Skip to content

Update windows_wmi_process_and_service_list.yml #3651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 25, 2025
Merged

Update windows_wmi_process_and_service_list.yml #3651

merged 3 commits into from
Aug 25, 2025

Conversation

PJS-Cyber
Copy link
Contributor

@PJS-Cyber PJS-Cyber commented Aug 20, 2025
edited
Loading

Resolved a detection bypass technique where inserting multiple spaces between commands allowed evasion. Validated the fix in a production environment.

Details

What does this PR have in it? Screenshots are worth 1000 words 😄
Resolved a detection bypass technique where inserting multiple spaces between commands allowed evasion. Validated the fix in a production environment.

Test by :
Running this in cmd (with extra spaces between process and list): "wmic process list brief"

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

  • If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
  • Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
  • Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the the date and version in the associated YAML file.

@PJS-Cyber
Update windows_wmi_process_and_service_list.yml
3b713fa 
Resolved a detection bypass technique where inserting multiple spaces between commands allowed evasion. Validated the fix in a production environment.
nasbench
nasbench approved these changes Aug 25, 2025
View reviewed changes
Copy link
Contributor

@nasbench nasbench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the search to avoid using wildcards in the middle of the string as it can cause performance issues and incorrect matches

@nasbench nasbench self-assigned this Aug 25, 2025
@patel-bhavin patel-bhavin added this to the v5.14.0 milestone Aug 25, 2025
@patel-bhavin
Copy link
Contributor

Known issue - inspect fails on PRs from forks ! the changes look good! 🚢

@patel-bhavin patel-bhavin merged commit 1384d69 into splunk:develop Aug 25, 2025
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

@patel-bhavin patel-bhavin Awaiting requested review from patel-bhavin patel-bhavin is a code owner

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Assignees

@nasbench nasbench

Labels
Detections
Projects
None yet
Milestone
v5.14.0
Development

Successfully merging this pull request may close these issues.
3 participants
@PJS-Cyber @patel-bhavin @nasbench