From 32e0271bbce134f2fdd4e582aa1657e74a9d386d Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 23 Jan 2025 13:26:29 -0500
Subject: [PATCH 1/2] Initial upload
---
 .../o365_exchange_suspect_events.log | 3 +++
 .../o365_messagetrace_suspect_events.log | 3 +++
 .../o365_suspect_email_actions.yml | 15 +++++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
 create mode 100644 datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
 create mode 100644 datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
new file mode 100644
index 00000000..1455201d
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:160fa66447af2201fc9b30c0f2cd6e18b1a6014abe4737d81e676d2da7da9639
+size 175687
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
new file mode 100644
index 00000000..29c0e2dd
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:33dd77a4ea6bf85eaab9a244085f0e6f3fc79a191dfaa3b50357d9e229ab46e9
+size 1998
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml
new file mode 100644
index 00000000..c3261d25
--- /dev/null
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml
@@ -0,0 +1,15 @@
+author: Steven Dick
+id: 986d1ac2-f76a-48d8-b3af-bf76dc4e80a4
+date: '2025-01-20'
+description: 'Sample of events when an actor compromises a mailbox and conducts certain suspect activities such as email hard deletes, exfiltration, or password/banking information changes.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+sourcetypes:
+- o365:management:activity
+- o365:reporting:messagetrace
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
\ No newline at end of file
From 953f34551724ce58859bbd007d7b82165cb44eb9 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Thu, 23 Jan 2025 14:10:21 -0500
Subject: [PATCH 2/2] Log edit
---
 .../o365_exchange_suspect_events.log | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
index 1455201d..3583f449 100644
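Review bot: The `description` in the new o365_suspect_email_actions.yml does not name the concrete operations the two logs contain, so a detection author cannot tell from the descriptor which o365:management:activity operations or messagetrace fields the dataset actually exercises without downloading the LFS objects; a short list of the operation names present (hard delete, the exfiltration path, the account/banking change events as they appear in the log) would make the dataset usable as a test fixture. The text also describes mailbox hard deletes and credential/payment changes, which go beyond Email Collection (T1114), so the `references` list could note the additional technique(s) the events map to. The 190-character single-quoted description would read better as a folded scalar, `description: >-` with the sentence wrapped beneath it at 2-space indent. The file ends with `\ No newline at end of file`; add a trailing newline so diffs and yamllint stay clean.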
--- a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:160fa66447af2201fc9b30c0f2cd6e18b1a6014abe4737d81e676d2da7da9639
-size 175687
+oid sha256:34a11765788b8f38d9a7d499eeeac5f5ea8acd6e5a81af7cf3ebf8bd4a3e01c9
+size 175659