From 6c11ee78739105c9cb0b2ae6dad777e1a3602e1e Mon Sep 17 00:00:00 2001 
From: Teoderick Contreras
Date: Wed, 26 Nov 2025 11:25:03 +0100
Subject: [PATCH] fix_cwd_path_detections
---
.../T1053.003/auditd_path_cron/auditd_path_cron.yml | 13 +++++++++++++
.../T1053.003/auditd_path_cron/path_cron.log | 3 +++
.../auditd_path_ssh_config.yml | 13 +++++++++++++
.../auditd_path_ssh_config/path_ssh_config.log | 3 +++
.../T1529/auditd_path_sysrq/auditd_path_sysrq.yml | 13 +++++++++++++
.../T1529/auditd_path_sysrq/path_sysrq.log | 3 +++
.../auditd_path_cwd_doas_conf.yml | 13 +++++++++++++
.../auditd_path_cwd_doas_conf/path_doas.log | 3 +++
.../auditd_path_sudoers/auditd_path_sudoers.yml | 13 +++++++++++++
.../T1548.003/auditd_path_sudoers/path_sudoers.log | 3 +++
.../auditd_path_preload_file.yml | 13 +++++++++++++
.../auditd_path_preload_file/path_preload.log | 3 +++
12 files changed, 96 insertions(+)
create mode 100644 datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml
create mode 100644 datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
create mode 100644 datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml
create mode 100644 datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
create mode 100644 datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml
create mode 100644 datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
create mode 100644 datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml
create mode 100644 datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
create mode 100644 datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml
create mode 100644 datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
create mode 100644 datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml
create mode 100644 datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
diff --git a/datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml b/datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml
new file mode 100644
index 00000000..9ee06ea0
--- /dev/null
+++ b/datasets/attack_techniques/T1053.003/auditd_path_cron/auditd_path_cron.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: ebb93346-cab0-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path cron in attack range.
+environment: attack_range
+directory: auditd_path_cron
+mitre_technique:
+- T1053.003
+datasets:
+- name: path_cron.log
+ path: /datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log b/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
new file mode 100644
index 00000000..761f868f
--- /dev/null
+++ b/datasets/attack_techniques/T1053.003/auditd_path_cron/path_cron.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d1781b8eef7b1b634222d6cbc00044798f5ccadd1130de8517059f39ccec57cc
+size 2790
diff --git a/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml
new file mode 100644
index 00000000..94024211
--- /dev/null
+++ b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/auditd_path_ssh_config.yml
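Review bot: `description: Generated datasets for auditd path cron in attack range.` is boilerplate that does not say what was recorded, so someone writing or tuning a detection against this dataset cannot tell from the manifest which auditd record types (PATH, CWD, SYSCALL) are present or which file activity was simulated; name the activity and the record types, e.g. `description: auditd PATH and CWD records from modification of cron configuration files, captured in attack range` (constructed example — adjust it to what the LFS object actually contains, which this diff does not show). The same template wording appears in the ssh_config, sysrq, cwd_doas_conf, sudoers and preload_file manifests, and the commit title `fix_cwd_path_detections` has no body explaining it, so the manifests are the only place a reader can learn what these captures exercise. Two style points shared by all six manifests: `sourcetype: 'auditd'` and `source: 'auditd'` are the only quoted plain strings while `author`, `directory` and `path` are bare, and each file is committed without a final newline (`\ No newline at end of file`).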
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 30034558-caa9-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path ssh config in attack range.
+environment: attack_range
+directory: auditd_path_ssh_config
+mitre_technique:
+- T1098.004
+datasets:
+- name: path_ssh_config.log
+ path: /datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
new file mode 100644
index 00000000..a5c138d5
--- /dev/null
+++ b/datasets/attack_techniques/T1098.004/auditd_path_ssh_config/path_ssh_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:221486c9e0f0e8101de8d8f2198586f3119bf6e6548de6804aa00da26e2ea8e4
+size 1441
diff --git a/datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml b/datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml
new file mode 100644
index 00000000..4a2397e6
--- /dev/null
+++ b/datasets/attack_techniques/T1529/auditd_path_sysrq/auditd_path_sysrq.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: f685a614-cab1-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path sysrq in attack range.
+environment: attack_range
+directory: auditd_path_sysrq
+mitre_technique:
+- T1529
+datasets:
+- name: path_sysrq.log
+ path: /datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log b/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
new file mode 100644
index 00000000..64052ed4
--- /dev/null
+++ b/datasets/attack_techniques/T1529/auditd_path_sysrq/path_sysrq.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c4ca9e6150c822cf1b12e8a1090e0f1007b084fb0f8ab0c330d289516f7d823
+size 523
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml
new file mode 100644
index 00000000..e98cd7a2
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/auditd_path_cwd_doas_conf.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: af16a08e-caa8-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path cwd doas conf in attack range.
+environment: attack_range
+directory: auditd_path_cwd_doas_conf
+mitre_technique:
+- T1548.003
+datasets:
+- name: path_doas.log
+ path: /datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
new file mode 100644
index 00000000..bbc10f5d
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/auditd_path_cwd_doas_conf/path_doas.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42b3a666077a4b1f6335788d5cc3d358b6a9e83c8cf2ef3f309f9727bed6fa0a
+size 1206
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml
new file mode 100644
index 00000000..ce8e1ecf
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/auditd_path_sudoers.yml
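Review bot: `directory: auditd_path_cwd_doas_conf` is the only one of the six new dataset directories that carries `cwd` in its name, while its dataset file is named `path_doas.log` on the same pattern as the others; either drop the suffix so the `directory:` and `path:` values read `auditd_path_doas_conf`, or apply it to the cron, ssh_config, sysrq, sudoers and preload_file directories as well. If the suffix is meant to say that this capture includes CWD records and the others do not, that belongs in `description:` rather than in the directory name.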
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 982cabce-caa9-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path sudoers in attack range.
+environment: attack_range
+directory: auditd_path_sudoers
+mitre_technique:
+- T1548.003
+datasets:
+- name: path_sudoers.log
+ path: /datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
new file mode 100644
index 00000000..ac89d30c
--- /dev/null
+++ b/datasets/attack_techniques/T1548.003/auditd_path_sudoers/path_sudoers.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:31daf0628fc00efcb59f410b9376b6f9220d12eac5137bd58eee91a97b2c22cc
+size 765
diff --git a/datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml
new file mode 100644
index 00000000..788cff45
--- /dev/null
+++ b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/auditd_path_preload_file.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 371a046e-cab1-11f0-9d54-629be353806a
+date: '2025-11-26'
+description: Generated datasets for auditd path preload file in attack range.
+environment: attack_range
+directory: auditd_path_preload_file
+mitre_technique:
+- T1574.006
+datasets:
+- name: path_preload.log
+ path: /datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
+ sourcetype: 'auditd'
+ source: 'auditd'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
new file mode 100644
index 00000000..46d1d70e
--- /dev/null
+++ b/datasets/attack_techniques/T1574.006/auditd_path_preload_file/path_preload.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf0e1802bdc54ca88f641f7e33088f48596afd026d4955bc52a0d8b6c5c720f3
+size 1488