	// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
	// example ENRICH libs-policy creation steps
	https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c


	ES\|QL query:

	from .ds-logs-endpoint.events.library-*
	\| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and
	not dll.path rlike """[c-fC-F]:\\Windows\\(System32\|SysWOW64)\\[a-zA-Z0-9_]+.dll"""
	\| ENRICH enrich-dll1
	\| where native == "yes" and not dll.path like "?:?Windows?assembly?NativeImages*"
	\| eval process_path = replace(process.executable, "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", ""), dll_path = replace(dll.path, "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", "")
	\| stats cc = count(*) by dll.name, process_path, dll_path
	\| sort cc desc