From e5424c68402249a20c1cf6fb04ed74eece5cea78 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:26:51 +1000
Subject: [PATCH] Uploading defender eventlog datasets

---
 ...exclusion_defender_operational_wineventlog.yml | 14 ++++++++++++++
 .../defender_operational_wineventlog.log | 3 +++
 .../disable_defender_component.log | 3 +++
 .../disable_defender_operational_wineventlog.yml | 15 +++++++++++++++
 .../disable_defender_rtm.log | 3 +++
 5 files changed, 38 insertions(+)
 create mode 100644 datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml
 create mode 100644 datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_operational_wineventlog.log
 create mode 100644 datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_component.log
 create mode 100644 datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml
 create mode 100644 datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_rtm.log

diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml
new file mode 100644
index 00000000..e487dd3d
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml
@@ -0,0 +1,14 @@
+author: Dean Luxton
+id: a8ccdeca-c332-4bb6-84b5-76786138925d
+date: '2025-01-08'
+description: Generated datasets for defender exclusion in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_operational_wineventlog.log
+sourcetype:
+- xmlwineventlog
+source:
+- WinEventLog:Microsoft-Windows-Windows Defender/Operational
+references:
+- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
+- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_operational_wineventlog.log b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_operational_wineventlog.log
new file mode 100644
index 00000000..6c86ecf9
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_operational_wineventlog.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e49ea1bdb0d05ec52f1a91164edb5849c110ec4a53cdba41081ac7fc52a63145
+size 1786
diff --git a/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_component.log b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_component.log
new file mode 100644
index 00000000..18e63d45
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_component.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b57d92104547cd02a24b4705d6f7b5b453be9d3f71de8e759b0e69bdeb67a670
+size 10677
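Review bot: Both manifests are committed without a trailing newline (`\ No newline at end of file` after the last `references` entry here, and again in disable_defender_operational_wineventlog.yml), so any future append to either file will show the current last line as modified and may be flagged by YAML linters in CI. Ending each file with a newline after the final `- https://bhabeshraj.com/...` entry avoids that; this applies to both yml files in the commit and is not repeated on the second one.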
diff --git a/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml
new file mode 100644
index 00000000..bdd71597
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml
@@ -0,0 +1,15 @@
+author: Dean Luxton
+id: bc8c2a9d-8e22-4354-90b8-fcb66c6f9b2e
+date: '2025-01-08'
+description: Generated datasets for defender exclusion in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_component.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_rtm.log
+sourcetype:
+- xmlwineventlog
+source:
+- WinEventLog:Microsoft-Windows-Windows Defender/Operational
+references:
+- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
+- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_rtm.log b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_rtm.log
new file mode 100644
index 00000000..3aa969a0
--- /dev/null
+++ b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_rtm.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:03c698ff69b9b7af4e42db7e4bf3e6a486f0256f68c33872f936c025ca48ca5f
+size 3040
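Review bot: The `description` in disable_defender_operational_wineventlog.yml reads `Generated datasets for defender exclusion in attack range.`, which looks carried over from the exclusion manifest; the two logs this manifest references are disable_defender_component.log and disable_defender_rtm.log, so the description does not describe the data it points at. Detection authors pick datasets by this field, so a wording that matches the directory name, such as `description: Generated datasets for disabling defender components in attack range.`, would avoid testing a disable-Defender detection against a manifest labelled as exclusion data. Stating which Defender/Operational event IDs the two logs contain would also help consumers, but that cannot be confirmed from the LFS pointers in this commit.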