Nterl0k - T1574.002 Hijacks gone wild

[nterl0k]

Details

This PR updates the lookup "hijacklibs.csv" with 2024 data from the Hijacklibs project. CSV has been updated to also include the known paths for each library as an "exclude" column.

Updates the corresponding lookup definition to allow for more precise correlations using the exclude column.

2 correlations leveraging this updated lookup are provided, they are more accurate than the existing "Hijacklibs hunt" however, should probably still be leverage as an RBA only alert. 1 alert is based on sysmon EID7 the other is a more traditional EID 1/11 join.

Pending approval of attack_data splunk/attack_data#874

I've also submitted a PR to the modular sysmon project based on hijacklibs data that can be used for production environments for precise logging of sysmon EID7. olafhartong/sysmon-modular#195

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.

[patel-bhavin]

@nterl0k : Just getting around to reviewing this detection and testing it via CI. We are tracking an internal PR with this content and will be released soon! Thanks for the PR! 🥇

[patel-bhavin]

Hello Steven, We have released one of the two detections with the updated lookup Windows Known Abused DLL Created

We couldnt merge the other one since there is a new SYSMON TA 4.0.0 that has come breaking changes for support that Datamodel query. Thank you for submitting these detections!

[nterl0k]

@patel-bhavin thanks for letting me know... I thought I tested it against 4.0...maybe not, Hopefully the updates to the lookup can beneficial otherwise.

I can resubmit a detection that doesn't use the DM.

[patel-bhavin]

Seems like they made some breaking changes for CIM in :

https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Releasenotes?_gl=1*10jm91t*_ga*Njg4MDM0MTQzLjE2ODU3MzQ1ODQ.*_ga_GS7YF8S63Y*MTcxMjI1NTM1My4zNDUuMC4xNzEyMjU3MTg4LjQ5LjAuMA..*_ga_5EPM2P39FV*MTcxMjI2Mzg5OS44MTguMS4xNzEyMjYzODk5LjAuMC4xMTMzMjI0Mzkx&_ga=2.23006523.1828948600.1712077542-688034143.1685734584

[nterl0k]

Yeah, looks like I can rewrite it and make it functional. I'll do another PR!

…

-------- Original message -------- From: Bhavin Patel ***@***.***> Date: 4/4/24 4:52 PM (GMT-05:00) To: splunk/security_content ***@***.***> Cc: Steven Dick ***@***.***>, Mention ***@***.***> Subject: Re: [splunk/security_content] Nterl0k - T1574.002 Hijacks gone wild (PR #2963) Seems like they made some breaking changes for CIM in : https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Releasenotes?_gl=1*10jm91t*_ga*Njg4MDM0MTQzLjE2ODU3MzQ1ODQ.*_ga_GS7YF8S63Y*MTcxMjI1NTM1My4zNDUuMC4xNzEyMjU3MTg4LjQ5LjAuMA..*_ga_5EPM2P39FV*MTcxMjI2Mzg5OS44MTguMS4xNzEyMjYzODk5LjAuMC4xMTMzMjI0Mzkx&_ga=2.23006523.1828948600.1712077542-688034143.1685734584 — Reply to this email directly, view it on GitHub<#2963 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7W6IM4DABZUNOHJZODY3W4RFAVCNFSM6AAAAABDPVV5PCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMZYGE4TONBTGU>. You are receiving this because you were mentioned.Message ID: ***@***.***>