diff --git a/.github/validate_dataset_ymls.py b/.github/validate_dataset_ymls.py deleted file mode 100644 index 45b7f1b2c..000000000 --- a/.github/validate_dataset_ymls.py +++ /dev/null @@ -1,46 +0,0 @@ -import datetime -import pathlib -import sys -from enum import StrEnum, auto -from uuid import UUID - -from pydantic import BaseModel, Field, HttpUrl - - -class Environment(StrEnum): - attack_range = auto() - - -class AttackDataYml(BaseModel): - author: str = Field(..., min_length=5) - id: UUID - date: datetime.date - description: str = Field(..., min_length=5) - environment: Environment - dataset: list[HttpUrl] = Field(..., min_length=1) - sourcetypes: list[str] = Field(..., min_length=1) - references: list[HttpUrl] = Field(..., min_length=1) - - -# Get all of the yml files in the datasets folder -datasets_root = pathlib.Path("datasets/") - - -# We only permit certain filetypes to be present in this directory. -# This is to avoid the inclusion of unsupported file types and to -# assist in the validation of the YML files -ALLOWED_SUFFIXES = [".yml", ".log", ".json"] -SPECIAL_GIT_GILES = ".gitkeep" -bad_files = [ - name - for name in datasets_root.glob(r"**/*.*") - if name.is_file() - and not (name.suffix in ALLOWED_SUFFIXES or name.name == SPECIAL_GIT_GILES) -] - -if len(bad_files) > 0: - print( - f"Error, the following files were found in the {datasets_root} folder. Only files ending in {ALLOWED_SUFFIXES} or {SPECIAL_GIT_GILES} are allowed:" - ) - print("\n".join([str(f) for f in bad_files])) - sys.exit(1) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 000000000..acce3ce87 --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,123 @@ +name: Validate Attack Data + +on: + pull_request: + branches: [ master, main ] + types: [opened, synchronize, reopened] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + push: + branches: [ master, main ] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + +permissions: + contents: read + issues: write + pull-requests: write + +jobs: + validate-attack-data: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + lfs: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r bin/requirements.txt + + # Validate all YAML files + - name: Validate all YAML files + run: | + python bin/validate.py + env: + PYTHONPATH: ${{ github.workspace }}/bin + + # PR-specific success/failure handling + - name: Comment PR on validation failure + if: failure() && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + + const body = `❌ **Attack Data Validation Failed** + + The YAML files in this PR do not pass validation. Please check the workflow logs for detailed error messages and fix the issues before merging. + + [View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})`; + + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: body + }); + + - name: Comment PR on validation success + if: success() && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + + const body = `✅ **Attack Data Validation Passed** + + All YAML files in this PR have been successfully validated against the schema. + + Ready for review and merge! 🚀`; + + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: body + }); + + # Push-specific failure handling (create issue) + - name: Create issue on validation failure (Push) + if: failure() && github.event_name == 'push' + uses: actions/github-script@v7 + with: + script: | + const title = `🚨 Attack Data Validation Failed - ${new Date().toISOString().split('T')[0]}`; + const body = `**Validation failed on push to ${context.ref}** + + Commit: ${context.sha} + + The YAML files in the datasets directory do not pass validation. This indicates that invalid data has been merged into the main branch. + + **Action Required:** + 1. Review the [failed workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) + 2. Fix the validation errors + 3. Create a hotfix PR to resolve the issues + `; + + await github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: title, + body: body, + labels: ['bug', 'validation-failure', 'high-priority'] + }); + + diff --git a/bin/add_uuid.py b/bin/add_uuid.py deleted file mode 100644 index 12745dea2..000000000 --- a/bin/add_uuid.py +++ /dev/null @@ -1,64 +0,0 @@ -import yaml -import sys -import argparse -import uuid -from os import path, walk - -def add_uuid(REPO_PATH, content_part, VERBOSE): - manifest_files = [] - - types = ["attack_techniques", "malware", "suspicious_behaviour"] - for t in types: - for root, dirs, files in walk(REPO_PATH + "/" + content_part + '/' + t): - for file in files: - if file.endswith(".yml"): - manifest_files.append((path.join(root, file))) - - for manifest_file in manifest_files: - pretty_yaml = dict() - if VERBOSE: - print("processing manifest {0}".format(manifest_file)) - - with open(manifest_file, 'r') as stream: - try: - object = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - print("Error reading {0}".format(manifest_file)) - error = True - continue - - pretty_yaml['author'] = object['author'] - pretty_yaml['id'] = str(uuid.uuid1()) - pretty_yaml['date'] = object['date'] - pretty_yaml['description'] = object['description'] - pretty_yaml['environment'] = object['environment'] - pretty_yaml['dataset'] = object['dataset'] - pretty_yaml['sourcetypes'] = object['sourcetypes'] - if 'references' in object: - pretty_yaml['references'] = object['references'] - else: - pretty_yaml['references'] = [] - - with open(manifest_file, 'w') as file: - documents = yaml.dump(pretty_yaml, file, sort_keys=False) - - return manifest_files - -def main(args): - parser = argparse.ArgumentParser(description="adds uuid") - parser.add_argument("-p", "--path", required=True, help="path to security_content repo") - parser.add_argument("-v", "--verbose", required=False, default=False, action='store_true', help="prints verbose output") - - args = parser.parse_args() - REPO_PATH = args.path - VERBOSE = args.verbose - output = [] - content_part = 'datasets' - manifest_files = add_uuid(REPO_PATH, content_part, VERBOSE) - - print("process {0} attack data files".format(len(manifest_files))) - - -if __name__ == "__main__": - main(sys.argv[1:]) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py new file mode 100644 index 000000000..c616278b8 --- /dev/null +++ b/bin/dataset_analyzer.py @@ -0,0 +1,1224 @@ +#!/usr/bin/env python3 +""" +Dataset Analyzer for Attack Data Repository + +This script analyzes datasets in the attack_data repository and categorizes them +based on filename patterns and content types. It recursively searches through +directories to find data files and creates data.yml files in the same directories +as the data files. + +Features: +- Recursive analysis of all directories containing data files (default behavior) +- Analyze a specific folder and its subdirectories +- Generic directory structure support (not tied to specific naming conventions) +- Automatic categorization based on filename patterns and content detection +- Automatic creation of data.yml files in directories containing data files +- Summary report generation + +Usage Examples: + # Analyze all directories recursively + python dataset_analyzer.py + + # Analyze a specific directory and its subdirectories + python dataset_analyzer.py --folder datasets/attack_techniques/T1003.001 + + # Analyze a specific folder (malware, honeypots, etc.) + python dataset_analyzer.py --folder datasets/malware + + # Use custom base path + python dataset_analyzer.py --base-path /path/to/data + +Author: Generated for attack_data repository analysis +""" + +import re +import logging +import argparse +import uuid +from pathlib import Path +from typing import Dict, List, Tuple, Optional, Callable, Any +from dataclasses import dataclass, field +from datetime import datetime + +try: + import yaml +except ImportError: + print("Warning: PyYAML not installed. Install with: pip install PyYAML") + yaml = None + +# Configure logging +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s' +) +logger = logging.getLogger(__name__) + + +@dataclass +class DatasetInfo: + """Information about a dataset file""" + name: str + path: str + sourcetype: str + source: Optional[str] = None + + +@dataclass +class CategoryRule: + """Rule for categorizing datasets""" + pattern: str + sourcetype: str + source: Optional[str] = None + content_check: Optional[str] = None + description: str = "" + field_checks: Dict[str, Any] = field(default_factory=dict) + data_checker: Optional[Callable[[Path], Tuple[Optional[str], Optional[str]]]] = None + + +class DatasetAnalyzer: + """Analyzes and categorizes datasets in the attack_data repository""" + + def __init__(self, base_path: str = "datasets"): + self.base_path = Path(base_path) + self.rules = self._initialize_rules() + self.provider_mappings = self._initialize_provider_mappings() + + def _initialize_provider_mappings(self) -> Dict[str, Dict[str, str]]: + """Initialize Windows Event Log provider name to source/sourcetype mappings""" + return { + "Microsoft-Windows-Sysmon": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" + }, + "Microsoft-Windows-PowerShell": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" + }, + "Microsoft-Windows-Security-Auditing": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Security" + }, + "Microsoft-Windows-Kernel-General": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Microsoft-Windows-Kernel-Power": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Service Control Manager": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Microsoft-Windows-Windows Defender": { + "sourcetype": "XmlWinEventLog", + "source": ("XmlWinEventLog:Microsoft-Windows-Windows " + "Defender/Operational") + }, + "Microsoft-Windows-WinLogon": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Security" + }, + "Microsoft-Windows-TerminalServices-LocalSessionManager": { + "sourcetype": "XmlWinEventLog", + "source": ("XmlWinEventLog:Microsoft-Windows-" + "TerminalServices-LocalSessionManager/Operational") + }, + "Microsoft-Windows-Application-Experience": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Application" + }, + "Application Error": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Application" + } + } + + def _check_windows_xml_provider(self, file_path: Path) -> ( + Tuple[Optional[str], Optional[str]]): + """Check Windows XML logs for Provider name and return source/sourcetype""" + try: + with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: + # Read first few events to find provider + content = f.read(8192) # Read first 8KB + + # Look for Provider Name pattern + provider_pattern = r' List[CategoryRule]: + """Initialize categorization rules based on common patterns""" + return [ + # Windows Event Logs - XML format with provider-based detection + CategoryRule( + pattern=r".*windows.*", + # Default, will be overridden by data_checker + sourcetype="XmlWinEventLog", + source=None, # Will be set by data_checker + content_check="xml", + description=("Windows Event logs in XML format " + "(provider-based detection)"), + data_checker=self._check_windows_xml_provider + ), + CategoryRule( + pattern=r".*\.xml.*", + sourcetype="XmlWinEventLog", + source=None, + content_check="xml", + description="XML Event logs (provider-based detection)", + data_checker=self._check_windows_xml_provider + ), + # Legacy specific Windows log patterns (lower priority) + CategoryRule( + pattern=r".*windows-sysmon.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", + content_check="xml", + description=("Windows Sysmon logs in XML format " + "(legacy pattern)") + ), + CategoryRule( + pattern=r".*sysmon.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", + content_check="xml", + description=("Sysmon logs in XML format " + "(legacy pattern)") + ), + CategoryRule( + pattern=r".*windows-security.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Security", + content_check="xml", + description=("Windows Security Event logs in XML format " + "(legacy pattern)") + ), + CategoryRule( + pattern=r".*windows-system.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:System", + content_check="xml", + description=("Windows System Event logs in XML format " + "(legacy pattern)") + ), + CategoryRule( + pattern=r".*windows-powershell.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", + content_check="xml", + description=("Windows PowerShell logs in XML format " + "(legacy pattern)") + ), + CategoryRule( + pattern=r".*windows-application.*", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Application", + content_check="xml", + description=("Windows Application Event logs in XML " + "format (legacy pattern)") + ), + + # CrowdStrike Falcon + CategoryRule( + pattern=r".*crowdstrike.*", + sourcetype="crowdstrike:events:sensor", + source="crowdstrike", + content_check="json", + description="CrowdStrike Falcon sensor events" + ), + CategoryRule( + pattern=r".*falcon.*", + sourcetype="crowdstrike:events:sensor", + source="crowdstrike", + content_check="json", + description="CrowdStrike Falcon sensor events" + ), + + # Linux/Unix logs + CategoryRule( + pattern=r".*syslog.*", + sourcetype="syslog", + source="syslog", + description="Linux/Unix syslog files" + ), + CategoryRule( + pattern=r".*auth.*", + sourcetype="linux_secure", + source="linux_secure", + description="Linux authentication logs" + ), + CategoryRule( + pattern=r".*secure.*", + sourcetype="linux_secure", + source="linux_secure", + description="Linux secure logs" + ), + CategoryRule( + pattern=r".*auditd.*", + sourcetype="auditd", + source="auditd", + description="Linux auditd logs" + ), + CategoryRule( + pattern=r".*sysmon_linux.*", + sourcetype="sysmon:linux", + source="Syslog:Linux-Sysmon/Operational", + description="Linux Sysmon logs" + ), + + # Network and Firewall logs + CategoryRule( + pattern=r".*firewall.*", + sourcetype="firewall", + description="Firewall logs" + ), + CategoryRule( + pattern=r".*palo.*alto.*", + sourcetype="pan:traffic", + description="Palo Alto firewall logs" + ), + CategoryRule( + pattern=r".*cisco_secure_firewall.*", + sourcetype="cisco:sfw:estreamer", + source="not_applicable", + description="Cisco network device logs" + ), + + # Web server logs + CategoryRule( + pattern=r".*access.*", + sourcetype="access_combined", + description="Web server access logs" + ), + CategoryRule( + pattern=r".*apache.*", + sourcetype="access_combined", + description="Apache web server logs" + ), + CategoryRule( + pattern=r".*nginx.*", + sourcetype="nginx:plus:access", + description="Nginx web server logs" + ), + CategoryRule( + pattern=r".*iis.*", + sourcetype="iis", + source="iis", + description="IIS web server logs" + ), + + # Cloud and container logs + CategoryRule( + pattern=r".*aws.*", + sourcetype="aws:cloudtrail", + source="aws_cloudtrail", + description="AWS CloudTrail logs" + ), + CategoryRule( + pattern=r".*asl.*", + sourcetype="aws:cloudtrail:lake", + source="aws_asl", + description="AWS ASL logs" + ), + CategoryRule( + pattern=r".*azure.*", + sourcetype="azure:monitor:aad", + source="azure", + description="Azure activity logs" + ), + CategoryRule( + pattern=r".*kubernetes.*", + sourcetype="__json", + source="kubernetes", + description="Kubernetes container logs" + ), + + # Application logs + CategoryRule( + pattern=r".*okta.*", + sourcetype="OktaIM2:log", + source="Okta", + description="Okta logs" + ), + CategoryRule( + pattern=r".*pingid.*", + sourcetype="__json", + source="PINGID", + description="PingID logs" + ), + CategoryRule( + pattern=r".*gws.*", + sourcetype="gws:reports:login", + source="gws:reports:login", + description="Google Workspace logs" + ), + CategoryRule( + pattern=r".*gsuite.*", + sourcetype="gsuite:gmail:bigquery", + source="http:gsuite", + description="GSuite logs" + ), + CategoryRule( + pattern=r".*o365.*", + sourcetype="o365:management:activity", + source="o365", + description="O365 logs" + ), + CategoryRule( + pattern=r".*cisco_duo.*", + sourcetype="cisco:duo:administrator", + source="duo", + description="Cisco Duo logs" + ), + CategoryRule( + pattern=r".*esxi.*", + sourcetype="vmw-syslog", + source="vmware:esxlog", + description="VMware ESXi logs" + ), + CategoryRule( + pattern=r".*zscalar.*", + sourcetype="zscalernss-web", + source="zscaler", + description="Zscaler logs" + ), + CategoryRule( + pattern=r".*suricata.*", + sourcetype="suricata", + source="suricata", + description="Suricata logs" + ), + CategoryRule( + pattern=r".*zeek_conn.*", + sourcetype="bro:conn:json", + source="bro", + description="Zeek conn logs" + ), + CategoryRule( + pattern=r".*exchange.*", + sourcetype="MSExchange:Management", + source="MSExchange:Management", + description="Microsoft Exchange logs" + ), + CategoryRule( + pattern=r".*sharepoint.*", + sourcetype="sharepoint:uls", + description="SharePoint logs" + ), + CategoryRule( + pattern=r".*crushftp.*", + sourcetype="crushftp:sessionlogs", + source="crushftp", + description="CrushFTP logs" + ), + + # JSON format logs (generic) + CategoryRule( + pattern=r".*\.json.*", + sourcetype="json", + content_check="json", + description="JSON formatted logs" + ), + + ] + + def _detect_content_type(self, file_path: Path) -> str: + """Detect the content type of a file by examining its contents""" + try: + # Read first few lines to determine format + with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: + first_lines = [] + for i, line in enumerate(f): + if i >= 10: # Read first 10 lines + break + first_lines.append(line.strip()) + + content = '\n'.join(first_lines) + + # Check for XML (Windows Event Log format) + if (' 1: + # Simple heuristic: if most lines have similar comma count + comma_counts = [line.count(',') for line in first_lines + if line] + if comma_counts and len(set(comma_counts)) <= 2: + return 'csv' + + return 'text' + + except Exception as e: + logger.warning(f"Could not detect content type for {file_path}: {e}") + return 'unknown' + + def _apply_rules(self, file_path: Path) -> Optional[ + Tuple[str, Optional[str], bool] + ]: + """Apply categorization rules and return (sourcetype, source, + is_specific_rule)""" + filename = file_path.name.lower() + content_type = self._detect_content_type(file_path) + + for i, rule in enumerate(self.rules): + if re.match(rule.pattern.lower(), filename): + # If rule has content check, verify it matches + if rule.content_check and rule.content_check != content_type: + continue + + # Check if rule has a data checker + # (for field-based detection) + sourcetype = rule.sourcetype + source = rule.source + if rule.data_checker: + try: + checked_sourcetype, checked_source = ( + rule.data_checker(file_path)) + if checked_sourcetype: + sourcetype = checked_sourcetype + logger.info( + f"Data checker updated sourcetype to " + f"'{sourcetype}' for {filename}") + if checked_source: + source = checked_source + logger.info( + f"Data checker updated source to " + f"'{source}' for {filename}") + except Exception as e: + logger.warning(f"Data checker failed for {filename}: {e}") + # Continue with original rule values if + # checker fails + + # Check if this is the generic fallback rule (last rule) + is_specific_rule = i < len(self.rules) - 1 + + logger.debug( + f"Applied rule '{rule.description}' to {filename} " + f"(specific: {is_specific_rule}, sourcetype: {sourcetype}, " + f"source: {source})") + return sourcetype, source, is_specific_rule + + logger.warning(f"No matching rule found for {filename}") + return None + + def _is_data_file(self, file_path: Path) -> bool: + """Check if a file is a data file (not .yml, .zip, or system files)""" + excluded_extensions = {'.yml', '.yaml', '.zip', '.tar', '.gz', + '.rar', '.7z'} + excluded_filenames = {'.ds_store'} + + return (file_path.suffix.lower() not in excluded_extensions and + file_path.name.lower() not in excluded_filenames) + + def _find_datasets(self, technique_path: Path) -> List[Path]: + """Find all dataset files in a technique directory""" + datasets = [] + + for item in technique_path.rglob('*'): + if item.is_file() and self._is_data_file(item): + datasets.append(item) + + return datasets + + def _get_mitre_technique(self, technique_path: Path) -> str: + """Extract MITRE technique ID from path""" + # Extract technique ID from path like "datasets/attack_techniques/T1003.001/..." + parts = technique_path.parts + for part in parts: + if part.startswith('T') and ('.' in part or part[1:].isdigit()): + return part + return "unknown" + + def _generate_dataset_info( + self, datasets: List[Path], base_path: Path + ) -> Tuple[List[DatasetInfo], List[Dict]]: + """Generate dataset information with categorization and track ignored files""" + dataset_infos = [] + ignored_files = [] + + for dataset_path in datasets: + # Create relative path from the datasets directory + try: + # Find the datasets root by looking for "datasets" in the path + datasets_root = None + for parent in dataset_path.parents: + if parent.name == "datasets": + datasets_root = parent + break + + if datasets_root: + relative_path = dataset_path.relative_to(datasets_root) + web_path = f"/datasets/{relative_path.as_posix()}" + else: + # If no datasets parent found, try the original base_path + relative_path = dataset_path.relative_to(self.base_path) + web_path = f"/datasets/{relative_path.as_posix()}" + except ValueError: + # Fallback if relative path fails + web_path = f"/datasets/{dataset_path.name}" + + # Apply categorization rules + result = self._apply_rules(dataset_path) + if result: + sourcetype, source, is_specific_rule = result + + if is_specific_rule: + # Only include files that match specific rules + dataset_info = DatasetInfo( + name=dataset_path.name, + path=web_path, + sourcetype=sourcetype, + source=source + ) + dataset_infos.append(dataset_info) + logger.info(f"Categorized {dataset_path.name} as {sourcetype}") + else: + # Track files that only match generic fallback rules + ignored_files.append({ + 'name': dataset_path.name, + 'path': web_path, + 'sourcetype': sourcetype, + 'reason': 'generic_fallback_rule' + }) + logger.info( + f"Ignored {dataset_path.name} (generic rule: {sourcetype})" + ) + else: + # Track files that don't match any rule + ignored_files.append({ + 'name': dataset_path.name, + 'path': web_path, + 'sourcetype': 'unknown', + 'reason': 'no_matching_rule' + }) + logger.error(f"Could not categorize {dataset_path.name}") + + return dataset_infos, ignored_files + + def analyze_technique_directory(self, technique_path: Path) -> Optional[Dict]: + """Analyze a single technique directory and generate YAML structure""" + if not technique_path.is_dir(): + return None + + datasets = self._find_datasets(technique_path) + if not datasets: + logger.info(f"No datasets found in {technique_path}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info( + datasets, self.base_path + ) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {technique_path}") + return None + + # Extract technique information + mitre_technique = self._get_mitre_technique(technique_path) + + # Generate YAML structure + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': str(uuid.uuid4()), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets for technique ' + f'{mitre_technique}'), + 'environment': 'attack_range', + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_specific_folder(self, folder_path: str) -> Dict[str, Dict]: + """Analyze a specific folder recursively and return results""" + results = {} + target_path = Path(folder_path) + + if not target_path.exists(): + logger.error(f"Folder not found: {target_path}") + return results + + if not target_path.is_dir(): + logger.error(f"Path is not a directory: {target_path}") + return results + + logger.info(f"Analyzing specific folder: {target_path}") + + # Initialize ignored files tracking + self._ignored_files = [] + + # Store the analysis base path for later use in creating data.yml files + self._analysis_base_path = target_path.resolve() + + # Find all directories that contain data files within the target path + data_directories = self._find_directories_with_data(target_path) + + if not data_directories: + logger.warning(f"No directories with data files found in {target_path}") + return results + + logger.info(f"Found {len(data_directories)} directories containing data files") + + for data_dir in data_directories: + logger.info(f"Analyzing {data_dir}...") + yaml_data = self._analyze_data_directory(data_dir) + + if yaml_data: + # Store the actual directory path in the yaml_data for later use + yaml_data['_source_directory'] = str(data_dir.resolve()) + + # Use relative path from target_path as key for uniqueness + try: + rel_path = data_dir.relative_to(target_path) + results[str(rel_path)] = yaml_data + except ValueError: + # Fallback if relative path fails + results[data_dir.name] = yaml_data + logger.info(f"Successfully analyzed {data_dir}") + else: + logger.info(f"No analyzable data in {data_dir}") + + return results + + def _find_directories_with_data(self, base_path: Path) -> List[Path]: + """Find all directories that contain data files (recursively)""" + data_directories = [] + + # First, check if the base_path itself contains data files + has_data_files = False + for file_item in base_path.iterdir(): + if file_item.is_file() and self._is_data_file(file_item): + has_data_files = True + break + + if has_data_files: + data_directories.append(base_path) + + # Then use rglob to find subdirectories that contain data files + for item in base_path.rglob('*'): + if item.is_dir(): + # Check if this directory contains any data files (non-recursive check) + has_data_files = False + for file_item in item.iterdir(): + if file_item.is_file() and self._is_data_file(file_item): + has_data_files = True + break + + if has_data_files: + data_directories.append(item) + + return data_directories + + def _analyze_data_directory(self, data_dir: Path) -> Optional[Dict]: + """Analyze a directory containing data files""" + if not data_dir.is_dir(): + return None + + # Find data files in this specific directory (not recursive) + datasets = [] + for item in data_dir.iterdir(): + if item.is_file() and self._is_data_file(item): + datasets.append(item) + + if not datasets: + logger.info(f"No data files found in {data_dir}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info(datasets, data_dir) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {data_dir}") + return None + + # Generate YAML structure for data directory + try: + relative_path = data_dir.relative_to(self.base_path) + directory_str = str(relative_path) + except ValueError: + # Fallback if relative path fails (e.g., when target is outside base_path) + relative_path = data_dir + directory_str = str(data_dir.name) + + # Extract MITRE technique from directory path + mitre_technique = self._get_mitre_technique(data_dir) + + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': str(uuid.uuid4()), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets in directory ' + f'{directory_str}'), + 'environment': 'attack_range', + 'directory': directory_str, + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_generic_directory(self, directory_path: Path) -> Optional[Dict]: + """Analyze a generic directory that doesn't follow technique naming""" + if not directory_path.is_dir(): + return None + + datasets = self._find_datasets(directory_path) + if not datasets: + logger.info(f"No datasets found in {directory_path}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info( + datasets, directory_path + ) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {directory_path}") + return None + + # Generate YAML structure for generic directory + # Extract MITRE technique from directory path + mitre_technique = self._get_mitre_technique(directory_path) + + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': str(uuid.uuid4()), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets in directory ' + f'{directory_path.name}'), + 'environment': 'attack_range', + 'directory': directory_path.name, + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_all_directories(self) -> Dict[str, Dict]: + """Analyze all directories recursively and return results""" + results = {} + + if not self.base_path.exists(): + logger.error(f"Base path not found: {self.base_path}") + return results + + logger.info(f"Starting recursive analysis from: {self.base_path}") + + # Initialize ignored files tracking + self._ignored_files = [] + + # Find all directories that contain data files + data_directories = self._find_directories_with_data(self.base_path) + + logger.info(f"Found {len(data_directories)} directories containing data files") + + for data_dir in data_directories: + logger.info(f"Analyzing {data_dir}...") + yaml_data = self._analyze_data_directory(data_dir) + + if yaml_data: + # Store the actual directory path in the yaml_data for later use + yaml_data['_source_directory'] = str(data_dir.resolve()) + + # Use relative path as key for uniqueness + rel_path = data_dir.relative_to(self.base_path) + results[str(rel_path)] = yaml_data + logger.info(f"Successfully analyzed {data_dir}") + else: + logger.info(f"No analyzable data in {data_dir}") + + return results + + def create_data_yaml_files(self, results: Dict[str, Dict]): + """Create data.yml files in the same directories as the datasets""" + if yaml is None: + logger.error("PyYAML not available. Cannot create data.yml files.") + return + + for directory_key, yaml_data in results.items(): + if 'datasets' not in yaml_data or not yaml_data['datasets']: + continue + + # Check if we have the actual source directory stored + if '_source_directory' in yaml_data: + directory_path = Path(yaml_data['_source_directory']) + + # Remove the internal metadata before saving + yaml_data_clean = yaml_data.copy() + del yaml_data_clean['_source_directory'] + + if directory_path.exists() and directory_path.is_dir(): + data_yml_path = directory_path / "data.yml" + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data_clean, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + logger.info(f"Created data.yml in {directory_path}") + except Exception as e: + logger.error(f"Failed to create data.yml in {directory_path}: " + f"{e}") + else: + logger.warning(f"Source directory does not exist: {directory_path}") + continue + + # Fallback to the old method for backward compatibility + first_dataset = yaml_data['datasets'][0] + dataset_path = first_dataset.get('path', '') + + if dataset_path.startswith('/datasets/'): + # Convert web path to local path + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_file_path = self.base_path / local_path + directory_path = full_file_path.parent + + if directory_path.exists() and directory_path.is_dir(): + data_yml_path = directory_path / "data.yml" + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + logger.info(f"Created data.yml in {directory_path}") + except Exception as e: + logger.error(f"Failed to create data.yml in {directory_path}: " + f"{e}") + else: + logger.warning(f"Directory does not exist: {directory_path}") + else: + logger.warning(f"Invalid dataset path format: {dataset_path}") + + def _find_technique_directory(self, technique_id: str) -> Optional[Path]: + """Find the directory path for a given technique ID""" + attack_techniques_path = self.base_path / "attack_techniques" + technique_path = attack_techniques_path / technique_id + + if technique_path.exists() and technique_path.is_dir(): + return technique_path + return None + + def _find_generic_directory(self, directory_name: str, + yaml_data: Dict) -> Optional[Path]: + """Find a generic directory based on dataset paths""" + if 'datasets' not in yaml_data or not yaml_data['datasets']: + return None + + # Get the first dataset path and extract the directory + first_dataset = yaml_data['datasets'][0] + dataset_path = first_dataset.get('path', '') + + # Convert web path back to local path + if dataset_path.startswith('/datasets/'): + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_path = self.base_path / local_path + + # Get the directory containing the file + directory_path = full_path.parent + if directory_path.exists() and directory_path.is_dir(): + return directory_path + + return None + + def _create_data_yml_from_paths(self, base_directory: Path, yaml_data: Dict): + """Create data.yml files based on dataset paths""" + if 'datasets' not in yaml_data: + return + + # Group datasets by their directory + datasets_by_dir = {} + + for dataset in yaml_data['datasets']: + dataset_path = dataset.get('path', '') + if dataset_path.startswith('/datasets/'): + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_path = self.base_path / local_path + dataset_dir = full_path.parent + + if dataset_dir not in datasets_by_dir: + datasets_by_dir[dataset_dir] = [] + datasets_by_dir[dataset_dir].append(dataset) + + # Create data.yml in each directory that has datasets + for directory, datasets in datasets_by_dir.items(): + if directory.exists() and directory.is_dir(): + dir_yaml_data = yaml_data.copy() + dir_yaml_data['datasets'] = datasets + self._create_data_yml_in_directory(directory, dir_yaml_data) + + def _find_subdirs_with_datasets(self, technique_path: Path) -> List[Path]: + """Find subdirectories that contain dataset files""" + subdirs_with_datasets = [] + + for item in technique_path.iterdir(): + if item.is_dir(): + # Check if this subdirectory contains dataset files + datasets = self._find_datasets(item) + if datasets: + subdirs_with_datasets.append(item) + + return subdirs_with_datasets + + def _get_datasets_for_directory(self, directory: Path, + yaml_data: Dict) -> List[Dict]: + """Get datasets that belong to a specific directory""" + directory_datasets = [] + dir_name = directory.name + + for dataset in yaml_data['datasets']: + # Check if the dataset path contains this directory name + if f"/{dir_name}/" in dataset['path']: + directory_datasets.append(dataset) + + return directory_datasets + + def _create_data_yml_in_directory(self, directory: Path, yaml_data: Dict): + """Create a data.yml file in the specified directory""" + data_yml_path = directory / "data.yml" + + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + + logger.info(f"Created data.yml in {directory}") + + except Exception as e: + logger.error(f"Failed to create data.yml in {directory}: {e}") + + def generate_summary_report(self, results: Dict[str, Dict]) -> str: + """Generate a summary report of the analysis""" + total_techniques = len(results) + total_datasets = sum(len(data['datasets']) for data in results.values()) + + # Count sourcetypes for included datasets + sourcetype_counts = {} + for data in results.values(): + for dataset in data['datasets']: + sourcetype = dataset['sourcetype'] + sourcetype_counts[sourcetype] = ( + sourcetype_counts.get(sourcetype, 0) + 1 + ) + + # Count ignored files + ignored_files = getattr(self, '_ignored_files', []) + total_ignored = len(ignored_files) + ignored_sourcetype_counts = {} + + for ignored_file in ignored_files: + sourcetype = ignored_file['sourcetype'] + ignored_sourcetype_counts[sourcetype] = ( + ignored_sourcetype_counts.get(sourcetype, 0) + 1 + ) + + report = f""" +Dataset Analysis Summary Report +============================== + +Total Techniques Analyzed: {total_techniques} +Total Datasets Categorized: {total_datasets} +Total Files Ignored: {total_ignored} + +Sourcetype Distribution (Included in data.yml): +{'-' * 50} +""" + + for sourcetype, count in sorted(sourcetype_counts.items(), + key=lambda x: x[1], reverse=True): + report += f"{sourcetype:<40} {count:>6}\n" + + if ignored_files: + report += f"\nIgnored Files (Generic/No Rules):\n{'-' * 50}\n" + for sourcetype, count in sorted(ignored_sourcetype_counts.items(), + key=lambda x: x[1], reverse=True): + report += f"{sourcetype:<40} {count:>6}\n" + + report += f"\nIgnored File Details:\n{'-' * 50}\n" + for ignored_file in ignored_files: + reason = ignored_file['reason'].replace('_', ' ').title() + report += f"{ignored_file['path']:<80} {reason}\n" + + report += f"\n{'-' * 50}\n" + report += (f"Report generated on: " + f"{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n") + + return report + + +def parse_arguments(): + """Parse command line arguments""" + parser = argparse.ArgumentParser( + description="Dataset Analyzer for Attack Data Repository", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + # Analyze all directories recursively (creates data.yml files automatically) + python dataset_analyzer.py + + # Analyze a specific directory and its subdirectories + python dataset_analyzer.py --folder datasets/attack_techniques/T1003.001 + + # Analyze any custom folder + python dataset_analyzer.py --folder /path/to/custom/folder + + # Use custom base path + python dataset_analyzer.py --base-path /path/to/data + """ + ) + + parser.add_argument( + "--folder", "-f", + type=str, + help="Specific folder to analyze (default: analyze all directories recursively)" + ) + + parser.add_argument( + "--base-path", "-b", + type=str, + default="datasets", + help="Base path for the datasets directory (default: datasets)" + ) + + parser.add_argument( + "--verbose", "-v", + action="store_true", + help="Enable verbose logging" + ) + + return parser.parse_args() + + +def main(): + """Main execution function""" + args = parse_arguments() + + # Configure logging level + if args.verbose: + logging.getLogger().setLevel(logging.DEBUG) + + print("Dataset Analyzer for Attack Data Repository") + print("=" * 50) + + # Initialize analyzer with custom base path if provided + analyzer = DatasetAnalyzer(base_path=args.base_path) + + # Determine analysis mode + if args.folder: + # Analyze specific folder + print(f"Starting analysis of specific folder: {args.folder}") + results = analyzer.analyze_specific_folder(args.folder) + analysis_type = "folder" + else: + # Analyze all directories (default behavior) + print("Starting analysis of all directories...") + results = analyzer.analyze_all_directories() + analysis_type = "all directories" + + if not results: + print(f"No results found for {analysis_type}. " + f"Please check the path and directory structure.") + return + + # Create data.yml files in dataset directories + print("\nCreating data.yml files in dataset directories...") + analyzer.create_data_yaml_files(results) + + # Generate and save summary report + report = analyzer.generate_summary_report(results) + print(report) + + # Save report to file + report_filename = (f"dataset_analysis_report_" + f"{datetime.now().strftime('%Y%m%d_%H%M%S')}.txt") + with open(report_filename, "w", encoding="utf-8") as f: + f.write(report) + + print("Analysis complete!") + print(f"- Summary report saved to: {report_filename}") + print("- data.yml files created in dataset directories") + + if args.folder: + print(f"- Analyzed folder: {args.folder}") + else: + print(f"- Analyzed {len(results)} directories with data files") + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/bin/dataset_schema.json b/bin/dataset_schema.json new file mode 100644 index 000000000..6acc39cf5 --- /dev/null +++ b/bin/dataset_schema.json @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97085370d23378475c243e900bfeb0b462b849ff3e2b4f38fec5547177c91a3b +size 2274 diff --git a/bin/replay.py b/bin/replay.py deleted file mode 100644 index 8064624ce..000000000 --- a/bin/replay.py +++ /dev/null @@ -1,196 +0,0 @@ -import argparse -import sys -import yaml -import os -import re -import io -import json -import fileinput -from datetime import datetime -from datetime import timedelta -import splunklib.client as client - - -class DataManipulation: - - def manipulate_timestamp(self, file_path, sourcetype, source): - # check that we support the source or sourcetype sent for manipulation - SUPPORTED = ['WinEventLog:System', 'WinEventLog:Security', 'exchange', 'aws:cloudtrail'] - if (sourcetype in SUPPORTED) or (source in SUPPORTED): - print("updating timestamps before replaying for file: {0}".format(file_path)) - else: - print("WARNING - cannot manipulate the timestamp for file: {0}, sourcetype: `{1}` or source: `{2}` it is not currently supported.".format(file_path, sourcetype, source)) - return - - if sourcetype == 'aws:cloudtrail': - self.manipulate_timestamp_cloudtrail(file_path) - - if source == 'WinEventLog:System' or source == 'WinEventLog:Security': - self.manipulate_timestamp_windows_event_log_raw(file_path) - - if source == 'exchange': - self.manipulate_timestamp_exchange_logs(file_path) - - - def manipulate_timestamp_exchange_logs(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%S") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S") - - difference = now - latest_event - f.close() - - for line in fileinput.input(path, inplace=True): - d = json.loads(line) - original_time = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S") - print (line.replace(original_time, new_time),end ='') - - - def manipulate_timestamp_windows_event_log_raw(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") - self.now = datetime.now() - self.now = self.now.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - self.now = datetime.strptime(self.now,"%Y-%m-%dT%H:%M:%S.%fZ") - - # read raw logs - regex = r'\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M' - data = f.read() - lst_matches = re.findall(regex, data) - if len(lst_matches) > 0: - latest_event = datetime.strptime(lst_matches[-1],"%m/%d/%Y %I:%M:%S %p") - self.difference = self.now - latest_event - f.close() - - result = re.sub(regex, self.replacement_function, data) - - with io.open(file_path, "w+", encoding='utf8') as f: - f.write(result) - else: - f.close() - return - - - def replacement_function(self, match): - try: - event_time = datetime.strptime(match.group(),"%m/%d/%Y %I:%M:%S %p") - new_time = self.difference + event_time - return new_time.strftime("%m/%d/%Y %I:%M:%S %p") - except Exception as e: - print("ERROR - in timestamp replacement occured: " + str(e)) - return match.group() - - - def manipulate_timestamp_cloudtrail(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") - - try: - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S.%fZ") - except ValueError: - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%SZ") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%SZ") - - difference = now - latest_event - f.close() - - for line in fileinput.input(file_path, inplace=True): - try: - d = json.loads(line) - original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - print (line.replace(original_time, new_time),end ='') - except ValueError: - d = json.loads(line) - original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%SZ") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%SZ") - print (line.replace(original_time, new_time),end ='') - - -def send_to_splunk(settings): - # connect to splunk - try: - service = client.connect(host=settings['splunk']['host'], port=8089, username=settings['splunk']['username'], password=settings['splunk']['password']) - except ConnectionRefusedError as e: - print("ERROR - could not connect to the splunk server {}:8089".format(settings['splunk']['host'])) - sys.exit(1) - - # go through all datasets - for dataset in settings['datasets']: - # check dataset is enabled - if dataset['enabled']: - # does the index exists? - if dataset['replay_parameters']['index'] not in service.indexes: - print("ERROR - index {0} does not exist on splunk server {1}.".format(dataset['replay_parameters']['index'], settings['splunk']['host'])) - sys.exit(1) - # set index - index = service.indexes[dataset['replay_parameters']['index']] - fullpath = os.path.abspath(dataset['path']) - - # update timestamps before replay - if 'update_timestamp' in dataset['replay_parameters']: - if dataset['replay_parameters']['update_timestamp'] == True: - data_manipulation = DataManipulation() - data_manipulation.manipulate_timestamp(fullpath, dataset['replay_parameters']['sourcetype'], dataset['replay_parameters']['source']) - - # upload file - kwargs_submit = dict() - kwargs_submit['sourcetype'] = dataset['replay_parameters']['sourcetype'] - kwargs_submit['rename-source'] = dataset['replay_parameters']['source'] - results = index.upload(fullpath, **kwargs_submit) - return True - -def parse_config(CONFIG_PATH, VERBOSE): - with open(CONFIG_PATH, 'r') as stream: - try: - settings = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - print("ERROR: reading configuration file {0}".format(CONFIG_PATH)) - sys.exit(1) - return settings - - -if __name__ == "__main__": - # grab arguments - parser = argparse.ArgumentParser(description="replays attack_data datasets into a configured splunk server", epilog=""" - replay.py requires you to have a running splunk instance and username/password set under replay.yml in order to function.""") - parser.add_argument("-c", "--config", required=False, default="replay.yml", - help="path to the configuration file of replay.py, defaults to replay.yml") - parser.add_argument("-v", "--verbose", required=False, action='store_true', help="prints verbose output") - - # parse them - args = parser.parse_args() - CONFIG_PATH = args.config - verbose = args.verbose - settings = parse_config(CONFIG_PATH, verbose) - status = send_to_splunk(settings) - - if status: - print("successfully indexed {0} dataset on splunk server {1}".format(len(settings['datasets']), settings['splunk']['host'])) - else: - print("ERROR - issue replaying desired datasets on splunk server {0}".format(settings['splunk']['host'])) diff --git a/bin/replay.yml b/bin/replay.yml deleted file mode 100644 index e6c45057d..000000000 --- a/bin/replay.yml +++ /dev/null @@ -1,27 +0,0 @@ -splunk: - # connects to host on port 8089 make sure you have access to :8089 - host: localhost - username: admin - password: changeme - -datasets: -#name of data set to replay -- name: T1003.002_windows_security -# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server - path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log -# splunk parameters to pass - replay_parameters: - source: WinEventLog:Security - sourcetype: WinEventLog - index: main - # updates timestamp of the dataset to current time. - update_timestamp: True - enabled: True - -- name: T1003.002_sysmon - path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log - replay_parameters: - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog - index: main - enabled: True diff --git a/bin/replay_all.py b/bin/replay_all.py new file mode 100644 index 000000000..1898c152c --- /dev/null +++ b/bin/replay_all.py @@ -0,0 +1,243 @@ +#!/usr/bin/env python3 + +import os +import sys +import argparse +import glob +import uuid +import urllib +import requests +from urllib3 import disable_warnings +import yaml +from pathlib import Path + + +def load_environment_variables(): + """Load required environment variables for Splunk connection.""" + required_vars = ['SPLUNK_HOST', 'SPLUNK_HEC_TOKEN'] + env_vars = {} + for var in required_vars: + value = os.environ.get(var) + if not value: + raise ValueError(f"Environment variable {var} is required but not set") + env_vars[var.lower().replace('splunk_', '')] = value + return env_vars + + +def find_data_yml_files(folder_path): + """Find all data.yml files recursively in folder and subfolders.""" + data_yml_files = [] + folder_path = Path(folder_path) + + # Use pathlib to recursively find all data.yml files + for yml_file in folder_path.rglob("data.yml"): + data_yml_files.append(str(yml_file)) + + if not data_yml_files: + print(f"Warning: No data.yml files found in {folder_path}") + else: + print(f"Found {len(data_yml_files)} data.yml files") + + return data_yml_files + + +def parse_data_yml(yml_file_path): + """Parse a data.yml file and extract dataset information.""" + try: + with open(yml_file_path, 'r') as file: + data = yaml.safe_load(file) + + # Extract required fields + file_id = data.get('id', str(uuid.uuid4())) + datasets = data.get('datasets', []) + + # Return tuple of (id, datasets_list) + return file_id, datasets + + except Exception as e: + print(f"Error parsing {yml_file_path}: {e}") + return None, [] + + +def find_data_files(folder_path): + """Find all data files in the specified folder (supports .log, .json, .txt).""" + files = [] + for ext in ("*.log", "*.json", "*.txt"): + files.extend(glob.glob(os.path.join(folder_path, ext))) + if not files: + print(f"Warning: No data files found in {folder_path}") + return files + + +def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid, + index="test", source="test", sourcetype="test"): + """Send a data file to Splunk HEC.""" + disable_warnings() + hec_channel = str(uuid.uuid4()) + headers = { + "Authorization": f"Splunk {hec_token}", + "X-Splunk-Request-Channel": hec_channel, + } + url_params = { + "index": index, + "source": source, + "sourcetype": sourcetype, + "host": event_host_uuid, + } + url = urllib.parse.urljoin( + f"https://{splunk_host}:8088", + "services/collector/raw" + ) + with open(file_path, "rb") as datafile: + try: + res = requests.post( + url, + params=url_params, + data=datafile.read(), + allow_redirects=True, + headers=headers, + verify=False, + ) + res.raise_for_status() + print(f":white_check_mark: Sent {file_path} to Splunk HEC") + except Exception as e: + print(f":x: Error sending {file_path} to Splunk HEC: {e}") + + +def main(): + parser = argparse.ArgumentParser( + description="Recursively find and replay datasets from data.yml files " + "to Splunk via HTTP Event Collector (HEC)", + epilog=""" +Environment Variables Required: + SPLUNK_HOST - Splunk server hostname/IP + SPLUNK_HEC_TOKEN - Splunk HEC token + +Example usage: + python replay_all.py /path/to/datasets/folder + python replay_all.py datasets/attack_techniques --host-uuid 12345678-abcd-efgh + export SPLUNK_HOST="192.168.1.100" + export SPLUNK_HEC_TOKEN="your-hec-token" + +This script will: +1. Recursively find all data.yml files in the specified directory +2. Parse each data.yml file to extract dataset information +3. Replay each dataset using the source and sourcetype from the yml file +4. Use the id field from data.yml as the host field for Splunk events + """, + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + parser.add_argument( + 'path', + help='Path to a directory containing data.yml files ' + '(searches recursively)' + ) + parser.add_argument( + '--source', + default='test', + help='Source field for Splunk events (default: test)' + ) + parser.add_argument( + '--sourcetype', + default='test', + help='Sourcetype field for Splunk events (default: test)' + ) + parser.add_argument( + '--index', + default='test', + help='Splunk index to send events to (default: test)' + ) + parser.add_argument( + '--host-uuid', + help='UUID to use as the host field for Splunk events ' + '(generates random UUID if not provided)' + ) + args = parser.parse_args() + + try: + env_vars = load_environment_variables() + splunk_host = env_vars['host'] + hec_token = env_vars['hec_token'] + + if not os.path.isdir(args.path): + print(f"Error: {args.path} is not a valid directory") + sys.exit(1) + + # Find all data.yml files recursively + data_yml_files = find_data_yml_files(args.path) + + if not data_yml_files: + print(f"No data.yml files found in {args.path}") + sys.exit(1) + + # Process each data.yml file + for yml_file in data_yml_files: + print(f"\nProcessing {yml_file}...") + file_id, datasets = parse_data_yml(yml_file) + + if not file_id or not datasets: + print(f"Skipping {yml_file} - no valid data found") + continue + + # Use the id from data.yml as host field (unless user provided one) + event_host_uuid = args.host_uuid or file_id + print(f"Using host UUID: {event_host_uuid}") + + # Process each dataset in the data.yml file + for dataset in datasets: + dataset_name = dataset.get('name', 'unknown') + dataset_path = dataset.get('path', '') + dataset_source = dataset.get('source', args.source) + dataset_sourcetype = dataset.get('sourcetype', args.sourcetype) + + if not dataset_path: + print(f"Warning: No path specified for dataset " + f"'{dataset_name}', skipping") + continue + + # Handle relative paths - relative to attack_data root + if dataset_path.startswith('/datasets/'): + # Convert to absolute path based on project structure + if Path(args.path).name == 'datasets': + base_dir = Path(args.path).parent + else: + base_dir = Path(args.path) + while (base_dir.name != 'attack_data' and + base_dir.parent != base_dir): + base_dir = base_dir.parent + + if base_dir.name == 'attack_data': + full_path = base_dir / dataset_path.lstrip('/') + else: + # Fallback: assume current working directory structure + full_path = Path.cwd() / dataset_path.lstrip('/') + else: + # Assume relative to yml file location + yml_dir = Path(yml_file).parent + full_path = yml_dir / dataset_path + + if not full_path.exists(): + print(f"Warning: Dataset file not found: {full_path}") + continue + + print(f" Sending dataset '{dataset_name}' from {full_path}") + print(f" source: {dataset_source}") + print(f" sourcetype: {dataset_sourcetype}") + + send_data_to_splunk( + file_path=str(full_path), + splunk_host=splunk_host, + hec_token=hec_token, + event_host_uuid=event_host_uuid, + index=args.index, + source=dataset_source, + sourcetype=dataset_sourcetype, + ) + + except Exception as e: + print(f"Error: {e}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/bin/requirements.txt b/bin/requirements.txt index 235849b6d..f15921c97 100644 --- a/bin/requirements.txt +++ b/bin/requirements.txt @@ -1,8 +1,8 @@ -certifi==2021.5.30 -chardet==5.2.0 -idna==2.10 -pathlib==1.0.1; python_version < '3.4' -PyYAML==6.0 -requests==2.25.1 -splunk-sdk==2.0.2 -urllib3==2.3.0 +requests +urllib3 +pyyaml +splunk-sdk +gitpython +tqdm +colorama +jsonschema \ No newline at end of file diff --git a/bin/run_escu_detections.py b/bin/run_escu_detections.py new file mode 100644 index 000000000..385aa1cf7 --- /dev/null +++ b/bin/run_escu_detections.py @@ -0,0 +1,612 @@ +#!/usr/bin/env python3 + +""" +Splunk ESCU Detection Runner + +This script clones the Splunk security_content repository and runs all ESCU detections +against a Splunk instance. It parses detection YAML files and executes the searches +via Splunk's REST API. + +Author: Attack Data Team +Dependencies: See requirements.txt +""" + +import os +import sys +import argparse +import yaml +import json +import time +import logging +from pathlib import Path +from typing import List, Dict, Any, Optional +from datetime import datetime + +import splunklib.client as client +import splunklib.results as results +from git import Repo +from tqdm import tqdm +from colorama import init, Fore, Style + +# Initialize colorama for colored output +init(autoreset=True) + +# Configure logging +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s', + handlers=[ + logging.FileHandler('escu_detections.log'), + logging.StreamHandler() + ] +) +logger = logging.getLogger(__name__) + + +class SecurityContentManager: + """Manages the security_content repository operations.""" + + def __init__(self, repo_path: str = "./security_content"): + self.repo_path = Path(repo_path) + self.repo_url = "https://github.com/splunk/security_content.git" + + def clone_or_update_repo(self) -> bool: + """Clone or update the security_content repository.""" + try: + if self.repo_path.exists() and (self.repo_path / ".git").exists(): + logger.info(f"Updating existing repository at {self.repo_path}") + repo = Repo(self.repo_path) + origin = repo.remotes.origin + origin.pull() + logger.info("Repository updated successfully") + else: + logger.info(f"Cloning repository to {self.repo_path}") + self.repo_path.parent.mkdir(parents=True, exist_ok=True) + Repo.clone_from(self.repo_url, self.repo_path) + logger.info("Repository cloned successfully") + return True + except Exception as e: + logger.error(f"Failed to clone/update repository: {e}") + return False + + def find_detection_files(self) -> List[Path]: + """Find all detection YAML files in the repository.""" + detections_dir = self.repo_path / "detections" + if not detections_dir.exists(): + logger.error(f"Detections directory not found: {detections_dir}") + return [] + + detection_files = [] + for yaml_file in detections_dir.rglob("*.yml"): + detection_files.append(yaml_file) + + logger.info(f"Found {len(detection_files)} detection files") + return detection_files + + +class DetectionParser: + """Parses detection YAML files and extracts relevant information.""" + + @staticmethod + def parse_detection_file(file_path: Path) -> Optional[Dict[str, Any]]: + """Parse a detection YAML file and extract detection information.""" + try: + with open(file_path, 'r', encoding='utf-8') as f: + detection_data = yaml.safe_load(f) + + if not detection_data: + logger.warning(f"Empty detection file: {file_path}") + return None + + # Validate required fields + required_fields = ['name', 'search', 'type'] + for field in required_fields: + if field not in detection_data: + logger.warning(f"Missing required field '{field}' in {file_path}") + return None + + # Extract key information + detection = { + 'file_path': str(file_path), + 'name': detection_data.get('name', ''), + 'id': detection_data.get('id', ''), + 'description': detection_data.get('description', ''), + 'search': detection_data.get('search', ''), + 'type': detection_data.get('type', ''), + 'data_source': detection_data.get('data_source', []), + 'mitre_attack_id': detection_data.get('tags', {}).get('mitre_attack_id', []), + 'analytic_story': detection_data.get('tags', {}).get('analytic_story', []), + 'asset_type': detection_data.get('tags', {}).get('asset_type', ''), + 'security_domain': detection_data.get('tags', {}).get('security_domain', ''), + 'risk_score': detection_data.get('rba', {}).get('risk_objects', []), + 'status': detection_data.get('status', 'unknown') + } + + return detection + + except yaml.YAMLError as e: + logger.error(f"YAML parsing error in {file_path}: {e}") + return None + except Exception as e: + logger.error(f"Error parsing {file_path}: {e}") + return None + + +class SplunkConnector: + """Handles connection and search execution with Splunk.""" + + def __init__(self, host: str, port: int, username: str, password: str, + verify_ssl: bool = False): + self.host = host + self.port = port + self.username = username + self.password = password + self.verify_ssl = verify_ssl + self.service = None + + def connect(self) -> bool: + """Establish connection to Splunk.""" + try: + self.service = client.connect( + host=self.host, + port=self.port, + username=self.username, + password=self.password, + verify=self.verify_ssl + ) + logger.info(f"Successfully connected to Splunk at {self.host}:{self.port}") + return True + except Exception as e: + logger.error(f"Failed to connect to Splunk: {e}") + return False + + def run_search(self, search_query: str, earliest_time: str = "-24h", + latest_time: str = "now", max_results: int = 1000) -> Dict[str, Any]: + """Execute a search query on Splunk.""" + if not self.service: + raise Exception("Not connected to Splunk") + + try: + # Prepare search parameters + search_kwargs = { + 'earliest_time': earliest_time, + 'latest_time': latest_time, + 'max_count': max_results, + 'output_mode': 'json' + } + + # Execute the search + logger.debug(f"Executing search: {search_query[:100]}...") + job = self.service.jobs.create(search_query, **search_kwargs) + + # Wait for the job to complete + while not job.is_done(): + time.sleep(0.5) + + # Get results + results_stream = job.results(output_mode='json') + results_data = results.JSONResultsReader(results_stream) + + search_results = [] + for result in results_data: + if isinstance(result, dict): + search_results.append(result) + + # Get job statistics + job_stats = { + 'result_count': len(search_results), + 'scan_count': job.content.get('scanCount', 0), + 'event_count': job.content.get('eventCount', 0), + 'run_duration': job.content.get('runDuration', 0), + 'is_finalized': job.content.get('isFinalized', False), + 'dispatch_state': job.content.get('dispatchState', 'UNKNOWN') + } + + return { + 'success': True, + 'results': search_results, + 'stats': job_stats, + 'message': f"Search completed successfully with {len(search_results)} results" + } + + except Exception as e: + logger.error(f"Search execution failed: {e}") + return { + 'success': False, + 'results': [], + 'stats': {}, + 'message': f"Search failed: {str(e)}" + } + + +class ESCUDetectionRunner: + """Main class for running ESCU detections.""" + + def __init__(self, splunk_host: str, splunk_port: int, splunk_username: str, + splunk_password: str, repo_path: str = "./security_content", + verify_ssl: bool = False): + self.repo_manager = SecurityContentManager(repo_path) + self.splunk = SplunkConnector(splunk_host, splunk_port, splunk_username, + splunk_password, verify_ssl) + self.results = [] + + def setup(self) -> bool: + """Setup the environment and connections.""" + logger.info("Setting up ESCU Detection Runner...") + + # Clone/update repository + if not self.repo_manager.clone_or_update_repo(): + return False + + # Connect to Splunk + if not self.splunk.connect(): + return False + + logger.info("Setup completed successfully") + return True + + def run_all_detections(self, detection_filter: Optional[Dict[str, Any]] = None, + earliest_time: str = "-24h", latest_time: str = "now", + max_results: int = 1000, parallel: bool = False) -> List[Dict[str, Any]]: + """Run all detection searches and collect results.""" + + # Find detection files + detection_files = self.repo_manager.find_detection_files() + if not detection_files: + logger.error("No detection files found") + return [] + + # Parse detections + detections = [] + logger.info("Parsing detection files...") + for file_path in tqdm(detection_files, desc="Parsing detections"): + detection = DetectionParser.parse_detection_file(file_path) + if detection: + # Apply filters if provided + if detection_filter: + if self._should_include_detection(detection, detection_filter): + detections.append(detection) + else: + detections.append(detection) + + logger.info(f"Parsed {len(detections)} valid detections") + + # Execute detections + results = [] + logger.info("Executing detections...") + + for detection in tqdm(detections, desc="Running detections"): + try: + start_time = time.time() + + # Execute the search + search_result = self.splunk.run_search( + detection['search'], + earliest_time=earliest_time, + latest_time=latest_time, + max_results=max_results + ) + + execution_time = time.time() - start_time + + # Compile result + result = { + 'detection_name': detection['name'], + 'detection_id': detection['id'], + 'detection_type': detection['type'], + 'file_path': detection['file_path'], + 'execution_time': execution_time, + 'timestamp': datetime.now().isoformat(), + 'search_query': detection['search'], + 'mitre_attack_id': detection['mitre_attack_id'], + 'analytic_story': detection['analytic_story'], + 'success': search_result['success'], + 'result_count': search_result['stats'].get('result_count', 0), + 'event_count': search_result['stats'].get('event_count', 0), + 'scan_count': search_result['stats'].get('scan_count', 0), + 'message': search_result['message'], + 'results_preview': search_result['results'][:5] if search_result['results'] else [] + } + + results.append(result) + + # Log result + status_color = Fore.GREEN if search_result['success'] else Fore.RED + logger.info(f"{status_color}Detection: {detection['name']} - " + f"Results: {result['result_count']} - " + f"Time: {execution_time:.2f}s{Style.RESET_ALL}") + + except Exception as e: + logger.error(f"Failed to execute detection {detection['name']}: {e}") + results.append({ + 'detection_name': detection['name'], + 'detection_id': detection['id'], + 'success': False, + 'message': f"Execution failed: {str(e)}", + 'timestamp': datetime.now().isoformat() + }) + + self.results = results + return results + + def _should_include_detection(self, detection: Dict[str, Any], + filters: Dict[str, Any]) -> bool: + """Check if detection should be included based on filters.""" + + # Filter by type + if 'type' in filters and detection['type'] not in filters['type']: + return False + + # Filter by MITRE ATT&CK ID + if 'mitre_attack_id' in filters: + if not any(attack_id in detection['mitre_attack_id'] + for attack_id in filters['mitre_attack_id']): + return False + + # Filter by analytic story + if 'analytic_story' in filters: + if not any(story in detection['analytic_story'] + for story in filters['analytic_story']): + return False + + # Filter by security domain + if 'security_domain' in filters: + if detection['security_domain'] not in filters['security_domain']: + return False + + # Filter by status + if 'status' in filters: + if detection['status'] not in filters['status']: + return False + + return True + + def generate_report(self, output_file: str = None) -> str: + """Generate a comprehensive report of detection results.""" + if not self.results: + return "No results to report" + + # Calculate statistics + total_detections = len(self.results) + successful_detections = sum(1 for r in self.results if r['success']) + failed_detections = total_detections - successful_detections + total_results = sum(r.get('result_count', 0) for r in self.results) + + # Group by MITRE ATT&CK + mitre_stats = {} + for result in self.results: + for attack_id in result.get('mitre_attack_id', []): + if attack_id not in mitre_stats: + mitre_stats[attack_id] = {'total': 0, 'with_results': 0} + mitre_stats[attack_id]['total'] += 1 + if result.get('result_count', 0) > 0: + mitre_stats[attack_id]['with_results'] += 1 + + # Generate report + report_lines = [ + "=" * 80, + "SPLUNK ESCU DETECTION EXECUTION REPORT", + "=" * 80, + f"Report Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}", + "", + "SUMMARY:", + f" Total Detections Executed: {total_detections}", + f" Successful Executions: {successful_detections}", + f" Failed Executions: {failed_detections}", + f" Success Rate: {(successful_detections/total_detections)*100:.1f}%", + f" Total Results Found: {total_results}", + "", + "TOP MITRE ATT&CK TECHNIQUES BY RESULTS:", + ] + + # Sort MITRE techniques by results + sorted_mitre = sorted(mitre_stats.items(), + key=lambda x: x[1]['with_results'], reverse=True) + + for attack_id, stats in sorted_mitre[:10]: + report_lines.append(f" {attack_id}: {stats['with_results']}/{stats['total']} detections with results") + + report_lines.extend([ + "", + "DETECTIONS WITH RESULTS:", + ]) + + # Show detections that found results + detections_with_results = [r for r in self.results if r.get('result_count', 0) > 0] + detections_with_results.sort(key=lambda x: x.get('result_count', 0), reverse=True) + + for result in detections_with_results[:20]: # Top 20 + report_lines.append(f" {result['detection_name']}: {result['result_count']} results") + + if len(detections_with_results) > 20: + report_lines.append(f" ... and {len(detections_with_results) - 20} more") + + report_lines.extend([ + "", + "FAILED DETECTIONS:", + ]) + + failed_results = [r for r in self.results if not r['success']] + for result in failed_results[:10]: # Show first 10 failures + report_lines.append(f" {result['detection_name']}: {result.get('message', 'Unknown error')}") + + if len(failed_results) > 10: + report_lines.append(f" ... and {len(failed_results) - 10} more failures") + + report_lines.append("=" * 80) + + report_text = "\n".join(report_lines) + + # Save to file if specified + if output_file: + with open(output_file, 'w') as f: + f.write(report_text) + logger.info(f"Report saved to {output_file}") + + return report_text + + def export_results(self, output_file: str = "escu_results.json"): + """Export detailed results to JSON file.""" + with open(output_file, 'w') as f: + json.dump(self.results, f, indent=2, default=str) + logger.info(f"Detailed results exported to {output_file}") + + +def load_environment_variables(): + """Load required environment variables for Splunk connection.""" + required_vars = ['SPLUNK_HOST', 'SPLUNK_USERNAME', 'SPLUNK_PASSWORD'] + env_vars = {} + + for var in required_vars: + value = os.environ.get(var) + if not value: + raise ValueError(f"Environment variable {var} is required but not set") + env_vars[var.lower().replace('splunk_', '')] = value + + # Optional variables with defaults + env_vars['port'] = int(os.environ.get('SPLUNK_PORT', '8089')) + env_vars['verify_ssl'] = os.environ.get('SPLUNK_VERIFY_SSL', 'false').lower() == 'true' + + return env_vars + + +def main(): + parser = argparse.ArgumentParser( + description="Run all Splunk ESCU detections from security_content repository", + epilog=""" +Environment Variables Required: + SPLUNK_HOST - Splunk server hostname/IP + SPLUNK_USERNAME - Splunk username + SPLUNK_PASSWORD - Splunk password + SPLUNK_PORT - Splunk management port (default: 8089) + SPLUNK_VERIFY_SSL - Verify SSL certificates (default: false) + +Example usage: + export SPLUNK_HOST="192.168.1.100" + export SPLUNK_USERNAME="admin" + export SPLUNK_PASSWORD="changeme" + python run_escu_detections.py --time-range "-7d,now" + """, + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + + parser.add_argument( + '--repo-path', + default='./security_content', + help='Path to clone/find security_content repository (default: ./security_content)' + ) + + parser.add_argument( + '--time-range', + default='-24h,now', + help='Time range for searches in format "earliest,latest" (default: -24h,now)' + ) + + parser.add_argument( + '--max-results', + type=int, + default=1000, + help='Maximum results per detection (default: 1000)' + ) + + parser.add_argument( + '--filter-type', + nargs='+', + help='Filter detections by type (e.g., TTP Hunting Correlation)' + ) + + parser.add_argument( + '--filter-mitre', + nargs='+', + help='Filter detections by MITRE ATT&CK ID (e.g., T1003 T1059)' + ) + + parser.add_argument( + '--filter-status', + nargs='+', + default=['production'], + help='Filter detections by status (default: production)' + ) + + parser.add_argument( + '--output-report', + default='escu_detection_report.txt', + help='Output file for summary report (default: escu_detection_report.txt)' + ) + + parser.add_argument( + '--output-json', + default='escu_detection_results.json', + help='Output file for detailed JSON results (default: escu_detection_results.json)' + ) + + parser.add_argument( + '--verbose', + action='store_true', + help='Enable verbose logging' + ) + + args = parser.parse_args() + + if args.verbose: + logging.getLogger().setLevel(logging.DEBUG) + + try: + # Load environment variables + env_vars = load_environment_variables() + + # Parse time range + time_parts = args.time_range.split(',') + if len(time_parts) != 2: + raise ValueError("Time range must be in format 'earliest,latest'") + earliest_time, latest_time = time_parts + + # Create filters + filters = {} + if args.filter_type: + filters['type'] = args.filter_type + if args.filter_mitre: + filters['mitre_attack_id'] = args.filter_mitre + if args.filter_status: + filters['status'] = args.filter_status + + # Initialize runner + runner = ESCUDetectionRunner( + splunk_host=env_vars['host'], + splunk_port=env_vars['port'], + splunk_username=env_vars['username'], + splunk_password=env_vars['password'], + repo_path=args.repo_path, + verify_ssl=env_vars['verify_ssl'] + ) + + # Setup environment + if not runner.setup(): + logger.error("Setup failed") + sys.exit(1) + + # Run detections + logger.info("Starting detection execution...") + results = runner.run_all_detections( + detection_filter=filters if filters else None, + earliest_time=earliest_time, + latest_time=latest_time, + max_results=args.max_results + ) + + # Generate reports + logger.info("Generating reports...") + report = runner.generate_report(args.output_report) + print(report) + + runner.export_results(args.output_json) + + logger.info(f"Detection execution completed. Processed {len(results)} detections.") + + except Exception as e: + logger.error(f"Error: {e}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/bin/validate.py b/bin/validate.py new file mode 100644 index 000000000..38e67b146 --- /dev/null +++ b/bin/validate.py @@ -0,0 +1,310 @@ +#!/usr/bin/env python3 +""" +YAML Dataset Validation Script + +This script validates YAML files in the specified directory against a +predefined JSON schema. +All dataset YAML files must conform to the specified structure with mandatory fields. +""" + +import argparse +import json +import sys +import uuid +from datetime import datetime +from pathlib import Path +from typing import Dict, List, Any + +import yaml +from jsonschema import validate, ValidationError, draft7_format_checker + + +def load_yaml_schema() -> Dict[str, Any]: + """ + Load and return the JSON schema for validating YAML dataset files. + + Returns: + Dict containing the JSON schema definition + + Raises: + FileNotFoundError: If schema file doesn't exist + json.JSONDecodeError: If schema file is invalid JSON + """ + # Get the schema file path relative to the script location + script_dir = Path(__file__).parent + schema_path = script_dir / 'dataset_schema.json' + + try: + with open(schema_path, 'r', encoding='utf-8') as file: + return json.load(file) + except FileNotFoundError: + raise FileNotFoundError(f"Schema file not found: {schema_path}") + except json.JSONDecodeError as e: + raise json.JSONDecodeError(f"Invalid JSON in schema file {schema_path}: {e}") + + +def validate_uuid(uuid_string: str) -> bool: + """ + Validate that a string is a properly formatted UUID. + + Args: + uuid_string: String to validate as UUID + + Returns: + True if valid UUID, False otherwise + """ + try: + uuid.UUID(uuid_string) + return True + except ValueError: + return False + + +def validate_date(date_string: str) -> bool: + """ + Validate that a string is a properly formatted date (YYYY-MM-DD). + + Args: + date_string: String to validate as date + + Returns: + True if valid date, False otherwise + """ + try: + datetime.strptime(date_string, '%Y-%m-%d') + return True + except ValueError: + return False + + +def load_yaml_file(file_path: Path) -> Dict[str, Any]: + """ + Load and parse a YAML file. + + Args: + file_path: Path to the YAML file + + Returns: + Parsed YAML content as dictionary + + Raises: + yaml.YAMLError: If YAML parsing fails + FileNotFoundError: If file doesn't exist + """ + try: + with open(file_path, 'r', encoding='utf-8') as file: + return yaml.safe_load(file) + except yaml.YAMLError as e: + raise yaml.YAMLError(f"YAML parsing error in {file_path}: {e}") + except FileNotFoundError: + raise FileNotFoundError(f"File not found: {file_path}") + + +def validate_yaml_file(file_path: Path, schema: Dict[str, Any]) -> List[str]: + """ + Validate a single YAML file against the schema. + + Args: + file_path: Path to the YAML file to validate + schema: JSON schema to validate against + + Returns: + List of validation errors (empty if valid) + """ + errors = [] + + try: + # Load YAML content + yaml_content = load_yaml_file(file_path) + + # Validate against JSON schema + validate(yaml_content, schema, format_checker=draft7_format_checker) + + # Additional custom validations + if 'id' in yaml_content and not validate_uuid(yaml_content['id']): + errors.append(f"Invalid UUID format for 'id': {yaml_content['id']}") + + if 'date' in yaml_content and not validate_date(yaml_content['date']): + errors.append( + f"Invalid date format for 'date': {yaml_content['date']} " + f"(expected YYYY-MM-DD)" + ) + + except ValidationError as e: + errors.append(f"Schema validation error: {e.message}") + if e.absolute_path: + errors.append(f" Path: {' -> '.join(str(p) for p in e.absolute_path)}") + except yaml.YAMLError as e: + errors.append(f"YAML parsing error: {e}") + except FileNotFoundError as e: + errors.append(f"File error: {e}") + except Exception as e: + errors.append(f"Unexpected error: {e}") + + return errors + + +def find_yaml_files(input_dir: Path) -> List[Path]: + """ + Find all YAML files in the specified directory. + + Args: + input_dir: Path to the directory to search for YAML files + + Returns: + List of paths to YAML files + """ + yaml_files = [] + + # Look for .yml and .yaml files recursively + for pattern in ['**/*.yml', '**/*.yaml']: + yaml_files.extend(input_dir.glob(pattern)) + + # Exclude template files and files with 'old' in the name + yaml_files = [ + f for f in yaml_files + if not f.name.startswith('TEMPLATE') and 'old' not in f.name.lower() + ] + + return sorted(yaml_files) + + +def parse_arguments(): + """ + Parse command-line arguments. + + Returns: + argparse.Namespace: Parsed arguments + """ + parser = argparse.ArgumentParser( + description="Validate YAML files against a predefined JSON schema.", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + %(prog)s # Validate files in default 'datasets' dir (failures only) + %(prog)s -v # Validate with verbose output (show all files) + %(prog)s /path/to/data # Validate files in a specific directory + %(prog)s ../other_datasets # Validate files in a relative path + """ + ) + + parser.add_argument( + 'input_folder', + nargs='?', + default='datasets', + help='Directory to search for YAML files (default: datasets)' + ) + + parser.add_argument( + '-v', '--verbose', + action='store_true', + help='Show validation results for all files (default: only show failures)' + ) + + return parser.parse_args() + + +def main(): + """ + Main function to validate all YAML files in the specified directory. + """ + # Parse command-line arguments + args = parse_arguments() + + # Get the project root directory and input directory + script_dir = Path(__file__).parent + project_root = script_dir.parent + + # Handle input folder path (can be relative or absolute) + if Path(args.input_folder).is_absolute(): + input_dir = Path(args.input_folder) + else: + input_dir = project_root / args.input_folder + + if not input_dir.exists(): + print(f"Error: Input directory not found: {input_dir}") + sys.exit(1) + + if not input_dir.is_dir(): + print(f"Error: Input path is not a directory: {input_dir}") + sys.exit(1) + + print(f"Validating YAML files in: {input_dir}") + + # Load the JSON schema + try: + schema = load_yaml_schema() + except (FileNotFoundError, json.JSONDecodeError) as e: + print(f"Error loading schema: {e}") + sys.exit(1) + + # Find all YAML files + yaml_files = find_yaml_files(input_dir) + + if not yaml_files: + print(f"No YAML files found in the input directory: {input_dir}") + return + + print(f"Found {len(yaml_files)} YAML files to validate...") + if args.verbose: + print("-" * 60) + + total_files = len(yaml_files) + valid_files = 0 + invalid_files = 0 + failed_validations = [] # Track failed files and their errors + + # Validate each file + for yaml_file in yaml_files: + # Try to get relative path from project root, fallback to input_dir + try: + relative_path = yaml_file.relative_to(project_root) + except ValueError: + relative_path = yaml_file.relative_to(input_dir) + + errors = validate_yaml_file(yaml_file, schema) + + if errors: + invalid_files += 1 + # Always show failures + print(f"\n❌ INVALID: {relative_path}") + print(f" {len(errors)} error(s):") + for error in errors: + print(f" • {error}") + # Store failed validation details + failed_validations.append((relative_path, errors)) + else: + valid_files += 1 + # Only show valid files in verbose mode + if args.verbose: + print(f"\n✅ VALID: {relative_path}") + + # Print summary + print("\n" + "=" * 60) + print("VALIDATION SUMMARY") + print("=" * 60) + print(f"Total files processed: {total_files}") + print(f"Valid files: {valid_files}") + print(f"Invalid files: {invalid_files}") + + if invalid_files > 0: + print(f"\n❌ {invalid_files} file(s) failed validation!") + + # In verbose mode, also print detailed failed validations at the end + if args.verbose and failed_validations: + print("\n" + "=" * 60) + print("FAILED VALIDATIONS SUMMARY") + print("=" * 60) + for file_path, errors in failed_validations: + print(f"\n📁 {file_path}") + print("-" * 40) + for i, error in enumerate(errors, 1): + print(f"{i}. {error}") + + sys.exit(1) + else: + print("\n✅ All files passed validation!") + + +if __name__ == "__main__": + main() diff --git a/bin/write_dataset_url.py b/bin/write_dataset_url.py deleted file mode 100644 index 690d4db28..000000000 --- a/bin/write_dataset_url.py +++ /dev/null @@ -1,73 +0,0 @@ -import yaml -import glob -import os -import sys -import requests -import argparse -from os import path, walk -from pathlib import Path -import pathlib -from urllib.parse import urlparse - - -def load_file(file_path): - with open(file_path, 'r', encoding="utf-8") as stream: - try: - file = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - sys.exit("ERROR: reading {0}".format(file_path)) - return file - - -def write_file(obj, file_path): - with open(os.path.join(os.path.dirname(__file__), '../datasets/', file_path), 'w+' ) as outfile: - yaml.dump(obj, outfile , default_flow_style=False, sort_keys=False) - - -def write_new_object(obj, relative_path, branch): - new_obj = obj.copy() - new_obj['dataset'] = [] - for dataset in obj['dataset']: - a = urlparse(dataset) - data_file_name = os.path.basename(a.path) - new_obj['dataset'].append('https://media.githubusercontent.com/media/splunk/attack_data/' + branch + '/datasets/' + os.path.dirname(relative_path) + '/' + data_file_name) - - write_file(new_obj, relative_path) - - -def load_objects(relative_path): - files = [] - objs = [] - manifest_files = os.path.join(os.path.dirname(__file__), '../', relative_path) - for file in sorted(glob.glob(manifest_files)): - p = pathlib.Path(file) - rel_path = str(pathlib.Path(*p.parts[2:])) - objs.append(load_file(file)) - files.append(rel_path) - return objs, files - - -def convert_attack_data_objects(relative_path, branch): - attack_data_objs, attack_data_files = load_objects(relative_path) - - counter = 0 - for attack_data_obj in attack_data_objs: - write_new_object(attack_data_obj, attack_data_files[counter], branch) - counter += 1 - - -def main(args): - parser = argparse.ArgumentParser(description="changes url links to datasets") - parser.add_argument("-b", "--branch", required=True, help="new branch") - - args = parser.parse_args() - branch = args.branch - - convert_attack_data_objects('datasets/attack_techniques/*/*/*.yml', branch) - convert_attack_data_objects('datasets/malware/*/*.yml', branch) - convert_attack_data_objects('datasets/suspicious_behaviour/*/*.yml', branch) - - -if __name__ == "__main__": - main(sys.argv[1:]) diff --git a/datasets/TEMPLATE.yml b/datasets/TEMPLATE.yml index 2ac949fc5..dc17bb454 100644 --- a/datasets/TEMPLATE.yml +++ b/datasets/TEMPLATE.yml @@ -1,16 +1,13 @@ -# Template for creating dataset.yml -author: Patrick Bareiss -description: Credential Dumping attempt via LSASS, specifically those launched - by Atomic Red Team using Windows Credential Editor, ProcDump, comsvcs.dll, - direct system calls and API unhooking, Windows Task Manager, Mimikatz and finally pypykatz. +author: Author Name +id: cc9b25d6-efc9-11eb-926b-550bf0943fbb +date: '2022-01-12' +description: 'Describe the dataset and what techniques/tests were executed here' environment: attack_range -technique: T1003.001 -dataset: - - https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1003.001/attack_data.json - - https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1003.001/attack_data.tar.gz -references: - - https://attack.mitre.org/techniques/T1003/001/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md - - https://github.com/splunk/security-content/blob/develop/tests/T1003_001.yml -sourcetypes: 'Microsoft-Windows-Sysmon/Operational' -date: '2020-07-21' +directory: your_directory_name +mitre_technique: +- T1XXX.XXX +datasets: +- name: dataset_name + path: /datasets/attack_techniques/T1XXX.XXX/directory/dataset_file.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml index a03c4885e..035258bfe 100644 --- a/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml @@ -9,22 +9,27 @@ description: 'Atomic Test Results: Successful Execution of test T1003.001-1 Wind Offline Credential Theft With Mimikatz Return value unclear for test T1003.001-7 LSASS read with pypykatz ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_001.yml +directory: atomic_red_team +mitre_technique: +- T1003.001 +datasets: +- name: windows-sysmon_creddump + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: procdump_windows-security + path: /datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: createdump_windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log b/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log deleted file mode 100644 index e7df7a031..000000000 --- a/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4df6844399f561cdcf9a8429babd79f643e0b0173aef9e522589815ec0da4094 -size 14733218 diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml index 30055e5f2..5b52451ba 100644 --- a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml @@ -5,22 +5,15 @@ description: 'Atomic Test Results: Successful Execution of test T1003.002-1 Regi dump of SAM, creds, and secrets Return value unclear for test T1003.002-2 Registry parse with pypykatz Successful Execution of test T1003.002-3 esentutl.exe SAM copy ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/attack-range-windows-domain-controller.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/copy-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security_ssa.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_002.yml +directory: atomic_red_team +mitre_technique: +- T1003.002 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml b/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml new file mode 100644 index 000000000..bb1e66244 --- /dev/null +++ b/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1805765d-d6b1-4877-bd35-9520939dae1f +date: '2025-08-12' +description: Automatically categorized datasets in directory detect_copy_of_shadowcopy_with_script_block_logging +environment: attack_range +directory: detect_copy_of_shadowcopy_with_script_block_logging +mitre_technique: +- T1003.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml b/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml deleted file mode 100644 index d3f9fe29d..000000000 --- a/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Mauricio Velazco, Michael Haag -id: cc9b25e8-efc9-11eb-926b-550bf0943fbb -date: '2021-07-21' -description: CVE-2021-36934 exploitation using PowerShell to copy the SAM, SYSTEM - and SECURITY hives from a Volume Shadow Copy to a temp folder -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 diff --git a/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml b/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml index 4c1823bf9..923e6da58 100644 --- a/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml +++ b/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml @@ -4,11 +4,11 @@ date: '2021-07-21' description: CVE-2021-36934 exploitation using PowerShell to copy the SAM, SYSTEM and SECURITY hives from a Volume Shadow Copy to a temp folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 +directory: serioussam +mitre_technique: +- T1003.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml index 77ce3eeb5..0f2d7bbb3 100644 --- a/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml @@ -9,21 +9,19 @@ description: 'Atomic Test Results: Successful Execution of test T1003.003-1 Crea with Powershell Successful Execution of test T1003.003-6 Create Symlink to Volume Shadow Copy ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sec-events.out -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_003.yml +directory: atomic_red_team +mitre_technique: +- T1003.003 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: 4688_windows-security + path: /datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml b/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml index ae362a164..9683a3305 100644 --- a/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml +++ b/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: e68c62ae-dc5b-4852-bfb1-860b104358b7 date: '2023-12-15' description: Generated datasets for NoLMHash in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: NoLMHash +mitre_technique: +- T1003.004 +datasets: +- name: lsa-reg-settings-sysmon + path: /datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.006/impacket/impacket.yml b/datasets/attack_techniques/T1003.006/impacket/impacket.yml new file mode 100644 index 000000000..559786202 --- /dev/null +++ b/datasets/attack_techniques/T1003.006/impacket/impacket.yml @@ -0,0 +1,14 @@ +author: Dean Luxton +id: 3529f540-4c07-44f5-8e9c-940ebf3af41a +date: '2022-07-20' +description: Manual execution of secretsdump.py to perform a DCSync attack using a + domain administrator account & also DC's computer account. +environment: attack_range +directory: impacket +mitre_technique: +- T1003.006 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml b/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml deleted file mode 100644 index 6f011dce1..000000000 --- a/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: 3529f540-4c07-44f5-8e9c-940ebf3af41a -date: '2022-07-20' -description: Manual execution of secretsdump.py to perform a DCSync attack using a domain administrator account & also DC's computer account. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/zeek-dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-directory_service.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -references: -- https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py -- https://attack.mitre.org/techniques/T1003/006 diff --git a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml b/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml deleted file mode 100644 index 67e4fb6e7..000000000 --- a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Dean Luxton -id: b8460129-8cfb-449a-9b69-ac1148698319 -date: '2022-07-20' -description: Manual execution of the mimikatz DCSync attack. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/zeek-dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-directory_service.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1729 -- https://attack.mitre.org/techniques/T1003/006 diff --git a/datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml b/datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml new file mode 100644 index 000000000..360846b90 --- /dev/null +++ b/datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: b8460129-8cfb-449a-9b69-ac1148698319 +date: '2022-07-20' +description: Manual execution of the mimikatz DCSync attack. +environment: attack_range +directory: mimikatz +mitre_technique: +- T1003.006 +datasets: +- name: xml-windows-security + path: /datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml index e4b273d66..1a2bd0ba5 100644 --- a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml +++ b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml @@ -3,9 +3,11 @@ id: 55292554-6262-11ec-aae4-acde48001122 date: '2021-12-21' description: Generated datasets for copy file stdoutpipe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1003/008/ \ No newline at end of file +directory: copy_file_stdoutpipe +mitre_technique: +- T1003.008 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml index 0d969405e..0b412daf5 100644 --- a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml +++ b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml @@ -3,9 +3,11 @@ id: f4e7c8fc-c534-415b-9f99-9e9419096db5 date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1003/008 +directory: esxi_sensitive_files +mitre_technique: +- T1003.008 +datasets: +- name: esxi_shell_enabled + path: /datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml index a3fdc8e8d..db69774ca 100644 --- a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml +++ b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml @@ -3,9 +3,15 @@ id: 6c67fe1c-ef9e-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd access credential in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd \ No newline at end of file +directory: linux_auditd_access_credential +mitre_technique: +- T1003.008 +datasets: +- name: auditd_proctitle_access_cred + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log + sourcetype: auditd + source: auditd +- name: linux_auditd_access_credential + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml b/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml index f8b41c3a3..8320f70b4 100644 --- a/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml +++ b/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml @@ -3,18 +3,12 @@ id: cc9b2669-efc9-11eb-926b-550bf0143fb1 date: '2021-02-23' description: Credential extraction via DSInternals and PowerSploit modules, as well as CacheDump, FGDump, Lazagne, Mimikatz, native Microsoft debugging tools -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logFgdump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logPowerShellModule.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLazagneCredDump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log -sourcetypes: -- WinEventLog:Security -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1003/ \ No newline at end of file +environment: attack_range +directory: credential_extraction +mitre_technique: +- T1003 +datasets: +- name: mimikatzwindows-sysmon + path: /datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml b/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml index cabbffe1e..b5174e2e5 100644 --- a/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml +++ b/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml @@ -3,7 +3,11 @@ id: 63aa35fd-7ada-4d23-8cf1-070b8c5abd3f date: '2021-10-05' description: wdigest regsitry enable datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/wdigest_enable/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: wdigest_enable +mitre_technique: +- T1003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1003/wdigest_enable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml index 7024e2b33..30accb17c 100644 --- a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml +++ b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386 date: '2025-07-09' -description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools." +description: Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools. environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1005 +directory: esxi_vm_download +mitre_technique: +- T1005 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1014/T1014.yml b/datasets/attack_techniques/T1014/T1014.yml new file mode 100644 index 000000000..7a5eb4b43 --- /dev/null +++ b/datasets/attack_techniques/T1014/T1014.yml @@ -0,0 +1,17 @@ +author: Michael Haag +id: cc9b25f1-efc1-12eb-926b-550bf0943fbb +date: '2022-04-04' +description: Interesting drivers loading on Windows. +environment: attack_range +directory: T1014 +mitre_technique: +- T1014 +datasets: +- name: windows-system + path: /datasets/attack_techniques/T1014/windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: windows-sysmon + path: /datasets/attack_techniques/T1014/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1014/drivers.yml b/datasets/attack_techniques/T1014/drivers.yml deleted file mode 100644 index 1ab551a6b..000000000 --- a/datasets/attack_techniques/T1014/drivers.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Michael Haag -id: cc9b25f1-efc1-12eb-926b-550bf0943fbb -date: '2022-04-04' -description: Interesting drivers loading on Windows. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- XmlWinEventLog:System -references: -- https://attack.mitre.org/techniques/T1014 diff --git a/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml b/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml index 7c9c63691..4f7540439 100644 --- a/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml +++ b/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml @@ -3,10 +3,11 @@ id: 2481e83c-b888-4383-bc61-9d292f4e03ea date: '2025-08-05' description: Logs from usage of the Medusa rootkit on a Linux host. environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1014/ +directory: medusa_rootkit +mitre_technique: +- T1014 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml index 2b6e26368..c81dd314b 100644 --- a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml +++ b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml @@ -3,9 +3,11 @@ id: 93252b82-8d73-11ec-bb43-acde48001122 date: '2022-02-14' description: Generated datasets for linux net discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md \ No newline at end of file +directory: linux_net_discovery +mitre_technique: +- T1016 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml b/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml index d200ffa42..647347365 100644 --- a/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml +++ b/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml @@ -3,10 +3,15 @@ id: e0c0d5e5-8c29-4db3-9d27-d42f31c552f5 date: '2025-08-15' description: Generated datasets for MacOS net discovery environment: vm -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log -sourcetypes: -- osquery:results -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md \ No newline at end of file +directory: macos_net_discovery +mitre_technique: +- T1016 +datasets: +- name: osquery:results + path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log + sourcetype: osquery:results + source: osquery:results +- name: osquery:results + path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: osquery:results \ No newline at end of file diff --git a/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml b/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml index cf7007bd9..93c5b6db8 100644 --- a/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml +++ b/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml @@ -3,15 +3,11 @@ id: cc9b25e5-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual execution of multiple discovery commands. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1016 +directory: discovery_commands +mitre_technique: +- T1016 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml index 0cda382ee..9f93fc959 100644 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml @@ -3,9 +3,11 @@ id: 4655b948-5ef9-11ef-8b94-acde48001122 date: '2024-08-20' description: Generated datasets for linux auditd net tool in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log -sourcetypes: -- 'linux:audit' -references: -- https://attack.mitre.org/techniques/T1016/ \ No newline at end of file +directory: linux_auditd_net_tool +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml index 52b0a7219..38a3ec9cc 100644 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml @@ -3,9 +3,11 @@ id: 05399f54-1ab2-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd net tool new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_net_tool_new +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool_bucket_new + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml index 63422e637..dc3081f10 100644 --- a/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: 82e395f1-71d8-4cfc-8757-2dd3ab527e77 date: '2021-09-07' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml index fd8a62523..b4ce177f3 100644 --- a/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml @@ -11,16 +11,11 @@ description: 'Atomic Test Results: Return value unclear for test T1018-1 Remote T1018-10 Adfind - Enumerate Active Directory Computer Objects Return value unclear for test T1018-11 Adfind - Enumerate Active Directory Domain Controller Objects ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1018/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md +directory: atomic_red_team +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/constrained/powerview.yml b/datasets/attack_techniques/T1018/constrained/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/constrained/powerview.yml rename to datasets/attack_techniques/T1018/constrained/powerview_old.yml diff --git a/datasets/attack_techniques/T1018/unconstrained/powerview.yml b/datasets/attack_techniques/T1018/unconstrained/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/unconstrained/powerview.yml rename to datasets/attack_techniques/T1018/unconstrained/powerview_old.yml diff --git a/datasets/attack_techniques/T1018/unconstrained2/getadcomputer.yml b/datasets/attack_techniques/T1018/unconstrained2/getadcomputer_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/unconstrained2/getadcomputer.yml rename to datasets/attack_techniques/T1018/unconstrained2/getadcomputer_old.yml diff --git a/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml b/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml new file mode 100644 index 000000000..46fd79d83 --- /dev/null +++ b/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 44b5d16b-fa31-411d-92f9-076961c78516 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_get_adcomputer_unconstrained_delegation_discovery +environment: attack_range +directory: windows_get_adcomputer_unconstrained_delegation_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml b/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml new file mode 100644 index 000000000..3c354a766 --- /dev/null +++ b/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2067686c-38db-4751-b494-e7a1fe59ac7c +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_powerview_constrained_delegation_discovery +environment: attack_range +directory: windows_powerview_constrained_delegation_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1020/T1020.yml b/datasets/attack_techniques/T1020/T1020.yml new file mode 100644 index 000000000..d89d29b26 --- /dev/null +++ b/datasets/attack_techniques/T1020/T1020.yml @@ -0,0 +1,13 @@ +author: Michael Haag, Splunk +id: cc9b2621-efc9-11eb-926b-550bf0943fbb +date: '2021-05-13' +description: Generation of rclone activity related to ransomware. +environment: attack_range +directory: T1020 +mitre_technique: +- T1020 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1020/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1020/rclone.yml b/datasets/attack_techniques/T1020/rclone.yml deleted file mode 100644 index 7bf00dc92..000000000 --- a/datasets/attack_techniques/T1020/rclone.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b2621-efc9-11eb-926b-550bf0943fbb -date: '2021-05-13' -description: Generation of rclone activity related to ransomware. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1020 -- https://redcanary.com/blog/rclone-mega-extortion/ -- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml index fd564fe6e..dae784e42 100644 --- a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml +++ b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml @@ -3,9 +3,11 @@ id: 2050c38a-6d1e-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for bmc creation in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: bmc_creation +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/bmc_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml index 706475278..0c0ba143a 100644 --- a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml +++ b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml @@ -3,9 +3,11 @@ id: bf432e34-6d3b-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for mstsc admini in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: mstsc_admini +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/mstsc_admini/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml index 27ccea159..dd8383bdd 100644 --- a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml +++ b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml @@ -3,9 +3,11 @@ id: 5886e632-0336-11f0-bf1c-629be3538069 date: '2025-03-17' description: Generated datasets for mstsc rdp cmd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a \ No newline at end of file +directory: mstsc_rdp_cmd +mitre_technique: +- T1021.001 +datasets: +- name: mstsc_sysmon + path: /datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml b/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml index 9fcfe8967..d55258678 100644 --- a/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml +++ b/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml @@ -3,9 +3,11 @@ id: 30e07cc0-6d25-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for rdp creation in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: rdp_creation +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/rdp_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml b/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml index 34e28e932..cf28cd542 100644 --- a/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml +++ b/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml @@ -3,9 +3,11 @@ id: d96eb482-6dee-11f0-b544-629be3538069 date: '2025-07-31' description: Generated datasets for rdp session established in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log -sourcetypes: -- 'XmlWinEventLog:Security' -references: -- https://thelocalh0st.github.io/posts/rdp/ \ No newline at end of file +directory: rdp_session_established +mitre_technique: +- T1021.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml b/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml index e377081b9..66e157f63 100644 --- a/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml +++ b/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: b57a97b8-bf1c-48fd-990a-e82fc13dd7ed date: '2024-02-27' -description: 'Remote Desktop Connection' +description: Remote Desktop Connection environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log -sourcetypes: -- bro:conn:json -references: -- https://attack.mitre.org/techniques/T1021/001/ +directory: remote_desktop_connection +mitre_technique: +- T1021.001 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml index e320f516d..30c1c856e 100644 --- a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml +++ b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml @@ -3,9 +3,11 @@ id: 27f7e43a-6d3a-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for terminal server reg created in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: terminal_server_reg_created +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/terminal_server_reg_created/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml index 9f5fa6747..250d33eb3 100644 --- a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml +++ b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml @@ -3,9 +3,11 @@ id: a2d674e4-6d3c-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for unhide file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: unhide_file +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/unhide_file/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml index 951aa2be3..60c8ad4fb 100644 --- a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml @@ -6,20 +6,35 @@ description: 'Atomic Test Results: Return value unclear for test T1021.002-1 Map value unclear for test T1021.002-3 Copy and Execute File with PsExec Return value unclear for test T1021.002-4 Execute command writing output to local Admin Share ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: atomic_red_team +mitre_technique: +- T1021.002 +datasets: +- name: smbexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: wmiexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_smbexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: firewall-powershell + path: /datasets/attack_techniques/T1021.002/atomic_red_team/firewall-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: 4688_wmiexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml b/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml index fbaf03e5b..8fafb04e3 100644 --- a/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml +++ b/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 177bc2a6-ce86-4bb6-a73e-4a15f9377177 date: '2024-01-30' -description: 'Executable File in SMB File Share' +description: Executable File in SMB File Share environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: executable_in_share +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml b/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml index 1299b9764..bbb3ebb58 100644 --- a/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml +++ b/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 09ce0268-89f8-4029-8812-49383f8afd36 date: '2024-02-01' -description: 'Impacket smbexec execution' +description: Impacket smbexec execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: impacket_smbexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml b/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml index b8256b354..4009324df 100644 --- a/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml +++ b/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 24447df7-2244-454e-9d8d-20d770c07f2a date: '2024-02-01' -description: 'Impacket wmiexec execution' +description: Impacket wmiexec execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: impacket_wmiexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.003/impacket/impacket.yml b/datasets/attack_techniques/T1021.003/impacket/impacket.yml index cd117a877..3c20e42d5 100644 --- a/datasets/attack_techniques/T1021.003/impacket/impacket.yml +++ b/datasets/attack_techniques/T1021.003/impacket/impacket.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: d4dcde41-3544-46b9-a59d-fd5b8a4ad675 date: '2021-11-19' -description: Manually using the impacket tools to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the impacket tools to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/ +directory: impacket +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml index 55f1bb135..929a89eb6 100644 --- a/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml @@ -1,18 +1,22 @@ author: Mauricio Velazco id: dc188e4b-94ed-4e9f-82a1-c720657f94fc date: '2021-11-15' -description: Manually using the command line to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the command line to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://www.cybereason.com/blog/dcom-lateral-movement-techniques - - +directory: lateral_movement +mitre_technique: +- T1021.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml index f1c8eb0ed..76f39aa60 100644 --- a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,17 +1,14 @@ author: Mauricio Velazco id: 1bacf0a4-52cc-47e3-85c5-a82dac07aa71 date: '2021-11-23' -description: Manually using the command line to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the command line to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://www.cybereason.com/blog/dcom-lateral-movement-techniques -- https://lolbas-project.github.io/ - - +directory: lateral_movement_lolbas +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml index a0dc32ff5..dda0d0e27 100644 --- a/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml @@ -3,9 +3,11 @@ id: cc9b260c-efc9-11eb-916b-150bf0941fbb date: '2022-07-24' description: 'Simulated lateral movement with SSH' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log -sourcetypes: -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1021/004/ +directory: atomic_red_team +mitre_technique: +- T1021.004 +datasets: +- name: linux-sysmon + path: /datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml index 4e7ed3744..a679440c8 100644 --- a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml +++ b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml @@ -3,9 +3,11 @@ id: 6bce52c9-2cd1-4916-be2d-7d6214bc5c98 date: '2025-07-09' description: 'Sample of ESXi syslog events ssh being enabled on the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1021/004 +directory: esxi_ssh_enabled +mitre_technique: +- T1021.004 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml b/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml index e7c891196..55365cda8 100644 --- a/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml +++ b/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml @@ -3,9 +3,11 @@ id: 2eba8f04-033e-11f0-bf1c-629be3538069 date: '2025-03-17' description: Generated datasets for compmgtm access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/compmgtm_access/compmgmt_load.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a \ No newline at end of file +directory: compmgtm_access +mitre_technique: +- T1021.006 +datasets: +- name: compmgmt_load + path: /datasets/attack_techniques/T1021.006/compmgtm_access/compmgmt_load.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml index 97429f06c..93628486e 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 39baeeae-8bf1-4ebc-8a0c-0d5613454288 date: '2021-11-12' -description: Manually using the winrs.exe binary to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using the winrs.exe binary to start a process on a remote endpoint + leveraging the WinRM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs +directory: lateral_movement +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml index 218bd5f6b..edfd511cb 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: cd2e9c68-828b-4d5d-bbd5-a69dcb1cb69a date: '2021-11-23' -description: Manually using PowerShell and the Invoke-Command commandlet to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using PowerShell and the Invoke-Command commandlet to start + a process on a remote endpoint leveraging the WinRM protocol for lateral movement + and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 - +directory: lateral_movement_lolbas +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml b/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml index f883dea1e..ef44c7eac 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml @@ -1,16 +1,19 @@ author: Mauricio Velazco id: 97992f40-9110-40cb-b3c0-f9f615db6833 date: '2021-11-16' -description: Manually using the command line and powershell.exe to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using the command line and powershell.exe to start a process + on a remote endpoint leveraging the WinRM protocol for lateral movement and remote + code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ +directory: lateral_movement_psh +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml index 19bbdc979..0483d862f 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: adb9ad41-df52-40f7-a500-3ce343c1bbde date: '2021-11-18' -description: Manually using PowerShell to start an interactive session on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using PowerShell to start an interactive session on a remote + endpoint leveraging the WinRM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2 +directory: lateral_movement_pssession +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml b/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml index 357c5803a..d5e6fc4d7 100644 --- a/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml +++ b/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml @@ -3,9 +3,11 @@ id: 805b344a-b946-11ef-8789-acde48001122 date: '2024-12-13' description: Generated datasets for wirm execute shell in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://strontic.github.io/xcyclopedia/library/winrshost.exe-6790044CEB4BA5BE6AA8161460D990FD.html \ No newline at end of file +directory: wirm_execute_shell +mitre_technique: +- T1021.006 +datasets: +- name: winrshost_pwh + path: /datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml index b96be2e0d..576b9d722 100644 --- a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml +++ b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: a7e8ecfc-4ee6-4869-bd77-0d9fe5bcdc85 date: '2023-11-23' description: Generated datasets for wsman trustedhost in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate +environment: attack_range +directory: wsman_trustedhost +mitre_technique: +- T1021.006 +datasets: +- name: wsman_pwh + path: /datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml b/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml new file mode 100644 index 000000000..f61fb0c73 --- /dev/null +++ b/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 84c0e5ff-5ee7-424d-9b86-dd4e4d434a90 +date: '2025-08-12' +description: Automatically categorized datasets in directory allow_inbound_traffic_in_firewall_rule +environment: attack_range +directory: allow_inbound_traffic_in_firewall_rule +mitre_technique: +- T1021 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml index b3e936a27..41a862a15 100644 --- a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml +++ b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml @@ -3,9 +3,11 @@ id: 117b7a96-83f5-4de9-9394-be8997bc43f4 date: '2025-07-09' description: 'Sample of ESXi syslog events showing ESXi shell access being enabled.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1021 +directory: esxi_shell_enabled +mitre_technique: +- T1021 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content.yml b/datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content_old.yml similarity index 100% rename from datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content.yml rename to datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content_old.yml diff --git a/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry.yml b/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry_old.yml similarity index 100% rename from datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry.yml rename to datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry_old.yml diff --git a/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution.yml b/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution_old.yml similarity index 100% rename from datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution.yml rename to datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution_old.yml diff --git a/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml b/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml index d7f1e43b2..853660061 100644 --- a/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml +++ b/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml @@ -1,16 +1,16 @@ author: Michael Haag, Jose Hernandez, Splunk id: 3192b298-3dfb-4d5c-b231-83edabd0d83f date: '2022-03-18' -description: 'Ran an obfuscated [payload](https://gist.github.com/MHaggis/ccd9848a52dc76e6aa0eb1da14bb7752?permalink_comment_id=4102502#gistcomment-4102502) using FuckThatPacker. These are the raw logs from both Aurora EDR Lite running default logging in json. - Also Splunk Windows Universal Forwarder with Windows TA and powershell EventCode 4101 script logging enabled.' +description: Ran an obfuscated [payload](https://gist.github.com/MHaggis/ccd9848a52dc76e6aa0eb1da14bb7752?permalink_comment_id=4102502#gistcomment-4102502) + using FuckThatPacker. These are the raw logs from both Aurora EDR Lite running default + logging in json. Also Splunk Windows Universal Forwarder with Windows TA and powershell + EventCode 4101 script logging enabled. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/FuckThatPacker/aurora-edr.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- aurora-edr -references: -- https://attack.mitre.org/techniques/T1027 -- https://www.nextron-systems.com/2021/11/13/aurora-sigma-based-edr-agent-preview/ -- https://github.com/Unknow101/FuckThatPacker +directory: FuckThatPacker +mitre_technique: +- T1027 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml index 599d20ac8..48c5c7c1b 100644 --- a/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml @@ -6,21 +6,11 @@ description: 'Atomic Test Results: Successful Execution of test T1027-2 Execute from Windows Registry Return value unclear for test T1027-4 Execution from Compressed File ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/attack_data.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/attack_data.tar.gz -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1027 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md -- https://github.com/splunk/security-content/blob/develop/tests/T1027.yml +directory: atomic_red_team +mitre_technique: +- T1027 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1027/trickbot_drop/data.yml b/datasets/attack_techniques/T1027/trickbot_drop/data.yml new file mode 100644 index 000000000..c1619099f --- /dev/null +++ b/datasets/attack_techniques/T1027/trickbot_drop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 998ecdcb-5d17-4d08-b35d-83eb1d84f7e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_drop +environment: attack_range +directory: trickbot_drop +mitre_technique: +- T1027 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1027/trickbot_drop/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml index 71abe3301..31321f1d9 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml @@ -3,9 +3,15 @@ id: a3e1c738-ef85-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd split b exec in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_b_exec +mitre_technique: +- T1030 +datasets: +- name: auditd_execve_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log + sourcetype: auditd + source: auditd +- name: linux_auditd_split_b_exec + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml index 52c35fac6..6a89a2f27 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml @@ -3,9 +3,11 @@ id: c6be94ea-5e01-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd split syscall in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_syscall +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_split_syscall + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml index e1d52dca3..ea411d2f2 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml @@ -3,9 +3,11 @@ id: 7d0ae338-1aaf-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd split syscall new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_syscall_new +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_new_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml index 932841f7e..4b2277ec1 100644 --- a/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml @@ -1,13 +1,18 @@ author: Mauricio Velazco id: a382f0d7-3c76-42b3-90a8-8806b633226d date: '2021-09-13' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1033 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml index afa943c59..5a2991ebc 100644 --- a/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml @@ -5,15 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1033-1 System Discovery Return value unclear for test T1033-3 Find computers where user has session - Stealth mode (PowerView) ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md +directory: atomic_red_team +mitre_technique: +- T1033 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml index 9d494a96a..1f6174cb9 100644 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml @@ -3,9 +3,11 @@ id: 77d03c0c-5e07-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd whoami in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log -sourcetypes: -- 'linux:audit' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_whoami +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml index de1b8c2ee..48353d50d 100644 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml @@ -3,9 +3,11 @@ id: 4cb6c050-1ab2-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd whoami new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_whoami_new +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_new_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml index 4581e907b..73b80b340 100644 --- a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml +++ b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: bc42ab4c-bb02-479c-88da-b5b870bce9d0 date: '2022-10-21' description: Generated datasets for qakbot discovery cmdline in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://securelist.com/qakbot-technical-analysis/103931/ +environment: attack_range +directory: qakbot_discovery_cmdline +mitre_technique: +- T1033 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.yml b/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.yml rename to datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage_old.yml diff --git a/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml b/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml index dbf37520a..ae8916fac 100644 --- a/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml +++ b/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: ea89e255-f54a-4627-a8de-10dcbd662993 date: '2023-12-15' description: Generated datasets for whoami priv in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: whoami_priv +mitre_technique: +- T1033 +datasets: +- name: whoami-priv-sysmon + path: /datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost.yml b/datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost_old.yml similarity index 100% rename from datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost.yml rename to datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost_old.yml diff --git a/datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override.yml b/datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override.yml rename to datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override_old.yml diff --git a/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml index 2cfa8b3f0..b9f6800c3 100644 --- a/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml @@ -11,16 +11,11 @@ description: 'Atomic Test Results: Successful Execution of test T1036.003-1 Masq Execution of test T1036.003-8 Malicious process Masquerading as LSM.exe Successful Execution of test T1036.003-9 File Extension Masquerading ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md +directory: atomic_red_team +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml b/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml index 0a07d8213..83c3fa65f 100644 --- a/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml +++ b/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml @@ -3,7 +3,11 @@ id: a025437b-078f-4377-a932-e081ff356fcd date: '2021-10-05' description: copy files form system32 or syswow64 folder datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: copy_sysmon +mitre_technique: +- T1036.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml b/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml index 6aa8c3e1c..a2bd7c84d 100644 --- a/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml +++ b/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml @@ -3,7 +3,11 @@ id: a025437b-075a-43b7-a932-e081ff356fcd date: '2022-07-18' description: copy files form system32 or syswow64 folder datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log -sourcetypes: -- XmlWinEventLog +directory: mpcmdrun +mitre_technique: +- T1036.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell.yml b/datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell.yml rename to datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell_old.yml diff --git a/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml b/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml index 92a258c06..bd2704553 100644 --- a/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml +++ b/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml @@ -3,16 +3,11 @@ id: cc9b2656-efc9-11eb-926b-550bf0943fbb date: '2020-11-19' description: Manual generation of samsam ransomware file extension environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md +directory: samsam_extension +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata.yml b/datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata.yml rename to datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata_old.yml diff --git a/datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit.yml b/datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit.yml rename to datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit_old.yml diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml rename to datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage_old.yml diff --git a/datasets/attack_techniques/T1036/debugger_execution/debugger_execution.yml b/datasets/attack_techniques/T1036/debugger_execution/debugger_execution_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/debugger_execution/debugger_execution.yml rename to datasets/attack_techniques/T1036/debugger_execution/debugger_execution_old.yml diff --git a/datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path.yml b/datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path.yml rename to datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path_old.yml diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml index 85e64fd41..b4fa367c3 100644 --- a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml +++ b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 70ab291a-0372-4d70-b256-1b0ec12076a5 date: '2023-11-21' description: Generated datasets for msdtc process param in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx +environment: attack_range +directory: msdtc_process_param +mitre_technique: +- T1036 +datasets: +- name: msdtc_a_sysmon + path: /datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/process_temp_path/process_temp_path.yml b/datasets/attack_techniques/T1036/process_temp_path/process_temp_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/process_temp_path/process_temp_path.yml rename to datasets/attack_techniques/T1036/process_temp_path/process_temp_path_old.yml diff --git a/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml b/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml index 01ff456fd..d91b83bba 100644 --- a/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml +++ b/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml @@ -3,9 +3,11 @@ id: 2fa5d1b2-dc97-11ef-8b8c-acde48001122 date: '2025-01-27' description: Generated datasets for suspicious process path in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat \ No newline at end of file +directory: suspicious_process_path +mitre_technique: +- T1036 +datasets: +- name: susp_path_sysmon1 + path: /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location.yml b/datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location.yml rename to datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location_old.yml diff --git a/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml b/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml index 6346b2a03..54e59a862 100644 --- a/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml +++ b/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml @@ -3,15 +3,11 @@ id: cc9b25f7-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual create file C:\$Recycle.Bin\test.ps1 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036 +directory: write_to_recycle_bin +mitre_technique: +- T1036 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml b/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml index 2a92354d9..78583ec26 100644 --- a/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml +++ b/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: 4226e60c-f258-4d8b-b91a-8a4d425074d2 date: '2021-09-28' -description: Manual generation of attack data for logonscript registry entry for persistence and privilege escalation. +description: Manual generation of attack data for logonscript registry entry for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: logonscript_reg +mitre_technique: +- T1037.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1040/ssltls/ssltls.yml b/datasets/attack_techniques/T1040/ssltls/ssltls_old.yml similarity index 100% rename from datasets/attack_techniques/T1040/ssltls/ssltls.yml rename to datasets/attack_techniques/T1040/ssltls/ssltls_old.yml diff --git a/datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl.yml b/datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl_old.yml similarity index 100% rename from datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl.yml rename to datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl_old.yml diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml index 3d2c69b79..0c88cc708 100644 --- a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml +++ b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml @@ -3,9 +3,11 @@ id: d8aaa455-a7ba-4bd8-a588-e09ef1dce552 date: '2023-12-07' description: Kubernetes scanning activity in Kubernetes audit logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1046 +directory: kubernetes_scanning +mitre_technique: +- T1046 +datasets: +- name: kubernetes_scanning-json + path: /datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1046/nmap/nmap.yml b/datasets/attack_techniques/T1046/nmap/nmap_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/nmap/nmap.yml rename to datasets/attack_techniques/T1046/nmap/nmap_old.yml diff --git a/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml rename to datasets/attack_techniques/T1046/open_dns_port/open_dns_port_old.yml diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml rename to datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery_old.yml diff --git a/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml index 98d4adedf..5fdc07a45 100644 --- a/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml @@ -8,20 +8,19 @@ description: 'Atomic Test Results: Return value unclear for test T1047-1 WMI Rec test T1047-5 WMI Execute Local Process Return value unclear for test T1047-6 WMI Execute Remote Process ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/attack_data.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/attack_data.tar.gz -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md +directory: atomic_red_team +mitre_technique: +- T1047 +datasets: +- name: 4104-cimmethod-windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: invokewmiexec_windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml b/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml index 791203d54..909f24b84 100644 --- a/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml +++ b/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml @@ -3,15 +3,11 @@ id: cc9b25d4-efc9-11eb-926b-550bf0943fbb date: '2020-12-07' description: Manual execution of scrcons.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047 +directory: execution_scrcons +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml index c6606edfd..4be584bdf 100644 --- a/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 8b1880b0-3533-45a7-bbce-73f46d4636d4 date: '2021-11-15' -description: Manually using PowerShell to start a process on a remote endpoint abusing WMI and the Invoke-WmiMethod commandlet for - lateral movement and remote code execution. +description: Manually using PowerShell to start a process on a remote endpoint abusing + WMI and the Invoke-WmiMethod commandlet for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1047/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 +directory: lateral_movement +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml index caee3f243..35257d071 100644 --- a/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 0febf3ef-8284-4422-ba5f-08dd37f5ef25 date: '2021-11-23' -description: Manually using PowerShell to start a process on a remote endpoint abusing WMI and the Invoke-WmiMethod commandlet for - lateral movement and remote code execution. +description: Manually using PowerShell to start a process on a remote endpoint abusing + WMI and the Invoke-WmiMethod commandlet for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-securitylog -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 +directory: lateral_movement_lolbas +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml b/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml index 182c73cf0..ae6f67299 100644 --- a/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml +++ b/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 702d7454-b111-4e1a-ac14-cf773e6a4fb5 date: '2022-10-24' description: Generated datasets for wmi impersonate in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.joesandbox.com/analysis/278341/0/html +environment: attack_range +directory: wmi_impersonate +mitre_technique: +- T1047 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml b/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml index 38b90d250..02a7afc97 100644 --- a/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml +++ b/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml @@ -3,9 +3,11 @@ id: 66247ba9-97d1-4c69-bc85-519354346315 date: '2023-03-16' description: Manual generation of attack data by access WebDav with rundll32.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: cve-2023-23397 +mitre_technique: +- T1048.003 +datasets: +- name: webdav_windows-sysmon + path: /datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml b/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml index 0f6357dba..0b2de3aaf 100644 --- a/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml +++ b/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml @@ -3,9 +3,11 @@ id: cc9b2614-efc9-11eb-926b-550bf0943fbb date: '2021-01-18' description: Manual generation of attack data by browsing to long urls. of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: long_dns_queries +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml b/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml index e473e0cf3..c25ab93c3 100644 --- a/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml +++ b/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml @@ -3,9 +3,11 @@ id: 52fd86dd-5f85-4d16-b80f-31b87592829f date: '2021-12-08' description: Manual generation of attack data by generating 100 xls files environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: mass_file_creation +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml b/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml index 8c71db4ff..e7f399084 100644 --- a/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml +++ b/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml @@ -3,9 +3,15 @@ id: 83752ecc-e349-11ec-8e0c-acde48001122 date: '2022-06-03' description: Generated datasets for nslookup exfil in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ \ No newline at end of file +directory: nslookup_exfil +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml b/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml index 6de308041..ae8fcfb30 100644 --- a/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml +++ b/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml @@ -3,8 +3,11 @@ id: 83752ecc-e349-11ec-8e0c-acde48001123 date: '2024-02-27' description: ftp connection environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log -sourcetypes: -- bro:conn:json -references: [] \ No newline at end of file +directory: ftp_connection +mitre_technique: +- T1048 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml index e387d6d6f..745beeb77 100644 --- a/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 61da8e36-d038-4a92-900e-8f726bfc1b05 date: '2021-09-10' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1049 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml b/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml index 79db5168e..4a5f5c0e9 100644 --- a/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml +++ b/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml @@ -3,9 +3,11 @@ id: 75f7d048-5f54-11ec-ba63-acde48001122 date: '2021-12-17' description: Generated datasets for at execution in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://linuxize.com/post/at-command-in-linux/ +directory: at_execution +mitre_technique: +- T1053.002 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml new file mode 100644 index 000000000..9fbc4ab21 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml @@ -0,0 +1,14 @@ +author: Mauricio Velazco +id: 1842051e-6efb-4fd8-8d5d-e82e14e6f493 +date: '2021-11-12' +description: Manually using the at.exe binary to create and start a Scheduled Task + on a remote endpoint for lateral movement and remote code execution. +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1053.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml deleted file mode 100644 index 1ef499bfe..000000000 --- a/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Mauricio Velazco -id: 1842051e-6efb-4fd8-8d5d-e82e14e6f493 -date: '2021-11-12' -description: Manually using the at.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/002/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml b/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml index abb20beef..6acb96f8f 100644 --- a/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml +++ b/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml @@ -3,9 +3,11 @@ id: 48cc7e46-562a-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd at in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log -sourcetypes: -- 'linux:audit' -references: -- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ \ No newline at end of file +directory: linux_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_at_execution + path: /datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml index 0bc9d4f6f..e4d66fda2 100644 --- a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml +++ b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml @@ -3,9 +3,15 @@ id: f27b4edc-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chown root in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/617850/changing-from-user-to-superuser \ No newline at end of file +directory: linux_auditd_chown_root +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml index c83405681..a92514956 100644 --- a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml +++ b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml @@ -3,9 +3,11 @@ id: efcf229a-1aae-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux new auditd at in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log -sourcetypes: -- 'auditd' -references: -- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ \ No newline at end of file +directory: linux_new_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_new_at + path: /datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml b/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml index ccebb848c..a122d5535 100644 --- a/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml +++ b/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml @@ -3,9 +3,15 @@ id: e5ff2d94-5f51-11ec-ba52-acde48001122 date: '2021-12-17' description: Generated datasets for cronjobs entry in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: cronjobs_entry +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux_cron_append + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml index 3380b7513..f88dc9cee 100644 --- a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml +++ b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml @@ -3,9 +3,11 @@ id: d18a1f12-5f52-11ec-a48e-acde48001122 date: '2021-12-17' description: Generated datasets for crontab edit parameter in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: crontab_edit_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml b/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml index 02821dbca..a72e10a6c 100644 --- a/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml +++ b/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml @@ -3,9 +3,11 @@ id: 3c9236a6-c537-11ec-bdfa-acde48001122 date: '2022-04-26' description: Generated datasets for crontab list parameter in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://cert.gov.ua/article/39518 \ No newline at end of file +directory: crontab_list_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml index cbd270cd5..cc983e56d 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml @@ -3,9 +3,11 @@ id: 6f8a621e-45d5-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd cron file audited in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log -sourcetypes: -- 'auditd' -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: linux_auditd_cron_file_audited +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_cron_file_audited2 + path: /datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml index 871f13b84..51c6ee6a2 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml @@ -3,9 +3,11 @@ id: 0a6dfea0-5647-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd crontab edit in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log -sourcetypes: -- 'linux:audit' -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: linux_auditd_crontab_edit +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_crontab_edit + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml index 723d06f94..e61f0f3c4 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml @@ -3,9 +3,11 @@ id: 4bed5528-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd crontab edit new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: linux_auditd_crontab_edit_new +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_new_crontab + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml index c6ba35e94..170359ce5 100644 --- a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml +++ b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 7f4b9485-175d-49ce-9c43-fcd7abae3acd date: '2023-01-26' description: Generated datasets for asyncrat highest priv schtasks in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: asyncrat_highest_priv_schtasks +mitre_technique: +- T1053.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml index 0a5e05304..6f178602d 100644 --- a/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml @@ -6,19 +6,19 @@ description: 'Atomic Test Results: Return value unclear for test T1053.005-1 Sch Return value unclear for test T1053.005-3 Scheduled task Remote Return value unclear for test T1053.005-4 Powershell Cmdlet Scheduled Task ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4104_scheduledtaskcreation.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: atomic_red_team +mitre_technique: +- T1053.005 +datasets: +- name: 4698_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4698_shell_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml index 2647f4cf5..805b75dac 100644 --- a/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a539c3bb-0652-47e5-94ba-3352329d7674 date: '2021-11-12' -description: Manually using the schtasks.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. +description: Manually using the schtasks.exe binary to create and start a Scheduled + Task on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/003/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +directory: lateral_movement +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml index 4d6f5c9da..f94cf514b 100644 --- a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: f2f37309-e4ee-47d2-95c6-e0c4aa5ac464 date: '2021-11-23' -description: Manually using the schtasks.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. +description: Manually using the schtasks.exe binary to create and start a Scheduled + Task on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/003/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +directory: lateral_movement_lolbas +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml b/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml index a770d76dc..ed6532d49 100644 --- a/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml +++ b/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml @@ -3,15 +3,11 @@ id: cc9b265e-efc9-11eb-926b-550bf0943fbb date: '2020-12-07' description: Manual generation of schtask which will do a shutdown. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: schtask_shutdown +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml b/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml index 352f36426..f5892795c 100644 --- a/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml +++ b/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml @@ -3,9 +3,11 @@ id: cc9b265e-efc9-11eb-926b-550bf0712cbb date: '2022-02-10' description: Manual generation of schtask meant to start as system. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: schtask_system +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtasks/schtask.yml b/datasets/attack_techniques/T1053.005/schtasks/schtask.yml deleted file mode 100644 index 4d8a9f57f..000000000 --- a/datasets/attack_techniques/T1053.005/schtasks/schtask.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Patrick Bareiss -id: cc9b265f-efc9-11eb-926b-550bf0943fbb -date: '2020-12-07' -description: Manual generation of schtask registering a binary to run from non-standard - paths. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md diff --git a/datasets/attack_techniques/T1053.005/schtasks/schtasks.yml b/datasets/attack_techniques/T1053.005/schtasks/schtasks.yml new file mode 100644 index 000000000..00ddfd91b --- /dev/null +++ b/datasets/attack_techniques/T1053.005/schtasks/schtasks.yml @@ -0,0 +1,14 @@ +author: Patrick Bareiss +id: cc9b265f-efc9-11eb-926b-550bf0943fbb +date: '2020-12-07' +description: Manual generation of schtask registering a binary to run from non-standard + paths. +environment: attack_range +directory: schtasks +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml b/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml new file mode 100644 index 000000000..963298fff --- /dev/null +++ b/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5e4c4946-43cb-4caa-be45-9a4186664aa0 +date: '2025-08-12' +description: Automatically categorized datasets in directory svchost_lolbas_execution_process_spawn +environment: attack_range +directory: svchost_lolbas_execution_process_spawn +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml b/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml index 4ed2b912d..f05f446ae 100644 --- a/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml +++ b/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml @@ -4,13 +4,15 @@ date: '2022-04-18' description: Manual generation of schtask registering a binary to run from non-standard path. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md -- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ +directory: taskschedule +mitre_technique: +- T1053.005 +datasets: +- name: sd_delete_windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml b/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml deleted file mode 100644 index 745146de0..000000000 --- a/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b2660-efc9-11eb-926b-550bf0943f23 -date: '2021-10-21' -description: Scheduled Tasks logs captured from Microsoft-Windows-TaskScheduler/Operational. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule_xml.log -sourcetypes: -- WinEventLog:Microsoft-Windows-TaskScheduler/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md -- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml b/datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml new file mode 100644 index 000000000..1921bcb9d --- /dev/null +++ b/datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml @@ -0,0 +1,13 @@ +author: Michael Haag, Splunk +id: cc9b2660-efc9-11eb-926b-550bf0943f23 +date: '2021-10-21' +description: Scheduled Tasks logs captured from Microsoft-Windows-TaskScheduler/Operational. +environment: attack_range +directory: windows_taskschedule +mitre_technique: +- T1053.005 +datasets: +- name: windows-taskschedule_xml + path: /datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TaskScheduler diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml new file mode 100644 index 000000000..f5757fb4b --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0b41d7cf-ba30-4267-9e21-f71f33e236bb +date: '2025-08-12' +description: Automatically categorized datasets in directory winevent_scheduled_task_created_to_spawn_shell +environment: attack_range +directory: winevent_scheduled_task_created_to_spawn_shell +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml deleted file mode 100644 index 76b5d5d04..000000000 --- a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Steven Dick -id: ea908665-bc39-4493-a20a-041543ba4f3b -date: '2025-01-28' -description: 'A sample event with a known malicous Task Name.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1053/005/ -- https://www.ic3.gov/CSA/2023/231213.pdf -- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ -- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv \ No newline at end of file diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml new file mode 100644 index 000000000..f7598e9a7 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml @@ -0,0 +1,13 @@ +author: Steven Dick +id: ea908665-bc39-4493-a20a-041543ba4f3b +date: '2025-01-28' +description: A sample event with a known malicous Task Name. +environment: attack_range +directory: winevent_scheduled_task_with_suspect_name +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml new file mode 100644 index 000000000..b94421ca1 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: aed2ac9a-81af-43ad-a2d0-7172f0670b53 +date: '2025-08-12' +description: Automatically categorized datasets in directory winevent_windows_task_scheduler_event_action_started +environment: attack_range +directory: winevent_windows_task_scheduler_event_action_started +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TaskScheduler diff --git a/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml b/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml index 86bff091d..d8cef32fe 100644 --- a/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml +++ b/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml @@ -3,9 +3,11 @@ id: 98af8e7e-efa1-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux services restart in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1543/003/ \ No newline at end of file +directory: linux_services_restart +mitre_technique: +- T1053.006 +datasets: +- name: auditd_proctitle_service_restart + path: /datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml b/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml index 4e62b7695..b56ad253e 100644 --- a/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml +++ b/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml @@ -3,9 +3,11 @@ id: 55096932-6242-11ec-bdd6-acde48001122 date: '2021-12-21' description: Generated datasets for service systemd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: service_systemd +mitre_technique: +- T1053.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml index 6c2585e23..3be0d141c 100644 --- a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml +++ b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml @@ -3,9 +3,11 @@ id: 18171239-e152-41f4-a1af-459d1b2aacb3 date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a cron job. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1053/007 +directory: kubernetes_audit_cron_job_creation +mitre_technique: +- T1053.007 +datasets: +- name: kubernetes_audit_cron_job_creation-json + path: /datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task.yml b/datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task.yml rename to datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task_old.yml diff --git a/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.yml b/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.yml rename to datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll_old.yml diff --git a/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.yml b/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.yml rename to datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask_old.yml diff --git a/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml b/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml index a6fc3517f..ec3e70cfe 100644 --- a/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml +++ b/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml @@ -3,12 +3,11 @@ id: cc9b25f4-efc9-11eb-926b-660bf0943faa date: '2022-02-15' description: Testing using DueDLLigence. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055.001 -- https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1 +directory: rasautou +mitre_technique: +- T1055.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml b/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml index fd2cab8ec..913915104 100644 --- a/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml +++ b/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml @@ -4,12 +4,19 @@ date: '2021-02-22' description: Manual generation of attack data using Cobalt Strike to generate default named pipes. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/cobalt_spawnto.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1055 +directory: cobalt_strike +mitre_technique: +- T1055 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_searchprotocolhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_dllhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/msra/msra.yml b/datasets/attack_techniques/T1055/msra/msra.yml index 3bc534b55..0ac814df0 100644 --- a/datasets/attack_techniques/T1055/msra/msra.yml +++ b/datasets/attack_techniques/T1055/msra/msra.yml @@ -4,12 +4,15 @@ date: '2021-02-22' description: Manual generation of attack data using Cobalt Strike to generate default named pipes. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055 +directory: msra +mitre_technique: +- T1055 +datasets: +- name: msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: raw-msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer.yml b/datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer_old.yml similarity index 100% rename from datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer.yml rename to datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer_old.yml diff --git a/datasets/attack_techniques/T1055/sliver/sliver.yml b/datasets/attack_techniques/T1055/sliver/sliver.yml new file mode 100644 index 000000000..454bccdea --- /dev/null +++ b/datasets/attack_techniques/T1055/sliver/sliver.yml @@ -0,0 +1,21 @@ +author: Michael Haag +id: 0cdc5c21-49af-47ed-a96a-84a0bb5070be +date: '2023-02-22' +description: Attack data generation using SliverC2 by BishopFox. +environment: attack_range +directory: sliver +mitre_technique: +- T1055 +datasets: +- name: notepad_windows-sysmon + path: /datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sliver_windows-system + path: /datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: T1055_windows-sysmon + path: /datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/sliver/sliverc2.yml b/datasets/attack_techniques/T1055/sliver/sliverc2.yml deleted file mode 100644 index 7787cfb2d..000000000 --- a/datasets/attack_techniques/T1055/sliver/sliverc2.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Michael Haag -id: 0cdc5c21-49af-47ed-a96a-84a0bb5070be -date: '2023-02-22' -description: Attack data generation using SliverC2 by BishopFox. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055 -- https://attack.mitre.org/techniques/T1569 diff --git a/datasets/attack_techniques/T1055/splunk_ds/splunkd.yml b/datasets/attack_techniques/T1055/splunk_ds/splunkd_old.yml similarity index 100% rename from datasets/attack_techniques/T1055/splunk_ds/splunkd.yml rename to datasets/attack_techniques/T1055/splunk_ds/splunkd_old.yml diff --git a/datasets/attack_techniques/T1055/trickbot_inf/data.yml b/datasets/attack_techniques/T1055/trickbot_inf/data.yml new file mode 100644 index 000000000..1f1cff52c --- /dev/null +++ b/datasets/attack_techniques/T1055/trickbot_inf/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 739ec99c-d1b2-43e3-bcf2-6538a6f67f96 +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_inf +environment: attack_range +directory: trickbot_inf +mitre_technique: +- T1055 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055/trickbot_inf/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml b/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml index 813f165b4..22935f514 100644 --- a/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml +++ b/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 1c2643c1-0837-4026-a0f1-62ede1415bab date: '2023-12-15' description: Generated datasets for process commandline discovery in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: process_commandline_discovery +mitre_technique: +- T1057 +datasets: +- name: wmic-cmdline-sysmon + path: /datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml index 8c28dc239..bad485c24 100644 --- a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml +++ b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 6ea89cfe-c6e2-4c77-9708-eef588178d15 date: '2023-01-26' description: Generated datasets for asyncrat crypto pwh namespace in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: asyncrat_crypto_pwh_namespace +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml index c9d675c4b..c3413c5f9 100644 --- a/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml @@ -4,24 +4,39 @@ date: '2021-03-01' description: Invoke-atomictest T1059.001 of all Atomic Red Team T1059.001 PowerShell tests. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log/win32_scheduledjob_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/irm_powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -- bit9:carbonblack:json -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md +directory: atomic_red_team +mitre_technique: +- T1059.001 +datasets: +- name: captcha_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: get_ciminstance_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: start_stop_service_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-2 + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4104-psremoting-windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: win32_scheduledjob_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: enableat_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml b/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml index f1db7126e..7d8f76000 100644 --- a/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml +++ b/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml @@ -3,12 +3,23 @@ id: cc9b264d-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Manual generation of encoded powershell command environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: encoded_powershell +mitre_technique: +- T1059.001 +datasets: +- name: explorer_spawns_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: padded_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059.001/exchange/exchange.yml b/datasets/attack_techniques/T1059.001/exchange/exchange.yml index 54c0de491..7e7199fcf 100644 --- a/datasets/attack_techniques/T1059.001/exchange/exchange.yml +++ b/datasets/attack_techniques/T1059.001/exchange/exchange.yml @@ -1,13 +1,18 @@ author: Michael Haag, Splunk id: 16c9ac54-d483-4ca6-9bea-662531eec469 date: '2022-10-05' -description: Manual generation suspicious PowerShell Exchange modules used in ProxyShell or ProxyNotShell based attacks. +description: Manual generation suspicious PowerShell Exchange modules used in ProxyShell + or ProxyNotShell based attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- MSExchange:management -references: -- https://attack.mitre.org/techniques/T1059/001 \ No newline at end of file +directory: exchange +mitre_technique: +- T1059.001 +datasets: +- name: msexchangemanagement + path: /datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log + sourcetype: MSExchange:Management + source: MSExchange:Management +- name: windows-powershell + path: /datasets/attack_techniques/T1059.001/exchange/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml b/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml index badd92bd5..79fa4736d 100644 --- a/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml +++ b/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml @@ -4,16 +4,11 @@ date: '2020-11-20' description: Manual generation of a download of a file with powershell using a hidden window environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001 \ No newline at end of file +directory: hidden_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml b/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml index 19870793f..dc1213e3f 100644 --- a/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml +++ b/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml @@ -3,9 +3,11 @@ id: 7c18915c-f85f-11ec-b8f1-acde48001122 date: '2022-06-30' description: Generated datasets for import applocker policy in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ \ No newline at end of file +directory: import_applocker_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml index a58a93766..6273a66b6 100644 --- a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml +++ b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml @@ -3,9 +3,11 @@ id: c503c2fe-7936-11ec-a7f6-acde48001122 date: '2022-01-19' description: Observed example of adversaries abusing powershell commands for execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: malicious_cmd_line_samples +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml index 9219e5bbc..ff7bd1bfa 100644 --- a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml +++ b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml @@ -1,13 +1,13 @@ author: Michael Haag -id: 3f9b2623-abd5-11eb-926b-120zf0943f11 +id: 05ee5a71-724f-4386-86de-746f9ba957fd date: '2023-06-22' description: PowerShell execution from MSIX packages and WindowsApps directory environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1059.001/msix_powershell/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001 -- https://redcanary.com/blog/threat-intelligence/msix-installers/ -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/msix_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml b/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml index d7500ea29..1c94a7564 100644 --- a/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml +++ b/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml @@ -3,10 +3,11 @@ id: cc9b2648-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Manual generation of obfuscated powershell commands using Invoke-Obfuscation environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ -- https://github.com/danielbohannon/Invoke-Obfuscation +directory: obfuscated_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml b/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml index ca0991f21..9fa51ed94 100644 --- a/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml +++ b/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml @@ -3,15 +3,11 @@ id: cc9b2649-efc9-11eb-926b-550bf0943fbb date: '2020-12-09' description: Change execution policy to bypass with regedit. registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_execution_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml b/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml index 327b5e6b1..a736202e0 100644 --- a/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml +++ b/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml @@ -2,11 +2,20 @@ author: Teoderick Contreras, Splunk id: a92e1082-ce62-4cdd-88e2-96707c6b0a39 date: '2023-06-16' description: Generated datasets for powershell remotesigned in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 +environment: attack_range +directory: powershell_remotesigned +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: remotesigned_sysmon + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-remote-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml new file mode 100644 index 000000000..517d03017 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml @@ -0,0 +1,21 @@ +author: Michael Haag +id: cc9b264c-efc9-11eb-926b-550bf0943fbb +date: '2021-06-09' +description: Manual and Atomic Red Team testing to generate script block logging data. +environment: attack_range +directory: powershell_script_block_logging +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: credaccess-powershell + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml deleted file mode 100644 index 4b1ca8dc3..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml +++ /dev/null @@ -1,19 +0,0 @@ -author: Michael Haag -id: cc9b264c-efc9-11eb-926b-550bf0943fbb -date: '2021-06-09' -description: Manual and Atomic Red Team testing to generate script block logging data. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/pswa_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ diff --git a/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml b/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml index 09d6134e4..0f0cb543f 100644 --- a/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml +++ b/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml @@ -1,15 +1,14 @@ author: Michael Haag id: cc9b264c-efc9-11eb-926b-550bf0943fbb date: '2021-06-09' -description: BC-Security Empire, Cobalt Strike, and Atomic Red Team T1059.001 and T1482 used to generate data. +description: BC-Security Empire, Cobalt Strike, and Atomic Red Team T1059.001 and + T1482 used to generate data. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_testing +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml b/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml index 70b800471..0cf35c189 100644 --- a/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml +++ b/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml @@ -4,15 +4,11 @@ date: '2020-11-20' description: 'Atomic Test Results: Successful Execution of test T1059.001-8 Powershell XML requests ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_xml_requests +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml b/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml index 5cb57b04b..bd8bb5f4d 100644 --- a/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml +++ b/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml @@ -3,11 +3,11 @@ id: cc9b2646-efc9-11eb-926b-550bf0943fbb date: '2021-06-03' description: Manual SharpHound testing to simulate all the behavior seen in the wild. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: sharphound +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml b/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml index 1b476e56a..9936c08c4 100644 --- a/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml +++ b/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml @@ -3,9 +3,11 @@ id: adfb4776-87af-4521-a9a1-dda25b01a69f date: '2024-02-13' description: Manual soaphound testing to simulate all the behavior seen in the wild. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon-soaphound.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: soaphound +mitre_technique: +- T1059.001 +datasets: +- name: sysmon_soaphound + path: /datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml b/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml new file mode 100644 index 000000000..90747e7bb --- /dev/null +++ b/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6034b5b7-b19c-435b-9d30-03cafde3f66a +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_cmd_powershell +environment: attack_range +directory: trickbot_cmd_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml index e0fefb31e..0e1b07c37 100644 --- a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml +++ b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: c76dae70-1dc5-49e5-b480-a78da4239701 date: '2023-02-22' -description: Manually using Nimplant to execute a PowerShell commandlet using unmanaged PowerShell. +description: Manually using Nimplant to execute a PowerShell commandlet using unmanaged + PowerShell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ -- https://github.com/leechristensen/UnmanagedPowerShell -- https://github.com/chvancooten/NimPlant +directory: unmanaged_powershell_execution +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml b/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml rename to datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer_old.yml diff --git a/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml index 37b223b16..3d669f236 100644 --- a/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml @@ -3,11 +3,11 @@ id: cc9b25f9-efc9-11eb-926b-550bf09d3fbd date: '2024-02-04' description: Atomic Red Team T1059.003 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/atomic_red_team/invokesqlcmd_powershell.log -sourcetypes: -- XmlWinEventLog -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/003/ \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1059.003 +datasets: +- name: sqlcmd_windows_sysmon + path: /datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments.yml b/datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments.yml rename to datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments_old.yml diff --git a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml index 2050a2afc..a893a1c10 100644 --- a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml +++ b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml @@ -3,15 +3,11 @@ id: cc9b25fc-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual generation of attack data in which cmd.exe spawn cscript.exe. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/003/ +directory: cmd_spawns_cscript +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history.yml b/datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history.yml rename to datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history_old.yml diff --git a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml index 442b30150..d4e9a8e4a 100644 --- a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml +++ b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml @@ -3,15 +3,11 @@ id: cc9b25fa-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual generation of attack data by spawn cmd.exe from powershell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/003/ +directory: powershell_spawn_cmd +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/ryuk/ryuk.yml b/datasets/attack_techniques/T1059.003/ryuk/ryuk.yml new file mode 100644 index 000000000..b5d4f1ced --- /dev/null +++ b/datasets/attack_techniques/T1059.003/ryuk/ryuk.yml @@ -0,0 +1,14 @@ +author: Michael Haag +id: cc9b25fb-efc9-11eb-926b-550bf0943fbb +date: '2021-03-01' +description: Manual generation of attack data related to Ryuk with command line argument + of 8 LAN, related to wake on lan. +environment: attack_range +directory: ryuk +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml b/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml deleted file mode 100644 index 0160089b4..000000000 --- a/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Michael Haag -id: cc9b25fb-efc9-11eb-926b-550bf0943fbb -date: '2021-03-01' -description: Manual generation of attack data related to Ryuk with command line argument - of 8 LAN, related to wake on lan. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/003/ diff --git a/datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers.yml b/datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers.yml rename to datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers_old.yml diff --git a/datasets/attack_techniques/T1059.003/ssa_validation/office/office.yml b/datasets/attack_techniques/T1059.003/ssa_validation/office/office_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/ssa_validation/office/office.yml rename to datasets/attack_techniques/T1059.003/ssa_validation/office/office_old.yml diff --git a/datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line.yml b/datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line.yml rename to datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line_old.yml diff --git a/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml b/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml index c18f78366..61626086d 100644 --- a/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml +++ b/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml @@ -3,13 +3,11 @@ id: 93252b82-8d73-11ec-bb43-acd118001122 date: '2022-02-14' description: Generated datasets for linux net discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/matrices/enterprise/linux/ -- https://github.com/IvanGlinkin/AutoSUID -- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS -- https://github.com/rebootuser/LinEnum -- https://attack.mitre.org/techniques/T1059/004/ \ No newline at end of file +directory: linux_discovery_tools +mitre_technique: +- T1059.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin.yml b/datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin.yml rename to datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin_old.yml diff --git a/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml b/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml index c277a426f..74a8de157 100644 --- a/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml +++ b/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml @@ -3,9 +3,11 @@ id: 1dea83b6-792e-11ec-95bc-acde48001122 date: '2022-01-19' description: Generated datasets for discord dnsquery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: discord_dnsquery +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml b/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml index 587594d6b..ab96054a7 100644 --- a/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml +++ b/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: eb98e75f-a568-4ab3-b0e3-406a781259b3 date: '2021-10-01' -description: Manual generation of attack data for txtfile vbs script execution through wscript process. +description: Manual generation of attack data for txtfile vbs script execution through + wscript process. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: vbs_wscript +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/autoit/autoit.yml b/datasets/attack_techniques/T1059/autoit/autoit.yml index ece05fe5f..419e5b630 100644 --- a/datasets/attack_techniques/T1059/autoit/autoit.yml +++ b/datasets/attack_techniques/T1059/autoit/autoit.yml @@ -3,11 +3,11 @@ id: 75c8fefc-fdc7-4b8c-814f-7b6cd323dace date: '2023-11-08' description: Generated datasets for autoit3.exe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059 \ No newline at end of file +directory: autoit +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/autoit/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/defender/ms_defender.yml b/datasets/attack_techniques/T1059/defender/ms_defender_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/defender/ms_defender.yml rename to datasets/attack_techniques/T1059/defender/ms_defender_old.yml diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml index d5cfc80ec..9e5de8982 100644 --- a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml +++ b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml @@ -3,9 +3,11 @@ id: cf946971-ec10-4792-a697-4b208bc42e7f date: '2025-07-08' description: 'Sample of ESXi syslog events showing reverse shell attempts from the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1059 +directory: esxi_reverse_shell +mitre_technique: +- T1059 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml b/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml new file mode 100644 index 000000000..cd234ff1a --- /dev/null +++ b/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1790d351-021e-4824-bddb-0fbfa1efbc9a +date: '2025-08-12' +description: Automatically categorized datasets in directory excessive_distinct_processes_from_windows_temp +environment: attack_range +directory: excessive_distinct_processes_from_windows_temp +mitre_technique: +- T1059 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic.yml b/datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic.yml rename to datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic_old.yml diff --git a/datasets/attack_techniques/T1059/metasploit/metasploit.yml b/datasets/attack_techniques/T1059/metasploit/metasploit.yml index 9b75c6084..3a0e02669 100644 --- a/datasets/attack_techniques/T1059/metasploit/metasploit.yml +++ b/datasets/attack_techniques/T1059/metasploit/metasploit.yml @@ -2,13 +2,12 @@ author: Michael Haag id: 705b1487-8c72-4307-89ee-19b105d5bb5f date: '2022-11-21' description: Execution of payloads from MetaSploit. -environment: Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/ +environment: attack_range +directory: metasploit +mitre_technique: +- T1059 +datasets: +- name: apachebench_windows-sysmon + path: /datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes.yml b/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes.yml rename to datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes_old.yml diff --git a/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes.yml b/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes.yml rename to datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes_old.yml diff --git a/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml b/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml index cff034ef0..727af17f9 100644 --- a/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml +++ b/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml @@ -3,9 +3,11 @@ id: f0fdb998-e01d-11ec-b3b2-acde48001122 date: '2022-05-30' description: Generated datasets for path traversal in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ \ No newline at end of file +directory: path_traversal +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/path_traversal/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers.yml b/datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers.yml rename to datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers_old.yml diff --git a/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline.yml b/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline.yml rename to datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline_old.yml diff --git a/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml b/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml index 7ff36a76e..b57185b28 100644 --- a/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml +++ b/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml @@ -1,11 +1,14 @@ author: Michael Hart id: 8179ffc0-7628-4c7b-a137-f17184efb4ed date: '2022-02-15' -description: A sample log where an adversary compiles and runs an executable with a randomly generated name under the Windows folder, ostensibly to avoid detection. +description: A sample log where an adversary compiles and runs an executable with + a randomly generated name under the Windows folder, ostensibly to avoid detection. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/ +directory: suspiciously_named_executables +mitre_technique: +- T1059 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml index 632c1456e..c3ba90362 100644 --- a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml +++ b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml @@ -3,9 +3,11 @@ id: 45640c5f-9ef7-4d93-aa3e-2bc188d0be0a date: '2025-07-30' description: 'Sample of Sysmon events showing execution of commands on a host via VMWare Tools.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059 +directory: vmtoolsd_execution +mitre_technique: +- T1059 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059/vmtoolsd/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1068/drivers/drivers.yml b/datasets/attack_techniques/T1068/drivers/drivers.yml index 7fd391169..e8c8ec5ba 100644 --- a/datasets/attack_techniques/T1068/drivers/drivers.yml +++ b/datasets/attack_techniques/T1068/drivers/drivers.yml @@ -1,17 +1,17 @@ author: Michael haag id: cc9b25d8-efc9-22eb-126b-350bf0943fbb date: '2022-05-16' -description: 'Simulation of drivers loading up.' +description: Simulation of drivers loading up. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/7045_kerneldrivers.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1068 +directory: drivers +mitre_technique: +- T1068 +datasets: +- name: sysmon_sys_filemod + path: /datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: xml7045_windows-system + path: /datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1068/pkexec/pkexec_lpe.yml b/datasets/attack_techniques/T1068/pkexec/pkexec_lpe_old.yml similarity index 100% rename from datasets/attack_techniques/T1068/pkexec/pkexec_lpe.yml rename to datasets/attack_techniques/T1068/pkexec/pkexec_lpe_old.yml diff --git a/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml b/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml index c5fe7e795..799b7a897 100644 --- a/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml +++ b/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml @@ -1,14 +1,13 @@ -author: Steven Dick -id: eb8bda82-5e06-4d02-983c-dde9a445661c -date: '2023-11-30' -description: 'Detection of common behaviors seen during process escalation/elevation.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1068/ -- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor -- https://redcanary.com/blog/getsystem-offsec/ -- https://atomicredteam.io/privilege-escalation/T1134.001/ \ No newline at end of file +author: Steven Dick +id: eb8bda82-5e06-4d02-983c-dde9a445661c +date: '2023-11-30' +description: Detection of common behaviors seen during process escalation/elevation. +environment: attack_range +directory: windows_escalation_behavior +mitre_technique: +- T1068 +datasets: +- name: windows_escalation_behavior_sysmon + path: /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml b/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml index be34a0045..9968eba57 100644 --- a/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml +++ b/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml @@ -3,15 +3,11 @@ id: cc9b2627-efc9-11eb-926b-550bf0943fbb date: '2020-11-19' description: Manual generation of child process of zoom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1068/ +directory: zoom_child_process +mitre_technique: +- T1068 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml new file mode 100644 index 000000000..03b435453 --- /dev/null +++ b/datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml @@ -0,0 +1,17 @@ +author: Michael Haag +id: d6a30644-63bf-464b-8a2a-4df5de49aa43 +date: '2021-09-14' +description: Simulated events with Atomic Red Team and manual. +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1069.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml b/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml deleted file mode 100644 index 8a6b5f147..000000000 --- a/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: d6a30644-63bf-464b-8a2a-4df5de49aa43 -date: '2021-09-14' -description: 'Simulated events with Atomic Red Team and manual.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check.yml b/datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check_old.yml similarity index 100% rename from datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check.yml rename to datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check_old.yml diff --git a/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml index 2973712f6..80e1ea389 100644 --- a/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml @@ -1,16 +1,34 @@ author: Mauricio Velazco id: d6a30644-63bf-464b-8a2a-4df5de49aa3f date: '2021-09-07' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security +directory: AD_discovery +mitre_technique: +- T1069.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: ldifde_4688_windows-security + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: ldifde_windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-xml-powerview + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml b/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml new file mode 100644 index 000000000..fb4f348a1 --- /dev/null +++ b/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 212f3e49-f79e-4f08-94e2-d5038d45afed +date: '2025-08-12' +description: Automatically categorized datasets in directory domain_group_discovery_with_adsisearcher +environment: attack_range +directory: domain_group_discovery_with_adsisearcher +mitre_technique: +- T1069.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml index 99714d777..5d1b17ab1 100644 --- a/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml @@ -4,17 +4,11 @@ date: '2020-10-09' description: 'Atomic Test Results: Return value unclear for test T1070.001-1 Clear Logs Successful Execution of test T1070.001-2 Delete System Logs Using Clear-EventLog ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1070/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1070_001.yml +directory: atomic_red_team +mitre_technique: +- T1070.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml b/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml new file mode 100644 index 000000000..627c1e98d --- /dev/null +++ b/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 551fb2cd-6b46-4da2-b424-13816cf36e49 +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_event_log_service_behavior +environment: attack_range +directory: suspicious_event_log_service_behavior +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml b/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml new file mode 100644 index 000000000..496bf00c7 --- /dev/null +++ b/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 17c57915-4d82-4671-9abb-354bbbff107c +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_kerberos_service_ticket_request +environment: attack_range +directory: suspicious_kerberos_service_ticket_request +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml new file mode 100644 index 000000000..8db767b2c --- /dev/null +++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9c17ce79-5056-42e9-a614-4c2087471b67 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_event_log_cleared +environment: attack_range +directory: windows_event_log_cleared +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared.yml b/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared.yml rename to datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared_old.yml diff --git a/datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion.yml b/datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion.yml rename to datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion_old.yml diff --git a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml index b1f3f760e..fdf0a2c08 100644 --- a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml +++ b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml @@ -3,9 +3,11 @@ id: c6e9706c-6d27-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for automatic file deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: automatic_file_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/automatic_file_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml index d66fab1b3..165bae8f3 100644 --- a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml +++ b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml @@ -3,9 +3,11 @@ id: e9002aca-6d26-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for bmc file deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: bmc_file_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/bmc_file_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/cipher/cipher.yml b/datasets/attack_techniques/T1070.004/cipher/cipher_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.004/cipher/cipher.yml rename to datasets/attack_techniques/T1070.004/cipher/cipher_old.yml diff --git a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml index f6f6debea..185978650 100644 --- a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml +++ b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml @@ -3,9 +3,11 @@ id: 55943188-6d25-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for rdp deletion in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: rdp_deletion +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/rdp_deletion/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml index 342bfa271..a252771ef 100644 --- a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml +++ b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml @@ -3,9 +3,11 @@ id: 8c2fbcce-6d3b-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for terminal server reg deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_client_reg_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: terminal_server_reg_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml index 329e43653..74d0a8085 100644 --- a/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml @@ -5,15 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1070.005-1 Add Share Return value unclear for test T1070.005-2 Remove Network Share Return value unclear for test T1070.005-3 Remove Network Share PowerShell ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md +directory: atomic_red_team +mitre_technique: +- T1070.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml index e37a4f697..d8048beec 100644 --- a/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-12-08' description: 'Atomic Test Results: Return value unclear for test T1070-1 Indicator Removal using FSUtil ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md +directory: atomic_red_team +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml index b5c1411f2..7c91d06e7 100644 --- a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml +++ b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml @@ -3,9 +3,11 @@ id: f8571084-93e7-46fc-ae37-7a22e81e57f3 date: '2025-07-09' description: 'Sample of ESXi syslog events showing manipulation of the system clock.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1070 +directory: esxi_system_clock_manipulation +mitre_technique: +- T1070 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml b/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml index 85f76696a..2399bac92 100644 --- a/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml +++ b/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml @@ -3,9 +3,11 @@ id: 5e746ff0-b464-44f8-b4ec-38ede346e371 date: '2021-08-11' description: simulated Execution of lockbit ransomware malware in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ \ No newline at end of file +directory: fsutil_file_zero +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion.yml b/datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion_old.yml similarity index 100% rename from datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion.yml rename to datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion_old.yml diff --git a/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml b/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml index 922aef430..ae0d2ee6b 100644 --- a/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml +++ b/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 8e60394b-3334-484e-89e7-3cd9bbbac9fd date: '2024-01-29' -description: 'Clear Windows Event Logs using wevtutil.exe' +description: Clear Windows Event Logs using wevtutil.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md +directory: remove_windows_security_event_log +mitre_technique: +- T1070 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml b/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir_old.yml similarity index 100% rename from datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml rename to datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir_old.yml diff --git a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml index db71aadc3..5e1201512 100644 --- a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml +++ b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: 219c898a-39d5-4d63-ad1d-07bec9cabc5c date: '2024-02-27' description: Outbound smb traffic to another server -environment: Attack range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log -sourcetypes: -- bro:conn:json -references: -- https://attack.mitre.org/techniques/T1071/002/ +environment: attack_range +directory: outbound_smb_traffic +mitre_technique: +- T1071.002 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1072/intune/intune.yml b/datasets/attack_techniques/T1072/intune/intune_old.yml similarity index 100% rename from datasets/attack_techniques/T1072/intune/intune.yml rename to datasets/attack_techniques/T1072/intune/intune_old.yml diff --git a/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml b/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml index 8e949f408..233d3bb28 100644 --- a/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml +++ b/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml @@ -3,16 +3,19 @@ id: cc9b25d7-efc9-11eb-926b-550bf0943fbb date: '2020-11-09' description: Manual generation of attack data by locking out an account environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1078/002/ +directory: account_lockout +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078.002/account_login/account_login.yml b/datasets/attack_techniques/T1078.002/account_login/account_login_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.002/account_login/account_login.yml rename to datasets/attack_techniques/T1078.002/account_login/account_login_old.yml diff --git a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml index 5f193ac27..21be74f50 100644 --- a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml +++ b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 21d1c884-80c5-4e9e-a3bc-4d13ce420b1b date: '2023-04-21' -description: Manually leverage PowerView to enumerate for active directory access control lists. +description: Manually leverage PowerView to enumerate for active directory access + control lists. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1078/002/ -- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 -- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces -- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ \ No newline at end of file +directory: powerview_acl_enumeration +mitre_technique: +- T1078.002 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing.yml b/datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing.yml rename to datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing_old.yml diff --git a/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml b/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml new file mode 100644 index 000000000..2789f6e45 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f1bc213c-49d0-43cb-96c8-7b29a95431bb +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_computer_account_name_change +environment: attack_range +directory: suspicious_computer_account_name_change +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml b/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml new file mode 100644 index 000000000..610712ed4 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d744f41d-c676-4aee-adad-ae7b65e2d543 +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_ticket_granting_ticket_request +environment: attack_range +directory: suspicious_ticket_granting_ticket_request +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa.yml b/datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa.yml rename to datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa_old.yml diff --git a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml index 507bf74d4..8d67edbc9 100644 --- a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml +++ b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 27baa027-31cf-43f8-bf9e-20c3946d4c45 date: '2024-02-12' -description: 'Used python to authenticate as a service principal to an Azure AD tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log -sourcetypes: -- azure_monitor_aad -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins +description: Used python to authenticate as a service principal to an Azure AD tenant. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_service_principal_authentication +mitre_technique: +- T1078.004 +datasets: +- name: azure_ad_service_principal_authentication + path: /datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml b/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml index 2e1154cf7..1433a3daa 100644 --- a/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml +++ b/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 49d07696-6d7f-468f-8b22-c021b6128627 date: '2022-08-23' -description: Manually create an Azure Automation Runbook account using the Azure Portal. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html -- https://attack.mitre.org/techniques/T1078/004/ \ No newline at end of file +description: Manually create an Azure Automation Runbook account using the Azure Portal. + Tenant specific details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_automation_runbook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml index 3a4af155d..bc9c269d8 100644 --- a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml +++ b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: f8e3dbe1-73ae-418b-8d71-5dcdae97cceb date: '2022-08-23' -description: 'Manually created a Webhook for an Azure Automation Runbook through the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html +description: Manually created a Webhook for an Azure Automation Runbook through the + Azure portal. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_runbook_webhook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread/azuread.yml b/datasets/attack_techniques/T1078.004/azuread/azuread.yml index cde6f9473..a18ae111d 100644 --- a/datasets/attack_techniques/T1078.004/azuread/azuread.yml +++ b/datasets/attack_techniques/T1078.004/azuread/azuread.yml @@ -1,13 +1,16 @@ author: Mauricio Velazco id: d6b4e3c8-1f45-40a0-81a8-0fd5b9af19f2 date: '2022-07-12' -description: 'Used PowerShell to manually authenticate to an Azure AD tenant with an account that does not have Multi Factor authenttication enabled. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0 +description: Used PowerShell to manually authenticate to an Azure AD tenant with an + account that does not have Multi Factor authenttication enabled. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: azuread +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml b/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml index 34ded3f27..567beaf22 100644 --- a/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml +++ b/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 7bf1f61a-9cec-46d0-99cb-5e84c7df53bd date: '2022-07-13' -description: 'Manually used the PowerShell commandlet Connect-AzureAD to authenticate to an Azure AD tenant with a valid account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0 +description: Manually used the PowerShell commandlet Connect-AzureAD to authenticate + to an Azure AD tenant with a valid account. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azuread_pws +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml index aeebe406e..8a17ad0bc 100644 --- a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml +++ b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 09261f80-30d7-4482-92e1-a9e3ecb6abfe date: '2022-10-13' -description: 'Manually authenticateed to a GCP tenant with an account that does not have Multi Factor authenttication enabled. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1078/004/ +description: Manually authenticateed to a GCP tenant with an account that does not + have Multi Factor authenttication enabled. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: gcp_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml index e62bd0c1c..85f91e950 100644 --- a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml +++ b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 70265c3b-8d9e-46b2-aaa4-2b0a42d4b4d1 date: '2024-03-26' -description: 'Created a forwarding rule programatically using msInvader which triggered an alert by Security & Compliance' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide +description: Created a forwarding rule programatically using msInvader which triggered + an alert by Security & Compliance +environment: attack_range +directory: o365_security_and_compliance_alert_triggered +mitre_technique: +- T1078.004 +datasets: +- name: o365_security_and_compliance_alert_triggered + path: /datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml index 1e6907e07..d7a3f0d9d 100644 --- a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml +++ b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml @@ -1,11 +1,13 @@ author: Bhavin Patel -id: 71ad47d1-w6bd-4e0a-b35c-020ad9a6959q +id: 1664c41a-5f46-4f83-bd5d-619aa02870fc date: '2024-03-18' -description: 'Manually generated dataset for a single factor authentication attempt' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078.004 \ No newline at end of file +description: Manually generated dataset for a single factor authentication attempt +environment: attack_range +directory: okta_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: okta_single_factor_auth + path: /datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml index 9da19626d..57dfb7860 100644 --- a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml +++ b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: b63a92e5-412f-415f-abf9-bb29be4bbfc3 date: '2024-04-02' -description: 'Attempted to authenticate multiple times across different users with from the same Ip' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078/004/ +description: Attempted to authenticate multiple times across different users with + from the same Ip +environment: attack_range +directory: okta_threatinsight_threat_detected +mitre_technique: +- T1078.004 +datasets: +- name: okta_threatinsight_threat_detected + path: /datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.yml b/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.yml rename to datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml_old.yml diff --git a/datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy.yml b/datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy.yml rename to datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy_old.yml diff --git a/datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role.yml b/datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role.yml rename to datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role_old.yml diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml index 36e5957a4..144f3b992 100644 --- a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml +++ b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml @@ -3,12 +3,16 @@ id: cc9b2645-efc9-11eb-926b-550bf0943fbb date: '2021-02-22' description: This search looks for CloudTrail events where a user created a policy version that allows them to access any resource in their account -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_create_policy_version +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml index 618e60f45..2e721f558 100644 --- a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml +++ b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml @@ -5,14 +5,16 @@ description: CloudTrail events where a user A who has already permission to crea access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_createaccesskey +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml b/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml index d5f337d02..1bcec2df3 100644 --- a/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml +++ b/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml @@ -1,13 +1,16 @@ author: Bhavin Patel +id: 96c87adb-e09f-404c-8586-3132a9c2f949 date: '2021-02-22' -description: This dataset has CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -environment: Cloud Attack Range -technique: +description: This dataset has CloudTrail events where a user A(victim A) creates a + login profile for user B, followed by a AWS Console login event from user B from + the same src_ip as user B. This correlated event can be indicative of privilege + escalation since both events happened from the same src_ip +environment: attack_range +directory: aws_createloginprofile +mitre_technique: - T1078 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ -sourcetypes: -- aws:cloudtrail +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml index 2b3139793..8d8a8ef56 100644 --- a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml +++ b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml @@ -5,11 +5,12 @@ description: This search provides specific SAML access from specific Service Pro user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1552/004/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +environment: attack_range +directory: aws_saml_access_by_provider_user_and_principal +mitre_technique: +- T1078 +datasets: +- name: aws_saml_access_by_provider_user_and_principal + path: /datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml index 687dbb486..dd69f555d 100644 --- a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml +++ b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml @@ -5,11 +5,12 @@ description: This search provides detection of updates to SAML provider in AWS. to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1552/004/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +environment: attack_range +directory: aws_saml_update_identity_provider +mitre_technique: +- T1078 +datasets: +- name: aws_saml_update_identity_provider-json + path: /datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml index efe66eda8..3e9be852a 100644 --- a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml +++ b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml @@ -5,11 +5,12 @@ description: This dataset has CloudTrail events where a user has set a default p versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_setdefaultpolicyversion +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml b/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml index 187e85435..0b23b0c11 100644 --- a/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml +++ b/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml @@ -5,11 +5,16 @@ description: This dataset has CloudTrail events where a user A who has already p to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_updateloginprofile +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml index a5dfbbd45..f1ebe0094 100644 --- a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml +++ b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: 05a138d2-ba8f-40bc-9b26-ea01e06b6b72 date: '2023-10-25' -description: 'Used Invoke-MfaSweep with a valid account against an Azure AD tenant' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Used Invoke-MfaSweep with a valid account against an Azure AD tenant +environment: attack_range +directory: azure_ad_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: azure_ad_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role.yml b/datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role.yml rename to datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role_old.yml diff --git a/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml b/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml index 4feeab40f..6c627b26b 100644 --- a/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml +++ b/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml @@ -3,9 +3,11 @@ id: dd9b25d7-efc9-11eb-926b-330cf0943fbb date: '2021-11-15' description: Manual generation of attack data by enabling DefaultAccount on Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1078/002/ +directory: defaultaccount +mitre_technique: +- T1078 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml index f29be6cbd..7be4d10db 100644 --- a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml +++ b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml @@ -3,9 +3,11 @@ id: ebd8a8a8-e517-43d1-b744-a8260f18ef6e date: '2025-07-08' description: 'Sample of ESXi syslog events showing root logins from an external system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1078 +directory: esxi_external_root_login +mitre_technique: +- T1078 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml index 966851506..6dee33972 100644 --- a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml +++ b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml @@ -3,9 +3,11 @@ id: a61432b5-65c6-4509-b44a-3c176fa00d86 date: '2025-07-09' description: 'Sample of ESXi syslog events showing root logins from multple locations in quick succession.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1078 +directory: esxi_stolen_root_account +mitre_technique: +- T1078 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework.yml b/datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework.yml rename to datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework_old.yml diff --git a/datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource.yml b/datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource.yml rename to datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource_old.yml diff --git a/datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project.yml b/datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project.yml rename to datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project_old.yml diff --git a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml index b3f36c341..5c4113eab 100644 --- a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml +++ b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml @@ -4,11 +4,12 @@ date: '2021-01-26' description: This search detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078 -- https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ +environment: attack_range +directory: o365_excessive_sso_logon_errors +mitre_technique: +- T1078 +datasets: +- name: o365_excessive_sso_logon_errors-json + path: /datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml index b2bdd8197..00c8f1743 100644 --- a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml +++ b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: c1b7f147-4a2d-4405-83bb-ff9259b2de3a date: '2023-10-24' -description: 'Used Invoke-MfaSweep with a valid account against an O365 tenant' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Used Invoke-MfaSweep with a valid account against an O365 tenant +environment: attack_range +directory: o365_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: o365_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml index 47cdb78ac..e081abd87 100644 --- a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml +++ b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: 3fdec92b-7b2a-45ed-a74c-386708fbc877 date: '2024-03-11' -description: Manually reported suspicious user behavior using the link from an Okta email. -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078 +description: Manually reported suspicious user behavior using the link from an Okta + email. +environment: attack_range +directory: okta_suspicious_activity_reported_by_user +mitre_technique: +- T1078 +datasets: +- name: okta_suspicious_activity_reported_by_user + path: /datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml index 5cee58159..e6602fef0 100644 --- a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml +++ b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: b9cd42b4-d84d-4969-b61c-4a18b89efecd date: '2023-03-27' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder with a domain admin to discover network file shares and check access in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder with a + domain admin to discover network file shares and check access in an Active Directory + network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: special_logon_on_mulitple_hosts +mitre_technique: +- T1078 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078/splunkd_auth/audittrail.yml b/datasets/attack_techniques/T1078/splunkd_auth/audittrail_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/splunkd_auth/audittrail.yml rename to datasets/attack_techniques/T1078/splunkd_auth/audittrail_old.yml diff --git a/datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage.yml b/datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage.yml rename to datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage_old.yml diff --git a/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml b/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml index cc63bbe3d..b466fca56 100644 --- a/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml +++ b/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b2637-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Update saml provider in aws -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1078/ +environment: attack_range +directory: update_saml_provider +mitre_technique: +- T1078 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml index 2e5f4b303..4325fb5d1 100644 --- a/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml @@ -3,18 +3,11 @@ id: cc9b2615-efc9-11eb-926b-550bf0943fbb date: '2020-10-09' description: Atomic Red Team Execution of T1082 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1082 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +directory: atomic_red_team +mitre_technique: +- T1082 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml index 6782dd4fe..936e47562 100644 --- a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml +++ b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml @@ -3,9 +3,11 @@ id: 632f631d-6d62-4bc6-8b6b-c51a9134a016 date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to enumerate system information.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1082 +directory: esxi_system_information +mitre_technique: +- T1082 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml index 4e30b7738..d6641aa6d 100644 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml @@ -3,9 +3,11 @@ id: f0ce5c20-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd lsmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log -sourcetypes: -- 'linux:audit' -references: -- https://man7.org/linux/man-pages/man8/kmod.8.html \ No newline at end of file +directory: linux_auditd_lsmod +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml index 3d8a31c7f..2b608267b 100644 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml @@ -3,9 +3,11 @@ id: 10da084a-1ab1-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd lsmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log -sourcetypes: -- 'auditd' -references: -- https://man7.org/linux/man-pages/man8/kmod.8.html \ No newline at end of file +directory: linux_auditd_lsmod_new +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_new_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml b/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml index 1f26ade49..2c0aa98d8 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml @@ -3,9 +3,11 @@ id: a33aa580-5e02-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd find db in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log -sourcetypes: -- 'linux:audit' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_db +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_db + path: /datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml b/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml index 1a803e304..d66810f0f 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml @@ -3,9 +3,15 @@ id: 7146152c-ef94-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find document in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_document +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_file_dir_discovery + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_document + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml index 096b902c8..a41c146dc 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml @@ -3,9 +3,15 @@ id: 2a0d7642-efa7-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find virtual disk in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_virtual_disk +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_virtual_disk + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log + sourcetype: auditd + source: auditd +- name: auditd_execve_find_vhd + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml index 8d2eaf9be..4b5c5cd1a 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml @@ -3,9 +3,15 @@ id: 3747f0f4-ef9c-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd hidden file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_hidden_file +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log + sourcetype: auditd + source: auditd +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml index 8c8f301c7..c9a18c445 100644 --- a/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml @@ -1,13 +1,17 @@ author: Mauricio Velazco id: 1e2c5670-7953-492f-90e2-aa95aa190049 date: '2021-08-24' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1087.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml index c68a85cbf..c888bd0bb 100644 --- a/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml @@ -1,15 +1,33 @@ author: Teoderick Contreras id: 85738b9d-8066-4934-a6ad-3285db2085c3 date: '2021-08-24' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-LocalAdminAccess-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-DomainOU-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-ForestDomain-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-interestingACL-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml b/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml index fc44b0644..ce8352468 100644 --- a/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml +++ b/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml @@ -3,9 +3,19 @@ id: acd06afa-c6d6-11ec-9d0f-acde48001122 date: '2022-04-28' description: Generated datasets for adsi discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: adsi_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml1 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml b/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml index 72d7d666c..1aa9f6897 100644 --- a/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml +++ b/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: 3392c05e-dc43-4688-b695-d8265af0d6e8 date: '2021-09-07' -description: blackmailer ransomware accessing schcache due to creation of adsi object for its ldap query. +description: blackmailer ransomware accessing schcache due to creation of adsi object + for its ldap query. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: blackmatter_schcache +mitre_technique: +- T1087.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied_old.yml similarity index 100% rename from datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml rename to datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied_old.yml diff --git a/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml index f09a2c08f..dd6afba23 100644 --- a/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml +++ b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml @@ -2,10 +2,12 @@ author: Dean Luxton id: 14a1f8ea-e34a-449d-9081-0f16341e83c9 date: '2025-01-07' description: Detonating AzureHound against Frothly -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log -sourcetypes: -- azure:monitor:aad -references: -- https://github.com/SpecterOps/AzureHound \ No newline at end of file +environment: attack_range +directory: azurehound +mitre_technique: +- T1087.004 +datasets: +- name: azurehound + path: /datasets/attack_techniques/T1087.004/azurehound/azurehound.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml b/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml index 4723d83c3..aaba304bc 100644 --- a/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml +++ b/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml @@ -1,11 +1,14 @@ author: Bhavin Patel id: cc922114-efc9-11eb-926b-550bf0943f55 date: '2024-03-07' -description: This dataset is synthetically generated using by simulating events in a lab -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log -sourcetypes: -- OktaIM2:log -references: -- https: //attack.mitre.org/techniques/T1087.004 \ No newline at end of file +description: This dataset is synthetically generated using by simulating events in + a lab +environment: attack_range +directory: okta_unauth_access +mitre_technique: +- T1087.004 +datasets: +- name: okta_unauth_access + path: /datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml b/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml new file mode 100644 index 000000000..f213edc07 --- /dev/null +++ b/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a8798432-c057-489c-a8f3-310728397f62 +date: '2025-08-12' +description: Automatically categorized datasets in directory enumerate_users_local_group_using_telegram +environment: attack_range +directory: enumerate_users_local_group_using_telegram +mitre_technique: +- T1087 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire.yml b/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire_old.yml similarity index 100% rename from datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire.yml rename to datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire_old.yml diff --git a/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml b/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml index 9d0401ed9..62f2610c2 100644 --- a/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml +++ b/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 7bf3cd9f-08b8-45f4-93f4-0713375fb1e0 date: '2023-05-25' description: Generated datasets for netsh portproxy in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ +environment: attack_range +directory: netsh_portproxy +mitre_technique: +- T1090.001 +datasets: +- name: volt_sysmon + path: /datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.yml b/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed_old.yml similarity index 100% rename from datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.yml rename to datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed_old.yml diff --git a/datasets/attack_techniques/T1095/palologs/disable_rdp.yml b/datasets/attack_techniques/T1095/palologs/disable_rdp_old.yml similarity index 100% rename from datasets/attack_techniques/T1095/palologs/disable_rdp.yml rename to datasets/attack_techniques/T1095/palologs/disable_rdp_old.yml diff --git a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml index dd7302e13..1c5e85e4a 100644 --- a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml +++ b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 9a52b439-5e84-4378-9338-ab7771112346 date: '2022-08-18' -description: 'Manually added new client credentials (secret and certificate) for a Service Principal account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications -- https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/ +description: Manually added new client credentials (secret and certificate) for a + Service Principal account. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml index 6d487df02..b3cd6632a 100644 --- a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml +++ b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 3a911821-f424-4698-9083-e1143a035e12 date: '2023-09-01' -description: 'Manually added new client credentials (secret and certificate) for a Service Principal account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications \ No newline at end of file +description: Manually added new client credentials (secret and certificate) for a + Service Principal account. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: o365_service_principal_credentials + path: /datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml index 212787b4f..4256d6c81 100644 --- a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml +++ b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 3d1583ce-a8bd-48e0-a098-f602c0ebdb28 date: '2024-03-06' -description: 'Manually created a new API token using the Okta portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1098/001/ \ No newline at end of file +description: Manually created a new API token using the Okta portal. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_new_api_token_created +mitre_technique: +- T1098.001 +datasets: +- name: okta_new_api_token_created + path: /datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.yml b/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned_old.yml similarity index 100% rename from datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.yml rename to datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned_old.yml diff --git a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml index 1cdd7f2fc..031a270e5 100644 --- a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: 6cd62088-3b97-40d2-9469-769e09fbf085 date: '2024-01-29' -description: 'Manually assigned the full_access_as_app API permission to an application registration' -environment: Azure AD -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Manually assigned the full_access_as_app API permission to an application + registration +environment: attack_range +directory: full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml index d1e1c46e2..10c482db9 100644 --- a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: 284e870f-82f4-4d60-8903-d84a52644407 date: '2024-01-29' -description: 'Manually assigned the full_access_as_app API permission to an application registration' -environment: Office 365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Manually assigned the full_access_as_app API permission to an application + registration +environment: attack_range +directory: o365_full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: o365_full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml index 70225b20a..ef3cecd9e 100644 --- a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml +++ b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: d3b30181-a1d8-48e7-b695-bac28c10acd1 date: '2024-03-28' -description: 'Added mailbox permissions programatically using msInvader' -environment: Office 365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/002/ -- https://github.com/mvelazc0/msInvader \ No newline at end of file +description: Added mailbox permissions programatically using msInvader +environment: attack_range +directory: o365_mailbox_folder_read_granted +mitre_technique: +- T1098.002 +datasets: +- name: o365_mailbox_folder_read_granted + path: /datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml index f64968871..eb5f98225 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 3ee40ccb-0098-4738-88e7-76cfcc9026be date: '2023-09-14' -description: 'Manually added granted admin consent to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal \ No newline at end of file +description: Manually added granted admin consent to an application registration. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml index 3ee99d4d4..c477a66c8 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml @@ -1,12 +1,13 @@ author: Gowthamaraj Rajendran id: 2e0f8b91-0a1a-4617-9936-172815b5b4b5 date: '2022-08-17' -description: Manually assigned Global Administrator role to a user. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://attack.mitre.org/techniques/T1098/003/ +description: Manually assigned Global Administrator role to a user. +environment: attack_range +directory: azure_ad_assign_global_administrator +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml index 5c76e9c87..aaa98ce02 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 73315548-b201-42c2-a6e6-4333bb940287 date: '2022-08-29' -description: Manually assigned privileged Azure AD roles to a user. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://attack.mitre.org/techniques/T1098/003/ +description: Manually assigned privileged Azure AD roles to a user. +environment: attack_range +directory: azure_ad_assign_privileged_role +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml index 7be4a99d6..770ded3e7 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: 4e6ff64a-ab31-4935-a0a0-cdac3ca1a191 date: '2024-02-09' -description: 'Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass the admin consent process' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/003/ +description: Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass + the admin consent process +environment: attack_range +directory: azure_ad_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml index 7195fa812..e853ce073 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml @@ -2,11 +2,12 @@ author: Mauricio Velazco id: b6b3a10d-c90b-4b2c-9c6b-e200d16f266f date: '2023-04-26' description: Manually assigned and activated an Azure AD PIM role -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure -- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role +environment: attack_range +directory: azure_ad_pim_role_activated +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml index 35f17c797..1aeb35283 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: acdd083c-0ba8-4f5a-ba89-2e6855fb515d date: '2023-01-30' -description: Manually assigned a high privileged Graph API permission to an application registration. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log -sourcetypes: -- azure_monitor_aad -references: -- https://cloudbrothers.info/en/azure-attack-paths/ -- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json -- https://learn.microsoft.com/en-us/graph/permissions-reference -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 +description: Manually assigned a high privileged Graph API permission to an application + registration. +environment: attack_range +directory: azure_ad_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml index 1c258abc7..b2f30c4d3 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: d24bfc98-78d4-4610-ab73-a377c968bb4a date: '2023-04-28' description: Manually assigned privileged Azure AD roles to a service principal -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 -- https://attack.mitre.org/techniques/T1098/003/ +environment: attack_range +directory: azure_ad_privileged_role_serviceprincipal +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml index b2cb9022f..b8c946371 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml @@ -1,13 +1,13 @@ author: Dean Luxton id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b date: '2025-01-07' -description: Performing SPN Priviliege escalation. -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log -sourcetypes: -- azure:monitor:aad -references: -- https://github.com/mvelazc0/BadZure -- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html -- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc +description: Performing SPN Priviliege escalation. +environment: attack_range +directory: azure_ad_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_spn_privesc + path: /datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml b/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml index ac0010ac7..b3e24f48f 100644 --- a/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 324610ab-47d5-4428-95cb-1a4fabe7fe7b date: '2023-09-05' -description: 'Manually added granted admin consent to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal \ No newline at end of file +description: Manually added granted admin consent to an application registration. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: o365_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml index a1363add5..c7cbbde94 100644 --- a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: dc543b87-f169-4f05-8818-926b1eab8cf3 date: '2023-02-09' -description: 'Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass the admin consent process' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ +description: Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass + the admin consent process +environment: attack_range +directory: o365_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml index f9c5377b2..fb753d9b6 100644 --- a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml +++ b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 21ced607-7805-4725-943e-ea593097dd74 date: '2023-09-04' -description: 'Manually added new the Mail.Read Graph API permissions to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications \ No newline at end of file +description: Manually added new the Mail.Read Graph API permissions to an application + registration. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: o365_grant_mail_read +mitre_technique: +- T1098.003 +datasets: +- name: o365_grant_mail_read + path: /datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml index cf33eebf4..555ee6975 100644 --- a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml +++ b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 10c9c0de-2051-468e-8c86-6a5fc6678e94 date: '2023-10-20' -description: 'Manually added granted high privilege roles to a user in an Office 365 tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference -- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide -- https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role \ No newline at end of file +description: Manually added granted high privilege roles to a user in an Office 365 + tenant. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_high_priv_role_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_high_priv_role_assigned + path: /datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml index 2a25acf6b..1592c2c00 100644 --- a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml +++ b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 33369d17-7deb-47df-93f1-f458afdd3838 date: '2024-01-30' -description: Manually assigned a high privileged Graph API permission to an application registration. -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log -sourcetypes: -- o365:management:activity -references: -- https://cloudbrothers.info/en/azure-attack-paths/ -- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json -- https://learn.microsoft.com/en-us/graph/permissions-reference -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 +description: Manually assigned a high privileged Graph API permission to an application + registration. +environment: attack_range +directory: o365_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml index 0026242bc..64e4c9ec0 100644 --- a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml +++ b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml @@ -1,13 +1,13 @@ author: Dean Luxton id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b date: '2025-01-07' -description: Performing SPN Priviliege escalation. -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log -sourcetypes: -- o365:management:activity -references: -- https://github.com/mvelazc0/BadZure -- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html -- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc \ No newline at end of file +description: Performing SPN Priviliege escalation. +environment: attack_range +directory: o365_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: o365_spn_privesc + path: /datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml index a8f207309..dce50561a 100644 --- a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml +++ b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml @@ -3,9 +3,11 @@ id: ccf196f8-45d4-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd nopasswd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log -sourcetypes: -- 'auditd' -references: -- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ \ No newline at end of file +directory: linux_auditd_nopasswd +mitre_technique: +- T1098.004 +datasets: +- name: linux_auditd_ssh_config + path: /datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml index f1e8ab429..387aad11a 100644 --- a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml +++ b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml @@ -3,10 +3,15 @@ id: 6d3fda80-72dd-11ec-90de-acde48001122 date: '2022-01-11' description: Generated datasets for ssh authorized keys in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ \ No newline at end of file +directory: ssh_authorized_keys +mitre_technique: +- T1098.004 +datasets: +- name: authkey_linux-sysmon + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log + sourcetype: linux_secure + source: linux_secure +- name: sysmon_linux + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml index 37fdbdca7..8ff2160ff 100644 --- a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml +++ b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 1080fb28-9a11-40c8-907d-70daf17415e4 date: '2023-10-31' -description: 'Added a new MFA method for a user within an Azure AD tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/005/ -- https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ \ No newline at end of file +description: Added a new MFA method for a user within an Azure AD tenant. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: azure_ad_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: azure_ad_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml index 997e55931..7d526b318 100644 --- a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml +++ b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: ad17ba95-859f-4faf-b1fa-1c331d83822f date: '2023-10-20' -description: 'Added a new MFA method for a user within an Office 365 tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/005/ -- https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ \ No newline at end of file +description: Added a new MFA method for a user within an Office 365 tenant. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: o365_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: o365_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml index 6bcf93119..a81fe8c60 100644 --- a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml +++ b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: e8b09d11-6659-4bf9-85a5-4f804ddeeac0 date: '2024-03-08' -description: 'Enrolled a new device for a user within an Okta tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1098/005/ \ No newline at end of file +description: Enrolled a new device for a user within an Okta tenant. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_new_device_enrolled +mitre_technique: +- T1098.005 +datasets: +- name: okta_new_device_enrolled + path: /datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml b/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml index 1c4d9a2a9..6787c3314 100644 --- a/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml +++ b/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml @@ -2,18 +2,12 @@ author: Stanislav Miskovic id: cc9b25ec-efc9-11eb-926b-550bf0943fbb date: '2021-02-23' description: Account manipulation with likely malicious intent or tools. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllDSInternalsModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllMimikatzModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllPowerSploitModulesWithOldNames.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log -sourcetypes: -- WinEventLog:Security -- aws:cloudtrail -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1098/ +environment: attack_range +directory: account_manipulation +mitre_technique: +- T1098 +datasets: +- name: xml-windows-security + path: /datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml b/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml new file mode 100644 index 000000000..2ab76fb5e --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a3a9b580-0784-4205-952b-53c71752832d +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_delete_policy +environment: attack_range +directory: aws_iam_delete_policy +mitre_technique: +- T1098 +datasets: +- name: aws_iam_delete_policy-json + path: /datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml b/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml new file mode 100644 index 000000000..27fe479e5 --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: f00793d6-bbb7-446e-b78c-35b86cb6f0cc +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_failure_group_deletion +environment: attack_range +directory: aws_iam_failure_group_deletion +mitre_technique: +- T1098 +datasets: +- name: aws_iam_failure_group_deletion-json + path: /datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml b/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml new file mode 100644 index 000000000..b11c2b21c --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: af15eeb9-cadd-4e69-8346-3e83f7d988c0 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_successful_group_deletion +environment: attack_range +directory: aws_iam_successful_group_deletion +mitre_technique: +- T1098 +datasets: +- name: aws_iam_successful_group_deletion-json + path: /datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml index d7b58a65f..c306b8a19 100644 --- a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml +++ b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 629949e6-2905-4f9e-93da-7165df77f3ba date: '2022-08-30' -description: 'Manually added a new owner to a service principal using the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/ +description: Manually added a new owner to a service principal using the Azure portal. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_add_serviceprincipal_owner +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml index a2c603b9c..316910963 100644 --- a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml +++ b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 27d4f73d-6036-44f1-ad6d-a00a142ea33e date: '2022-08-30' -description: 'Manually enabled a previously disabled account and changed its password within 2 minutes using the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/ +description: Manually enabled a previously disabled account and changed its password + within 2 minutes using the Azure portal. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_enable_and_reset +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml index 1220a6e1a..2c932fdb9 100644 --- a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml +++ b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml @@ -1,17 +1,15 @@ author: Mauricio Velazco id: 5edadd1e-f507-4924-8622-6c85eeea3990 date: '2022-09-02' -description: 'Manually updated the ImmutableId atribute using the Set-MsolUser PowerShell commandlet. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://o365blog.com/post/federation-vulnerability/ -- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html -- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors -- https://github.com/Gerenios/AADInternals -- https://attack.mitre.org/techniques/T1098/ +description: Manually updated the ImmutableId atribute using the Set-MsolUser PowerShell + commandlet. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_set_immutableid +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml b/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml index 041522e64..5b339b76d 100644 --- a/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml +++ b/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml @@ -3,11 +3,11 @@ id: 164be50d-ff1c-482d-902a-cb65bf27ef93 date: '2022-04-06' description: Added a new user to the DnsAdmins active directory group. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ -- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise -- https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/ +directory: dnsadmins_member_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml new file mode 100644 index 000000000..48a2363f1 --- /dev/null +++ b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml @@ -0,0 +1,20 @@ +author: Dean Luxton +id: c34cf284-c478-4a27-8c98-f4a76b76b2fb +date: '2022-07-21' +description: Firstly resetting the DSRM account password using ntdsutil (captured + via the DSRM password reset event code 4795), second event was altering the functionality + of the DSRM account to enable it to become a backdoor account (reg.exe modifying + the DSRMAdminLogonBehavior value) +environment: attack_range +directory: dsrm_account +mitre_technique: +- T1098 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml deleted file mode 100644 index 591266e4b..000000000 --- a/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: c34cf284-c478-4a27-8c98-f4a76b76b2fb -date: '2022-07-21' -description: Firstly resetting the DSRM account password using ntdsutil (captured via the DSRM password reset event code 4795), second event was altering the functionality of the DSRM account to enable it to become a backdoor account (reg.exe modifying the DSRMAdminLogonBehavior value) -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log -sourcetypes: -- WinEventLog -- XmlWinEventLog -- xmlwineventlog -references: -- https://adsecurity.org/?p=1714 -- https://attack.mitre.org/techniques/T1098/ diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml index e562742e6..bc177e973 100644 --- a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml +++ b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml @@ -3,9 +3,11 @@ id: 7ebe0ae9-792a-4da1-aa7d-b338db54edfc date: '2025-07-08' description: 'Sample of ESXi syslog events showing account manipulation of esxi account with malicious intent.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1098/ +directory: esxi_account_modified +mitre_technique: +- T1098 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml index ba8682d40..fb79bfe15 100644 --- a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml +++ b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml @@ -3,9 +3,11 @@ id: 6957528c-1167-469f-a982-d03dea0ff09e date: '2025-07-09' description: 'Sample of ESXi syslog events showing account manipulation of esxi account to give it the admin role.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1098/ +directory: esxi_admin_role +mitre_technique: +- T1098 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change_old.yml similarity index 100% rename from datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml rename to datasets/attack_techniques/T1098/linux_password_change/linux_password_change_old.yml diff --git a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml index 3c303ffd4..3336fe006 100644 --- a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml +++ b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 0f9f0b2e-87d4-4a04-8cd0-9e2c6effcf65 date: '2023-09-06' -description: 'Manually added a new owner to an application registration on the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners +description: Manually added a new owner to an application registration on the Azure + portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_add_app_registration_owner +mitre_technique: +- T1098 +datasets: +- name: o365_add_app_registration_owner + path: /datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml index 07427af1e..0ac2e48b1 100644 --- a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml +++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml @@ -1,25 +1,15 @@ -author: Steven Dick -id: a44c84cb-231b-4657-8386-0f5d4b8f183e -date: '2024-4-13' -description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098 -- https://attack.mitre.org/techniques/T1484/002/ -- https://attack.mitre.org/techniques/T1136/003/ -- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference -- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide -- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal -- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 -- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html -- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/ -- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/ -- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf -- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 -- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/ -- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration -- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 \ No newline at end of file +author: Steven Dick +id: a44c84cb-231b-4657-8386-0f5d4b8f183e +date: 2024-4-13 +description: Various Office 365 events sourced from the Universal Access Log, meant + to duplicate other Azure detections without relying on using Azure event hubs in + the MS Cloud Services add-on. +environment: attack_range +directory: o365_azure_workload_events +mitre_technique: +- T1098 +datasets: +- name: o365_azure_workload_events + path: /datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml b/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml index 39e27597b..9c6bfb5ff 100644 --- a/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml +++ b/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 6a89cdab-e808-47b9-a1c3-0c890cf6d80b date: '2022-11-17' -description: Manually adding a Service Principal Name for a domain admin account account using setspn.exe +description: Manually adding a Service Principal Name for a domain admin account account + using setspn.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=3466 -- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting +directory: service_principal_name_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml b/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml index 27c335950..728382fa3 100644 --- a/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml +++ b/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 6d48ceda-9d92-42b7-b612-253032070b8b date: '2022-11-18' -description: Manually adding and then deleting a Service Principal Name for a domain admin account account using setspn.exe +description: Manually adding and then deleting a Service Principal Name for a domain + admin account account using setspn.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=3466 -- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting +directory: short_lived_service_principal_name +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml index 96b9d308f..d56314f6b 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml @@ -3,9 +3,11 @@ id: b4a3cd3d-c91a-4883-81b4-8b3d9b72d557 date: '2024-02-21' description: Deleted multiple users using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_accounts_deleted +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_deleted + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml index 7bf20e209..128284648 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml @@ -3,9 +3,11 @@ id: f206d1da-d4f1-4e2c-ab5f-41d8f96aa388 date: '2024-02-21' description: Disabled multiple users using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_accounts_disabled +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_disabled + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml index 3c047f9a7..a29691fa4 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml @@ -3,9 +3,11 @@ id: 383918f9-182a-4355-9f4f-edec858dfcad date: '2024-02-21' description: Updated multiple accounts passwords using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_passwords_changed +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_passwords_changed + path: /datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli.yml b/datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli_old.yml similarity index 100% rename from datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli.yml rename to datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli_old.yml diff --git a/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns.yml b/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns_old.yml similarity index 100% rename from datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns.yml rename to datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns_old.yml diff --git a/datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection.yml b/datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection_old.yml similarity index 100% rename from datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection.yml rename to datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection_old.yml diff --git a/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml index 73a662f96..b33f98809 100644 --- a/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml @@ -4,21 +4,23 @@ date: '2021-03-25' description: Successful execution of Atomic Red Team T1105 - Ingress Tool Transfer. Also included Invoke-CertUtil using different command switches. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- sysmon_linux -- bit9:carbonblack:json -references: -- https://attack.mitre.org/techniques/T1105 +directory: atomic_red_team +mitre_technique: +- T1105 +datasets: +- name: T1105_explorer-windows-security + path: /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon_curl_upload + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_curl + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query.yml b/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query_old.yml similarity index 100% rename from datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query.yml rename to datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query_old.yml diff --git a/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml b/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml index 00c5062fa..27ff5cced 100644 --- a/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml +++ b/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml @@ -3,9 +3,11 @@ id: efa49be2-3149-4802-b2b1-67c11403cb29 date: '2022-08-08' description: Dataset which contains cloudtrail events with AWS login failure. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1110/001/ \ No newline at end of file +directory: aws_login_failure +mitre_technique: +- T1110.001 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml index 36fac61cf..777088ffe 100644 --- a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 65340060-37c2-40fb-a969-45596e7c5e8b date: '2023-01-23' -description: 'Used Invoke-MSOLSpray to perform a brute force attack attack against a unique Azure AD account with 25 passwords. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/dafthack/MSOLSpray +description: Used Invoke-MSOLSpray to perform a brute force attack attack against + a unique Azure AD account with 25 passwords. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_high_number_of_failed_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml index 937d3e249..2a367a917 100644 --- a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml +++ b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 5f673895-0a89-4c21-bd0a-54d28fb4b948 date: '2023-01-24' -description: 'Used a browser to authenticate to the same Azure AD account from two different Ips. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://attack.mitre.org/techniques/T1110/003/ +description: Used a browser to authenticate to the same Azure AD account from two + different Ips. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_successful_authentication_from_different_ips +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source.yml b/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source.yml rename to datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source_old.yml diff --git a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml index 9770ea9f2..6e2a1540c 100644 --- a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml +++ b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 096d5c2a-e867-48a5-b78e-2c6587b397ab date: '2023-10-10' -description: 'Used o365spray to perform a brute force attack attack against a unique O365 account with 25 passwords. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/0xZDH/o365spray +description: Used o365spray to perform a brute force attack attack against a unique + O365 account with 25 passwords. Tenant specific details have been replaced in the + dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_high_number_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: o365_high_number_authentications_for_user + path: /datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml index e02401dec..2bd9e93c5 100644 --- a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml +++ b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml @@ -3,7 +3,11 @@ id: 22c3ece3-6513-4dbd-a8bb-3afd24eb354a date: '2025-01-10' description: data sets for rdp brute force attacks from attack range environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: rdp_brute_sysmon +mitre_technique: +- T1110.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml index a6fcae9e6..fd16fdd07 100644 --- a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml +++ b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml @@ -1,11 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: baa24d41-2a93-43c6-af77-ff9e97f75191 date: '2022-08-08' -description: Dataset which contains cloudtrail events with AWS RDS Database master password reset. +description: Dataset which contains cloudtrail events with AWS RDS Database master + password reset. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds/ \ No newline at end of file +directory: aws_rds_password_reset +mitre_technique: +- T1110.002 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml index 23ae40b01..ed58b0af9 100644 --- a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml +++ b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml @@ -1,12 +1,14 @@ author: Bhavin Patel id: cc9b2674-efc9-11eb-9211-110bf0943fbb date: '2022-09-26' -description: This dataset is generated from cloudtrail events in Attack range by manually simulating attacks -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1110/003/ - +description: This dataset is generated from cloudtrail events in Attack range by manually + simulating attacks +environment: attack_range +directory: aws_mulitple_failed_console_login +mitre_technique: +- T1110.003 +datasets: +- name: aws_cloudtrail-json + path: /datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user.yml b/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user.yml rename to datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user_old.yml diff --git a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml index 30534c829..9bd5e6534 100644 --- a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml +++ b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml @@ -1,16 +1,13 @@ -author: Mauricio Velazco -id: d1277c1d-ab8c-4b44-aaec-f77525d8e6f9 -date: '2023-11-06' -description: 'Used Invoke-MSOLSpray and fireprox to perform a distributed password spraying attack against an Azure AD tenant using 30 users accounts. The environment was created with BadZure - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://github.com/ustayready/fireprox -- https://github.com/mvelazc0/BadZure \ No newline at end of file +author: Generated by dataset_analyzer.py +id: a5169e72-9b94-4ac9-91f6-e48f9ef786f2 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_distributed_spray +environment: attack_range +directory: azure_ad_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: azure_ad_distributed_spray + path: /datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml b/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml index aaeff1e80..a818cb48d 100644 --- a/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml +++ b/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml @@ -1,15 +1,16 @@ author: Mauricio Velazco id: a962463f-581b-4faf-a237-da45248b4fb7 date: '2022-07-11' -description: 'Used Invoke-MSOLSpray to perform a password spraying attack against an Azure AD tenant using 50 users accounts. One of the authentication atttemps is successful. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +description: Used Invoke-MSOLSpray to perform a password spraying attack against an + Azure AD tenant using 50 users accounts. One of the authentication atttemps is successful. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azuread_highrisk +mitre_technique: +- T1110.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml index 318ae0533..92940101c 100644 --- a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml +++ b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml @@ -2,13 +2,12 @@ author: Bhavin Patel id: a962263f-581b-411f-a237-da45248b4fb7 date: '2022-10-11' description: This is a synthetic dataset based on a real login failure event -environment: Google Workspace tenant configured to send data to Splunk. Data parsed by Splunk_TA_Google_Workspace 2.3.0 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +environment: attack_range +directory: gcp_gws_multiple_login_failure +mitre_technique: +- T1110.003 +datasets: +- name: gws_login-json + path: /datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml rename to datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack_old.yml diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml rename to datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce_old.yml diff --git a/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml b/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml index 27b499695..fc2bd807b 100644 --- a/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml +++ b/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml @@ -1,16 +1,16 @@ author: Mauricio Velazco id: ce5ee9b2-8247-4744-99c3-fc943e3437d0 date: '2023-11-06' -description: 'Used o365 spray and fireprox to perform a distributed password spraying attack against an Offic3 365 tenant using 30 users accounts. The environment was created with BadZure. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distriyuted_spray.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/0xZDH/o365spray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://github.com/mvelazc0/BadZure -- https://github.com/ustayready/fireprox \ No newline at end of file +description: Used o365 spray and fireprox to perform a distributed password spraying + attack against an Offic3 365 tenant using 30 users accounts. The environment was + created with BadZure. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: o365_distributed_spray + path: /datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml index fc704f150..493c1f627 100644 --- a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml +++ b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: a15c0de3-afb5-4090-9205-72366c135f3c date: '2023-10-10' -description: 'Used o365 spray to perform a password spraying attack against an Office 365 tenant using 30 users accounts. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/0xZDH/o365spray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray +description: Used o365 spray to perform a password spraying attack against an Office + 365 tenant using 30 users accounts. Tenant specific details have been replaced in + the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: o365_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml index 5cb764d3f..65015e96c 100644 --- a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml +++ b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 84f64eb3-722c-4fe7-857c-c8e15bb96ef1 -date: '2022-02-29' -description: 'Used a tool to spray Okta users' -environment: Okta -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1110/003/ +date: '2022-02-27' +description: Used a tool to spray Okta users +environment: attack_range +directory: okta_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: okta_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml b/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml index c74915b3c..9401ab453 100644 --- a/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml +++ b/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: e73d690b-57d8-430f-be60-b64a0f1405cd date: '2023-06-16' -description: 'Used Invoke-MSOLSpray to perform a password spraying attack against an Azure AD tenant using 30 users accounts. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray +description: Used Invoke-MSOLSpray to perform a password spraying attack against an + Azure AD tenant using 30 users accounts. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: password_spraying_azuread +mitre_technique: +- T1110.003 +datasets: +- name: azuread_signin + path: /datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml new file mode 100644 index 000000000..45c880f7e --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9cd97ff0-127c-449a-90e2-018bf7f533fb +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_disabled_users_kerberos_xml +environment: attack_range +directory: purplesharp_disabled_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray.yml rename to datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml index bc4e503f7..f8bafc9fd 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco -id: +id: cc959a2c-7e5c-4a0b-a0fd-0f6e75eeaada date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Remote password spraying attack against one host using NTLM' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_explicit_credential_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml index 21fdd0ece..7b55ef1ab 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml @@ -3,12 +3,12 @@ id: 8d6bfa7a-0a19-4beb-8f19-6e9e1ba56f5a date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 randomly generated usernames' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_invalid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm.yml rename to datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml index b0215d31f..f170969c4 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml @@ -3,12 +3,12 @@ id: e44d2275-8b33-4244-9123-73e28eff4d77 date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: NTLM Password Spraying with randomly 50 generated usernames' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_invalid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process.yml rename to datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml index 57de90ab2..174e7120a 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml @@ -3,12 +3,12 @@ id: a9d28148-7cea-4b32-8ba9-71c1d2c80ccf date: '2022-09-09' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 random domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_multiple_users_from_process_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray.yml rename to datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml index b88af528c..18548d031 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml @@ -3,12 +3,12 @@ id: 327c6937-a2e5-4f1e-99bf-0ad58652ae0b date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Remote password spraying attack against one host using NTLM' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_remote_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml index 4b8310323..33aacef81 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml @@ -3,12 +3,12 @@ id: 5c8c641e-f287-457a-b291-12cfd34f9077 date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 randomly picked domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_valid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm.yml rename to datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml index bf9f55eea..9b672cf9e 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml @@ -3,12 +3,12 @@ id: 1dc8be3a-8648-4ff8-8858-a3f05384115e date: '2022-09-07' description: 'Automated generation of attack data using PurpleSharp: NTLM Password Spraying with 50 randomly picked domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_valid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml index 2b33e22b6..77cb8b0b1 100644 --- a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml +++ b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: c5017f8c-178d-4c06-ad70-556a2c499448 date: '2023-03-22' -description: Manually executed Crackmapexec to spray several endpoints with one combination of username and password using the Administrator account. This dataset contains the failed authentication events for 50+ endpoints. +description: Manually executed Crackmapexec to spray several endpoints with one combination + of username and password using the Administrator account. This dataset contains + the failed authentication events for 50+ endpoints. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110.004 -- https://wiki.porchetta.industries/smb-protocol/password-spraying \ No newline at end of file +directory: local_administrator_cred_stuffing +mitre_technique: +- T1110.004 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml index bbeddc30a..1ce0bd059 100644 --- a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml +++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml @@ -1,14 +1,13 @@ -author: Steven Dick -id: 27ba7e07-280e-4890-9b31-f2060d86f4c6 -date: '2024-12-19' -description: 'Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110 -- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ -- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/ -- https://github.com/dafthack/MFASweep/tree/master +author: Steven Dick +id: 27ba7e07-280e-4890-9b31-f2060d86f4c6 +date: '2024-12-19' +description: Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses. +environment: attack_range +directory: azure_mfasweep_events +mitre_technique: +- T1110 +datasets: +- name: azure_mfasweep_events + path: /datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml index 575295697..8be972666 100644 --- a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml +++ b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml @@ -3,9 +3,11 @@ id: 5c239f0f-ec10-4107-b6a0-c9228257e4b1 date: '2025-07-09' description: 'Sample of ESXi syslog events showing an ssh brute force attempt against an ESXi server.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1110 +directory: esxi_ssh_brute_force +mitre_technique: +- T1110 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml b/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml index 2a183380f..000ec2284 100644 --- a/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml +++ b/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml @@ -3,10 +3,11 @@ id: cc9b2650-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Brute Force Attack O365 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_brute_force_login +mitre_technique: +- T1110 +datasets: +- name: o365_brute_force_login-json + path: /datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml index 12c146792..0655ffe91 100644 --- a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml +++ b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco, Splunk id: 0419ad47-a1c2-46b2-a647-4651456a9029 date: '2024-03-04' -description: Performed a brute force attack against an Okta tenant until accounts were locked out. -environment: Okta -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1110/ \ No newline at end of file +description: Performed a brute force attack against an Okta tenant until accounts + were locked out. +environment: attack_range +directory: okta_multiple_accounts_lockout +mitre_technique: +- T1110 +datasets: +- name: okta_multiple_accounts_lockout + path: /datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml index 71f8f2228..eacf8e166 100644 --- a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml +++ b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 4bfb4b66-673f-4f7e-863d-c812ee74d9a1 date: '2023-11-23' description: Generated datasets for AuthenticationLevelOverride in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate +environment: attack_range +directory: AuthenticationLevelOverride +mitre_technique: +- T1112 +datasets: +- name: auth_sys + path: /datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml b/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml rename to datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias_old.yml diff --git a/datasets/attack_techniques/T1112/T1112.yml b/datasets/attack_techniques/T1112/T1112_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/T1112.yml rename to datasets/attack_techniques/T1112/T1112_old.yml diff --git a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml index 19782c182..22589883d 100644 --- a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml @@ -7,20 +7,23 @@ description: 'Atomic Test Results: Successful Execution of test T1112-1 Modify R logon credentials Successful Execution of test T1112-4 Add domain to Trusted sites Zone Successful Execution of test T1112-5 Javascript in registry ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1112 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md -- https://github.com/splunk/security-content/blob/develop/tests/T1112.yml +directory: atomic_red_team +mitre_technique: +- T1112 +datasets: +- name: wdigest_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: safemode_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-webview + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting.yml b/datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting.yml rename to datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting_old.yml diff --git a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml index 1c7295429..39266ce7e 100644 --- a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml +++ b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 01f4eb45-edd9-4618-a606-c2848c5fa0cb date: '2023-07-10' description: Generated datasets for enablelinkedconnections in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ +environment: attack_range +directory: enablelinkedconnections +mitre_technique: +- T1112 +datasets: +- name: blackbyte_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml index 0f9d134ff..8f9809318 100644 --- a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml +++ b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 50a77464-fdac-4102-b0d8-ae74b00c3c1d date: '2023-07-10' description: Generated datasets for longpathsenabled in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ +environment: attack_range +directory: longpathsenabled +mitre_technique: +- T1112 +datasets: +- name: longpath_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml b/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml index 9475c9a21..018a3ee38 100644 --- a/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml +++ b/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml @@ -3,9 +3,11 @@ id: fb50a0d2-8fd6-11ec-b295-acde48001122 date: '2022-02-17' description: Generated datasets for disable notif center in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html \ No newline at end of file +directory: disable_notif_center +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/disable_notif_center/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/disable_rdp/disable_rdp.yml b/datasets/attack_techniques/T1112/disable_rdp/disable_rdp_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/disable_rdp/disable_rdp.yml rename to datasets/attack_techniques/T1112/disable_rdp/disable_rdp_old.yml diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml index 2694f7118..57e32fa0d 100644 --- a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml @@ -3,9 +3,15 @@ id: f3c9a6d2-3f61-11ef-8fb2-acde48001122 date: '2024-07-11' description: Generated datasets for firewall modify delete in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ \ No newline at end of file +directory: firewall_modify_delete +mitre_technique: +- T1112 +datasets: +- name: firewall-mod-delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: firewall_mod_delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.yml b/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.yml rename to datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg_old.yml diff --git a/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml b/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml index 6ab72f217..4d6534e0b 100644 --- a/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml +++ b/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml @@ -3,7 +3,11 @@ id: 732edf10-2522-47de-be21-710ac8dcde73 date: '2021-10-05' description: minint registry datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: minint_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/minint_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry.yml b/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry.yml rename to datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry_old.yml diff --git a/datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper.yml b/datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper.yml rename to datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper_old.yml diff --git a/datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml b/datasets/attack_techniques/T1112/proxy_enable/proxy_enable_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml rename to datasets/attack_techniques/T1112/proxy_enable/proxy_enable_old.yml diff --git a/datasets/attack_techniques/T1112/proxy_server/proxy_server.yml b/datasets/attack_techniques/T1112/proxy_server/proxy_server_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/proxy_server/proxy_server.yml rename to datasets/attack_techniques/T1112/proxy_server/proxy_server_old.yml diff --git a/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.yml b/datasets/attack_techniques/T1112/pwn_reg/pwn_reg_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/pwn_reg/pwn_reg.yml rename to datasets/attack_techniques/T1112/pwn_reg/pwn_reg_old.yml diff --git a/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml b/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml index 7eb2a558c..48b8ff747 100644 --- a/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml +++ b/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml @@ -3,9 +3,11 @@ id: c5bf208a-9ecf-11ec-98d7-acde48001122 date: '2022-03-08' description: Generated datasets for ransomware disable reg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ \ No newline at end of file +directory: ransomware_disable_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml index 7f706d0ff..6bc5b5a99 100644 --- a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml +++ b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml @@ -3,9 +3,11 @@ id: eff617c0-72aa-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for reg profiles private in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: reg_profiles_private +mitre_technique: +- T1112 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1112/reg_profiles_private/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml b/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml index 54fac6dc7..edb138274 100644 --- a/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml +++ b/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml @@ -3,7 +3,11 @@ id: 112d5721-f697-4bec-b42c-a227d4109898 date: '2021-10-05' description: shimcache flush datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: shimcache_flush +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/shimcache_flush/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy.yml b/datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy.yml rename to datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy_old.yml diff --git a/datasets/attack_techniques/T1112/test_registry/test_registry.yml b/datasets/attack_techniques/T1112/test_registry/test_registry_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/test_registry/test_registry.yml rename to datasets/attack_techniques/T1112/test_registry/test_registry_old.yml diff --git a/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.yml b/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.yml rename to datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2_old.yml diff --git a/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml b/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml rename to datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui_old.yml diff --git a/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior.yml b/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior.yml rename to datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior_old.yml diff --git a/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.yml b/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot_old.yml similarity index 100% rename from datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.yml rename to datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot_old.yml diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml index dd06918fe..5a79588c5 100644 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 2ee0daa3-784e-4113-8c3b-63f5a597501d date: '2024-04-01' -description: 'Manually exported a content search on M365 compliance portal' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 \ No newline at end of file +description: Manually exported a content search on M365 compliance portal +environment: attack_range +directory: o365_compliance_content_search_exported +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_exported + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml index af026082b..dcf28744b 100644 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 779bf322-0493-41d8-b0db-d6f012057ce8 date: '2024-04-01' -description: 'Manually start a content search on M365 compliance portal' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 \ No newline at end of file +description: Manually start a content search on M365 compliance portal +environment: attack_range +directory: o365_compliance_content_search_started +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_started + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml index 31139e7b1..9f21d6e2f 100644 --- a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml +++ b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 2751009e-d929-4f65-aee4-c1222b414305 date: '2023-09-06' -description: 'Manually provided inbox folder access to Anonymous. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf \ No newline at end of file +description: Manually provided inbox folder access to Anonymous. Tenant specific details + have been replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_inbox_shared_with_all_users +mitre_technique: +- T1114.002 +datasets: +- name: o365_inbox_shared_with_all_users + path: /datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml index bb68bed68..e0f4c5cb4 100644 --- a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml +++ b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 3da9163a-e320-4dd1-9c2c-dddf0436f9ba date: '2024-02-01' -description: 'Manually accessed multipla O365 mailboxes using the Graph API and an OAuth application registration using a python script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in -- https://learn.microsoft.com/en-us/graph/permissions-reference \ No newline at end of file +description: Manually accessed multipla O365 mailboxes using the Graph API and an + OAuth application registration using a python script +environment: attack_range +directory: o365_multiple_mailboxes_accessed_via_api +mitre_technique: +- T1114.002 +datasets: +- name: o365_multiple_mailboxes_accessed_via_api + path: /datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log + sourcetype: o365:management:activity + source: o365 \ No newline at end of file diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml index ace2228bf..0e626af88 100644 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 7ffc2d34-d6c4-4987-bbfa-b1195a93affc date: '2024-02-01' -description: 'Manually accessed O365 emails via Exchange Web Services and an OAuth application registration using a PowerShell script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture \ No newline at end of file +description: Manually accessed O365 emails via Exchange Web Services and an OAuth + application registration using a PowerShell script +environment: attack_range +directory: o365_oauth_app_ews_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_ews_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml index 762d845aa..27478ae2c 100644 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 82a7da52-467c-40f2-bbdb-37c97bbf67be date: '2024-01-31' -description: 'Manually accessed O365 emails via the Graph API and an OAuth application registration using a PowerShell script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in -- https://learn.microsoft.com/en-us/graph/permissions-reference \ No newline at end of file +description: Manually accessed O365 emails via the Graph API and an OAuth application + registration using a PowerShell script +environment: attack_range +directory: o365_oauth_app_graph_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_graph_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.yml b/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation_old.yml similarity index 100% rename from datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.yml rename to datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation_old.yml diff --git a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml index 6f3949754..89974f8e4 100644 --- a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml +++ b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: 3e913102-26d8-4c05-aa42-7adb788db03d date: '2024-03-28' -description: 'Created a forwarding rule programatically using msInvader' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide -- https://github.com/mvelazc0/msInvader \ No newline at end of file +description: Created a forwarding rule programatically using msInvader +environment: attack_range +directory: o365_email_forwarding_rule_created +mitre_technique: +- T1114.003 +datasets: +- name: o365_email_forwarding_rule_created + path: /datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml deleted file mode 100644 index 948deb135..000000000 --- a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Patrick Bareiss -id: cc9b25f8-efc9-11eb-926b-550bf0943fbb -date: '2020-12-16' -description: Configured forwarding rules for mailboxes in Office 365. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/003 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf diff --git a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml new file mode 100644 index 000000000..0a6bb4654 --- /dev/null +++ b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml @@ -0,0 +1,13 @@ +author: Patrick Bareiss +id: cc9b25f8-efc9-11eb-926b-550bf0943fbb +date: '2020-12-16' +description: Configured forwarding rules for mailboxes in Office 365. +environment: attack_range +directory: o365_mailbox_forwarding_enabled +mitre_technique: +- T1114.003 +datasets: +- name: o365_mailbox_forwarding_enabled-json + path: /datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change_old.yml similarity index 100% rename from datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml rename to datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change_old.yml diff --git a/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml b/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml index a93cb5a02..6eb0e0fcf 100644 --- a/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml +++ b/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml @@ -3,10 +3,11 @@ id: cc9b2651-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Export PST file in O365 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_export_pst_file +mitre_technique: +- T1114 +datasets: +- name: o365_export_pst_file-json + path: /datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml index 755bbf33c..9c8100fee 100644 --- a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml +++ b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml @@ -2,11 +2,12 @@ author: Mauricio Velazco id: a23751d9-73dc-4f83-bbaa-79f9f56cb3ee date: '2023-04-10' description: Created a forwarding mailflow rule in Office 365 using PowerShell. -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/ -- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules +environment: attack_range +directory: o365_new_forwarding_mailflow_rule_created +mitre_technique: +- T1114 +datasets: +- name: o365_new_forwarding_mailflow_rule_created + path: /datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml index c3261d253..391323b4f 100644 --- a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml +++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml @@ -1,15 +1,17 @@ -author: Steven Dick -id: 986d1ac2-f76a-48d8-b3af-bf76dc4e80a4 -date: '2025-01-20' -description: 'Sample of events when an actor compromises a mailbox and conducts certain suspect activities such as email hard deletes, exfiltration, or password/banking information changes.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log -sourcetypes: -- o365:management:activity -- o365:reporting:messagetrace -references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack \ No newline at end of file +author: Generated by dataset_analyzer.py +id: 16bfceea-a344-4013-8c6d-8a5ffe7fd5eb +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_suspect_email_actions +environment: attack_range +directory: o365_suspect_email_actions +mitre_technique: +- T1114 +datasets: +- name: o365_messagetrace_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + sourcetype: o365:management:activity + source: o365 +- name: o365_exchange_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml b/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml index 8f980ad96..57325f153 100644 --- a/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml +++ b/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml @@ -3,9 +3,15 @@ id: 92f98534-ef83-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd xclip in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log -sourcetypes: -- 'auditd' -references: -- https://linux.die.net/man/1/xclip \ No newline at end of file +directory: linux_auditd_xclip +mitre_technique: +- T1115 +datasets: +- name: linux_auditd_xclip + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log + sourcetype: auditd + source: auditd +- name: linux_auditd_xclip2 + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync.yml b/datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync_old.yml similarity index 100% rename from datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync.yml rename to datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync_old.yml diff --git a/datasets/attack_techniques/T1127.001/T1127.001.yml b/datasets/attack_techniques/T1127.001/T1127.001.yml new file mode 100644 index 000000000..269fca229 --- /dev/null +++ b/datasets/attack_techniques/T1127.001/T1127.001.yml @@ -0,0 +1,13 @@ +author: Michael Haag +id: cc9b261a-efc9-11eb-926b-550bf0943fbb +date: '2021-01-15' +description: MSBuild.exe execution simulating a suspicious spawn, renamed and moved. +environment: attack_range +directory: T1127.001 +mitre_technique: +- T1127.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1127.001/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127.001/atomic_red_team.yml b/datasets/attack_techniques/T1127.001/atomic_red_team.yml deleted file mode 100644 index 8593cb13c..000000000 --- a/datasets/attack_techniques/T1127.001/atomic_red_team.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag -id: cc9b261a-efc9-11eb-926b-550bf0943fbb -date: '2021-01-15' -description: MSBuild.exe execution simulating a suspicious spawn, renamed and moved. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1127/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md -- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ diff --git a/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml b/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml index d7f853624..98980659f 100644 --- a/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml +++ b/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml @@ -3,9 +3,11 @@ id: 6e769297-65cc-473f-9df8-1698364c5942 date: '2021-10-03' description: data sets for njrat vbs malware.. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/powershell.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational +directory: regsvr32_silent +mitre_technique: +- T1127.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml index 9af9816a5..5c863d8be 100644 --- a/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml @@ -3,11 +3,11 @@ id: cc9b25ea-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Microsoft.workflow.compiler.exe usage including renamed and moved. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1127/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution -- https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/ +directory: atomic_red_team +mitre_technique: +- T1127 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml b/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml index b2dbb6144..47880f950 100644 --- a/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml +++ b/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml @@ -3,7 +3,11 @@ id: c528749d-6fb9-43e1-814f-dc39bfece3cd date: '2021-10-07' description: etw disable registry datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: etw_disable +mitre_technique: +- T1127 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127/etw_disable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules.yml b/datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules_old.yml similarity index 100% rename from datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules.yml rename to datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules_old.yml diff --git a/datasets/attack_techniques/T1133/rdp/rdp_terminalservices.yml b/datasets/attack_techniques/T1133/rdp/rdp_terminalservices_old.yml similarity index 100% rename from datasets/attack_techniques/T1133/rdp/rdp_terminalservices.yml rename to datasets/attack_techniques/T1133/rdp/rdp_terminalservices_old.yml diff --git a/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml b/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml new file mode 100644 index 000000000..b267f8e67 --- /dev/null +++ b/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml @@ -0,0 +1,15 @@ +author: Dean Luxton +id: fbedf606-d7c8-4fe5-96ae-ad0526b90ec0 +date: '2022-08-23' +description: Utilising the sid::patch & sid::add commands from a mimikatz shell running + debug privilegs. Successfully patched ntds & added a SID history ad attribute to + a user object. Note, also works with computer accounts ;) +environment: attack_range +directory: mimikatz +mitre_technique: +- T1134.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml b/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml deleted file mode 100644 index 930777e90..000000000 --- a/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Dean Luxton -id: fbedf606-d7c8-4fe5-96ae-ad0526b90ec0 -date: '2022-08-23' -description: Utilising the sid::patch & sid::add commands from a mimikatz shell running debug privilegs. Successfully patched ntds & added a SID history ad attribute to a user object. Note, also works with computer accounts ;) -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1772 -- https://attack.mitre.org/techniques/T1134/005/ diff --git a/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml b/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml index d64b12805..9d8c2c45c 100644 --- a/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml +++ b/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 9a0a610f-a53a-405f-ace7-0c3e2809ed68 date: '2022-11-17' -description: Utilising the sid::patch & sid::add commands from a mimikatz shell running debug privilegs. Successfully patched ntds & added a SID history ad attribute to a user object. +description: Utilising the sid::patch & sid::add commands from a mimikatz shell running + debug privilegs. Successfully patched ntds & added a SID history ad attribute to + a user object. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1772 -- https://attack.mitre.org/techniques/T1134/005/ +directory: sid_history2 +mitre_technique: +- T1134.005 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1134.005/sid_history2/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml b/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline_old.yml similarity index 100% rename from datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml rename to datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline_old.yml diff --git a/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml b/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml index b2e1d9dcb..84ebebc17 100644 --- a/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml +++ b/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: acc6dde7-c023-46ba-abfc-9a16b664797d date: '2023-03-23' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: ipc_share_accessed +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml index 771687203..cc57b7eb0 100644 --- a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml +++ b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 03c013d4-3818-454b-b907-0f81330d6197 date: '2023-03-21' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network. This dataset contains the Kerberos service ticket requests for 50+ endpoints. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network. This dataset contains the Kerberos + service ticket requests for 50+ endpoints. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: large_number_computer_service_tickets +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/net_share/net_share.yml b/datasets/attack_techniques/T1135/net_share/net_share.yml index e26815960..d5d7b8bdb 100644 --- a/datasets/attack_techniques/T1135/net_share/net_share.yml +++ b/datasets/attack_techniques/T1135/net_share/net_share.yml @@ -1,11 +1,14 @@ author: Dean Luxton -id: 112a2ded-6924-4a3a-a30c-e527b9c9d75d +id: 112a2ded-6924-4a3a-a30c-e527b9c9d75d date: '2023-04-21' -description: Manually executed Net Share to discover network file shares in an Active Directory network. +description: Manually executed Net Share to discover network file shares in an Active + Directory network. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1135 +directory: net_share +mitre_technique: +- T1135 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1135/net_share/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml index fb0e42656..ba734f3ca 100644 --- a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml +++ b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml @@ -2,10 +2,16 @@ author: Teoderick Contreras, Splunk id: fe9d47bb-2da6-41d0-b8ac-ed38f3a08f71 date: '2023-05-23' description: Generated datasets for net share discovery via dir in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +environment: attack_range +directory: net_share_discovery_via_dir +mitre_technique: +- T1135 +datasets: +- name: smb_access_security_xml + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Auditing +- name: smbaccess-5140-security-xml2 + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Auditing diff --git a/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml b/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml index 57e3f56d9..183827344 100644 --- a/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml +++ b/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: f2a92824-4e44-4a7a-bcc6-fbbcfbab4686 date: '2023-03-20' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: powerview_sharefinder +mitre_technique: +- T1135 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml index 7a1bfd395..e0ce9e6e6 100644 --- a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml +++ b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 9024a52e-836e-4e95-aea8-ef37cde946e6 date: '2023-03-23' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: rapid_authentication_multiple_hosts +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml index adde9f4ae..0818075ec 100644 --- a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml @@ -6,23 +6,31 @@ description: 'Atomic Test Results: Return value unclear for test T1136.001-3 Cre new user in PowerShell Successful Execution of test T1136.001-6 Create a new Windows admin user ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1136/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1136_001.yml +directory: atomic_red_team +mitre_technique: +- T1136.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: xml-windows-security + path: /datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml index 66727f3ca..97ec54804 100644 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml @@ -3,9 +3,15 @@ id: 96cbb496-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd add user in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log -sourcetypes: -- 'auditd' -references: -- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ \ No newline at end of file +directory: linux_auditd_add_user +mitre_technique: +- T1136.001 +datasets: +- name: auditd_proctitle_user_add + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log + sourcetype: auditd + source: auditd +- name: linux_auditd_add_user + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml index baf09b08f..b943aff42 100644 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml @@ -3,9 +3,11 @@ id: 6f5ae8be-5a20-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd add user type in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_add_user_type +mitre_technique: +- T1136.001 +datasets: +- name: linux_auditd_add_user_type + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.001/net_create_user/net_create_user.yml b/datasets/attack_techniques/T1136.001/net_create_user/net_create_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1136.001/net_create_user/net_create_user.yml rename to datasets/attack_techniques/T1136.001/net_create_user/net_create_user_old.yml diff --git a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml index 4807b01ac..15840fc86 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml @@ -1,13 +1,13 @@ author: Gowthamaraj Rajendran id: 6cdf42f8-1c1e-454c-a56e-8aad7f084a6d date: '2022-08-17' -description: Manually add Service Principal in the Azure AD. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals -- https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0 -- https://attack.mitre.org/techniques/T1136/003/ +description: Manually add Service Principal in the Azure AD. +environment: attack_range +directory: azure_ad_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml index 025eddc93..8907c3614 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml @@ -1,13 +1,14 @@ author: Gowthamaraj Rajendran id: 6cdf42f8-1c1e-454c-a56e-8aad7f084a6a date: '2022-08-18' -description: Manually invite External Guest user to the Azure AD. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf -- https://attack.mitre.org/techniques/T1136/003/ -- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal +description: Manually invite External Guest user to the Azure AD. Tenant specific + details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_ad_external_guest_user_invited +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml index db7d780a3..b370e49c5 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 55543737-a4d0-42fe-909e-c2750e409700 date: '2024-02-07' -description: -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ +description: 'azure ad multiple service principals created' +environment: attack_range +directory: azure_ad_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: azure_ad_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml b/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml index c7eb14120..63af336ff 100644 --- a/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml +++ b/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: ea2f4a6a-424f-4c5a-9974-ac61a9d96122 date: '2022-08-19' -description: Manually create an Azure Automation account using the Azure Portal. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html -- https://attack.mitre.org/techniques/T1136/003/ \ No newline at end of file +description: Manually create an Azure Automation account using the Azure Portal. Tenant + specific details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_automation_account +mitre_technique: +- T1136.003 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml index 6eb13f38b..fe810a54c 100644 --- a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml +++ b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml @@ -3,11 +3,12 @@ id: cc9b25da-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the creation of a new Federation setting by alerting about an specific event related to its creation. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_add_app_role_assignment_grant_user +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_app_role_assignment_grant_user-json + path: /datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml b/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml index 85ac52cee..ad842261a 100644 --- a/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25dd-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add service principal credentials -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml b/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml index f94a8c8a4..99403f88b 100644 --- a/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml @@ -3,11 +3,16 @@ id: cc9b25db-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the creation of a new Federation setting by alerting about an specific event related to its creation. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_added_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log + sourcetype: o365:management:activity + source: o365 +- name: o365_added_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml index c256a6c03..409b3c302 100644 --- a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: f9e755a0-5abc-4675-8313-79da901c87dd date: '2024-02-07' -description: -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ +description: 'o365 multiple service principals created' +environment: attack_range +directory: o365_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: o365_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml index 86330da60..0fc00365c 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25de-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add-FederatedDomain -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain/oo365_new_federated_domain.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_new_federated_domain +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federated_domain-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml index 12814b21e..05df38651 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml @@ -2,11 +2,16 @@ author: Rod Soto id: cc9b25d9-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the addition of a new Federated domain. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_new_federated_domain_added +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_federated_domain + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log + sourcetype: o365:management:activity + source: o365 +- name: o365_new_federated_domain_added-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml b/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml index 720115ede..3594ad52a 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25dc-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add app role assignment grant to user -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_new_federation +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federation-json + path: /datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml rename to datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user_old.yml diff --git a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml index 03addd324..b89e37c57 100644 --- a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml @@ -4,12 +4,11 @@ date: '2021-03-25' description: 'Atomic Red Team test results of T1140, certutil.exe decode. Also included Invoke-CertUtil decoding files. ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/encode-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1140 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md +directory: atomic_red_team +mitre_technique: +- T1140 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml b/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml index 14162f1d1..0c914076c 100644 --- a/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml +++ b/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml @@ -3,9 +3,15 @@ id: d027d710-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd base64 in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log -sourcetypes: -- 'auditd' -references: -- https://gtfobins.github.io/gtfobins/dd/ \ No newline at end of file +directory: linux_auditd_base64 +mitre_technique: +- T1140 +datasets: +- name: auditd_execve_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log + sourcetype: auditd + source: auditd +- name: linux_auditd_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1176.001/disable_extension/disable_extension.yml b/datasets/attack_techniques/T1176.001/disable_extension/disable_extension_old.yml similarity index 100% rename from datasets/attack_techniques/T1176.001/disable_extension/disable_extension.yml rename to datasets/attack_techniques/T1176.001/disable_extension/disable_extension_old.yml diff --git a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml index b494c2371..7c0d1db6a 100644 --- a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml @@ -1,15 +1,15 @@ author: Bhavin Patel id: c56117f4-95de-46ae-8fbe-7b41e49bf95e date: '2023-01-24' -description: 'Used Evilnginx2 to phish an AWS user and steal session cookies , then logged into the console from attacker machiner while the session from victim machine was also connected.' -environment: STRT AWS Account -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1185 -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx2 to phish an AWS user and steal session cookies , then + logged into the console from attacker machiner while the session from victim machine + was also connected. +environment: attack_range +directory: aws_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml index 394f35b90..33fc2b78b 100644 --- a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml @@ -1,14 +1,16 @@ author: Mauricio Velazco id: c56d67f4-95de-46ae-8fbe-7b41e49bf95e date: '2023-01-24' -description: 'Used Evilnginx2 to phish an Azure AD user and steal session cookies. Then, imported the stolen session cookies into a different browser to access Azure AD resources from a different location and source ip. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx2 to phish an Azure AD user and steal session cookies. + Then, imported the stolen session cookies into a different browser to access Azure + AD resources from a different location and source ip. Tenant specific details have + been replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1185/headlessbrowser/headless_browser.yml b/datasets/attack_techniques/T1185/headlessbrowser/headless_browser_old.yml similarity index 100% rename from datasets/attack_techniques/T1185/headlessbrowser/headless_browser.yml rename to datasets/attack_techniques/T1185/headlessbrowser/headless_browser_old.yml diff --git a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml index fdc2952e1..75da0faa1 100644 --- a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml @@ -1,14 +1,16 @@ author: Mauricio Velazco id: 892ce442-f2e8-4e4c-894e-cb068ffe1fee date: '2023-12-04' -description: 'Used Evilnginx3 to phish an O365 user and steal session cookies. Then, imported the stolen session cookies into a different browser to access M365 resources from a different location and source ip. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: O365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1185/ -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx3 to phish an O365 user and steal session cookies. Then, + imported the stolen session cookies into a different browser to access M365 resources + from a different location and source ip. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: o365_concurrent_sessions_from_different_ips + path: /datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml b/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml index 0869323da..7f5d33187 100644 --- a/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml +++ b/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml @@ -1,13 +1,18 @@ author: Mauricio Velazcom, Michael Haag id: 5b562df1-7eca-4b70-bbbc-d2e870739abc date: '2021-09-01' -description: Running Petitpotam, ntlmrealy, Rubeus and mimikatz to obtain a TGT as a domain controller and execute a DcSyn attack. +description: Running Petitpotam, ntlmrealy, Rubeus and mimikatz to obtain a TGT as + a domain controller and execute a DcSyn attack. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/TA1187/petitpotam/windows-security.log -sourcetypes: -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1187/ -- https://github.com/topotam/PetitPotam -- https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429 +directory: petitpotam +mitre_technique: +- T1187 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml b/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml index 975344510..2fd647887 100644 --- a/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml +++ b/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml @@ -3,9 +3,11 @@ id: cc9b266c-efc9-11eb-926b-550bf0943fbb date: '2021-01-14' description: Manual generation of attack data by browsing to dyndns site of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1189 +directory: dyn_dns_site +mitre_technique: +- T1189 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml b/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml deleted file mode 100644 index b0da77549..000000000 --- a/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Rod Soto -id: cc99276c-bac9-24eb-726b-551bf0903fbb -date: '2024-12-27' -description: Manual generation of attack data -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/svd-2024-1011.log -sourcetypes: -- splunkd_ui_access -references: -- https://attack.mitre.org/techniques/T1189 diff --git a/datasets/attack_techniques/T1189/xss/splunk_web_access.yml b/datasets/attack_techniques/T1189/xss/splunk_web_access.yml deleted file mode 100644 index 62da98b70..000000000 --- a/datasets/attack_techniques/T1189/xss/splunk_web_access.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Lou Stella -id: cc9b266c-efc9-24eb-726b-550bf0943fbb -date: '2022-04-27' -description: Manual generation of attack data by inserting parameters in Splunk monitoring console. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log -sourcetypes: -- splunk_web_access -references: -- https://attack.mitre.org/techniques/T1189 diff --git a/datasets/attack_techniques/T1190/T1190.yml b/datasets/attack_techniques/T1190/T1190.yml new file mode 100644 index 000000000..703ccd741 --- /dev/null +++ b/datasets/attack_techniques/T1190/T1190.yml @@ -0,0 +1,13 @@ +author: Michael Haag, Splunk +id: cc9b266c-efc9-11eb-926b-550bf0943fbb +date: '2021-09-01' +description: Manual generation of attack data related to ProxyShell. +environment: attack_range +directory: T1190 +mitre_technique: +- T1190 +datasets: +- name: exchange_events-json + path: /datasets/attack_techniques/T1190/exchange_events.json + sourcetype: MSExchange:Management + source: MSExchange:Management diff --git a/datasets/attack_techniques/T1190/adobe/adobe.yml b/datasets/attack_techniques/T1190/adobe/adobe_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/adobe/adobe.yml rename to datasets/attack_techniques/T1190/adobe/adobe_old.yml diff --git a/datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe.yml b/datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe.yml rename to datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe_old.yml diff --git a/datasets/attack_techniques/T1190/citrix/citrix.yml b/datasets/attack_techniques/T1190/citrix/citrix.yml index 8de9e39a6..4ea438d51 100644 --- a/datasets/attack_techniques/T1190/citrix/citrix.yml +++ b/datasets/attack_techniques/T1190/citrix/citrix.yml @@ -1,19 +1,21 @@ author: Michael Haag, Splunk -id: cc9b266c-19c9-11eb-926b-220bf0943fas +id: 56fbbe5d-d63e-4b59-abed-738363477b95 date: '2023-07-21' description: Attack data related to CVE-2023-3519 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/suricata_citrixbleed3.log -sourcetypes: -- pan:threat -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/ - - https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf \ No newline at end of file +directory: citrix +mitre_technique: +- T1190 +datasets: +- name: suricata_citrixbleed2 + path: /datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log + sourcetype: suricata + source: suricata +- name: nginx_kv_citrixbleed2_startwebview + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log + sourcetype: nginx:plus:access + source: nginx +- name: nginx_kv_cve_2023-4966-citrix + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/confluence/confluence.yml b/datasets/attack_techniques/T1190/confluence/confluence.yml index 2c6a4511b..e31225d6c 100644 --- a/datasets/attack_techniques/T1190/confluence/confluence.yml +++ b/datasets/attack_techniques/T1190/confluence/confluence.yml @@ -3,18 +3,23 @@ id: 15c6f2a9-a960-4f60-b1c2-bd2ae129ef7d date: '2023-07-21' description: Attack data related to CVE-2023-22515 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/shellservlet.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log -sourcetypes: -- suricata -- nginx:plus:kv -references: - - https://attack.mitre.org/techniques/T1190 - - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html - - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ \ No newline at end of file +directory: confluence +mitre_technique: +- T1190 +datasets: +- name: nginx_plus_kv_confluence + path: /datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log + sourcetype: nginx:plus:access + source: nginx +- name: nginx_kv_confluence_CVE-2024-21683 + path: /datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log + sourcetype: nginx:plus:access + source: nginx +- name: suricata_confluence_cve-2023-22527 + path: /datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log + sourcetype: suricata + source: suricata +- name: nginx_shellservlet + path: /datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/crushftp/crushftp.yml b/datasets/attack_techniques/T1190/crushftp/crushftp.yml index 04c8a943e..256e33bf8 100644 --- a/datasets/attack_techniques/T1190/crushftp/crushftp.yml +++ b/datasets/attack_techniques/T1190/crushftp/crushftp.yml @@ -1,17 +1,22 @@ author: Michael Haag, Splunk id: 1e1c1f1c-0b0b-4b0b-8b0b-0b0b0b0b0b0d date: '2024-05-23' -description: Generated event logs from CrushFTP server from simulated attack leveraging CVE-2024-4040 and CVE-2025-31161,. +description: Generated event logs from CrushFTP server from simulated attack leveraging + CVE-2024-4040 and CVE-2025-31161,. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/windows-sysmon.log -sourcetypes: -- crushftp:sessionlogs - -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/airbus-cert/CVE-2024-4040 - - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/ - - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation \ No newline at end of file +directory: crushftp +mitre_technique: +- T1190 +datasets: +- name: crushftp + path: /datasets/attack_techniques/T1190/crushftp/crushftp.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: crushftp11_session + path: /datasets/attack_techniques/T1190/crushftp/crushftp11_session.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/crushftp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/f5/f5.yml b/datasets/attack_techniques/T1190/f5/f5_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/f5/f5.yml rename to datasets/attack_techniques/T1190/f5/f5_old.yml diff --git a/datasets/attack_techniques/T1190/fortigate/fortigate.yml b/datasets/attack_techniques/T1190/fortigate/fortigate_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/fortigate/fortigate.yml rename to datasets/attack_techniques/T1190/fortigate/fortigate_old.yml diff --git a/datasets/attack_techniques/T1190/ivanti/ivanti.yml b/datasets/attack_techniques/T1190/ivanti/ivanti.yml index 504f89041..0c533348f 100644 --- a/datasets/attack_techniques/T1190/ivanti/ivanti.yml +++ b/datasets/attack_techniques/T1190/ivanti/ivanti.yml @@ -3,23 +3,39 @@ id: 193d25ad-5fe7-4ade-8d61-33350cb453f0 date: '2023-08-08' description: Attack data related to CVE-2023-35081 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_secure_connect.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log -sourcetypes: -- suricata -- web_access -- nginx:plus:kv -- ivanti_vtm_audit -references: - - https://attack.mitre.org/techniques/T1190 - - https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081 \ No newline at end of file +directory: ivanti +mitre_technique: +- T1190 +datasets: +- name: suricata_ivanti_secure_connect_checkphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_saml + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_secure_connect_exploitphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_epm + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_CVE202335078 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log + sourcetype: suricata + source: suricata +- name: ivanti_bookmark_web_access + path: /datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_CVE202335082 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log + sourcetype: suricata + source: suricata +- name: ivanti_vtm_nginxproxy + path: /datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/java/java.yml b/datasets/attack_techniques/T1190/java/java.yml index 32fccb7d1..25c244bbe 100644 --- a/datasets/attack_techniques/T1190/java/java.yml +++ b/datasets/attack_techniques/T1190/java/java.yml @@ -3,15 +3,11 @@ id: cc9b266c-23c9-11eb-926b-220bf0943fbb date: '2021-12-13' description: Attack data related to Log4Shell CVE-2021-44228 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log -sourcetypes: -- stream:http -- nginx:plus:kv -- sysmon_linux -- pan:threat -references: - - https://attack.mitre.org/techniques/T1190 +directory: java +mitre_technique: +- T1190 +datasets: +- name: log4shell-nginx + path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log + sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1190/jenkins/jenkins.yml b/datasets/attack_techniques/T1190/jenkins/jenkins.yml index 37e1474a2..5bb69eb17 100644 --- a/datasets/attack_techniques/T1190/jenkins/jenkins.yml +++ b/datasets/attack_techniques/T1190/jenkins/jenkins.yml @@ -3,18 +3,11 @@ id: ebb89c7d-afca-456d-9cc7-6827ec14733a date: '2024-01-29' description: Attack data related to CVE-2024-23897 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log -sourcetypes: -- nginx:plus:kv -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/projectdiscovery/nuclei-templates/pull/9025 - - https://github.com/jenkinsci-cert/SECURITY-3314-3315 - - https://github.com/binganao/CVE-2024-23897 - - https://github.com/h4x0r-dz/CVE-2024-23897 - - https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ - - https://www.shodan.io/search?query=product%3A%22Jenkins%22 - - https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html - - https://www.jenkins.io/security/advisory/2024-01-29/ - +directory: jenkins +mitre_technique: +- T1190 +datasets: +- name: nginx_jenkins_cve_2023_23897 + path: /datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log + sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1190/jetbrains/jetbrains.yml b/datasets/attack_techniques/T1190/jetbrains/jetbrains_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/jetbrains/jetbrains.yml rename to datasets/attack_techniques/T1190/jetbrains/jetbrains_old.yml diff --git a/datasets/attack_techniques/T1190/juniper/juniper.yml b/datasets/attack_techniques/T1190/juniper/juniper.yml index 47320e460..d23689378 100644 --- a/datasets/attack_techniques/T1190/juniper/juniper.yml +++ b/datasets/attack_techniques/T1190/juniper/juniper.yml @@ -1,12 +1,14 @@ author: Michael Haag, Splunk id: 123e4567-e89b-12d3-a456-426614174000 date: '2023-08-29' -description: Attack data related to CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 +description: Attack data related to CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, + CVE-2023-36847 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log -sourcetypes: -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US \ No newline at end of file +directory: juniper +mitre_technique: +- T1190 +datasets: +- name: suricata_junos_cvemegazord + path: /datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.yml b/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.yml rename to datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs_old.yml diff --git a/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.yml b/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.yml rename to datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs_old.yml diff --git a/datasets/attack_techniques/T1190/magento/magento.yml b/datasets/attack_techniques/T1190/magento/magento.yml deleted file mode 100644 index 65715aacf..000000000 --- a/datasets/attack_techniques/T1190/magento/magento.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag, Splunk -id: 9535ef60-d482-414c-b8bb-6d1bd61e8322 -date: '2024-11-13' -description: Manual generation of attack data related to Magento access logs -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/magento/magento_access_filtered.log -sourcetypes: -- access_combined_wcookie -references: -- https://attack.mitre.org/techniques/T1190 diff --git a/datasets/attack_techniques/T1190/moveit/moveit.yml b/datasets/attack_techniques/T1190/moveit/moveit_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/moveit/moveit.yml rename to datasets/attack_techniques/T1190/moveit/moveit_old.yml diff --git a/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml b/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml index 5005b4e25..b5175c7c8 100644 --- a/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml +++ b/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml @@ -3,13 +3,11 @@ id: 118e4169-7caa-43f7-9560-322949db7ae9 date: '2021-12-15' description: Manual exploitation of CVE-2021-44228-Log4j on a Linux and Windows endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/linux-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1190 +directory: outbound_java +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/outbound_ldap/bro_conn.yml b/datasets/attack_techniques/T1190/outbound_ldap/bro_conn_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/outbound_ldap/bro_conn.yml rename to datasets/attack_techniques/T1190/outbound_ldap/bro_conn_old.yml diff --git a/datasets/attack_techniques/T1190/papercut/papercut.yml b/datasets/attack_techniques/T1190/papercut/papercut.yml index f8ae5a244..9a9bcb063 100644 --- a/datasets/attack_techniques/T1190/papercut/papercut.yml +++ b/datasets/attack_techniques/T1190/papercut/papercut.yml @@ -1,15 +1,18 @@ author: Michael Haag, Splunk id: 5bc80380-5b2b-402b-b9ef-60ec8b7921fb date: '2023-05-15' -description: Manual generation of attack data related to PaperCutNG. The "server.log" is a debug log of exploitation from the PaperCutNG Application. +description: Manual generation of attack data related to PaperCutNG. The "server.log" + is a debug log of exploitation from the PaperCutNG Application. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- stash -references: - - https://attack.mitre.org/techniques/T1190 - - https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs \ No newline at end of file +directory: papercut +mitre_technique: +- T1190 +datasets: +- name: papercutng-suricata + path: /datasets/attack_techniques/T1190/papercut/papercutng-suricata.log + sourcetype: suricata + source: suricata +- name: papercutng-app-spawn_windows-sysmon + path: /datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/proxyshell.yml b/datasets/attack_techniques/T1190/proxyshell.yml deleted file mode 100644 index d89c743a3..000000000 --- a/datasets/attack_techniques/T1190/proxyshell.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b266c-efc9-11eb-926b-550bf0943fbb -date: '2021-09-01' -description: Manual generation of attack data related to ProxyShell. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/exchange-events.json -sourcetypes: -- MSWindows:IIS -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF - - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 diff --git a/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml b/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml index c3ca58ab0..eb506c941 100644 --- a/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml +++ b/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml @@ -3,23 +3,11 @@ id: d5f9b9bf-1104-4f32-9f18-202ecb06ded1 date: '2022-10-03' description: Manual generation of attack data related to ProxyShell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log -sourcetypes: -- MSWindows:IIS -- ms:iis:splunk -- stash -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF - - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 - - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ - - https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA - - https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA - - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - - https://research.splunk.com/stories/proxyshell/ - - https://docs.splunk.com/Documentation/AddOns/released/MSIIS \ No newline at end of file +directory: proxyshell +mitre_technique: +- T1190 +datasets: +- name: msexchangehmworker_windows-sysmon + path: /datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/pswa/pswa.yml b/datasets/attack_techniques/T1190/pswa/pswa.yml deleted file mode 100644 index 082c023aa..000000000 --- a/datasets/attack_techniques/T1190/pswa/pswa.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Michael Haag, Splunk -id: d5f9b9bf-1104-4232-9f18-202ecb06ded2 -date: '2024-09-09' -description: Generation of data for the PowerShell Web Access (PSWA). -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_pswa_pool.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_4624_pswa_pool.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log -sourcetypes: -- ms:iis:splunk -- XmlWinEventLog -references: - - https://attack.mitre.org/techniques/T1190 - - \ No newline at end of file diff --git a/datasets/attack_techniques/T1190/sap/sap.yml b/datasets/attack_techniques/T1190/sap/sap.yml index b6d1a7531..b1ff04584 100644 --- a/datasets/attack_techniques/T1190/sap/sap.yml +++ b/datasets/attack_techniques/T1190/sap/sap.yml @@ -3,11 +3,15 @@ id: ca1b266c-23c9-11eb-926b-220bf0943fbb date: '2025-04-28' description: Attack data related to NetWeaver CVE-2025-31324 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/windows-sysmon.log -sourcetypes: -- suricata -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1190 +directory: sap +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/sap/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: suricata_sapnetweaver + path: /datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml index 9ec42e60e..1e391a92b 100644 --- a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml @@ -1,16 +1,22 @@ author: Michael Haag, Splunk id: b0d3cc46-f74d-462b-b5db-71eba68d6912 date: '2024-02-21' -description: Manual generation of attack data related to ConnectWise Screenconnect CVE-2024-1708 CVE-2024-1709. +description: Manual generation of attack data related to ConnectWise Screenconnect + CVE-2024-1708 CVE-2024-1709. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log -sourcetypes: -- suricata -- XmlWinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1190 \ No newline at end of file +directory: screenconnect +mitre_technique: +- T1190 +datasets: +- name: sysmon_app_extensions + path: /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: nginx_screenconnect + path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log + sourcetype: nginx:plus:access + source: nginx +- name: connectwise_auth_suricata + path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml index 5e7981bc8..21c3a2f4b 100644 --- a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml +++ b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml @@ -3,13 +3,15 @@ id: 6e2c1f1c-0c0b-4c0b-8c0b-0c0c0c0c0c2c date: '2023-10-01' description: Manual generation of attack data related to CVE-2023-29357. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/spinstall0.log -sourcetypes: -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://x.com/cyb3rops/status/1707678149448700270?s=46&t=yQ2cOUcQNpWKLmg_cvVIxQ - - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ - - https://github.com/Chocapikk/CVE-2023-29357/ +directory: sharepoint +mitre_technique: +- T1190 +datasets: +- name: sharepointeop + path: /datasets/attack_techniques/T1190/sharepoint/sharepointeop.log + source: suricata + sourcetype: suricata +- name: spinstall0 + path: /datasets/attack_techniques/T1190/sharepoint/spinstall0.log + source: suricata + sourcetype: suricata diff --git a/datasets/attack_techniques/T1190/splunk/log_injection.yml b/datasets/attack_techniques/T1190/splunk/log_injection.yml deleted file mode 100644 index 1b6bbd1e1..000000000 --- a/datasets/attack_techniques/T1190/splunk/log_injection.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Rod Soto -id: 67e13771-9616-4363-96d3-a8c18eea2d23 -date: '2023-07-31' -description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/web_access.log -sourcetypes: -- splunk_web_access -references: -- https://advisory.splunk.com/advisories/SVD-2023-0606 -- https://attack.mitre.org/techniques/T1190/ diff --git a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml index d4d6b263a..564cc8818 100644 --- a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml +++ b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml @@ -1,16 +1,14 @@ author: Michael Haag, Splunk -id: 9535ef60-d482-214c-bxbb-6d1bd61e83be +id: 444c1707-a2db-43ee-ab04-e03307137ec5 date: '2022-04-05' -description: Manual generation of attack data related to Spring4Shell with Nginx proxy logs +description: Manual generation of attack data related to Spring4Shell with Nginx proxy + logs environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log -sourcetypes: -- nginx:plus:kv -- sysmon_linux -- stream:http -references: -- https://attack.mitre.org/techniques/T1190 +directory: spring4shell +mitre_technique: +- T1190 +datasets: +- name: spring4shell_nginx + path: /datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/text4shell/text4shell.yml b/datasets/attack_techniques/T1190/text4shell/text4shell.yml index 270a53ae8..f3a2ee033 100644 --- a/datasets/attack_techniques/T1190/text4shell/text4shell.yml +++ b/datasets/attack_techniques/T1190/text4shell/text4shell.yml @@ -1,13 +1,14 @@ author: Michael Haag, Splunk -id: 9535ef60-d482-214c-bxbb-6d1bd61e83be +id: 36cda810-e712-4d51-9e00-3d91a07e5b7f date: '2022-04-05' -description: Manual generation of attack data related to Text4Shell with Zeek HTTP logs and simulation of POC on docker. +description: Manual generation of attack data related to Text4Shell with Zeek HTTP + logs and simulation of POC on docker. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T11190/text4shell/text4shell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log -sourcetypes: -- bro:http:json -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1190 +directory: text4shell +mitre_technique: +- T1190 +datasets: +- name: text4shell_nginx + path: /datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/tomcat/tomcat.yml b/datasets/attack_techniques/T1190/tomcat/tomcat.yml index ad743677b..463bf44b3 100644 --- a/datasets/attack_techniques/T1190/tomcat/tomcat.yml +++ b/datasets/attack_techniques/T1190/tomcat/tomcat.yml @@ -1,11 +1,13 @@ author: Michael Haag, Splunk -id: 9535ef60-d182-212c-bxbb-6d1bd61e83be +id: c09bfa7f-1770-4c05-aefa-149f1b6d6e7d date: '2025-03-26' -description: Manual generation of attack data related to Tomcat with nginx proxypass. +description: Manual generation of attack data related to Tomcat with nginx proxypass. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log -sourcetypes: -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1190 +directory: tomcat +mitre_technique: +- T1190 +datasets: +- name: tomcat_nginx_access + path: /datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/vmware/vmware.yml b/datasets/attack_techniques/T1190/vmware/vmware_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/vmware/vmware.yml rename to datasets/attack_techniques/T1190/vmware/vmware_old.yml diff --git a/datasets/attack_techniques/T1190/wordpress/wordpress.yml b/datasets/attack_techniques/T1190/wordpress/wordpress_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/wordpress/wordpress.yml rename to datasets/attack_techniques/T1190/wordpress/wordpress_old.yml diff --git a/datasets/attack_techniques/T1190/ws_ftp/ws_ftp.yml b/datasets/attack_techniques/T1190/ws_ftp/ws_ftp_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/ws_ftp/ws_ftp.yml rename to datasets/attack_techniques/T1190/ws_ftp/ws_ftp_old.yml diff --git a/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.yml b/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.yml rename to datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request_old.yml diff --git a/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.yml b/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.yml rename to datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert_old.yml diff --git a/datasets/attack_techniques/T1195.002/3CX/3CX.yml b/datasets/attack_techniques/T1195.002/3CX/3CX.yml new file mode 100644 index 000000000..749afbfac --- /dev/null +++ b/datasets/attack_techniques/T1195.002/3CX/3CX.yml @@ -0,0 +1,21 @@ +author: Michael Haag +id: be2df144-7e69-464c-9c11-534c86aa9e1e +date: '2022-03-30' +description: 3CX software running in range +environment: attack_range +directory: 3CX +mitre_technique: +- T1195.002 +datasets: +- name: 3cx_network-windows-sysmon + path: /datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 3cx_4688_windows-security + path: /datasets/attack_techniques/T1195.002/3CX/3cx_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 3cx_windows-sysmon + path: /datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml b/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml deleted file mode 100644 index 0c1fb53fb..000000000 --- a/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag -id: be2df144-7e69-464c-9c11-534c86aa9e1e -date: '2022-03-30' -description: 3CX software running in range -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1195/002 \ No newline at end of file diff --git a/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.yml b/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.yml rename to datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow_old.yml diff --git a/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml index e98c00c1f..de4f2e78a 100644 --- a/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml @@ -3,20 +3,15 @@ id: cc9b2617-efc9-11eb-926b-550bf0943fbb date: '2021-03-30' description: Execution of Atomic Red Team T1197 - BITS Jobs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/T1197_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -- bit9:carbonblack:json -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1197 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md +directory: atomic_red_team +mitre_technique: +- T1197 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1199/github_push_master/github_push_master.yml b/datasets/attack_techniques/T1199/github_push_master/github_push_master_old.yml similarity index 100% rename from datasets/attack_techniques/T1199/github_push_master/github_push_master.yml rename to datasets/attack_techniques/T1199/github_push_master/github_push_master_old.yml diff --git a/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml b/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml index 4f443e1ff..fe137ac98 100644 --- a/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml +++ b/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml @@ -3,9 +3,15 @@ id: ecf084c8-ef99-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd swapoff in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log -sourcetypes: -- 'auditd' -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ \ No newline at end of file +directory: linux_auditd_swapoff +mitre_technique: +- T1200 +datasets: +- name: linux_auditd_swapoff2 + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log + sourcetype: auditd + source: auditd +- name: linux_auditd_swapoff + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml index e6d4f1e0e..5c79089ef 100644 --- a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml +++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml @@ -1,13 +1,14 @@ -author: Steven Dick -id: 8d818c50-7925-4664-82c6-f8eb626d4c2f -date: '2025-01-17' -description: 'Sample of events from executing suspicious files from a recently attached USB drive.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1200/ -- https://www.cisa.gov/news-events/news/using-caution-usb-drives -- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ \ No newline at end of file +author: Steven Dick +id: 8d818c50-7925-4664-82c6-f8eb626d4c2f +date: '2025-01-17' +description: Sample of events from executing suspicious files from a recently attached + USB drive. +environment: attack_range +directory: sysmon_usb_use_execution +mitre_technique: +- T1200 +datasets: +- name: sysmon_usb_use_execution + path: /datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy.yml b/datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy.yml rename to datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy_old.yml diff --git a/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml b/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml index d5fc83d24..271fedfe0 100644 --- a/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml +++ b/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml @@ -1,15 +1,17 @@ author: Teoderick Contreras id: f42c4b90-4c31-4b96-9b9f-25e9faebfd15 date: '2021-08-26' -description: 'Simulated test Attack range dataset for AD Domain Policy Enumeration' +description: Simulated test Attack range dataset for AD Domain Policy Enumeration environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-system.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security \ No newline at end of file +directory: pwd_policy_discovery +mitre_technique: +- T1201 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml index 557800b2c..9ab43196d 100644 --- a/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml @@ -5,13 +5,15 @@ description: 'Atomic Test Results: Successful Execution of test T1202 Indirect C Execution using forfiles.exe and pcalua.exe for evading restructions on process execution.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1202 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md +directory: atomic_red_team +mitre_technique: +- T1202 +datasets: +- name: windows-sysmon_runmru + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml b/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml index f10e33550..0ee4d37b0 100644 --- a/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml +++ b/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml @@ -3,10 +3,15 @@ id: cc912623-efc9-11eb-926b-550bf0943f12 date: '2025-08-07' description: Windows Appx Deployment Server logs environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/appx/windows-appxpackaging.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: appx_deployment +mitre_technique: +- T1204.002 +datasets: +- name: appx + path: /datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-AppXDeployment-Server +- name: appx + path: /datasets/attack_techniques/T1204.002/appx/windows-appxpackaging.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-AppxPackagingOM \ No newline at end of file diff --git a/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml index 0f2423309..f26b9c77e 100644 --- a/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-11-06' description: Manual generation of attack data by playing a bat file in system32 folder of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: atomic_red_team +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml b/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml index 9a51c5cf4..2e24f0871 100644 --- a/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml +++ b/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml @@ -4,15 +4,11 @@ date: '2020-11-06' description: Manual generation of attack data by playing a bat file in system32 folder of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: batch_file_in_system32 +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml b/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml index 435d351e1..e9d662eb8 100644 --- a/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml +++ b/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml @@ -3,15 +3,11 @@ id: cc9b2625-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual generation of attack data by executing n.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: single_letter_exe +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml index eba6670d9..2bcbab9fc 100644 --- a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml +++ b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml @@ -3,11 +3,15 @@ id: 0f63eedd-c3e4-42af-af33-c0959919c494 date: '2021-08-18' description: Manual generation of attack data by uploading container to AWS ECR. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file +directory: aws_ecr_container_upload +mitre_technique: +- T1204.003 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: aws_ecr_container_upload-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml index ef0ed5acd..9ca82e6af 100644 --- a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml +++ b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml @@ -1,11 +1,14 @@ author: Patrick Bareiss id: b6751b2a-ba1e-4a53-9585-381bc5f166f1 date: '2021-08-18' -description: Manual generation of attack data by running aws ecr scanner on docker image in AWS ECR. +description: Manual generation of attack data by running aws ecr scanner on docker + image in AWS ECR. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file +directory: aws_ecr_image_scanning +mitre_technique: +- T1204.003 +datasets: +- name: aws_ecr_scanning_findings_events-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml b/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml deleted file mode 100644 index e8e97c912..000000000 --- a/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Bhavin Patel -id: b6751b2a-ba1e-4d23-9585-384fc5f166f1 -date: '2021-08-18' -description: Risk events created on Attack range by enabling AWS ECR detections in Dev Sec Ops -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log -sourcetypes: -- stash -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml b/datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml new file mode 100644 index 000000000..f3e483c0f --- /dev/null +++ b/datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml @@ -0,0 +1,14 @@ +author: Bhavin Patel +id: b6751b2a-ba1e-4d23-9585-384fc5f166f1 +date: '2021-08-18' +description: Risk events created on Attack range by enabling AWS ECR detections in + Dev Sec Ops +environment: attack_range +directory: risk_dataset +mitre_technique: +- T1204.003 +datasets: +- name: aws_ecr_risk_dataset + path: /datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml index 39a64c28d..0e1127ba2 100644 --- a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml +++ b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml @@ -3,10 +3,11 @@ id: 0f63eedd-c3e4-42af-af33-c0959919c114 date: '2022-02-28' description: Manual generation of attack data by updating a lambda function environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- http://detectioninthe.cloud/execution/modify_lambda_function_code/ -- https://attack.mitre.org/techniques/T1204/ \ No newline at end of file +directory: aws_updatelambdafunctioncode +mitre_technique: +- T1204 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml b/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml index 6da4f2543..352ebafb3 100644 --- a/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml +++ b/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: abb51bc8-a5f1-4286-ac66-c1851c67b9b7 date: '2024-02-08' -description: 'Failed login attempt service account AD' +description: Failed login attempt service account AD environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204 +directory: failed_login_service_account_ad +mitre_technique: +- T1204 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.yml b/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service_old.yml similarity index 100% rename from datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.yml rename to datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service_old.yml diff --git a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml index 1c60ca250..6e4368f70 100644 --- a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml +++ b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml @@ -3,9 +3,11 @@ id: da189cbc-c959-4681-a173-e409949470d4 date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a DaemonSet. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_audit_daemonset_created +mitre_technique: +- T1204 +datasets: +- name: kubernetes_audit_daemonset_created-json + path: /datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml index aaf40ea23..d4dd9303f 100644 --- a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml +++ b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml @@ -3,9 +3,11 @@ id: 6604d77c-fdb5-4b1c-9c1f-55ed41fcca8d date: '2023-12-13' description: Kubernetes falco logs containing a spawned shell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log -sourcetypes: -- kube:container:falco -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_falco_shell_spawned +mitre_technique: +- T1204 +datasets: +- name: kubernetes_falco_shell_spawned + path: /datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml index bd784544e..f41b7079b 100644 --- a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml +++ b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml @@ -3,9 +3,11 @@ id: 462dfa0b-7aa4-4498-927b-8d9743141e3a date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a privilged pod. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_privileged_pod +mitre_technique: +- T1204 +datasets: +- name: kubernetes_privileged_pod-json + path: /datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml index 08c2d6151..dad462416 100644 --- a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml +++ b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml @@ -3,9 +3,11 @@ id: 4db6594e-9e8c-4223-8681-262d06b4b4d3 date: '2023-12-07' description: Kubernetes audit logs which contains a forbidden access to a namespace. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_unauthorized_access +mitre_technique: +- T1204 +datasets: +- name: kubernetes_unauthorized_access-json + path: /datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml b/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml index 07b533535..eff918acf 100644 --- a/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml +++ b/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 2523b7d6-5b06-4799-be0b-b368ee0de9a8 date: '2024-03-12' -description: 'Rare executables' +description: Rare executables environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1204 +directory: rare_executables +mitre_technique: +- T1204 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml b/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml index 5f58af6f1..0469be99b 100644 --- a/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml +++ b/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml @@ -1,11 +1,13 @@ author: Dean Luxton id: a4305843-6f93-45a9-b811-01380861e45b date: '2023-01-26' -description: Manually promoting a server to a Domain Controller. +description: Manually promoting a server to a Domain Controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1207 +directory: dc_promo +mitre_technique: +- T1207 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml b/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml deleted file mode 100644 index 442fb5c31..000000000 --- a/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: d2e3db4e-f6a2-4c59-8f07-85a0ae8db5e6 -date: '2022-07-20' -description: Manual execution of the mimikatz DCShadow command. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/zeek_dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -- XmlWinEventLog -references: -- https://www.dcshadow.com/ -- https://attack.mitre.org/techniques/T1207 diff --git a/datasets/attack_techniques/T1207/mimikatz/mimikatz.yml b/datasets/attack_techniques/T1207/mimikatz/mimikatz.yml new file mode 100644 index 000000000..a6ed3ab41 --- /dev/null +++ b/datasets/attack_techniques/T1207/mimikatz/mimikatz.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: d2e3db4e-f6a2-4c59-8f07-85a0ae8db5e6 +date: '2022-07-20' +description: Manual execution of the mimikatz DCShadow command. +environment: attack_range +directory: mimikatz +mitre_technique: +- T1207 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml b/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml index 909ed0f5d..e6fe59dc4 100644 --- a/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml +++ b/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml @@ -3,11 +3,11 @@ id: f43d4bd2-77a3-4eaa-805f-319e4dd45712 date: '2022-10-17' description: Manual execution of DCShadow attack using Mimikatz. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://www.dcshadow.com/ -- https://attack.mitre.org/techniques/T1207 -- https://pentestlab.blog/2018/04/16/dcshadow/ +directory: short_lived_server_object +mitre_technique: +- T1207 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml index c58dbfb5a..a169a6822 100644 --- a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml +++ b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml @@ -1,11 +1,14 @@ author: Patrick Bareiss id: 3b02f13d-14a6-4a47-afa3-0d9a7d5cacea date: '2021-08-18' -description: Manual generation of attack data by running a LFI attack againsta kubernetes cluster with a web app running +description: Manual generation of attack data by running a LFI attack againsta kubernetes + cluster with a web app running environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log -sourcetypes: -- kube:container:controller -references: -- https://attack.mitre.org/techniques/T1212 \ No newline at end of file +directory: kubernetes_nginx_lfi_attack +mitre_technique: +- T1212 +datasets: +- name: kubernetes_nginx_lfi_attack + path: /datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log + sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml deleted file mode 100644 index 9856e88a7..000000000 --- a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Patrick Bareiss -id: 1b1953b6-aebc-492f-8cf7-8791445aeaa8 -date: '2021-08-23' -description: Manual generation of attack data by running a RFI attack againsta kubernetes cluster with a web app running -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.log -sourcetypes: -- kube:container:controller -references: -- https://attack.mitre.org/techniques/T1212 \ No newline at end of file diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml new file mode 100644 index 000000000..d1b9f47a4 --- /dev/null +++ b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml @@ -0,0 +1,14 @@ +author: Patrick Bareiss +id: 1b1953b6-aebc-492f-8cf7-8791445aeaa8 +date: '2021-08-23' +description: Manual generation of attack data by running a RFI attack againsta kubernetes + cluster with a web app running +environment: attack_range +directory: kuberntest_nginx_rfi_attack +mitre_technique: +- T1212 +datasets: +- name: kubernetes_nginx_rfi_attack + path: /datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log + sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml index 6f9312c40..3d97dc333 100644 --- a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml +++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml @@ -1,15 +1,14 @@ -author: Steven Dick -id: 722e396e-9e74-4516-882d-0fc94f5d2b33 -date: '2024-12-19' -description: 'Sample of events when Sharepoint is searched for a sensitive term / or high rate of searching.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events -- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://attack.mitre.org/techniques/T1213/002/ -- https://attack.mitre.org/techniques/T1114/002/ +author: Steven Dick +id: 722e396e-9e74-4516-882d-0fc94f5d2b33 +date: '2024-12-19' +description: Sample of events when Sharepoint is searched for a sensitive term / or + high rate of searching. +environment: attack_range +directory: o365_sus_sharepoint_search +mitre_technique: +- T1213.002 +datasets: +- name: o365_sus_sharepoint_search + path: /datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1213/audittrail/audittrail.yml b/datasets/attack_techniques/T1213/audittrail/audittrail_old.yml similarity index 100% rename from datasets/attack_techniques/T1213/audittrail/audittrail.yml rename to datasets/attack_techniques/T1213/audittrail/audittrail_old.yml diff --git a/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml index 1a7b6cf7e..072e3198a 100644 --- a/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml @@ -1,14 +1,18 @@ author: Michael Haag, Splunk id: 8a6cdffd-77bc-41cd-9ba2-b5f7a178bacf date: '2022-09-26' -description: 'Atomic Test Results: Successful Execution of test T1216 related to SyncAppvPublishingServer Signed Script PowerShell Command Execution ' +description: 'Atomic Test Results: Successful Execution of test T1216 related to SyncAppvPublishingServer + Signed Script PowerShell Command Execution ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1216 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md +directory: atomic_red_team +mitre_technique: +- T1216 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml index f091d3dba..67310b3c2 100644 --- a/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml @@ -3,15 +3,19 @@ id: cc9b2622-efc9-11eb-926b-550bf0943fbb date: '2021-02-11' description: ' Invoked AtomicTestHarnesses and executed T1218.001 manually.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1218/001 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.001/T1218.001.md -- https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.001_CompiledHTMLFile +directory: atomic_red_team +mitre_technique: +- T1218.001 +datasets: +- name: 4688_windows-security + path: /datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: hh_decom_windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml index 4091f8755..4547a7f17 100644 --- a/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag id: cc9b261b-efc9-11eb-926b-550bf0943fcc date: '2021-09-08' -description: 'Invoked T1218.002 From Atomic Red Team simulating control.exe behavior' +description: Invoked T1218.002 From Atomic Red Team simulating control.exe behavior environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/002 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml +directory: atomic_red_team +mitre_technique: +- T1218.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded.yml b/datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded.yml rename to datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded_old.yml diff --git a/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml index bcfbe5633..f5b79c47e 100644 --- a/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml @@ -3,10 +3,15 @@ id: cc9b261b-efc9-11eb-926b-550bf0943fcc date: '2021-11-12' description: ' Simulation of T1218.004 via Atomic Red Team.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/004 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md +directory: atomic_red_team +mitre_technique: +- T1218.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_installutil_path + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml index 7ad1fb69a..0c3829a88 100644 --- a/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml @@ -15,17 +15,15 @@ description: ' Invoked AtomicTestHarnesses executing T1218.005 manually and via Engine with Inline Protocol Handler Successful Execution of test T1218.005-9 Invoke HTML Application - Simulate Lateral Movement over UNC Path ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/005 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.005/T1218.005.md +directory: atomic_red_team +mitre_technique: +- T1218.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: mshta_tasks_windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml b/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml index 43e787f74..429dc2ef6 100644 --- a/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml +++ b/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml @@ -2,10 +2,16 @@ author: Teoderick Contreras, Splunk id: 3454c0fb-4318-465c-9315-61cd64fa2751 date: '2022-10-14' description: Generated datasets for mshta in registry in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1218.005/mshta_in_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://redcanary.com/threat-detection-report/techniques/mshta/ +environment: attack_range +directory: mshta_in_registry +mitre_technique: +- T1218.005 +datasets: +- name: sysmon3 + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml index ce152fffe..689784cd1 100644 --- a/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml @@ -1,17 +1,17 @@ author: Michael Haag id: 51e3fe65-2e04-4c12-9edf-225235c4cb14 date: '2022-06-16' -description: 'Simulation of all procedures from Atomic Red Team.' +description: Simulation of all procedures from Atomic Red Team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/msiexec_moved.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/007 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md +directory: atomic_red_team +mitre_technique: +- T1218.007 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_msiexec-windows-security + path: /datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32.yml b/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32.yml rename to datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32_old.yml diff --git a/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml index bcf447ffc..ca46c35ec 100644 --- a/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml @@ -1,14 +1,21 @@ author: Michael Haag id: 51e3fe65-2e04-4c12-9edf-225235c4cb14 date: '2022-06-16' -description: 'Simulation of all procedures from Atomic Red Team.' +description: Simulation of all procedures from Atomic Red Team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/008 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md +directory: atomic_red_team +mitre_technique: +- T1218.008 +datasets: +- name: odbcconf-windows-security + path: /datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-odbc-rsp + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-odbc-regsvr + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml index b5ed9c20b..312f1755d 100644 --- a/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml @@ -4,10 +4,11 @@ date: '2021-02-12' description: ' Invoked T1218.009 via AtomicRedTeam and manual execution of regasm and regsvcs.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/009 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.009/T1218.009.md +directory: atomic_red_team +mitre_technique: +- T1218.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml index a9eaa0893..807e499d6 100644 --- a/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml @@ -6,16 +6,11 @@ description: Successful execution of Atomic Tests T1218.010 T1218.010-1 Regsvr32 Regsvr32 local DLL execution T1218.010-4 Regsvr32 Registering Non DLL Manual execution of same tests, but with moved/renamed regsvr32.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md +directory: atomic_red_team +mitre_technique: +- T1218.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml index eb2f62c60..bafbad22c 100644 --- a/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml @@ -8,17 +8,15 @@ description: 'Atomic Test Results: Successful Execution of test T1218.011-1 Rund Execution Return value unclear for test T1218.011-5 Rundll32 syssetup.dll Execution Return value unclear for test T1218.011-6 Rundll32 setupapi.dll Execution ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md +directory: atomic_red_team +mitre_technique: +- T1218.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ordinal_windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml index c0c9c8cbb..0eb7d61e4 100644 --- a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml +++ b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml @@ -3,9 +3,11 @@ id: 76f9a94c-6c63-11f0-89ae-629be3538068 date: '2025-07-29' description: Generated datasets for rundll32 dll in temp in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/ \ No newline at end of file +directory: rundll32_dll_in_temp +mitre_technique: +- T1218.011 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system.yml b/datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system.yml rename to datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system_old.yml diff --git a/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml b/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml index 92890f9e2..94769a13a 100644 --- a/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml +++ b/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml @@ -3,7 +3,11 @@ id: fcc00e68-1283-4cf4-bfc7-e19784f5c453 date: '2021-09-29' description: manual verclsid commandline data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: verclsid_exec +mitre_technique: +- T1218.012 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml index ad80c4074..9d38a366b 100644 --- a/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haah id: cc9b2652-efc9-19eb-126b-850bf0943fbb date: '2020-11-30' -description: 'Atomic Test T1218 simulated for MavInject.exe' +description: Atomic Test T1218 simulated for MavInject.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/013 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md +directory: atomic_red_team +mitre_technique: +- T1218.013 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml index 31ccc2379..770f00319 100644 --- a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml +++ b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml @@ -1,14 +1,17 @@ author: Michael Haag -id: kk922623-2bd5-42eb-926b-120zf0943f11 +id: 9c55b9da-3d3c-4f1d-987d-cb2162cf3b5b date: '2024-11-13' description: BitLockerToGo.exe execution with Lumma Stealer. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1218 +directory: bitlockertogo +mitre_technique: +- T1218 +datasets: +- name: 4688_bitlockertogo_windows-security + path: /datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: bitlockertogo_windows-sysmon + path: /datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml b/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml index 600e8b009..5e8475326 100644 --- a/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml +++ b/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml @@ -3,11 +3,11 @@ id: cc9b2623-abd5-11eb-926b-550bf0943fbb date: '2022-02-17' description: Execution of T1218 test 9 in atomic red team environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/atomic_red_team/windows-sysmon.log -sourcetypes: -- xmlwineventlog -- WinEventLog -references: -- https://attack.mitre.org/techniques/T1218 +directory: diskshadow +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml index beb5de4ad..54bd9042d 100644 --- a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml +++ b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml @@ -1,11 +1,13 @@ author: Michael Haag -id: k22b2623-abd5-11eb-926b-120zf0943f11 +id: cfd5079f-a845-4a22-8ccd-b10d4c2aca90 date: '2024-04-17' description: Events related to Evil Twin msc. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log -sourcetypes: -- WinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218 +directory: eviltwin +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/living_off_the_land/livingofftheland.yml b/datasets/attack_techniques/T1218/living_off_the_land/livingofftheland_old.yml similarity index 100% rename from datasets/attack_techniques/T1218/living_off_the_land/livingofftheland.yml rename to datasets/attack_techniques/T1218/living_off_the_land/livingofftheland_old.yml diff --git a/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.yml b/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic_old.yml similarity index 100% rename from datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.yml rename to datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic_old.yml diff --git a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml index 4ed9fedc3..3e8656622 100644 --- a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml +++ b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml @@ -1,12 +1,13 @@ author: Michael Haag -id: kk9b2623-abd5-11eb-926b-120zf0943f11 +id: 2ab56d32-5936-40cb-8903-eab35d4fa4c8 date: '2023-05-15' description: MSIX AI_STUBS execution detection for malicious installer packages environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1218/msix_ai_stubs/windows_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218 -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_ai_stubs +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/msix_ai_stubs/windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml index f603388fb..84cec0715 100644 --- a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag -id: mh9b260e-efc9-11eb-926b-660bf0943cac +id: 0ae53442-9f79-4e35-a58f-00d2316e23d5 date: '2022-08-22' -description: 'Atomic Red Team tests simulating remote access software installation.' +description: Atomic Red Team tests simulating remote access software installation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1219 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md +directory: atomic_red_team +mitre_technique: +- T1219 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml index 440256866..3aad87425 100644 --- a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml @@ -1,19 +1,14 @@ -author: Steven Dick -id: aa7a8c73-ecd0-4276-b48b-7aac36375641 -date: '2024-02-19' -description: 'Basic installation and usage of screenconnect RMM application for testing needs.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- pan:threat -- pan:traffic -references: -- https://attack.mitre.org/techniques/T1219/ -- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ -- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ -- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 -- https://applipedia.paloaltonetworks.com/ +author: Steven Dick +id: f3c31ec1-5f2d-4a24-8911-53d9b0a7def5 +date: '2024-02-19' +description: Basic installation and usage of screenconnect RMM application for testing + needs. +environment: attack_range +directory: screenconnect +mitre_technique: +- T1219 +datasets: +- name: screenconnect_sysmon + path: /datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml b/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml index ce18ce5a3..a5116fb92 100644 --- a/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml +++ b/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml @@ -1,11 +1,13 @@ -author: Patrick Bareiss -id: 67cf6919-0596-4f78-bb2f-ad7f43170d3c -date: '2024-08-09' -description: 'Basic usage of teamviewer.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/teamviewer/windows_security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1219/ +author: Patrick Bareiss +id: 67cf6919-0596-4f78-bb2f-ad7f43170d3c +date: '2024-08-09' +description: Basic usage of teamviewer. +environment: attack_range +directory: teamviewer +mitre_technique: +- T1219 +datasets: +- name: windows_security + path: /datasets/attack_techniques/T1219/teamviewer/windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml index 41da4d65a..fbd60cab9 100644 --- a/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag id: cc9b260e-efc9-11eb-926b-660bf0943fcc date: '2021-11-12' -description: 'Atomic Red Team tests simulating XSL execution with msxsl and wmic.' +description: Atomic Red Team tests simulating XSL execution with msxsl and wmic. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1220 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md +directory: atomic_red_team +mitre_technique: +- T1220 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml index fd5485b2d..855011060 100644 --- a/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml @@ -8,16 +8,11 @@ description: 'Atomic Test Results: Successful Execution of test T1222.001-1 Take - hide file Successful Execution of test T1222.001-5 Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1222/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md +directory: atomic_red_team +mitre_technique: +- T1222.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden.yml b/datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden_old.yml similarity index 100% rename from datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden.yml rename to datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden_old.yml diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml index 222a468b1..768f89b5d 100644 --- a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml +++ b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml @@ -1,19 +1,42 @@ author: Dean Luxton id: 809e0d76-4d6a-46d9-ba5d-0b4a838bb98a date: '2023-12-06' -description: Collection of various DACL abuse events generated manually in Active Directory. +description: Collection of various DACL abuse events generated manually in Active + Directory. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54 -- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a +directory: dacl_abuse +mitre_technique: +- T1222.001 +datasets: +- name: group_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: owner_updated_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_deletion_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: suspicious_acl_modification-windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_ou_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: user_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_object_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance.yml b/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance_old.yml similarity index 100% rename from datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance.yml rename to datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance_old.yml diff --git a/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml b/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml index 88467c083..c2347ec2a 100644 --- a/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml +++ b/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: 4df3550d-09e9-4a9a-9846-51972ea73916 date: '2024-12-06' -description: This dataset contains process execution logs of subinacl.exe from Windows Sysmon logs. +description: This dataset contains process execution logs of subinacl.exe from Windows + Sysmon logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf -- https://ss64.com/nt/subinacl.html +directory: subinacl +mitre_technique: +- T1222.001 +datasets: +- name: subinacl_sysmon + path: /datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml index 9f627b404..ba390f8c2 100644 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml @@ -3,9 +3,15 @@ id: 6e7ac4e4-ef96-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chattr i in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_chattr_i +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chattr + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chattr_i + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml index c02625a7c..a7b86b517 100644 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml @@ -3,9 +3,15 @@ id: e201ca8a-ef95-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chmod exec attrib in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_chmod_exec_attrib +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chmod + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chmod_exec_attrib + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml index e5639af34..d12b9c809 100644 --- a/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml @@ -4,12 +4,11 @@ date: '2021-01-25' description: Simulated execution of T1482 from Atomic Red Team, mimicking Ryuk Ransomware actor tradecraft. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1482/ -- https://thedfirreport.com/2020/10/08/ryuks-return/ +directory: atomic_red_team +mitre_technique: +- T1482 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1482/discovery/discovery.yml b/datasets/attack_techniques/T1482/discovery/discovery.yml new file mode 100644 index 000000000..ca40552e3 --- /dev/null +++ b/datasets/attack_techniques/T1482/discovery/discovery.yml @@ -0,0 +1,17 @@ +author: Michael Haag +id: c8cb4031-ed28-4fbc-90ed-ce8aec69102a +date: '2021-09-02' +description: Simulated execution of T1482 from Atomic Red Team and manually. +environment: attack_range +directory: discovery +mitre_technique: +- T1482 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1482/discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml b/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml deleted file mode 100644 index 5f7b85e56..000000000 --- a/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag -date: '2021-09-02' -description: Simulated execution of T1482 from Atomic Red Team and manually. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1482/ diff --git a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml index 1eda6917d..a999edfc1 100644 --- a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml +++ b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: c6b30c59-3a4e-43bf-8ad4-d2ff59d88ad8 date: '2023-03-29' -description: Manually modified the Default Domain Policy Group Policy Object on a domain controller. +description: Manually modified the Default Domain Policy Group Policy Object on a + domain controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 \ No newline at end of file +directory: default_domain_policy_modified +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml b/datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml new file mode 100644 index 000000000..a7d20e5d2 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0 +date: '2023-12-18' +description: Manual Group Policy Object modification on a domain controller. +environment: attack_range +directory: gpo_modification +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml deleted file mode 100644 index 8b8af823d..000000000 --- a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Dean Luxton -id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0 -date: '2023-12-18' -description: Manual Group Policy Object modification on a domain controller. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122 -- https://wald0.com/?p=179 -- https://learn.microsoft.com/en-gb/archive/blogs/mempson/group-policy-client-side-extension-list -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory diff --git a/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml b/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml index ebcbbd4de..3d4859faf 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml @@ -3,14 +3,11 @@ id: c7e8cdcd-e4f2-4fe4-93ff-25d9aa8d2b4b date: '2023-03-29' description: Manually created a new Group Policy Object on a domain controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 \ No newline at end of file +directory: group_policy_created +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml index 5d4de3d75..1d6f4e52a 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f date: '2024-08-07' -description: Manually deleting an active directory GPO using the Group Policy Management Console. +description: Manually deleting an active directory GPO using the Group Policy Management + Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory +directory: group_policy_deleted +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml index 2ad2b6d20..ecd1fd808 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c date: '2024-08-07' -description: Manually disabling an active directory GPO using the Group Policy Management Console. +description: Manually disabling an active directory GPO using the Group Policy Management + Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory +directory: group_policy_disabled +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml index 0309b2682..42c9284a7 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: ec16d55d-c0c6-496c-a27f-620ec19db5e5 date: '2024-08-08' -description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console. +description: Manually adding a new client side extension to an existing an active + directory group policy using the Group Policy Management Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory \ No newline at end of file +directory: group_policy_new_cse +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml b/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml index 6202df9fd..44a21c824 100644 --- a/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml +++ b/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 7c272679-8cb2-4e0c-8d0a-608239dc6520 date: '2022-09-02' -description: 'Manually added a new trusted domain using the Azure Portal and updated federation settings using AADInternals. - Tenant specific details like tenant id, user names, etc. have been modified.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://o365blog.com/post/federation-vulnerability/ -- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html -- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors -- https://github.com/Gerenios/AADInternals \ No newline at end of file +description: Manually added a new trusted domain using the Azure Portal and updated + federation settings using AADInternals. Tenant specific details like tenant id, + user names, etc. have been modified. +environment: attack_range +directory: new_federated_domain +mitre_technique: +- T1484.002 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml b/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml index 3a0656ae3..9c7659ba2 100644 --- a/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml +++ b/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml @@ -1,11 +1,14 @@ author: Dean Luxton -id: ab8cde6c-5099-4955-928c-5707b62b9d7f +id: ab8cde6c-5099-4955-928c-5707b62b9d7f date: '2023-11-10' -description: Executing the Set-DCShadowPermissions.ps1 powershell script to apply the minimal permissions required to perform a DCShadow attack. +description: Executing the Set-DCShadowPermissions.ps1 powershell script to apply + the minimal permissions required to perform a DCShadow attack. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://raw.githubusercontent.com/samratashok/nishang/master/ActiveDirectory/Set-DCShadowPermissions.ps1 +directory: DCShadowPermissions +mitre_technique: +- T1484 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml b/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml deleted file mode 100644 index a5f23a317..000000000 --- a/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Dean Luxton -id: e47f3373-8794-4def-8b58-b26a8971a059 -date: '2022-11-18' -description: Manually applying the necessary privileges to perform the DCSync attack via adsiedit. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb -- https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml diff --git a/datasets/attack_techniques/T1484/aclmodification/aclmodification.yml b/datasets/attack_techniques/T1484/aclmodification/aclmodification.yml new file mode 100644 index 000000000..1c50fce58 --- /dev/null +++ b/datasets/attack_techniques/T1484/aclmodification/aclmodification.yml @@ -0,0 +1,14 @@ +author: Dean Luxton +id: e47f3373-8794-4def-8b58-b26a8971a059 +date: '2022-11-18' +description: Manually applying the necessary privileges to perform the DCSync attack + via adsiedit. +environment: attack_range +directory: aclmodification +mitre_technique: +- T1484 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484/domain_policy_modification.yml b/datasets/attack_techniques/T1484/domain_policy_modification_old.yml similarity index 100% rename from datasets/attack_techniques/T1484/domain_policy_modification.yml rename to datasets/attack_techniques/T1484/domain_policy_modification_old.yml diff --git a/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml index f2bd25356..4cece34db 100644 --- a/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware extensions .wcry environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: atomic_red_team +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base_old.yml similarity index 100% rename from datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml rename to datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base_old.yml diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml index 0ffd13cc1..e07c5fdef 100644 --- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml +++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml @@ -1,18 +1,17 @@ author: Jose Hernandez, Bhavin Patel id: 984e9022-b87b-499a-a260-8d0282c46ea2 date: '2025-02-14' -description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process. +description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of + an intentionally exposed S3 bucket, including its creation, public access configuration + (via bucket policy and website hosting), and subsequent deletion. This simulates + the detection of potentially risky S3 bucket configurations and their decommissioning + process. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log -sourcetypes: -- aws:cloudtrail -- aws:cloudfront:accesslogs -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1485/ -- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html -- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/ -- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ +directory: decommissioned_buckets +mitre_technique: +- T1485 +datasets: +- name: web_cloudfront_access + path: /datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log + source: aws_cloudfront_accesslogs + sourcetype: aws:cloudfront:accesslogs diff --git a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml index 3f3787531..f408c00e8 100644 --- a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml +++ b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras, Steven Dick id: e1638db8-7a07-11ec-8b68-acde48001122 date: '2024-03-05' -description: Generated datasets for excessive file del in windefender dir in attack range. +description: Generated datasets for excessive file del in windefender dir in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: excessive_file_del_in_windefender_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml b/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml index cfd51597f..cca930df6 100644 --- a/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml +++ b/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml @@ -3,9 +3,11 @@ id: 0356c805-ac3f-47a6-9f49-7303c72a50c4 date: '2021-12-08' description: High amount of file deletions environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1485/ +directory: excessive_file_deletions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml index 4743d81a1..e7d33eba0 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml @@ -3,9 +3,15 @@ id: 60feae32-ef93-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd dd overwrite in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log -sourcetypes: -- 'auditd' -references: -- https://gtfobins.github.io/gtfobins/dd/ \ No newline at end of file +directory: linux_auditd_dd_overwrite +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml index d13d7b236..5a0ec25e2 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml @@ -3,9 +3,15 @@ id: 13c8b468-ef85-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd no preserve root in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log -sourcetypes: -- 'auditd' -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ \ No newline at end of file +directory: linux_auditd_no_preserve_root +mitre_technique: +- T1485 +datasets: +- name: auditd_proctitle_rm_rf + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log + sourcetype: auditd + source: auditd +- name: linux_auditd_no_preserve_root + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml b/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml index 95d1f9fea..ad54961a9 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml @@ -3,9 +3,15 @@ id: 89b601ac-efa4-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd shred in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log -sourcetypes: -- 'auditd' -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_auditd_shred +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml index 69fb4f968..041974c0a 100644 --- a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml +++ b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml @@ -3,9 +3,11 @@ id: 30da9cb2-8d8e-11ec-9761-acde48001122 date: '2022-02-14' description: Generated datasets for linux dd file overwrite in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md \ No newline at end of file +directory: linux_dd_file_overwrite +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml b/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml index 95e82a20d..403d97170 100644 --- a/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml +++ b/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml @@ -4,15 +4,11 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware filename GetYouFiles.txt environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: ransomware_extensions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml b/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml index 00ed9715e..35858d0f6 100644 --- a/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml +++ b/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml @@ -4,16 +4,15 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware filename GetYouFiles.txt environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: ransomware_notes +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ransom-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml b/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml index c08dd0594..717e035cc 100644 --- a/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml +++ b/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml @@ -3,9 +3,11 @@ id: 39bbc1a6-c607-11ec-ba6f-acde48001122 date: '2022-04-27' description: Generated datasets for rm boot dir in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: rm_boot_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml b/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml index 7ea38215c..3f6673eb5 100644 --- a/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml +++ b/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml @@ -3,9 +3,11 @@ id: 66653d16-c546-11ec-acb6-acde48001122 date: '2022-04-26' description: Generated datasets for rm shred critical dir in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: rm_shred_critical_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/sdelete/sdelete.yml b/datasets/attack_techniques/T1485/sdelete/sdelete.yml index 5b3c5a077..b80c59f91 100644 --- a/datasets/attack_techniques/T1485/sdelete/sdelete.yml +++ b/datasets/attack_techniques/T1485/sdelete/sdelete.yml @@ -3,9 +3,11 @@ id: 94fef1a8-8975-4afa-947d-24826e76f337 date: '2021-10-06' description: sdelte execution data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security \ No newline at end of file +directory: sdelete +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/sdelete/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml b/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml index d7ddf0ff7..867f753ea 100644 --- a/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml +++ b/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml @@ -5,10 +5,15 @@ description: Dataset which contains cloudtrail logs and the creation of a kms ke with a policy that all people can use the key for encryption, which is common for S3 ransomware attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1486 -- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +directory: aws_kms_key +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml b/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands_old.yml similarity index 100% rename from datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml rename to datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands_old.yml diff --git a/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml b/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml index 8224242ed..9554dac5c 100644 --- a/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml +++ b/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml @@ -3,9 +3,11 @@ id: cc9b260f-efc9-11eb-926b-660bf0943fbb date: '2020-11-15' description: Manual generation of dcrypt utility. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1486/ +directory: dcrypt +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml b/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml index 72aa42221..df9e6d1d2 100644 --- a/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml +++ b/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml @@ -4,10 +4,11 @@ date: '2021-01-11' description: Cloudtrail dataset with an s3 copy and encrypt operation. This is often used in S3 ransomware attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1486 -- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +directory: s3_file_encryption +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml b/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml index 35a6033a8..07ab523ea 100644 --- a/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml +++ b/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml @@ -4,15 +4,11 @@ date: '2020-12-07' description: Manual generation of attack data by creating a file with a known ransomware filename test.txt in Windows32 folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1486/ +directory: sam_sam_note +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml index 2ab268e66..eb896c1ee 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml @@ -3,9 +3,11 @@ id: 66554f98-5a25-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd auditd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml index c65513c8b..2526b40c7 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml @@ -3,9 +3,11 @@ id: d9926de0-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd osquerd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_osquerd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_osquerd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml index 25e713cb1..d320a36bc 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml @@ -3,9 +3,11 @@ id: da081f1e-5648-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml index d4effacae..454f9f7cf 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras, Splunk id: dfe57ad8-5a23-11ef-927e-acde48001122 date: '2024-08-14' -description: Generated datasets for linux auditd sysmon service stop.log in attack range. +description: Generated datasets for linux auditd sysmon service stop.log in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_sysmon_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_sysmon_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml b/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml index c4472c800..95e962020 100644 --- a/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml +++ b/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml @@ -3,9 +3,11 @@ id: 5612e69e-c536-11ec-b3df-acde48001122 date: '2022-04-26' description: Generated datasets for linux service stop disable in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_service_stop_disable +mitre_technique: +- T1489 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf.yml b/datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf_old.yml similarity index 100% rename from datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf.yml rename to datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf_old.yml diff --git a/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml index 087e6a000..75bc7dbfe 100644 --- a/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml @@ -9,17 +9,15 @@ description: 'Atomic Test Results: Successful Execution of test T1490-1 Windows Shadow Copies via WMI with PowerShell Successful Execution of test T1490-6 Windows - Delete Backup Files ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/shadow-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1490/ -- https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1490/T1490.md +directory: atomic_red_team +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_xml_windows_security_delete_shadow + path: /datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml b/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml index 37fd9c9a1..9167faf6a 100644 --- a/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml +++ b/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml @@ -1,11 +1,13 @@ author: Bhavin Patel id: cc9125e3-efc9-1111-916b-550bf0943fbb date: '2023-04-12' -description: Dataset which contains an event for suspension of AWS bucket versioning. +description: Dataset which contains an event for suspension of AWS bucket versioning. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1490 \ No newline at end of file +directory: aws_bucket_version +mitre_technique: +- T1490 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml b/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml new file mode 100644 index 000000000..4403148d1 --- /dev/null +++ b/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3bdc7ffb-27f6-4ab7-8145-4615922f319c +date: '2025-08-12' +description: Automatically categorized datasets in directory known_services_killed_by_ransomware +environment: attack_range +directory: known_services_killed_by_ransomware +mitre_technique: +- T1490 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml b/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml index d8060a5e3..1d056a867 100644 --- a/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml +++ b/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml @@ -9,16 +9,11 @@ description: 'Atomic Test Results: Successful Execution of test T1490-1 Windows Shadow Copies via WMI with PowerShell Successful Execution of test T1490-6 Windows - Delete Backup Files ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1490/ -- https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1490/T1490.md +directory: ransomware_notes +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml b/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml index 2cbd462db..307de52f1 100644 --- a/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml +++ b/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml @@ -3,14 +3,14 @@ id: cc9b261f-efc9-11eb-926b-550bf0943fbb date: '2025-03-18' description: This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded command to delete shadow copy. - This hex encoded command was able to decrypt by powershell log. WMIC shadowcopy delete behavior. + This hex encoded command was able to decrypt by powershell log. WMIC shadowcopy + delete behavior. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- wineventlog -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1490/ +directory: shadowcopy_del +mitre_technique: +- T1490 +datasets: +- name: wmicshadowcopydelete_sysmon + path: /datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml rename to datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage_old.yml diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml rename to datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage_old.yml diff --git a/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete.yml b/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete_old.yml similarity index 100% rename from datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete.yml rename to datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete_old.yml diff --git a/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml b/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml index b4e908c6a..5b8139c2d 100644 --- a/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml +++ b/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml @@ -3,9 +3,11 @@ id: 3a828f4c-79f5-11ec-bf39-acde48001122 date: '2022-01-20' description: Generated datasets for ping sleep in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: ping_sleep +mitre_technique: +- T1497.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe.yml b/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe_old.yml similarity index 100% rename from datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe.yml rename to datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe_old.yml diff --git a/datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox.yml b/datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox_old.yml similarity index 100% rename from datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox.yml rename to datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox_old.yml diff --git a/datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos.yml b/datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos_old.yml similarity index 100% rename from datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos.yml rename to datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos_old.yml diff --git a/datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024.yml b/datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024_old.yml similarity index 100% rename from datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024.yml rename to datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024_old.yml diff --git a/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.yml b/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability_old.yml similarity index 100% rename from datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.yml rename to datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability_old.yml diff --git a/datasets/attack_techniques/T1505.001/simulation/simulation.yml b/datasets/attack_techniques/T1505.001/simulation/simulation.yml new file mode 100644 index 000000000..8ffb1a5a0 --- /dev/null +++ b/datasets/attack_techniques/T1505.001/simulation/simulation.yml @@ -0,0 +1,25 @@ +author: Michael Haag +id: cc9b2609-1239-11eb-926b-550bf0943fbb +date: '2025-02-05' +description: Common SQL Server abuse simulation data +environment: attack_range +directory: simulation +mitre_technique: +- T1505.001 +datasets: +- name: adhocdq_windows_application + path: /datasets/attack_techniques/T1505.001/simulation/adhocdq_windows_application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:MSSQLSERVER +- name: dllprocedureload_windows-application + path: /datasets/attack_techniques/T1505.001/simulation/dllprocedureload_windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:MSSQLSERVER +- name: sqlservr-windows_sysmon + path: /datasets/attack_techniques/T1505.001/simulation/sqlservr-windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-application + path: /datasets/attack_techniques/T1505.001/simulation/windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Security-SPP diff --git a/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml b/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml deleted file mode 100644 index 43fd4749d..000000000 --- a/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Michael Haag -id: cc9b2609-1239-11eb-926b-550bf0943fbb -date: '2025-02-05' -description: Common SQL Server abuse simulation data -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/sqlservr-windows_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/windows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/sql_startupprocedure_widows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/adhocdq_windows_application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/dllprocedureload_windows-application.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Application -references: -- https://attack.mitre.org/techniques/T1505/001/ -- https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.003/T1505.003.yml b/datasets/attack_techniques/T1505.003/T1505.003.yml new file mode 100644 index 000000000..cfe9f89c9 --- /dev/null +++ b/datasets/attack_techniques/T1505.003/T1505.003.yml @@ -0,0 +1,30 @@ +author: Michael Haag +id: cc9b2609-efc9-11eb-926b-550bf0943fbb +date: '2021-03-11' +description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, + simulating web shell activity. In addition, behavior related to Microsoft Exchange + Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning + a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. + The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, + CVE-2021-26858, and CVE-2021-27065. +environment: attack_range +directory: T1505.003 +mitre_technique: +- T1505.003 +datasets: +- name: windows-sysmon_proxylogon + path: /datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_umservices + path: /datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1505.003/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: moveit_windows-sysmon + path: /datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml b/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml deleted file mode 100644 index 139e1808f..000000000 --- a/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml +++ /dev/null @@ -1,22 +0,0 @@ -author: Michael Haag -id: cc9b2609-efc9-11eb-926b-550bf0943fbb -date: '2021-03-11' -description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, - simulating web shell activity. In addition, behavior related to Microsoft Exchange - Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning - a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. - The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, - CVE-2021-26858, and CVE-2021-27065. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1505/003 -- https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html -- https://my.netsurion.com/hafnium-detection-and-monitoring-solution -- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ diff --git a/datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior.yml b/datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior_old.yml similarity index 100% rename from datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior.yml rename to datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior_old.yml diff --git a/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml b/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml index 530f0c923..a647f76ea 100644 --- a/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml +++ b/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml @@ -3,13 +3,11 @@ id: cb9b2601-efc9-11eb-926b-550bf0943fbb date: '2025-07-20' description: Generation of attack data related to CVE-2025-53770 (ToolShell) showing file creation of the malicious spinstall0.aspx web shell in SharePoint layouts directories. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/sharepoint_webshell/sysmon_spinstall0.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1505/003 - - https://research.eye.security/sharepoint-under-siege/ - - https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/ - - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ - - https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 +directory: sharepoint_webshell +mitre_technique: +- T1505.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1505.003/sharepoint_webshell/sysmon_spinstall0.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.004/T1505.004.yml b/datasets/attack_techniques/T1505.004/T1505.004.yml new file mode 100644 index 000000000..b5c1fb837 --- /dev/null +++ b/datasets/attack_techniques/T1505.004/T1505.004.yml @@ -0,0 +1,54 @@ +author: Michael Haag +id: 22d2640d-cd56-4abd-8d76-13c881820615 +date: '2022-12-19' +description: The following data was produced to emulate suspicious IIS Module activity + on Windows. +environment: attack_range +directory: T1505.004 +mitre_technique: +- T1505.004 +datasets: +- name: pwsh_installediismodules + path: /datasets/attack_techniques/T1505.004/pwsh_installediismodules.log + sourcetype: iis + source: iis +- name: IIS-Configuration-Operational + path: /datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log + sourcetype: iis + source: iis +- name: 4688_disable_http_logging-windows-security + path: /datasets/attack_techniques/T1505.004/4688_disable_http_logging-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: appcmd_install-windows-sysmon + path: /datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 2282_windows-application + path: /datasets/attack_techniques/T1505.004/2282_windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-IIS-W3SVC-WP +- name: 4104_disable_http_logging_windows-powershell + path: /datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: gacutil_windows-sysmon + path: /datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4104_windows-powershell + path: /datasets/attack_techniques/T1505.004/4104_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: gacutil_4688_windows-security + path: /datasets/attack_techniques/T1505.004/gacutil_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: disable_http_logging_windows-sysmon + path: /datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: appcmd_4688-windows-security + path: /datasets/attack_techniques/T1505.004/appcmd_4688-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1505.004/iis_modules.yml b/datasets/attack_techniques/T1505.004/iis_modules.yml deleted file mode 100644 index ce9701e24..000000000 --- a/datasets/attack_techniques/T1505.004/iis_modules.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Michael Haag -id: 22d2640d-cd56-4abd-8d76-13c881820615 -date: '2022-12-19' -description: The following data was produced to emulate suspicious IIS Module activity on Windows. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_4688-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_4688_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- IIS:Configuration:Operational -- Pwsh:InstalledIISModules -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1505/004 -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf -- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ -- https://www.secureworks.com/research/bronze-union -- https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml index 48f62eaf5..fcedf5766 100644 --- a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml +++ b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml @@ -3,9 +3,11 @@ id: 61568617-ad53-4998-b9aa-88d4114f5330 date: '2025-07-08' description: 'Sample of ESXi syslog events showing attempted forced installation of malicious VIBs' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1505/006 +directory: esxi_malicious_vib_forced_install +mitre_technique: +- T1505.006 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1525/container_implant/container_implant.yml b/datasets/attack_techniques/T1525/container_implant/container_implant_old.yml similarity index 100% rename from datasets/attack_techniques/T1525/container_implant/container_implant.yml rename to datasets/attack_techniques/T1525/container_implant/container_implant_old.yml diff --git a/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml b/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml index 354854b5a..07e09a0a3 100644 --- a/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml +++ b/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml @@ -3,10 +3,11 @@ id: cc9b2659-efc9-11eb-926b-550bf0943fbb date: '2021-04-13' description: Dataset which contains cloudtrail logs from cloudsploit. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1526 -- https://github.com/aquasecurity/cloudsploit +directory: aws_security_scanner +mitre_technique: +- T1526 +datasets: +- name: aws_security_scanner-json + path: /datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml index 32cbbffcf..bad5b57f5 100644 --- a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml +++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml @@ -3,9 +3,11 @@ id: 38e470fb-3c73-42c5-a5e6-47838df5e62e date: '2023-12-07' description: Kubernetes audit logs which contains pulling a image. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1526 +directory: kubernetes_audit_pull_image +mitre_technique: +- T1526 +datasets: +- name: kubernetes_audit_pull_image-json + path: /datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml index 62809e48e..ed8ffbc49 100644 --- a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml +++ b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml @@ -3,10 +3,11 @@ id: dee3b6f3-e0fe-4aab-b85b-76d5957e8518 date: '2021-08-24' description: Dataset which contains kube-hunter scanning environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json -sourcetypes: -- kube:objects:events -references: -- https://attack.mitre.org/techniques/T1526 -- https://github.com/aquasecurity/kube-hunter +directory: kubernetes_kube_hunter +mitre_technique: +- T1526 +datasets: +- name: kubernetes_kube_hunter-json + path: /datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml index 0a19cdf74..fd99a4ca1 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 8d4c2863-de34-4dd7-96a3-19fac4c0ec5e date: '2023-10-27' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. +environment: attack_range +directory: azure_ad_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_blocked + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml index 756348dd0..b415849c1 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 2724e330-ee25-4644-8ea4-d7317f5bf8d6 date: '2023-10-30' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Simulated a user denying consent.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Simulated a user denying consent. +environment: attack_range +directory: azure_ad_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_declined + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml index 023089a5b..f32fdfdc4 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: a54ab903-b061-4ccf-b761-7dfe86a5e58b date: '2023-10-27' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Simulated a user granting consent.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Simulated a user granting consent. +environment: attack_range +directory: azure_ad_user_consent_granted +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_granted + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml b/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml index 9c993269f..be7ff82e4 100644 --- a/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml +++ b/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: b88707d8-8cf6-4ac8-9e6b-ea9fd6dc46c6 date: '2023-08-03' -description: 'Leveraged TokenTactics to perform device code phishing against an azure ad account' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/rvrsh3ll/TokenTactics -- https://embracethered.com/blog/posts/2022/device-code-phishing/ -- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html \ No newline at end of file +description: Leveraged TokenTactics to perform device code phishing against an azure + ad account +environment: attack_range +directory: device_code_authentication +mitre_technique: +- T1528 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml b/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml index d8626f0d1..ef766bae3 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: c6d3a5df-a5a6-463c-9f9c-597cdba57dd8 date: '2023-10-01' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. +environment: attack_range +directory: o365_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_blocked + path: /datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml b/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml index c35f148b2..c77d23691 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 5ddc2e5f-b6b0-43c8-8e8b-637e96d562c6 date: '2023-10-12' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack and declined the consent when presented' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log -sourcetypes: -- o365:graph:api -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack and declined the consent when presented +environment: attack_range +directory: o365_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_declined + path: /datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml index 71a022231..1e6c50971 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a5bb8668-a4e2-4d06-9de3-fae665fcf4c4 date: '2023-10-18' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Once set up, simulated a user consenting the application.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Once set up, simulated a user consenting the application. +environment: attack_range +directory: o365_user_consent_file_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_file_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml index f33c69de9..806d8cf66 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: e788bb56-f05b-431c-8823-f01d44469bb3 date: '2023-10-12' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Once set up, simulated a user consenting the application.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Once set up, simulated a user consenting the application. +environment: attack_range +directory: o365_user_consent_mail_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_mail_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml index a15f7cb4e..cf4485b88 100644 --- a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml +++ b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml @@ -3,9 +3,11 @@ id: 2bbe8c66-7262-4e13-b9a0-9d521e5d6305 date: '2025-07-08' description: 'Sample of ESXi syslog events showing commands used for bulk termination of VMs.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1529 +directory: esxi_bulk_vm_termination +mitre_technique: +- T1529 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject.yml b/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject_old.yml similarity index 100% rename from datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject.yml rename to datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject_old.yml diff --git a/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml b/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml index 0cdf8981c..f80805211 100644 --- a/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml +++ b/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml @@ -4,9 +4,11 @@ date: '2021-01-12' description: Dataset which contains cloudtrail logs and the creation of a public S3 bucket. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1530 +directory: aws_s3_public_bucket +mitre_technique: +- T1530 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml index 378604c0c..cbe3dc816 100644 --- a/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: 1514bd3e-20a3-4d53-a740-8e952f5e7afb date: '2021-11-15' -description: 'Atomic Red Team tests simulating delete net user.' +description: Atomic Red Team tests simulating delete net user. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/atomic_red_team/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: atomic_red_team +mitre_technique: +- T1531 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1531/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml rename to datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user_old.yml diff --git a/datasets/attack_techniques/T1531/log_off_user/log_off_user.yml b/datasets/attack_techniques/T1531/log_off_user/log_off_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/log_off_user/log_off_user.yml rename to datasets/attack_techniques/T1531/log_off_user/log_off_user_old.yml diff --git a/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree.yml b/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree.yml rename to datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree_old.yml diff --git a/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml b/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml index f8f585941..9a8533074 100644 --- a/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml +++ b/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml @@ -1,11 +1,17 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-11eb-926b-5511f09431bb date: '2023-03-31' -description: Adversaries made suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. +description: Adversaries made suspicious AWS AMI attribute modifications, such as + sharing it with another AWS account or making the full AMI image public. Adversaries + are known to abuse these APIs to exfiltrate sensitive organization information stored + in the AWS Resources, there by its very important to monitor these seemingly benign + API activity in Cloudtrail logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_ami_shared_public +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml b/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml index b2d9098ad..e399d4951 100644 --- a/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml +++ b/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml @@ -1,11 +1,14 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-1111-926b-5511f09431bb date: '2023-03-31' -description: This dataset contains Risk events created by the detection analytics related Collection and Exfiltration techniques in Enterprise Security +description: This dataset contains Risk events created by the detection analytics + related Collection and Exfiltration techniques in Enterprise Security environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log -sourcetypes: -- stash -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_exfil_risk_events +mitre_technique: +- T1537 +datasets: +- name: aws_risk + path: /datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml b/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml index bceb33f99..8d40b6a64 100644 --- a/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml +++ b/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml @@ -1,13 +1,19 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-11eb-926b-550bf0943fbb date: '2021-07-20' description: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_snapshot_exfil +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share.yml b/datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share_old.yml similarity index 100% rename from datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share.yml rename to datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share_old.yml diff --git a/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml b/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml new file mode 100644 index 000000000..f4290a20e --- /dev/null +++ b/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2c94f423-56b0-4f7b-ac98-0e10692f9bea +date: '2025-08-12' +description: Automatically categorized datasets in directory high_frequency_copy_of_files_in_network_share +environment: attack_range +directory: high_frequency_copy_of_files_in_network_share +mitre_technique: +- T1537 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml index 9f53bd5de..4f9a44849 100644 --- a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml +++ b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml @@ -1,11 +1,14 @@ author: Bhavin Patel -id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959w +id: 7bbee66b-eb76-41d6-8e4e-d7890e502d23 date: '2024-03-18' -description: 'Manually generated dataset of two sessions from mutiple IPs, useragents, etc' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1539/ +description: Manually generated dataset of two sessions from mutiple IPs, useragents, + etc +environment: attack_range +directory: okta_web_session_multiple_ip +mitre_technique: +- T1539 +datasets: +- name: okta_web_session_multiple_ip + path: /datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml b/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml index c279adc3b..af35eace9 100644 --- a/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml +++ b/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml @@ -1,14 +1,13 @@ author: Automated Attack Data Service id: b3252a4d-449e-42cd-be46-bec739d77c4c date: '2023-05-03' -description: 'Attack data for bootkits' +description: Attack data for bootkits environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +directory: bootkits +mitre_technique: +- T1542.003 +datasets: +- name: network-winlogon-windows-sysmon + path: /datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml index 26a5f144f..4fb0fbac7 100644 --- a/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml @@ -6,19 +6,27 @@ description: 'Atomic Test Results: Return value unclear for test T1543.003-1 Mod Installation CMD Return value unclear for test T1543.003-3 Service Installation PowerShell ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md +directory: atomic_red_team +mitre_technique: +- T1543.003 +datasets: +- name: 4688-remcom-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-remote-service-create-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-system + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: remote_service_create_windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup.yml b/datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup_old.yml similarity index 100% rename from datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup.yml rename to datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup_old.yml diff --git a/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml index 7a907f0af..d1db2f119 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 1ccc911f-a49b-4dc9-903a-0ae2c67b0475 date: '2021-11-12' -description: Manually using the sc.exe binary to create and start a Windows Service on a remote endpoint for lateral movement and remote code execution. +description: Manually using the sc.exe binary to create and start a Windows Service + on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc +directory: lateral_movement +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml index ba8d349cd..76344e7c0 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 9aa6af3d-608e-4a69-8a89-c49b9b3cd3fa date: '2021-11-23' -description: Manually using the sc.exe binary to create and start a Windows Service on a remote endpoint for lateral movement and remote code execution. +description: Manually using the sc.exe binary to create and start a Windows Service + on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc -- https://pentestlab.blog/2020/07/21/lateral-movement-services/ +directory: lateral_movement_lolbas +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml index b9385b627..3d8ccb4be 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 32ff9c98-48d2-46aa-9e95-b79f970c5f07 date: '2021-11-29' -description: Manually using the Metasploit framework binary to create and start a Windows Service on a remote endpoint that calls PowerShell.exe for lateral movement and remote code execution. +description: Manually using the Metasploit framework binary to create and start a + Windows Service on a remote endpoint that calls PowerShell.exe for lateral movement + and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://www.rapid7.com/db/modules/exploit/windows/smb/psexec/ -- https://pentestlab.blog/2020/07/21/lateral-movement-services/ +directory: lateral_movement_powershell +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path.yml b/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path.yml rename to datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path_old.yml diff --git a/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml b/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml index 833211098..4f3ca90ea 100644 --- a/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml +++ b/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml @@ -1,12 +1,13 @@ author: Bhavin Patel id: cc9b2651-efc9-11eb-926b-550bf0143fbb date: '2023-10-02' -description: 'Attack data for services.exe spawning msiexec' +description: Attack data for services.exe spawning msiexec environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log -sourcetypes: -- XmlWinEventLog -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md -- https://atomicredteam.io/privilege-escalation/T1543.003/ +directory: services_lolbas_execution +mitre_technique: +- T1543.003 +datasets: +- name: 4688_xml_windows_security + path: /datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml b/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml new file mode 100644 index 000000000..801e3147b --- /dev/null +++ b/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 45486064-f0b3-4290-9ca4-d97342972e90 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_krbrelayup_service_creation +environment: attack_range +directory: windows_krbrelayup_service_creation +mitre_technique: +- T1543.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml b/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml index ab1f08d14..8cacb4a64 100644 --- a/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml +++ b/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: 50a25246-7301-4282-99b9-6580b278cc61 date: '2021-09-28' -description: Manual generation of attack data for txtfile default file association registry entry for persistence and privilege escalation. +description: Manual generation of attack data for txtfile default file association + registry entry for persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: txtfile_reg +mitre_technique: +- T1546.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml b/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml index 4a95b6e5a..a949845bf 100644 --- a/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml +++ b/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras id: 2d6fba98-4e8d-4818-82d6-dbc0191c4ef7 date: '2021-09-28' -description: Manual generation of attack data for SCRNSAVE.EXE registry entry for persistence and privilege escalation. +description: Manual generation of attack data for SCRNSAVE.EXE registry entry for + persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1546/002 +directory: scrnsave_reg +mitre_technique: +- T1546.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml index c746ed4f6..fde0d4b58 100644 --- a/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,11 @@ date: '2020-12-08' description: 'Atomic Test Results: Return value unclear for test T1546.003-1 Persistence via WMI Event Subscription ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md +directory: atomic_red_team +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml b/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml index ddb4e1a95..55fbc5cbd 100644 --- a/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml +++ b/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml @@ -3,12 +3,11 @@ id: cc9b262d-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual WMI persistence via WMI Event Subscription environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md +directory: wmi_event_subscription +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml index 1a73380f9..1f87524cf 100644 --- a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml +++ b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml @@ -3,9 +3,11 @@ id: 6a85a94e-45d6-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd unix shell mod config in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_unix_shell_mod_config +mitre_technique: +- T1546.004 +datasets: +- name: linux_auditd_unix_shell_mod_config + path: /datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml b/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml index b22b98c23..7aa9eee2f 100644 --- a/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml +++ b/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml @@ -3,9 +3,11 @@ id: 02957dd0-6242-11ec-a156-acde48001122 date: '2021-12-21' description: Generated datasets for linux init profile in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: linux_init_profile +mitre_technique: +- T1546.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml index 2ecd932fd..b9ae3b2bd 100644 --- a/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,11 @@ id: cc9b25d2-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: Generation of Atomic Red Team technique T1546.008 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/008/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md +directory: atomic_red_team +mitre_technique: +- T1546.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml index 381807d4b..edbf615a7 100644 --- a/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml @@ -6,16 +6,11 @@ description: 'Atomic Test Results: Successful Execution of test T1546.011-1 Appl created in the default shim database directory Successful Execution of test T1546.011-3 Registry key creation and/or modification events for SDB ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md +directory: atomic_red_team +mitre_technique: +- T1546.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml index 5915f5d61..b52106bbb 100644 --- a/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml @@ -4,18 +4,15 @@ date: '2020-11-27' description: 'Atomic Test Results: Successful Execution of test T1546.012-1 IFEO Add Debugger Successful Execution of test T1546.012-2 IFEO Global Flags ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- WinEventLog:Application -references: -- https://attack.mitre.org/techniques/T1546/012/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md +directory: atomic_red_team +mitre_technique: +- T1546.012 +datasets: +- name: windows-application + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-ProcessExitMonitor +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml index 90c0dba72..bda5df25b 100644 --- a/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml @@ -1,16 +1,22 @@ author: Michael Haag, Splunk id: 48489030-45fb-4945-a761-9aef99cd5978 date: '2022-09-26' -description: 'Atomic Test Results: Successful Execution of test T1546.015 related to inprocserver32 ' +description: 'Atomic Test Results: Successful Execution of test T1546.015 related + to inprocserver32 ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/015/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.015.md +directory: atomic_red_team +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml b/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml index fc612c529..d56a10c25 100644 --- a/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml +++ b/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml @@ -3,9 +3,11 @@ id: f717f18e-aa0f-11ec-90af-acde48001122 date: '2022-03-22' description: Generated datasets for pwh com object in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://threadreaderapp.com/thread/1423361119926816776.html \ No newline at end of file +directory: pwh_com_object +mitre_technique: +- T1546.015 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml b/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml index 713d52db5..8ac9e8c0b 100644 --- a/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml +++ b/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml @@ -3,9 +3,11 @@ id: 2970b9f5-37cf-42ab-8ebe-7b90f63d69ec date: '2021-08-13' description: simulate colorui uac bypass technique. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/#_ftn2 \ No newline at end of file +directory: uac_colorui +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml b/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml index 2071b2197..373ad7154 100644 --- a/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml +++ b/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a9ed69d2-b5a2-4eba-8906-e5e407e79e16 date: '2022-11-15' -description: Used powershell to modify the ACL of the AdminSDHolder active directory object. +description: Used powershell to modify the ACL of the AdminSDHolder active directory + object. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory -- https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx -- https://adsecurity.org/?p=1906 -- https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/ \ No newline at end of file +directory: adminsdholder_modified +mitre_technique: +- T1546 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.yml b/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse_old.yml similarity index 100% rename from datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.yml rename to datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse_old.yml diff --git a/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml index 69da252f4..3da842458 100644 --- a/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml @@ -8,18 +8,15 @@ description: 'Atomic Test Results: Successful Execution of test T1547.001-1 Reg Suspicious jse file run from startup Folder Return value unclear for test T1547.001-6 Suspicious bat file run from startup Folder ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/t1547001-runonce.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1547/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md +directory: atomic_red_team +mitre_technique: +- T1547.001 +datasets: +- name: bootexecute-windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml b/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml index f04ef4633..9a6498546 100644 --- a/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml +++ b/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: ad1f89a2-47be-4c29-a7a0-9930921aa38d date: '2021-09-30' -description: manual timeprovider registry modification datasets for persistence and privilege escalation. +description: manual timeprovider registry modification datasets for persistence and + privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: timeprovider_reg +mitre_technique: +- T1547.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml b/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml index ca57acabf..dfe71dd12 100644 --- a/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml +++ b/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml @@ -1,16 +1,19 @@ author: Dean Luxton id: 23ec953f-b6b4-41ec-a81d-8c08fb3706ab date: '2022-08-23' -description: Manually copying mimilib.dll over to system32 & registering the dll as a new SSP via registry. Attack was ran successfully against a non-domain joined windows device, and a domain joined windows sever. (Also applicable against DCs) +description: Manually copying mimilib.dll over to system32 & registering the dll as + a new SSP via registry. Attack was ran successfully against a non-domain joined + windows device, and a domain joined windows sever. (Also applicable against DCs) environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log -sourcetypes: -- XmlWinEventLog -- xmlwineventlog -references: -- https://adsecurity.org/?p=1760 -- https://blog.xpnsec.com/exploring-mimikatz-part-2/ -- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package -- https://attack.mitre.org/techniques/T1547/005 +directory: malicious_ssp +mitre_technique: +- T1547.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml index 444e87985..f3927c7ac 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml @@ -3,9 +3,11 @@ id: a85c69f0-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd insmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log -sourcetypes: -- 'linux:audit' -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: linux_auditd_insmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml index f74016453..f2826f748 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml @@ -3,9 +3,11 @@ id: 9d807532-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd insmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log -sourcetypes: -- 'auditd' -references: -- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 \ No newline at end of file +directory: linux_auditd_insmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml index 63d3354c4..1e67200d4 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml @@ -3,9 +3,11 @@ id: cfe5a4be-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd modprobe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log -sourcetypes: -- 'linux:audit' -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: linux_auditd_modprobe +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml index 8437c4982..48299ae23 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml @@ -3,9 +3,11 @@ id: db4b9b9e-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd modprobe new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log -sourcetypes: -- 'auditd' -references: -- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 \ No newline at end of file +directory: linux_auditd_modprobe_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml index 1b1a3dd29..1337d1436 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml @@ -1,11 +1,18 @@ author: Teoderick Contreras, Splunk id: 6237b4fc-efa6-11ef-b72e-629be3538068 date: '2025-02-20' -description: Generated datasets for linux auditd modprobe unload module in attack range. +description: Generated datasets for linux auditd modprobe unload module in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_modprobe_unload_module +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe_unload_module + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log + sourcetype: auditd + source: auditd +- name: auditd_execve_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml index 92c585288..2988af55a 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml @@ -3,9 +3,11 @@ id: 8ceb8526-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd rmmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_rmmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml index 5b3bcf998..52aa4edcf 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml @@ -3,9 +3,11 @@ id: 460dec20-1ab1-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd rmmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_rmmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml index 71aaa75e7..c4a664052 100644 --- a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml +++ b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml @@ -3,9 +3,11 @@ id: 97358c88-632c-11ec-a5ca-acde48001122 date: '2021-12-22' description: Generated datasets for loading linux kernel module in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: loading_linux_kernel_module +mitre_technique: +- T1547.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml index a9dab2c19..4fd18792c 100644 --- a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml @@ -1,11 +1,13 @@ author: Michael Haag -id: cc9i2628-efc9-88eb-926b-550bf0943fbb +id: e0b28658-8542-40e7-9dc5-62775762ef70 date: '2022-08-22' description: Generation of Atomic Red Team technique T1547.008 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1547/008 +directory: atomic_red_team +mitre_technique: +- T1547.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml index d77724d41..64f0f44fb 100644 --- a/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,15 @@ id: cc9b2628-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: Generation of Atomic Red Team technique T1547.010 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: atomic_red_team +mitre_technique: +- T1547.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml b/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml index 2ab940fd8..5b7a14b81 100644 --- a/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml +++ b/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml @@ -1,10 +1,22 @@ author: Teoderick Contreras id: 787d019a-8348-4840-8802-e0080ab1deb6 date: '2021-09-29' -description: manual printer processor registry modification datasets for persistence and privilege escalation. +description: manual printer processor registry modification datasets for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: print_reg +mitre_technique: +- T1547.012 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1547.012/print_reg/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_print + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml b/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml index 259ba7758..4c3a26952 100644 --- a/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml +++ b/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml @@ -3,18 +3,15 @@ id: cc9b265b-efc9-11eb-926b-550bf0943fbb date: '2021-07-01' description: Automated generation of attack data by exploiting CVE-2021-1675 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -- WinEventLog:Microsoft-Windows-PrintService/Admin -- WinEventLog:Microsoft-Windows-PrintService/Operational -references: -- https://attack.mitre.org/techniques/T1547/012/ +directory: printnightmare +mitre_technique: +- T1547.012 +datasets: +- name: mimikatz-windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml b/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml index cfbf5ccb7..a8f69fe2e 100644 --- a/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml +++ b/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml @@ -3,9 +3,11 @@ id: 3cda83cc-6261-11ec-b4f9-acde48001122 date: '2021-12-21' description: Generated datasets for chmod uid in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: chmod_uid +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml index ab7943dd5..2bb93ac8d 100644 --- a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml +++ b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml @@ -3,9 +3,23 @@ id: d05ad908-efa3-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd setuid in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log -sourcetypes: -- 'auditd' -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: linux_auditd_setuid +mitre_technique: +- T1548.001 +datasets: +- name: linux_auditd_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_proctitle_setuid.log + sourcetype: auditd + source: auditd +- name: linux_auditd_setcap_priv + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log + sourcetype: auditd + source: auditd +- name: auditd_execve_setcap + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml b/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml index 4be2cfd0d..5f76a6b38 100644 --- a/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml +++ b/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml @@ -3,9 +3,11 @@ id: 0d7e7bb4-6262-11ec-9ed4-acde48001122 date: '2021-12-21' description: Generated datasets for linux setcap in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: linux_setcap +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml index 096f8e2cb..2911884e7 100644 --- a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml +++ b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: a996c867-70b4-4ac4-bfbc-fae63b60f169 date: '2021-09-30' -description: manual disable uac remote restriction registry modification datasets for persistence and privilege escalation. +description: manual disable uac remote restriction registry modification datasets + for persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: LocalAccountTokenFilterPolicy +mitre_technique: +- T1548.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml index b9caafcc8..b1e9c8d29 100644 --- a/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,15 @@ id: cc9b25fe-efc9-11eb-926b-550bf0943fbb date: '2020-11-18' description: Generation of Atomic Red Team technique T1548.002 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: atomic_red_team +mitre_technique: +- T1548.002 +datasets: +- name: dism_pswa_4688_windows-security + path: /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/slui/slui.yml b/datasets/attack_techniques/T1548.002/slui/slui.yml new file mode 100644 index 000000000..0597f3e2f --- /dev/null +++ b/datasets/attack_techniques/T1548.002/slui/slui.yml @@ -0,0 +1,13 @@ +author: Michael Haag, Splunk +id: cc9b25ff-efc9-11eb-926b-550bf0943fbb +date: '2021-05-13' +description: Generation of slui.exe UAC Bypass behaviors. +environment: attack_range +directory: slui +mitre_technique: +- T1548.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml b/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml deleted file mode 100644 index 6dfc2a9ad..000000000 --- a/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b25ff-efc9-11eb-926b-550bf0943fbb -date: '2021-05-13' -description: Generation of slui.exe UAC Bypass behaviors. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ -- https://www.exploit-db.com/exploits/46998 -- https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b -- https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 -- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ -- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html diff --git a/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml b/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml index eadd8aeb9..329ea260a 100644 --- a/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml +++ b/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml @@ -3,9 +3,11 @@ id: cc9b25fe-efc5-13eb-9d6b-550bf0943fbb date: '2022-02-23' description: SSA Slimmed logs for T1548.002 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: ssa_eventvwr +mitre_technique: +- T1548.002 +datasets: +- name: windows-sysmon-registry + path: /datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml index 1be2cca37..43fd7868b 100644 --- a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml +++ b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml @@ -1,14 +1,14 @@ -author: Steven Dick -id: 0fe95fd6-68cf-41de-9e05-26547ce1e08a -date: '2023-11-20' -description: 'Detection of common User Account Control bypass techniques, generated using Atomic Tests for T1548.002' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ -- https://atomicredteam.io/defense-evasion/T1548.002/ -- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/ -- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ \ No newline at end of file +author: Steven Dick +id: 0fe95fd6-68cf-41de-9e05-26547ce1e08a +date: '2023-11-20' +description: Detection of common User Account Control bypass techniques, generated + using Atomic Tests for T1548.002 +environment: attack_range +directory: uac_behavior +mitre_technique: +- T1548.002 +datasets: +- name: uac_behavior_sysmon + path: /datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas/doas.yml b/datasets/attack_techniques/T1548.003/doas/doas.yml index 71905749f..79800cd33 100644 --- a/datasets/attack_techniques/T1548.003/doas/doas.yml +++ b/datasets/attack_techniques/T1548.003/doas/doas.yml @@ -3,9 +3,11 @@ id: 934e2ef8-6e0e-11ec-9cba-acde48001122 date: '2022-01-05' description: Generated datasets for doas in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://wiki.gentoo.org/wiki/Doas \ No newline at end of file +directory: doas +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml b/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml index 46d528230..ff05a28f8 100644 --- a/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml +++ b/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml @@ -3,9 +3,11 @@ id: 5ee37c76-6e0f-11ec-b0d2-acde48001122 date: '2022-01-05' description: Generated datasets for doas exec in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://wiki.gentoo.org/wiki/Doas \ No newline at end of file +directory: doas_exec +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml b/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml index 826b30c06..6bab42150 100644 --- a/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml +++ b/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml @@ -3,9 +3,11 @@ id: ca07fc9e-6260-11ec-b8ae-acde48001122 date: '2021-12-21' description: Generated datasets for linux adduser in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ \ No newline at end of file +directory: linux_adduser +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml index d576a159e..ad1d2819c 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml @@ -3,9 +3,11 @@ id: 06e6ca4e-5644-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd doas in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log -sourcetypes: -- 'linux:audit' -references: -- https://www.makeuseof.com/how-to-install-and-use-doas/ \ No newline at end of file +directory: linux_auditd_doas +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml index 665f5c3f1..cfc44578e 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml @@ -3,9 +3,11 @@ id: d79ea71c-1aaf-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd doas new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log -sourcetypes: -- 'auditd' -references: -- https://www.makeuseof.com/how-to-install-and-use-doas/ \ No newline at end of file +directory: linux_auditd_doas_new +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_new_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml index 6de1019b3..baa42e9b7 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml @@ -3,9 +3,15 @@ id: 97e7e652-ef9d-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd nopasswd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: linux_auditd_nopasswd +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_nopasswd + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log + sourcetype: auditd + source: auditd +- name: linux_auditd_nopasswd2 + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml index bf81e735a..6ddf4749f 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml @@ -3,9 +3,15 @@ id: 7add3492-efa5-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd sudo su in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: linux_auditd_sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: auditd_proctitle_sudo + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log + sourcetype: auditd + source: auditd +- name: linux_auditd_sudo_su + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml index 04a42a1a3..c783d9258 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml @@ -3,9 +3,11 @@ id: f47e0ecc-45d4-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd sudoers access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log -sourcetypes: -- 'auditd' -references: -- https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf \ No newline at end of file +directory: linux_auditd_sudoers_access +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_sudoers_access + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml b/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf_old.yml similarity index 100% rename from datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml rename to datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf_old.yml diff --git a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml index 73d549d9b..525f26ba8 100644 --- a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml +++ b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml @@ -3,9 +3,11 @@ id: 4505ff28-6260-11ec-85e5-acde48001122 date: '2021-12-21' description: Generated datasets for nopasswd sudoers in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: nopasswd_sudoers +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml b/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml index 5cb4c6e56..a8ab22d53 100644 --- a/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml +++ b/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml @@ -3,9 +3,11 @@ id: 9660d0e4-6d6b-11ec-bc7d-acde48001122 date: '2022-01-04' description: Generated datasets for sudo su in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml b/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml index afb842ed8..d075703d5 100644 --- a/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml +++ b/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml @@ -3,9 +3,11 @@ id: 4ff7f3ee-64a6-11ec-83e6-acde48001122 date: '2021-12-24' description: Generated datasets for sudoers temp in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: sudoers_temp +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/visudo/visudo.yml b/datasets/attack_techniques/T1548.003/visudo/visudo.yml index 62825b2ab..f8c850cc6 100644 --- a/datasets/attack_techniques/T1548.003/visudo/visudo.yml +++ b/datasets/attack_techniques/T1548.003/visudo/visudo.yml @@ -3,9 +3,11 @@ id: f5ead72e-625f-11ec-a0f1-acde48001122 date: '2021-12-21' description: Generated datasets for visudo in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: visudo +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/abuse_elevation_control.yml b/datasets/attack_techniques/T1548/abuse_elevation_control_old.yml similarity index 100% rename from datasets/attack_techniques/T1548/abuse_elevation_control.yml rename to datasets/attack_techniques/T1548/abuse_elevation_control_old.yml diff --git a/datasets/attack_techniques/T1548/apt/apt.yml b/datasets/attack_techniques/T1548/apt/apt.yml index 4f167ac78..2d03fc843 100644 --- a/datasets/attack_techniques/T1548/apt/apt.yml +++ b/datasets/attack_techniques/T1548/apt/apt.yml @@ -3,9 +3,11 @@ id: 142db055-e432-44c3-b013-7560242c5399 date: '2022-08-12' description: Apt linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: apt +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt_get/apt_get.yml b/datasets/attack_techniques/T1548/apt_get/apt_get.yml index a8208668f..f364fc5a5 100644 --- a/datasets/attack_techniques/T1548/apt_get/apt_get.yml +++ b/datasets/attack_techniques/T1548/apt_get/apt_get.yml @@ -3,9 +3,11 @@ id: 626b6584-bdcf-4b12-9e72-6c63eda796c0 date: '2022-08-12' description: apt-get linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: apt_get +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt_get/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/awk/awk.yml b/datasets/attack_techniques/T1548/awk/awk.yml index 670ca187d..99a1fb311 100644 --- a/datasets/attack_techniques/T1548/awk/awk.yml +++ b/datasets/attack_techniques/T1548/awk/awk.yml @@ -3,9 +3,11 @@ id: c243b463-7dbb-4887-8660-b4430e68d73a date: '2022-08-01' description: AWK linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: awk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/awk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/busybox/busybox.yml b/datasets/attack_techniques/T1548/busybox/busybox.yml index 6a3f76e4e..a7b887874 100644 --- a/datasets/attack_techniques/T1548/busybox/busybox.yml +++ b/datasets/attack_techniques/T1548/busybox/busybox.yml @@ -3,9 +3,11 @@ id: 391e59ca-5057-4a8a-a009-59525071f11d date: '2022-08-12' description: Busybox linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: busybox +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/busybox/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c89/c89.yml b/datasets/attack_techniques/T1548/c89/c89.yml index fe88ca5bb..95c4510fa 100644 --- a/datasets/attack_techniques/T1548/c89/c89.yml +++ b/datasets/attack_techniques/T1548/c89/c89.yml @@ -3,9 +3,11 @@ id: b02cf07e-9e11-4c06-a4b3-db7945e9d5d0 date: '2022-08-12' description: C89 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: c89 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c89/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c99/c99.yml b/datasets/attack_techniques/T1548/c99/c99.yml index e6e6a95a6..6843d3cec 100644 --- a/datasets/attack_techniques/T1548/c99/c99.yml +++ b/datasets/attack_techniques/T1548/c99/c99.yml @@ -3,9 +3,11 @@ id: 84a4839d-cf5f-42ca-9a96-dfa0b296a94a date: '2022-08-12' description: C99 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: c99 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c99/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/composer/composer.yml b/datasets/attack_techniques/T1548/composer/composer.yml index c13784ed1..561cf878e 100644 --- a/datasets/attack_techniques/T1548/composer/composer.yml +++ b/datasets/attack_techniques/T1548/composer/composer.yml @@ -3,9 +3,11 @@ id: 8bc07a27-ecab-485f-b8e1-fdd0506dee06 date: '2022-08-12' description: Composer linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: composer +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/composer/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml b/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml index 3e1b4c441..1bcfcf5c4 100644 --- a/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml +++ b/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml @@ -3,9 +3,11 @@ id: b0389a29-5eaa-4ec0-aee3-dc8a667ebbb1 date: '2022-08-12' description: Cpulimit linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: cpulimit +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/csvtool/csvtool.yml b/datasets/attack_techniques/T1548/csvtool/csvtool.yml index e08adf684..9b81b3dfc 100644 --- a/datasets/attack_techniques/T1548/csvtool/csvtool.yml +++ b/datasets/attack_techniques/T1548/csvtool/csvtool.yml @@ -3,9 +3,11 @@ id: ab0285b6-cbed-4163-b18a-76e572b0ad34 date: '2022-08-12' description: Csvtool linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: csvtool +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/csvtool/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml b/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml new file mode 100644 index 000000000..90ad72d8d --- /dev/null +++ b/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 66b7227d-7c95-431e-951b-1930959ddc73 +date: '2025-08-12' +description: Automatically categorized datasets in directory darkside_cmstp_com +environment: attack_range +directory: darkside_cmstp_com +mitre_technique: +- T1548 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/docker/docker.yml b/datasets/attack_techniques/T1548/docker/docker.yml index 7e3f4982e..b22966eef 100644 --- a/datasets/attack_techniques/T1548/docker/docker.yml +++ b/datasets/attack_techniques/T1548/docker/docker.yml @@ -3,9 +3,11 @@ id: 7de57102-fefa-4883-b318-23be33b1a4af date: '2022-08-01' description: Docker linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: docker +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/docker/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/emacs/emacs.yml b/datasets/attack_techniques/T1548/emacs/emacs.yml index 240d8bad5..08224ec0d 100644 --- a/datasets/attack_techniques/T1548/emacs/emacs.yml +++ b/datasets/attack_techniques/T1548/emacs/emacs.yml @@ -3,9 +3,11 @@ id: ca038e78-021e-4f4f-ae04-68e58b911625 date: '2022-08-10' description: EMACS linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: emacs +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/emacs/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/find/find.yml b/datasets/attack_techniques/T1548/find/find.yml index 418248b8b..b25c03886 100644 --- a/datasets/attack_techniques/T1548/find/find.yml +++ b/datasets/attack_techniques/T1548/find/find.yml @@ -3,9 +3,11 @@ id: d86175c7-17f9-474d-aaee-686ca19ef406 date: '2022-08-10' description: Find linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: find +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/find/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gawk/gawk.yml b/datasets/attack_techniques/T1548/gawk/gawk.yml index 49650fe93..a6c08fa93 100644 --- a/datasets/attack_techniques/T1548/gawk/gawk.yml +++ b/datasets/attack_techniques/T1548/gawk/gawk.yml @@ -3,9 +3,11 @@ id: 77d7bacd-dcba-4c12-92c8-51fd87b25825 date: '2022-08-10' description: GNU Awk linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gawk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gawk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gdb/gdb.yml b/datasets/attack_techniques/T1548/gdb/gdb.yml index b836d4154..1698a92c0 100644 --- a/datasets/attack_techniques/T1548/gdb/gdb.yml +++ b/datasets/attack_techniques/T1548/gdb/gdb.yml @@ -3,9 +3,11 @@ id: f312ff8f-272f-44a2-b665-28a52f2d4667 date: '2022-08-10' description: GDB linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gdb +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gdb/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gem/gem.yml b/datasets/attack_techniques/T1548/gem/gem.yml index 618d9e88c..6dbcea522 100644 --- a/datasets/attack_techniques/T1548/gem/gem.yml +++ b/datasets/attack_techniques/T1548/gem/gem.yml @@ -3,9 +3,11 @@ id: e08064be-ad33-4dd7-9cc9-2f7e9ed81302 date: '2022-08-10' description: GEM linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gem +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gem/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/linux_risk/linux_risk.yml b/datasets/attack_techniques/T1548/linux_risk/linux_risk_old.yml similarity index 100% rename from datasets/attack_techniques/T1548/linux_risk/linux_risk.yml rename to datasets/attack_techniques/T1548/linux_risk/linux_risk_old.yml diff --git a/datasets/attack_techniques/T1548/make/make.yml b/datasets/attack_techniques/T1548/make/make.yml index d8e15c9f0..5bd3e35da 100644 --- a/datasets/attack_techniques/T1548/make/make.yml +++ b/datasets/attack_techniques/T1548/make/make.yml @@ -3,9 +3,11 @@ id: 56a53a5f-56f9-45c6-a29a-4ea5366f90eb date: '2022-08-10' description: Make linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: make +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/make/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/mysql/mysql.yml b/datasets/attack_techniques/T1548/mysql/mysql.yml index 43b6df931..a17e17a24 100644 --- a/datasets/attack_techniques/T1548/mysql/mysql.yml +++ b/datasets/attack_techniques/T1548/mysql/mysql.yml @@ -3,9 +3,11 @@ id: 6a0e3130-6fdf-4b82-9c1d-a914d1ab63b0 date: '2022-08-10' description: MySQL linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: mysql +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/mysql/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/node/node.yml b/datasets/attack_techniques/T1548/node/node.yml index 9e9803943..72b80c244 100644 --- a/datasets/attack_techniques/T1548/node/node.yml +++ b/datasets/attack_techniques/T1548/node/node.yml @@ -3,9 +3,11 @@ id: 1b157687-1552-49e6-af63-397a9a6a6eb9 date: '2022-08-01' description: Node linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: node +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/node/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/octave/octave.yml b/datasets/attack_techniques/T1548/octave/octave.yml index 411b6e819..5cb20eb40 100644 --- a/datasets/attack_techniques/T1548/octave/octave.yml +++ b/datasets/attack_techniques/T1548/octave/octave.yml @@ -3,9 +3,11 @@ id: 35f3aae2-eca4-41a7-877d-a19b3a61fab4 date: '2022-08-12' description: Octave linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: octave +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/octave/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/openvpn/openvpn.yml b/datasets/attack_techniques/T1548/openvpn/openvpn.yml index 155df0449..97d9579b8 100644 --- a/datasets/attack_techniques/T1548/openvpn/openvpn.yml +++ b/datasets/attack_techniques/T1548/openvpn/openvpn.yml @@ -3,9 +3,11 @@ id: 49252518-96e6-4f7a-8392-719c725bc3ca date: '2022-08-12' description: Openvpn linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: openvpn +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/openvpn/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/php/php.yml b/datasets/attack_techniques/T1548/php/php.yml index 1309ccfc0..94f838474 100644 --- a/datasets/attack_techniques/T1548/php/php.yml +++ b/datasets/attack_techniques/T1548/php/php.yml @@ -3,9 +3,11 @@ id: a0ef4611-c714-42cf-96e6-f06716d78bb5 date: '2022-08-10' description: PHP linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: php +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/php/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/puppet/puppet.yml b/datasets/attack_techniques/T1548/puppet/puppet.yml index 32cdf4487..8b045b145 100644 --- a/datasets/attack_techniques/T1548/puppet/puppet.yml +++ b/datasets/attack_techniques/T1548/puppet/puppet.yml @@ -3,9 +3,11 @@ id: 81e7003c-1b44-467f-84da-05a3d38d1d8f date: '2022-08-12' description: Puppet linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: puppet +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/puppet/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/rpm/rpm.yml b/datasets/attack_techniques/T1548/rpm/rpm.yml index a4755da80..61b276807 100644 --- a/datasets/attack_techniques/T1548/rpm/rpm.yml +++ b/datasets/attack_techniques/T1548/rpm/rpm.yml @@ -3,9 +3,11 @@ id: bad65c56-3e48-433c-a40c-d5a022da142c date: '2022-08-10' description: RPM linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: rpm +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/rpm/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/ruby/ruby.yml b/datasets/attack_techniques/T1548/ruby/ruby.yml index 655c5a9dc..c2566b92c 100644 --- a/datasets/attack_techniques/T1548/ruby/ruby.yml +++ b/datasets/attack_techniques/T1548/ruby/ruby.yml @@ -3,9 +3,11 @@ id: c9fcba32-de3a-42b0-8959-0e08ef5ff852 date: '2022-08-10' description: Ruby linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: ruby +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/ruby/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/splunk/data.yml b/datasets/attack_techniques/T1548/splunk/data.yml new file mode 100644 index 000000000..55efa1fd9 --- /dev/null +++ b/datasets/attack_techniques/T1548/splunk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9a65518c-c739-4d21-a710-b368d8d5dc4d +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1548 +datasets: +- name: splunk_enterprise_kv_store_incorrect_authorization_splunkd_access + path: /datasets/attack_techniques/T1548/splunk/splunk_enterprise_kv_store_incorrect_authorization_splunkd_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml b/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml index e10fa66e1..582068339 100644 --- a/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml +++ b/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml @@ -3,9 +3,11 @@ id: 5e4819bc-e65a-419c-992d-6219675b5136 date: '2022-08-12' description: Sqlite3 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: sqlite3 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml b/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml index fc1c2bf42..0aa5d03af 100644 --- a/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml +++ b/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml @@ -3,9 +3,15 @@ id: cc9b2662-efc9-11eb-926b-550bf0943fbb date: '2021-07-23' description: Privilege elevation abuse by bypassing uac windows feature environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1548/uac_bypass/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/ +directory: uac_bypass +mitre_technique: +- T1548 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml index 5d903b2c2..b441cbe4a 100644 --- a/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,11 @@ date: '2020-10-08' description: Manual generation of attack data including pass the hash attack with mimikatz and psexec. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1550/002/ -- https://attack.stealthbits.com/pass-the-hash-attack-explained +directory: atomic_red_team +mitre_technique: +- T1550.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data.yml b/datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data_old.yml similarity index 100% rename from datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data.yml rename to datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data_old.yml diff --git a/datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml b/datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml new file mode 100644 index 000000000..c3c77820b --- /dev/null +++ b/datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml @@ -0,0 +1,13 @@ +author: Mauricio Velazco +id: d0a6ab5b-6ff2-4e12-b854-296fdd8d0c9b +date: '2022-01-24' +description: Pass the ticket attack using mimikatz. +environment: attack_range +directory: mimikatz +mitre_technique: +- T1550.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml b/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml deleted file mode 100644 index 25b2da4ed..000000000 --- a/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Mauricio Velazco -id: d0a6ab5b-6ff2-4e12-b854-296fdd8d0c9b -date: '2022-01-24' -description: Pass the ticket attack using mimikatz. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://www.tarlogic.com/blog/how-to-attack-kerberos/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml b/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml index 665c2a06d..1f7c27259 100644 --- a/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: e742e10c-835e-45e2-b3ef-ca9034ca60d5 date: '2022-02-01' -description: Pass the ticket attack using rubeus. +description: Pass the ticket attack using rubeus. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://www.tarlogic.com/blog/how-to-attack-kerberos/ \ No newline at end of file +directory: rubeus +mitre_technique: +- T1550.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550/impacket/impacket.yml b/datasets/attack_techniques/T1550/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1550/impacket/impacket.yml rename to datasets/attack_techniques/T1550/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml b/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml new file mode 100644 index 000000000..68f8aadf9 --- /dev/null +++ b/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 95fd0ecc-639e-41ff-b517-fadd88c9da97 +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_tgt_request_using_rc4_encryption +environment: attack_range +directory: kerberos_tgt_request_using_rc4_encryption +mitre_technique: +- T1550 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.yml b/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.yml rename to datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage_old.yml diff --git a/datasets/attack_techniques/T1550/rubeus/rubeus.yml b/datasets/attack_techniques/T1550/rubeus/rubeus.yml index 6d3ffa5db..7d46235c5 100644 --- a/datasets/attack_techniques/T1550/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1550/rubeus/rubeus.yml @@ -3,13 +3,11 @@ id: a26a4ec9-0d36-4e60-8775-c9d7bed4f71d date: '2022-03-09' description: Over pass the hash attack using Rubeus. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/GhostPack/Rubeus -- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a -- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ \ No newline at end of file +directory: rubeus +mitre_technique: +- T1550 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config.yml b/datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config.yml rename to datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config_old.yml diff --git a/datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage.yml b/datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage.yml rename to datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage_old.yml diff --git a/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml b/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml index bdc6a0351..d595b9acb 100644 --- a/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml +++ b/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml @@ -1,11 +1,14 @@ author: Mikael Bjerkeland id: 95aa5e13-2866-494e-a9da-e7cacffa5522 date: '2022-05-27' -description: Linux SSH authentication logs containing a password where the username is expected. +description: Linux SSH authentication logs containing a password where the username + is expected. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log -sourcetypes: -- linux_secure -references: -- https://attack.mitre.org/techniques/T1552/001 +directory: password_in_username +mitre_technique: +- T1552.001 +datasets: +- name: linux_secure + path: /datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml b/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml index dfe46655f..4ac841722 100644 --- a/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml +++ b/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml @@ -1,11 +1,13 @@ author: Teoderick Contreras id: 6458a36b-ed61-4a99-8e75-1da62434adac date: '2021-09-06' -description: Simulated datasets for creation of autoadminlogon entry in registry - name. +description: Simulated datasets for creation of autoadminlogon entry in registry name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: autoadminlogon +mitre_technique: +- T1552.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml b/datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml rename to datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml index c2b327ad2..22afeacb4 100644 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml @@ -3,9 +3,15 @@ id: c188ccb2-efa0-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find gpg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_find_gpg +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml index 6bb190525..7f0831d2a 100644 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml @@ -3,9 +3,15 @@ id: 90026cbe-ef98-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find ssh files in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_ssh_files +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_ssh + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_ssh_files + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml index 6734d9c5a..661ee9650 100644 --- a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml +++ b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml @@ -3,13 +3,15 @@ id: 50f6c117-ff07-46d8-88fd-cc38515187f1 date: '2023-03-17' description: Manually executed findstr attempt to find retrieve GPP credentials. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1552 -- https://attack.mitre.org/techniques/T1552/006/ -- https://pentestlab.blog/2017/03/20/group-policy-preferences/ \ No newline at end of file +directory: findstr_gpp_discovery +mitre_technique: +- T1552.006 +datasets: +- name: windows-4688 + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery.yml b/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery.yml rename to datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery_old.yml diff --git a/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.yml b/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.yml rename to datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret_old.yml diff --git a/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml b/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml index 84a0978b3..c8180e221 100644 --- a/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml +++ b/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml @@ -1 +1,17 @@ -aws_getpassworddata \ No newline at end of file +author: Generated by dataset_analyzer.py +id: 5a01d722-30cb-4138-9311-e53f76912938 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_getpassworddata +environment: attack_range +directory: aws_getpassworddata +mitre_technique: +- T1552 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access.yml b/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access_old.yml similarity index 100% rename from datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access.yml rename to datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access_old.yml diff --git a/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation.yml b/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_old.yml similarity index 100% rename from datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation.yml rename to datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_old.yml diff --git a/datasets/attack_techniques/T1553.003/sip/sip.yml b/datasets/attack_techniques/T1553.003/sip/sip.yml index ed8c94376..b9e763f7c 100644 --- a/datasets/attack_techniques/T1553.003/sip/sip.yml +++ b/datasets/attack_techniques/T1553.003/sip/sip.yml @@ -1,17 +1,13 @@ author: Michael Haag, Splunk id: 579f138c-67a8-11ee-8c99-0242ac120002 date: '2023-10-10' -description: 'Manual testing of adding a SIP provider to the registry' +description: Manual testing of adding a SIP provider to the registry environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- XmlWinEventLog -- PwSh:SubjectInterfacePackage -references: -- https://attack.mitre.org/techniques/T1553/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md +directory: sip +mitre_technique: +- T1553.003 +datasets: +- name: sip_windows-sysmon + path: /datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml index 98a7ca3f7..fd5e4a802 100644 --- a/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml @@ -5,16 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1553.004-4 Ins root CA on Windows Successful Execution of test T1553.004-5 Install root CA on Windows with certutil ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1553/004/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md +directory: atomic_red_team +mitre_technique: +- T1553.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass.yml b/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass_old.yml similarity index 100% rename from datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass.yml rename to datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass_old.yml diff --git a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml index 748cd8f23..976066e8a 100644 --- a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml +++ b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml @@ -1,13 +1,13 @@ author: Michael Haag -id: 4f9b2623-abd5-11eb-926b-120zf0943f22 +id: ebbe603c-a8e9-4d36-8c73-3bda679b4280 date: '2023-06-22' description: Detection of unsigned MSIX package installation using PowerShell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1553.005/msix_unsigned/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1553/005 -- https://redcanary.com/blog/threat-intelligence/msix-installers/ -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_unsigned +mitre_technique: +- T1553.005 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1553.005/msix_unsigned/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.yml b/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job_old.yml similarity index 100% rename from datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.yml rename to datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job_old.yml diff --git a/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.yml b/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step_old.yml similarity index 100% rename from datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.yml rename to datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step_old.yml diff --git a/datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp.yml b/datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp_old.yml similarity index 100% rename from datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp.yml rename to datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp_old.yml diff --git a/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds.yml b/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds_old.yml similarity index 100% rename from datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds.yml rename to datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds_old.yml diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml index 5dba62138..e34b8797f 100644 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml @@ -3,9 +3,15 @@ id: 00d8d032-ef98-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find credentials in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_credentials +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_find_creds + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_credentials + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml index dce9950ff..6175b79a6 100644 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml @@ -3,9 +3,15 @@ id: 465abfd6-ef97-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find password db in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_password_db +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_pwd_mgr + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_password_db + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials.yml b/datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials.yml rename to datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials_old.yml diff --git a/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml b/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml rename to datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store_old.yml diff --git a/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml b/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml rename to datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store_old.yml diff --git a/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml b/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml new file mode 100644 index 000000000..a24f85439 --- /dev/null +++ b/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b195cbca-2297-4bfd-998d-c3a4081cb0ca +date: '2025-08-12' +description: Automatically categorized datasets in directory non_chrome_process_accessing_chrome_default_dir +environment: attack_range +directory: non_chrome_process_accessing_chrome_default_dir +mitre_technique: +- T1555 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml b/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml index 90f4a1d19..74a7d0db3 100644 --- a/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml +++ b/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: c3e68b5e-babb-4ef1-b835-62de0b025006 date: '2021-11-22' -description: 'simulated brwser pass view application used by remcos in attackrange' +description: simulated brwser pass view application used by remcos in attackrange environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: web_browser_pass_view +mitre_technique: +- T1555 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml index caf02930b..80d8f9ed7 100644 --- a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml @@ -1,11 +1,13 @@ author: Michael Haag, Splunk -id: an9b2653-efc1-11eb-926b-550bf0943fbb +id: deab3766-be55-4bc3-8b9a-2ab47d84d1d2 date: '2022-03-30' description: Atomic testing with T1553.005 related to lnk and iso. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1558/001 +directory: atomic_red_team +mitre_technique: +- T1556.001 +datasets: +- name: iso_windows-sysmon + path: /datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml index 3108607e0..128832e36 100644 --- a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml +++ b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml @@ -2,14 +2,12 @@ author: Bhavin Patel id: ff860c11-881f-4d35-a9a9-83b3f311f171 date: '2023-05-22' description: Registed new MFA methods for an AWS Account -environment: AWS Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://attack.mitre.org/techniques/T1535/ +environment: attack_range +directory: aws_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml index 0977f6b77..0f7aa321c 100644 --- a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml +++ b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml @@ -2,13 +2,12 @@ author: Mauricio Velazco id: ff860c21-881f-4d35-a9a9-83b3f38bf171 date: '2023-01-30' description: Registed new MFA methods for an Azure AD account -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/techniques/T1556/006/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: azure_ad_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml index d0c8231d3..7cb8a195c 100644 --- a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml +++ b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: b582f8e4-283c-4b96-b64d-7723c540ff5e date: '2024-03-11' description: Using the Okta admin portal, disabled MFA for a user. -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/techniques/T1556/006/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: okta_mfa_method_disabled +mitre_technique: +- T1556.006 +datasets: +- name: okta_mfa_method_disabled + path: /datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1556/azuread/azuread.yml b/datasets/attack_techniques/T1556/azuread/azuread.yml index 80fd66626..60fa2e3b5 100644 --- a/datasets/attack_techniques/T1556/azuread/azuread.yml +++ b/datasets/attack_techniques/T1556/azuread/azuread.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: b0db79c9-1e82-4a32-9f69-998dc33508a8 date: '2022-08-15' description: Logs on disabling the MFA for a user -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: azuread +mitre_technique: +- T1556 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1556/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml index 9934f8881..64b9d30e5 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 01167925-4c70-4c62-a850-54c3da8ed54e date: '2025-07-10' -description: 'Deleted multiple policies in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Deleted multiple policies in Duo. +environment: attack_range +directory: cisco_duo_bulk_policy_deletion +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml index b4c51c368..5c1fe45d1 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 27cc5ad7-1afd-4409-863e-9fac6f4cf941 date: '2025-07-08' -description: 'Changed the setting for a user to allow them to bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json -sourcetypes: -- cisco:duo:activity -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Changed the setting for a user to allow them to bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml index f76903594..24fd522c6 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 876dbd42-57bb-40dc-a61f-269b6b6f6a4a date: '2025-07-08' -description: 'Generate a bypass code for a user in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Generate a bypass code for a user in Duo. +environment: attack_range +directory: cisco_duo_bypass_code +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml index 065d52878..5194dde9a 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 61a63676-89fe-4c8a-aa62-f0cf0e917837 date: '2025-07-10' -description: 'Created a policy which allows devices without screen lock in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows devices without screen lock in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_devices_without_screen_lock +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml index e9e870c09..a956feb72 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: db6c74e0-aaac-4bd2-b557-d2327746d105 date: '2025-07-09' -description: 'Created a policy which allow network bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allow network bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_network_bypass_2fa +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml index 03f465fb2..d15e62040 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: ed19ab1d-7610-4e8c-89a9-8c82ff450bb0 date: '2025-07-09' -description: 'Created a policy which allow old Flash and Java versions in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allow old Flash and Java versions in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_old_flash_and_java +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml index d3a55b959..4f333f8fe 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: b8be207e-3693-4653-aecf-a26dba43c5cc date: '2025-07-10' -description: 'Created a policy which allows tampered devices in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows tampered devices in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_tampered_devices +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml index 153f08a31..7214f530a 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 6aa8cb0c-fde5-4c1f-abc6-45aba2142277 date: '2025-07-08' -description: 'Created a policy which allows bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_policy_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml index 3276c7fc3..b04bc9352 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: bf1b3ff6-c06c-4782-8949-8f3dfc7557c2 date: '2025-07-08' -description: 'Created a policy which allows bypass 2FA in Duo for users in other countries.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows bypass 2FA in Duo for users in other countries. +environment: attack_range +directory: cisco_duo_policy_bypass_2FA_other_countries +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml index 01a64ca68..aded80a84 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 4cad132f-5b35-4397-8a0a-4566272264ed date: '2025-07-08' -description: 'Created a policy which denies access in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which denies access in Duo. +environment: attack_range +directory: cisco_duo_policy_deny_access +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml index 9fb62aa09..c0c46365d 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 8bb65e4d-656a-40a8-a8be-0f3735f4a9e5 date: '2025-07-10' -description: 'Logged in as an admin from an unusual location.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json -sourcetypes: -- cisco:duo:activity -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Logged in as an admin from an unusual location. +environment: attack_range +directory: cisco_duo_unusual_admin_login +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml b/datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml new file mode 100644 index 000000000..97c2a5bc1 --- /dev/null +++ b/datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml @@ -0,0 +1,14 @@ +author: Dean Luxton +id: 3c82c945-1a1f-47c7-86ed-f74ba444767f +date: '2022-08-23' +description: Deleteing the credential guard reg keys to disable credential guard on + a windows host. +environment: attack_range +directory: disable_credential_guard +mitre_technique: +- T1556 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1556/disable_credential_guard/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml b/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml deleted file mode 100644 index 61088f0fd..000000000 --- a/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Dean Luxton -id: 3c82c945-1a1f-47c7-86ed-f74ba444767f -date: '2022-08-23' -description: Deleteing the credential guard reg keys to disable credential guard on a windows host. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_credential_guard/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage -- https://teamhydra.blog/2020/08/25/bypassing-credential-guard - diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml b/datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml new file mode 100644 index 000000000..364da443c --- /dev/null +++ b/datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml @@ -0,0 +1,13 @@ +author: Dean Luxton +id: 8de764d7-2723-4ed0-bd65-1990c2cd9347 +date: '2022-08-23' +description: Disabling LSA Protection by deleting registry keys. +environment: attack_range +directory: disable_lsa_protection +mitre_technique: +- T1556 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml b/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml deleted file mode 100644 index b9d1f4042..000000000 --- a/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Dean Luxton -id: 8de764d7-2723-4ed0-bd65-1990c2cd9347 -date: '2022-08-23' -description: Disabling LSA Protection by deleting registry keys. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection -- https://itm4n.github.io/lsass-runasppl/ -- https://attack.mitre.org/techniques/T1556 diff --git a/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml b/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml index 1a18b1ecc..b95a4ad5e 100644 --- a/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml +++ b/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 0d1788e7-075f-4777-bdc4-f782e1dc4d4e date: '2022-10-13' -description: Logs generated by manually disabling second factor authentication for a GWS user. -environment: Google Workspace Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log -sourcetypes: -- gws:reports:admin -references: -- https://support.google.com/a/answer/175197?hl=en -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/tactics/TA0005/ +description: Logs generated by manually disabling second factor authentication for + a GWS user. +environment: attack_range +directory: gcp_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: gws_admin + path: /datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml b/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml index 3b2942445..5a6cb7e57 100644 --- a/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml +++ b/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml @@ -3,10 +3,11 @@ id: cc9b25d1-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Disbale mfa for user in Office 365. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1556 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: o365_disable_mfa-json + path: /datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml b/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml index f6911ec45..585974801 100644 --- a/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml +++ b/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml @@ -2,10 +2,16 @@ author: Patrick Bareiss id: cc9b25d0-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Multiple failed sso logins to O365 -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_sso_logon_errors +mitre_technique: +- T1556 +datasets: +- name: o365_sso_logon_errors2-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json + sourcetype: o365:management:activity + source: o365 +- name: o365_sso_logon_errors-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml b/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml index e5b4afc4b..172228fc6 100644 --- a/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml +++ b/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml @@ -1,11 +1,13 @@ author: Bhavin Patel id: 6a21e46e-d759-11e0-bbd6-932611ee0111 date: '2024-03-05' -description: 'Manually generated multple IDP changes in the OKTA tenant' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Manually generated multple IDP changes in the OKTA tenant +environment: attack_range +directory: okta_idp +mitre_technique: +- T1556 +datasets: +- name: okta + path: /datasets/attack_techniques/T1556/okta_idp/okta.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios.yml b/datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios_old.yml similarity index 100% rename from datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios.yml rename to datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios_old.yml diff --git a/datasets/attack_techniques/T1558.001/impacket/impacket.yml b/datasets/attack_techniques/T1558.001/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.001/impacket/impacket.yml rename to datasets/attack_techniques/T1558.001/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml b/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml new file mode 100644 index 000000000..33bd216c0 --- /dev/null +++ b/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3ac4ee14-73a9-403e-92c8-75fa97aae21f +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_service_ticket_request_using_rc4_encryption +environment: attack_range +directory: kerberos_service_ticket_request_using_rc4_encryption +mitre_technique: +- T1558.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.002/impacket/impacket.yml b/datasets/attack_techniques/T1558.002/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.002/impacket/impacket.yml rename to datasets/attack_techniques/T1558.002/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml index 4e774559c..4c405ceae 100644 --- a/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,15 @@ date: '2020-10-08' description: Manual kerberoasting attack with mimikatz. Changed the kerberos encryption type to RC4. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting +directory: atomic_red_team +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_setspn + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml b/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml new file mode 100644 index 000000000..b76b6dd10 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ebe1692b-a442-49b0-b092-1263aef5a82b +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberoasting_spn_request_with_rc4_encryption +environment: attack_range +directory: kerberoasting_spn_request_with_rc4_encryption +mitre_technique: +- T1558.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml b/datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml new file mode 100644 index 000000000..a95a112c0 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml @@ -0,0 +1,14 @@ +author: Gowthamaraj rajendran +id: 53fefaf9-134b-4b74-be5e-041ca28ec967 +date: '2022-06-23' +description: Using PowerView manually to get SPN accounts using Get-DomainUser or + Get-NetUser +environment: attack_range +directory: powerview-2 +mitre_technique: +- T1558.003 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml b/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml deleted file mode 100644 index 403f6cd7b..000000000 --- a/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Gowthamaraj rajendran -id: 53fefaf9-134b-4b74-be5e-041ca28ec967 -date: '2022-06-23' -description: 'Using PowerView manually to get SPN accounts using Get-DomainUser or Get-NetUser' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 diff --git a/datasets/attack_techniques/T1558.003/powerview/powerview.yml b/datasets/attack_techniques/T1558.003/powerview/powerview.yml index 2824a9fd2..a8a22131b 100644 --- a/datasets/attack_techniques/T1558.003/powerview/powerview.yml +++ b/datasets/attack_techniques/T1558.003/powerview/powerview.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 87715e15-e2ad-4d63-910c-38f2a017601c date: '2022-06-22' -description: 'Using PowerView manually to obtain a Kerberos service ticket using Get-DomainSPNTicket' +description: Using PowerView manually to obtain a Kerberos service ticket using Get-DomainSPNTicket environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 +directory: powerview +mitre_technique: +- T1558.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml b/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml index 3df1e0af3..834c8bfa7 100644 --- a/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 5c49aefd-bc2a-4af3-94b5-6f8c16be3c70 date: '2022-02-11' -description: Manual kerberoasting attack with Rubeus. Created 30 service accounts with SPNs. +description: Manual kerberoasting attack with Rubeus. Created 30 service accounts + with SPNs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/GhostPack/Rubeus +directory: rubeus +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml b/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml new file mode 100644 index 000000000..201959e45 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e49e0fe4-28b7-42b1-b1be-ed5e32e888f8 +date: '2025-08-12' +description: Automatically categorized datasets in directory unusual_number_of_kerberos_service_tickets_requested +environment: attack_range +directory: unusual_number_of_kerberos_service_tickets_requested +mitre_technique: +- T1558.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.004/getaduser/getaduser.yml b/datasets/attack_techniques/T1558.004/getaduser/getaduser_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.004/getaduser/getaduser.yml rename to datasets/attack_techniques/T1558.004/getaduser/getaduser_old.yml diff --git a/datasets/attack_techniques/T1558.004/powershell/powershell.yml b/datasets/attack_techniques/T1558.004/powershell/powershell.yml index e6a93933c..7cb9ded39 100644 --- a/datasets/attack_techniques/T1558.004/powershell/powershell.yml +++ b/datasets/attack_techniques/T1558.004/powershell/powershell.yml @@ -1,14 +1,18 @@ author: Mauricio Velazco id: 1f409a75-25d7-4ac6-99d1-27ae0bca0f4a date: '2022-02-22' -description: Using PowerShell to manually update the Kerberos Pre Authentication flag on a domain account using Set-ADAccountControl. +description: Using PowerShell to manually update the Kerberos Pre Authentication flag + on a domain account using Set-ADAccountControl. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1558/004 -- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ +directory: powershell +mitre_technique: +- T1558.004 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.004/powerview/powerview.yml b/datasets/attack_techniques/T1558.004/powerview/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.004/powerview/powerview.yml rename to datasets/attack_techniques/T1558.004/powerview/powerview_old.yml diff --git a/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml b/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml index 216aa2d97..4d0177253 100644 --- a/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml +++ b/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml @@ -3,12 +3,11 @@ id: be469518-9d2d-4ebb-b839-12683cd18a7c date: '2023-10-05' description: Manual simulation of the diamond ticket attack using rubeus and mimikatz. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/sysmon.log -sourcetypes: -- XmlWinEventLog -references: -- https://trustedsec.com/blog/a-diamond-in-the-ruff -- https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks -- https://github.com/GhostPack/Rubeus/pull/136 +directory: diamond_ticket +mitre_technique: +- T1558 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1558/diamond_ticket/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.yml b/datasets/attack_techniques/T1558/krbrelayup/krbrelayup_old.yml similarity index 100% rename from datasets/attack_techniques/T1558/krbrelayup/krbrelayup.yml rename to datasets/attack_techniques/T1558/krbrelayup/krbrelayup_old.yml diff --git a/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml new file mode 100644 index 000000000..8af257156 --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 37bab6dd-de37-411e-8043-25a0f26bbec6 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_created_by_computer_account +environment: attack_range +directory: windows_computer_account_created_by_computer_account +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml new file mode 100644 index 000000000..8bc9cfeec --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 372ef4e6-0cbb-4e17-836f-7627ecd09e92 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_requesting_kerberos_ticket +environment: attack_range +directory: windows_computer_account_requesting_kerberos_ticket +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml new file mode 100644 index 000000000..878b4b0db --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 07d678dd-1431-448c-8ab0-162d8b1d864a +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_with_spn +environment: attack_range +directory: windows_computer_account_with_spn +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_with_spn/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml b/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml new file mode 100644 index 000000000..70b55a865 --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 44b3de11-5b5e-41fb-9ef8-8613d271e73d +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_kerberos_local_successful_logon +environment: attack_range +directory: windows_kerberos_local_successful_logon +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe.yml b/datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe_old.yml similarity index 100% rename from datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe.yml rename to datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe_old.yml diff --git a/datasets/attack_techniques/T1560.001/archive_tools/archive_tools.yml b/datasets/attack_techniques/T1560.001/archive_tools/archive_tools_old.yml similarity index 100% rename from datasets/attack_techniques/T1560.001/archive_tools/archive_tools.yml rename to datasets/attack_techniques/T1560.001/archive_tools/archive_tools_old.yml diff --git a/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml b/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml index 59972629e..d2eda3cac 100644 --- a/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml +++ b/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml @@ -4,11 +4,11 @@ date: '2021-04-22' description: The following data was generated with Cobalt Strike spawning 7z.exe to archive files on disk. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1560/001/ -- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ -- https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ +directory: archive_utility +mitre_technique: +- T1560.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml b/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate_old.yml similarity index 100% rename from datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml rename to datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate_old.yml diff --git a/datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir.yml b/datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir_old.yml similarity index 100% rename from datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir.yml rename to datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir_old.yml diff --git a/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.yml b/datasets/attack_techniques/T1560/powershell_archive/powershell_archive_old.yml similarity index 100% rename from datasets/attack_techniques/T1560/powershell_archive/powershell_archive.yml rename to datasets/attack_techniques/T1560/powershell_archive/powershell_archive_old.yml diff --git a/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml b/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml index 4cad2f77d..667be8ddd 100644 --- a/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml +++ b/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml @@ -3,9 +3,11 @@ id: 5d8ecae2-90ab-11ec-995c-acde48001122 date: '2022-02-18' description: Generated datasets for mbr raw access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html \ No newline at end of file +directory: mbr_raw_access +mitre_technique: +- T1561.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml index d89d61135..25727b752 100644 --- a/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml @@ -18,20 +18,27 @@ description: 'Atomic Test Results: Return value unclear for test T1562.001-9 Unl Defender Evade Scanning -Extension Return value unclear for test T1562.001-23 Tamper with Windows Defender Evade Scanning -Process ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1562_001.yml +directory: atomic_red_team +mitre_technique: +- T1562.001 +datasets: +- name: hvci_windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_raccine + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: Disable-WindowsOptionalFeature-powershell + path: /datasets/attack_techniques/T1562.001/atomic_red_team/Disable-WindowsOptionalFeature-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon_dism + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering.yml b/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering.yml rename to datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering_old.yml diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml rename to datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog_old.yml diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell.yml rename to datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell_old.yml diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml index 2c3b2bddf..62d100a74 100644 --- a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml +++ b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml @@ -3,9 +3,11 @@ id: 4e425836-4de1-11ec-9b72-acde48001122 date: '2021-11-25' description: Generated datasets for defender exclusion sysmon in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/ \ No newline at end of file +directory: defender_exclusion_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml index c70e7a9eb..e8d294c17 100644 --- a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml +++ b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml @@ -3,9 +3,11 @@ id: d3a715a6-e64e-11ec-990a-acde48001122 date: '2022-06-07' description: Generated datasets for delete win defender context menu in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ \ No newline at end of file +directory: delete_win_defender_context_menu +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml index 49426d333..9d4bb8fbf 100644 --- a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml +++ b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml @@ -3,10 +3,12 @@ id: b8954128-7be5-4e5a-94eb-66632e6c468c date: '2024-01-08' description: Generated datasets for disable-windows-security-defender-features in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/undergroundwires/privacy.sexy +environment: attack_range +directory: disable-windows-security-defender-features +mitre_technique: +- T1562.001 +datasets: +- name: windefender-bypas-2-sysmon + path: /datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml b/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml index d8e41589c..f4abeeba7 100644 --- a/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml +++ b/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml @@ -3,9 +3,11 @@ id: 6833fabc-e646-11ec-995a-acde48001122 date: '2022-06-07' description: Generated datasets for disable defender logging in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ \ No newline at end of file +directory: disable_defender_logging +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml rename to datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog_old.yml diff --git a/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml b/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml index 5b5a0377f..eaf8c9f39 100644 --- a/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml +++ b/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml @@ -1,11 +1,13 @@ author: Dean Luxton id: 4ac4ac49-6718-4cd8-8939-6dddead1fdf4 date: '2023-01-26' -description: Manually disabling group policy objects on a Domain Controller. +description: Manually disabling group policy objects on a Domain Controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1562/001 +directory: disable_gpo +mitre_technique: +- T1562.001 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml b/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml new file mode 100644 index 000000000..8215116df --- /dev/null +++ b/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ecce8ed2-9f39-4ff9-9179-e2e3c749be92 +date: '2025-08-12' +description: Automatically categorized datasets in directory hotkey_disabled_hidden_user +environment: attack_range +directory: hotkey_disabled_hidden_user +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml b/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml new file mode 100644 index 000000000..725e00f7c --- /dev/null +++ b/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5c7963bf-5ccd-4d7c-9e74-1472a8c3f5ea +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_windows_defender_exclusion_commands +environment: attack_range +directory: powershell_windows_defender_exclusion_commands +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml index ab4a29be9..ce39694a4 100644 --- a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml +++ b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml @@ -3,10 +3,11 @@ id: cc9b2665-efc9-11eb-926b-550bf0943fbb date: '2021-07-05' description: Stopped win-defender application using powershell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: pwh_defender_disabling +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh.yml b/datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh.yml rename to datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh_old.yml diff --git a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml index 8b055f716..567050e08 100644 --- a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml +++ b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml @@ -1,15 +1,16 @@ author: Michael Hart +id: 40be2ce2-01a0-4210-8733-2e0b9e466df5 date: '2020-06-23' -description: 'This dataset contains observed behaviors in one of our honeypots. - It appears that the malware used sc.exe to disable various services from - starting. The sheer volume and frequency of calls is excessive, something not - typically observed in the normal course of operation on windows.' +description: This dataset contains observed behaviors in one of our honeypots. It + appears that the malware used sc.exe to disable various services from starting. The + sheer volume and frequency of calls is excessive, something not typically observed + in the normal course of operation on windows. environment: attack_range -technique: +directory: sc_service_start_disabled +mitre_technique: - T1562.001 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log -references: -- https://attack.mitre.org/techniques/T1562/001 -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/taskkill/taskkill.yml b/datasets/attack_techniques/T1562.001/taskkill/taskkill_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/taskkill/taskkill.yml rename to datasets/attack_techniques/T1562.001/taskkill/taskkill_old.yml diff --git a/datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser.yml b/datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser.yml rename to datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser_old.yml diff --git a/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml b/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml index 112dc6dab..6407fbbd1 100644 --- a/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml +++ b/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml @@ -1,13 +1,14 @@ author: Bhavin Patel id: cc9b2664-efc9-11eb-926b-550bf0943fbb date: '2022-06-01' -description: 'Unload Sysmon Filter Driver - usage of process fltMC.exe to unload a Sysmon Driver that will stop sysmon from collecting the data.' +description: Unload Sysmon Filter Driver - usage of process fltMC.exe to unload a + Sysmon Driver that will stop sysmon from collecting the data. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -- https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver +directory: unload_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml b/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml new file mode 100644 index 000000000..e6914921e --- /dev/null +++ b/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 00860277-5bb2-4d92-b5c8-cb1693610ec0 +date: '2025-08-12' +description: Automatically categorized datasets in directory win_app_defender_disabling +environment: attack_range +directory: win_app_defender_disabling +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml b/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml index 517187fb1..2e10f256d 100644 --- a/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml +++ b/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml @@ -3,16 +3,11 @@ id: cc9b2666-efc9-11eb-926b-550bf0943fbb date: '2020-11-06' description: Stopped windefend service with sc.exe stop windefend environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: win_defend_service_stop +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml b/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml new file mode 100644 index 000000000..37f451df8 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1aa70841-03ef-421a-84cc-7bedfeddf5bc +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_excessive_disabled_services_event +environment: attack_range +directory: windows_excessive_disabled_services_event +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml b/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml index a052de7de..1da3bebab 100644 --- a/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml +++ b/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml @@ -1,16 +1,15 @@ author: Nasreddine Bencherchali, Splunk id: f853dd76-9ea6-4957-b3c0-c2ca2517c35c date: '2025-01-27' -description: This dataset contains Process Creation and policy change logs set logs from Windows Sysmon and Security, related to abuse of auditpol to change, remove and clear the audit policy. +description: This dataset contains Process Creation and policy change logs set logs + from Windows Sysmon and Security, related to abuse of auditpol to change, remove + and clear the audit policy. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_security.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -- 'XmlWinEventLog:Security' -references: -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-remove -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-set -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-clear -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-resourcesacl +directory: auditpol_tampering +mitre_technique: +- T1562.002 +datasets: +- name: auditpol_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml index 3025dcf4b..38904a9e6 100644 --- a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml +++ b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: c3d46f0d-4223-437f-96e3-7ed9636198c7 date: '2024-12-06' -description: This dataset contains registry set logs from Windows Sysmon logs related to modification of the ChannelAccess and CustomSD registry values. +description: This dataset contains registry set logs from Windows Sysmon logs related + to modification of the ChannelAccess and CustomSD registry values. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy -- https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness +directory: eventlog_sddl_tampering +mitre_technique: +- T1562.002 +datasets: +- name: eventlog_sddl_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml index db546b466..9dd1e71c7 100644 --- a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml +++ b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml @@ -3,9 +3,11 @@ id: 1ca23917-04c2-41db-b31b-702bcd728737 date: '2025-07-08' description: 'Sample of ESXi syslog events showing tampering of audit settings.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_audit_tampering +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml index fe658dec0..aeebff2a7 100644 --- a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml +++ b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml @@ -3,9 +3,11 @@ id: 125f03ca-3a22-4bf7-bb02-4abd338b326e date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to modify the loghost configuration.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_loghost_config_tampering +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml index b0ca5dff3..6f68cf204 100644 --- a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml +++ b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml @@ -3,9 +3,11 @@ id: c012bd08-cbdb-49b6-9a0d-acd51b1f1cca date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to modify the syslog configuration.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_syslog_config +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml index fdfa2fed3..a1840fdaf 100644 --- a/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,11 @@ id: cc9b261c-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: atomic red team execution of technique T1562.004 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/004/ -- https://github.com/redcanaryco/atomic-red-team/blob/de05b1a73dc0edfe23d7c0b606744078496056cb/atomics/T1562.004/T1562.004.md +directory: atomic_red_team +mitre_technique: +- T1562.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml index 4cc5936b1..4580e1feb 100644 --- a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml +++ b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml @@ -3,9 +3,11 @@ id: 39edc074-9898-4de9-8296-45c51b7e18dd date: '2025-07-08' description: 'Sample of ESXi syslog events showing attempts to disable the firewall.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/004 +directory: esxi_firewall_disabled +mitre_technique: +- T1562.004 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml index 615caf46a..f4186e232 100644 --- a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml +++ b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml @@ -3,9 +3,11 @@ id: f7eb4f16-5a20-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd disable firewall in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_disable_firewall +mitre_technique: +- T1562.004 +datasets: +- name: linux_auditd_disable_firewall + path: /datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml index 94d1a10dd..e1c622b76 100644 --- a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml +++ b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml @@ -2,10 +2,16 @@ author: Teoderick Contreras, Splunk id: 5fd828a1-728d-4f17-adba-3e5e43ab290d date: '2023-12-12' description: Generated datasets for njrat add firewall rule in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html +environment: attack_range +directory: njrat_add_firewall_rule +mitre_technique: +- T1562.004 +datasets: +- name: njrat_firewall_security + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: njrat_firewall_sysmon + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml index 1736e19b6..d1f8f3ec2 100644 --- a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml +++ b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: dc0fb123-86a8-4fbc-a4aa-81ffc6346852 date: '2023-09-08' description: Generated datasets for njrat delete firewall in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat +environment: attack_range +directory: njrat_delete_firewall +mitre_technique: +- T1562.004 +datasets: +- name: njrat_delete_firewall + path: /datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.yml b/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.yml rename to datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass_old.yml diff --git a/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml b/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml index 2e172fa5b..9bc03811d 100644 --- a/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml +++ b/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml @@ -4,9 +4,15 @@ date: '2021-01-12' description: Dataset which contains cloudtrail logs and the creation of a acl with all ports open. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/007/ +directory: aws_create_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml b/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml index 5a4b6247e..e08c66731 100644 --- a/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml +++ b/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml @@ -3,9 +3,15 @@ id: cc9b2605-efc9-11eb-926b-550bf0943fbb date: '2021-01-12' description: Dataset which contains cloudtrail logs and the deletion of a acl rule. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/007/ +directory: aws_delete_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml index 880e52a41..c10a2d588 100644 --- a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml +++ b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml @@ -4,10 +4,11 @@ date: '2021-01-12' description: Dataset containing activity from O365 when IP addresses are added to Trusted IP list such that the attackers can bypass MFA environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json -sourcetypes: -- o365:management:activity -references: -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf -- https://attack.mitre.org/techniques/T1562/007/ +directory: o365_bypass_mfa_via_trusted_ip +mitre_technique: +- T1562.007 +datasets: +- name: o365_bypass_mfa_via_trusted_ip-json + path: /datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml rename to datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails_old.yml diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml rename to datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging_old.yml diff --git a/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml b/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml index 9913d4e6c..08343aa59 100644 --- a/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml +++ b/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml @@ -1,14 +1,18 @@ author: Bhavin Patel, Splunk id: 31c58b11-66d9-4dfb-a614-3843d111e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events with a deletes of AWS Services like CloudWatch, Guardduy, Web Application Firewalls. +description: Dataset which contains cloudtrail events with a deletes of AWS Services + like CloudWatch, Guardduy, Web Application Firewalls. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ \ No newline at end of file +directory: aws_delete_security_services +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml index 9c5b0508a..7a2fa4d4a 100644 --- a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml +++ b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml @@ -1,14 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: 31c58bb8-66d9-4dfb-a614-3843d071e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events when a cloudwatch log group is deleted. +description: Dataset which contains cloudtrail events when a cloudwatch log group + is deleted. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: delete_cloudwatch_log_group +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml index 44960b787..b34a56142 100644 --- a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml +++ b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco, Splunk id: 77abf938-1722-4b41-82c1-996db1c5214f date: '2023-09-19' -description: 'Manually disabled advanced audit logging for one user in O365. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1562/008/ -- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf -- https://learn.microsoft.com/en-us/purview/audit-premium \ No newline at end of file +description: Manually disabled advanced audit logging for one user in O365. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: o365_advanced_audit_disabled +mitre_technique: +- T1562.008 +datasets: +- name: o365_advanced_audit_disabled + path: /datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml index 431208eba..0168c1aa9 100644 --- a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml +++ b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml @@ -1,11 +1,18 @@ author: Bhavin Patel, Splunk id: 31c58bb8-66d9-4dfb-a614-3843d111e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events with a new lifecycle rule on an S3 bucket +description: Dataset which contains cloudtrail events with a new lifecycle rule on + an S3 bucket environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/008/ \ No newline at end of file +directory: put_bucketlifecycle +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml index 05b5d9c64..20d0a8d4f 100644 --- a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml +++ b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml @@ -1,15 +1,22 @@ author: Bhavin Patel id: cc9b2603-efc9-11eb-926b-55ddf0dd3fbb date: '2022-07-12' -description: Dataset which contains cloudtrail events when a cloudtrail is stopped from logging. This attack was simulated using status red team. +description: Dataset which contains cloudtrail events when a cloudtrail is stopped + from logging. This attack was simulated using status red team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: stop_delete_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail_2-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml b/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml index 454e1da9a..a6fb034c4 100644 --- a/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml +++ b/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml @@ -1,13 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: e95c46cb-7bd8-4824-a1da-3a559058dced date: '2022-07-19' -description: Dataset which contains cloudtrail events when a cloudwatch log group is updated. +description: Dataset which contains cloudtrail events when a cloudwatch log group + is updated. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: update_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml rename to datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end_old.yml diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml index 80d830e74..55b15ee62 100644 --- a/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml +++ b/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml @@ -3,9 +3,11 @@ id: cb20a2e8-45d3-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for auditd daemon type in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log -sourcetypes: -- 'auditd' -references: -- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types \ No newline at end of file +directory: auditd_daemon_type +mitre_technique: +- T1562.012 +datasets: +- name: linux_auditd_daemon + path: /datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562/applocker/applocker.yml b/datasets/attack_techniques/T1562/applocker/applocker_old.yml similarity index 100% rename from datasets/attack_techniques/T1562/applocker/applocker.yml rename to datasets/attack_techniques/T1562/applocker/applocker_old.yml diff --git a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml index 68fcdf3fa..0ab441ad9 100644 --- a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml +++ b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: de83d520-d6eb-44e9-a24e-8a863987ce8b date: '2023-10-26' -description: 'Used the PowerShell AzureAD Module to disable risk-based step-up consent within an Azure AD tenant' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Used the PowerShell AzureAD Module to disable risk-based step-up consent + within an Azure AD tenant +environment: attack_range +directory: azuread_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: azuread_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall_old.yml similarity index 100% rename from datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml rename to datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall_old.yml diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml index 66eed2c50..1b87134bf 100644 --- a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml +++ b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml @@ -3,9 +3,11 @@ id: 05d39cf3-abd8-46e3-b775-88935c28fffc date: '2025-07-08' description: 'Sample of ESXi syslog events showing ESXi encryption settings being modified to impair defenses.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_encryption_modified +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml index 72887f93f..13fa2fa37 100644 --- a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml +++ b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml @@ -3,9 +3,11 @@ id: 98448462-9f32-47ef-ac24-844bb1c0f1c0 date: '2025-07-08' description: 'Sample of ESXi syslog events showing ESXi lockdown settings being modified to impair defenses.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_lockdown_disabled +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml index 1c4f027ef..f04b42ade 100644 --- a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml +++ b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: 2440ce36-e445-4b34-8591-12afd1f8c884 date: '2025-07-09' -description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels." +description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_vib_acceptance_level_tampering +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml index 29c798724..bdcb7c8b5 100644 --- a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml +++ b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: 31e03eb3-69a9-4072-990c-7e9e62866c20 date: '2023-10-26' -description: 'Used the PowerShell AzureAD Module to disable risk-based step-up consent within an O365 tenant' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Used the PowerShell AzureAD Module to disable risk-based step-up consent + within an O365 tenant +environment: attack_range +directory: o365_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: o365_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml b/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml index 0063f249f..3af0d1cfd 100644 --- a/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml +++ b/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml @@ -1,14 +1,17 @@ author: Michael Haag id: 04cbf4da-19b8-44b6-a143-a7cfe4d7f6ec date: '2023-03-29' -description: 'Atomic Testing of RDP Hijacking' +description: Atomic Testing of RDP Hijacking environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/remoteconnectionmanager.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1563.002 \ No newline at end of file +directory: rdphijack +mitre_technique: +- T1563.002 +datasets: +- name: tscon_windows-sysmon + path: /datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_tscon_windows-security + path: /datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml b/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml new file mode 100644 index 000000000..ad0815bb5 --- /dev/null +++ b/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9d629f1c-3bf1-4fc8-93ec-ff9cdd7d5a8e +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_rdp_connection_successful +environment: attack_range +directory: windows_rdp_connection_successful +mitre_technique: +- T1563.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager diff --git a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml index b7a527335..518fb31ec 100644 --- a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml +++ b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml @@ -3,9 +3,11 @@ id: 765100c0-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd hidden file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_hidden_file +mitre_technique: +- T1564.001 +datasets: +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1564.003/headless/headless.yml b/datasets/attack_techniques/T1564.003/headless/headless_old.yml similarity index 100% rename from datasets/attack_techniques/T1564.003/headless/headless.yml rename to datasets/attack_techniques/T1564.003/headless/headless_old.yml diff --git a/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml b/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml index 3ae3d7961..ef60fccb8 100644 --- a/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml +++ b/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml @@ -1,16 +1,13 @@ -author: Steven Dick -id: e18714c0-ab84-44f6-9117-5531e3eb3a0c -date: '2023-10-30' -description: 'Detection of common behaviors used to abouse NTFS alternate datastreams.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -- https://car.mitre.org/analytics/CAR-2020-08-001/ -- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams -- https://blog.netwrix.com/2022/12/16/alternate_data_stream/ -- https://twitter.com/0xrawsec/status/1002478725605273600?s=21 \ No newline at end of file +author: Steven Dick +id: e18714c0-ab84-44f6-9117-5531e3eb3a0c +date: '2023-10-30' +description: Detection of common behaviors used to abouse NTFS alternate datastreams. +environment: attack_range +directory: ads_abuse +mitre_technique: +- T1564.004 +datasets: +- name: ads_abuse_sysmon + path: /datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1564.008/o365/o365.yml b/datasets/attack_techniques/T1564.008/o365/o365.yml new file mode 100644 index 000000000..ac18c9b6a --- /dev/null +++ b/datasets/attack_techniques/T1564.008/o365/o365.yml @@ -0,0 +1,13 @@ +author: unknown +id: 54715c41-4283-44f7-a327-fbd230d83c60 +date: '2025-02-14' +description: Detection of suspicious mailbox rule creation. +environment: attack_range +directory: o365 +mitre_technique: +- T1564.008 +datasets: +- name: o365_suspicious_mailbox_rule + path: /datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml deleted file mode 100644 index 424cd4c7e..000000000 --- a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: 0xC0FFEEEE -id: 54715c41-4283-44f7-a327-fbd230d83c60 -date: '2025-02-14' -description: 'Detection of suspicious mailbox rule creation.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1564/008/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml b/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml index 7e62a79a8..307ae0c7e 100644 --- a/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml +++ b/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: fa0426d9-d19e-4430-8aab-f4b8d04a30fb date: '2024-12-06' -description: This dataset contains process execution logs from Windows Sysmon logs related to execution of sc.exe with the sdset flag. +description: This dataset contains process execution logs from Windows Sysmon logs + related to execution of sc.exe with the sdset flag. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1564/T1564.md#atomic-test-4---create-and-hide-a-service-with-scexe -- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +directory: sc_sdset_tampering +mitre_technique: +- T1564 +datasets: +- name: sc_sdset_tampering_sysmon + path: /datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/datasets/data.yml b/datasets/attack_techniques/T1566.001/datasets/data.yml new file mode 100644 index 000000000..16bfc1c67 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/datasets/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3b759a93-f7ca-4584-a6db-b92c673a87ee +date: '2025-08-12' +description: Automatically categorized datasets in directory datasets +environment: attack_range +directory: datasets +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon + path: /datasets/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/datasets2/data.yml b/datasets/attack_techniques/T1566.001/datasets2/data.yml new file mode 100644 index 000000000..e50b53997 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/datasets2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a409f6a-5382-4977-9055-b66aec6033ee +date: '2025-08-12' +description: Automatically categorized datasets in directory datasets2 +environment: attack_range +directory: datasets2 +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share.yml b/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share_old.yml similarity index 100% rename from datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share.yml rename to datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share_old.yml diff --git a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml index fe3630b01..a9cef7a7b 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: ab768e85-64f9-42ea-be35-979ad9132d47 date: '2021-08-19' -description: 'Simulated test Gsuite Datasets for email having external domain outbound traffic' +description: Simulated test Gsuite Datasets for email having external domain outbound + traffic environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_outbound_email_to_external +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_external_domain + path: /datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml index 88dec3a31..0924a2327 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: 37c6214c-3b6d-44a8-b3d6-8cb45283ecc9 date: '2021-08-19' -description: 'Simulated test Gsuite Datasets for email having suspicious file extension attachment' +description: Simulated test Gsuite Datasets for email having suspicious file extension + attachment environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_attachment_ext +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_gmail_file_ext + path: /datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml index e0a266dc8..d08c7a588 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: cdbf3681-65ec-4ebd-8992-257b26b5395b date: '2021-08-20' -description: 'Simulated test Gsuite Datasets for email having suspicious subject and attachment' +description: Simulated test Gsuite Datasets for email having suspicious subject and + attachment environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_subj +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_subj_attach + path: /datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml index a03b16b7a..d3bca06e2 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: 0ea6dc4a-b26d-4706-8c10-5d6fd485ba3a date: '2021-08-23' -description: 'Simulated test Gsuite Datasets for email having suspicious link' +description: Simulated test Gsuite Datasets for email having suspicious link environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_url +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_url + path: /datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/macro/data.yml b/datasets/attack_techniques/T1566.001/macro/data.yml new file mode 100644 index 000000000..8a9ed48ce --- /dev/null +++ b/datasets/attack_techniques/T1566.001/macro/data.yml @@ -0,0 +1,41 @@ +author: Generated by dataset_analyzer.py +id: ba7b0acc-bda0-4a17-92bc-17daf956901d +date: '2025-08-12' +description: Automatically categorized datasets in directory macro +environment: attack_range +directory: macro +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon_mshtml + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_cabinf + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_control + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_icedid + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_macros + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_wsh + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: msdt-windows-security + path: /datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml index c1d46835c..df60ea27c 100644 --- a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml +++ b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 8b93f6a5-ae09-451e-a52a-4f60754d2b53 date: '2023-01-27' description: Generated datasets for office doc abuses rels in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: office_doc_abuses_rels +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml index e1d90fa1d..87186e05a 100644 --- a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml +++ b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: e44d12fd-c4ff-4d10-846b-23cb9b8cdffb date: '2023-01-24' description: Generated datasets for onenote spear phishing in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: onenote_spear_phishing +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml index 4a3604d7d..7a9ce3f14 100644 --- a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml +++ b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 2145b2b6-3130-4f64-8781-c74973c87ce9 date: '2023-01-18' description: Generated datasets for phishing pdf uri in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1615382907446767616?s=20 +environment: attack_range +directory: phishing_pdf_uri +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/spearphishing_attachments.yml b/datasets/attack_techniques/T1566.001/spearphishing_attachments_old.yml similarity index 100% rename from datasets/attack_techniques/T1566.001/spearphishing_attachments.yml rename to datasets/attack_techniques/T1566.001/spearphishing_attachments_old.yml diff --git a/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml index 5f55eef14..b874a7a99 100644 --- a/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,16 @@ date: '2020-08-13' description: Evilginx2 DNS activity captured by Stream. Custom attack_range config using DC to delegate DNS to evilginx2; web traffic proxied through the Splunk server which was running Stream and resolving DNS via DC. -environment: attack_range_evilginx2 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/attack_data_stream_dns.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/attack_data_network_resolution_dm.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- stream:dns -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1566/002/ +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml index 8bc80af9c..2d328b27e 100644 --- a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml +++ b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml @@ -3,15 +3,11 @@ id: cc9b262a-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: lnk file in temp folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1566/002/ +directory: lnk_file_temp_folder +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml b/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml index 3baa5e626..e506cb7f1 100644 --- a/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml +++ b/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml @@ -1,11 +1,13 @@ author: Michael Haag id: e18714c0-ab84-44f6-9117-5531e3eb3a0c date: '2024-03-20' -description: 'Data generaeted for CVE-2024-21378' +description: Data generaeted for CVE-2024-21378 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ \ No newline at end of file +directory: cve-2024-21378 +mitre_technique: +- T1566 +datasets: +- name: inprocserver32_windows-sysmon + path: /datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml index 54e68da3c..7df8a312d 100644 --- a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml +++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml @@ -1,18 +1,13 @@ -author: Steven Dick -id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 -date: '2024-4-6' -description: 'Various Office 365 built-in and premium security feature alerts.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1566 -- https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults -- https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp -- https://learn.microsoft.com/en-us/purview/alert-policies -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide \ No newline at end of file +author: Steven Dick +id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 +date: 2024-4-6 +description: Various Office 365 built-in and premium security feature alerts. +environment: attack_range +directory: o365_various_alerts +mitre_technique: +- T1566 +datasets: +- name: o365_various_alerts + path: /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll.yml b/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll_old.yml similarity index 100% rename from datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll.yml rename to datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll_old.yml diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml b/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml index b561d320d..0bbca90fd 100644 --- a/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml +++ b/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml @@ -1,11 +1,13 @@ author: Bhavin patel, Gowtham id: e18714c0-ab84-44f6-9117-5531e3eb3a0c date: '2024-03-12' -description: 'Synthentic Dataset generated for Zscaler detections for Blocked activities' +description: Synthentic Dataset generated for Zscaler detections for Blocked activities environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json -sourcetypes: -- zscalernss-web -references: -- https://help.zscaler.com/zia/nss-feed-output-format-web-logs \ No newline at end of file +directory: zscalar_web_proxy +mitre_technique: +- T1566 +datasets: +- name: zscalar_web_proxy-json + path: /datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + sourcetype: zscalernss-web + source: zscaler diff --git a/datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive.yml b/datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive_old.yml similarity index 100% rename from datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive.yml rename to datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive_old.yml diff --git a/datasets/attack_techniques/T1567/gdrive/gdrive.yml b/datasets/attack_techniques/T1567/gdrive/gdrive.yml index b4ba961d0..ee375914f 100644 --- a/datasets/attack_techniques/T1567/gdrive/gdrive.yml +++ b/datasets/attack_techniques/T1567/gdrive/gdrive.yml @@ -3,11 +3,15 @@ id: 9c1ebd7e-b293-4238-98ff-4ecef8444cdb date: '2025-08-01' description: Simulate usage of the gdrive binary to interact with Google Drive. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1567/ +directory: gdrive +mitre_technique: +- T1567 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1567/gdrive/gdrive_windows.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_linux + path: /datasets/attack_techniques/T1567/gdrive/gdrive_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml index a27cd3a17..fc3a9c772 100644 --- a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml +++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml @@ -1,13 +1,14 @@ -author: Steven Dick -id: a5b98f63-2116-4f7d-bd46-228872bc79f8 -date: '2025-01-28' -description: 'Sample of events when an actor attempts to exfiltrate data from sharepoint using various methods.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1567/exfil -- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data -- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ \ No newline at end of file +author: Steven Dick +id: a5b98f63-2116-4f7d-bd46-228872bc79f8 +date: '2025-01-28' +description: Sample of events when an actor attempts to exfiltrate data from sharepoint + using various methods. +environment: attack_range +directory: o365_sus_file_activity +mitre_technique: +- T1567 +datasets: +- name: o365_sus_file_activity + path: /datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml index 78967e0fc..c19cedac4 100644 --- a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml +++ b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml @@ -3,9 +3,11 @@ id: 15c6f211-a960-4f60-b111-bd2ae129ef7d date: '2023-02-21' description: Simulate Large Web upload with high bytes out environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log -sourcetypes: -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1567/ \ No newline at end of file +directory: web_upload_nginx +mitre_technique: +- T1567 +datasets: +- name: web_upload_nginx + path: /datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml index 9480c6cd6..482591d54 100644 --- a/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,12 @@ id: cc9b260a-efc9-11eb-926b-550bf0943fbb date: '2021-04-05' description: Adversaries may abuse the Windows SC.exe to execute malicious commands or payloads which is captured by Windows System logs. -environment: attack_range_evilginx2 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-system.log -sourcetypes: -- WinEventLog:System -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1569/002/ +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1569.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml b/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml index c21c9a57a..0ecd3dea7 100644 --- a/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml +++ b/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml @@ -3,9 +3,11 @@ id: 4057fbfc-efa2-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux service start in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_service_start +mitre_technique: +- T1569.002 +datasets: +- name: auditd_proctitle_service_start + path: /datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml b/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml new file mode 100644 index 000000000..e816dff2d --- /dev/null +++ b/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f57d04bb-4610-4104-b39d-4efed71165be +date: '2025-08-12' +description: Automatically categorized datasets in directory malicious_powershell_executed_as_a_service +environment: attack_range +directory: malicious_powershell_executed_as_a_service +mitre_technique: +- T1569.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1569.002/remcom/remcom.yml b/datasets/attack_techniques/T1569.002/remcom/remcom.yml index 3b985d2aa..56e647679 100644 --- a/datasets/attack_techniques/T1569.002/remcom/remcom.yml +++ b/datasets/attack_techniques/T1569.002/remcom/remcom.yml @@ -1,13 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2023-03-20' -description: 'Atomic Testing of Remcom' +description: Atomic Testing of Remcom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1570 \ No newline at end of file +directory: remcom +mitre_technique: +- T1569.002 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml index 99d08312d..a9d538494 100644 --- a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml +++ b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml @@ -1,11 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: d25e417e-735f-46db-b1cb-8d6c5ea9bc6f date: '2024-12-06' -description: This dataset contains process execution logs from Windows Sysmon logs related to execution of sc.exe with the sdset flag. +description: This dataset contains process execution logs from Windows Sysmon logs + related to execution of sc.exe with the sdset flag. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1569.002/T1569.002.md#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet +directory: scmanager_sddl_tamper +mitre_technique: +- T1569.002 +datasets: +- name: scmanager_sddl_tamper_sysmon + path: /datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml b/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml new file mode 100644 index 000000000..7a44c4728 --- /dev/null +++ b/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d6a28386-bc89-4839-b4b1-9115a8ca0807 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_service_created_with_suspicious_service_path +environment: attack_range +directory: windows_service_created_with_suspicious_service_path +mitre_technique: +- T1569.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control.yml b/datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control_old.yml similarity index 100% rename from datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control.yml rename to datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control_old.yml diff --git a/datasets/attack_techniques/T1570/remcom/remcom.yml b/datasets/attack_techniques/T1570/remcom/remcom.yml index 14c348230..905d3588c 100644 --- a/datasets/attack_techniques/T1570/remcom/remcom.yml +++ b/datasets/attack_techniques/T1570/remcom/remcom.yml @@ -1,13 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2023-03-20' -description: 'Atomic Testing of Remcom' +description: Atomic Testing of Remcom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1570 \ No newline at end of file +directory: remcom +mitre_technique: +- T1570 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml b/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml index 1dde9b20d..cd1ddfd9b 100644 --- a/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml +++ b/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml @@ -5,14 +5,11 @@ description: DNS Beaconing using Cobalt Strike 4.2. Activity was generated using Range and Kali Linux. DNS Beaconing was performed using TXT and A records using the domain - getbobspizza.com. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/stream_events_zeek.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/streams_dns.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log -sourcetypes: -- bro:dns:json -- stream:dns -- suricata -references: -- https://attack.mitre.org/techniques/T1572 -- https://cobaltstrike.com/help-dns-beacon +directory: cobalt_strike +mitre_technique: +- T1572 +datasets: +- name: suricata_events + path: /datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1572/ngrok/ngrok.yml b/datasets/attack_techniques/T1572/ngrok/ngrok.yml index bba57ec37..366a98964 100644 --- a/datasets/attack_techniques/T1572/ngrok/ngrok.yml +++ b/datasets/attack_techniques/T1572/ngrok/ngrok.yml @@ -3,12 +3,11 @@ id: 24608f3f-bc86-43e1-ab46-4625f94a6cdf date: '2022-11-16' description: ngrok.exe execution on windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1572 -- https://ngrok.com \ No newline at end of file +directory: ngrok +mitre_technique: +- T1572 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/plink/plink.yml b/datasets/attack_techniques/T1572/plink/plink.yml index 431c583c0..e83aea6d4 100644 --- a/datasets/attack_techniques/T1572/plink/plink.yml +++ b/datasets/attack_techniques/T1572/plink/plink.yml @@ -3,12 +3,19 @@ id: cc9b2667-efc9-11eb-926b-660bf0943fbb date: '2021-11-15' description: Simulation of plink activity. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/4688-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1572 +directory: plink +mitre_technique: +- T1572 +datasets: +- name: plink-windows-sysmon + path: /datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/plink/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-windows-security + path: /datasets/attack_techniques/T1572/plink/4688-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml deleted file mode 100644 index f2e5d4675..000000000 --- a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: cc9b2667-efc9-11eb-926b-660bf0943fbb -date: '2021-11-15' -description: Simulation of plink activity. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1572 diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml new file mode 100644 index 000000000..88ec55b02 --- /dev/null +++ b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml @@ -0,0 +1,13 @@ +author: Michael Haag +id: cc9b2667-efc9-11eb-926b-660bf0943fbb +date: '2021-11-15' +description: Simulation of plink activity. +environment: attack_range +directory: ssh_proxy_command +mitre_technique: +- T1572 +datasets: +- name: sshproxycommand_windows-sysmon + path: /datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml index 6fa93260e..98a74439a 100644 --- a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml @@ -1,11 +1,13 @@ author: Michael Haag -id: cc9bv5d6-wfc9-11eb-926b-550bf0943faz +id: d623f17e-f97d-4ce9-9cf6-6f6b76b14ba4 date: '2022-08-18' description: 'Atomic Test Results: Successful Execution of test T1574.001' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/001/ \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1574.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml b/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml index 4003ae344..ae3c41eb4 100644 --- a/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml +++ b/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml @@ -3,9 +3,11 @@ id: e90865ba-72ac-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for firewall api path in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: firewall_api_path +mitre_technique: +- T1574.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml b/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml index cdaa454d1..6e243298f 100644 --- a/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml +++ b/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml @@ -1,13 +1,13 @@ author: Michael Haag id: aa9b2664-efc9-11eb-926b-550bfe94334b date: '2020-12-08' -description: 'This behavior is related to the POC for iscsicpl.exe.' +description: This behavior is related to the POC for iscsicpl.exe. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsi-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/001 -- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC -- https://github.com/422926799/csplugin/tree/master/bypassUAC +directory: iscsicpl +mitre_technique: +- T1574.001 +datasets: +- name: iscsicpl-windows-sysmon + path: /datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml b/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml index 4e94bdd5f..f00c221a8 100644 --- a/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml +++ b/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml @@ -1,14 +1,14 @@ -author: Steven Dick -id: 9c084d2d-ab99-4bda-875f-cf565afee2fe -date: '2024-2-19' -description: 'Detection of suspicious usage of DLLs commonly used in sideloading and search order hijacking.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/002/ -- https://hijacklibs.net/api/ -- https://wietze.github.io/blog/hijacking-dlls-in-windows -- https://github.com/olafhartong/sysmon-modular/pull/195/files \ No newline at end of file +author: Steven Dick +id: 9c084d2d-ab99-4bda-875f-cf565afee2fe +date: 2024-2-19 +description: Detection of suspicious usage of DLLs commonly used in sideloading and + search order hijacking. +environment: attack_range +directory: hijacklibs +mitre_technique: +- T1574.002 +datasets: +- name: hijacklibs_sysmon + path: /datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml b/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml index d7693f4fd..85ca3b435 100644 --- a/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml +++ b/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml @@ -1,12 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2020-12-08' -description: 'This behavior is related to the POC for InstallerFileTakeOver.' +description: This behavior is related to the POC for InstallerFileTakeOver. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/002 -- https://github.com/klinix5/InstallerFileTakeOver/tree/main/InstallerFileTakeOver \ No newline at end of file +directory: msi_module_load +mitre_technique: +- T1574.002 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules.yml b/datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules.yml rename to datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules_old.yml diff --git a/datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load.yml b/datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load.yml rename to datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load_old.yml diff --git a/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path.yml b/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path.yml rename to datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path_old.yml diff --git a/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml b/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml index 6492f0c5c..9b41ccca7 100644 --- a/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml +++ b/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml @@ -2,11 +2,12 @@ author: Michael Haag, Teoderick Contreras, Splunk id: cd06d28d-f107-434f-ba16-c7e0729aaa19 date: '2023-12-18' description: Generated datasets for loaded modules in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties -- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader +environment: attack_range +directory: wineloader +mitre_technique: +- T1574.002 +datasets: +- name: sqlwriter_sqldumper_sideload_windows-sysmon + path: /datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml b/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml index 10854f2a2..69bdf20b3 100644 --- a/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml +++ b/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml @@ -3,9 +3,11 @@ id: 52fa6e8a-632c-11ec-9174-acde48001122 date: '2021-12-22' description: Generated datasets for lib hijack in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 \ No newline at end of file +directory: lib_hijack +mitre_technique: +- T1574.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml index cd0945250..b73148181 100644 --- a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml +++ b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml @@ -3,9 +3,15 @@ id: 1bcc82b0-ef9f-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd ldpreload in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log -sourcetypes: -- 'auditd' -references: -- https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 \ No newline at end of file +directory: linux_auditd_ldpreload +mitre_technique: +- T1574.006 +datasets: +- name: auditd_execve_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log + sourcetype: auditd + source: auditd +- name: linux_auditd_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml index 64eb324fe..141d48687 100644 --- a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml +++ b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml @@ -3,9 +3,11 @@ id: 9e682288-45d5-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd preload file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_preload_file +mitre_technique: +- T1574.006 +datasets: +- name: linux_auditd_preload_file + path: /datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml index 7ca386dac..2e05b2749 100644 --- a/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml @@ -4,17 +4,11 @@ date: '2020-10-09' description: 'Atomic Test Results: Successful Execution of test T1574.009-1 Execution of program.exe as service with unquoted service path ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1574/009/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md -- https://github.com/splunk/security-content/blob/develop/tests/T1574_009.yml +directory: atomic_red_team +mitre_technique: +- T1574.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml b/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml index 7f7d4529e..4937e9870 100644 --- a/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml +++ b/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml @@ -3,15 +3,11 @@ id: cc9b262b-efc9-11eb-926b-550bf0943fbb date: '2020-11-26' description: change serice ImagePath with reg.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1574/011/ +directory: change_registry_path_service +mitre_technique: +- T1574.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml index 9c7636cf9..888360127 100644 --- a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml +++ b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml @@ -3,9 +3,11 @@ id: cc9b262b-efc9-22eb-922b-550bf2943fbb date: '2024-02-21' description: Contains dataset for AWS security group changes environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1578/005/ \ No newline at end of file +directory: aws_authorize_security_group +mitre_technique: +- T1578.005 +datasets: +- name: aws_authorize_security_group-json + path: /datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures_old.yml similarity index 100% rename from datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml rename to datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures_old.yml diff --git a/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml new file mode 100644 index 000000000..1307e315b --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: f92a9a8e-2f9b-42ef-a85b-0145c886145a +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_accessdenied_discovery_events +environment: attack_range +directory: aws_iam_accessdenied_discovery_events +mitre_technique: +- T1580 +datasets: +- name: aws_iam_accessdenied_discovery_events-json + path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml b/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml new file mode 100644 index 000000000..176dd5fbe --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e1e9c986-8c3b-443b-86d7-f82ce29180f9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_assume_role_policy_brute_force +environment: attack_range +directory: aws_iam_assume_role_policy_brute_force +mitre_technique: +- T1580 +datasets: +- name: aws_iam_assume_role_policy_brute_force-json + path: /datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml b/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml new file mode 100644 index 000000000..254037e53 --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f58c4e4c-7961-4731-a01a-3b8b7838ffd1 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_excessive_list_command_usage +environment: attack_range +directory: aws_iam_excessive_list_command_usage +mitre_technique: +- T1580 +datasets: +- name: aws_iam_excessive_list_command_usage-json + path: /datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/aws_iam_excessive_list_command_usage.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1580/aws_iam.yml b/datasets/attack_techniques/T1580/aws_iam_old.yml similarity index 100% rename from datasets/attack_techniques/T1580/aws_iam.yml rename to datasets/attack_techniques/T1580/aws_iam_old.yml diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml index 9d7b9c3b1..5129c0179 100644 --- a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml +++ b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml @@ -3,9 +3,11 @@ id: a398a202-5b62-4043-9286-647fde220dca date: '2025-07-08' description: 'Sample of ESXi syslog events showing dormant VMs being activated.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1584 +directory: esxi_dormant_vm_started +mitre_technique: +- T1584 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation.yml b/datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation_old.yml similarity index 100% rename from datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation.yml rename to datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation_old.yml diff --git a/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips.yml b/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips_old.yml similarity index 100% rename from datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips.yml rename to datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips_old.yml diff --git a/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml b/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml index 81721dfdf..ade166ff1 100644 --- a/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml +++ b/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml @@ -1,11 +1,14 @@ author: Bhavin Patel id: cc922674-efc9-11eb-926b-550bf0943f33 date: '2024-03-07' -description: This dataset is synthetically generated using by simulating events in a lab -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.json -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1586.003 +description: This dataset is synthetically generated using by simulating events in + a lab +environment: attack_range +directory: okta_multiple_city +mitre_technique: +- T1586.003 +datasets: +- name: okta_multiple_city_im2 + path: /datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml new file mode 100644 index 000000000..669a90633 --- /dev/null +++ b/datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml @@ -0,0 +1,14 @@ +author: Michael Haag +id: cc9b2634-efc9-11eb-834c-550bf09133cb +date: '2022-03-31' +description: This behavior is related to a root certificate being added to the CurrentUser + store. +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1587.002 +datasets: +- name: certblob_windows-sysmon + path: /datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml b/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml deleted file mode 100644 index 5b140ba62..000000000 --- a/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: cc9b2634-efc9-11eb-834c-550bf09133cb -date: '2022-03-31' -description: 'This behavior is related to a root certificate being added to the CurrentUser store.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec \ No newline at end of file diff --git a/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml b/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml index 581b8db30..59ae7c3aa 100644 --- a/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml +++ b/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml @@ -3,9 +3,11 @@ id: 28f730ce-72ae-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for add store cert in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: add_store_cert +mitre_technique: +- T1587.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.yml b/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd_old.yml similarity index 100% rename from datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.yml rename to datasets/attack_techniques/T1587.003/splunk_fwder/splunkd_old.yml diff --git a/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml b/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml deleted file mode 100644 index cbffec874..000000000 --- a/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag -id: cc9b2664-efc9-11eb-834c-550bf094334b -date: '2021-01-24' -description: 'This behavior is related to the advancedrun.exe.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1588/002 -- http://www.nirsoft.net/utils/advanced_run.html -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml new file mode 100644 index 000000000..57342b6b5 --- /dev/null +++ b/datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml @@ -0,0 +1,13 @@ +author: Michael Haag +id: cc9b2664-efc9-11eb-834c-550bf094334b +date: '2021-01-24' +description: This behavior is related to the advancedrun.exe. +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1588.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml b/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml new file mode 100644 index 000000000..2061d639c --- /dev/null +++ b/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 159f3ef4-f460-4e52-9911-2591df2923f1 +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_user_enumeration +environment: attack_range +directory: kerberos_user_enumeration +mitre_technique: +- T1589.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1589.002/kerbrute/kerbrute.yml b/datasets/attack_techniques/T1589.002/kerbrute/kerbrute_old.yml similarity index 100% rename from datasets/attack_techniques/T1589.002/kerbrute/kerbrute.yml rename to datasets/attack_techniques/T1589.002/kerbrute/kerbrute_old.yml diff --git a/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml b/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml index 624ca554e..b2502c2d5 100644 --- a/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml +++ b/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: ed9a4df5-515e-49f3-9068-23b87f389fe9 date: '2023-04-11' description: Generated datasets for enum dns record in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://cert.gov.ua/article/3718487 +environment: attack_range +directory: enum_dns_record +mitre_technique: +- T1590.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1590.005/data.yml b/datasets/attack_techniques/T1590.005/data.yml new file mode 100644 index 000000000..8ada1375a --- /dev/null +++ b/datasets/attack_techniques/T1590.005/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a0d62a4b-0b4d-41f7-a769-0b2ec4ff119a +date: '2025-08-12' +description: Automatically categorized datasets in directory T1590.005 +environment: attack_range +directory: T1590.005 +mitre_technique: +- T1590.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1590.005/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml b/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml index a10e26f07..ce3dabd95 100644 --- a/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml +++ b/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml @@ -3,11 +3,16 @@ id: cc9b260b-efc9-11eb-926b-550bf0943fbb date: '2021-06-25' description: This dataset contains execution of commonly used attacker tool found in HoneyPot for XMRig, specifically- MassScan_GUI.exe and masscan.exe -environment: attack_range_honeypot -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1595 +environment: attack_range +directory: attacker_scan_tools +mitre_technique: +- T1595 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml b/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml index 182bb41e9..72a995789 100644 --- a/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml +++ b/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml @@ -1,11 +1,13 @@ -author: Steven Dick -id: 981a2657-3ed0-46e9-b9f4-8a59a6442cb3 -date: '2024-12-26' -description: 'A set of events related generic powershell/sysmon network enumeration.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1595 \ No newline at end of file +author: Steven Dick +id: 981a2657-3ed0-46e9-b9f4-8a59a6442cb3 +date: '2024-12-26' +description: A set of events related generic powershell/sysmon network enumeration. +environment: attack_range +directory: sysmon_scanning_events +mitre_technique: +- T1595 +datasets: +- name: sysmon_scanning_events + path: /datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1598.002/rdp/rdp.yml b/datasets/attack_techniques/T1598.002/rdp/rdp.yml index 850941da8..cc4933139 100644 --- a/datasets/attack_techniques/T1598.002/rdp/rdp.yml +++ b/datasets/attack_techniques/T1598.002/rdp/rdp.yml @@ -3,9 +3,11 @@ id: 119b260b-efc9-11eb-926b-550bf3943f2b date: '2024-11-25' description: This dataset contains RDP file execution events from Windows Sysmon logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1598/002 \ No newline at end of file +directory: rdp +mitre_technique: +- T1598.002 +datasets: +- name: mstsc_rdpfile-windows-sysmon + path: /datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml index 261e8853e..4cb056777 100644 --- a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml +++ b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml @@ -3,9 +3,11 @@ id: 39edc074-9898-4de9-8296-45c51b7e18dd date: '2025-07-08' description: 'Sample of ESXi syslog events showing failed attempts to install malicious VIBs.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1601/001 +directory: esxi_download_errors +mitre_technique: +- T1601.001 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml b/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml index a3d2c0067..2a0b5ac2a 100644 --- a/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml +++ b/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 67f59d0d-34e2-4a9a-9829-2198e4826e07 date: '2023-02-23' -description: Manually using Nimplant to execute Rubeus using the execute-assembly function. +description: Manually using Nimplant to execute Rubeus using the execute-assembly + function. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1620/ -- https://www.cobaltstrike.com/blog/cobalt-strike-3-11-the-snake-that-eats-its-tail/ -- https://github.com/chvancooten/NimPlant +directory: common_language_runtim_loaded +mitre_technique: +- T1620 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa.yml b/datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa_old.yml similarity index 100% rename from datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa.yml rename to datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa_old.yml diff --git a/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml b/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml index 4fa8c0d11..4723b4554 100644 --- a/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml +++ b/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml @@ -1,14 +1,14 @@ author: Bhavin Patel id: 1c9b1174-efc9-11eb-111b-550bf0943fbb date: '2022-10-03' -description: This dataset contains an cloudtrail events of disabling and deactivating MFA challenge. -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1621 +description: This dataset contains an cloudtrail events of disabling and deactivating + MFA challenge. +environment: attack_range +directory: aws_mfa_disabled +mitre_technique: +- T1621 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml index c542e336c..71586dc9a 100644 --- a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 5a6ed21a-ea34-4950-b09b-0b0bf369269e date: '2022-10-31' -description: 'Manually authenticated to the Azure AD Portal failed to pass MFA challenge by denying it. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks +description: Manually authenticated to the Azure AD Portal failed to pass MFA challenge + by denying it. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_multiple_denied_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure_ad_multiple_denied_mfa_requests + path: /datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/azuread/azuread.yml b/datasets/attack_techniques/T1621/azuread/azuread.yml index c9148ff31..04ad814a4 100644 --- a/datasets/attack_techniques/T1621/azuread/azuread.yml +++ b/datasets/attack_techniques/T1621/azuread/azuread.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: b0db79c9-1e82-4a32-9f69-998dc33508a9 date: '2022-07-14' -description: 'Manually authenticated to the Azure AD Portal failed to pass MFA challenge by denying it or letting it timeout. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks +description: Manually authenticated to the Azure AD Portal failed to pass MFA challenge + by denying it or letting it timeout. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azuread +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml b/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml index 9ffb3ea80..3b4e93feb 100644 --- a/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml +++ b/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 6edb20af-362b-417b-87e4-fa1d7aa8ca2c date: '2022-10-14' -description: 'Manually authenticated to the GCP portal and failed to pass MFA challenge by typing in a wrong code. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ \ No newline at end of file +description: Manually authenticated to the GCP portal and failed to pass MFA challenge + by typing in a wrong code. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: gcp_failed_mfa +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml index 554b17ad0..5673821d5 100644 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 8fa3d1ff-5d16-4e3a-8a0b-3f1afdf14c49 date: '2022-10-17' -description: 'Manually generated multple MFA requests for a user leveraging the Google CLoud Console portal and submitting wrong codes. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraging the Google + CLoud Console portal and submitting wrong codes. Tenant specific details have been + replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: multiple_failed_mfa_gws +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml index 284012ceb..5a58cfb5a 100644 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 63af0495-3a3a-4d38-9658-96d3c1872ea8 date: '2022-08-25' -description: 'Manually generated multple MFA requests for a user leveraing the Azure AD Portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraing the Azure + AD Portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml index 6dc37298b..f60c599a2 100644 --- a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: f76a30f9-7ac3-4e4d-95d7-c55e65012040 date: '2023-10-19' -description: 'Manually generated multple MFA requests for a user leveraing the Outlook portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraing the Outlook + portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: o365_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml b/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml index b6357db5a..5dc23a1a4 100644 --- a/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml +++ b/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml @@ -1,14 +1,15 @@ author: Bhavin Patel id: 6a21e46e-d759-11e0-bbd6-932611ee01ad date: '2024-03-05' -description: 'Manually generated multple failed MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple failed MFA requests for a user in Okta. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: okta_mfa_login_failed +mitre_technique: +- T1621 +datasets: +- name: okta_mfa_login_failed + path: /datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml b/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml index 7c1403ea6..cc909be67 100644 --- a/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml +++ b/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml @@ -1,14 +1,15 @@ author: Bhavin Patel id: 6ab28666-327b-4c39-8b30-b717b04763ec date: '2024-11-19' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://research.splunk.com/application/8085b79b-9b85-4e67-ad63-351c9e9a5e9a/ \ No newline at end of file +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_mismatch +mitre_technique: +- T1621 +datasets: +- name: okta_mismatch + path: /datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml index 628fce2e6..8ba8f4ae6 100644 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 6ab28c66-327b-4c39-8b30-b727b04763ec date: '2024-03-18' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_multiple_failed_mfa_pushes +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_pushes + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml index 110ac3357..2ff50c10c 100644 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 6a21e46e-d759-4be0-bbd6-932601ee01ad date: '2024-03-05' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/pingid/pingid.yml b/datasets/attack_techniques/T1621/pingid/pingid.yml new file mode 100644 index 000000000..b4c902684 --- /dev/null +++ b/datasets/attack_techniques/T1621/pingid/pingid.yml @@ -0,0 +1,17 @@ +author: Steven Dick +id: 050d14b8-455d-43a8-9d99-9c38f8afd73c +date: '2023-09-26' +description: Detection of a few common MFA abuse scenarios with datasets from pindID +environment: attack_range +directory: pingid +mitre_technique: +- T1621 +datasets: +- name: pingid + path: /datasets/attack_techniques/T1621/pingid/pingid.log + sourcetype: __json + source: PINGID +- name: windows_pw_reset + path: /datasets/attack_techniques/T1621/pingid/windows_pw_reset.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml b/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml deleted file mode 100644 index 678f2a88f..000000000 --- a/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Steven Dick -id: 050d14b8-455d-43a8-9d99-9c38f8afd73c -date: '2023-09-26' -description: 'Detection of a few common MFA abuse scenarios with datasets from pindID' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log -sourcetypes: -- _json -- WinEventLog:Security -references: -- https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677 -- https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/ -- https://twitter.com/jhencinski/status/1618660062352007174 -- https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA diff --git a/datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml index e4de3483b..eeec94245 100644 --- a/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml @@ -1,26 +1,46 @@ author: Michael Haag id: 43136df7-63f7-46d5-97af-a18d2a5f9e74 date: '2023-02-01' -description: Generation of Atomic Red Team techniques that create and export a certificate on Windows, simulating an adversary stealing certificates. +description: Generation of Atomic Red Team techniques that create and export a certificate + on Windows, simulating an adversary stealing certificates. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_certificate.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1649 \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1649 +datasets: +- name: export_certificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: certwrite_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4876_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: export_pfxcertificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4104_export_pfx-windows-powershell + path: /datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: backupdb_certutil_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4887_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4886_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4688_certutil_backupdb-windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml b/datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml new file mode 100644 index 000000000..286dbb5ea --- /dev/null +++ b/datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml @@ -0,0 +1,15 @@ +author: Steven Dick +id: a6e1c749-e7b0-401e-9ce7-de9f38e7113f +date: '2023-06-30' +description: Detection of common behaviors when certify/certipy tools are used to + exploit AD CS for the ESC1 vulnerablity. Manual testing using standard compiled + versions of both tools +environment: attack_range +directory: certify_abuse +mitre_technique: +- T1649 +datasets: +- name: certify_esc1_abuse_sysmon + path: /datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml b/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml deleted file mode 100644 index 1fc1463a9..000000000 --- a/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Steven Dick -id: a6e1c749-e7b0-401e-9ce7-de9f38e7113f -date: '2023-06-30' -description: 'Detection of common behaviors when certify/certipy tools are used to exploit AD CS for the ESC1 vulnerablity. Manual testing using standard compiled versions of both tools' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf -- https://github.com/ly4k/Certipy#esc1 -- https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml b/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration_old.yml similarity index 100% rename from datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml rename to datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration_old.yml diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml index 0a876e68e..531c2cc19 100644 --- a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml +++ b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: d3f26d3a-3ae5-4e3d-a9b3-567622b6fb1d date: '2025-07-09' -description: 'Sample of ESXi syslog events VM discovery commands." +description: 'Sample of ESXi syslog events VM discovery commands.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1673 +directory: esxi_vm_discovery +mitre_technique: +- T1673 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml index 6609a4a5b..9ee830994 100644 --- a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml +++ b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: f4f24c8e-3019-42c7-8a7e-093c5f657711 date: '2021-09-29' -description: manual activesetup stubpath registry modification datasets for persistence and privilege escalation. +description: manual activesetup stubpath registry modification datasets for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: active_setup_stubpath +mitre_technique: +- T1547.014 +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml index f18c6b1f3..6478b3df0 100644 --- a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml +++ b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: ee6ee414-4666-42fd-be3a-81da24e174ed date: '2021-11-19' -description: 'simulated remcos dxdiag execution for host information gathering' +description: simulated remcos dxdiag execution for host information gathering environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: host_info_dxdiag +mitre_technique: +- T1592 +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml index a0cd0bd8d..390924027 100644 --- a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml +++ b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml @@ -3,9 +3,11 @@ id: a7c7fe4a-aa0e-11ec-a505-acde48001122 date: '2022-03-22' description: Generated datasets for pwh av recon in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1592/pwh_av_recon/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ \ No newline at end of file +directory: pwh_av_recon +mitre_technique: +- T1592 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.yml b/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata_old.yml similarity index 100% rename from datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.yml rename to datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml b/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml rename to datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml b/datasets/cisco_secure_firewall_threat_defense/file_event/file_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml rename to datasets/cisco_secure_firewall_threat_defense/file_event/file_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml b/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml rename to datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml b/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml rename to datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events_old.yml diff --git a/datasets/malware/acidrain/acidrain.yml b/datasets/malware/acidrain/acidrain.yml index b26aa1509..9bb6b7ed4 100644 --- a/datasets/malware/acidrain/acidrain.yml +++ b/datasets/malware/acidrain/acidrain.yml @@ -3,9 +3,10 @@ id: bcab43fc-ba40-11ec-9840-acde48001122 date: '2022-04-12' description: Generated datasets for acidrain in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ \ No newline at end of file +directory: acidrain +mitre_technique: [] +datasets: +- name: sysmon_linux + path: /datasets/malware/acidrain/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml index 68f1ff7ff..1a612e8ae 100644 --- a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 46c3910f-e139-4e97-a065-5537b28b5fa8 date: '2022-09-21' description: Generated datasets for agent tesla ftp in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_ftp +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml index 03899a941..9671b6c92 100644 --- a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: c82fd5f0-8876-4b0a-bcec-230ff31bf058 date: '2022-09-21' description: Generated datasets for agent tesla smtp in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_smtp +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml index deebc4f96..35d4aa330 100644 --- a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml +++ b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 11c22ca3-0392-4221-a8f8-7d39df80b9a0 date: '2022-09-21' description: Generated datasets for agent tesla tor dns query in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_tor_dns_query +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml index 62c278395..cb6e68679 100644 --- a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml +++ b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 275677fa-df36-426e-ab9f-9f130da29b1f date: '2022-09-21' description: Generated datasets for chm powershell in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://isc.sans.edu/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675 +environment: attack_range +directory: chm_powershell +datasets: +- name: windows-powershell-xml + path: /datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/amadey/access_permission/access_permission.yml b/datasets/malware/amadey/access_permission/access_permission.yml index 21e9c41f5..007027a3a 100644 --- a/datasets/malware/amadey/access_permission/access_permission.yml +++ b/datasets/malware/amadey/access_permission/access_permission.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 1eb71f8b-d23c-4447-a371-4328dd05bc1c date: '2023-06-13' description: Generated datasets for access permission in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey +environment: attack_range +directory: access_permission +datasets: +- name: amadey_sysmon2 + path: /datasets/malware/amadey/access_permission/amadey_sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/amadey/shell_regrun/shell_regrun.yml b/datasets/malware/amadey/shell_regrun/shell_regrun_old.yml similarity index 100% rename from datasets/malware/amadey/shell_regrun/shell_regrun.yml rename to datasets/malware/amadey/shell_regrun/shell_regrun_old.yml diff --git a/datasets/malware/awfulshred/test1/test1.yml b/datasets/malware/awfulshred/test1/test1.yml index 614dd388b..456998609 100644 --- a/datasets/malware/awfulshred/test1/test1.yml +++ b/datasets/malware/awfulshred/test1/test1.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: faf182a1-016e-42c0-8150-3f1f4f0c2606 date: '2023-02-08' description: Generated datasets for test1 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test1 +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test1/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test2/test2.yml b/datasets/malware/awfulshred/test2/test2.yml index 7231c5a30..9a5f802d0 100644 --- a/datasets/malware/awfulshred/test2/test2.yml +++ b/datasets/malware/awfulshred/test2/test2.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 8aca3e92-a6cb-4aa5-9eb5-3f63585681a8 date: '2023-02-08' description: Generated datasets for test2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test2 +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test2/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test3/test3.yml b/datasets/malware/awfulshred/test3/test3.yml index 6a964bace..05d89940b 100644 --- a/datasets/malware/awfulshred/test3/test3.yml +++ b/datasets/malware/awfulshred/test3/test3.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 29167716-e0c5-44ec-af4d-12b57ace49ac date: '2023-02-09' description: Generated datasets for test3 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test3 +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/azorult/azorult.yml b/datasets/malware/azorult/azorult.yml index 18abef371..c140f9c3a 100644 --- a/datasets/malware/azorult/azorult.yml +++ b/datasets/malware/azorult/azorult.yml @@ -3,9 +3,9 @@ id: c5f4387e-f21c-11ec-9f67-acde48001122 date: '2022-06-22' description: Generated datasets for azorult in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ \ No newline at end of file +directory: azorult +datasets: +- name: sysmon + path: /datasets/malware/azorult/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml index d4f9e1baf..7820b959c 100644 --- a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml +++ b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 0878ab9a-69e0-4d0e-a2c8-366889310425 date: '2022-09-01' description: Generated datasets for brute duplicate token in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: brute_duplicate_token +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml index 810eb4a71..582211dc6 100644 --- a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml +++ b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: df76ce73-7258-41ae-ba31-aa96729ab442 date: '2022-09-05' description: Generated datasets for create remote thread in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: create_remote_thread +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/create_remote_thread/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml index 69ffa7515..7ae7685a2 100644 --- a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml +++ b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: a82706f1-b01d-4474-bd3c-fbf3a20207bd date: '2022-08-30' description: Generated datasets for iso version dll campaign in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: iso_version_dll_campaign +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml index aa0bc9d1e..20b5336e3 100644 --- a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml +++ b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: ab382976-dff6-41f3-bfa9-1bffee40a426 date: '2022-08-31' description: Generated datasets for loading samlib in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: loading_samlib +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/loading_samlib/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token.yml b/datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token_old.yml similarity index 100% rename from datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token.yml rename to datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token_old.yml diff --git a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml index d2912d1a6..6af11da4e 100644 --- a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml +++ b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 4b0e2bb8-d5ae-4c8e-a6ad-ed71ea3cbb2f date: '2022-09-01' description: Generated datasets for service deletion in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: service_deletion +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/service_deletion/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml index 4f09272ba..c1a6d3d5b 100644 --- a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml +++ b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 24cbdc61-c864-40aa-a121-0a1ff9b88f8f date: '2022-09-05' description: Generated datasets for wallpaper via transcodedwallpaper in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: wallpaper_via_transcodedwallpaper +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/chaos_ransomware.yml b/datasets/malware/chaos_ransomware/chaos_ransomware.yml index cc272882e..7128971b7 100644 --- a/datasets/malware/chaos_ransomware/chaos_ransomware.yml +++ b/datasets/malware/chaos_ransomware/chaos_ransomware.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 09b72e6e-b405-488e-a0b2-7e22ad442ccf date: '2023-01-12' description: Generated datasets for chaos ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html +environment: attack_range +directory: chaos_ransomware +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml index 538e00c59..20abed67e 100644 --- a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml +++ b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 5b8e6074-8f56-40c2-954a-94d906bd0ae7 date: '2023-01-17' description: Generated datasets for spread in root drives in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia +environment: attack_range +directory: spread_in_root_drives +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_a/clop_a.yml b/datasets/malware/clop/clop_a/clop_a.yml index a8f003129..5c5fabce1 100644 --- a/datasets/malware/clop/clop_a/clop_a.yml +++ b/datasets/malware/clop/clop_a/clop_a.yml @@ -4,12 +4,13 @@ date: '2021-03-22' description: Execution of CLOP malware on Windows 10 endpoint and simulated service name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog -references: -- https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html -- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html/ +directory: clop_a +datasets: +- name: windows-xml + path: /datasets/malware/clop/clop_a/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: windows-sysmon + path: /datasets/malware/clop/clop_a/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_b/clop_b.yml b/datasets/malware/clop/clop_b/clop_b.yml index d96b2f68b..97ee166fe 100644 --- a/datasets/malware/clop/clop_b/clop_b.yml +++ b/datasets/malware/clop/clop_b/clop_b.yml @@ -3,10 +3,9 @@ id: cc9b266e-efc9-11eb-926b-550bf0943fbb date: '2021-03-22' description: Execution of CLOP malware on Windows 10 endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html -- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html/ +directory: clop_b +datasets: +- name: windows-sysmon + path: /datasets/malware/clop/clop_b/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/conti/conti-cobalt/data.yml b/datasets/malware/conti/conti-cobalt/data.yml new file mode 100644 index 000000000..98e10eaae --- /dev/null +++ b/datasets/malware/conti/conti-cobalt/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: cad4c2c9-3eb5-436d-a2fb-e054ff43adb0 +date: '2025-08-12' +description: Automatically categorized datasets in directory conti-cobalt +environment: attack_range +directory: conti-cobalt +datasets: +- name: windows-sysmon + path: /datasets/malware/conti/conti-cobalt/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/conti/conti_leak/conti_leak.yml b/datasets/malware/conti/conti_leak/conti_leak.yml index c4b8e4369..e22436e02 100644 --- a/datasets/malware/conti/conti_leak/conti_leak.yml +++ b/datasets/malware/conti/conti_leak/conti_leak.yml @@ -3,13 +3,17 @@ id: a9915722-bab6-426c-a66e-acc561ed1ce8 date: '2021-08-10' description: simulated Execution of conti leak malware in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- wineventlog -references: -- https://threadreaderapp.com/thread/1423361119926816776.html +directory: conti_leak +datasets: +- name: windows-sysmon_7z + path: /datasets/malware/conti/conti_leak/windows-sysmon_7z.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/malware/conti/conti_leak/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/malware/conti/conti_leak/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/malware/conti/inf1/data.yml b/datasets/malware/conti/inf1/data.yml new file mode 100644 index 000000000..9897702bd --- /dev/null +++ b/datasets/malware/conti/inf1/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 87b91832-7f22-4306-b3a5-eb82fb19ac65 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf1 +environment: attack_range +directory: inf1 +datasets: +- name: windows-sysmon + path: /datasets/malware/conti/inf1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/cyclopsblink/cyclopsblink.yml b/datasets/malware/cyclopsblink/cyclopsblink.yml index 28cc3e3b3..88300dd7d 100644 --- a/datasets/malware/cyclopsblink/cyclopsblink.yml +++ b/datasets/malware/cyclopsblink/cyclopsblink.yml @@ -3,9 +3,9 @@ id: 80f8ff9e-b670-11ec-bdcb-acde48001122 date: '2022-04-07' description: Generated datasets for cyclopsblink in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf \ No newline at end of file +directory: cyclopsblink +datasets: +- name: sysmon_linux + path: /datasets/malware/cyclopsblink/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml index 9496c4b2b..fd7d1cfaf 100644 --- a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml +++ b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml @@ -3,9 +3,9 @@ id: 6e822ef6-0e74-11ed-b114-acde48001122 date: '2022-07-28' description: Generated datasets for dcrat delay execution in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_delay_execution +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_delay_execution/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml index f5fef3aef..2903992ae 100644 --- a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml +++ b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml @@ -3,9 +3,9 @@ id: 3ae30a30-0f18-11ed-8df2-acde48001122 date: '2022-07-29' description: Generated datasets for dcrat enum camera in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_enum_camera +datasets: +- name: windows-powershell-xml + path: /datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml index fd3f5e66f..4955f393c 100644 --- a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml +++ b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml @@ -3,9 +3,9 @@ id: f1e16b7e-1192-11ed-9fa5-acde48001122 date: '2022-08-01' description: Generated datasets for dcrat explorer url in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_explorer_url +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_explorer_url/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml index 17e6a8170..00caf4d20 100644 --- a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml +++ b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml @@ -3,9 +3,9 @@ id: e98fe846-0e73-11ed-8ac5-acde48001122 date: '2022-07-28' description: Generated datasets for dcrat forkbomb in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat \ No newline at end of file +directory: dcrat_forkbomb +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_forkbomb/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml index 011cae91e..11fe21df2 100644 --- a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml +++ b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml @@ -1,12 +1,11 @@ -author: Teoderick Contreras -id: ddebec6c-0da9-11ed-a3fd-acde48001122 -date: '2022-07-27' -description: Generated datasets for reboot logoff commandline in attack range. +author: Generated by dataset_analyzer.py +id: 1ca9bec8-3032-47cb-8f3f-373da4f03a71 +date: '2025-08-12' +description: Automatically categorized datasets in directory reboot_logoff_commandline environment: attack_range -dataset: -- -https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor +directory: reboot_logoff_commandline +datasets: +- name: sysmon + path: /datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml index cff35aa36..a064392c3 100644 --- a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml +++ b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml @@ -3,9 +3,9 @@ id: 29eaf4c8-0daa-11ed-a9e1-acde48001122 date: '2022-07-27' description: Generated datasets for shutdown commandline in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: shutdown_commandline +datasets: +- name: sysmon + path: /datasets/malware/dcrat/shutdown_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/doublezero_wiper/doublezero_wiper.yml b/datasets/malware/doublezero_wiper/doublezero_wiper.yml index da512da44..ca45b4c2f 100644 --- a/datasets/malware/doublezero_wiper/doublezero_wiper.yml +++ b/datasets/malware/doublezero_wiper/doublezero_wiper.yml @@ -3,9 +3,9 @@ id: 0781d036-ae79-11ec-b37d-acde48001122 date: '2022-03-28' description: Generated datasets for doublezero wiper in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html \ No newline at end of file +directory: doublezero_wiper +datasets: +- name: sysmon + path: /datasets/malware/doublezero_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml index bddd75fa4..56b9d255b 100644 --- a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml +++ b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml @@ -3,10 +3,17 @@ id: a81ffedc-b040-4055-b13d-eeb837380c7d date: '2021-09-14' description: fin7 js implant data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: fin7_js_2 +datasets: +- name: wmi_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ldap_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/fin7/fin7_js_2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml index 97cadf1c0..2210b1bdb 100644 --- a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml +++ b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml @@ -3,7 +3,9 @@ id: 148f9a52-05bd-4d44-b6cb-17aa7131ab49 date: '2021-09-14' description: fin7 macro and js implant data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: fin7_macro_js_1 +datasets: +- name: sysmon + path: /datasets/malware/fin7/fin7_macro_js_1/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_sacl/fin7_sacl.yml b/datasets/malware/fin7/fin7_sacl/fin7_sacl_old.yml similarity index 100% rename from datasets/malware/fin7/fin7_sacl/fin7_sacl.yml rename to datasets/malware/fin7/fin7_sacl/fin7_sacl_old.yml diff --git a/datasets/malware/fin7/jssloader/jssloader.yml b/datasets/malware/fin7/jssloader/jssloader.yml index 416c76f29..df9f1f780 100644 --- a/datasets/malware/fin7/jssloader/jssloader.yml +++ b/datasets/malware/fin7/jssloader/jssloader.yml @@ -3,7 +3,9 @@ id: 6fd684f5-6bbd-4706-bd50-5efb4d79a194 date: '2021-09-14' description: fin7 jssloader dataset. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: jssloader +datasets: +- name: sysmon + path: /datasets/malware/fin7/jssloader/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/gootloader/partial_ttps/gootloader.yml b/datasets/malware/gootloader/partial_ttps/gootloader.yml deleted file mode 100644 index 6f8e37ba9..000000000 --- a/datasets/malware/gootloader/partial_ttps/gootloader.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Steven Dick -id: 82ce58ec-f2cb-4570-9a7c-b666362c5ebb -date: '2023-06-15' -description: 'Detection of gootloader common behaviors sourced from manual malware testing in Q1 2023' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations -- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ -- https://redcanary.com/blog/gootloader/ \ No newline at end of file diff --git a/datasets/malware/gootloader/partial_ttps/partial_ttps.yml b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml new file mode 100644 index 000000000..6165584eb --- /dev/null +++ b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml @@ -0,0 +1,16 @@ +author: Steven Dick +id: 82ce58ec-f2cb-4570-9a7c-b666362c5ebb +date: '2023-06-15' +description: Detection of gootloader common behaviors sourced from manual malware + testing in Q1 2023 +environment: attack_range +directory: partial_ttps +datasets: +- name: windows-powershell-xml + path: /datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/malware/gootloader/partial_ttps/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml index 029a4de9b..a38dfa59b 100644 --- a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml +++ b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml @@ -3,9 +3,9 @@ id: 35b9ddaa-9a14-11ec-aec5-acde48001122 date: '2022-03-02' description: Generated datasets for globalfolderoptions reg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html \ No newline at end of file +directory: globalfolderoptions_reg +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/hermetic_wiper.yml b/datasets/malware/hermetic_wiper/hermetic_wiper.yml index 94fddbc93..1b6718c38 100644 --- a/datasets/malware/hermetic_wiper/hermetic_wiper.yml +++ b/datasets/malware/hermetic_wiper/hermetic_wiper.yml @@ -3,9 +3,9 @@ id: 7f55b95a-9642-11ec-ba7c-acde48001122 date: '2022-02-25' description: Generated datasets for hermetic wiper in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html \ No newline at end of file +directory: hermetic_wiper +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml index cd2c13329..01e048745 100644 --- a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml +++ b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml @@ -3,7 +3,9 @@ id: cca625ab-da97-4206-8800-e56676c2075d date: '2021-10-21' description: cmd carry out string command parameter data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: cmd_carry_str_param +datasets: +- name: sysmon + path: /datasets/malware/icedid/cmd_carry_str_param/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_av/disable_av.yml b/datasets/malware/icedid/disable_av/disable_av.yml index b13e7dcd1..5e410e7e3 100644 --- a/datasets/malware/icedid/disable_av/disable_av.yml +++ b/datasets/malware/icedid/disable_av/disable_av.yml @@ -1,11 +1,15 @@ author: Teoderick Contreras id: bedd30e3-3a7a-4ba3-8138-4f1d9c9dfadb date: '2021-10-18' -description: icedid disable windows defender malware in attack range - name. +description: icedid disable windows defender malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: disable_av +datasets: +- name: sysmon2 + path: /datasets/malware/icedid/disable_av/sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/icedid/disable_av/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_schtask/disable_schtask.yml b/datasets/malware/icedid/disable_schtask/disable_schtask.yml index e21ececa8..de8bbf090 100644 --- a/datasets/malware/icedid/disable_schtask/disable_schtask.yml +++ b/datasets/malware/icedid/disable_schtask/disable_schtask.yml @@ -1,10 +1,11 @@ author: Teoderick Contreras id: f67f0c95-c850-4303-b65d-bcd99e87c520 date: '2021-10-18' -description: icedid disable schedule task malware in attack range - name. +description: icedid disable schedule task malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: disable_schtask +datasets: +- name: sysmon + path: /datasets/malware/icedid/disable_schtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/inf_icedid/inf_icedid.yml b/datasets/malware/icedid/inf_icedid/inf_icedid.yml index bd61c5ef4..253f4c766 100644 --- a/datasets/malware/icedid/inf_icedid/inf_icedid.yml +++ b/datasets/malware/icedid/inf_icedid/inf_icedid.yml @@ -1,13 +1,11 @@ author: Teoderick Contreras id: 1500f3aa-332a-496c-9f2a-9d7fbe8f7f03 date: '2021-07-29' -description: Execution of icedid malware in attack range - name. +description: Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ - +directory: inf_icedid +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/inf_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/phish_icedid/phish_icedid.yml b/datasets/malware/icedid/phish_icedid/phish_icedid.yml index f5ea5fce8..8c21d21c0 100644 --- a/datasets/malware/icedid/phish_icedid/phish_icedid.yml +++ b/datasets/malware/icedid/phish_icedid/phish_icedid.yml @@ -1,13 +1,11 @@ author: Teoderick Contreras id: ed600555-e180-42eb-b8a7-532bafcd448b date: '2021-07-29' -description: Execution of icedid malware in attack range - name. +description: Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ - +directory: phish_icedid +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/phish_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml index 782db25d9..b62dc9ec5 100644 --- a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml +++ b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml @@ -1,12 +1,11 @@ author: Teoderick Contreras id: 745613c6-c475-4743-9cac-9a314ea33618 date: '2021-08-05' -description: simulated Execution of icedid malware in attack range - name. +description: simulated Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ +directory: simulated_icedid +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/simulated_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/industroyer2/industroyer2.yml b/datasets/malware/industroyer2/industroyer2.yml index c48838369..8bac8d097 100644 --- a/datasets/malware/industroyer2/industroyer2.yml +++ b/datasets/malware/industroyer2/industroyer2.yml @@ -3,9 +3,9 @@ id: d3197692-c245-11ec-b39f-acde48001122 date: '2022-04-22' description: Generated datasets for industroyer2 in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: industroyer2 +datasets: +- name: sysmon + path: /datasets/malware/industroyer2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml index 561207b0d..ebe42e238 100644 --- a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml +++ b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: cb28b767-140b-4375-bb89-85cb6d836f02 date: '2023-01-16' description: Generated datasets for lockbit ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html +environment: attack_range +directory: lockbit_ransomware +datasets: +- name: sysmon + path: /datasets/malware/lockbit_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/minergate/data.yml b/datasets/malware/minergate/data.yml new file mode 100644 index 000000000..e004ad996 --- /dev/null +++ b/datasets/malware/minergate/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 496eee5a-a4db-4761-9cb7-404827cf59fa +date: '2025-08-12' +description: Automatically categorized datasets in directory minergate +environment: attack_range +directory: minergate +datasets: +- name: windows-sysmon + path: /datasets/malware/minergate/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/olympic_destroyer/olympic_destroyer.yml b/datasets/malware/olympic_destroyer/olympic_destroyer.yml index 7d3a8c807..8c8f34d5f 100644 --- a/datasets/malware/olympic_destroyer/olympic_destroyer.yml +++ b/datasets/malware/olympic_destroyer/olympic_destroyer.yml @@ -3,13 +3,9 @@ id: acb8ab82-94a3-11ec-961b-acde48001122 date: '2022-02-23' description: Generated datasets for olympic destroyer in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:system -- WinEventLog:Security -references: -- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html \ No newline at end of file +directory: olympic_destroyer +datasets: +- name: sysmon + path: /datasets/malware/olympic_destroyer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/prestige_ransomware/prestige_ransomware.yml b/datasets/malware/prestige_ransomware/prestige_ransomware.yml index 77e52606e..d06865845 100644 --- a/datasets/malware/prestige_ransomware/prestige_ransomware.yml +++ b/datasets/malware/prestige_ransomware/prestige_ransomware.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: f8e41440-5e29-4478-a4e4-50937ba66f45 date: '2022-11-30' description: Generated datasets for prestige ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: prestige_ransomware +datasets: +- name: sysmon + path: /datasets/malware/prestige_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qakbot.yml b/datasets/malware/qakbot/qakbot.yml index 822f3cd3a..07c9de82e 100644 --- a/datasets/malware/qakbot/qakbot.yml +++ b/datasets/malware/qakbot/qakbot.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 0ced1e29-5390-4a9a-bd97-6a09cb604a0d date: '2022-10-20' description: Generated datasets for qakbot in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot +environment: attack_range +directory: qakbot +datasets: +- name: sysmon + path: /datasets/malware/qakbot/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot2/qbot2.yml b/datasets/malware/qakbot/qbot2/qbot2.yml index 57f9f7e74..0831a015c 100644 --- a/datasets/malware/qakbot/qbot2/qbot2.yml +++ b/datasets/malware/qakbot/qbot2/qbot2.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: c3fb027f-b61d-4c24-a7db-923eb340d1fd date: '2022-10-24' description: Generated datasets for qbot2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ +environment: attack_range +directory: qbot2 +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_3/qbot_3.yml b/datasets/malware/qakbot/qbot_3/qbot_3.yml index 46d186dd6..57d2b64a5 100644 --- a/datasets/malware/qakbot/qbot_3/qbot_3.yml +++ b/datasets/malware/qakbot/qbot_3/qbot_3.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 3e8a23a9-237c-4bfc-9fce-926ff7af0d1b date: '2022-10-27' description: Generated datasets for qbot 3 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_3 +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot_3/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml index a517cad75..8545b000a 100644 --- a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml +++ b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: c61b9839-5dc6-43e6-a743-8307aa995e18 date: '2022-10-27' description: Generated datasets for qbot wermgr in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_wermgr +datasets: +- name: sysmon_wermgr + path: /datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml index d901cc13d..7e168db79 100644 --- a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml +++ b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 8b988b47-53f3-4152-b8c1-071bcafe672f date: '2022-10-27' description: Generated datasets for qbot wermgr2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_wermgr2 +datasets: +- name: sysmon_wermgr2 + path: /datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/remote_thread/remote_thread.yml b/datasets/malware/qakbot/remote_thread/remote_thread.yml index a0c38ccf6..2e2bf2bc5 100644 --- a/datasets/malware/qakbot/remote_thread/remote_thread.yml +++ b/datasets/malware/qakbot/remote_thread/remote_thread.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 04394a47-b925-4c07-9f4e-55f5ed6fe113 date: '2022-10-28' description: Generated datasets for remote thread in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/ +environment: attack_range +directory: remote_thread +datasets: +- name: sysmon_wermgr_remote + path: /datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ransomware_ttp/data1/data.yml b/datasets/malware/ransomware_ttp/data1/data.yml new file mode 100644 index 000000000..bed16fde2 --- /dev/null +++ b/datasets/malware/ransomware_ttp/data1/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: dd0f91c3-d962-4e76-bea8-994f108b924b +date: '2025-08-12' +description: Automatically categorized datasets in directory data1 +environment: attack_range +directory: data1 +datasets: +- name: windows-sysmon + path: /datasets/malware/ransomware_ttp/data1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ransomware_ttp/data2/data.yml b/datasets/malware/ransomware_ttp/data2/data.yml new file mode 100644 index 000000000..31a2beef1 --- /dev/null +++ b/datasets/malware/ransomware_ttp/data2/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 6f4e39a0-c1a5-4e9e-bde6-fd26c4af04d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory data2 +environment: attack_range +directory: data2 +datasets: +- name: windows-sysmon + path: /datasets/malware/ransomware_ttp/data2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/redline/browser_ext_access/browser_ext_access.yml b/datasets/malware/redline/browser_ext_access/browser_ext_access_old.yml similarity index 100% rename from datasets/malware/redline/browser_ext_access/browser_ext_access.yml rename to datasets/malware/redline/browser_ext_access/browser_ext_access_old.yml diff --git a/datasets/malware/redline/browser_list/browser_list.yml b/datasets/malware/redline/browser_list/browser_list_old.yml similarity index 100% rename from datasets/malware/redline/browser_list/browser_list.yml rename to datasets/malware/redline/browser_list/browser_list_old.yml diff --git a/datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access.yml b/datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access_old.yml similarity index 100% rename from datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access.yml rename to datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access_old.yml diff --git a/datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access.yml b/datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access_old.yml similarity index 100% rename from datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access.yml rename to datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access_old.yml diff --git a/datasets/malware/redline/modify_registry/modify_registry.yml b/datasets/malware/redline/modify_registry/modify_registry.yml index c28d952b6..52295dfdc 100644 --- a/datasets/malware/redline/modify_registry/modify_registry.yml +++ b/datasets/malware/redline/modify_registry/modify_registry.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: d22bdc15-a39d-41ef-b718-0fe1959188e6 date: '2023-04-24' description: Generated datasets for modify registry in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer +environment: attack_range +directory: modify_registry +datasets: +- name: sysmon + path: /datasets/malware/redline/modify_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/redline/recon_registry/recon_registry.yml b/datasets/malware/redline/recon_registry/recon_registry_old.yml similarity index 100% rename from datasets/malware/redline/recon_registry/recon_registry.yml rename to datasets/malware/redline/recon_registry/recon_registry_old.yml diff --git a/datasets/malware/redline/win_update_services_stop/win_update_services_stop.yml b/datasets/malware/redline/win_update_services_stop/win_update_services_stop_old.yml similarity index 100% rename from datasets/malware/redline/win_update_services_stop/win_update_services_stop.yml rename to datasets/malware/redline/win_update_services_stop/win_update_services_stop_old.yml diff --git a/datasets/malware/remcos/remcos/remcos.yml b/datasets/malware/remcos/remcos/remcos.yml index 6eac10c39..4d06fe06a 100644 --- a/datasets/malware/remcos/remcos/remcos.yml +++ b/datasets/malware/remcos/remcos/remcos.yml @@ -3,7 +3,9 @@ id: e9a69082-58e2-47c4-b93b-d68ada5b7444 date: '2021-10-05' description: Remcos Sample -https://tria.ge/210929-ap75vsddan, https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_agent/remcos_agent.yml b/datasets/malware/remcos/remcos_agent/remcos_agent.yml index 6d8ab39e1..809cb8d8a 100644 --- a/datasets/malware/remcos/remcos_agent/remcos_agent.yml +++ b/datasets/malware/remcos/remcos_agent/remcos_agent.yml @@ -3,11 +3,13 @@ id: e9a69082-58e2-47c4-b93b-d68ada5b7444 date: '2021-09-22' description: remcos RAT agent data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/security.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog \ No newline at end of file +directory: remcos_agent +datasets: +- name: sysmon_wav + path: /datasets/malware/remcos/remcos_agent/sysmon_wav.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_agent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml index 9f23b9b8d..e930d49e0 100644 --- a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml +++ b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml @@ -1,12 +1,19 @@ author: Teoderick Contreras id: 8cbe30d9-0a2e-43e4-b07f-2a8a3dd402b9 date: '2021-11-18' -description: 'simulated remcos script loading dynwrapx.dll for shellcode execution' +description: simulated remcos script loading dynwrapx.dll for shellcode execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos_dynwrapx +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_dynwraper + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_panel_client/remcos_panel_client.yml b/datasets/malware/remcos/remcos_panel_client/remcos_panel_client_old.yml similarity index 100% rename from datasets/malware/remcos/remcos_panel_client/remcos_panel_client.yml rename to datasets/malware/remcos/remcos_panel_client/remcos_panel_client_old.yml diff --git a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml index f2b899a22..d0be13c43 100644 --- a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml +++ b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml @@ -1,9 +1,11 @@ author: Teoderick Contreras id: 22ee6dae-30e6-44a4-affc-88b070d96c20 date: '2021-11-18' -description: 'simulated remcos script download malicious stager in pastebin or discord.' +description: simulated remcos script download malicious stager in pastebin or discord. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos_pastebin_download +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_pastebin_download/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_registry/remcos_registry.yml b/datasets/malware/remcos/remcos_registry/remcos_registry.yml index c7c0ed530..8af436cee 100644 --- a/datasets/malware/remcos/remcos_registry/remcos_registry.yml +++ b/datasets/malware/remcos/remcos_registry/remcos_registry.yml @@ -3,9 +3,9 @@ id: dfcbf9ec-a8ef-11ec-871d-acde48001122 date: '2022-03-21' description: Generated datasets for remcos registry in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/ \ No newline at end of file +directory: remcos_registry +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/inf1/data.yml b/datasets/malware/revil/inf1/data.yml new file mode 100644 index 000000000..7a9266134 --- /dev/null +++ b/datasets/malware/revil/inf1/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 7f5f611c-0480-4d17-a791-9f3eeb889231 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf1 +environment: attack_range +directory: inf1 +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/inf1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/inf2/data.yml b/datasets/malware/revil/inf2/data.yml new file mode 100644 index 000000000..f08ef43f4 --- /dev/null +++ b/datasets/malware/revil/inf2/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 1ce5665a-34ad-4b40-bc49-8cc912d6f7e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf2 +environment: attack_range +directory: inf2 +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/inf2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml index 18ee639f8..879c2f097 100644 --- a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml +++ b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml @@ -3,10 +3,9 @@ id: cc9b266d-efc9-11eb-926b-550bf0943fbb date: '2021-07-05' description: side loading dll to load evil ransomware using msmpeng.exe application environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: msmpeng_side +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/msmpeng_side/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ryuk/ryuk.yml b/datasets/malware/ryuk/ryuk.yml index 1dcc02e99..7ef63c1e1 100644 --- a/datasets/malware/ryuk/ryuk.yml +++ b/datasets/malware/ryuk/ryuk.yml @@ -3,10 +3,9 @@ id: cc9b2671-efc9-11eb-926b-550bf0943fbb date: '2020-11-30' description: Execution of ryuk malware on Windows 10 endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ -- https://www.malwarebytes.com/ryuk-ransomware/ +directory: ryuk +datasets: +- name: windows-sysmon + path: /datasets/malware/ryuk/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/snakemalware/snake.yml b/datasets/malware/snakemalware/snake.yml deleted file mode 100644 index bed95e706..000000000 --- a/datasets/malware/snakemalware/snake.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Michael Haag -id: cef7f8d2-10bb-49ff-ba67-4dc25f927e86 -date: '2023-05-11' -description: Simulation of Snake Malware endpoint artifacts. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -references: -- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/datasets/malware/snakemalware/snakemalware.yml b/datasets/malware/snakemalware/snakemalware.yml new file mode 100644 index 000000000..e3de16b90 --- /dev/null +++ b/datasets/malware/snakemalware/snakemalware.yml @@ -0,0 +1,23 @@ +author: Michael Haag +id: cef7f8d2-10bb-49ff-ba67-4dc25f927e86 +date: '2023-05-11' +description: Simulation of Snake Malware endpoint artifacts. +environment: attack_range +directory: snakemalware +datasets: +- name: snake-service-windows-system + path: /datasets/malware/snakemalware/snake-service-windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: snake_crmlog-windows-sysmon + path: /datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: comadmin_windows-sysmon + path: /datasets/malware/snakemalware/comadmin_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: snake_malware_regblob-windows-sysmon + path: /datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/swift_slicer/swift_slicer.yml b/datasets/malware/swift_slicer/swift_slicer.yml index 14b94553e..3dfce1d17 100644 --- a/datasets/malware/swift_slicer/swift_slicer.yml +++ b/datasets/malware/swift_slicer/swift_slicer.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: fc0e1d4d-d8e7-4007-bd29-a0d05384d4cc date: '2023-02-02' description: Generated datasets for swift slicer in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ +environment: attack_range +directory: swift_slicer +datasets: +- name: sysmon + path: /datasets/malware/swift_slicer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/exe_smbshare/data.yml b/datasets/malware/trickbot/exe_smbshare/data.yml new file mode 100644 index 000000000..d08a7f23f --- /dev/null +++ b/datasets/malware/trickbot/exe_smbshare/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 449bb7fa-ebe6-4e18-87cb-6c894ee087ad +date: '2025-08-12' +description: Automatically categorized datasets in directory exe_smbshare +environment: attack_range +directory: exe_smbshare +datasets: +- name: windows-xml + path: /datasets/malware/trickbot/exe_smbshare/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/malware/trickbot/infection/data.yml b/datasets/malware/trickbot/infection/data.yml new file mode 100644 index 000000000..ca60462dd --- /dev/null +++ b/datasets/malware/trickbot/infection/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: 6a5af2f0-7155-40fd-b3c8-a472c6af4f7d +date: '2025-08-12' +description: Automatically categorized datasets in directory infection +environment: attack_range +directory: infection +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/infection/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/namedpipe/data.yml b/datasets/malware/trickbot/namedpipe/data.yml new file mode 100644 index 000000000..ba4136772 --- /dev/null +++ b/datasets/malware/trickbot/namedpipe/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: eeb7e54f-a581-4299-a4e4-02994fa5f060 +date: '2025-08-12' +description: Automatically categorized datasets in directory namedpipe +environment: attack_range +directory: namedpipe +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/namedpipe/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/spear_phish/spear_phish.yml b/datasets/malware/trickbot/spear_phish/spear_phish.yml index cee7869b6..d8fcd6322 100644 --- a/datasets/malware/trickbot/spear_phish/spear_phish.yml +++ b/datasets/malware/trickbot/spear_phish/spear_phish.yml @@ -4,9 +4,9 @@ date: '2021-07-19' description: Spear Phishing Technique of trickbot using regsvr32, mshta, office product and rundll32.. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/cyb3rops/status/1416050325870587910?s=21 +directory: spear_phish +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/spear_phish/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/vilsel/vilse.yml b/datasets/malware/vilsel/vilse.yml deleted file mode 100644 index b9cd654d8..000000000 --- a/datasets/malware/vilsel/vilse.yml +++ /dev/null @@ -1,9 +0,0 @@ -author: Teoderick Contreras -id: a8d7ae24-f24b-4913-a8d8-9db9794175ad -date: '2021-11-12' -description: simulated ioc from vilsel malware. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/malware/vilsel/vilsel.yml b/datasets/malware/vilsel/vilsel.yml new file mode 100644 index 000000000..954c68461 --- /dev/null +++ b/datasets/malware/vilsel/vilsel.yml @@ -0,0 +1,15 @@ +author: Teoderick Contreras +id: a8d7ae24-f24b-4913-a8d8-9db9794175ad +date: '2021-11-12' +description: simulated ioc from vilsel malware. +environment: attack_range +directory: vilsel +datasets: +- name: windows-xml + path: /datasets/malware/vilsel/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: sysmon + path: /datasets/malware/vilsel/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver.yml b/datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver_old.yml similarity index 100% rename from datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver.yml rename to datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver_old.yml diff --git a/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass.yml b/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass_old.yml similarity index 100% rename from datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass.yml rename to datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass_old.yml diff --git a/datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded.yml b/datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded_old.yml similarity index 100% rename from datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded.yml rename to datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded_old.yml diff --git a/datasets/malware/winpeas/powershell/powershell.yml b/datasets/malware/winpeas/powershell/powershell.yml index af75c80e3..4ce1847f9 100644 --- a/datasets/malware/winpeas/powershell/powershell.yml +++ b/datasets/malware/winpeas/powershell/powershell.yml @@ -2,10 +2,14 @@ author: Teoderick Contreras, Splunk id: 43ba5a2c-de77-43c4-818f-ea7239e78dbc date: '2022-12-01' description: Generated datasets for powershell in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: powershell +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winpeas/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/malware/winpeas/powershell/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winpeas/winpeas.yml b/datasets/malware/winpeas/winpeas.yml index c74bce219..079f611d5 100644 --- a/datasets/malware/winpeas/winpeas.yml +++ b/datasets/malware/winpeas/winpeas.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 76ff87b3-e383-42a3-a1a0-15f97e414b97 date: '2022-12-01' description: Generated datasets for winpeas in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas +datasets: +- name: sysmon + path: /datasets/malware/winpeas/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml index f89fd2d7a..f7b86772a 100644 --- a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml +++ b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 0ee6da63-312c-4bc3-82fd-1814f4e39db3 date: '2022-12-01' description: Generated datasets for winpeas cmdkeylist in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_cmdkeylist +datasets: +- name: cmdkey-sysmon + path: /datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml index 99c0200f5..50430706e 100644 --- a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml +++ b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 39b35e91-b3a6-4e07-8025-bd207b6fd433 date: '2022-12-01' description: Generated datasets for winpeas fsutil in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_fsutil +datasets: +- name: fsutil-fsinfo-sysmon + path: /datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml index d503362e3..bf73995ce 100644 --- a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml +++ b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: dc44c54e-8c73-4352-a55b-d7e97e7e83b2 date: '2022-12-01' description: Generated datasets for winpeas search private key in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_private_key +datasets: +- name: dir-private-sysmon + path: /datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml index 48348f7c6..76b57601a 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 6a758cd5-24c2-4008-9e59-8e90c8eb5e94 date: '2022-12-01' description: Generated datasets for winpeas search pwd in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_pwd +datasets: +- name: query-putty-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml index ee29e41f6..c837e7c07 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 0e7d9bf7-a6d8-44df-a137-1a3f27b05cfb date: '2022-12-01' description: Generated datasets for winpeas search pwd db in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_pwd_db +datasets: +- name: dir-db-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml index d7cf41337..3c2a1e563 100644 --- a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml +++ b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: b2602a30-e0a9-4ab9-b770-54faed4bf0d4 date: '2023-02-21' description: Generated datasets for pwh exfiltration in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: pwh_exfiltration +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml index af450f454..4b30cb2c9 100644 --- a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml +++ b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 9614341e-a5ee-4b30-8ca2-648438d13a3f date: '2023-02-21' description: Generated datasets for pwh uploadstring in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: pwh_uploadstring +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml index 9760e43b5..c183639d6 100644 --- a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml +++ b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml @@ -2,10 +2,10 @@ author: Teoderick Contreras, Splunk id: 10c0003d-f2dc-4b79-a388-6d7382879412 date: '2023-02-21' description: Generated datasets for scheduledtask in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: scheduledtask +datasets: +- name: sysmon + path: /datasets/malware/winter-vivern/scheduledtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/xmrig_miner/data.yml b/datasets/malware/xmrig_miner/data.yml new file mode 100644 index 000000000..19652bb09 --- /dev/null +++ b/datasets/malware/xmrig_miner/data.yml @@ -0,0 +1,11 @@ +author: Generated by dataset_analyzer.py +id: a99282ac-ea15-4392-bb8e-e6d81532e7b6 +date: '2025-08-12' +description: Automatically categorized datasets in directory xmrig_miner +environment: attack_range +directory: xmrig_miner +datasets: +- name: windows-sysmon + path: /datasets/malware/xmrig_miner/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched.yml b/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched_old.yml similarity index 100% rename from datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched.yml rename to datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched_old.yml diff --git a/datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts.yml b/datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts.yml rename to datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts_old.yml diff --git a/datasets/suspicious_behaviour/alerts/defender_incident_alerts.yml b/datasets/suspicious_behaviour/alerts/defender_incident_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/alerts/defender_incident_alerts.yml rename to datasets/suspicious_behaviour/alerts/defender_incident_alerts_old.yml diff --git a/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml b/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml similarity index 100% rename from datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml rename to datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml diff --git a/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.yml b/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.yml rename to datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.yml b/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password_old.yml diff --git a/datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis.yml b/datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis_old.yml similarity index 100% rename from datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis.yml rename to datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis_old.yml diff --git a/datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service.yml b/datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service_old.yml similarity index 100% rename from datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service.yml rename to datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service_old.yml diff --git a/datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation.yml b/datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation.yml rename to datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation_old.yml diff --git a/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation.yml b/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation.yml rename to datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation_old.yml diff --git a/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.yml b/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk_old.yml similarity index 100% rename from datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.yml rename to datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk_old.yml diff --git a/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.yml b/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike_old.yml similarity index 100% rename from datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.yml rename to datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike_old.yml diff --git a/datasets/suspicious_behaviour/windows_lolbas_risk/replay.yml b/datasets/suspicious_behaviour/windows_lolbas_risk/replay_old.yml similarity index 100% rename from datasets/suspicious_behaviour/windows_lolbas_risk/replay.yml rename to datasets/suspicious_behaviour/windows_lolbas_risk/replay_old.yml diff --git a/datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk.yml b/datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk_old.yml similarity index 100% rename from datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk.yml rename to datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk_old.yml