
Add Splunk detections to LOLBAS

Open josehelps opened this issue 2 years ago • 4 comments

Hello LOLBAS Team, this PR does 2 major things:

  1. adds a new script called enrich_with_splunk.py under scripts/enrich_with_splunk.py
  2. updates all the LOLBAS to include known Splunk Security Content detections for these LOLBAS under the detection reference.

The script logic for matching which LOLBAS has a detection is somewhat simple; it uses the following heuristic:

  1. looks for a Splunk detection matching the MITRE Technique ID of the Command
  2. if the Technique ID matches, it checks whether the LOLBAS is in the name of the Splunk search
  3. a URL is added to the Detection array to include the matching Splunk detection

This could use a bit of testing and maybe a README, but please give me any feedback you might have.

josehelps avatar Aug 11 '22 23:08 josehelps
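The three-step heuristic described in the PR, as an added example that is not the PR's own enrich_with_splunk.py and not LOLBAS or Splunk project code. The record shapes are assumptions modelled on the two projects' YAML layouts (a Splunk detection with a `name` and `tags.mitre_attack_id` list; a LOLBAS entry with `Name`, `Commands[].MitreID` and a `Detection` list of `{Sigma: url}` / `{Splunk: url}` items), and the detection data, URLs and technique assignments are constructed, not real entries. Real files would be loaded with PyYAML instead of the inline dicts. The example also handles two things a practitioner hits when running such a script: a whole-word name check so that `Reg.exe` does not claim every Regsvr32/Regasm/Regedit search, and an idempotent append so re-running after a rebase does not duplicate references.

```python
"""Enrich LOLBAS entries with Splunk Security Content references.

Steps, following the PR description:
  1. index Splunk detections by MITRE technique ID and look up each
     command's MitreID,
  2. keep the detections whose search name mentions the LOLBAS binary,
  3. append {"Splunk": url} to the entry's Detection list.
Record layouts below are assumptions; sample data is constructed.
"""
import re
from typing import Dict, List

# Constructed sample of Splunk detections (assumed layout: name, tags, url).
SPLUNK_DETECTIONS: List[Dict] = [
    {"name": "Suspicious Rundll32 StartW",
     "tags": {"mitre_attack_id": ["T1218.011"]},
     "url": "https://example.com/detections/rundll32_startw"},
    {"name": "Rundll32 Control RunDLL Hunt",
     "tags": {"mitre_attack_id": ["T1218.011"]},
     "url": "https://example.com/detections/rundll32_control_rundll"},
    {"name": "Suspicious Control Panel DLL Load",   # same technique, no binary name
     "tags": {"mitre_attack_id": ["T1218.011"]},
     "url": "https://example.com/detections/control_panel_dll"},
    {"name": "Regsvr32 Silent and Install Param Dll Loading",
     "tags": {"mitre_attack_id": ["T1218.010"]},
     "url": "https://example.com/detections/regsvr32_silent"},
    {"name": "Reg exe Manipulating Windows Services Registry Keys",
     "tags": {"mitre_attack_id": ["T1574.011"]},
     "url": "https://example.com/detections/reg_services"},
]

# Constructed LOLBAS entries (assumed layout: Name, Commands[].MitreID, Detection).
LOLBAS_ENTRIES: List[Dict] = [
    {"Name": "Rundll32.exe",
     "Commands": [{"Command": "rundll32.exe javascript:...", "MitreID": "T1218.011"},
                  {"Command": "rundll32.exe shell32.dll,Control_RunDLL ...", "MitreID": "T1218.011"}],
     "Detection": [{"Sigma": "https://example.com/sigma/rundll32.yml"}]},
    {"Name": "Regsvr32.exe",
     "Commands": [{"Command": "regsvr32 /s /u /i:... scrobj.dll", "MitreID": "T1218.010"}],
     "Detection": []},
    {"Name": "Reg.exe",
     "Commands": [{"Command": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\...", "MitreID": "T1574.011"}],
     "Detection": None},   # empty "Detection:" key in YAML loads as None
]


def binary_stem(name: str) -> str:
    """'Rundll32.exe' -> 'rundll32'; 'CL_LoadAssembly.ps1' -> 'cl_loadassembly'."""
    return name.rsplit(".", 1)[0].lower()


def name_mentions(binary: str, detection_name: str, strict: bool = True) -> bool:
    """Step 2. strict=False is the plain substring test ('reg' in 'regsvr32 ...');
    strict=True requires a whole-word match, so short names do not over-claim."""
    stem = binary_stem(binary)
    hay = detection_name.lower()
    if not strict:
        return stem in hay
    return re.search(r"\b" + re.escape(stem) + r"\b", hay) is not None


def index_by_technique(detections: List[Dict]) -> Dict[str, List[Dict]]:
    """Step 1 support: technique ID -> detections tagged with it."""
    index: Dict[str, List[Dict]] = {}
    for det in detections:
        for tid in det.get("tags", {}).get("mitre_attack_id", []):
            index.setdefault(tid.upper(), []).append(det)
    return index


def find_splunk_refs(entry: Dict, index: Dict[str, List[Dict]], strict: bool = True) -> List[str]:
    """Steps 1 and 2: URLs of detections sharing a technique ID with one of the
    entry's commands and naming the binary. Deduplicated, order preserved."""
    urls: List[str] = []
    for cmd in entry.get("Commands", []):
        tid = str(cmd.get("MitreID", "")).upper()
        for det in index.get(tid, []):
            if name_mentions(entry["Name"], det["name"], strict) and det["url"] not in urls:
                urls.append(det["url"])
    return urls


def enrich(entry: Dict, index: Dict[str, List[Dict]], strict: bool = True) -> int:
    """Step 3: append {'Splunk': url} items; returns how many were added.
    Idempotent: URLs already present are skipped."""
    if entry.get("Detection") is None:
        entry["Detection"] = []
    present = {ref.get("Splunk") for ref in entry["Detection"] if isinstance(ref, dict)}
    added = 0
    for url in find_splunk_refs(entry, index, strict):
        if url not in present:
            entry["Detection"].append({"Splunk": url})
            present.add(url)
            added += 1
    return added


def enrich_all(entries: List[Dict], detections: List[Dict], strict: bool = True) -> Dict[str, int]:
    """Enrich every entry; returns {entry name: number of references added}."""
    index = index_by_technique(detections)
    return {e["Name"]: enrich(e, index, strict) for e in entries}


if __name__ == "__main__":
    print(enrich_all(LOLBAS_ENTRIES, SPLUNK_DETECTIONS))
    for e in LOLBAS_ENTRIES:
        print(e["Name"], e["Detection"])
```

With the constructed data, Rundll32.exe gains two references (the Control Panel search shares the technique but never names the binary, and the two rundll32 commands do not double-count), Regsvr32.exe and Reg.exe gain one each, the existing Sigma reference is left in place, and a second run adds nothing.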

These are the updated LOLBAS that now have references:

(enrich-with-splunk-IWdu2Nuj-py3.10) jhernandez in ~/splunk/LOLBAS on master ● ● λ grep -ri 'splunk' yml/* | awk '{print $1}' | sort  | uniq -c
3 yml/OSBinaries/At.yml:-
1 yml/OSBinaries/Certutil.yml:-
4 yml/OSBinaries/Cmd.yml:-
1 yml/OSBinaries/Cmstp.yml:-
1 yml/OSBinaries/Control.yml:-
1 yml/OSBinaries/Eventvwr.yml:-
1 yml/OSBinaries/Forfiles.yml:-
6 yml/OSBinaries/Installutil.yml:-
1 yml/OSBinaries/Mavinject.yml:-
2 yml/OSBinaries/Microsoft.Workflow.Compiler.yml:-
2 yml/OSBinaries/Mmc.yml:-
4 yml/OSBinaries/Msbuild.yml:-
1 yml/OSBinaries/Msdt.yml:-
6 yml/OSBinaries/Mshta.yml:-
6 yml/OSBinaries/Msiexec.yml:-
3 yml/OSBinaries/Netsh.yml:-
3 yml/OSBinaries/Odbcconf.yml:-
1 yml/OSBinaries/Pcalua.yml:-
1 yml/OSBinaries/Rasautou.yml:-
3 yml/OSBinaries/Regasm.yml:-
1 yml/OSBinaries/Regedit.yml:-
3 yml/OSBinaries/Regsvcs.yml:-
4 yml/OSBinaries/Regsvr32.yml:-
2 yml/OSBinaries/Reg.yml:-
15 yml/OSBinaries/Rundll32.yml:-
3 yml/OSBinaries/Schtasks.yml:-
1 yml/OSBinaries/Verclsid.yml:-
1 yml/OSBinaries/Wsreset.yml:-
1 yml/OSLibraries/Advpack.yml:-
1 yml/OSLibraries/comsvcs.yml:-
1 yml/OSLibraries/Setupapi.yml:-
1 yml/OSLibraries/Syssetup.yml:-
1 yml/OSScripts/Cl_invocation.yml:-
1 yml/OSScripts/CL_LoadAssembly.yml:-
1 yml/OSScripts/CL_mutexverifiers.yml:-
1 yml/OSScripts/Manage-bde.yml:-
1 yml/OSScripts/pester.yml:-
1 yml/OSScripts/Pubprn.yml:-
1 yml/OSScripts/Syncappvpublishingserver.yml:-
1 yml/OSScripts/UtilityFunctions.yml:-
1 yml/OSScripts/Winrm.yml:-
1 yml/OtherMSBinaries/Dotnet.yml:-
1 yml/OtherMSBinaries/Ntdsutil.yml:-

josehelps avatar Aug 11 '22 23:08 josehelps

@josehelps This is a great PR. Let me know what I can do to help get this verified and added

bohops avatar Dec 30 '22 00:12 bohops

Hey @bohops I will work on the merge conflicts tonight to get it all working!

josehelps avatar Jan 02 '23 14:01 josehelps

Brought the branch up to date @bohops, but it looks like there are some linting issues with the YAML; will look into that next.

josehelps avatar Jan 03 '23 03:01 josehelps