Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1574.002 Hijacks gone wild #2963

Closed
wants to merge 7 commits into from

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented Feb 19, 2024

Details

This PR updates the lookup "hijacklibs.csv" with 2024 data from the Hijacklibs project. CSV has been updated to also include the known paths for each library as an "exclude" column.

Updates the corresponding lookup definition to allow for more precise correlations using the exclude column.

2 correlations leveraging this updated lookup are provided, they are more accurate than the existing "Hijacklibs hunt" however, should probably still be leverage as an RBA only alert. 1 alert is based on sysmon EID7 the other is a more traditional EID 1/11 join.

Pending approval of attack_data splunk/attack_data#874

I've also submitted a PR to the modular sysmon project based on hijacklibs data that can be used for production environments for precise logging of sysmon EID7. olafhartong/sysmon-modular#195

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

@patel-bhavin
Copy link
Contributor

@nterl0k : Just getting around to reviewing this detection and testing it via CI. We are tracking an internal PR with this content and will be released soon! Thanks for the PR! 🥇

@patel-bhavin
Copy link
Contributor

Hello Steven, We have released one of the two detections with the updated lookup Windows Known Abused DLL Created

We couldnt merge the other one since there is a new SYSMON TA 4.0.0 that has come breaking changes for support that Datamodel query. Thank you for submitting these detections!

@nterl0k
Copy link
Contributor Author

nterl0k commented Apr 4, 2024

@patel-bhavin thanks for letting me know... I thought I tested it against 4.0...maybe not, Hopefully the updates to the lookup can beneficial otherwise.

I can resubmit a detection that doesn't use the DM.

@nterl0k
Copy link
Contributor Author

nterl0k commented Apr 4, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants