Nterl0k - T1574.002 Hijacks gone wild #2963
Conversation
Update with more hijacklib api entries and exclusion paths
updating to align with updated lookup
Testing data location fix
Testing data location fix
@nterl0k: Just getting around to reviewing this detection and testing it via CI. We are tracking an internal PR with this content, and it will be released soon! Thanks for the PR! 🥇
Hello Steven, we have released one of the two detections with the updated lookup, "Windows Known Abused DLL Created". We couldn't merge the other one since there is a new Sysmon TA 4.0.0 that has breaking changes for supporting that data model query. Thank you for submitting these detections!
@patel-bhavin thanks for letting me know... I thought I tested it against 4.0... maybe not. Hopefully the updates to the lookup can be beneficial otherwise. I can resubmit a detection that doesn't use the DM.
Seems like they made some breaking changes for CIM in:
https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Releasenotes
Yeah, looks like I can rewrite it and make it functional.
I'll do another PR!
Details
This PR updates the lookup "hijacklibs.csv" with 2024 data from the Hijacklibs project. The CSV has been updated to also include the known paths for each library as an "exclude" column.
Updates the corresponding lookup definition to allow for more precise correlations using the exclude column.
Two correlations leveraging this updated lookup are provided. They are more accurate than the existing "Hijacklibs hunt"; however, they should probably still be leveraged as an RBA-only alert. One alert is based on Sysmon EID 7, the other is a more traditional EID 1/11 join.
Pending approval of attack_data splunk/attack_data#874
I've also submitted a PR to the modular sysmon project based on Hijacklibs data that can be used for production environments for precise logging of Sysmon EID 7. olafhartong/sysmon-modular#195
Checklist
<platform>_<mitre att&ck technique>_<short description> nomenclature
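The two correlations described in the PR (a Sysmon EID 7 image-load check against the lookup's "exclude" paths, and an EID 1/11 join that ties a dropped DLL back to the process that wrote it) can be modelled outside Splunk to see what each one actually flags. The block below is an added example and is not the PR's SPL, the security_content detections, or the real hijacklibs.csv. The column names `library` and `exclude`, the pipe separator between excluded directories, the two lookup rows, and every Sysmon event are constructed here for illustration; production lookups carry many more entries and the real detections run as Splunk searches, not Python.

```python
"""Model of the two Hijacklibs-based correlations (added example, not project code).

Assumptions (not taken from the PR): lookup columns `library`/`exclude`,
'|'-separated exclude directories, and the constructed sample events below.
"""
import csv
import io
import ntpath

# Constructed lookup in the shape the PR describes: a DLL name known to be
# abused for T1574.002, plus the directories it legitimately loads from.
HIJACKLIBS_CSV = r"""library,exclude
version.dll,C:\Windows\System32|C:\Windows\SysWOW64
dbghelp.dll,C:\Windows\System32|C:\Windows\SysWOW64
"""

# Constructed Sysmon events: EID 1 (process create), 11 (file create), 7 (image load).
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessGuid": "{A}",
     "Image": r"C:\Users\alice\Downloads\setup.exe", "CommandLine": "setup.exe /quiet"},
    # The installer drops a DLL whose name matches a hijackable library next to itself.
    {"EventCode": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\Users\alice\Downloads\version.dll"},
    {"EventCode": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\Users\alice\Downloads\readme.txt"},
    # Expected load from System32: excluded by the lookup.
    {"EventCode": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # Same DLL name loaded from a user-writable directory: hijack candidate.
    {"EventCode": 7, "Image": r"C:\Users\alice\Downloads\setup.exe", "ImageLoaded": r"C:\Users\alice\Downloads\version.dll"},
    # Mixed-case SysWOW64 path must still match the exclusion.
    {"EventCode": 7, "Image": r"C:\Program Files (x86)\App\app.exe", "ImageLoaded": r"C:\WINDOWS\SysWOW64\DbgHelp.dll"},
]


def normalise_dir(path: str) -> str:
    """Lower-case a Windows directory and drop a trailing separator so paths compare reliably."""
    return path.lower().rstrip("\\")


def load_lookup(csv_text: str) -> dict:
    """Parse the lookup into {dll_name: {expected_directory, ...}}."""
    lookup = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        dirs = {normalise_dir(d) for d in row["exclude"].split("|") if d}
        lookup[row["library"].lower()] = dirs
    return lookup


def is_hijack_candidate(lookup: dict, full_path: str) -> bool:
    """True when the file name is in the lookup and its directory is not one of the excluded paths."""
    directory, name = ntpath.split(full_path)
    name = name.lower()
    if name not in lookup:
        return False
    return normalise_dir(directory) not in lookup[name]


def detect_eid7(lookup: dict, events: list) -> list:
    """Correlation 1: EID 7 loads of a known-abusable DLL from outside its expected directories."""
    return [
        {"process": e["Image"], "dll": e["ImageLoaded"]}
        for e in events
        if e["EventCode"] == 7 and is_hijack_candidate(lookup, e["ImageLoaded"])
    ]


def detect_eid1_eid11(lookup: dict, events: list) -> list:
    """Correlation 2: EID 11 creation of a hijackable DLL name outside its expected
    directories, joined on ProcessGuid to the EID 1 record of the process that wrote it."""
    processes = {e["ProcessGuid"]: e for e in events if e["EventCode"] == 1}
    findings = []
    for e in events:
        if e["EventCode"] != 11 or not is_hijack_candidate(lookup, e["TargetFilename"]):
            continue
        creator = processes.get(e["ProcessGuid"])  # None if the EID 1 event was not logged
        findings.append({
            "dropped_dll": e["TargetFilename"],
            "creator_image": creator["Image"] if creator else None,
            "creator_cmdline": creator["CommandLine"] if creator else None,
        })
    return findings


if __name__ == "__main__":
    lookup = load_lookup(HIJACKLIBS_CSV)
    for finding in detect_eid7(lookup, SAMPLE_EVENTS):
        print("EID 7 hijack candidate:", finding)
    for finding in detect_eid1_eid11(lookup, SAMPLE_EVENTS):
        print("EID 1/11 hijack candidate:", finding)
```

Both functions only produce candidates; as the PR notes, a DLL name match outside the excluded paths is still noisy enough (portable applications, per-user installs) that the output belongs in risk-based alerting rather than as a standalone notable.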