
Dlux 3 - New & Updated AD / GPO / ACL Detections #3026

Merged
merged 28 commits into from
Aug 21, 2024

Conversation


@dluxtron dluxtron commented Jul 2, 2024

Lots of new detections focused on Active Directory.

ACL Abuse, GPO Modifications & other AD persistence vectors.

New lookups created to support resolving guids & making sense of the ACEs.

@dluxtron

dluxtron commented Jul 2, 2024

@patel-bhavin

Need to upload SA-admon to the S3 bucket https://splunkbase.splunk.com/app/6853

https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-admon-enrichment_110.tgz

Looks like we will need to update the contentctl code to create an exception for this. It's likely not to do with attack range code.

@patel-bhavin

@dluxtron : Thank you for the PR. A couple of things before we get this shipped:

  • Looks like attack_data is not present for a few detections. Can you submit those?
  • Let's improve the text in the description, how to implement, and known false positives.

Here's the screenshot of unit testing failures

image

@dluxtron dluxtron requested a review from ljstella as a code owner August 8, 2024 05:48
@patel-bhavin

> Need to upload SA-admon to the S3 bucket https://splunkbase.splunk.com/app/6853
> https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-admon-enrichment_110.tgz
>
> Looks like we will need to update the contentctl code to create an exception for this. It's likely not to do with attack range code.

Done: https://github.com/splunk/contentctl/releases/tag/v4.2.2

@patel-bhavin

@dluxtron : Thanks for contributing the updated datasets and fixing up this PR! I believe this PR is more or less ready to go! I made some minor updates to this PR! Amazing contribution, yet again :)

@patel-bhavin patel-bhavin added this to the v4.39.0 milestone Aug 20, 2024
@patel-bhavin patel-bhavin merged commit b909d35 into develop Aug 21, 2024
6 checks passed
@patel-bhavin patel-bhavin deleted the dlux_3 branch August 21, 2024 09:27