security_content

Nterl0k - [T1574] Hijacks Gone Wild 2

Open nterl0k opened this issue 1 year ago • 1 comment

Details

Rewrote the previous tstats based search to work solely on EID7, while using backwards compatible evals/extractions in the detection.

It's less efficient cause no tstats, but shouldn't break with TA changes.

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

nterl0k, Apr 07 '24 00:04
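To illustrate the approach the description refers to (a Sysmon Event ID 7 image-load search that uses `coalesce()` evals so the same detection survives a field-name change in the TA), here is an added example sketch. It is not the PR's own SPL and not part of the security_content repo; the `sysmon` macro, the field names on both sides of each `coalesce()`, and the aggregation by `dest` are assumptions, not values taken from this page.

```spl
`sysmon` EventCode=7
| eval process_path=coalesce(Image, process_path),
       loaded_file_path=coalesce(ImageLoaded, loaded_file_path),
       signature_status=coalesce(SignatureStatus, signature_status)
| where isnotnull(loaded_file_path)
| stats min(_time) as firstTime max(_time) as lastTime
        values(loaded_file_path) as loaded_file_path count
        by dest process_path signature_status
| convert ctime(firstTime) ctime(lastTime)
```

Reading raw EventCode=7 events instead of a `tstats` summary costs search time, since every image-load event is scanned, but each `coalesce()` picks whichever extraction the installed TA version produces, so the search keeps working when the TA renames a field; the `where` clause drops events where neither variant populated, so a field rename surfaces as empty results rather than a broken search.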

@patel-bhavin - I did the thing, enjoy.

nterl0k, Apr 07 '24 00:04