Closed Kirtar22 closed 5 years ago
I'll look in to this Kirtar, thanks for pointing it out!
Seems that with empty details in a whitelist this is not functioning; I modified the registry_whitelist and it works fine now.
Also, I've fixed all searches, thanks for noticing.
Hi Olaf,
I'd just like to draw your attention to something. Not sure if this is deliberate, but many of the techniques in "savedsearches.conf" are missing the following couple of lines:
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
Moreover, the issue I am facing is that any changes to AppInit DLLs are NOT reflected in the "ThreatHunting" main dashboard, and these events are NOT shown in the threathunting index either. However, when I run the search given in savedsearches.conf for AppInit DLLs, it works and fetches the events.
When I checked the configuration for AppInit DLLs in savedsearches.conf, it is as below:
[[T1103] AppInit DLLs]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index.mitre_category = Persistence,Privilege_Escalation
action.summary_index.mitre_technique = AppInit DLLs
action.summary_index.mitre_technique_id = T1103
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
search = sysmon (event_id=12 OR event_id=13 OR event_id=14) (registry_key_path="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR registry_key_path="*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*") \
| eval mitre_technique_id="T1103" \
| registry_whitelist \
| table _time event_description event_type host_fqdn process_path process_id process_guid registry_key_path registry_key_details
Here I could see that the following statements are missing, compared with the ones that are working for me:
action.summary_index._name = threathunting
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
I added these statements to the AppInit DLLs stanza in savedsearches.conf, and I also changed dispatch.earliest_time = -15m@m to dispatch.earliest_time = -15m.
Still, I don't see the data. Any clue???
Thanks
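The missing `action.summary_index._name` line discussed above is exactly the kind of drift that is hard to spot by eye across dozens of stanzas: Splunk still runs the scheduled search, but without `_name` the summary events go to the default `summary` index instead of `threathunting`. The following linter is an added example (not part of the ThreatHunting app or this thread); it parses a constructed savedsearches.conf fragment, joining Splunk's backslash-continued lines, and flags summary-indexing stanzas that lack the target index or dispatch keys, or that carry a malformed `cron_schedule`.

```python
# Constructed sample in savedsearches.conf style: the first stanza is missing
# the summary-index target and dispatch keys, the second stanza is complete.
SAMPLE_CONF = """\
[[T1103] AppInit DLLs]
action.summary_index = 1
action.summary_index.mitre_technique_id = T1103
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
search = sysmon (event_id=12 OR event_id=13) \\
| eval mitre_technique_id="T1103" \\
| registry_whitelist

[[T1060] Registry Run Keys]
action.summary_index = 1
action.summary_index._name = threathunting
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
cron_schedule = */15 * * * *
enableSched = 1
search = sysmon event_id=13 | eval mitre_technique_id="T1060"
"""

# Keys every summary-indexing stanza needs so results land in the right index
# and open in the right app from the dashboard.
REQUIRED_FOR_SUMMARY = ("action.summary_index._name",
                        "request.ui_dispatch_app",
                        "request.ui_dispatch_view")

def parse_conf(text):
    """Return {stanza: {key: value}}; a trailing backslash continues a line."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # Splunk .conf line continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]           # keeps the inner "[T1103] ..." text
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint(stanzas):
    """Map stanza name -> list of problems that stop the summary index filling."""
    findings = {}
    for name, kv in stanzas.items():
        problems = []
        if kv.get("action.summary_index") == "1":
            problems += [f"missing {k}" for k in REQUIRED_FOR_SUMMARY if k not in kv]
        if kv.get("enableSched") == "1" and len(kv.get("cron_schedule", "").split()) != 5:
            problems.append(f"bad cron_schedule {kv.get('cron_schedule')!r}")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for stanza, problems in lint(parse_conf(SAMPLE_CONF)).items():
        print(stanza, "->", "; ".join(problems))
```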