ThemeBleed and Share Point #2866
detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
…urity_content into themebleed_and_cve_2023_29357
Added Web.status=200 Web.http_method=GET to keep it tight. Based on exploit code available, this will work well.
as lastTime from datamodel=Endpoint.Processes where | ||
(Processes.process="C:\\Windows\\system32\\rundll32.exe*themecpl.dll,OpenThemeAction*theme") OR (Processes.process="*rundll32.exe uxtheme.dll,#64 *.msstyles*") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name | ||
Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | ||
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`' |
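Review bot: the filter macro that closes this search, `headless_browser_mockbin_or_mocky_request_filter`, is the one used by a headless-browser detection and does not belong to this ThemeBleed process search; rename it to a filter macro specific to this detection and define that macro alongside it, otherwise the search cannot run as written and the detection cannot be validated against a dataset.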
macro needs an update!
Can we perhaps manually simulate a dataset that would trigger on this? Trying to avoid experimental / non-tested detections.
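One way to do the offline check the reviewer asks for, as an added example that is not part of the PR or of security_content: the two process wildcard patterns from the ThemeBleed search above are converted to Splunk-style case-insensitive matches and run over a handful of constructed `Endpoint.Processes`-shaped events (sample values are made up, not real telemetry), so you can see which rows the `by` clause would return before the detection ever touches a live index.

```python
import re

# Wildcard patterns taken from the detection's `Processes.process=` clauses
# (YAML/SPL escaping removed, so each `\\` is a single backslash here).
PROCESS_PATTERNS = [
    r"C:\Windows\system32\rundll32.exe*themecpl.dll,OpenThemeAction*theme",
    r"*rundll32.exe uxtheme.dll,#64 *.msstyles*",
]


def spl_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Splunk field=value matching: '*' is the only wildcard, comparison is case-insensitive."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [spl_wildcard_to_regex(p) for p in PROCESS_PATTERNS]


def matches_detection(process: str) -> bool:
    """True if the command line would satisfy either OR branch of the search."""
    return any(rx.match(process) for rx in COMPILED)


# Constructed sample events using the Endpoint.Processes field names the search groups by.
SAMPLE_EVENTS = [
    {"dest": "wks01", "user": "alice", "parent_process_name": "explorer.exe",
     "process_name": "rundll32.exe",
     "process": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction C:\Users\alice\Downloads\sample.theme"},
    {"dest": "wks02", "user": "bob", "parent_process_name": "cmd.exe",
     "process_name": "rundll32.exe",
     "process": r"rundll32.exe uxtheme.dll,#64 C:\Users\bob\Desktop\sample.msstyles"},
    {"dest": "wks03", "user": "carol", "parent_process_name": "explorer.exe",
     "process_name": "rundll32.exe",
     "process": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def run_detection(events):
    """Emulate `| stats count by dest user parent_process_name process_name process` over matching events."""
    hits = {}
    for ev in events:
        if matches_detection(ev["process"]):
            key = (ev["dest"], ev["user"], ev["parent_process_name"],
                   ev["process_name"], ev["process"])
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    for key, count in run_detection(SAMPLE_EVENTS).items():
        print(count, *key)
```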
After consulting with Mike, we are removing ThemeBleed from this PR since the detection needs fixes and data! Will merge the other detection!
PR for SharePoint #2886
Add 2 New Detections:
Add 2 New stories:
Checklist
`<platform>_<mitre att&ck technique>_<short description>` nomenclature