Skip to content

Add dataset for T1546.015 BitLocker COM Hijacking lateral movement #1098

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nasbench merged 6 commits into from
Dec 1, 2025
Merged

Add dataset for T1546.015 BitLocker COM Hijacking lateral movement #1098

nasbench merged 6 commits into from
Dec 1, 2025

Conversation

@AAtashGar
Copy link
Contributor

@AAtashGar AAtashGar commented Nov 25, 2025

Adds simulated attack data for the novel BitLocker COM Hijacking technique (first public detection).

Related security_content PR: splunk/security_content#3801

nasbench
nasbench reviewed Nov 25, 2025
View reviewed changes
@AAtashGar AAtashGar mentioned this pull request Nov 25, 2025
Open
7 tasks
@AAtashGar
Copy link
Contributor Author

AAtashGar commented Nov 25, 2025

Dear @nasbench,

I quickly implemented the changes you suggested, the datasets are now xml and I also updated the yml file.

@nasbench
Refactor BitLocker COM Hijacking dataset YAML
9402b9b 
Updated the BitLocker COM Hijacking dataset YAML file to streamline the structure and remove redundant entries.
@nasbench
Delete datasets/attack_techniques/T1546.015/bitlocker_com_hijacking/.…
7b26fc2 
…gitattributes
@nasbench
Copy link
Contributor

nasbench commented Nov 26, 2025

@AAtashGar stop using AI to fix things. As this will lead to closing this PR :)
I fixed the yaml, but you have to push the fix for the logs - Here is an example how they should look like https://media.githubusercontent.com/media/splunk/attack_data/5f19dcf9bc26db70a83fd4ef9e14fedbd3a45535/datasets/attack_techniques/T1036/executables_suspicious_file_path/exec_susp_path2.log

Just do an export raw from Splunk without additional formatting

@AAtashGar
Copy link
Contributor Author

AAtashGar commented Nov 30, 2025

Dear @nasbench,
The problem with the raw log has been fixed, I hope there will be no more problems
Thanks for your help and guidance

@nasbench
Copy link
Contributor

nasbench commented Dec 1, 2025

Validation is passing.

image

Error is due to lack of permissions from forks.

@nasbench nasbench merged commit d5b2f93 into splunk:master Dec 1, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AAtashGar @nasbench