From e62f5efb284d0c859e16e5dffc8d75e6904320fb Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:51:15 -0500
Subject: [PATCH] Push IT
---
 .../sysmon_usb_use_execution.log | 3 +++
 .../sysmon_usb_use_execution.yml | 13 +++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
 create mode 100644 datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml
diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
new file mode 100644
index 00000000..f04eeb38
--- /dev/null
+++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2ff8b475eaec6f05411043503cf210d126c15e6a747a8c5f5c5241af1b106f4
+size 8767
diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml
new file mode 100644
index 00000000..e6d4f1e0
--- /dev/null
+++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 8d818c50-7925-4664-82c6-f8eb626d4c2f
+date: '2025-01-17'
+description: 'Sample of events from executing suspicious files from a recently attached USB drive.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1200/
+- https://www.cisa.gov/news-events/news/using-caution-usb-drives
+- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
\ No newline at end of file
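Review bot: The `description` value does not tell a detection author what the sample actually contains — which Sysmon event types were captured and what "suspicious files from a recently attached USB drive" covers (for example whether the execution is seen via the process-creation record alone or also via device/drive-related events) — so a rule cannot be validated against this dataset without opening the log itself; a one-sentence addition listing the event IDs present and the execution path observed would fix that, and I am inferring the event mix since the log is an LFS pointer in this patch. The hunk also ends with `\ No newline at end of file`; the file should end with a single newline so tooling and diffs stay clean. The `date` value is correctly quoted, which avoids the YAML timestamp trap; keep that style if further fields are added.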