From 2cafd083f67f1243f2b22bc8cdc8570e61f08f6e Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Tue, 28 Jan 2025 15:48:55 -0500
Subject: [PATCH] Upload data
---
.../o365_sus_file_activity.log | 3 +++
.../o365_sus_file_activity.yml | 13 +++++++++++++
2 files changed, 16 insertions(+)
create mode 100644 datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
create mode 100644 datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml
diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
new file mode 100644
index 00000000..682f6ddf
--- /dev/null
+++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ef3b8cc321fed3031bca6d16d4c35e7de3112ab40ea08f2fca02879a065d8774
+size 503181
diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml
new file mode 100644
index 00000000..a27cd3a1
--- /dev/null
+++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: a5b98f63-2116-4f7d-bd46-228872bc79f8
+date: '2025-01-28'
+description: 'Sample of events when an actor attempts to exfiltrate data from sharepoint using various methods.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
\ No newline at end of file
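Review bot: The first entry under `references` ends in `/T1567/exfil`, which does not match the ATT&CK URL scheme (technique pages are `/techniques/T1567/`, sub-techniques take a numeric suffix such as `/T1567/002/`), so the link probably does not resolve; I would change it to `- https://attack.mitre.org/techniques/T1567/`. The file also ends without a trailing newline, which some YAML linters flag. Because the companion `.log` is only a Git LFS pointer in this patch, its contents cannot be reviewed here; it would help if `description` stated whether tenant IDs, user principal names and client IPs in the `o365:management:activity` events were sanitized before upload.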