Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nterl0k - T1649 - ESC1 abuse with certify/certipy toolkits #809

Closed
wants to merge 16 commits into from
Closed

Nterl0k - T1649 - ESC1 abuse with certify/certipy toolkits #809

wants to merge 16 commits into from

Conversation

nterl0k
Copy link
Contributor

@nterl0k nterl0k commented May 25, 2023

Uploading data for upcoming Certipy/ESC1 abuse detection.

@nterl0k nterl0k changed the title Nterl0k t1649 esc1 abuse Nterl0k - T1649 - ESC1 abuse with certify/certipy toolkits Jun 13, 2023
@nterl0k nterl0k mentioned this pull request Jul 23, 2023
Closed
5 tasks
@patel-bhavin
Copy link
Collaborator

@nterl0k : we don't support multiple log types in a single. Can you split the datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.log LFS files into separate files based on what sourcetype it is and then update the links in the detection.yml

patel-bhavin
patel-bhavin requested changes Jul 26, 2023
View reviewed changes
Copy link
Collaborator

@patel-bhavin patel-bhavin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comments added above

@nterl0k
Copy link
Contributor Author

nterl0k commented Jul 26, 2023

@nterl0k : we don't support multiple log types in a single. Can you split the datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.log LFS files into separate files based on what sourcetype it is and then update the links in the detection.yml

@patel-bhavin Not a problem at all, I will know better in the future. I'll get to work on splitting / updating based on sourcetype.

@patel-bhavin
Copy link
Collaborator

Thats awesome! i did some minor updates and created a new PR based on this which has now been merged. Will now check if it passes testing for this PR : splunk/security_content#2787

@patel-bhavin
Copy link
Collaborator

Thank you for updating the PR!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patel-bhavin patel-bhavin patel-bhavin requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nterl0k @patel-bhavin