Skip to content

sesameop #3827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tccontre wants to merge 15 commits into
base: develop
Choose a base branch
from
Open

sesameop #3827

tccontre wants to merge 15 commits into from
+199 −39

Conversation

@tccontre
Copy link
Contributor

@tccontre tccontre commented Dec 10, 2025
edited
Loading

tagged

    modified:   detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
    modified:   detections/endpoint/executables_or_script_creation_in_temp_path.yml
    modified:   detections/endpoint/registry_keys_used_for_persistence.yml
    modified:   detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
    modified:   detections/endpoint/windows_process_execution_in_temp_dir.yml
    modified:   detections/endpoint/windows_suspicious_process_file_path.yml
    modified:   detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
    modified:   detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
    modified:   detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
    modified:   detections/endpoint/executables_or_script_creation_in_temp_path.yml
    modified:   detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml

new

    new file:   detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml

updated

    modified:   detections/endpoint/windows_ai_platform_dns_query.yml

story

    new file:   stories/sesameop.yml
    new file:   stories/promptflux.yml

What does this PR have in it? Screenshots are worth 1000 words 😄

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the the date and version in the associated YAML file.

@tccontre tccontre self-assigned this Dec 10, 2025
@tccontre tccontre added the WIP DO NOT MERGE Work in Progress label Dec 10, 2025
nasbench
nasbench reviewed Dec 10, 2025
View reviewed changes
nasbench
nasbench reviewed Dec 10, 2025
View reviewed changes
tccontre and others added 2 commits December 11, 2025 10:34
@github-actions github-actions bot removed the Macros label Dec 11, 2025
@tccontre tccontre removed the WIP DO NOT MERGE Work in Progress label Dec 11, 2025
nasbench
nasbench reviewed Dec 12, 2025
View reviewed changes
detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
Comment on lines +74 to +75
- field: file_names
type: file_name
Copy link
Contributor

@nasbench nasbench Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ljstella question for you. How do multi value threat objects show up?

nasbench
nasbench reviewed Dec 12, 2025
View reviewed changes
detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
Copy link
Contributor

@nasbench nasbench Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ljstella same question here. If the condition is grouping the file name into MVs. What's best to use here? Should we perhaps use file_names and would it show correctly.

Copy link
Contributor

@patel-bhavin patel-bhavin Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nas, multi value fields do not have the best interpretation when it comes to risk_message. I enabled this detection as is on Endor and you can check out how the risk event looks using this query :

index=risk risk_object="ar-win-1" source="ESCU - Windows Potential AppDomainManager Hijack Artifacts Creation - Rule"

you can either use file_name or file_names and it would show up in with those field_names in the risk index but I tend to like using the CIM field name - file_name and file_path so that this generated risk event has CIM complaint field names that can be leveraged downstream.

For this detection, there are 3 files_names and 3 file_paths that get created as threat_objects as a part of a single risk event.

Copy link
Contributor

@patel-bhavin patel-bhavin Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image

Copy link
Contributor

@patel-bhavin patel-bhavin Dec 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when you agree with using CIM field names here, i can make this change and I think we should remove these multi value field names from the risk_message variable which would perhaps give the best UI experience.

Copy link
Contributor

@nasbench nasbench Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree on using CIM generally but I think there could be issues.

First file_name is not part of the output of the detection, and second which file_name entry will be used or will all entries matched by the original condition be listed?

@nasbench nasbench added this to the v5.20.0 milestone Dec 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench left review comments

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@tccontre tccontre

Labels

Detections Stories

Projects

None yet

Milestone

v5.20.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tccontre @patel-bhavin @nasbench @t-contreras