From c54d3b712789f8ef2c1be731af68a8876a15e43a Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 15 Jan 2025 15:22:05 -0500
Subject: [PATCH] upload
---
 .../transport_rule_change/transport_rule_change.log | 3 +++
 .../transport_rule_change/transport_rule_change.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
 create mode 100644 datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml
diff --git a/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
new file mode 100644
index 00000000..c847f7ce
--- /dev/null
+++ b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1520bac551d6b6d79dc2326e444f7414166d3706fdf6dc2a4ab8c701c317d292
+size 3113
diff --git a/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml
new file mode 100644
index 00000000..5e8dbe5d
--- /dev/null
+++ b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 3528c82a-ac25-4d88-b877-7c067f3a3710
+date: '2025-01-15'
+description: 'Sample of events when an Exchange transport rule is created or modified.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1114/003/
+- https://cardinalops.com/blog/cardinalops-contributes-new-mitre-attck-techniques-related-to-abuse-of-mail-transport-rules/
+- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/
\ No newline at end of file
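Review bot: The new dataset file ends without a trailing newline (`\ No newline at end of file` after the last references entry); add a final newline so the YAML terminates cleanly and a later append does not show the last URL as a modified line. The description names only the triggering action, which is thin for a detection dataset: authors writing searches against the o365:management:activity events need to know which audit operations the sample actually contains, and "created or modified" presumably maps to more than one Operation value in the log — confirm against the .log before documenting it. I would extend it to something like `description: 'Sample of o365:management:activity events when an Exchange transport rule is created or modified (Operation values: <fill in from the log>).'`, with the placeholder replaced by the values observed.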