
Nterl0k - T1036 LOLBASh Your Face

Open nterl0k opened this issue 9 months ago • 0 comments

Details

This PR has 2 detections aiming at LOLBAS usage from unusual locations or when renamed. Some false positives are expected based on testing in a production environment, however they are low enough to be easily filtered.

Updated LOLBAS File Path lookup (which was unused in other content) with current data from LOLBAS project. Also corrected a number of erroneous entries in the data to prevent excessive false positives. Added wildcard file path matching on lookup definition to enable detections above.

Pending https://github.com/splunk/attack_data/pull/893


Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

nterl0k avatar May 03 '24 15:05 nterl0k
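The two detection ideas the PR describes (a LOLBAS binary launched from a path outside its expected locations, or launched under a name that differs from its original file name) reduce to a lookup with wildcard path patterns plus a name comparison. The following is an added illustration, not the PR's SPL or the project's lookup: the lookup rows and the Sysmon-style event fields (`process_name`, `original_file_name`, `process_path`) are constructed stand-ins.

```python
"""Toy model of the PR's two LOLBAS detections over constructed events."""
import fnmatch
import ntpath
from typing import Dict, List

# Constructed stand-in for the LOLBAS file-path lookup. Each entry maps a
# binary's original file name to the wildcard path patterns where it is
# expected to live (the PR adds wildcard matching to the lookup definition).
LOLBAS_LOOKUP: Dict[str, List[str]] = {
    "certutil.exe": ["c:\\windows\\system32\\*", "c:\\windows\\syswow64\\*"],
    "rundll32.exe": ["c:\\windows\\system32\\*", "c:\\windows\\syswow64\\*"],
    "msbuild.exe": [
        "c:\\windows\\microsoft.net\\framework*\\*",
        "c:\\program files*\\microsoft visual studio\\*",
    ],
}


def normalize(path: str) -> str:
    """Collapse '..' segments and lower-case so '\\system32\\..\\temp\\' cannot
    sneak past a pattern anchored on '\\system32\\'."""
    return ntpath.normpath(path).lower()


def path_is_expected(path: str, patterns: List[str]) -> bool:
    """True when the normalized path matches any wildcard pattern."""
    return any(fnmatch.fnmatch(normalize(path), p) for p in patterns)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the detection names an event triggers (empty when benign)."""
    original = event["original_file_name"].lower()
    patterns = LOLBAS_LOOKUP.get(original)
    if patterns is None:
        return []  # not a binary tracked by the lookup
    findings = []
    # Renamed LOLBAS: the on-disk name no longer matches the PE original name.
    if event["process_name"].lower() != original:
        findings.append("lolbas_renamed")
    # Unusual location: the binary ran from outside its expected directories.
    if not path_is_expected(event["process_path"], patterns):
        findings.append("lolbas_unusual_path")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run both detections over a batch of events and keep only the hits."""
    return [{"path": e["process_path"], "findings": evaluate(e)}
            for e in events if evaluate(e)]
```

A real deployment would still need the allow-listing the PR mentions for known-good but unusual paths, which is what the lookup patterns are for.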