
Nterl0k - T1219 - RMM Detection for Registry locations. #3257

Merged: 9 commits, Jan 9, 2025

Conversation

nterl0k
Contributor

@nterl0k nterl0k commented Dec 28, 2024

Details

An update for common registry auto-start locations used by RMMs, to flush out existing RMM monitoring detection.

Pending splunk/attack_data#924


Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the datestamp in the lookup CSV filename, and the reference to it in the YAML needs to be updated.
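As an added illustration (not code from this pull request or from the security_content project), the Python below models what the analytic is doing: it takes Windows registry write events, keeps only those landing in auto-start locations, compares the value data against a remote-access-software lookup, and suppresses hits on hosts marked as authorized, which is the role the asset-based exception macro plays in the thread. The registry patterns, the lookup entries, the authorized-host set, the field names and the sample events are all constructed for this example and are not the PR's own list or data.

```python
import re
from dataclasses import dataclass

# Registry auto-start locations to watch. This is an assumed, representative
# subset (Run/RunOnce under HKLM or HKCU, plus service ImagePath values);
# it is not the exact list carried by the pull request.
AUTOSTART_PATTERNS = [
    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
               re.IGNORECASE),
    re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$",
               re.IGNORECASE),
]

# Constructed stand-in for a remote-access-software lookup: executable name -> product.
RMM_LOOKUP = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
}

# Constructed stand-in for the asset-based exception discussed in the thread:
# hosts on which running an RMM is approved, so matches there are suppressed.
AUTHORIZED_RMM_HOSTS = {"helpdesk-ws01"}

# Constructed sample events in the shape of Endpoint.Registry fields.
SAMPLE_EVENTS = [
    {"dest": "ws-finance-07", "user": "CORP\\alice",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk",
     "registry_value_data": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --silent'},
    {"dest": "ws-finance-07", "user": "CORP\\alice",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "registry_value_data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"dest": "helpdesk-ws01", "user": "NT AUTHORITY\\SYSTEM",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnect Client (abc)\ImagePath",
     "registry_value_data": r'"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe"'},
    {"dest": "ws-hr-02", "user": "CORP\\bob",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\TeamViewer",
     "registry_value_data": r"C:\Users\bob\AppData\Local\Temp\TeamViewer.exe"},
    # Same binary, but written to an uninstall key: not an auto-start location, so ignored.
    {"dest": "ws-hr-02", "user": "CORP\\bob",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk\DisplayIcon",
     "registry_value_data": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]


@dataclass(frozen=True)
class Finding:
    dest: str
    user: str
    product: str
    registry_path: str
    registry_value_data: str


def is_autostart_location(registry_path: str) -> bool:
    """True if the registry path falls in one of the watched auto-start locations."""
    return any(p.search(registry_path) for p in AUTOSTART_PATTERNS)


def match_rmm(value_data: str, lookup=RMM_LOOKUP):
    """Return the RMM product whose executable appears in the value data, else None."""
    data = value_data.lower()
    for exe, product in lookup.items():
        # Require the executable as a whole file name (preceded by a path separator,
        # a quote, whitespace or start of string), not as a substring of another name.
        if re.search(r'(^|[\\/"\s])' + re.escape(exe) + r'(?=$|["\s])', data):
            return product
    return None


def detect(events, lookup=RMM_LOOKUP, authorized_hosts=AUTHORIZED_RMM_HOSTS):
    """Run the auto-start RMM check over events and apply the host exception."""
    allowed = {h.lower() for h in authorized_hosts}
    findings = []
    for ev in events:
        if not is_autostart_location(ev["registry_path"]):
            continue
        product = match_rmm(ev["registry_value_data"], lookup)
        if product is None:
            continue
        if ev["dest"].lower() in allowed:
            continue  # RMM is approved on this asset; suppress, as the exception macro would
        findings.append(Finding(ev["dest"], ev["user"], product,
                                ev["registry_path"], ev["registry_value_data"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.dest} {f.user}: {f.product} auto-start via {f.registry_path}")
```

Run against the constructed events, the AnyDesk Run value and the TeamViewer RunOnce value are reported, the ScreenConnect service on the authorized helpdesk host is suppressed, and the AnyDesk uninstall-key write is ignored because it is not an auto-start location. Passing an empty `authorized_hosts` set shows the effect of losing the exception lookup: the helpdesk host would then alert as well, which is why the analytic depends on that lookup being present.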

@nterl0k
Contributor Author

nterl0k commented Jan 6, 2025 via email

@patel-bhavin
Contributor

patel-bhavin commented Jan 6, 2025

@nterl0k: Thank you for making those prompt changes. Now we also need two drilldowns as defaults in our YAMLs for TTP, Anomaly and Correlation detections. Can you add these two drilldowns? We will look into automating these drilldowns in a future release!

Here is the CI error from the build stage: https://github.com/splunk/security_content/actions/runs/12641453140/job/35223884630?pr=3257
e.g.:

@nterl0k
Contributor Author

nterl0k commented Jan 6, 2025 via email

@nterl0k
Contributor Author

nterl0k commented Jan 7, 2025

@patel-bhavin Let me ask a few clarifying questions.

Do you want me to just add the generic drilldowns, similar to security_content/detections/endpoint/add_or_set_windows_defender_exclusion.yml?

or

Would the inclusion of my targeted drilldowns be acceptable?

How many drilldowns are allowed, 2+ or exactly 2?

Thanks

@patel-bhavin
Contributor

@nterl0k: We would need the two generic ones, and we can/should add the targeted drilldowns after the first two! Thank you

@nterl0k
Contributor Author

nterl0k commented Jan 7, 2025

Alright, I added the generics + my own to the YAML on this and my other current PRs. Hopefully that allows it to pass more smoothly.

@nterl0k
Contributor Author

nterl0k commented Jan 8, 2025

OK, looks like this one is hanging because the lookup "asset_lookup_by_str" isn't in the testing environment (it is part of ES).

The macro 'remote_access_software_usage_exceptions' contains a reference to the lookup asset_lookup_by_str, the same as all the other RMM detections I submitted previously with it.

@patel-bhavin
Contributor

Yeah, looks like we have added "manual_test: This detection uses A&I lookups from Enterprise Security." for the other RMM detections! I will test the detection locally and add that flag! Thanks @nterl0k

patel-bhavin previously approved these changes Jan 8, 2025
@patel-bhavin patel-bhavin merged commit ede80f4 into splunk:develop Jan 9, 2025
4 checks passed