From 2c1ce022e385adfc536b07687cbd39ab887bc531 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Fri, 8 Aug 2025 15:16:44 +0200 Subject: [PATCH 01/18] dataset analyzer --- bin/add_uuid.py | 64 - bin/dataset_analyzer.py | 1041 +++++++++++++++++ bin/replay.py | 332 +++--- bin/replay.yml | 27 - bin/requirements.txt | 16 +- bin/run_escu_detections.py | 612 ++++++++++ bin/write_dataset_url.py | 73 -- .../windows-security-events_ssa.log | 3 - 8 files changed, 1806 insertions(+), 362 deletions(-) delete mode 100644 bin/add_uuid.py create mode 100644 bin/dataset_analyzer.py delete mode 100644 bin/replay.yml create mode 100644 bin/run_escu_detections.py delete mode 100644 bin/write_dataset_url.py delete mode 100644 datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log diff --git a/bin/add_uuid.py b/bin/add_uuid.py deleted file mode 100644 index 12745dea2..000000000 --- a/bin/add_uuid.py +++ /dev/null @@ -1,64 +0,0 @@ -import yaml -import sys -import argparse -import uuid -from os import path, walk - -def add_uuid(REPO_PATH, content_part, VERBOSE): - manifest_files = [] - - types = ["attack_techniques", "malware", "suspicious_behaviour"] - for t in types: - for root, dirs, files in walk(REPO_PATH + "/" + content_part + '/' + t): - for file in files: - if file.endswith(".yml"): - manifest_files.append((path.join(root, file))) - - for manifest_file in manifest_files: - pretty_yaml = dict() - if VERBOSE: - print("processing manifest {0}".format(manifest_file)) - - with open(manifest_file, 'r') as stream: - try: - object = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - print("Error reading {0}".format(manifest_file)) - error = True - continue - - pretty_yaml['author'] = object['author'] - pretty_yaml['id'] = str(uuid.uuid1()) - pretty_yaml['date'] = object['date'] - pretty_yaml['description'] = object['description'] - pretty_yaml['environment'] = object['environment'] - pretty_yaml['dataset'] = object['dataset'] - pretty_yaml['sourcetypes'] = object['sourcetypes'] - if 'references' in object: - pretty_yaml['references'] = object['references'] - else: - pretty_yaml['references'] = [] - - with open(manifest_file, 'w') as file: - documents = yaml.dump(pretty_yaml, file, sort_keys=False) - - return manifest_files - -def main(args): - parser = argparse.ArgumentParser(description="adds uuid") - parser.add_argument("-p", "--path", required=True, help="path to security_content repo") - parser.add_argument("-v", "--verbose", required=False, default=False, action='store_true', help="prints verbose output") - - args = parser.parse_args() - REPO_PATH = args.path - VERBOSE = args.verbose - output = [] - content_part = 'datasets' - manifest_files = add_uuid(REPO_PATH, content_part, VERBOSE) - - print("process {0} attack data files".format(len(manifest_files))) - - -if __name__ == "__main__": - main(sys.argv[1:]) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py new file mode 100644 index 000000000..2670208ba --- /dev/null +++ b/bin/dataset_analyzer.py @@ -0,0 +1,1041 @@ +#!/usr/bin/env python3 +""" +Dataset Analyzer for Attack Data Repository + +This script analyzes datasets in the attack_data repository and categorizes them +based on filename patterns and content types. It recursively searches through +directories to find data files and creates data.yml files in the same directories +as the data files. + +Features: +- Recursive analysis of all directories containing data files (default behavior) +- Analyze a specific folder and its subdirectories +- Generic directory structure support (not tied to specific naming conventions) +- Automatic categorization based on filename patterns and content detection +- Automatic creation of data.yml files in directories containing data files +- Summary report generation + +Usage Examples: + # Analyze all directories recursively + python dataset_analyzer.py + + # Analyze a specific directory and its subdirectories + python dataset_analyzer.py --folder datasets/attack_techniques/T1003.001 + + # Analyze a specific folder (malware, honeypots, etc.) + python dataset_analyzer.py --folder datasets/malware + + # Use custom base path + python dataset_analyzer.py --base-path /path/to/data + +Author: Generated for attack_data repository analysis +""" + +import re +import logging +import argparse +from pathlib import Path +from typing import Dict, List, Tuple, Optional +from dataclasses import dataclass +from datetime import datetime + +try: + import yaml +except ImportError: + print("Warning: PyYAML not installed. Install with: pip install PyYAML") + yaml = None + +# Configure logging +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s' +) +logger = logging.getLogger(__name__) + + +@dataclass +class DatasetInfo: + """Information about a dataset file""" + name: str + path: str + sourcetype: str + source: Optional[str] = None + + +@dataclass +class CategoryRule: + """Rule for categorizing datasets""" + pattern: str + sourcetype: str + source: Optional[str] = None + content_check: Optional[str] = None + description: str = "" + + +class DatasetAnalyzer: + """Analyzes and categorizes datasets in the attack_data repository""" + + def __init__(self, base_path: str = "datasets"): + self.base_path = Path(base_path) + self.rules = self._initialize_rules() + + def _initialize_rules(self) -> List[CategoryRule]: + """Initialize categorization rules based on common patterns""" + return [ + # Windows Event Logs - XML format + CategoryRule( + pattern=r".*windows-sysmon.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", + content_check="xml", + description="Windows Sysmon logs in XML format" + ), + CategoryRule( + pattern=r".*sysmon.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", + content_check="xml", + description="Sysmon logs in XML format" + ), + CategoryRule( + pattern=r".*windows-security.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Security", + content_check="xml", + description="Windows Security Event logs in XML format" + ), + CategoryRule( + pattern=r".*windows-system.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:System", + content_check="xml", + description="Windows System Event logs in XML format" + ), + CategoryRule( + pattern=r".*windows-powershell.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", + content_check="xml", + description="Windows PowerShell logs in XML format" + ), + CategoryRule( + pattern=r".*windows-application.*\.log$", + sourcetype="XmlWinEventLog", + source="XmlWinEventLog:Application", + content_check="xml", + description="Windows Application Event logs in XML format" + ), + + # CrowdStrike Falcon + CategoryRule( + pattern=r".*crowdstrike.*\.log$", + sourcetype="crowdstrike:events:sensor", + content_check="json", + description="CrowdStrike Falcon sensor events" + ), + CategoryRule( + pattern=r".*falcon.*\.log$", + sourcetype="crowdstrike:events:sensor", + content_check="json", + description="CrowdStrike Falcon sensor events" + ), + + # Linux/Unix logs + CategoryRule( + pattern=r".*syslog.*\.log$", + sourcetype="syslog", + source="syslog", + description="Linux/Unix syslog files" + ), + CategoryRule( + pattern=r".*auth.*\.log$", + sourcetype="linux_secure", + source="linux_secure", + description="Linux authentication logs" + ), + CategoryRule( + pattern=r".*secure.*\.log$", + sourcetype="linux_secure", + source="linux_secure", + description="Linux secure logs" + ), + + # Network and Firewall logs + CategoryRule( + pattern=r".*firewall.*\.log$", + sourcetype="firewall", + description="Firewall logs" + ), + CategoryRule( + pattern=r".*palo.*alto.*\.log$", + sourcetype="pan:traffic", + description="Palo Alto firewall logs" + ), + CategoryRule( + pattern=r".*cisco.*\.log$", + sourcetype="cisco:asa", + description="Cisco network device logs" + ), + + # Web server logs + CategoryRule( + pattern=r".*access.*\.log$", + sourcetype="access_combined", + description="Web server access logs" + ), + CategoryRule( + pattern=r".*apache.*\.log$", + sourcetype="access_combined", + description="Apache web server logs" + ), + CategoryRule( + pattern=r".*nginx.*\.log$", + sourcetype="nginx:plus:access", + description="Nginx web server logs" + ), + CategoryRule( + pattern=r".*iis.*\.log$", + sourcetype="iis", + description="IIS web server logs" + ), + + # Cloud and container logs + CategoryRule( + pattern=r".*aws.*\.log$", + sourcetype="aws:cloudtrail", + description="AWS CloudTrail logs" + ), + CategoryRule( + pattern=r".*azure.*\.log$", + sourcetype="azure:monitor:aad", + description="Azure activity logs" + ), + CategoryRule( + pattern=r".*docker.*\.log$", + sourcetype="docker", + description="Docker container logs" + ), + CategoryRule( + pattern=r".*kubernetes.*\.log$", + sourcetype="kube:container", + description="Kubernetes container logs" + ), + + # Database logs + CategoryRule( + pattern=r".*mysql.*\.log$", + sourcetype="mysql:error", + description="MySQL database logs" + ), + CategoryRule( + pattern=r".*postgres.*\.log$", + sourcetype="postgresql", + description="PostgreSQL database logs" + ), + CategoryRule( + pattern=r".*mssql.*\.log$", + sourcetype="mssql:errorlog", + description="Microsoft SQL Server logs" + ), + + # Application logs + CategoryRule( + pattern=r".*exchange.*\.log$", + sourcetype="MSExchange:Management", + description="Microsoft Exchange logs" + ), + CategoryRule( + pattern=r".*sharepoint.*\.log$", + sourcetype="sharepoint:uls", + description="SharePoint logs" + ), + CategoryRule( + pattern=r".*jboss.*\.log$", + sourcetype="jboss", + description="JBoss application server logs" + ), + CategoryRule( + pattern=r".*tomcat.*\.log$", + sourcetype="catalina", + description="Apache Tomcat logs" + ), + + # JSON format logs (generic) + CategoryRule( + pattern=r".*\.json\.log$", + sourcetype="json", + content_check="json", + description="JSON formatted logs" + ), + + # CSV format logs + CategoryRule( + pattern=r".*\.csv\.log$", + sourcetype="csv", + description="CSV formatted logs" + ), + CategoryRule( + pattern=r".*\.csv$", + sourcetype="csv", + description="CSV data files" + ), + + # Text files + CategoryRule( + pattern=r".*\.txt$", + sourcetype="text", + description="Plain text files" + ), + + # Generic log file fallback + CategoryRule( + pattern=r".*\.log$", + sourcetype="generic_log", + description="Generic log files" + ) + ] + + def _detect_content_type(self, file_path: Path) -> str: + """Detect the content type of a file by examining its contents""" + try: + # Read first few lines to determine format + with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: + first_lines = [] + for i, line in enumerate(f): + if i >= 10: # Read first 10 lines + break + first_lines.append(line.strip()) + + content = '\n'.join(first_lines) + + # Check for XML (Windows Event Log format) + if (' 1: + # Simple heuristic: if most lines have similar comma count + comma_counts = [line.count(',') for line in first_lines + if line] + if comma_counts and len(set(comma_counts)) <= 2: + return 'csv' + + return 'text' + + except Exception as e: + logger.warning(f"Could not detect content type for {file_path}: {e}") + return 'unknown' + + def _apply_rules(self, file_path: Path) -> Optional[ + Tuple[str, Optional[str], bool] + ]: + """Apply categorization rules and return (sourcetype, source, is_specific_rule)""" + filename = file_path.name.lower() + content_type = self._detect_content_type(file_path) + + for i, rule in enumerate(self.rules): + if re.match(rule.pattern.lower(), filename): + # If rule has content check, verify it matches + if rule.content_check and rule.content_check != content_type: + continue + + # Check if this is the generic log fallback rule (last rule) + is_specific_rule = i < len(self.rules) - 1 + + logger.debug( + f"Applied rule '{rule.description}' to {filename} " + f"(specific: {is_specific_rule})" + ) + return rule.sourcetype, rule.source, is_specific_rule + + logger.warning(f"No matching rule found for {filename}") + return None + + def _is_data_file(self, file_path: Path) -> bool: + """Check if a file is a data file (not .yml or .zip)""" + excluded_extensions = {'.yml', '.yaml', '.zip', '.tar', '.gz', + '.rar', '.7z'} + return file_path.suffix.lower() not in excluded_extensions + + def _find_datasets(self, technique_path: Path) -> List[Path]: + """Find all dataset files in a technique directory""" + datasets = [] + + for item in technique_path.rglob('*'): + if item.is_file() and self._is_data_file(item): + datasets.append(item) + + return datasets + + def _get_mitre_technique(self, technique_path: Path) -> str: + """Extract MITRE technique ID from path""" + # Extract technique ID from path like "datasets/attack_techniques/T1003.001/..." + parts = technique_path.parts + for part in parts: + if part.startswith('T') and ('.' in part or part[1:].isdigit()): + return part + return "unknown" + + def _generate_dataset_info( + self, datasets: List[Path], base_path: Path + ) -> Tuple[List[DatasetInfo], List[Dict]]: + """Generate dataset information with categorization and track ignored files""" + dataset_infos = [] + ignored_files = [] + + for dataset_path in datasets: + # Create relative path from base directory + try: + relative_path = dataset_path.relative_to(base_path.parent) + web_path = f"/datasets/{relative_path.as_posix()}" + except ValueError: + # Fallback if relative path fails + web_path = f"/datasets/{dataset_path.name}" + + # Apply categorization rules + result = self._apply_rules(dataset_path) + if result: + sourcetype, source, is_specific_rule = result + + if is_specific_rule: + # Only include files that match specific rules + dataset_info = DatasetInfo( + name=dataset_path.name, + path=web_path, + sourcetype=sourcetype, + source=source + ) + dataset_infos.append(dataset_info) + logger.info(f"Categorized {dataset_path.name} as {sourcetype}") + else: + # Track files that only match generic fallback rules + ignored_files.append({ + 'name': dataset_path.name, + 'path': web_path, + 'sourcetype': sourcetype, + 'reason': 'generic_fallback_rule' + }) + logger.info( + f"Ignored {dataset_path.name} (generic rule: {sourcetype})" + ) + else: + # Track files that don't match any rule + ignored_files.append({ + 'name': dataset_path.name, + 'path': web_path, + 'sourcetype': 'unknown', + 'reason': 'no_matching_rule' + }) + logger.error(f"Could not categorize {dataset_path.name}") + + return dataset_infos, ignored_files + + def analyze_technique_directory(self, technique_path: Path) -> Optional[Dict]: + """Analyze a single technique directory and generate YAML structure""" + if not technique_path.is_dir(): + return None + + datasets = self._find_datasets(technique_path) + if not datasets: + logger.info(f"No datasets found in {technique_path}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info( + datasets, self.base_path + ) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {technique_path}") + return None + + # Extract technique information + mitre_technique = self._get_mitre_technique(technique_path) + + # Generate YAML structure + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': (f'generated-{mitre_technique.lower()}-' + f'{datetime.now().strftime("%Y%m%d")}'), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets for technique ' + f'{mitre_technique}'), + 'environment': 'attack_range', + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_specific_folder(self, folder_path: str) -> Dict[str, Dict]: + """Analyze a specific folder recursively and return results""" + results = {} + target_path = Path(folder_path) + + if not target_path.exists(): + logger.error(f"Folder not found: {target_path}") + return results + + if not target_path.is_dir(): + logger.error(f"Path is not a directory: {target_path}") + return results + + logger.info(f"Analyzing specific folder: {target_path}") + + # Initialize ignored files tracking + self._ignored_files = [] + + # Store the analysis base path for later use in creating data.yml files + self._analysis_base_path = target_path.resolve() + + # Find all directories that contain data files within the target path + data_directories = self._find_directories_with_data(target_path) + + if not data_directories: + logger.warning(f"No directories with data files found in {target_path}") + return results + + logger.info(f"Found {len(data_directories)} directories containing data files") + + for data_dir in data_directories: + logger.info(f"Analyzing {data_dir}...") + yaml_data = self._analyze_data_directory(data_dir) + + if yaml_data: + # Store the actual directory path in the yaml_data for later use + yaml_data['_source_directory'] = str(data_dir.resolve()) + + # Use relative path from target_path as key for uniqueness + try: + rel_path = data_dir.relative_to(target_path) + results[str(rel_path)] = yaml_data + except ValueError: + # Fallback if relative path fails + results[data_dir.name] = yaml_data + logger.info(f"Successfully analyzed {data_dir}") + else: + logger.info(f"No analyzable data in {data_dir}") + + return results + + def _find_directories_with_data(self, base_path: Path) -> List[Path]: + """Find all directories that contain data files (recursively)""" + data_directories = [] + + # First, check if the base_path itself contains data files + has_data_files = False + for file_item in base_path.iterdir(): + if file_item.is_file() and self._is_data_file(file_item): + has_data_files = True + break + + if has_data_files: + data_directories.append(base_path) + + # Then use rglob to find subdirectories that contain data files + for item in base_path.rglob('*'): + if item.is_dir(): + # Check if this directory contains any data files (non-recursive check) + has_data_files = False + for file_item in item.iterdir(): + if file_item.is_file() and self._is_data_file(file_item): + has_data_files = True + break + + if has_data_files: + data_directories.append(item) + + return data_directories + + def _analyze_data_directory(self, data_dir: Path) -> Optional[Dict]: + """Analyze a directory containing data files""" + if not data_dir.is_dir(): + return None + + # Find data files in this specific directory (not recursive) + datasets = [] + for item in data_dir.iterdir(): + if item.is_file() and self._is_data_file(item): + datasets.append(item) + + if not datasets: + logger.info(f"No data files found in {data_dir}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info(datasets, data_dir) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {data_dir}") + return None + + # Generate YAML structure for data directory + try: + relative_path = data_dir.relative_to(self.base_path) + directory_str = str(relative_path) + except ValueError: + # Fallback if relative path fails (e.g., when target is outside base_path) + relative_path = data_dir + directory_str = str(data_dir.name) + + # Extract MITRE technique from directory path + mitre_technique = self._get_mitre_technique(data_dir) + + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': (f'generated-{data_dir.name.lower()}-' + f'{datetime.now().strftime("%Y%m%d")}'), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets in directory ' + f'{directory_str}'), + 'environment': 'attack_range', + 'directory': directory_str, + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_generic_directory(self, directory_path: Path) -> Optional[Dict]: + """Analyze a generic directory that doesn't follow technique naming""" + if not directory_path.is_dir(): + return None + + datasets = self._find_datasets(directory_path) + if not datasets: + logger.info(f"No datasets found in {directory_path}") + return None + + dataset_infos, ignored_files = self._generate_dataset_info( + datasets, directory_path + ) + + # Store ignored files for summary reporting + if not hasattr(self, '_ignored_files'): + self._ignored_files = [] + self._ignored_files.extend(ignored_files) + + if not dataset_infos: + logger.warning(f"No categorizable datasets found in {directory_path}") + return None + + # Generate YAML structure for generic directory + # Extract MITRE technique from directory path + mitre_technique = self._get_mitre_technique(directory_path) + + yaml_data = { + 'author': 'Generated by dataset_analyzer.py', + 'id': (f'generated-{directory_path.name.lower()}-' + f'{datetime.now().strftime("%Y%m%d")}'), + 'date': datetime.now().strftime('%Y-%m-%d'), + 'description': (f'Automatically categorized datasets in directory ' + f'{directory_path.name}'), + 'environment': 'attack_range', + 'directory': directory_path.name, + 'mitre_technique': [mitre_technique], + 'datasets': [] + } + + # Add dataset entries + for dataset_info in dataset_infos: + dataset_entry = { + 'name': dataset_info.name.replace('.log', '').replace('.', '-'), + 'path': dataset_info.path, + 'sourcetype': dataset_info.sourcetype + } + + if dataset_info.source: + dataset_entry['source'] = dataset_info.source + + yaml_data['datasets'].append(dataset_entry) + + return yaml_data + + def analyze_all_directories(self) -> Dict[str, Dict]: + """Analyze all directories recursively and return results""" + results = {} + + if not self.base_path.exists(): + logger.error(f"Base path not found: {self.base_path}") + return results + + logger.info(f"Starting recursive analysis from: {self.base_path}") + + # Initialize ignored files tracking + self._ignored_files = [] + + # Find all directories that contain data files + data_directories = self._find_directories_with_data(self.base_path) + + logger.info(f"Found {len(data_directories)} directories containing data files") + + for data_dir in data_directories: + logger.info(f"Analyzing {data_dir}...") + yaml_data = self._analyze_data_directory(data_dir) + + if yaml_data: + # Store the actual directory path in the yaml_data for later use + yaml_data['_source_directory'] = str(data_dir.resolve()) + + # Use relative path as key for uniqueness + rel_path = data_dir.relative_to(self.base_path) + results[str(rel_path)] = yaml_data + logger.info(f"Successfully analyzed {data_dir}") + else: + logger.info(f"No analyzable data in {data_dir}") + + return results + + def create_data_yaml_files(self, results: Dict[str, Dict]): + """Create data.yml files in the same directories as the datasets""" + if yaml is None: + logger.error("PyYAML not available. Cannot create data.yml files.") + return + + for directory_key, yaml_data in results.items(): + if 'datasets' not in yaml_data or not yaml_data['datasets']: + continue + + # Check if we have the actual source directory stored + if '_source_directory' in yaml_data: + directory_path = Path(yaml_data['_source_directory']) + + # Remove the internal metadata before saving + yaml_data_clean = yaml_data.copy() + del yaml_data_clean['_source_directory'] + + if directory_path.exists() and directory_path.is_dir(): + data_yml_path = directory_path / "data.yml" + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data_clean, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + logger.info(f"Created data.yml in {directory_path}") + except Exception as e: + logger.error(f"Failed to create data.yml in {directory_path}: " + f"{e}") + else: + logger.warning(f"Source directory does not exist: {directory_path}") + continue + + # Fallback to the old method for backward compatibility + first_dataset = yaml_data['datasets'][0] + dataset_path = first_dataset.get('path', '') + + if dataset_path.startswith('/datasets/'): + # Convert web path to local path + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_file_path = self.base_path / local_path + directory_path = full_file_path.parent + + if directory_path.exists() and directory_path.is_dir(): + data_yml_path = directory_path / "data.yml" + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + logger.info(f"Created data.yml in {directory_path}") + except Exception as e: + logger.error(f"Failed to create data.yml in {directory_path}: " + f"{e}") + else: + logger.warning(f"Directory does not exist: {directory_path}") + else: + logger.warning(f"Invalid dataset path format: {dataset_path}") + + def _find_technique_directory(self, technique_id: str) -> Optional[Path]: + """Find the directory path for a given technique ID""" + attack_techniques_path = self.base_path / "attack_techniques" + technique_path = attack_techniques_path / technique_id + + if technique_path.exists() and technique_path.is_dir(): + return technique_path + return None + + def _find_generic_directory(self, directory_name: str, + yaml_data: Dict) -> Optional[Path]: + """Find a generic directory based on dataset paths""" + if 'datasets' not in yaml_data or not yaml_data['datasets']: + return None + + # Get the first dataset path and extract the directory + first_dataset = yaml_data['datasets'][0] + dataset_path = first_dataset.get('path', '') + + # Convert web path back to local path + if dataset_path.startswith('/datasets/'): + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_path = self.base_path / local_path + + # Get the directory containing the file + directory_path = full_path.parent + if directory_path.exists() and directory_path.is_dir(): + return directory_path + + return None + + def _create_data_yml_from_paths(self, base_directory: Path, yaml_data: Dict): + """Create data.yml files based on dataset paths""" + if 'datasets' not in yaml_data: + return + + # Group datasets by their directory + datasets_by_dir = {} + + for dataset in yaml_data['datasets']: + dataset_path = dataset.get('path', '') + if dataset_path.startswith('/datasets/'): + local_path = dataset_path[10:] # Remove '/datasets/' prefix + full_path = self.base_path / local_path + dataset_dir = full_path.parent + + if dataset_dir not in datasets_by_dir: + datasets_by_dir[dataset_dir] = [] + datasets_by_dir[dataset_dir].append(dataset) + + # Create data.yml in each directory that has datasets + for directory, datasets in datasets_by_dir.items(): + if directory.exists() and directory.is_dir(): + dir_yaml_data = yaml_data.copy() + dir_yaml_data['datasets'] = datasets + self._create_data_yml_in_directory(directory, dir_yaml_data) + + def _find_subdirs_with_datasets(self, technique_path: Path) -> List[Path]: + """Find subdirectories that contain dataset files""" + subdirs_with_datasets = [] + + for item in technique_path.iterdir(): + if item.is_dir(): + # Check if this subdirectory contains dataset files + datasets = self._find_datasets(item) + if datasets: + subdirs_with_datasets.append(item) + + return subdirs_with_datasets + + def _get_datasets_for_directory(self, directory: Path, + yaml_data: Dict) -> List[Dict]: + """Get datasets that belong to a specific directory""" + directory_datasets = [] + dir_name = directory.name + + for dataset in yaml_data['datasets']: + # Check if the dataset path contains this directory name + if f"/{dir_name}/" in dataset['path']: + directory_datasets.append(dataset) + + return directory_datasets + + def _create_data_yml_in_directory(self, directory: Path, yaml_data: Dict): + """Create a data.yml file in the specified directory""" + data_yml_path = directory / "data.yml" + + try: + with open(data_yml_path, 'w', encoding='utf-8') as f: + yaml.dump(yaml_data, f, default_flow_style=False, + allow_unicode=True, sort_keys=False) + + logger.info(f"Created data.yml in {directory}") + + except Exception as e: + logger.error(f"Failed to create data.yml in {directory}: {e}") + + def generate_summary_report(self, results: Dict[str, Dict]) -> str: + """Generate a summary report of the analysis""" + total_techniques = len(results) + total_datasets = sum(len(data['datasets']) for data in results.values()) + + # Count sourcetypes for included datasets + sourcetype_counts = {} + for data in results.values(): + for dataset in data['datasets']: + sourcetype = dataset['sourcetype'] + sourcetype_counts[sourcetype] = ( + sourcetype_counts.get(sourcetype, 0) + 1 + ) + + # Count ignored files + ignored_files = getattr(self, '_ignored_files', []) + total_ignored = len(ignored_files) + ignored_sourcetype_counts = {} + + for ignored_file in ignored_files: + sourcetype = ignored_file['sourcetype'] + ignored_sourcetype_counts[sourcetype] = ( + ignored_sourcetype_counts.get(sourcetype, 0) + 1 + ) + + report = f""" +Dataset Analysis Summary Report +============================== + +Total Techniques Analyzed: {total_techniques} +Total Datasets Categorized: {total_datasets} +Total Files Ignored: {total_ignored} + +Sourcetype Distribution (Included in data.yml): +{'-' * 50} +""" + + for sourcetype, count in sorted(sourcetype_counts.items(), + key=lambda x: x[1], reverse=True): + report += f"{sourcetype:<40} {count:>6}\n" + + if ignored_files: + report += f"\nIgnored Files (Generic/No Rules):\n{'-' * 50}\n" + for sourcetype, count in sorted(ignored_sourcetype_counts.items(), + key=lambda x: x[1], reverse=True): + report += f"{sourcetype:<40} {count:>6}\n" + + report += f"\nIgnored File Details:\n{'-' * 50}\n" + for ignored_file in ignored_files: + reason = ignored_file['reason'].replace('_', ' ').title() + report += f"{ignored_file['name']:<50} {reason}\n" + + report += f"\n{'-' * 50}\n" + report += (f"Report generated on: " + f"{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n") + + return report + + +def parse_arguments(): + """Parse command line arguments""" + parser = argparse.ArgumentParser( + description="Dataset Analyzer for Attack Data Repository", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + # Analyze all directories recursively (creates data.yml files automatically) + python dataset_analyzer.py + + # Analyze a specific directory and its subdirectories + python dataset_analyzer.py --folder datasets/attack_techniques/T1003.001 + + # Analyze any custom folder + python dataset_analyzer.py --folder /path/to/custom/folder + + # Use custom base path + python dataset_analyzer.py --base-path /path/to/data + """ + ) + + parser.add_argument( + "--folder", "-f", + type=str, + help="Specific folder to analyze (default: analyze all directories recursively)" + ) + + parser.add_argument( + "--base-path", "-b", + type=str, + default="datasets", + help="Base path for the datasets directory (default: datasets)" + ) + + parser.add_argument( + "--verbose", "-v", + action="store_true", + help="Enable verbose logging" + ) + + return parser.parse_args() + + +def main(): + """Main execution function""" + args = parse_arguments() + + # Configure logging level + if args.verbose: + logging.getLogger().setLevel(logging.DEBUG) + + print("Dataset Analyzer for Attack Data Repository") + print("=" * 50) + + # Initialize analyzer with custom base path if provided + analyzer = DatasetAnalyzer(base_path=args.base_path) + + # Determine analysis mode + if args.folder: + # Analyze specific folder + print(f"Starting analysis of specific folder: {args.folder}") + results = analyzer.analyze_specific_folder(args.folder) + analysis_type = "folder" + else: + # Analyze all directories (default behavior) + print("Starting analysis of all directories...") + results = analyzer.analyze_all_directories() + analysis_type = "all directories" + + if not results: + print(f"No results found for {analysis_type}. " + f"Please check the path and directory structure.") + return + + # Create data.yml files in dataset directories + print("\nCreating data.yml files in dataset directories...") + analyzer.create_data_yaml_files(results) + + # Generate and save summary report + report = analyzer.generate_summary_report(results) + print(report) + + # Save report to file + report_filename = (f"dataset_analysis_report_" + f"{datetime.now().strftime('%Y%m%d_%H%M%S')}.txt") + with open(report_filename, "w", encoding="utf-8") as f: + f.write(report) + + print("Analysis complete!") + print(f"- Summary report saved to: {report_filename}") + print("- data.yml files created in dataset directories") + + if args.folder: + print(f"- Analyzed folder: {args.folder}") + else: + print(f"- Analyzed {len(results)} directories with data files") + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/bin/replay.py b/bin/replay.py index 8064624ce..5462c6688 100644 --- a/bin/replay.py +++ b/bin/replay.py @@ -1,196 +1,154 @@ -import argparse -import sys -import yaml -import os -import re -import io -import json -import fileinput -from datetime import datetime -from datetime import timedelta -import splunklib.client as client - - -class DataManipulation: - - def manipulate_timestamp(self, file_path, sourcetype, source): - # check that we support the source or sourcetype sent for manipulation - SUPPORTED = ['WinEventLog:System', 'WinEventLog:Security', 'exchange', 'aws:cloudtrail'] - if (sourcetype in SUPPORTED) or (source in SUPPORTED): - print("updating timestamps before replaying for file: {0}".format(file_path)) - else: - print("WARNING - cannot manipulate the timestamp for file: {0}, sourcetype: `{1}` or source: `{2}` it is not currently supported.".format(file_path, sourcetype, source)) - return - - if sourcetype == 'aws:cloudtrail': - self.manipulate_timestamp_cloudtrail(file_path) - - if source == 'WinEventLog:System' or source == 'WinEventLog:Security': - self.manipulate_timestamp_windows_event_log_raw(file_path) - - if source == 'exchange': - self.manipulate_timestamp_exchange_logs(file_path) - - - def manipulate_timestamp_exchange_logs(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%S") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S") - - difference = now - latest_event - f.close() - - for line in fileinput.input(path, inplace=True): - d = json.loads(line) - original_time = datetime.strptime(d["CreationTime"],"%Y-%m-%dT%H:%M:%S") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S") - print (line.replace(original_time, new_time),end ='') - - - def manipulate_timestamp_windows_event_log_raw(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") - self.now = datetime.now() - self.now = self.now.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - self.now = datetime.strptime(self.now,"%Y-%m-%dT%H:%M:%S.%fZ") - - # read raw logs - regex = r'\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M' - data = f.read() - lst_matches = re.findall(regex, data) - if len(lst_matches) > 0: - latest_event = datetime.strptime(lst_matches[-1],"%m/%d/%Y %I:%M:%S %p") - self.difference = self.now - latest_event - f.close() - - result = re.sub(regex, self.replacement_function, data) +#!/usr/bin/env python3 - with io.open(file_path, "w+", encoding='utf8') as f: - f.write(result) - else: - f.close() - return - - - def replacement_function(self, match): +import os +import sys +import argparse +import glob +import uuid +import urllib +import requests +from urllib3 import disable_warnings + + +def load_environment_variables(): + """Load required environment variables for Splunk connection.""" + required_vars = ['SPLUNK_HOST', 'SPLUNK_HEC_TOKEN'] + env_vars = {} + for var in required_vars: + value = os.environ.get(var) + if not value: + raise ValueError(f"Environment variable {var} is required but not set") + env_vars[var.lower().replace('splunk_', '')] = value + return env_vars + + +def find_data_files(folder_path): + """Find all data files in the specified folder (supports .log, .json, .txt).""" + files = [] + for ext in ("*.log", "*.json", "*.txt"): + files.extend(glob.glob(os.path.join(folder_path, ext))) + if not files: + print(f"Warning: No data files found in {folder_path}") + return files + + +def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid, + index="test", source="test", sourcetype="test", + verify_ssl=False): + """Send a data file to Splunk HEC.""" + if not verify_ssl: + disable_warnings() + hec_channel = str(uuid.uuid4()) + headers = { + "Authorization": f"Splunk {hec_token}", + "X-Splunk-Request-Channel": hec_channel, + } + url_params = { + "index": index, + "source": source, + "sourcetype": sourcetype, + "host": event_host_uuid, + } + url = urllib.parse.urljoin( + f"https://{splunk_host}:8088", + "services/collector/raw" + ) + with open(file_path, "rb") as datafile: try: - event_time = datetime.strptime(match.group(),"%m/%d/%Y %I:%M:%S %p") - new_time = self.difference + event_time - return new_time.strftime("%m/%d/%Y %I:%M:%S %p") + res = requests.post( + url, + params=url_params, + data=datafile.read(), + allow_redirects=True, + headers=headers, + verify=verify_ssl, + ) + res.raise_for_status() + print(f":white_check_mark: Sent {file_path} to Splunk HEC") except Exception as e: - print("ERROR - in timestamp replacement occured: " + str(e)) - return match.group() - - - def manipulate_timestamp_cloudtrail(self, file_path): - f = io.open(file_path, "r", encoding="utf-8") + print(f":x: Error sending {file_path} to Splunk HEC: {e}") + + +def main(): + parser = argparse.ArgumentParser( + description="Replay data files to Splunk via HTTP Event Collector (HEC)", + epilog=""" +Environment Variables Required: + SPLUNK_HOST - Splunk server hostname/IP + SPLUNK_HEC_TOKEN - Splunk HEC token + +Example usage: + python replay.py /path/to/data/folder + python replay.py /path/to/data/file.log --host-uuid 12345678-abcd-efgh + export SPLUNK_HOST="192.168.1.100" + export SPLUNK_HEC_TOKEN="your-hec-token" + """, + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + parser.add_argument( + 'path', + help='Path to a data file or folder containing data files' + ) + parser.add_argument( + '--source', + default='test', + help='Source field for Splunk events (default: test)' + ) + parser.add_argument( + '--sourcetype', + default='test', + help='Sourcetype field for Splunk events (default: test)' + ) + parser.add_argument( + '--index', + default='test', + help='Splunk index to send events to (default: test)' + ) + parser.add_argument( + '--no-verify-ssl', + action='store_true', + help='Disable SSL verification for Splunk HEC' + ) + parser.add_argument( + '--host-uuid', + help='UUID to use as the host field for Splunk events ' + '(generates random UUID if not provided)' + ) + args = parser.parse_args() - try: - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%S.%fZ") - except ValueError: - first_line = f.readline() - d = json.loads(first_line) - latest_event = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ") - - now = datetime.now() - now = now.strftime("%Y-%m-%dT%H:%M:%SZ") - now = datetime.strptime(now,"%Y-%m-%dT%H:%M:%SZ") - - difference = now - latest_event - f.close() - - for line in fileinput.input(file_path, inplace=True): - try: - d = json.loads(line) - original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%S.%fZ") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ") - print (line.replace(original_time, new_time),end ='') - except ValueError: - d = json.loads(line) - original_time = datetime.strptime(d["eventTime"],"%Y-%m-%dT%H:%M:%SZ") - new_time = (difference + original_time) - - original_time = original_time.strftime("%Y-%m-%dT%H:%M:%SZ") - new_time = new_time.strftime("%Y-%m-%dT%H:%M:%SZ") - print (line.replace(original_time, new_time),end ='') - - -def send_to_splunk(settings): - # connect to splunk try: - service = client.connect(host=settings['splunk']['host'], port=8089, username=settings['splunk']['username'], password=settings['splunk']['password']) - except ConnectionRefusedError as e: - print("ERROR - could not connect to the splunk server {}:8089".format(settings['splunk']['host'])) - sys.exit(1) - - # go through all datasets - for dataset in settings['datasets']: - # check dataset is enabled - if dataset['enabled']: - # does the index exists? - if dataset['replay_parameters']['index'] not in service.indexes: - print("ERROR - index {0} does not exist on splunk server {1}.".format(dataset['replay_parameters']['index'], settings['splunk']['host'])) - sys.exit(1) - # set index - index = service.indexes[dataset['replay_parameters']['index']] - fullpath = os.path.abspath(dataset['path']) - - # update timestamps before replay - if 'update_timestamp' in dataset['replay_parameters']: - if dataset['replay_parameters']['update_timestamp'] == True: - data_manipulation = DataManipulation() - data_manipulation.manipulate_timestamp(fullpath, dataset['replay_parameters']['sourcetype'], dataset['replay_parameters']['source']) - - # upload file - kwargs_submit = dict() - kwargs_submit['sourcetype'] = dataset['replay_parameters']['sourcetype'] - kwargs_submit['rename-source'] = dataset['replay_parameters']['source'] - results = index.upload(fullpath, **kwargs_submit) - return True - -def parse_config(CONFIG_PATH, VERBOSE): - with open(CONFIG_PATH, 'r') as stream: - try: - settings = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - print("ERROR: reading configuration file {0}".format(CONFIG_PATH)) + env_vars = load_environment_variables() + splunk_host = env_vars['host'] + hec_token = env_vars['hec_token'] + + # Generate UUID for host field if not provided + event_host_uuid = args.host_uuid or str(uuid.uuid4()) + print(f"Using host UUID: {event_host_uuid}") + + if os.path.isdir(args.path): + files = find_data_files(args.path) + elif os.path.isfile(args.path): + files = [args.path] + else: + print(f"Error: {args.path} is not a valid file or directory") sys.exit(1) - return settings + + for file_path in files: + send_data_to_splunk( + file_path=file_path, + splunk_host=splunk_host, + hec_token=hec_token, + event_host_uuid=event_host_uuid, + index=args.index, + source=args.source, + sourcetype=args.sourcetype, + verify_ssl=not args.no_verify_ssl, + ) + + except Exception as e: + print(f"Error: {e}") + sys.exit(1) if __name__ == "__main__": - # grab arguments - parser = argparse.ArgumentParser(description="replays attack_data datasets into a configured splunk server", epilog=""" - replay.py requires you to have a running splunk instance and username/password set under replay.yml in order to function.""") - parser.add_argument("-c", "--config", required=False, default="replay.yml", - help="path to the configuration file of replay.py, defaults to replay.yml") - parser.add_argument("-v", "--verbose", required=False, action='store_true', help="prints verbose output") - - # parse them - args = parser.parse_args() - CONFIG_PATH = args.config - verbose = args.verbose - settings = parse_config(CONFIG_PATH, verbose) - status = send_to_splunk(settings) - - if status: - print("successfully indexed {0} dataset on splunk server {1}".format(len(settings['datasets']), settings['splunk']['host'])) - else: - print("ERROR - issue replaying desired datasets on splunk server {0}".format(settings['splunk']['host'])) + main() diff --git a/bin/replay.yml b/bin/replay.yml deleted file mode 100644 index e6c45057d..000000000 --- a/bin/replay.yml +++ /dev/null @@ -1,27 +0,0 @@ -splunk: - # connects to host on port 8089 make sure you have access to :8089 - host: localhost - username: admin - password: changeme - -datasets: -#name of data set to replay -- name: T1003.002_windows_security -# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server - path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log -# splunk parameters to pass - replay_parameters: - source: WinEventLog:Security - sourcetype: WinEventLog - index: main - # updates timestamp of the dataset to current time. - update_timestamp: True - enabled: True - -- name: T1003.002_sysmon - path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log - replay_parameters: - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog - index: main - enabled: True diff --git a/bin/requirements.txt b/bin/requirements.txt index 235849b6d..c235e601e 100644 --- a/bin/requirements.txt +++ b/bin/requirements.txt @@ -1,8 +1,8 @@ -certifi==2021.5.30 -chardet==5.2.0 -idna==2.10 -pathlib==1.0.1; python_version < '3.4' -PyYAML==6.0 -requests==2.25.1 -splunk-sdk==2.0.2 -urllib3==2.3.0 +requests +urllib3 +pyyaml +splunk-sdk +gitpython +tqdm +colorama +pyyaml \ No newline at end of file diff --git a/bin/run_escu_detections.py b/bin/run_escu_detections.py new file mode 100644 index 000000000..385aa1cf7 --- /dev/null +++ b/bin/run_escu_detections.py @@ -0,0 +1,612 @@ +#!/usr/bin/env python3 + +""" +Splunk ESCU Detection Runner + +This script clones the Splunk security_content repository and runs all ESCU detections +against a Splunk instance. It parses detection YAML files and executes the searches +via Splunk's REST API. + +Author: Attack Data Team +Dependencies: See requirements.txt +""" + +import os +import sys +import argparse +import yaml +import json +import time +import logging +from pathlib import Path +from typing import List, Dict, Any, Optional +from datetime import datetime + +import splunklib.client as client +import splunklib.results as results +from git import Repo +from tqdm import tqdm +from colorama import init, Fore, Style + +# Initialize colorama for colored output +init(autoreset=True) + +# Configure logging +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s', + handlers=[ + logging.FileHandler('escu_detections.log'), + logging.StreamHandler() + ] +) +logger = logging.getLogger(__name__) + + +class SecurityContentManager: + """Manages the security_content repository operations.""" + + def __init__(self, repo_path: str = "./security_content"): + self.repo_path = Path(repo_path) + self.repo_url = "https://github.com/splunk/security_content.git" + + def clone_or_update_repo(self) -> bool: + """Clone or update the security_content repository.""" + try: + if self.repo_path.exists() and (self.repo_path / ".git").exists(): + logger.info(f"Updating existing repository at {self.repo_path}") + repo = Repo(self.repo_path) + origin = repo.remotes.origin + origin.pull() + logger.info("Repository updated successfully") + else: + logger.info(f"Cloning repository to {self.repo_path}") + self.repo_path.parent.mkdir(parents=True, exist_ok=True) + Repo.clone_from(self.repo_url, self.repo_path) + logger.info("Repository cloned successfully") + return True + except Exception as e: + logger.error(f"Failed to clone/update repository: {e}") + return False + + def find_detection_files(self) -> List[Path]: + """Find all detection YAML files in the repository.""" + detections_dir = self.repo_path / "detections" + if not detections_dir.exists(): + logger.error(f"Detections directory not found: {detections_dir}") + return [] + + detection_files = [] + for yaml_file in detections_dir.rglob("*.yml"): + detection_files.append(yaml_file) + + logger.info(f"Found {len(detection_files)} detection files") + return detection_files + + +class DetectionParser: + """Parses detection YAML files and extracts relevant information.""" + + @staticmethod + def parse_detection_file(file_path: Path) -> Optional[Dict[str, Any]]: + """Parse a detection YAML file and extract detection information.""" + try: + with open(file_path, 'r', encoding='utf-8') as f: + detection_data = yaml.safe_load(f) + + if not detection_data: + logger.warning(f"Empty detection file: {file_path}") + return None + + # Validate required fields + required_fields = ['name', 'search', 'type'] + for field in required_fields: + if field not in detection_data: + logger.warning(f"Missing required field '{field}' in {file_path}") + return None + + # Extract key information + detection = { + 'file_path': str(file_path), + 'name': detection_data.get('name', ''), + 'id': detection_data.get('id', ''), + 'description': detection_data.get('description', ''), + 'search': detection_data.get('search', ''), + 'type': detection_data.get('type', ''), + 'data_source': detection_data.get('data_source', []), + 'mitre_attack_id': detection_data.get('tags', {}).get('mitre_attack_id', []), + 'analytic_story': detection_data.get('tags', {}).get('analytic_story', []), + 'asset_type': detection_data.get('tags', {}).get('asset_type', ''), + 'security_domain': detection_data.get('tags', {}).get('security_domain', ''), + 'risk_score': detection_data.get('rba', {}).get('risk_objects', []), + 'status': detection_data.get('status', 'unknown') + } + + return detection + + except yaml.YAMLError as e: + logger.error(f"YAML parsing error in {file_path}: {e}") + return None + except Exception as e: + logger.error(f"Error parsing {file_path}: {e}") + return None + + +class SplunkConnector: + """Handles connection and search execution with Splunk.""" + + def __init__(self, host: str, port: int, username: str, password: str, + verify_ssl: bool = False): + self.host = host + self.port = port + self.username = username + self.password = password + self.verify_ssl = verify_ssl + self.service = None + + def connect(self) -> bool: + """Establish connection to Splunk.""" + try: + self.service = client.connect( + host=self.host, + port=self.port, + username=self.username, + password=self.password, + verify=self.verify_ssl + ) + logger.info(f"Successfully connected to Splunk at {self.host}:{self.port}") + return True + except Exception as e: + logger.error(f"Failed to connect to Splunk: {e}") + return False + + def run_search(self, search_query: str, earliest_time: str = "-24h", + latest_time: str = "now", max_results: int = 1000) -> Dict[str, Any]: + """Execute a search query on Splunk.""" + if not self.service: + raise Exception("Not connected to Splunk") + + try: + # Prepare search parameters + search_kwargs = { + 'earliest_time': earliest_time, + 'latest_time': latest_time, + 'max_count': max_results, + 'output_mode': 'json' + } + + # Execute the search + logger.debug(f"Executing search: {search_query[:100]}...") + job = self.service.jobs.create(search_query, **search_kwargs) + + # Wait for the job to complete + while not job.is_done(): + time.sleep(0.5) + + # Get results + results_stream = job.results(output_mode='json') + results_data = results.JSONResultsReader(results_stream) + + search_results = [] + for result in results_data: + if isinstance(result, dict): + search_results.append(result) + + # Get job statistics + job_stats = { + 'result_count': len(search_results), + 'scan_count': job.content.get('scanCount', 0), + 'event_count': job.content.get('eventCount', 0), + 'run_duration': job.content.get('runDuration', 0), + 'is_finalized': job.content.get('isFinalized', False), + 'dispatch_state': job.content.get('dispatchState', 'UNKNOWN') + } + + return { + 'success': True, + 'results': search_results, + 'stats': job_stats, + 'message': f"Search completed successfully with {len(search_results)} results" + } + + except Exception as e: + logger.error(f"Search execution failed: {e}") + return { + 'success': False, + 'results': [], + 'stats': {}, + 'message': f"Search failed: {str(e)}" + } + + +class ESCUDetectionRunner: + """Main class for running ESCU detections.""" + + def __init__(self, splunk_host: str, splunk_port: int, splunk_username: str, + splunk_password: str, repo_path: str = "./security_content", + verify_ssl: bool = False): + self.repo_manager = SecurityContentManager(repo_path) + self.splunk = SplunkConnector(splunk_host, splunk_port, splunk_username, + splunk_password, verify_ssl) + self.results = [] + + def setup(self) -> bool: + """Setup the environment and connections.""" + logger.info("Setting up ESCU Detection Runner...") + + # Clone/update repository + if not self.repo_manager.clone_or_update_repo(): + return False + + # Connect to Splunk + if not self.splunk.connect(): + return False + + logger.info("Setup completed successfully") + return True + + def run_all_detections(self, detection_filter: Optional[Dict[str, Any]] = None, + earliest_time: str = "-24h", latest_time: str = "now", + max_results: int = 1000, parallel: bool = False) -> List[Dict[str, Any]]: + """Run all detection searches and collect results.""" + + # Find detection files + detection_files = self.repo_manager.find_detection_files() + if not detection_files: + logger.error("No detection files found") + return [] + + # Parse detections + detections = [] + logger.info("Parsing detection files...") + for file_path in tqdm(detection_files, desc="Parsing detections"): + detection = DetectionParser.parse_detection_file(file_path) + if detection: + # Apply filters if provided + if detection_filter: + if self._should_include_detection(detection, detection_filter): + detections.append(detection) + else: + detections.append(detection) + + logger.info(f"Parsed {len(detections)} valid detections") + + # Execute detections + results = [] + logger.info("Executing detections...") + + for detection in tqdm(detections, desc="Running detections"): + try: + start_time = time.time() + + # Execute the search + search_result = self.splunk.run_search( + detection['search'], + earliest_time=earliest_time, + latest_time=latest_time, + max_results=max_results + ) + + execution_time = time.time() - start_time + + # Compile result + result = { + 'detection_name': detection['name'], + 'detection_id': detection['id'], + 'detection_type': detection['type'], + 'file_path': detection['file_path'], + 'execution_time': execution_time, + 'timestamp': datetime.now().isoformat(), + 'search_query': detection['search'], + 'mitre_attack_id': detection['mitre_attack_id'], + 'analytic_story': detection['analytic_story'], + 'success': search_result['success'], + 'result_count': search_result['stats'].get('result_count', 0), + 'event_count': search_result['stats'].get('event_count', 0), + 'scan_count': search_result['stats'].get('scan_count', 0), + 'message': search_result['message'], + 'results_preview': search_result['results'][:5] if search_result['results'] else [] + } + + results.append(result) + + # Log result + status_color = Fore.GREEN if search_result['success'] else Fore.RED + logger.info(f"{status_color}Detection: {detection['name']} - " + f"Results: {result['result_count']} - " + f"Time: {execution_time:.2f}s{Style.RESET_ALL}") + + except Exception as e: + logger.error(f"Failed to execute detection {detection['name']}: {e}") + results.append({ + 'detection_name': detection['name'], + 'detection_id': detection['id'], + 'success': False, + 'message': f"Execution failed: {str(e)}", + 'timestamp': datetime.now().isoformat() + }) + + self.results = results + return results + + def _should_include_detection(self, detection: Dict[str, Any], + filters: Dict[str, Any]) -> bool: + """Check if detection should be included based on filters.""" + + # Filter by type + if 'type' in filters and detection['type'] not in filters['type']: + return False + + # Filter by MITRE ATT&CK ID + if 'mitre_attack_id' in filters: + if not any(attack_id in detection['mitre_attack_id'] + for attack_id in filters['mitre_attack_id']): + return False + + # Filter by analytic story + if 'analytic_story' in filters: + if not any(story in detection['analytic_story'] + for story in filters['analytic_story']): + return False + + # Filter by security domain + if 'security_domain' in filters: + if detection['security_domain'] not in filters['security_domain']: + return False + + # Filter by status + if 'status' in filters: + if detection['status'] not in filters['status']: + return False + + return True + + def generate_report(self, output_file: str = None) -> str: + """Generate a comprehensive report of detection results.""" + if not self.results: + return "No results to report" + + # Calculate statistics + total_detections = len(self.results) + successful_detections = sum(1 for r in self.results if r['success']) + failed_detections = total_detections - successful_detections + total_results = sum(r.get('result_count', 0) for r in self.results) + + # Group by MITRE ATT&CK + mitre_stats = {} + for result in self.results: + for attack_id in result.get('mitre_attack_id', []): + if attack_id not in mitre_stats: + mitre_stats[attack_id] = {'total': 0, 'with_results': 0} + mitre_stats[attack_id]['total'] += 1 + if result.get('result_count', 0) > 0: + mitre_stats[attack_id]['with_results'] += 1 + + # Generate report + report_lines = [ + "=" * 80, + "SPLUNK ESCU DETECTION EXECUTION REPORT", + "=" * 80, + f"Report Generated: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}", + "", + "SUMMARY:", + f" Total Detections Executed: {total_detections}", + f" Successful Executions: {successful_detections}", + f" Failed Executions: {failed_detections}", + f" Success Rate: {(successful_detections/total_detections)*100:.1f}%", + f" Total Results Found: {total_results}", + "", + "TOP MITRE ATT&CK TECHNIQUES BY RESULTS:", + ] + + # Sort MITRE techniques by results + sorted_mitre = sorted(mitre_stats.items(), + key=lambda x: x[1]['with_results'], reverse=True) + + for attack_id, stats in sorted_mitre[:10]: + report_lines.append(f" {attack_id}: {stats['with_results']}/{stats['total']} detections with results") + + report_lines.extend([ + "", + "DETECTIONS WITH RESULTS:", + ]) + + # Show detections that found results + detections_with_results = [r for r in self.results if r.get('result_count', 0) > 0] + detections_with_results.sort(key=lambda x: x.get('result_count', 0), reverse=True) + + for result in detections_with_results[:20]: # Top 20 + report_lines.append(f" {result['detection_name']}: {result['result_count']} results") + + if len(detections_with_results) > 20: + report_lines.append(f" ... and {len(detections_with_results) - 20} more") + + report_lines.extend([ + "", + "FAILED DETECTIONS:", + ]) + + failed_results = [r for r in self.results if not r['success']] + for result in failed_results[:10]: # Show first 10 failures + report_lines.append(f" {result['detection_name']}: {result.get('message', 'Unknown error')}") + + if len(failed_results) > 10: + report_lines.append(f" ... and {len(failed_results) - 10} more failures") + + report_lines.append("=" * 80) + + report_text = "\n".join(report_lines) + + # Save to file if specified + if output_file: + with open(output_file, 'w') as f: + f.write(report_text) + logger.info(f"Report saved to {output_file}") + + return report_text + + def export_results(self, output_file: str = "escu_results.json"): + """Export detailed results to JSON file.""" + with open(output_file, 'w') as f: + json.dump(self.results, f, indent=2, default=str) + logger.info(f"Detailed results exported to {output_file}") + + +def load_environment_variables(): + """Load required environment variables for Splunk connection.""" + required_vars = ['SPLUNK_HOST', 'SPLUNK_USERNAME', 'SPLUNK_PASSWORD'] + env_vars = {} + + for var in required_vars: + value = os.environ.get(var) + if not value: + raise ValueError(f"Environment variable {var} is required but not set") + env_vars[var.lower().replace('splunk_', '')] = value + + # Optional variables with defaults + env_vars['port'] = int(os.environ.get('SPLUNK_PORT', '8089')) + env_vars['verify_ssl'] = os.environ.get('SPLUNK_VERIFY_SSL', 'false').lower() == 'true' + + return env_vars + + +def main(): + parser = argparse.ArgumentParser( + description="Run all Splunk ESCU detections from security_content repository", + epilog=""" +Environment Variables Required: + SPLUNK_HOST - Splunk server hostname/IP + SPLUNK_USERNAME - Splunk username + SPLUNK_PASSWORD - Splunk password + SPLUNK_PORT - Splunk management port (default: 8089) + SPLUNK_VERIFY_SSL - Verify SSL certificates (default: false) + +Example usage: + export SPLUNK_HOST="192.168.1.100" + export SPLUNK_USERNAME="admin" + export SPLUNK_PASSWORD="changeme" + python run_escu_detections.py --time-range "-7d,now" + """, + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + + parser.add_argument( + '--repo-path', + default='./security_content', + help='Path to clone/find security_content repository (default: ./security_content)' + ) + + parser.add_argument( + '--time-range', + default='-24h,now', + help='Time range for searches in format "earliest,latest" (default: -24h,now)' + ) + + parser.add_argument( + '--max-results', + type=int, + default=1000, + help='Maximum results per detection (default: 1000)' + ) + + parser.add_argument( + '--filter-type', + nargs='+', + help='Filter detections by type (e.g., TTP Hunting Correlation)' + ) + + parser.add_argument( + '--filter-mitre', + nargs='+', + help='Filter detections by MITRE ATT&CK ID (e.g., T1003 T1059)' + ) + + parser.add_argument( + '--filter-status', + nargs='+', + default=['production'], + help='Filter detections by status (default: production)' + ) + + parser.add_argument( + '--output-report', + default='escu_detection_report.txt', + help='Output file for summary report (default: escu_detection_report.txt)' + ) + + parser.add_argument( + '--output-json', + default='escu_detection_results.json', + help='Output file for detailed JSON results (default: escu_detection_results.json)' + ) + + parser.add_argument( + '--verbose', + action='store_true', + help='Enable verbose logging' + ) + + args = parser.parse_args() + + if args.verbose: + logging.getLogger().setLevel(logging.DEBUG) + + try: + # Load environment variables + env_vars = load_environment_variables() + + # Parse time range + time_parts = args.time_range.split(',') + if len(time_parts) != 2: + raise ValueError("Time range must be in format 'earliest,latest'") + earliest_time, latest_time = time_parts + + # Create filters + filters = {} + if args.filter_type: + filters['type'] = args.filter_type + if args.filter_mitre: + filters['mitre_attack_id'] = args.filter_mitre + if args.filter_status: + filters['status'] = args.filter_status + + # Initialize runner + runner = ESCUDetectionRunner( + splunk_host=env_vars['host'], + splunk_port=env_vars['port'], + splunk_username=env_vars['username'], + splunk_password=env_vars['password'], + repo_path=args.repo_path, + verify_ssl=env_vars['verify_ssl'] + ) + + # Setup environment + if not runner.setup(): + logger.error("Setup failed") + sys.exit(1) + + # Run detections + logger.info("Starting detection execution...") + results = runner.run_all_detections( + detection_filter=filters if filters else None, + earliest_time=earliest_time, + latest_time=latest_time, + max_results=args.max_results + ) + + # Generate reports + logger.info("Generating reports...") + report = runner.generate_report(args.output_report) + print(report) + + runner.export_results(args.output_json) + + logger.info(f"Detection execution completed. Processed {len(results)} detections.") + + except Exception as e: + logger.error(f"Error: {e}") + sys.exit(1) + + +if __name__ == "__main__": + main() diff --git a/bin/write_dataset_url.py b/bin/write_dataset_url.py deleted file mode 100644 index 690d4db28..000000000 --- a/bin/write_dataset_url.py +++ /dev/null @@ -1,73 +0,0 @@ -import yaml -import glob -import os -import sys -import requests -import argparse -from os import path, walk -from pathlib import Path -import pathlib -from urllib.parse import urlparse - - -def load_file(file_path): - with open(file_path, 'r', encoding="utf-8") as stream: - try: - file = list(yaml.safe_load_all(stream))[0] - except yaml.YAMLError as exc: - print(exc) - sys.exit("ERROR: reading {0}".format(file_path)) - return file - - -def write_file(obj, file_path): - with open(os.path.join(os.path.dirname(__file__), '../datasets/', file_path), 'w+' ) as outfile: - yaml.dump(obj, outfile , default_flow_style=False, sort_keys=False) - - -def write_new_object(obj, relative_path, branch): - new_obj = obj.copy() - new_obj['dataset'] = [] - for dataset in obj['dataset']: - a = urlparse(dataset) - data_file_name = os.path.basename(a.path) - new_obj['dataset'].append('https://media.githubusercontent.com/media/splunk/attack_data/' + branch + '/datasets/' + os.path.dirname(relative_path) + '/' + data_file_name) - - write_file(new_obj, relative_path) - - -def load_objects(relative_path): - files = [] - objs = [] - manifest_files = os.path.join(os.path.dirname(__file__), '../', relative_path) - for file in sorted(glob.glob(manifest_files)): - p = pathlib.Path(file) - rel_path = str(pathlib.Path(*p.parts[2:])) - objs.append(load_file(file)) - files.append(rel_path) - return objs, files - - -def convert_attack_data_objects(relative_path, branch): - attack_data_objs, attack_data_files = load_objects(relative_path) - - counter = 0 - for attack_data_obj in attack_data_objs: - write_new_object(attack_data_obj, attack_data_files[counter], branch) - counter += 1 - - -def main(args): - parser = argparse.ArgumentParser(description="changes url links to datasets") - parser.add_argument("-b", "--branch", required=True, help="new branch") - - args = parser.parse_args() - branch = args.branch - - convert_attack_data_objects('datasets/attack_techniques/*/*/*.yml', branch) - convert_attack_data_objects('datasets/malware/*/*.yml', branch) - convert_attack_data_objects('datasets/suspicious_behaviour/*/*.yml', branch) - - -if __name__ == "__main__": - main(sys.argv[1:]) diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log b/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log deleted file mode 100644 index e7df7a031..000000000 --- a/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security-events_ssa.log +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4df6844399f561cdcf9a8429babd79f643e0b0173aef9e522589815ec0da4094 -size 14733218 From 528f585c233653d4694d7946ae5982c465f28adc Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Fri, 8 Aug 2025 15:40:01 +0200 Subject: [PATCH 02/18] changes --- bin/dataset_analyzer.py | 273 ++++++++++++++++++++++++++-------------- 1 file changed, 181 insertions(+), 92 deletions(-) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py index 2670208ba..b8b2ae64a 100644 --- a/bin/dataset_analyzer.py +++ b/bin/dataset_analyzer.py @@ -35,8 +35,8 @@ import logging import argparse from pathlib import Path -from typing import Dict, List, Tuple, Optional -from dataclasses import dataclass +from typing import Dict, List, Tuple, Optional, Callable, Any +from dataclasses import dataclass, field from datetime import datetime try: @@ -70,6 +70,8 @@ class CategoryRule: source: Optional[str] = None content_check: Optional[str] = None description: str = "" + field_checks: Dict[str, Any] = field(default_factory=dict) + data_checker: Optional[Callable[[Path], Tuple[Optional[str], Optional[str]]]] = None class DatasetAnalyzer: @@ -78,63 +80,172 @@ class DatasetAnalyzer: def __init__(self, base_path: str = "datasets"): self.base_path = Path(base_path) self.rules = self._initialize_rules() + self.provider_mappings = self._initialize_provider_mappings() + + def _initialize_provider_mappings(self) -> Dict[str, Dict[str, str]]: + """Initialize Windows Event Log provider name to source/sourcetype mappings""" + return { + "Microsoft-Windows-Sysmon": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" + }, + "Microsoft-Windows-PowerShell": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" + }, + "Microsoft-Windows-Security-Auditing": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Security" + }, + "Microsoft-Windows-Kernel-General": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Microsoft-Windows-Kernel-Power": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Service Control Manager": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:System" + }, + "Microsoft-Windows-Windows Defender": { + "sourcetype": "XmlWinEventLog", + "source": ("XmlWinEventLog:Microsoft-Windows-Windows " + "Defender/Operational") + }, + "Microsoft-Windows-WinLogon": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Security" + }, + "Microsoft-Windows-TerminalServices-LocalSessionManager": { + "sourcetype": "XmlWinEventLog", + "source": ("XmlWinEventLog:Microsoft-Windows-" + "TerminalServices-LocalSessionManager/Operational") + }, + "Microsoft-Windows-Application-Experience": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Application" + }, + "Application Error": { + "sourcetype": "XmlWinEventLog", + "source": "XmlWinEventLog:Application" + } + } + + def _check_windows_xml_provider(self, file_path: Path) -> ( + Tuple[Optional[str], Optional[str]]): + """Check Windows XML logs for Provider name and return source/sourcetype""" + try: + with open(file_path, 'r', encoding='utf-8', errors='ignore') as f: + # Read first few events to find provider + content = f.read(8192) # Read first 8KB + + # Look for Provider Name pattern + provider_pattern = r' List[CategoryRule]: """Initialize categorization rules based on common patterns""" return [ - # Windows Event Logs - XML format + # Windows Event Logs - XML format with provider-based detection + CategoryRule( + pattern=r".*windows.*", + # Default, will be overridden by data_checker + sourcetype="XmlWinEventLog", + source=None, # Will be set by data_checker + content_check="xml", + description=("Windows Event logs in XML format " + "(provider-based detection)"), + data_checker=self._check_windows_xml_provider + ), + CategoryRule( + pattern=r".*\.xml.*", + sourcetype="XmlWinEventLog", + source=None, + content_check="xml", + description="XML Event logs (provider-based detection)", + data_checker=self._check_windows_xml_provider + ), + # Legacy specific Windows log patterns (lower priority) CategoryRule( - pattern=r".*windows-sysmon.*\.log$", + pattern=r".*windows-sysmon.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", content_check="xml", - description="Windows Sysmon logs in XML format" + description=("Windows Sysmon logs in XML format " + "(legacy pattern)") ), CategoryRule( - pattern=r".*sysmon.*\.log$", + pattern=r".*sysmon.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", content_check="xml", - description="Sysmon logs in XML format" + description=("Sysmon logs in XML format " + "(legacy pattern)") ), CategoryRule( - pattern=r".*windows-security.*\.log$", + pattern=r".*windows-security.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:Security", content_check="xml", - description="Windows Security Event logs in XML format" + description=("Windows Security Event logs in XML format " + "(legacy pattern)") ), CategoryRule( - pattern=r".*windows-system.*\.log$", + pattern=r".*windows-system.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:System", content_check="xml", - description="Windows System Event logs in XML format" + description=("Windows System Event logs in XML format " + "(legacy pattern)") ), CategoryRule( - pattern=r".*windows-powershell.*\.log$", + pattern=r".*windows-powershell.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", content_check="xml", - description="Windows PowerShell logs in XML format" + description=("Windows PowerShell logs in XML format " + "(legacy pattern)") ), CategoryRule( - pattern=r".*windows-application.*\.log$", + pattern=r".*windows-application.*", sourcetype="XmlWinEventLog", source="XmlWinEventLog:Application", content_check="xml", - description="Windows Application Event logs in XML format" + description=("Windows Application Event logs in XML " + "format (legacy pattern)") ), # CrowdStrike Falcon CategoryRule( - pattern=r".*crowdstrike.*\.log$", + pattern=r".*crowdstrike.*", sourcetype="crowdstrike:events:sensor", content_check="json", description="CrowdStrike Falcon sensor events" ), CategoryRule( - pattern=r".*falcon.*\.log$", + pattern=r".*falcon.*", sourcetype="crowdstrike:events:sensor", content_check="json", description="CrowdStrike Falcon sensor events" @@ -142,157 +253,111 @@ def _initialize_rules(self) -> List[CategoryRule]: # Linux/Unix logs CategoryRule( - pattern=r".*syslog.*\.log$", + pattern=r".*syslog.*", sourcetype="syslog", source="syslog", description="Linux/Unix syslog files" ), CategoryRule( - pattern=r".*auth.*\.log$", + pattern=r".*auth.*", sourcetype="linux_secure", source="linux_secure", description="Linux authentication logs" ), CategoryRule( - pattern=r".*secure.*\.log$", + pattern=r".*secure.*", sourcetype="linux_secure", source="linux_secure", description="Linux secure logs" ), + CategoryRule( + pattern=r".*auditd.*", + sourcetype="auditd", + source="auditd", + description="Linux auditd logs" + ), # Network and Firewall logs CategoryRule( - pattern=r".*firewall.*\.log$", + pattern=r".*firewall.*", sourcetype="firewall", description="Firewall logs" ), CategoryRule( - pattern=r".*palo.*alto.*\.log$", + pattern=r".*palo.*alto.*", sourcetype="pan:traffic", description="Palo Alto firewall logs" ), CategoryRule( - pattern=r".*cisco.*\.log$", + pattern=r".*cisco.*", sourcetype="cisco:asa", description="Cisco network device logs" ), # Web server logs CategoryRule( - pattern=r".*access.*\.log$", + pattern=r".*access.*", sourcetype="access_combined", description="Web server access logs" ), CategoryRule( - pattern=r".*apache.*\.log$", + pattern=r".*apache.*", sourcetype="access_combined", description="Apache web server logs" ), CategoryRule( - pattern=r".*nginx.*\.log$", + pattern=r".*nginx.*", sourcetype="nginx:plus:access", description="Nginx web server logs" ), CategoryRule( - pattern=r".*iis.*\.log$", + pattern=r".*iis.*", sourcetype="iis", description="IIS web server logs" ), # Cloud and container logs CategoryRule( - pattern=r".*aws.*\.log$", + pattern=r".*aws.*", sourcetype="aws:cloudtrail", description="AWS CloudTrail logs" ), CategoryRule( - pattern=r".*azure.*\.log$", + pattern=r".*azure.*", sourcetype="azure:monitor:aad", description="Azure activity logs" ), CategoryRule( - pattern=r".*docker.*\.log$", + pattern=r".*docker.*", sourcetype="docker", description="Docker container logs" ), CategoryRule( - pattern=r".*kubernetes.*\.log$", - sourcetype="kube:container", + pattern=r".*kubernetes.*", + sourcetype="aws:cloudwatchlogs", description="Kubernetes container logs" ), - # Database logs - CategoryRule( - pattern=r".*mysql.*\.log$", - sourcetype="mysql:error", - description="MySQL database logs" - ), - CategoryRule( - pattern=r".*postgres.*\.log$", - sourcetype="postgresql", - description="PostgreSQL database logs" - ), - CategoryRule( - pattern=r".*mssql.*\.log$", - sourcetype="mssql:errorlog", - description="Microsoft SQL Server logs" - ), - # Application logs CategoryRule( - pattern=r".*exchange.*\.log$", + pattern=r".*exchange.*", sourcetype="MSExchange:Management", description="Microsoft Exchange logs" ), CategoryRule( - pattern=r".*sharepoint.*\.log$", + pattern=r".*sharepoint.*", sourcetype="sharepoint:uls", description="SharePoint logs" ), - CategoryRule( - pattern=r".*jboss.*\.log$", - sourcetype="jboss", - description="JBoss application server logs" - ), - CategoryRule( - pattern=r".*tomcat.*\.log$", - sourcetype="catalina", - description="Apache Tomcat logs" - ), # JSON format logs (generic) CategoryRule( - pattern=r".*\.json\.log$", + pattern=r".*\.json.*", sourcetype="json", content_check="json", description="JSON formatted logs" ), - # CSV format logs - CategoryRule( - pattern=r".*\.csv\.log$", - sourcetype="csv", - description="CSV formatted logs" - ), - CategoryRule( - pattern=r".*\.csv$", - sourcetype="csv", - description="CSV data files" - ), - - # Text files - CategoryRule( - pattern=r".*\.txt$", - sourcetype="text", - description="Plain text files" - ), - - # Generic log file fallback - CategoryRule( - pattern=r".*\.log$", - sourcetype="generic_log", - description="Generic log files" - ) ] def _detect_content_type(self, file_path: Path) -> str: @@ -335,7 +400,8 @@ def _detect_content_type(self, file_path: Path) -> str: def _apply_rules(self, file_path: Path) -> Optional[ Tuple[str, Optional[str], bool] ]: - """Apply categorization rules and return (sourcetype, source, is_specific_rule)""" + """Apply categorization rules and return (sourcetype, source, + is_specific_rule)""" filename = file_path.name.lower() content_type = self._detect_content_type(file_path) @@ -345,14 +411,37 @@ def _apply_rules(self, file_path: Path) -> Optional[ if rule.content_check and rule.content_check != content_type: continue - # Check if this is the generic log fallback rule (last rule) + # Check if rule has a data checker + # (for field-based detection) + sourcetype = rule.sourcetype + source = rule.source + if rule.data_checker: + try: + checked_sourcetype, checked_source = ( + rule.data_checker(file_path)) + if checked_sourcetype: + sourcetype = checked_sourcetype + logger.info( + f"Data checker updated sourcetype to " + f"'{sourcetype}' for {filename}") + if checked_source: + source = checked_source + logger.info( + f"Data checker updated source to " + f"'{source}' for {filename}") + except Exception as e: + logger.warning(f"Data checker failed for {filename}: {e}") + # Continue with original rule values if + # checker fails + + # Check if this is the generic fallback rule (last rule) is_specific_rule = i < len(self.rules) - 1 logger.debug( f"Applied rule '{rule.description}' to {filename} " - f"(specific: {is_specific_rule})" - ) - return rule.sourcetype, rule.source, is_specific_rule + f"(specific: {is_specific_rule}, sourcetype: {sourcetype}, " + f"source: {source})") + return sourcetype, source, is_specific_rule logger.warning(f"No matching rule found for {filename}") return None From 8b9591e6d1786d7099c1fb136d1ab18fad013cf6 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 11 Aug 2025 08:55:11 +0200 Subject: [PATCH 03/18] update --- bin/dataset_analyzer.py | 100 +++++++++++++++++++++++++++++++++++----- 1 file changed, 89 insertions(+), 11 deletions(-) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py index b8b2ae64a..70c2b92df 100644 --- a/bin/dataset_analyzer.py +++ b/bin/dataset_analyzer.py @@ -241,12 +241,14 @@ def _initialize_rules(self) -> List[CategoryRule]: CategoryRule( pattern=r".*crowdstrike.*", sourcetype="crowdstrike:events:sensor", + source="crowdstrike", content_check="json", description="CrowdStrike Falcon sensor events" ), CategoryRule( pattern=r".*falcon.*", sourcetype="crowdstrike:events:sensor", + source="crowdstrike", content_check="json", description="CrowdStrike Falcon sensor events" ), @@ -276,6 +278,12 @@ def _initialize_rules(self) -> List[CategoryRule]: source="auditd", description="Linux auditd logs" ), + CategoryRule( + pattern=r".*sysmon_linux.*", + sourcetype="sysmon:linux", + source="Syslog:Linux-Sysmon/Operational", + description="Linux Sysmon logs" + ), # Network and Firewall logs CategoryRule( @@ -289,8 +297,9 @@ def _initialize_rules(self) -> List[CategoryRule]: description="Palo Alto firewall logs" ), CategoryRule( - pattern=r".*cisco.*", - sourcetype="cisco:asa", + pattern=r".*cisco_secure_firewall.*", + sourcetype="cisco:sfw:estreamer", + source="not_applicable", description="Cisco network device logs" ), @@ -313,6 +322,7 @@ def _initialize_rules(self) -> List[CategoryRule]: CategoryRule( pattern=r".*iis.*", sourcetype="iis", + source="iis", description="IIS web server logs" ), @@ -320,28 +330,87 @@ def _initialize_rules(self) -> List[CategoryRule]: CategoryRule( pattern=r".*aws.*", sourcetype="aws:cloudtrail", + source="aws_cloudtrail", description="AWS CloudTrail logs" ), + CategoryRule( + pattern=r".*asl.*", + sourcetype="aws:cloudtrail:lake", + source="aws_asl", + description="AWS ASL logs" + ), CategoryRule( pattern=r".*azure.*", sourcetype="azure:monitor:aad", + source="azure", description="Azure activity logs" ), - CategoryRule( - pattern=r".*docker.*", - sourcetype="docker", - description="Docker container logs" - ), CategoryRule( pattern=r".*kubernetes.*", - sourcetype="aws:cloudwatchlogs", + sourcetype="__json", + source="kubernetes", description="Kubernetes container logs" ), # Application logs + CategoryRule( + pattern=r".*okta.*", + sourcetype="OktaIM2:log", + source="Okta", + description="Okta logs" + ), + CategoryRule( + pattern=r".*pingid.*", + sourcetype="__json", + source="PINGID", + description="PingID logs" + ), + CategoryRule( + pattern=r".*gws.*", + sourcetype="gws:reports:login", + source="gws:reports:login", + description="Google Workspace logs" + ), + CategoryRule( + pattern=r".*gsuite.*", + sourcetype="gsuite:gmail:bigquery", + source="http:gsuite", + description="GSuite logs" + ), + CategoryRule( + pattern=r".*o365.*", + sourcetype="o365:management:activity", + source="o365", + description="O365 logs" + ), + CategoryRule( + pattern=r".*cisco_duo.*", + sourcetype="cisco:duo:administrator", + source="duo", + description="Cisco Duo logs" + ), + CategoryRule( + pattern=r".*esxi.*", + sourcetype="vmw-syslog", + source="vmware:esxlog", + description="VMware ESXi logs" + ), + CategoryRule( + pattern=r".*zscalar.*", + sourcetype="zscalernss-web", + source="zscaler", + description="Zscaler logs" + ), + CategoryRule( + pattern=r".*suricata.*", + sourcetype="suricata", + source="suricata", + description="Suricata logs" + ), CategoryRule( pattern=r".*exchange.*", sourcetype="MSExchange:Management", + source="MSExchange:Management", description="Microsoft Exchange logs" ), CategoryRule( @@ -349,6 +418,12 @@ def _initialize_rules(self) -> List[CategoryRule]: sourcetype="sharepoint:uls", description="SharePoint logs" ), + CategoryRule( + pattern=r".*crushftp.*", + sourcetype="crushftp:sessionlogs", + source="crushftp", + description="CrushFTP logs" + ), # JSON format logs (generic) CategoryRule( @@ -447,10 +522,13 @@ def _apply_rules(self, file_path: Path) -> Optional[ return None def _is_data_file(self, file_path: Path) -> bool: - """Check if a file is a data file (not .yml or .zip)""" + """Check if a file is a data file (not .yml, .zip, or system files)""" excluded_extensions = {'.yml', '.yaml', '.zip', '.tar', '.gz', '.rar', '.7z'} - return file_path.suffix.lower() not in excluded_extensions + excluded_filenames = {'.ds_store'} + + return (file_path.suffix.lower() not in excluded_extensions and + file_path.name.lower() not in excluded_filenames) def _find_datasets(self, technique_path: Path) -> List[Path]: """Find all dataset files in a technique directory""" @@ -1019,7 +1097,7 @@ def generate_summary_report(self, results: Dict[str, Dict]) -> str: report += f"\nIgnored File Details:\n{'-' * 50}\n" for ignored_file in ignored_files: reason = ignored_file['reason'].replace('_', ' ').title() - report += f"{ignored_file['name']:<50} {reason}\n" + report += f"{ignored_file['path']:<80} {reason}\n" report += f"\n{'-' * 50}\n" report += (f"Report generated on: " From 9f108d52d27be3f7c3428d003936e2b60272b53a Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 11 Aug 2025 09:16:39 +0200 Subject: [PATCH 04/18] search_activity.log --- bin/dataset_analyzer.py | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py index 70c2b92df..814e863ef 100644 --- a/bin/dataset_analyzer.py +++ b/bin/dataset_analyzer.py @@ -557,10 +557,22 @@ def _generate_dataset_info( ignored_files = [] for dataset_path in datasets: - # Create relative path from base directory + # Create relative path from the datasets directory try: - relative_path = dataset_path.relative_to(base_path.parent) - web_path = f"/datasets/{relative_path.as_posix()}" + # Find the datasets root by looking for "datasets" in the path + datasets_root = None + for parent in dataset_path.parents: + if parent.name == "datasets": + datasets_root = parent + break + + if datasets_root: + relative_path = dataset_path.relative_to(datasets_root) + web_path = f"/datasets/{relative_path.as_posix()}" + else: + # If no datasets parent found, try the original base_path + relative_path = dataset_path.relative_to(self.base_path) + web_path = f"/datasets/{relative_path.as_posix()}" except ValueError: # Fallback if relative path fails web_path = f"/datasets/{dataset_path.name}" From ccc10f8d7a6aecdb5cb6ef2c6d35ba50b6afea5f Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 11 Aug 2025 12:20:06 +0200 Subject: [PATCH 05/18] update --- bin/dataset_analyzer.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/bin/dataset_analyzer.py b/bin/dataset_analyzer.py index 814e863ef..c616278b8 100644 --- a/bin/dataset_analyzer.py +++ b/bin/dataset_analyzer.py @@ -34,6 +34,7 @@ import re import logging import argparse +import uuid from pathlib import Path from typing import Dict, List, Tuple, Optional, Callable, Any from dataclasses import dataclass, field @@ -407,6 +408,12 @@ def _initialize_rules(self) -> List[CategoryRule]: source="suricata", description="Suricata logs" ), + CategoryRule( + pattern=r".*zeek_conn.*", + sourcetype="bro:conn:json", + source="bro", + description="Zeek conn logs" + ), CategoryRule( pattern=r".*exchange.*", sourcetype="MSExchange:Management", @@ -644,8 +651,7 @@ def analyze_technique_directory(self, technique_path: Path) -> Optional[Dict]: # Generate YAML structure yaml_data = { 'author': 'Generated by dataset_analyzer.py', - 'id': (f'generated-{mitre_technique.lower()}-' - f'{datetime.now().strftime("%Y%m%d")}'), + 'id': str(uuid.uuid4()), 'date': datetime.now().strftime('%Y-%m-%d'), 'description': (f'Automatically categorized datasets for technique ' f'{mitre_technique}'), @@ -789,8 +795,7 @@ def _analyze_data_directory(self, data_dir: Path) -> Optional[Dict]: yaml_data = { 'author': 'Generated by dataset_analyzer.py', - 'id': (f'generated-{data_dir.name.lower()}-' - f'{datetime.now().strftime("%Y%m%d")}'), + 'id': str(uuid.uuid4()), 'date': datetime.now().strftime('%Y-%m-%d'), 'description': (f'Automatically categorized datasets in directory ' f'{directory_str}'), @@ -844,8 +849,7 @@ def analyze_generic_directory(self, directory_path: Path) -> Optional[Dict]: yaml_data = { 'author': 'Generated by dataset_analyzer.py', - 'id': (f'generated-{directory_path.name.lower()}-' - f'{datetime.now().strftime("%Y%m%d")}'), + 'id': str(uuid.uuid4()), 'date': datetime.now().strftime('%Y-%m-%d'), 'description': (f'Automatically categorized datasets in directory ' f'{directory_path.name}'), From 6704d5f6d1c5c7d993ad9b5d76ef835dec7c2514 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 12 Aug 2025 13:29:55 +0200 Subject: [PATCH 06/18] updates to replay script --- bin/replay.py | 154 ----------------------------- bin/replay_all.py | 243 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 243 insertions(+), 154 deletions(-) delete mode 100644 bin/replay.py create mode 100644 bin/replay_all.py diff --git a/bin/replay.py b/bin/replay.py deleted file mode 100644 index 5462c6688..000000000 --- a/bin/replay.py +++ /dev/null @@ -1,154 +0,0 @@ -#!/usr/bin/env python3 - -import os -import sys -import argparse -import glob -import uuid -import urllib -import requests -from urllib3 import disable_warnings - - -def load_environment_variables(): - """Load required environment variables for Splunk connection.""" - required_vars = ['SPLUNK_HOST', 'SPLUNK_HEC_TOKEN'] - env_vars = {} - for var in required_vars: - value = os.environ.get(var) - if not value: - raise ValueError(f"Environment variable {var} is required but not set") - env_vars[var.lower().replace('splunk_', '')] = value - return env_vars - - -def find_data_files(folder_path): - """Find all data files in the specified folder (supports .log, .json, .txt).""" - files = [] - for ext in ("*.log", "*.json", "*.txt"): - files.extend(glob.glob(os.path.join(folder_path, ext))) - if not files: - print(f"Warning: No data files found in {folder_path}") - return files - - -def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid, - index="test", source="test", sourcetype="test", - verify_ssl=False): - """Send a data file to Splunk HEC.""" - if not verify_ssl: - disable_warnings() - hec_channel = str(uuid.uuid4()) - headers = { - "Authorization": f"Splunk {hec_token}", - "X-Splunk-Request-Channel": hec_channel, - } - url_params = { - "index": index, - "source": source, - "sourcetype": sourcetype, - "host": event_host_uuid, - } - url = urllib.parse.urljoin( - f"https://{splunk_host}:8088", - "services/collector/raw" - ) - with open(file_path, "rb") as datafile: - try: - res = requests.post( - url, - params=url_params, - data=datafile.read(), - allow_redirects=True, - headers=headers, - verify=verify_ssl, - ) - res.raise_for_status() - print(f":white_check_mark: Sent {file_path} to Splunk HEC") - except Exception as e: - print(f":x: Error sending {file_path} to Splunk HEC: {e}") - - -def main(): - parser = argparse.ArgumentParser( - description="Replay data files to Splunk via HTTP Event Collector (HEC)", - epilog=""" -Environment Variables Required: - SPLUNK_HOST - Splunk server hostname/IP - SPLUNK_HEC_TOKEN - Splunk HEC token - -Example usage: - python replay.py /path/to/data/folder - python replay.py /path/to/data/file.log --host-uuid 12345678-abcd-efgh - export SPLUNK_HOST="192.168.1.100" - export SPLUNK_HEC_TOKEN="your-hec-token" - """, - formatter_class=argparse.RawDescriptionHelpFormatter, - ) - parser.add_argument( - 'path', - help='Path to a data file or folder containing data files' - ) - parser.add_argument( - '--source', - default='test', - help='Source field for Splunk events (default: test)' - ) - parser.add_argument( - '--sourcetype', - default='test', - help='Sourcetype field for Splunk events (default: test)' - ) - parser.add_argument( - '--index', - default='test', - help='Splunk index to send events to (default: test)' - ) - parser.add_argument( - '--no-verify-ssl', - action='store_true', - help='Disable SSL verification for Splunk HEC' - ) - parser.add_argument( - '--host-uuid', - help='UUID to use as the host field for Splunk events ' - '(generates random UUID if not provided)' - ) - args = parser.parse_args() - - try: - env_vars = load_environment_variables() - splunk_host = env_vars['host'] - hec_token = env_vars['hec_token'] - - # Generate UUID for host field if not provided - event_host_uuid = args.host_uuid or str(uuid.uuid4()) - print(f"Using host UUID: {event_host_uuid}") - - if os.path.isdir(args.path): - files = find_data_files(args.path) - elif os.path.isfile(args.path): - files = [args.path] - else: - print(f"Error: {args.path} is not a valid file or directory") - sys.exit(1) - - for file_path in files: - send_data_to_splunk( - file_path=file_path, - splunk_host=splunk_host, - hec_token=hec_token, - event_host_uuid=event_host_uuid, - index=args.index, - source=args.source, - sourcetype=args.sourcetype, - verify_ssl=not args.no_verify_ssl, - ) - - except Exception as e: - print(f"Error: {e}") - sys.exit(1) - - -if __name__ == "__main__": - main() diff --git a/bin/replay_all.py b/bin/replay_all.py new file mode 100644 index 000000000..1898c152c --- /dev/null +++ b/bin/replay_all.py @@ -0,0 +1,243 @@ +#!/usr/bin/env python3 + +import os +import sys +import argparse +import glob +import uuid +import urllib +import requests +from urllib3 import disable_warnings +import yaml +from pathlib import Path + + +def load_environment_variables(): + """Load required environment variables for Splunk connection.""" + required_vars = ['SPLUNK_HOST', 'SPLUNK_HEC_TOKEN'] + env_vars = {} + for var in required_vars: + value = os.environ.get(var) + if not value: + raise ValueError(f"Environment variable {var} is required but not set") + env_vars[var.lower().replace('splunk_', '')] = value + return env_vars + + +def find_data_yml_files(folder_path): + """Find all data.yml files recursively in folder and subfolders.""" + data_yml_files = [] + folder_path = Path(folder_path) + + # Use pathlib to recursively find all data.yml files + for yml_file in folder_path.rglob("data.yml"): + data_yml_files.append(str(yml_file)) + + if not data_yml_files: + print(f"Warning: No data.yml files found in {folder_path}") + else: + print(f"Found {len(data_yml_files)} data.yml files") + + return data_yml_files + + +def parse_data_yml(yml_file_path): + """Parse a data.yml file and extract dataset information.""" + try: + with open(yml_file_path, 'r') as file: + data = yaml.safe_load(file) + + # Extract required fields + file_id = data.get('id', str(uuid.uuid4())) + datasets = data.get('datasets', []) + + # Return tuple of (id, datasets_list) + return file_id, datasets + + except Exception as e: + print(f"Error parsing {yml_file_path}: {e}") + return None, [] + + +def find_data_files(folder_path): + """Find all data files in the specified folder (supports .log, .json, .txt).""" + files = [] + for ext in ("*.log", "*.json", "*.txt"): + files.extend(glob.glob(os.path.join(folder_path, ext))) + if not files: + print(f"Warning: No data files found in {folder_path}") + return files + + +def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid, + index="test", source="test", sourcetype="test"): + """Send a data file to Splunk HEC.""" + disable_warnings() + hec_channel = str(uuid.uuid4()) + headers = { + "Authorization": f"Splunk {hec_token}", + "X-Splunk-Request-Channel": hec_channel, + } + url_params = { + "index": index, + "source": source, + "sourcetype": sourcetype, + "host": event_host_uuid, + } + url = urllib.parse.urljoin( + f"https://{splunk_host}:8088", + "services/collector/raw" + ) + with open(file_path, "rb") as datafile: + try: + res = requests.post( + url, + params=url_params, + data=datafile.read(), + allow_redirects=True, + headers=headers, + verify=False, + ) + res.raise_for_status() + print(f":white_check_mark: Sent {file_path} to Splunk HEC") + except Exception as e: + print(f":x: Error sending {file_path} to Splunk HEC: {e}") + + +def main(): + parser = argparse.ArgumentParser( + description="Recursively find and replay datasets from data.yml files " + "to Splunk via HTTP Event Collector (HEC)", + epilog=""" +Environment Variables Required: + SPLUNK_HOST - Splunk server hostname/IP + SPLUNK_HEC_TOKEN - Splunk HEC token + +Example usage: + python replay_all.py /path/to/datasets/folder + python replay_all.py datasets/attack_techniques --host-uuid 12345678-abcd-efgh + export SPLUNK_HOST="192.168.1.100" + export SPLUNK_HEC_TOKEN="your-hec-token" + +This script will: +1. Recursively find all data.yml files in the specified directory +2. Parse each data.yml file to extract dataset information +3. Replay each dataset using the source and sourcetype from the yml file +4. Use the id field from data.yml as the host field for Splunk events + """, + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + parser.add_argument( + 'path', + help='Path to a directory containing data.yml files ' + '(searches recursively)' + ) + parser.add_argument( + '--source', + default='test', + help='Source field for Splunk events (default: test)' + ) + parser.add_argument( + '--sourcetype', + default='test', + help='Sourcetype field for Splunk events (default: test)' + ) + parser.add_argument( + '--index', + default='test', + help='Splunk index to send events to (default: test)' + ) + parser.add_argument( + '--host-uuid', + help='UUID to use as the host field for Splunk events ' + '(generates random UUID if not provided)' + ) + args = parser.parse_args() + + try: + env_vars = load_environment_variables() + splunk_host = env_vars['host'] + hec_token = env_vars['hec_token'] + + if not os.path.isdir(args.path): + print(f"Error: {args.path} is not a valid directory") + sys.exit(1) + + # Find all data.yml files recursively + data_yml_files = find_data_yml_files(args.path) + + if not data_yml_files: + print(f"No data.yml files found in {args.path}") + sys.exit(1) + + # Process each data.yml file + for yml_file in data_yml_files: + print(f"\nProcessing {yml_file}...") + file_id, datasets = parse_data_yml(yml_file) + + if not file_id or not datasets: + print(f"Skipping {yml_file} - no valid data found") + continue + + # Use the id from data.yml as host field (unless user provided one) + event_host_uuid = args.host_uuid or file_id + print(f"Using host UUID: {event_host_uuid}") + + # Process each dataset in the data.yml file + for dataset in datasets: + dataset_name = dataset.get('name', 'unknown') + dataset_path = dataset.get('path', '') + dataset_source = dataset.get('source', args.source) + dataset_sourcetype = dataset.get('sourcetype', args.sourcetype) + + if not dataset_path: + print(f"Warning: No path specified for dataset " + f"'{dataset_name}', skipping") + continue + + # Handle relative paths - relative to attack_data root + if dataset_path.startswith('/datasets/'): + # Convert to absolute path based on project structure + if Path(args.path).name == 'datasets': + base_dir = Path(args.path).parent + else: + base_dir = Path(args.path) + while (base_dir.name != 'attack_data' and + base_dir.parent != base_dir): + base_dir = base_dir.parent + + if base_dir.name == 'attack_data': + full_path = base_dir / dataset_path.lstrip('/') + else: + # Fallback: assume current working directory structure + full_path = Path.cwd() / dataset_path.lstrip('/') + else: + # Assume relative to yml file location + yml_dir = Path(yml_file).parent + full_path = yml_dir / dataset_path + + if not full_path.exists(): + print(f"Warning: Dataset file not found: {full_path}") + continue + + print(f" Sending dataset '{dataset_name}' from {full_path}") + print(f" source: {dataset_source}") + print(f" sourcetype: {dataset_sourcetype}") + + send_data_to_splunk( + file_path=str(full_path), + splunk_host=splunk_host, + hec_token=hec_token, + event_host_uuid=event_host_uuid, + index=args.index, + source=dataset_source, + sourcetype=dataset_sourcetype, + ) + + except Exception as e: + print(f"Error: {e}") + sys.exit(1) + + +if __name__ == "__main__": + main() From 3b9588b2f9d2536c3e3fe41f3e917aa83cb58d14 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 12 Aug 2025 16:00:37 +0200 Subject: [PATCH 07/18] Add data.yml files --- .../T1003.001/atomic_red_team/data.yml | 29 ++++++++++ .../T1003.002/atomic_red_team/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1003.002/serioussam/data.yml | 13 +++++ .../T1003.003/atomic_red_team/data.yml | 21 ++++++++ .../T1003.004/NoLMHash/data.yml | 13 +++++ .../T1003.006/impacket/data.yml | 13 +++++ .../T1003.006/mimikatz/data.yml | 13 +++++ .../T1003.008/copy_file_stdoutpipe/data.yml | 13 +++++ .../linux_auditd_access_credential/data.yml | 17 ++++++ .../T1003/credential_extraction/data.yml | 13 +++++ .../T1003/wdigest_enable/data.yml | 13 +++++ datasets/attack_techniques/T1014/data.yml | 17 ++++++ .../linux_net_discovery/data.yml | 13 +++++ .../T1016/discovery_commands/data.yml | 13 +++++ .../T1016/linux_auditd_net_tool/data.yml | 13 +++++ .../T1016/linux_auditd_net_tool_new/data.yml | 13 +++++ .../T1018/AD_discovery/data.yml | 13 +++++ .../T1018/atomic_red_team/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ datasets/attack_techniques/T1020/data.yml | 13 +++++ .../T1021.001/mstsc_rdp_cmd/data.yml | 13 +++++ .../remote_desktop_connection/data.yml | 13 +++++ .../T1021.002/atomic_red_team/data.yml | 36 +++++++++++++ .../T1021.002/executable_in_share/data.yml | 13 +++++ .../T1021.002/impacket_smbexec/data.yml | 13 +++++ .../T1021.002/impacket_wmiexec/data.yml | 13 +++++ .../T1021.003/impacket/data.yml | 13 +++++ .../T1021.003/lateral_movement/data.yml | 21 ++++++++ .../lateral_movement_lolbas/data.yml | 13 +++++ .../T1021.006/lateral_movement/data.yml | 13 +++++ .../lateral_movement_lolbas/data.yml | 13 +++++ .../T1021.006/lateral_movement_psh/data.yml | 17 ++++++ .../lateral_movement_pssession/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1027/FuckThatPacker/data.yml | 13 +++++ .../T1027/atomic_red_team/data.yml | 13 +++++ .../T1027/trickbot_drop/data.yml | 13 +++++ .../T1030/linux_auditd_split_b_exec/data.yml | 17 ++++++ .../T1030/linux_auditd_split_syscall/data.yml | 13 +++++ .../linux_auditd_split_syscall_new/data.yml | 13 +++++ .../T1033/AD_discovery/data.yml | 17 ++++++ .../T1033/atomic_red_team/data.yml | 13 +++++ .../T1033/linux_auditd_whoami/data.yml | 13 +++++ .../T1033/linux_auditd_whoami_new/data.yml | 13 +++++ .../T1033/qakbot_discovery_cmdline/data.yml | 13 +++++ .../T1033/whoami_priv/data.yml | 13 +++++ .../T1036.003/atomic_red_team/data.yml | 13 +++++ .../T1036.003/copy_sysmon/data.yml | 13 +++++ .../T1036.003/mpcmdrun/data.yml | 13 +++++ .../T1036.003/samsam_extension/data.yml | 13 +++++ .../T1036/msdtc_process_param/data.yml | 13 +++++ .../T1036/suspicious_process_path/data.yml | 13 +++++ .../T1036/write_to_recycle_bin/data.yml | 13 +++++ .../T1037.001/logonscript_reg/data.yml | 13 +++++ .../T1046/kubernetes_scanning/data.yml | 13 +++++ .../T1047/atomic_red_team/data.yml | 21 ++++++++ .../T1047/execution_scrcons/data.yml | 13 +++++ .../T1047/lateral_movement/data.yml | 13 +++++ .../T1047/lateral_movement_lolbas/data.yml | 13 +++++ .../T1047/wmi_impersonate/data.yml | 13 +++++ .../T1048.003/cve-2023-23397/data.yml | 13 +++++ .../T1048.003/long_dns_queries/data.yml | 13 +++++ .../T1048.003/mass_file_creation/data.yml | 13 +++++ .../T1048.003/nslookup_exfil/data.yml | 17 ++++++ .../T1048/ftp_connection/data.yml | 13 +++++ .../T1049/AD_discovery/data.yml | 13 +++++ .../T1053.002/at_execution/data.yml | 13 +++++ .../T1053.002/lateral_movement/data.yml | 13 +++++ .../T1053.002/linux_auditd_at/data.yml | 13 +++++ .../linux_auditd_chown_root/data.yml | 17 ++++++ .../T1053.002/linux_new_auditd_at/data.yml | 13 +++++ .../T1053.003/cronjobs_entry/data.yml | 17 ++++++ .../T1053.003/crontab_edit_parameter/data.yml | 13 +++++ .../T1053.003/crontab_list_parameter/data.yml | 13 +++++ .../linux_auditd_cron_file_audited/data.yml | 13 +++++ .../linux_auditd_crontab_edit/data.yml | 13 +++++ .../linux_auditd_crontab_edit_new/data.yml | 13 +++++ .../asyncrat_highest_priv_schtasks/data.yml | 13 +++++ .../T1053.005/atomic_red_team/data.yml | 21 ++++++++ .../T1053.005/lateral_movement/data.yml | 13 +++++ .../lateral_movement_lolbas/data.yml | 13 +++++ .../T1053.005/schtask_shutdown/data.yml | 13 +++++ .../T1053.005/schtask_system/data.yml | 13 +++++ .../T1053.005/schtasks/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1053.005/taskschedule/data.yml | 17 ++++++ .../T1053.005/windows_taskschedule/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1053.006/linux_services_restart/data.yml | 13 +++++ .../T1053.006/service_systemd/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1055.001/rasautou/data.yml | 13 +++++ .../T1055/cobalt_strike/data.yml | 21 ++++++++ .../attack_techniques/T1055/msra/data.yml | 17 ++++++ .../attack_techniques/T1055/sliver/data.yml | 21 ++++++++ .../T1055/trickbot_inf/data.yml | 13 +++++ .../process_commandline_discovery/data.yml | 13 +++++ .../asyncrat_crypto_pwh_namespace/data.yml | 13 +++++ .../T1059.001/atomic_red_team/data.yml | 41 ++++++++++++++ .../T1059.001/encoded_powershell/data.yml | 25 +++++++++ .../T1059.001/exchange/data.yml | 17 ++++++ .../T1059.001/hidden_powershell/data.yml | 13 +++++ .../import_applocker_policy/data.yml | 13 +++++ .../malicious_cmd_line_samples/data.yml | 13 +++++ .../T1059.001/obfuscated_powershell/data.yml | 13 +++++ .../powershell_execution_policy/data.yml | 13 +++++ .../powershell_remotesigned/data.yml | 21 ++++++++ .../powershell_script_block_logging/data.yml | 20 +++++++ .../T1059.001/powershell_testing/data.yml | 13 +++++ .../powershell_xml_requests/data.yml | 13 +++++ .../T1059.001/sharphound/data.yml | 13 +++++ .../T1059.001/soaphound/data.yml | 13 +++++ .../trickbot_cmd_powershell/data.yml | 13 +++++ .../unmanaged_powershell_execution/data.yml | 13 +++++ .../T1059.003/atomic_red_team/data.yml | 13 +++++ .../T1059.003/cmd_spawns_cscript/data.yml | 13 +++++ .../T1059.003/powershell_spawn_cmd/data.yml | 13 +++++ .../attack_techniques/T1059.003/ryuk/data.yml | 13 +++++ .../T1059.004/linux_discovery_tools/data.yml | 13 +++++ .../T1059.005/discord_dnsquery/data.yml | 13 +++++ .../T1059.005/vbs_wscript/data.yml | 13 +++++ .../attack_techniques/T1059/autoit/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1059/metasploit/data.yml | 13 +++++ .../T1059/path_traversal/data.yml | 13 +++++ .../suspiciously_named_executables/data.yml | 13 +++++ .../attack_techniques/T1068/drivers/data.yml | 17 ++++++ .../windows_escalation_behavior/data.yml | 13 +++++ .../T1068/zoom_child_process/data.yml | 13 +++++ .../T1069.001/atomic_red_team/data.yml | 17 ++++++ .../T1069.002/AD_discovery/data.yml | 33 ++++++++++++ .../data.yml | 13 +++++ .../T1070.001/atomic_red_team/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../windows_event_log_cleared/data.yml | 13 +++++ .../T1070.005/atomic_red_team/data.yml | 13 +++++ .../T1070/atomic_red_team/data.yml | 13 +++++ .../T1070/fsutil_file_zero/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1071.002/outbound_smb_traffic/data.yml | 13 +++++ .../T1078.002/account_lockout/data.yml | 21 ++++++++ .../powerview_acl_enumeration/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../azure_automation_runbook/data.yml | 13 +++++ .../T1078.004/azure_runbook_webhook/data.yml | 13 +++++ .../T1078.004/azuread/data.yml | 13 +++++ .../T1078.004/azuread_pws/data.yml | 13 +++++ .../T1078.004/gcp_single_factor_auth/data.yml | 13 +++++ .../data.yml | 13 +++++ .../okta_single_factor_auth/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1078/aws_create_policy_version/data.yml | 17 ++++++ .../T1078/aws_createaccesskey/data.yml | 17 ++++++ .../T1078/aws_createloginprofile/data.yml | 13 +++++ .../data.yml | 12 +++++ .../data.yml | 13 +++++ .../aws_setdefaultpolicyversion/data.yml | 13 +++++ .../T1078/aws_updateloginprofile/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1078/defaultaccount/data.yml | 13 +++++ .../o365_excessive_sso_logon_errors/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../special_logon_on_mulitple_hosts/data.yml | 13 +++++ .../T1078/update_saml_provider/data.yml | 13 +++++ .../T1082/atomic_red_team/data.yml | 13 +++++ .../T1082/linux_auditd_lsmod/data.yml | 13 +++++ .../T1082/linux_auditd_lsmod_new/data.yml | 13 +++++ .../T1083/linux_auditd_find_db/data.yml | 13 +++++ .../T1083/linux_auditd_find_document/data.yml | 17 ++++++ .../linux_auditd_find_virtual_disk/data.yml | 17 ++++++ .../T1083/linux_auditd_hidden_file/data.yml | 17 ++++++ .../attack_techniques/T1083/splunk/data.yml | 12 +++++ .../T1087.001/AD_discovery/data.yml | 17 ++++++ .../T1087.002/AD_discovery/data.yml | 33 ++++++++++++ .../T1087.002/adsi_discovery/data.yml | 21 ++++++++ .../T1087.002/blackmatter_schcache/data.yml | 13 +++++ .../T1087.004/azurehound/data.yml | 13 +++++ .../T1087.004/okta_unauth_access/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1090.001/netsh_portproxy/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../okta_new_api_token_created/data.yml | 13 +++++ .../data.yml | 12 +++++ .../data.yml | 12 +++++ .../o365_mailbox_folder_read_granted/data.yml | 13 +++++ .../T1098.003/azure_ad_admin_consent/data.yml | 13 +++++ .../data.yml | 13 +++++ .../azure_ad_assign_privileged_role/data.yml | 13 +++++ .../azure_ad_bypass_admin_consent/data.yml | 13 +++++ .../azure_ad_pim_role_activated/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1098.003/azure_ad_spn_privesc/data.yml | 13 +++++ .../T1098.003/o365_admin_consent/data.yml | 13 +++++ .../o365_bypass_admin_consent/data.yml | 13 +++++ .../T1098.003/o365_grant_mail_read/data.yml | 13 +++++ .../o365_high_priv_role_assigned/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1098.003/o365_spn_privesc/data.yml | 13 +++++ .../T1098.004/linux_auditd_nopasswd/data.yml | 13 +++++ .../T1098.004/ssh_authorized_keys/data.yml | 17 ++++++ .../azure_ad_register_new_mfa_method/data.yml | 13 +++++ .../o365_register_new_mfa_method/data.yml | 13 +++++ .../okta_new_device_enrolled/data.yml | 13 +++++ .../T1098/account_manipulation/data.yml | 13 +++++ .../T1098/aws_iam_delete_policy/data.yml | 17 ++++++ .../aws_iam_failure_group_deletion/data.yml | 17 ++++++ .../data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1098/azure_ad_enable_and_reset/data.yml | 13 +++++ .../T1098/azure_ad_set_immutableid/data.yml | 13 +++++ .../T1098/dnsadmins_member_added/data.yml | 13 +++++ .../T1098/dsrm_account/data.yml | 17 ++++++ .../o365_add_app_registration_owner/data.yml | 13 +++++ .../T1098/o365_azure_workload_events/data.yml | 13 +++++ .../service_principal_name_added/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1105/atomic_red_team/data.yml | 25 +++++++++ .../T1110.001/aws_login_failure/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1110.001/rdp_brute_sysmon/data.yml | 13 +++++ .../T1110.002/aws_rds_password_reset/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../azure_ad_distributed_spray/data.yml | 13 +++++ .../T1110.003/azuread_highrisk/data.yml | 13 +++++ .../gcp_gws_multiple_login_failure/data.yml | 13 +++++ .../T1110.003/o365_distributed_spray/data.yml | 13 +++++ .../o365_multiple_users_from_ip/data.yml | 13 +++++ .../okta_multiple_users_from_ip/data.yml | 13 +++++ .../password_spraying_azuread/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../purplesharp_remote_spray_xml/data.yml | 13 +++++ .../data.yml | 13 +++++ .../purplesharp_valid_users_ntlm_xml/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1110/azure_mfasweep_events/data.yml | 13 +++++ .../T1110/o365_brute_force_login/data.yml | 13 +++++ .../okta_multiple_accounts_lockout/data.yml | 13 +++++ .../AuthenticationLevelOverride/data.yml | 13 +++++ .../T1112/atomic_red_team/data.yml | 25 +++++++++ .../enablelinkedconnections/data.yml | 13 +++++ .../T1112/blackbyte/longpathsenabled/data.yml | 13 +++++ .../T1112/disable_notif_center/data.yml | 13 +++++ .../T1112/firewall_modify_delete/data.yml | 15 ++++++ .../T1112/minint_reg/data.yml | 13 +++++ .../T1112/ransomware_disable_reg/data.yml | 13 +++++ .../T1112/shimcache_flush/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../o365_inbox_shared_with_all_users/data.yml | 13 +++++ .../data.yml | 12 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../o365_mailbox_forwarding_enabled/data.yml | 13 +++++ .../T1114/o365_export_pst_file/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1114/o365_suspect_email_actions/data.yml | 17 ++++++ .../T1115/linux_auditd_xclip/data.yml | 17 ++++++ datasets/attack_techniques/T1127.001/data.yml | 13 +++++ .../T1127.001/regsvr32_silent/data.yml | 13 +++++ .../T1127/atomic_red_team/data.yml | 13 +++++ .../T1127/etw_disable/data.yml | 13 +++++ .../T1134.005/mimikatz/data.yml | 13 +++++ .../T1134.005/sid_history2/data.yml | 13 +++++ .../T1135/ipc_share_accessed/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1135/net_share/data.yml | 13 +++++ .../net_share_discovery_via_dir/data.yml | 15 ++++++ .../T1135/powerview_sharefinder/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1136.001/atomic_red_team/data.yml | 33 ++++++++++++ .../T1136.001/linux_auditd_add_user/data.yml | 17 ++++++ .../linux_auditd_add_user_type/data.yml | 13 +++++ .../azure_ad_add_service_principal/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../azure_automation_account/data.yml | 13 +++++ .../data.yml | 13 +++++ .../o365_add_service_principal/data.yml | 13 +++++ .../o365_added_service_principal/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../o365_new_federated_domain/data.yml | 13 +++++ .../o365_new_federated_domain_added/data.yml | 17 ++++++ .../T1136.003/o365_new_federation/data.yml | 13 +++++ .../T1140/atomic_red_team/data.yml | 13 +++++ .../T1140/linux_auditd_base64/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1187/petitpotam/data.yml | 17 ++++++ .../T1189/dyn_dns_site/data.yml | 13 +++++ .../attack_techniques/T1189/splunk/data.yml | 24 +++++++++ datasets/attack_techniques/T1189/xss/data.yml | 12 +++++ .../attack_techniques/T1190/citrix/data.yml | 19 +++++++ .../T1190/confluence/data.yml | 22 ++++++++ .../attack_techniques/T1190/crushftp/data.yml | 21 ++++++++ datasets/attack_techniques/T1190/data.yml | 13 +++++ .../attack_techniques/T1190/ivanti/data.yml | 39 ++++++++++++++ .../attack_techniques/T1190/java/data.yml | 12 +++++ .../attack_techniques/T1190/jenkins/data.yml | 12 +++++ .../attack_techniques/T1190/juniper/data.yml | 13 +++++ .../attack_techniques/T1190/magento/data.yml | 12 +++++ .../T1190/outbound_java/data.yml | 13 +++++ .../attack_techniques/T1190/papercut/data.yml | 17 ++++++ .../T1190/proxyshell/data.yml | 13 +++++ .../attack_techniques/T1190/pswa/data.yml | 12 +++++ datasets/attack_techniques/T1190/sap/data.yml | 17 ++++++ .../T1190/screenconnect/data.yml | 20 +++++++ .../T1190/sharepoint/data.yml | 12 +++++ .../attack_techniques/T1190/splunk/data.yml | 12 +++++ .../T1190/spring4shell/data.yml | 12 +++++ .../T1190/text4shell/data.yml | 12 +++++ .../attack_techniques/T1190/tomcat/data.yml | 12 +++++ .../attack_techniques/T1195.002/3CX/data.yml | 21 ++++++++ .../T1197/atomic_red_team/data.yml | 17 ++++++ .../T1200/linux_auditd_swapoff/data.yml | 17 ++++++ .../T1200/sysmon_usb_use_execution/data.yml | 13 +++++ .../T1201/pwd_policy_discovery/data.yml | 17 ++++++ .../T1202/atomic_red_team/data.yml | 17 ++++++ .../T1204.002/atomic_red_team/data.yml | 13 +++++ .../T1204.002/batch_file_in_system32/data.yml | 13 +++++ .../T1204.002/single_letter_exe/data.yml | 13 +++++ .../aws_ecr_container_upload/data.yml | 17 ++++++ .../T1204.003/aws_ecr_image_scanning/data.yml | 13 +++++ .../T1204.003/risk_dataset/data.yml | 13 +++++ .../aws_updatelambdafunctioncode/data.yml | 13 +++++ .../failed_login_service_account_ad/data.yml | 13 +++++ .../data.yml | 13 +++++ .../kubernetes_falco_shell_spawned/data.yml | 13 +++++ .../T1204/kubernetes_privileged_pod/data.yml | 13 +++++ .../kubernetes_unauthorized_access/data.yml | 13 +++++ .../T1204/rare_executables/data.yml | 13 +++++ .../attack_techniques/T1207/dc_promo/data.yml | 13 +++++ .../attack_techniques/T1207/mimikatz/data.yml | 13 +++++ .../T1207/short_lived_server_object/data.yml | 13 +++++ .../attack_techniques/T1210/splunk/data.yml | 22 ++++++++ .../kubernetes_nginx_lfi_attack/data.yml | 12 +++++ .../kuberntest_nginx_rfi_attack/data.yml | 12 +++++ .../o365_sus_sharepoint_search/data.yml | 13 +++++ .../T1216/atomic_red_team/data.yml | 17 ++++++ .../T1218.001/atomic_red_team/data.yml | 21 ++++++++ .../T1218.002/atomic_red_team/data.yml | 13 +++++ .../T1218.004/atomic_red_team/data.yml | 17 ++++++ .../T1218.005/atomic_red_team/data.yml | 17 ++++++ .../T1218.005/mshta_in_registry/data.yml | 17 ++++++ .../T1218.007/atomic_red_team/data.yml | 17 ++++++ .../T1218.008/atomic_red_team/data.yml | 21 ++++++++ .../T1218.009/atomic_red_team/data.yml | 13 +++++ .../T1218.010/atomic_red_team/data.yml | 13 +++++ .../T1218.011/atomic_red_team/data.yml | 17 ++++++ .../T1218.012/verclsid_exec/data.yml | 13 +++++ .../T1218.013/atomic_red_team/data.yml | 13 +++++ .../T1218/bitlockertogo/data.yml | 17 ++++++ .../T1218/diskshadow/data.yml | 13 +++++ .../attack_techniques/T1218/eviltwin/data.yml | 13 +++++ .../T1219/atomic_red_team/data.yml | 13 +++++ .../T1219/screenconnect/data.yml | 13 +++++ .../T1219/teamviewer/data.yml | 13 +++++ .../T1220/atomic_red_team/data.yml | 13 +++++ .../T1222.001/atomic_red_team/data.yml | 13 +++++ .../T1222.001/dacl_abuse/data.yml | 41 ++++++++++++++ .../T1222.001/subinacl/data.yml | 13 +++++ .../T1222.002/linux_auditd_chattr_i/data.yml | 17 ++++++ .../linux_auditd_chmod_exec_attrib/data.yml | 17 ++++++ .../T1482/atomic_red_team/data.yml | 13 +++++ .../T1482/discovery/data.yml | 17 ++++++ .../default_domain_policy_modified/data.yml | 13 +++++ .../T1484.001/gpo_modification/data.yml | 13 +++++ .../T1484.001/group_policy_created/data.yml | 13 +++++ .../T1484.001/group_policy_deleted/data.yml | 13 +++++ .../T1484.001/group_policy_disabled/data.yml | 13 +++++ .../T1484.001/group_policy_new_cse/data.yml | 13 +++++ .../T1484.002/new_federated_domain/data.yml | 13 +++++ .../T1484/DCShadowPermissions/data.yml | 13 +++++ .../T1484/aclmodification/data.yml | 13 +++++ .../T1485/atomic_red_team/data.yml | 13 +++++ .../T1485/decommissioned_buckets/data.yml | 12 +++++ .../data.yml | 13 +++++ .../T1485/excessive_file_deletions/data.yml | 13 +++++ .../T1485/linux_auditd_dd_overwrite/data.yml | 17 ++++++ .../linux_auditd_no_preserve_root/data.yml | 17 ++++++ .../T1485/linux_auditd_shred/data.yml | 17 ++++++ .../T1485/linux_dd_file_overwrite/data.yml | 13 +++++ .../T1485/ransomware_extensions/data.yml | 13 +++++ .../T1485/ransomware_notes/data.yml | 17 ++++++ .../T1485/rm_boot_dir/data.yml | 13 +++++ .../T1485/rm_shred_critical_dir/data.yml | 13 +++++ .../attack_techniques/T1485/sdelete/data.yml | 13 +++++ .../T1486/aws_kms_key/data.yml | 17 ++++++ .../attack_techniques/T1486/dcrypt/data.yml | 13 +++++ .../T1486/s3_file_encryption/data.yml | 13 +++++ .../T1486/sam_sam_note/data.yml | 13 +++++ .../linux_auditd_auditd_service_stop/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1489/linux_auditd_service_stop/data.yml | 13 +++++ .../linux_auditd_sysmon_service_stop/data.yml | 13 +++++ .../T1489/linux_service_stop_disable/data.yml | 13 +++++ .../T1490/atomic_red_team/data.yml | 17 ++++++ .../T1490/aws_bucket_version/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1490/ransomware_notes/data.yml | 13 +++++ .../T1490/shadowcopy_del/data.yml | 13 +++++ .../T1497.003/ping_sleep/data.yml | 13 +++++ .../T1505.001/simulation/data.yml | 25 +++++++++ datasets/attack_techniques/T1505.003/data.yml | 25 +++++++++ datasets/attack_techniques/T1505.004/data.yml | 53 +++++++++++++++++++ .../T1526/aws_security_scanner/data.yml | 13 +++++ .../kubernetes_audit_pull_image/data.yml | 13 +++++ .../T1526/kubernetes_kube_hunter/data.yml | 13 +++++ .../azure_ad_user_consent_blocked/data.yml | 13 +++++ .../azure_ad_user_consent_declined/data.yml | 13 +++++ .../azure_ad_user_consent_granted/data.yml | 13 +++++ .../T1528/device_code_authentication/data.yml | 13 +++++ .../T1528/o365_user_consent_blocked/data.yml | 13 +++++ .../T1528/o365_user_consent_declined/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1530/aws_s3_public_bucket/data.yml | 13 +++++ .../T1531/atomic_red_team/data.yml | 13 +++++ .../T1537/aws_ami_shared_public/data.yml | 13 +++++ .../T1537/aws_exfil_risk_events/data.yml | 13 +++++ .../T1537/aws_snapshot_exfil/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../okta_web_session_multiple_ip/data.yml | 13 +++++ .../T1542.003/bootkits/data.yml | 13 +++++ .../T1543.003/atomic_red_team/data.yml | 29 ++++++++++ .../T1543.003/lateral_movement/data.yml | 13 +++++ .../lateral_movement_lolbas/data.yml | 13 +++++ .../lateral_movement_powershell/data.yml | 13 +++++ .../services_lolbas_execution/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1546.001/txtfile_reg/data.yml | 13 +++++ .../T1546.002/scrnsave_reg/data.yml | 13 +++++ .../T1546.003/atomic_red_team/data.yml | 13 +++++ .../T1546.003/wmi_event_subscription/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1546.004/linux_init_profile/data.yml | 13 +++++ .../T1546.008/atomic_red_team/data.yml | 13 +++++ .../T1546.011/atomic_red_team/data.yml | 13 +++++ .../T1546.012/atomic_red_team/data.yml | 17 ++++++ .../T1546.015/atomic_red_team/data.yml | 21 ++++++++ .../T1546.015/pwh_com_object/data.yml | 13 +++++ .../T1546.015/uac_colorui/data.yml | 13 +++++ .../T1546/adminsdholder_modified/data.yml | 13 +++++ .../T1547.001/atomic_red_team/data.yml | 17 ++++++ .../T1547.003/timeprovider_reg/data.yml | 13 +++++ .../T1547.005/malicious_ssp/data.yml | 17 ++++++ .../T1547.006/linux_auditd_insmod/data.yml | 13 +++++ .../linux_auditd_insmod_new/data.yml | 13 +++++ .../T1547.006/linux_auditd_modprobe/data.yml | 13 +++++ .../linux_auditd_modprobe_new/data.yml | 13 +++++ .../data.yml | 17 ++++++ .../T1547.006/linux_auditd_rmmod/data.yml | 13 +++++ .../T1547.006/linux_auditd_rmmod_new/data.yml | 13 +++++ .../loading_linux_kernel_module/data.yml | 13 +++++ .../T1547.008/atomic_red_team/data.yml | 13 +++++ .../T1547.010/atomic_red_team/data.yml | 17 ++++++ .../T1547.012/print_reg/data.yml | 21 ++++++++ .../T1547.012/printnightmare/data.yml | 17 ++++++ .../T1548.001/chmod_uid/data.yml | 13 +++++ .../T1548.001/linux_auditd_setuid/data.yml | 25 +++++++++ .../T1548.001/linux_setcap/data.yml | 13 +++++ .../LocalAccountTokenFilterPolicy/data.yml | 13 +++++ .../T1548.002/atomic_red_team/data.yml | 17 ++++++ .../attack_techniques/T1548.002/slui/data.yml | 13 +++++ .../T1548.002/ssa_eventvwr/data.yml | 13 +++++ .../T1548.002/uac_behavior/data.yml | 13 +++++ .../attack_techniques/T1548.003/doas/data.yml | 13 +++++ .../T1548.003/doas_exec/data.yml | 13 +++++ .../T1548.003/linux_adduser/data.yml | 13 +++++ .../T1548.003/linux_auditd_doas/data.yml | 13 +++++ .../T1548.003/linux_auditd_doas_new/data.yml | 13 +++++ .../T1548.003/linux_auditd_nopasswd/data.yml | 17 ++++++ .../T1548.003/linux_auditd_sudo_su/data.yml | 17 ++++++ .../linux_auditd_sudoers_access/data.yml | 13 +++++ .../T1548.003/nopasswd_sudoers/data.yml | 13 +++++ .../T1548.003/sudo_su/data.yml | 13 +++++ .../T1548.003/sudoers_temp/data.yml | 13 +++++ .../T1548.003/visudo/data.yml | 13 +++++ datasets/attack_techniques/T1548/apt/data.yml | 13 +++++ .../attack_techniques/T1548/apt_get/data.yml | 13 +++++ datasets/attack_techniques/T1548/awk/data.yml | 13 +++++ .../attack_techniques/T1548/busybox/data.yml | 13 +++++ datasets/attack_techniques/T1548/c89/data.yml | 13 +++++ datasets/attack_techniques/T1548/c99/data.yml | 13 +++++ .../attack_techniques/T1548/composer/data.yml | 13 +++++ .../attack_techniques/T1548/cpulimit/data.yml | 13 +++++ .../attack_techniques/T1548/csvtool/data.yml | 13 +++++ .../T1548/darkside_cmstp_com/data.yml | 13 +++++ .../attack_techniques/T1548/docker/data.yml | 13 +++++ .../attack_techniques/T1548/emacs/data.yml | 13 +++++ .../attack_techniques/T1548/find/data.yml | 13 +++++ .../attack_techniques/T1548/gawk/data.yml | 13 +++++ datasets/attack_techniques/T1548/gdb/data.yml | 13 +++++ datasets/attack_techniques/T1548/gem/data.yml | 13 +++++ .../attack_techniques/T1548/make/data.yml | 13 +++++ .../attack_techniques/T1548/mysql/data.yml | 13 +++++ .../attack_techniques/T1548/node/data.yml | 13 +++++ .../attack_techniques/T1548/octave/data.yml | 13 +++++ .../attack_techniques/T1548/openvpn/data.yml | 13 +++++ datasets/attack_techniques/T1548/php/data.yml | 13 +++++ .../attack_techniques/T1548/puppet/data.yml | 13 +++++ datasets/attack_techniques/T1548/rpm/data.yml | 13 +++++ .../attack_techniques/T1548/ruby/data.yml | 13 +++++ .../attack_techniques/T1548/splunk/data.yml | 13 +++++ .../attack_techniques/T1548/sqlite3/data.yml | 13 +++++ .../T1548/uac_bypass/data.yml | 17 ++++++ .../T1550.002/atomic_red_team/data.yml | 13 +++++ .../T1550.003/mimikatz/data.yml | 13 +++++ .../T1550.003/rubeus/data.yml | 13 +++++ .../data.yml | 13 +++++ .../attack_techniques/T1550/rubeus/data.yml | 13 +++++ .../T1552.001/password_in_username/data.yml | 13 +++++ .../T1552.002/autoadminlogon/data.yml | 13 +++++ .../T1552.004/linux_auditd_find_gpg/data.yml | 17 ++++++ .../linux_auditd_find_ssh_files/data.yml | 17 ++++++ .../T1552.006/findstr_gpp_discovery/data.yml | 17 ++++++ .../T1552/aws_getpassworddata/data.yml | 17 ++++++ .../attack_techniques/T1553.003/sip/data.yml | 13 +++++ .../T1553.004/atomic_red_team/data.yml | 13 +++++ .../linux_auditd_find_credentials/data.yml | 17 ++++++ .../linux_auditd_find_password_db/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1555/web_browser_pass_view/data.yml | 13 +++++ .../T1556.001/atomic_red_team/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../okta_mfa_method_disabled/data.yml | 13 +++++ .../attack_techniques/T1556/azuread/data.yml | 13 +++++ .../cisco_duo_bulk_policy_deletion/data.yml | 13 +++++ .../T1556/cisco_duo_bypass_2FA/data.yml | 13 +++++ .../T1556/cisco_duo_bypass_code/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../cisco_duo_policy_bypass_2FA/data.yml | 13 +++++ .../data.yml | 13 +++++ .../cisco_duo_policy_deny_access/data.yml | 13 +++++ .../cisco_duo_unusual_admin_login/data.yml | 13 +++++ .../T1556/disable_credential_guard/data.yml | 13 +++++ .../T1556/disable_lsa_protection/data.yml | 13 +++++ .../T1556/gcp_disable_mfa/data.yml | 13 +++++ .../T1556/o365_disable_mfa/data.yml | 13 +++++ .../T1556/o365_sso_logon_errors/data.yml | 17 ++++++ .../attack_techniques/T1556/okta_idp/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1558.003/atomic_red_team/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1558.003/powerview-2/data.yml | 13 +++++ .../T1558.003/powerview/data.yml | 13 +++++ .../T1558.003/rubeus/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1558.004/powershell/data.yml | 17 ++++++ .../T1558/diamond_ticket/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1560.001/archive_utility/data.yml | 13 +++++ .../T1561.002/mbr_raw_access/data.yml | 13 +++++ .../T1562.001/atomic_red_team/data.yml | 29 ++++++++++ .../defender_exclusion_sysmon/data.yml | 13 +++++ .../delete_win_defender_context_menu/data.yml | 13 +++++ .../data.yml | 13 +++++ .../disable_defender_logging/data.yml | 13 +++++ .../T1562.001/disable_gpo/data.yml | 13 +++++ .../hotkey_disabled_hidden_user/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1562.001/pwh_defender_disabling/data.yml | 13 +++++ .../sc_service_start_disabled/data.yml | 13 +++++ .../T1562.001/unload_sysmon/data.yml | 13 +++++ .../win_app_defender_disabling/data.yml | 17 ++++++ .../win_defend_service_stop/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1562.002/auditpol_tampering/data.yml | 13 +++++ .../eventlog_sddl_tampering/data.yml | 13 +++++ .../T1562.004/atomic_red_team/data.yml | 13 +++++ .../linux_auditd_disable_firewall/data.yml | 13 +++++ .../njrat_add_firewall_rule/data.yml | 16 ++++++ .../T1562.004/njrat_delete_firewall/data.yml | 12 +++++ .../T1562.007/aws_create_acl/data.yml | 17 ++++++ .../T1562.007/aws_delete_acl/data.yml | 17 ++++++ .../o365_bypass_mfa_via_trusted_ip/data.yml | 13 +++++ .../aws_delete_security_services/data.yml | 17 ++++++ .../delete_cloudwatch_log_group/data.yml | 17 ++++++ .../o365_advanced_audit_disabled/data.yml | 13 +++++ .../T1562.008/put_bucketlifecycle/data.yml | 17 ++++++ .../T1562.008/stop_delete_cloudtrail/data.yml | 21 ++++++++ .../T1562.008/update_cloudtrail/data.yml | 17 ++++++ .../T1562.012/auditd_daemon_type/data.yml | 13 +++++ .../data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1563.002/rdphijack/data.yml | 17 ++++++ .../data.yml | 13 +++++ .../linux_auditd_hidden_file/data.yml | 13 +++++ .../T1564.004/ads_abuse/data.yml | 13 +++++ .../attack_techniques/T1564.008/o365/data.yml | 13 +++++ .../T1564/sc_sdset_tampering/data.yml | 13 +++++ .../T1566.001/datasets/data.yml | 13 +++++ .../T1566.001/datasets2/data.yml | 13 +++++ .../data.yml | 13 +++++ .../gsuite_susp_attachment_ext/data.yml | 13 +++++ .../T1566.001/gsuite_susp_subj/data.yml | 13 +++++ .../T1566.001/gsuite_susp_url/data.yml | 13 +++++ .../T1566.001/macro/data.yml | 41 ++++++++++++++ .../T1566.001/office_doc_abuses_rels/data.yml | 13 +++++ .../T1566.001/onenote_spear_phishing/data.yml | 13 +++++ .../T1566.001/phishing_pdf_uri/data.yml | 13 +++++ .../T1566.002/atomic_red_team/data.yml | 17 ++++++ .../T1566.002/lnk_file_temp_folder/data.yml | 13 +++++ .../T1566/cve-2024-21378/data.yml | 13 +++++ .../T1566/o365_various_alerts/data.yml | 13 +++++ .../T1566/zscalar_web_proxy/data.yml | 13 +++++ .../T1567/o365_sus_file_activity/data.yml | 13 +++++ .../T1567/web_upload_nginx/data.yml | 12 +++++ .../T1569.002/atomic_red_team/data.yml | 13 +++++ .../T1569.002/linux_service_start/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1569.002/remcom/data.yml | 17 ++++++ .../T1569.002/scmanager_sddl_tamper/data.yml | 13 +++++ .../data.yml | 13 +++++ .../attack_techniques/T1570/remcom/data.yml | 17 ++++++ .../T1572/cobalt_strike/data.yml | 13 +++++ .../attack_techniques/T1572/ngrok/data.yml | 13 +++++ .../attack_techniques/T1572/plink/data.yml | 21 ++++++++ .../T1572/ssh_proxy_command/data.yml | 13 +++++ .../T1574.001/atomic_red_team/data.yml | 13 +++++ .../T1574.001/iscsicpl/data.yml | 13 +++++ .../T1574.002/hijacklibs/data.yml | 13 +++++ .../T1574.002/msi_module_load/data.yml | 17 ++++++ .../T1574.002/wineloader/data.yml | 13 +++++ .../T1574.006/lib_hijack/data.yml | 13 +++++ .../T1574.006/linux_auditd_ldpreload/data.yml | 17 ++++++ .../linux_auditd_preload_file/data.yml | 13 +++++ .../T1574.009/atomic_red_team/data.yml | 13 +++++ .../change_registry_path_service/data.yml | 13 +++++ .../aws_authorize_security_group/data.yml | 13 +++++ .../data.yml | 16 ++++++ .../data.yml | 17 ++++++ .../data.yml | 13 +++++ .../T1586.003/okta_multiple_city/data.yml | 13 +++++ .../T1587.002/atomic_red_team/data.yml | 13 +++++ .../T1588.002/atomic_red_team/data.yml | 13 +++++ .../kerberos_user_enumeration/data.yml | 13 +++++ .../T1590.002/enum_dns_record/data.yml | 13 +++++ datasets/attack_techniques/T1590.005/data.yml | 13 +++++ .../T1595/attacker_scan_tools/data.yml | 17 ++++++ .../T1595/sysmon_scanning_events/data.yml | 13 +++++ .../attack_techniques/T1598.002/rdp/data.yml | 13 +++++ .../common_language_runtim_loaded/data.yml | 13 +++++ .../T1621/aws_mfa_disabled/data.yml | 13 +++++ .../data.yml | 13 +++++ .../attack_techniques/T1621/azuread/data.yml | 13 +++++ .../T1621/gcp_failed_mfa/data.yml | 13 +++++ .../T1621/multiple_failed_mfa_gws/data.yml | 13 +++++ .../multiple_failed_mfa_requests/data.yml | 13 +++++ .../data.yml | 13 +++++ .../T1621/okta_mfa_login_failed/data.yml | 13 +++++ .../T1621/okta_mismatch/data.yml | 13 +++++ .../okta_multiple_failed_mfa_pushes/data.yml | 13 +++++ .../data.yml | 13 +++++ .../attack_techniques/T1621/pingid/data.yml | 17 ++++++ .../T1649/atomic_red_team/data.yml | 45 ++++++++++++++++ .../T1649/certify_abuse/data.yml | 13 +++++ .../t1547.014/active_setup_stubpath/data.yml | 13 +++++ .../t1592/host_info_dxdiag/data.yml | 13 +++++ .../t1592/pwh_av_recon/data.yml | 13 +++++ datasets/malware/acidrain/data.yml | 13 +++++ .../agent_tesla/agent_tesla_ftp/data.yml | 13 +++++ .../agent_tesla/agent_tesla_smtp/data.yml | 13 +++++ .../agent_tesla_tor_dns_query/data.yml | 13 +++++ .../agent_tesla/chm_powershell/data.yml | 13 +++++ .../malware/amadey/access_permission/data.yml | 13 +++++ datasets/malware/awfulshred/test1/data.yml | 13 +++++ datasets/malware/awfulshred/test2/data.yml | 13 +++++ datasets/malware/awfulshred/test3/data.yml | 13 +++++ datasets/malware/azorult/data.yml | 13 +++++ .../brute_duplicate_token/data.yml | 13 +++++ .../brute_ratel/create_remote_thread/data.yml | 13 +++++ .../iso_version_dll_campaign/data.yml | 13 +++++ .../brute_ratel/loading_samlib/data.yml | 13 +++++ .../brute_ratel/service_deletion/data.yml | 13 +++++ .../data.yml | 13 +++++ datasets/malware/chaos_ransomware/data.yml | 13 +++++ .../spread_in_root_drives/data.yml | 13 +++++ datasets/malware/clop/clop_a/data.yml | 17 ++++++ datasets/malware/clop/clop_b/data.yml | 13 +++++ datasets/malware/conti/conti-cobalt/data.yml | 13 +++++ datasets/malware/conti/conti_leak/data.yml | 21 ++++++++ datasets/malware/conti/inf1/data.yml | 13 +++++ datasets/malware/cyclopsblink/data.yml | 13 +++++ .../dcrat/dcrat_delay_execution/data.yml | 13 +++++ .../malware/dcrat/dcrat_enum_camera/data.yml | 13 +++++ .../malware/dcrat/dcrat_explorer_url/data.yml | 13 +++++ .../malware/dcrat/dcrat_forkbomb/data.yml | 13 +++++ .../dcrat/reboot_logoff_commandline/data.yml | 13 +++++ .../dcrat/shutdown_commandline/data.yml | 13 +++++ datasets/malware/doublezero_wiper/data.yml | 13 +++++ datasets/malware/fin7/fin7_js_2/data.yml | 21 ++++++++ .../malware/fin7/fin7_macro_js_1/data.yml | 13 +++++ datasets/malware/fin7/jssloader/data.yml | 13 +++++ .../malware/gootloader/partial_ttps/data.yml | 17 ++++++ datasets/malware/hermetic_wiper/data.yml | 13 +++++ .../globalfolderoptions_reg/data.yml | 13 +++++ .../icedid/cmd_carry_str_param/data.yml | 13 +++++ datasets/malware/icedid/disable_av/data.yml | 17 ++++++ .../malware/icedid/disable_schtask/data.yml | 13 +++++ datasets/malware/icedid/inf_icedid/data.yml | 13 +++++ datasets/malware/icedid/phish_icedid/data.yml | 13 +++++ .../malware/icedid/simulated_icedid/data.yml | 13 +++++ datasets/malware/industroyer2/data.yml | 13 +++++ datasets/malware/lockbit_ransomware/data.yml | 13 +++++ datasets/malware/minergate/data.yml | 13 +++++ datasets/malware/olympic_destroyer/data.yml | 13 +++++ datasets/malware/prestige_ransomware/data.yml | 13 +++++ datasets/malware/qakbot/data.yml | 13 +++++ datasets/malware/qakbot/qbot2/data.yml | 13 +++++ datasets/malware/qakbot/qbot_3/data.yml | 13 +++++ datasets/malware/qakbot/qbot_wermgr/data.yml | 13 +++++ datasets/malware/qakbot/qbot_wermgr2/data.yml | 13 +++++ .../malware/qakbot/remote_thread/data.yml | 13 +++++ .../malware/ransomware_ttp/data1/data.yml | 13 +++++ .../malware/ransomware_ttp/data2/data.yml | 13 +++++ .../malware/redline/modify_registry/data.yml | 13 +++++ datasets/malware/remcos/remcos/data.yml | 13 +++++ datasets/malware/remcos/remcos_agent/data.yml | 17 ++++++ .../malware/remcos/remcos_dynwrapx/data.yml | 21 ++++++++ .../remcos/remcos_pastebin_download/data.yml | 13 +++++ .../malware/remcos/remcos_registry/data.yml | 13 +++++ datasets/malware/revil/inf1/data.yml | 13 +++++ datasets/malware/revil/inf2/data.yml | 13 +++++ datasets/malware/revil/msmpeng_side/data.yml | 13 +++++ datasets/malware/ryuk/data.yml | 13 +++++ datasets/malware/snakemalware/data.yml | 25 +++++++++ datasets/malware/swift_slicer/data.yml | 13 +++++ .../malware/trickbot/exe_smbshare/data.yml | 13 +++++ datasets/malware/trickbot/infection/data.yml | 13 +++++ datasets/malware/trickbot/namedpipe/data.yml | 13 +++++ .../malware/trickbot/spear_phish/data.yml | 13 +++++ datasets/malware/vilsel/data.yml | 17 ++++++ datasets/malware/winpeas/data.yml | 13 +++++ datasets/malware/winpeas/powershell/data.yml | 17 ++++++ .../winpeas/winpeas_cmdkeylist/data.yml | 13 +++++ .../malware/winpeas/winpeas_fsutil/data.yml | 13 +++++ .../winpeas_search_private_key/data.yml | 13 +++++ .../winpeas/winpeas_search_pwd/data.yml | 13 +++++ .../winpeas/winpeas_search_pwd_db/data.yml | 13 +++++ .../winter-vivern/pwh_exfiltration/data.yml | 13 +++++ .../winter-vivern/pwh_uploadstring/data.yml | 13 +++++ .../winter-vivern/scheduledtask/data.yml | 13 +++++ datasets/malware/xmrig_miner/data.yml | 13 +++++ 771 files changed, 11015 insertions(+) create mode 100644 datasets/attack_techniques/T1003.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1003.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml create mode 100644 datasets/attack_techniques/T1003.002/serioussam/data.yml create mode 100644 datasets/attack_techniques/T1003.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1003.004/NoLMHash/data.yml create mode 100644 datasets/attack_techniques/T1003.006/impacket/data.yml create mode 100644 datasets/attack_techniques/T1003.006/mimikatz/data.yml create mode 100644 datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml create mode 100644 datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml create mode 100644 datasets/attack_techniques/T1003/credential_extraction/data.yml create mode 100644 datasets/attack_techniques/T1003/wdigest_enable/data.yml create mode 100644 datasets/attack_techniques/T1014/data.yml create mode 100644 datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml create mode 100644 datasets/attack_techniques/T1016/discovery_commands/data.yml create mode 100644 datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml create mode 100644 datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml create mode 100644 datasets/attack_techniques/T1018/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1018/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml create mode 100644 datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml create mode 100644 datasets/attack_techniques/T1020/data.yml create mode 100644 datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml create mode 100644 datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml create mode 100644 datasets/attack_techniques/T1021.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1021.002/executable_in_share/data.yml create mode 100644 datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml create mode 100644 datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml create mode 100644 datasets/attack_techniques/T1021.003/impacket/data.yml create mode 100644 datasets/attack_techniques/T1021.003/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml create mode 100644 datasets/attack_techniques/T1021.006/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml create mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml create mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml create mode 100644 datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml create mode 100644 datasets/attack_techniques/T1027/FuckThatPacker/data.yml create mode 100644 datasets/attack_techniques/T1027/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1027/trickbot_drop/data.yml create mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml create mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml create mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml create mode 100644 datasets/attack_techniques/T1033/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1033/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml create mode 100644 datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml create mode 100644 datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml create mode 100644 datasets/attack_techniques/T1033/whoami_priv/data.yml create mode 100644 datasets/attack_techniques/T1036.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1036.003/copy_sysmon/data.yml create mode 100644 datasets/attack_techniques/T1036.003/mpcmdrun/data.yml create mode 100644 datasets/attack_techniques/T1036.003/samsam_extension/data.yml create mode 100644 datasets/attack_techniques/T1036/msdtc_process_param/data.yml create mode 100644 datasets/attack_techniques/T1036/suspicious_process_path/data.yml create mode 100644 datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml create mode 100644 datasets/attack_techniques/T1037.001/logonscript_reg/data.yml create mode 100644 datasets/attack_techniques/T1046/kubernetes_scanning/data.yml create mode 100644 datasets/attack_techniques/T1047/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1047/execution_scrcons/data.yml create mode 100644 datasets/attack_techniques/T1047/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml create mode 100644 datasets/attack_techniques/T1047/wmi_impersonate/data.yml create mode 100644 datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml create mode 100644 datasets/attack_techniques/T1048.003/long_dns_queries/data.yml create mode 100644 datasets/attack_techniques/T1048.003/mass_file_creation/data.yml create mode 100644 datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml create mode 100644 datasets/attack_techniques/T1048/ftp_connection/data.yml create mode 100644 datasets/attack_techniques/T1049/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1053.002/at_execution/data.yml create mode 100644 datasets/attack_techniques/T1053.002/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml create mode 100644 datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml create mode 100644 datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml create mode 100644 datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml create mode 100644 datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml create mode 100644 datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml create mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml create mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml create mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml create mode 100644 datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml create mode 100644 datasets/attack_techniques/T1053.005/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1053.005/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml create mode 100644 datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml create mode 100644 datasets/attack_techniques/T1053.005/schtask_system/data.yml create mode 100644 datasets/attack_techniques/T1053.005/schtasks/data.yml create mode 100644 datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml create mode 100644 datasets/attack_techniques/T1053.005/taskschedule/data.yml create mode 100644 datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml create mode 100644 datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml create mode 100644 datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml create mode 100644 datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml create mode 100644 datasets/attack_techniques/T1053.006/linux_services_restart/data.yml create mode 100644 datasets/attack_techniques/T1053.006/service_systemd/data.yml create mode 100644 datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml create mode 100644 datasets/attack_techniques/T1055.001/rasautou/data.yml create mode 100644 datasets/attack_techniques/T1055/cobalt_strike/data.yml create mode 100644 datasets/attack_techniques/T1055/msra/data.yml create mode 100644 datasets/attack_techniques/T1055/sliver/data.yml create mode 100644 datasets/attack_techniques/T1055/trickbot_inf/data.yml create mode 100644 datasets/attack_techniques/T1057/process_commandline_discovery/data.yml create mode 100644 datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml create mode 100644 datasets/attack_techniques/T1059.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1059.001/encoded_powershell/data.yml create mode 100644 datasets/attack_techniques/T1059.001/exchange/data.yml create mode 100644 datasets/attack_techniques/T1059.001/hidden_powershell/data.yml create mode 100644 datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml create mode 100644 datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml create mode 100644 datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml create mode 100644 datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml create mode 100644 datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml create mode 100644 datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml create mode 100644 datasets/attack_techniques/T1059.001/powershell_testing/data.yml create mode 100644 datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml create mode 100644 datasets/attack_techniques/T1059.001/sharphound/data.yml create mode 100644 datasets/attack_techniques/T1059.001/soaphound/data.yml create mode 100644 datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml create mode 100644 datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml create mode 100644 datasets/attack_techniques/T1059.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml create mode 100644 datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml create mode 100644 datasets/attack_techniques/T1059.003/ryuk/data.yml create mode 100644 datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml create mode 100644 datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml create mode 100644 datasets/attack_techniques/T1059.005/vbs_wscript/data.yml create mode 100644 datasets/attack_techniques/T1059/autoit/data.yml create mode 100644 datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml create mode 100644 datasets/attack_techniques/T1059/metasploit/data.yml create mode 100644 datasets/attack_techniques/T1059/path_traversal/data.yml create mode 100644 datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml create mode 100644 datasets/attack_techniques/T1068/drivers/data.yml create mode 100644 datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml create mode 100644 datasets/attack_techniques/T1068/zoom_child_process/data.yml create mode 100644 datasets/attack_techniques/T1069.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1069.002/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml create mode 100644 datasets/attack_techniques/T1070.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml create mode 100644 datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml create mode 100644 datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml create mode 100644 datasets/attack_techniques/T1070.005/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1070/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1070/fsutil_file_zero/data.yml create mode 100644 datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml create mode 100644 datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml create mode 100644 datasets/attack_techniques/T1078.002/account_lockout/data.yml create mode 100644 datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml create mode 100644 datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml create mode 100644 datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml create mode 100644 datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml create mode 100644 datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml create mode 100644 datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml create mode 100644 datasets/attack_techniques/T1078.004/azuread/data.yml create mode 100644 datasets/attack_techniques/T1078.004/azuread_pws/data.yml create mode 100644 datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml create mode 100644 datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml create mode 100644 datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml create mode 100644 datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_create_policy_version/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_createaccesskey/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_createloginprofile/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml create mode 100644 datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml create mode 100644 datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml create mode 100644 datasets/attack_techniques/T1078/defaultaccount/data.yml create mode 100644 datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml create mode 100644 datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml create mode 100644 datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml create mode 100644 datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml create mode 100644 datasets/attack_techniques/T1078/update_saml_provider/data.yml create mode 100644 datasets/attack_techniques/T1082/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml create mode 100644 datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml create mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml create mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml create mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml create mode 100644 datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml create mode 100644 datasets/attack_techniques/T1083/splunk/data.yml create mode 100644 datasets/attack_techniques/T1087.001/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1087.002/AD_discovery/data.yml create mode 100644 datasets/attack_techniques/T1087.002/adsi_discovery/data.yml create mode 100644 datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml create mode 100644 datasets/attack_techniques/T1087.004/azurehound/data.yml create mode 100644 datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml create mode 100644 datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml create mode 100644 datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml create mode 100644 datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml create mode 100644 datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml create mode 100644 datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml create mode 100644 datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml create mode 100644 datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml create mode 100644 datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml create mode 100644 datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml create mode 100644 datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml create mode 100644 datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml create mode 100644 datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml create mode 100644 datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml create mode 100644 datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml create mode 100644 datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml create mode 100644 datasets/attack_techniques/T1098/account_manipulation/data.yml create mode 100644 datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml create mode 100644 datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml create mode 100644 datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml create mode 100644 datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml create mode 100644 datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml create mode 100644 datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml create mode 100644 datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml create mode 100644 datasets/attack_techniques/T1098/dsrm_account/data.yml create mode 100644 datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml create mode 100644 datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml create mode 100644 datasets/attack_techniques/T1098/service_principal_name_added/data.yml create mode 100644 datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml create mode 100644 datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml create mode 100644 datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml create mode 100644 datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml create mode 100644 datasets/attack_techniques/T1105/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1110.001/aws_login_failure/data.yml create mode 100644 datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml create mode 100644 datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml create mode 100644 datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml create mode 100644 datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml create mode 100644 datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml create mode 100644 datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml create mode 100644 datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml create mode 100644 datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml create mode 100644 datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml create mode 100644 datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml create mode 100644 datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml create mode 100644 datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml create mode 100644 datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml create mode 100644 datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml create mode 100644 datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml create mode 100644 datasets/attack_techniques/T1110/o365_brute_force_login/data.yml create mode 100644 datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml create mode 100644 datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml create mode 100644 datasets/attack_techniques/T1112/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml create mode 100644 datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml create mode 100644 datasets/attack_techniques/T1112/disable_notif_center/data.yml create mode 100644 datasets/attack_techniques/T1112/firewall_modify_delete/data.yml create mode 100644 datasets/attack_techniques/T1112/minint_reg/data.yml create mode 100644 datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml create mode 100644 datasets/attack_techniques/T1112/shimcache_flush/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml create mode 100644 datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml create mode 100644 datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml create mode 100644 datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml create mode 100644 datasets/attack_techniques/T1114/o365_export_pst_file/data.yml create mode 100644 datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml create mode 100644 datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml create mode 100644 datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml create mode 100644 datasets/attack_techniques/T1127.001/data.yml create mode 100644 datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml create mode 100644 datasets/attack_techniques/T1127/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1127/etw_disable/data.yml create mode 100644 datasets/attack_techniques/T1134.005/mimikatz/data.yml create mode 100644 datasets/attack_techniques/T1134.005/sid_history2/data.yml create mode 100644 datasets/attack_techniques/T1135/ipc_share_accessed/data.yml create mode 100644 datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml create mode 100644 datasets/attack_techniques/T1135/net_share/data.yml create mode 100644 datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml create mode 100644 datasets/attack_techniques/T1135/powerview_sharefinder/data.yml create mode 100644 datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml create mode 100644 datasets/attack_techniques/T1136.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml create mode 100644 datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml create mode 100644 datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml create mode 100644 datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml create mode 100644 datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml create mode 100644 datasets/attack_techniques/T1136.003/azure_automation_account/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml create mode 100644 datasets/attack_techniques/T1136.003/o365_new_federation/data.yml create mode 100644 datasets/attack_techniques/T1140/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1140/linux_auditd_base64/data.yml create mode 100644 datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml create mode 100644 datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml create mode 100644 datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml create mode 100644 datasets/attack_techniques/T1187/petitpotam/data.yml create mode 100644 datasets/attack_techniques/T1189/dyn_dns_site/data.yml create mode 100644 datasets/attack_techniques/T1189/splunk/data.yml create mode 100644 datasets/attack_techniques/T1189/xss/data.yml create mode 100644 datasets/attack_techniques/T1190/citrix/data.yml create mode 100644 datasets/attack_techniques/T1190/confluence/data.yml create mode 100644 datasets/attack_techniques/T1190/crushftp/data.yml create mode 100644 datasets/attack_techniques/T1190/data.yml create mode 100644 datasets/attack_techniques/T1190/ivanti/data.yml create mode 100644 datasets/attack_techniques/T1190/java/data.yml create mode 100644 datasets/attack_techniques/T1190/jenkins/data.yml create mode 100644 datasets/attack_techniques/T1190/juniper/data.yml create mode 100644 datasets/attack_techniques/T1190/magento/data.yml create mode 100644 datasets/attack_techniques/T1190/outbound_java/data.yml create mode 100644 datasets/attack_techniques/T1190/papercut/data.yml create mode 100644 datasets/attack_techniques/T1190/proxyshell/data.yml create mode 100644 datasets/attack_techniques/T1190/pswa/data.yml create mode 100644 datasets/attack_techniques/T1190/sap/data.yml create mode 100644 datasets/attack_techniques/T1190/screenconnect/data.yml create mode 100644 datasets/attack_techniques/T1190/sharepoint/data.yml create mode 100644 datasets/attack_techniques/T1190/splunk/data.yml create mode 100644 datasets/attack_techniques/T1190/spring4shell/data.yml create mode 100644 datasets/attack_techniques/T1190/text4shell/data.yml create mode 100644 datasets/attack_techniques/T1190/tomcat/data.yml create mode 100644 datasets/attack_techniques/T1195.002/3CX/data.yml create mode 100644 datasets/attack_techniques/T1197/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml create mode 100644 datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml create mode 100644 datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml create mode 100644 datasets/attack_techniques/T1202/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1204.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml create mode 100644 datasets/attack_techniques/T1204.002/single_letter_exe/data.yml create mode 100644 datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml create mode 100644 datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml create mode 100644 datasets/attack_techniques/T1204.003/risk_dataset/data.yml create mode 100644 datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml create mode 100644 datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml create mode 100644 datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml create mode 100644 datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml create mode 100644 datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml create mode 100644 datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml create mode 100644 datasets/attack_techniques/T1204/rare_executables/data.yml create mode 100644 datasets/attack_techniques/T1207/dc_promo/data.yml create mode 100644 datasets/attack_techniques/T1207/mimikatz/data.yml create mode 100644 datasets/attack_techniques/T1207/short_lived_server_object/data.yml create mode 100644 datasets/attack_techniques/T1210/splunk/data.yml create mode 100644 datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml create mode 100644 datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml create mode 100644 datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml create mode 100644 datasets/attack_techniques/T1216/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.004/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.005/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml create mode 100644 datasets/attack_techniques/T1218.007/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.008/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.009/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.010/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.011/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218.012/verclsid_exec/data.yml create mode 100644 datasets/attack_techniques/T1218.013/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1218/bitlockertogo/data.yml create mode 100644 datasets/attack_techniques/T1218/diskshadow/data.yml create mode 100644 datasets/attack_techniques/T1218/eviltwin/data.yml create mode 100644 datasets/attack_techniques/T1219/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1219/screenconnect/data.yml create mode 100644 datasets/attack_techniques/T1219/teamviewer/data.yml create mode 100644 datasets/attack_techniques/T1220/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1222.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1222.001/dacl_abuse/data.yml create mode 100644 datasets/attack_techniques/T1222.001/subinacl/data.yml create mode 100644 datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml create mode 100644 datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml create mode 100644 datasets/attack_techniques/T1482/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1482/discovery/data.yml create mode 100644 datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml create mode 100644 datasets/attack_techniques/T1484.001/gpo_modification/data.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_created/data.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml create mode 100644 datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml create mode 100644 datasets/attack_techniques/T1484.002/new_federated_domain/data.yml create mode 100644 datasets/attack_techniques/T1484/DCShadowPermissions/data.yml create mode 100644 datasets/attack_techniques/T1484/aclmodification/data.yml create mode 100644 datasets/attack_techniques/T1485/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/data.yml create mode 100644 datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml create mode 100644 datasets/attack_techniques/T1485/excessive_file_deletions/data.yml create mode 100644 datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml create mode 100644 datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml create mode 100644 datasets/attack_techniques/T1485/linux_auditd_shred/data.yml create mode 100644 datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml create mode 100644 datasets/attack_techniques/T1485/ransomware_extensions/data.yml create mode 100644 datasets/attack_techniques/T1485/ransomware_notes/data.yml create mode 100644 datasets/attack_techniques/T1485/rm_boot_dir/data.yml create mode 100644 datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml create mode 100644 datasets/attack_techniques/T1485/sdelete/data.yml create mode 100644 datasets/attack_techniques/T1486/aws_kms_key/data.yml create mode 100644 datasets/attack_techniques/T1486/dcrypt/data.yml create mode 100644 datasets/attack_techniques/T1486/s3_file_encryption/data.yml create mode 100644 datasets/attack_techniques/T1486/sam_sam_note/data.yml create mode 100644 datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml create mode 100644 datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml create mode 100644 datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml create mode 100644 datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml create mode 100644 datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml create mode 100644 datasets/attack_techniques/T1490/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1490/aws_bucket_version/data.yml create mode 100644 datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml create mode 100644 datasets/attack_techniques/T1490/ransomware_notes/data.yml create mode 100644 datasets/attack_techniques/T1490/shadowcopy_del/data.yml create mode 100644 datasets/attack_techniques/T1497.003/ping_sleep/data.yml create mode 100644 datasets/attack_techniques/T1505.001/simulation/data.yml create mode 100644 datasets/attack_techniques/T1505.003/data.yml create mode 100644 datasets/attack_techniques/T1505.004/data.yml create mode 100644 datasets/attack_techniques/T1526/aws_security_scanner/data.yml create mode 100644 datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml create mode 100644 datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml create mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml create mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml create mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml create mode 100644 datasets/attack_techniques/T1528/device_code_authentication/data.yml create mode 100644 datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml create mode 100644 datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml create mode 100644 datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml create mode 100644 datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml create mode 100644 datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml create mode 100644 datasets/attack_techniques/T1531/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml create mode 100644 datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml create mode 100644 datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml create mode 100644 datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml create mode 100644 datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml create mode 100644 datasets/attack_techniques/T1542.003/bootkits/data.yml create mode 100644 datasets/attack_techniques/T1543.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1543.003/lateral_movement/data.yml create mode 100644 datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml create mode 100644 datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml create mode 100644 datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml create mode 100644 datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml create mode 100644 datasets/attack_techniques/T1546.001/txtfile_reg/data.yml create mode 100644 datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml create mode 100644 datasets/attack_techniques/T1546.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml create mode 100644 datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml create mode 100644 datasets/attack_techniques/T1546.004/linux_init_profile/data.yml create mode 100644 datasets/attack_techniques/T1546.008/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1546.011/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1546.012/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1546.015/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1546.015/pwh_com_object/data.yml create mode 100644 datasets/attack_techniques/T1546.015/uac_colorui/data.yml create mode 100644 datasets/attack_techniques/T1546/adminsdholder_modified/data.yml create mode 100644 datasets/attack_techniques/T1547.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml create mode 100644 datasets/attack_techniques/T1547.005/malicious_ssp/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml create mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml create mode 100644 datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml create mode 100644 datasets/attack_techniques/T1547.008/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1547.010/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1547.012/print_reg/data.yml create mode 100644 datasets/attack_techniques/T1547.012/printnightmare/data.yml create mode 100644 datasets/attack_techniques/T1548.001/chmod_uid/data.yml create mode 100644 datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml create mode 100644 datasets/attack_techniques/T1548.001/linux_setcap/data.yml create mode 100644 datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml create mode 100644 datasets/attack_techniques/T1548.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1548.002/slui/data.yml create mode 100644 datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml create mode 100644 datasets/attack_techniques/T1548.002/uac_behavior/data.yml create mode 100644 datasets/attack_techniques/T1548.003/doas/data.yml create mode 100644 datasets/attack_techniques/T1548.003/doas_exec/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_adduser/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml create mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml create mode 100644 datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml create mode 100644 datasets/attack_techniques/T1548.003/sudo_su/data.yml create mode 100644 datasets/attack_techniques/T1548.003/sudoers_temp/data.yml create mode 100644 datasets/attack_techniques/T1548.003/visudo/data.yml create mode 100644 datasets/attack_techniques/T1548/apt/data.yml create mode 100644 datasets/attack_techniques/T1548/apt_get/data.yml create mode 100644 datasets/attack_techniques/T1548/awk/data.yml create mode 100644 datasets/attack_techniques/T1548/busybox/data.yml create mode 100644 datasets/attack_techniques/T1548/c89/data.yml create mode 100644 datasets/attack_techniques/T1548/c99/data.yml create mode 100644 datasets/attack_techniques/T1548/composer/data.yml create mode 100644 datasets/attack_techniques/T1548/cpulimit/data.yml create mode 100644 datasets/attack_techniques/T1548/csvtool/data.yml create mode 100644 datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml create mode 100644 datasets/attack_techniques/T1548/docker/data.yml create mode 100644 datasets/attack_techniques/T1548/emacs/data.yml create mode 100644 datasets/attack_techniques/T1548/find/data.yml create mode 100644 datasets/attack_techniques/T1548/gawk/data.yml create mode 100644 datasets/attack_techniques/T1548/gdb/data.yml create mode 100644 datasets/attack_techniques/T1548/gem/data.yml create mode 100644 datasets/attack_techniques/T1548/make/data.yml create mode 100644 datasets/attack_techniques/T1548/mysql/data.yml create mode 100644 datasets/attack_techniques/T1548/node/data.yml create mode 100644 datasets/attack_techniques/T1548/octave/data.yml create mode 100644 datasets/attack_techniques/T1548/openvpn/data.yml create mode 100644 datasets/attack_techniques/T1548/php/data.yml create mode 100644 datasets/attack_techniques/T1548/puppet/data.yml create mode 100644 datasets/attack_techniques/T1548/rpm/data.yml create mode 100644 datasets/attack_techniques/T1548/ruby/data.yml create mode 100644 datasets/attack_techniques/T1548/splunk/data.yml create mode 100644 datasets/attack_techniques/T1548/sqlite3/data.yml create mode 100644 datasets/attack_techniques/T1548/uac_bypass/data.yml create mode 100644 datasets/attack_techniques/T1550.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1550.003/mimikatz/data.yml create mode 100644 datasets/attack_techniques/T1550.003/rubeus/data.yml create mode 100644 datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml create mode 100644 datasets/attack_techniques/T1550/rubeus/data.yml create mode 100644 datasets/attack_techniques/T1552.001/password_in_username/data.yml create mode 100644 datasets/attack_techniques/T1552.002/autoadminlogon/data.yml create mode 100644 datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml create mode 100644 datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml create mode 100644 datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml create mode 100644 datasets/attack_techniques/T1552/aws_getpassworddata/data.yml create mode 100644 datasets/attack_techniques/T1553.003/sip/data.yml create mode 100644 datasets/attack_techniques/T1553.004/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml create mode 100644 datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml create mode 100644 datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml create mode 100644 datasets/attack_techniques/T1555/web_browser_pass_view/data.yml create mode 100644 datasets/attack_techniques/T1556.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml create mode 100644 datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml create mode 100644 datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml create mode 100644 datasets/attack_techniques/T1556/azuread/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml create mode 100644 datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml create mode 100644 datasets/attack_techniques/T1556/disable_credential_guard/data.yml create mode 100644 datasets/attack_techniques/T1556/disable_lsa_protection/data.yml create mode 100644 datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml create mode 100644 datasets/attack_techniques/T1556/o365_disable_mfa/data.yml create mode 100644 datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml create mode 100644 datasets/attack_techniques/T1556/okta_idp/data.yml create mode 100644 datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml create mode 100644 datasets/attack_techniques/T1558.003/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml create mode 100644 datasets/attack_techniques/T1558.003/powerview-2/data.yml create mode 100644 datasets/attack_techniques/T1558.003/powerview/data.yml create mode 100644 datasets/attack_techniques/T1558.003/rubeus/data.yml create mode 100644 datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml create mode 100644 datasets/attack_techniques/T1558.004/powershell/data.yml create mode 100644 datasets/attack_techniques/T1558/diamond_ticket/data.yml create mode 100644 datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml create mode 100644 datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml create mode 100644 datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml create mode 100644 datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml create mode 100644 datasets/attack_techniques/T1560.001/archive_utility/data.yml create mode 100644 datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml create mode 100644 datasets/attack_techniques/T1562.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml create mode 100644 datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml create mode 100644 datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml create mode 100644 datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml create mode 100644 datasets/attack_techniques/T1562.001/disable_gpo/data.yml create mode 100644 datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml create mode 100644 datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml create mode 100644 datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml create mode 100644 datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml create mode 100644 datasets/attack_techniques/T1562.001/unload_sysmon/data.yml create mode 100644 datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml create mode 100644 datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml create mode 100644 datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml create mode 100644 datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml create mode 100644 datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml create mode 100644 datasets/attack_techniques/T1562.004/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml create mode 100644 datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml create mode 100644 datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml create mode 100644 datasets/attack_techniques/T1562.007/aws_create_acl/data.yml create mode 100644 datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml create mode 100644 datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml create mode 100644 datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml create mode 100644 datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml create mode 100644 datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml create mode 100644 datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml create mode 100644 datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml create mode 100644 datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml create mode 100644 datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml create mode 100644 datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml create mode 100644 datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml create mode 100644 datasets/attack_techniques/T1563.002/rdphijack/data.yml create mode 100644 datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml create mode 100644 datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml create mode 100644 datasets/attack_techniques/T1564.004/ads_abuse/data.yml create mode 100644 datasets/attack_techniques/T1564.008/o365/data.yml create mode 100644 datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml create mode 100644 datasets/attack_techniques/T1566.001/datasets/data.yml create mode 100644 datasets/attack_techniques/T1566.001/datasets2/data.yml create mode 100644 datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml create mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml create mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml create mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml create mode 100644 datasets/attack_techniques/T1566.001/macro/data.yml create mode 100644 datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml create mode 100644 datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml create mode 100644 datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml create mode 100644 datasets/attack_techniques/T1566.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml create mode 100644 datasets/attack_techniques/T1566/cve-2024-21378/data.yml create mode 100644 datasets/attack_techniques/T1566/o365_various_alerts/data.yml create mode 100644 datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml create mode 100644 datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml create mode 100644 datasets/attack_techniques/T1567/web_upload_nginx/data.yml create mode 100644 datasets/attack_techniques/T1569.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1569.002/linux_service_start/data.yml create mode 100644 datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml create mode 100644 datasets/attack_techniques/T1569.002/remcom/data.yml create mode 100644 datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml create mode 100644 datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml create mode 100644 datasets/attack_techniques/T1570/remcom/data.yml create mode 100644 datasets/attack_techniques/T1572/cobalt_strike/data.yml create mode 100644 datasets/attack_techniques/T1572/ngrok/data.yml create mode 100644 datasets/attack_techniques/T1572/plink/data.yml create mode 100644 datasets/attack_techniques/T1572/ssh_proxy_command/data.yml create mode 100644 datasets/attack_techniques/T1574.001/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1574.001/iscsicpl/data.yml create mode 100644 datasets/attack_techniques/T1574.002/hijacklibs/data.yml create mode 100644 datasets/attack_techniques/T1574.002/msi_module_load/data.yml create mode 100644 datasets/attack_techniques/T1574.002/wineloader/data.yml create mode 100644 datasets/attack_techniques/T1574.006/lib_hijack/data.yml create mode 100644 datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml create mode 100644 datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml create mode 100644 datasets/attack_techniques/T1574.009/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml create mode 100644 datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml create mode 100644 datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml create mode 100644 datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml create mode 100644 datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml create mode 100644 datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml create mode 100644 datasets/attack_techniques/T1587.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1588.002/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml create mode 100644 datasets/attack_techniques/T1590.002/enum_dns_record/data.yml create mode 100644 datasets/attack_techniques/T1590.005/data.yml create mode 100644 datasets/attack_techniques/T1595/attacker_scan_tools/data.yml create mode 100644 datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml create mode 100644 datasets/attack_techniques/T1598.002/rdp/data.yml create mode 100644 datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml create mode 100644 datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml create mode 100644 datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml create mode 100644 datasets/attack_techniques/T1621/azuread/data.yml create mode 100644 datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml create mode 100644 datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml create mode 100644 datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml create mode 100644 datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml create mode 100644 datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml create mode 100644 datasets/attack_techniques/T1621/okta_mismatch/data.yml create mode 100644 datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml create mode 100644 datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml create mode 100644 datasets/attack_techniques/T1621/pingid/data.yml create mode 100644 datasets/attack_techniques/T1649/atomic_red_team/data.yml create mode 100644 datasets/attack_techniques/T1649/certify_abuse/data.yml create mode 100644 datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml create mode 100644 datasets/attack_techniques/t1592/host_info_dxdiag/data.yml create mode 100644 datasets/attack_techniques/t1592/pwh_av_recon/data.yml create mode 100644 datasets/malware/acidrain/data.yml create mode 100644 datasets/malware/agent_tesla/agent_tesla_ftp/data.yml create mode 100644 datasets/malware/agent_tesla/agent_tesla_smtp/data.yml create mode 100644 datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml create mode 100644 datasets/malware/agent_tesla/chm_powershell/data.yml create mode 100644 datasets/malware/amadey/access_permission/data.yml create mode 100644 datasets/malware/awfulshred/test1/data.yml create mode 100644 datasets/malware/awfulshred/test2/data.yml create mode 100644 datasets/malware/awfulshred/test3/data.yml create mode 100644 datasets/malware/azorult/data.yml create mode 100644 datasets/malware/brute_ratel/brute_duplicate_token/data.yml create mode 100644 datasets/malware/brute_ratel/create_remote_thread/data.yml create mode 100644 datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml create mode 100644 datasets/malware/brute_ratel/loading_samlib/data.yml create mode 100644 datasets/malware/brute_ratel/service_deletion/data.yml create mode 100644 datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml create mode 100644 datasets/malware/chaos_ransomware/data.yml create mode 100644 datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml create mode 100644 datasets/malware/clop/clop_a/data.yml create mode 100644 datasets/malware/clop/clop_b/data.yml create mode 100644 datasets/malware/conti/conti-cobalt/data.yml create mode 100644 datasets/malware/conti/conti_leak/data.yml create mode 100644 datasets/malware/conti/inf1/data.yml create mode 100644 datasets/malware/cyclopsblink/data.yml create mode 100644 datasets/malware/dcrat/dcrat_delay_execution/data.yml create mode 100644 datasets/malware/dcrat/dcrat_enum_camera/data.yml create mode 100644 datasets/malware/dcrat/dcrat_explorer_url/data.yml create mode 100644 datasets/malware/dcrat/dcrat_forkbomb/data.yml create mode 100644 datasets/malware/dcrat/reboot_logoff_commandline/data.yml create mode 100644 datasets/malware/dcrat/shutdown_commandline/data.yml create mode 100644 datasets/malware/doublezero_wiper/data.yml create mode 100644 datasets/malware/fin7/fin7_js_2/data.yml create mode 100644 datasets/malware/fin7/fin7_macro_js_1/data.yml create mode 100644 datasets/malware/fin7/jssloader/data.yml create mode 100644 datasets/malware/gootloader/partial_ttps/data.yml create mode 100644 datasets/malware/hermetic_wiper/data.yml create mode 100644 datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml create mode 100644 datasets/malware/icedid/cmd_carry_str_param/data.yml create mode 100644 datasets/malware/icedid/disable_av/data.yml create mode 100644 datasets/malware/icedid/disable_schtask/data.yml create mode 100644 datasets/malware/icedid/inf_icedid/data.yml create mode 100644 datasets/malware/icedid/phish_icedid/data.yml create mode 100644 datasets/malware/icedid/simulated_icedid/data.yml create mode 100644 datasets/malware/industroyer2/data.yml create mode 100644 datasets/malware/lockbit_ransomware/data.yml create mode 100644 datasets/malware/minergate/data.yml create mode 100644 datasets/malware/olympic_destroyer/data.yml create mode 100644 datasets/malware/prestige_ransomware/data.yml create mode 100644 datasets/malware/qakbot/data.yml create mode 100644 datasets/malware/qakbot/qbot2/data.yml create mode 100644 datasets/malware/qakbot/qbot_3/data.yml create mode 100644 datasets/malware/qakbot/qbot_wermgr/data.yml create mode 100644 datasets/malware/qakbot/qbot_wermgr2/data.yml create mode 100644 datasets/malware/qakbot/remote_thread/data.yml create mode 100644 datasets/malware/ransomware_ttp/data1/data.yml create mode 100644 datasets/malware/ransomware_ttp/data2/data.yml create mode 100644 datasets/malware/redline/modify_registry/data.yml create mode 100644 datasets/malware/remcos/remcos/data.yml create mode 100644 datasets/malware/remcos/remcos_agent/data.yml create mode 100644 datasets/malware/remcos/remcos_dynwrapx/data.yml create mode 100644 datasets/malware/remcos/remcos_pastebin_download/data.yml create mode 100644 datasets/malware/remcos/remcos_registry/data.yml create mode 100644 datasets/malware/revil/inf1/data.yml create mode 100644 datasets/malware/revil/inf2/data.yml create mode 100644 datasets/malware/revil/msmpeng_side/data.yml create mode 100644 datasets/malware/ryuk/data.yml create mode 100644 datasets/malware/snakemalware/data.yml create mode 100644 datasets/malware/swift_slicer/data.yml create mode 100644 datasets/malware/trickbot/exe_smbshare/data.yml create mode 100644 datasets/malware/trickbot/infection/data.yml create mode 100644 datasets/malware/trickbot/namedpipe/data.yml create mode 100644 datasets/malware/trickbot/spear_phish/data.yml create mode 100644 datasets/malware/vilsel/data.yml create mode 100644 datasets/malware/winpeas/data.yml create mode 100644 datasets/malware/winpeas/powershell/data.yml create mode 100644 datasets/malware/winpeas/winpeas_cmdkeylist/data.yml create mode 100644 datasets/malware/winpeas/winpeas_fsutil/data.yml create mode 100644 datasets/malware/winpeas/winpeas_search_private_key/data.yml create mode 100644 datasets/malware/winpeas/winpeas_search_pwd/data.yml create mode 100644 datasets/malware/winpeas/winpeas_search_pwd_db/data.yml create mode 100644 datasets/malware/winter-vivern/pwh_exfiltration/data.yml create mode 100644 datasets/malware/winter-vivern/pwh_uploadstring/data.yml create mode 100644 datasets/malware/winter-vivern/scheduledtask/data.yml create mode 100644 datasets/malware/xmrig_miner/data.yml diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml new file mode 100644 index 000000000..f44d7dfaa --- /dev/null +++ b/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml @@ -0,0 +1,29 @@ +author: Generated by dataset_analyzer.py +id: aebdb3f2-5df9-486b-8b73-87a9a5e51cc0 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1003.001 +datasets: +- name: windows-sysmon_creddump + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: procdump_windows-security + path: /datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: createdump_windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml new file mode 100644 index 000000000..c0db9140e --- /dev/null +++ b/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c1560e15-24a3-41ef-8c8b-98caaa6d13cc +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1003.002 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml b/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml new file mode 100644 index 000000000..bb1e66244 --- /dev/null +++ b/datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1805765d-d6b1-4877-bd35-9520939dae1f +date: '2025-08-12' +description: Automatically categorized datasets in directory detect_copy_of_shadowcopy_with_script_block_logging +environment: attack_range +directory: detect_copy_of_shadowcopy_with_script_block_logging +mitre_technique: +- T1003.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1003.002/detect_copy_of_shadowcopy_with_script_block_logging/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1003.002/serioussam/data.yml b/datasets/attack_techniques/T1003.002/serioussam/data.yml new file mode 100644 index 000000000..4f64f44d3 --- /dev/null +++ b/datasets/attack_techniques/T1003.002/serioussam/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1a6789ed-c2ab-4937-939c-03eb41a8c653 +date: '2025-08-12' +description: Automatically categorized datasets in directory serioussam +environment: attack_range +directory: serioussam +mitre_technique: +- T1003.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml new file mode 100644 index 000000000..054d62e8a --- /dev/null +++ b/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 75688df7-5503-4cb0-9218-aa8951c11f39 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1003.003 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: 4688_windows-security + path: /datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.004/NoLMHash/data.yml b/datasets/attack_techniques/T1003.004/NoLMHash/data.yml new file mode 100644 index 000000000..9174abfea --- /dev/null +++ b/datasets/attack_techniques/T1003.004/NoLMHash/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c4b3c930-dbea-4a6c-a98f-5f26fd2bbabe +date: '2025-08-12' +description: Automatically categorized datasets in directory NoLMHash +environment: attack_range +directory: NoLMHash +mitre_technique: +- T1003.004 +datasets: +- name: lsa-reg-settings-sysmon + path: /datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.006/impacket/data.yml b/datasets/attack_techniques/T1003.006/impacket/data.yml new file mode 100644 index 000000000..f5f1913af --- /dev/null +++ b/datasets/attack_techniques/T1003.006/impacket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e3e707b3-664d-4597-b749-f13cc8d3fdb5 +date: '2025-08-12' +description: Automatically categorized datasets in directory impacket +environment: attack_range +directory: impacket +mitre_technique: +- T1003.006 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.006/mimikatz/data.yml b/datasets/attack_techniques/T1003.006/mimikatz/data.yml new file mode 100644 index 000000000..cb804047a --- /dev/null +++ b/datasets/attack_techniques/T1003.006/mimikatz/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c65ce500-ac9e-4f01-a4d1-7b59eef7c07c +date: '2025-08-12' +description: Automatically categorized datasets in directory mimikatz +environment: attack_range +directory: mimikatz +mitre_technique: +- T1003.006 +datasets: +- name: xml-windows-security + path: /datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml new file mode 100644 index 000000000..d3fd5f8fa --- /dev/null +++ b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 84ddc704-c5a6-4964-86c9-cc11cca6e530 +date: '2025-08-12' +description: Automatically categorized datasets in directory copy_file_stdoutpipe +environment: attack_range +directory: copy_file_stdoutpipe +mitre_technique: +- T1003.008 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml new file mode 100644 index 000000000..0035f7ba3 --- /dev/null +++ b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: aacf4255-ce77-43da-9705-ad794ecccf61 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_access_credential +environment: attack_range +directory: linux_auditd_access_credential +mitre_technique: +- T1003.008 +datasets: +- name: auditd_proctitle_access_cred + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log + sourcetype: auditd + source: auditd +- name: linux_auditd_access_credential + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1003/credential_extraction/data.yml b/datasets/attack_techniques/T1003/credential_extraction/data.yml new file mode 100644 index 000000000..c75567b8a --- /dev/null +++ b/datasets/attack_techniques/T1003/credential_extraction/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 33834b27-ceee-4686-acf2-57eff4d2b891 +date: '2025-08-12' +description: Automatically categorized datasets in directory credential_extraction +environment: attack_range +directory: credential_extraction +mitre_technique: +- T1003 +datasets: +- name: mimikatzwindows-sysmon + path: /datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003/wdigest_enable/data.yml b/datasets/attack_techniques/T1003/wdigest_enable/data.yml new file mode 100644 index 000000000..533cd3999 --- /dev/null +++ b/datasets/attack_techniques/T1003/wdigest_enable/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9d0f9fa3-61a5-4956-9480-bf35ead67ddd +date: '2025-08-12' +description: Automatically categorized datasets in directory wdigest_enable +environment: attack_range +directory: wdigest_enable +mitre_technique: +- T1003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1003/wdigest_enable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1014/data.yml b/datasets/attack_techniques/T1014/data.yml new file mode 100644 index 000000000..99ce217b8 --- /dev/null +++ b/datasets/attack_techniques/T1014/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 07f8dba3-4141-463d-b7a6-fc86a6594067 +date: '2025-08-12' +description: Automatically categorized datasets in directory T1014 +environment: attack_range +directory: T1014 +mitre_technique: +- T1014 +datasets: +- name: windows-system + path: /datasets/attack_techniques/T1014/windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: windows-sysmon + path: /datasets/attack_techniques/T1014/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml new file mode 100644 index 000000000..909867469 --- /dev/null +++ b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4be7f772-9d23-48db-a390-518ed9d32f3d +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_net_discovery +environment: attack_range +directory: linux_net_discovery +mitre_technique: +- T1016 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/discovery_commands/data.yml b/datasets/attack_techniques/T1016/discovery_commands/data.yml new file mode 100644 index 000000000..cd6f24ed3 --- /dev/null +++ b/datasets/attack_techniques/T1016/discovery_commands/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5ef093fd-17cd-4947-9646-c388e7e08d54 +date: '2025-08-12' +description: Automatically categorized datasets in directory discovery_commands +environment: attack_range +directory: discovery_commands +mitre_technique: +- T1016 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml new file mode 100644 index 000000000..7ce5c01a5 --- /dev/null +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 650a428f-3907-4658-9528-dd7a32c9dd1f +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_net_tool +environment: attack_range +directory: linux_auditd_net_tool +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml new file mode 100644 index 000000000..a1749a99b --- /dev/null +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cc95f5bc-508e-4bd1-99b5-04b8257f23b2 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_net_tool_new +environment: attack_range +directory: linux_auditd_net_tool_new +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool_bucket_new + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1018/AD_discovery/data.yml b/datasets/attack_techniques/T1018/AD_discovery/data.yml new file mode 100644 index 000000000..9bf566bb1 --- /dev/null +++ b/datasets/attack_techniques/T1018/AD_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a8d36093-fbdd-487f-a0fc-ef32acc80dd5 +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/atomic_red_team/data.yml b/datasets/attack_techniques/T1018/atomic_red_team/data.yml new file mode 100644 index 000000000..2982e73a7 --- /dev/null +++ b/datasets/attack_techniques/T1018/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7b4c2c13-c889-474b-995c-8a8fd6f31cc9 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml b/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml new file mode 100644 index 000000000..46fd79d83 --- /dev/null +++ b/datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 44b5d16b-fa31-411d-92f9-076961c78516 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_get_adcomputer_unconstrained_delegation_discovery +environment: attack_range +directory: windows_get_adcomputer_unconstrained_delegation_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1018/windows_get_adcomputer_unconstrained_delegation_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml b/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml new file mode 100644 index 000000000..3c354a766 --- /dev/null +++ b/datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2067686c-38db-4751-b494-e7a1fe59ac7c +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_powerview_constrained_delegation_discovery +environment: attack_range +directory: windows_powerview_constrained_delegation_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1018/windows_powerview_constrained_delegation_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1020/data.yml b/datasets/attack_techniques/T1020/data.yml new file mode 100644 index 000000000..e35246e02 --- /dev/null +++ b/datasets/attack_techniques/T1020/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8a675718-3d41-4c56-8f65-df4836e8052c +date: '2025-08-12' +description: Automatically categorized datasets in directory T1020 +environment: attack_range +directory: T1020 +mitre_technique: +- T1020 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1020/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml new file mode 100644 index 000000000..40177bb27 --- /dev/null +++ b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1e0ad510-5b63-4cfc-a371-76d0c015702f +date: '2025-08-12' +description: Automatically categorized datasets in directory mstsc_rdp_cmd +environment: attack_range +directory: mstsc_rdp_cmd +mitre_technique: +- T1021.001 +datasets: +- name: mstsc_sysmon + path: /datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml b/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml new file mode 100644 index 000000000..4a8b1d02f --- /dev/null +++ b/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: aef4f39c-5b61-45f2-9c59-23b48b3f81c5 +date: '2025-08-12' +description: Automatically categorized datasets in directory remote_desktop_connection +environment: attack_range +directory: remote_desktop_connection +mitre_technique: +- T1021.001 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml new file mode 100644 index 000000000..9b4586f31 --- /dev/null +++ b/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml @@ -0,0 +1,36 @@ +author: Generated by dataset_analyzer.py +id: f88a22eb-901e-4a56-a4dc-30eecbdb5ea5 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1021.002 +datasets: +- name: smbexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: wmiexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_smbexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: firewall-powershell + path: /datasets/attack_techniques/T1021.002/atomic_red_team/firewall-powershell.log + sourcetype: firewall +- name: 4688_wmiexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.002/executable_in_share/data.yml b/datasets/attack_techniques/T1021.002/executable_in_share/data.yml new file mode 100644 index 000000000..a92ae05b6 --- /dev/null +++ b/datasets/attack_techniques/T1021.002/executable_in_share/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 55fb92e2-467b-4be9-bff1-85241d8bd47b +date: '2025-08-12' +description: Automatically categorized datasets in directory executable_in_share +environment: attack_range +directory: executable_in_share +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml b/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml new file mode 100644 index 000000000..f1f5e9fbd --- /dev/null +++ b/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7f6d4f8a-87b2-48f7-a10e-8e7696dc0acc +date: '2025-08-12' +description: Automatically categorized datasets in directory impacket_smbexec +environment: attack_range +directory: impacket_smbexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml b/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml new file mode 100644 index 000000000..e993b41e6 --- /dev/null +++ b/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: da63ec5e-8a85-4ee2-8cfd-1f359f1718be +date: '2025-08-12' +description: Automatically categorized datasets in directory impacket_wmiexec +environment: attack_range +directory: impacket_wmiexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.003/impacket/data.yml b/datasets/attack_techniques/T1021.003/impacket/data.yml new file mode 100644 index 000000000..5bccc1903 --- /dev/null +++ b/datasets/attack_techniques/T1021.003/impacket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e2b24e1c-29a0-428e-9af1-4bad64a16b51 +date: '2025-08-12' +description: Automatically categorized datasets in directory impacket +environment: attack_range +directory: impacket +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement/data.yml b/datasets/attack_techniques/T1021.003/lateral_movement/data.yml new file mode 100644 index 000000000..8bacd1738 --- /dev/null +++ b/datasets/attack_techniques/T1021.003/lateral_movement/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 289855a2-dae7-4cc2-bd8d-a2155f322873 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1021.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml new file mode 100644 index 000000000..d63ffdaf3 --- /dev/null +++ b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7422173f-e6b4-4b80-93e8-4f00f4567d54 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_lolbas +environment: attack_range +directory: lateral_movement_lolbas +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement/data.yml new file mode 100644 index 000000000..208404109 --- /dev/null +++ b/datasets/attack_techniques/T1021.006/lateral_movement/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0bd01523-e301-47e4-92aa-38d25acbc569 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml new file mode 100644 index 000000000..51253b886 --- /dev/null +++ b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e7998bca-66d9-4513-abff-978ee19fc091 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_lolbas +environment: attack_range +directory: lateral_movement_lolbas +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml new file mode 100644 index 000000000..2a6787c49 --- /dev/null +++ b/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 15942573-891a-44d9-ae97-1b99a33b401d +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_psh +environment: attack_range +directory: lateral_movement_psh +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml new file mode 100644 index 000000000..fbc0a40d1 --- /dev/null +++ b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 74ae79de-df80-467d-89ac-4f71c636114a +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_pssession +environment: attack_range +directory: lateral_movement_pssession +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml b/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml new file mode 100644 index 000000000..f61fb0c73 --- /dev/null +++ b/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 84c0e5ff-5ee7-424d-9b86-dd4e4d434a90 +date: '2025-08-12' +description: Automatically categorized datasets in directory allow_inbound_traffic_in_firewall_rule +environment: attack_range +directory: allow_inbound_traffic_in_firewall_rule +mitre_technique: +- T1021 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/FuckThatPacker/data.yml b/datasets/attack_techniques/T1027/FuckThatPacker/data.yml new file mode 100644 index 000000000..90e026d29 --- /dev/null +++ b/datasets/attack_techniques/T1027/FuckThatPacker/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3dc9c71d-aef6-4638-a27e-b6941d5bdfb5 +date: '2025-08-12' +description: Automatically categorized datasets in directory FuckThatPacker +environment: attack_range +directory: FuckThatPacker +mitre_technique: +- T1027 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/atomic_red_team/data.yml b/datasets/attack_techniques/T1027/atomic_red_team/data.yml new file mode 100644 index 000000000..afaacb6ad --- /dev/null +++ b/datasets/attack_techniques/T1027/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 98be0207-f04c-41b7-a7b3-9faa859d96f6 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1027 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1027/trickbot_drop/data.yml b/datasets/attack_techniques/T1027/trickbot_drop/data.yml new file mode 100644 index 000000000..c1619099f --- /dev/null +++ b/datasets/attack_techniques/T1027/trickbot_drop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 998ecdcb-5d17-4d08-b35d-83eb1d84f7e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_drop +environment: attack_range +directory: trickbot_drop +mitre_technique: +- T1027 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1027/trickbot_drop/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml new file mode 100644 index 000000000..c7fd390b7 --- /dev/null +++ b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 794c0c61-8ec3-45d2-8a39-03b1ff4d486a +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_split_b_exec +environment: attack_range +directory: linux_auditd_split_b_exec +mitre_technique: +- T1030 +datasets: +- name: auditd_execve_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log + sourcetype: auditd + source: auditd +- name: linux_auditd_split_b_exec + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml new file mode 100644 index 000000000..451f44be2 --- /dev/null +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0d62e93d-8911-4f8c-b3cf-4e5dad2eb96a +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_split_syscall +environment: attack_range +directory: linux_auditd_split_syscall +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_split_syscall + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml new file mode 100644 index 000000000..dfbe8a46a --- /dev/null +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0b98040e-f8b9-45f0-bd84-cd4465585c39 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_split_syscall_new +environment: attack_range +directory: linux_auditd_split_syscall_new +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_new_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/AD_discovery/data.yml b/datasets/attack_techniques/T1033/AD_discovery/data.yml new file mode 100644 index 000000000..dc9cb7ac9 --- /dev/null +++ b/datasets/attack_techniques/T1033/AD_discovery/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 4920627d-b3ba-42e3-8d88-302cd0dde5fa +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1033 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/atomic_red_team/data.yml b/datasets/attack_techniques/T1033/atomic_red_team/data.yml new file mode 100644 index 000000000..edeea5bd1 --- /dev/null +++ b/datasets/attack_techniques/T1033/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ee12546e-7348-44f5-8ee8-b5ec338a7dc6 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1033 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml new file mode 100644 index 000000000..b8f059af8 --- /dev/null +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: be2f1789-b222-40d7-a96f-2fea7dc799e7 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_whoami +environment: attack_range +directory: linux_auditd_whoami +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml new file mode 100644 index 000000000..409501aac --- /dev/null +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c2aaa4fe-2a9d-45c8-82c1-e97d943acd9c +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_whoami_new +environment: attack_range +directory: linux_auditd_whoami_new +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_new_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml new file mode 100644 index 000000000..ce7425c3d --- /dev/null +++ b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dcffd06e-033a-4c63-a344-1e8e65845dfa +date: '2025-08-12' +description: Automatically categorized datasets in directory qakbot_discovery_cmdline +environment: attack_range +directory: qakbot_discovery_cmdline +mitre_technique: +- T1033 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/whoami_priv/data.yml b/datasets/attack_techniques/T1033/whoami_priv/data.yml new file mode 100644 index 000000000..1181439b7 --- /dev/null +++ b/datasets/attack_techniques/T1033/whoami_priv/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a108e47e-b480-428b-acf3-df1a5496d00f +date: '2025-08-12' +description: Automatically categorized datasets in directory whoami_priv +environment: attack_range +directory: whoami_priv +mitre_technique: +- T1033 +datasets: +- name: whoami-priv-sysmon + path: /datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml new file mode 100644 index 000000000..7e82ee38e --- /dev/null +++ b/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5a2c32fc-0098-4d03-91c2-d74169a210bf +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml b/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml new file mode 100644 index 000000000..a44a386d6 --- /dev/null +++ b/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ca227966-adc5-4e63-83e0-2cdc7b599030 +date: '2025-08-12' +description: Automatically categorized datasets in directory copy_sysmon +environment: attack_range +directory: copy_sysmon +mitre_technique: +- T1036.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml b/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml new file mode 100644 index 000000000..a667b956b --- /dev/null +++ b/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a7244c9a-3bd6-4a66-b4fc-fd7b48da00ec +date: '2025-08-12' +description: Automatically categorized datasets in directory mpcmdrun +environment: attack_range +directory: mpcmdrun +mitre_technique: +- T1036.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1036.003/samsam_extension/data.yml b/datasets/attack_techniques/T1036.003/samsam_extension/data.yml new file mode 100644 index 000000000..a58ffb6a2 --- /dev/null +++ b/datasets/attack_techniques/T1036.003/samsam_extension/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: aaade5a2-e9c6-43df-89ed-ae717ece1c7f +date: '2025-08-12' +description: Automatically categorized datasets in directory samsam_extension +environment: attack_range +directory: samsam_extension +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/data.yml b/datasets/attack_techniques/T1036/msdtc_process_param/data.yml new file mode 100644 index 000000000..b9d59aad3 --- /dev/null +++ b/datasets/attack_techniques/T1036/msdtc_process_param/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5181fc4f-6d3f-4d04-8703-433f86b4074a +date: '2025-08-12' +description: Automatically categorized datasets in directory msdtc_process_param +environment: attack_range +directory: msdtc_process_param +mitre_technique: +- T1036 +datasets: +- name: msdtc_a_sysmon + path: /datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/suspicious_process_path/data.yml b/datasets/attack_techniques/T1036/suspicious_process_path/data.yml new file mode 100644 index 000000000..af6275b65 --- /dev/null +++ b/datasets/attack_techniques/T1036/suspicious_process_path/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8a7dbac1-547b-4087-9d63-5733c96988f7 +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_process_path +environment: attack_range +directory: suspicious_process_path +mitre_technique: +- T1036 +datasets: +- name: susp_path_sysmon1 + path: /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml b/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml new file mode 100644 index 000000000..3404b88c8 --- /dev/null +++ b/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 20d85c8d-f6a2-415b-9d62-2a2a515f278b +date: '2025-08-12' +description: Automatically categorized datasets in directory write_to_recycle_bin +environment: attack_range +directory: write_to_recycle_bin +mitre_technique: +- T1036 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml b/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml new file mode 100644 index 000000000..93c7e1dd9 --- /dev/null +++ b/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: abc59778-d37c-4b01-8a2e-ce48dc7b0618 +date: '2025-08-12' +description: Automatically categorized datasets in directory logonscript_reg +environment: attack_range +directory: logonscript_reg +mitre_technique: +- T1037.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml b/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml new file mode 100644 index 000000000..808143a2e --- /dev/null +++ b/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 110503e8-342b-4228-9fdf-5bf9d6d0934a +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_scanning +environment: attack_range +directory: kubernetes_scanning +mitre_technique: +- T1046 +datasets: +- name: kubernetes_scanning-json + path: /datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1047/atomic_red_team/data.yml b/datasets/attack_techniques/T1047/atomic_red_team/data.yml new file mode 100644 index 000000000..2a817eeb9 --- /dev/null +++ b/datasets/attack_techniques/T1047/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 322bf09c-b040-4e39-a5ea-04703068aa57 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1047 +datasets: +- name: 4104-cimmethod-windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: invokewmiexec_windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/execution_scrcons/data.yml b/datasets/attack_techniques/T1047/execution_scrcons/data.yml new file mode 100644 index 000000000..2dac05760 --- /dev/null +++ b/datasets/attack_techniques/T1047/execution_scrcons/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e14dfa31-d87a-4981-98bd-16026ece8a90 +date: '2025-08-12' +description: Automatically categorized datasets in directory execution_scrcons +environment: attack_range +directory: execution_scrcons +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement/data.yml b/datasets/attack_techniques/T1047/lateral_movement/data.yml new file mode 100644 index 000000000..b41f2739b --- /dev/null +++ b/datasets/attack_techniques/T1047/lateral_movement/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 768c7697-5997-4121-9a22-4da3391d7ed2 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml new file mode 100644 index 000000000..f8c7c0e5b --- /dev/null +++ b/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a93e774e-52c3-4b57-ae80-9e4d976c433a +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_lolbas +environment: attack_range +directory: lateral_movement_lolbas +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/wmi_impersonate/data.yml b/datasets/attack_techniques/T1047/wmi_impersonate/data.yml new file mode 100644 index 000000000..f8e86ce74 --- /dev/null +++ b/datasets/attack_techniques/T1047/wmi_impersonate/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c8fb4c1d-0285-4abc-a18d-e287a20e31ee +date: '2025-08-12' +description: Automatically categorized datasets in directory wmi_impersonate +environment: attack_range +directory: wmi_impersonate +mitre_technique: +- T1047 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml b/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml new file mode 100644 index 000000000..a8e985fd7 --- /dev/null +++ b/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9bc6e15a-05b7-42c6-8d13-79ec100f2d27 +date: '2025-08-12' +description: Automatically categorized datasets in directory cve-2023-23397 +environment: attack_range +directory: cve-2023-23397 +mitre_technique: +- T1048.003 +datasets: +- name: webdav_windows-sysmon + path: /datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml b/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml new file mode 100644 index 000000000..7c15dabda --- /dev/null +++ b/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ea963b83-d4d6-460e-ae47-460b3783b21e +date: '2025-08-12' +description: Automatically categorized datasets in directory long_dns_queries +environment: attack_range +directory: long_dns_queries +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml b/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml new file mode 100644 index 000000000..29c37e38c --- /dev/null +++ b/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cd1271c8-d094-4aa0-92fc-8ef292a33f28 +date: '2025-08-12' +description: Automatically categorized datasets in directory mass_file_creation +environment: attack_range +directory: mass_file_creation +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml b/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml new file mode 100644 index 000000000..66e806451 --- /dev/null +++ b/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e3d1b675-da75-4ec4-a4b9-5b9ce0202373 +date: '2025-08-12' +description: Automatically categorized datasets in directory nslookup_exfil +environment: attack_range +directory: nslookup_exfil +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048/ftp_connection/data.yml b/datasets/attack_techniques/T1048/ftp_connection/data.yml new file mode 100644 index 000000000..f55829e82 --- /dev/null +++ b/datasets/attack_techniques/T1048/ftp_connection/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c2c1a0e5-588d-4a23-b35e-45e996c7e056 +date: '2025-08-12' +description: Automatically categorized datasets in directory ftp_connection +environment: attack_range +directory: ftp_connection +mitre_technique: +- T1048 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1049/AD_discovery/data.yml b/datasets/attack_techniques/T1049/AD_discovery/data.yml new file mode 100644 index 000000000..66327ba20 --- /dev/null +++ b/datasets/attack_techniques/T1049/AD_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f43b11f2-fd52-47fa-8a69-9583dea1b899 +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1049 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/at_execution/data.yml b/datasets/attack_techniques/T1053.002/at_execution/data.yml new file mode 100644 index 000000000..fb9176b40 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/at_execution/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0a4925dc-dfee-4df6-9204-e8344fa86d65 +date: '2025-08-12' +description: Automatically categorized datasets in directory at_execution +environment: attack_range +directory: at_execution +mitre_technique: +- T1053.002 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/lateral_movement/data.yml b/datasets/attack_techniques/T1053.002/lateral_movement/data.yml new file mode 100644 index 000000000..a8de0b361 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/lateral_movement/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 828e76f6-f651-4bf7-b2da-006e17091ba8 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1053.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml b/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml new file mode 100644 index 000000000..89a362017 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fffea33f-afe6-41e0-853d-71ee79cef424 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_at +environment: attack_range +directory: linux_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_at_execution + path: /datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml new file mode 100644 index 000000000..3cba5d543 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 96b4deff-7577-4ced-98d7-05cdf4e41db9 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_chown_root +environment: attack_range +directory: linux_auditd_chown_root +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml new file mode 100644 index 000000000..4d11a73e1 --- /dev/null +++ b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d5419f4c-d700-4b53-a7f8-e831279313f8 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_new_auditd_at +environment: attack_range +directory: linux_new_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_new_at + path: /datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml b/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml new file mode 100644 index 000000000..67ffd6ae5 --- /dev/null +++ b/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: b58e809c-4000-4e3a-97d0-cecf8c988a8d +date: '2025-08-12' +description: Automatically categorized datasets in directory cronjobs_entry +environment: attack_range +directory: cronjobs_entry +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux_cron_append + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml new file mode 100644 index 000000000..146a2a9da --- /dev/null +++ b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fee5eabb-06bf-4dc7-ab93-18ae96879454 +date: '2025-08-12' +description: Automatically categorized datasets in directory crontab_edit_parameter +environment: attack_range +directory: crontab_edit_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml b/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml new file mode 100644 index 000000000..573e85a6e --- /dev/null +++ b/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c8413fd6-6b41-4b4e-99e0-8879a5c607a7 +date: '2025-08-12' +description: Automatically categorized datasets in directory crontab_list_parameter +environment: attack_range +directory: crontab_list_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml new file mode 100644 index 000000000..77ab20a26 --- /dev/null +++ b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 349544ac-af78-4c4c-8c53-18e4af01b920 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_cron_file_audited +environment: attack_range +directory: linux_auditd_cron_file_audited +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_cron_file_audited2 + path: /datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml new file mode 100644 index 000000000..d365b0788 --- /dev/null +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 252174b3-4f2a-4832-b4a4-ef69334fa7ac +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_crontab_edit +environment: attack_range +directory: linux_auditd_crontab_edit +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_crontab_edit + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml new file mode 100644 index 000000000..abec88e7b --- /dev/null +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 709b267c-1030-421b-81b7-25e0e46a970b +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_crontab_edit_new +environment: attack_range +directory: linux_auditd_crontab_edit_new +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_new_crontab + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml new file mode 100644 index 000000000..65df7eab8 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 66dd3590-b499-4f4e-bff4-1c7728e9a298 +date: '2025-08-12' +description: Automatically categorized datasets in directory asyncrat_highest_priv_schtasks +environment: attack_range +directory: asyncrat_highest_priv_schtasks +mitre_technique: +- T1053.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml new file mode 100644 index 000000000..65a85df77 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 10c6660a-7320-4f47-bfcb-7ad48c1d5112 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1053.005 +datasets: +- name: 4698_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4698_shell_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement/data.yml b/datasets/attack_techniques/T1053.005/lateral_movement/data.yml new file mode 100644 index 000000000..2a49db1e7 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/lateral_movement/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d0232e6f-ca69-4d10-a03b-3d189b4a9e81 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml new file mode 100644 index 000000000..ffcbbc441 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4a45d53e-3b55-4ac1-81a1-74b1930fc64d +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_lolbas +environment: attack_range +directory: lateral_movement_lolbas +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml b/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml new file mode 100644 index 000000000..912c19e20 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3bc53df6-a781-465c-a840-bf3cabf2c4ce +date: '2025-08-12' +description: Automatically categorized datasets in directory schtask_shutdown +environment: attack_range +directory: schtask_shutdown +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_system/data.yml b/datasets/attack_techniques/T1053.005/schtask_system/data.yml new file mode 100644 index 000000000..79aca24b8 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/schtask_system/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a8bee247-a5ae-4c48-a88b-6dd893f4931c +date: '2025-08-12' +description: Automatically categorized datasets in directory schtask_system +environment: attack_range +directory: schtask_system +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtasks/data.yml b/datasets/attack_techniques/T1053.005/schtasks/data.yml new file mode 100644 index 000000000..b7f8b01c4 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/schtasks/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 021c165d-1674-4c13-87b1-2c909d41896e +date: '2025-08-12' +description: Automatically categorized datasets in directory schtasks +environment: attack_range +directory: schtasks +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml b/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml new file mode 100644 index 000000000..963298fff --- /dev/null +++ b/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5e4c4946-43cb-4caa-be45-9a4186664aa0 +date: '2025-08-12' +description: Automatically categorized datasets in directory svchost_lolbas_execution_process_spawn +environment: attack_range +directory: svchost_lolbas_execution_process_spawn +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/taskschedule/data.yml b/datasets/attack_techniques/T1053.005/taskschedule/data.yml new file mode 100644 index 000000000..bdf557722 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/taskschedule/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 937c5f7d-7188-4f31-ba6a-83c5044dd92c +date: '2025-08-12' +description: Automatically categorized datasets in directory taskschedule +environment: attack_range +directory: taskschedule +mitre_technique: +- T1053.005 +datasets: +- name: sd_delete_windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml b/datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml new file mode 100644 index 000000000..704b63f5e --- /dev/null +++ b/datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d6b8b963-f65f-49a1-818e-7bf4bbe349f9 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_taskschedule +environment: attack_range +directory: windows_taskschedule +mitre_technique: +- T1053.005 +datasets: +- name: windows-taskschedule_xml + path: /datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TaskScheduler diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml new file mode 100644 index 000000000..f5757fb4b --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0b41d7cf-ba30-4267-9e21-f71f33e236bb +date: '2025-08-12' +description: Automatically categorized datasets in directory winevent_scheduled_task_created_to_spawn_shell +environment: attack_range +directory: winevent_scheduled_task_created_to_spawn_shell +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml new file mode 100644 index 000000000..088f2ef74 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 514bf396-1fb6-4350-b33d-3a120b7da85e +date: '2025-08-12' +description: Automatically categorized datasets in directory winevent_scheduled_task_with_suspect_name +environment: attack_range +directory: winevent_scheduled_task_with_suspect_name +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml new file mode 100644 index 000000000..b94421ca1 --- /dev/null +++ b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: aed2ac9a-81af-43ad-a2d0-7172f0670b53 +date: '2025-08-12' +description: Automatically categorized datasets in directory winevent_windows_task_scheduler_event_action_started +environment: attack_range +directory: winevent_windows_task_scheduler_event_action_started +mitre_technique: +- T1053.005 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TaskScheduler diff --git a/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml b/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml new file mode 100644 index 000000000..81936cff6 --- /dev/null +++ b/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3b2859fc-8aa8-4c16-a64c-543870fb2b11 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_services_restart +environment: attack_range +directory: linux_services_restart +mitre_technique: +- T1053.006 +datasets: +- name: auditd_proctitle_service_restart + path: /datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.006/service_systemd/data.yml b/datasets/attack_techniques/T1053.006/service_systemd/data.yml new file mode 100644 index 000000000..994a3d20e --- /dev/null +++ b/datasets/attack_techniques/T1053.006/service_systemd/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7ca3f450-9d9e-4063-8537-e029f474db0d +date: '2025-08-12' +description: Automatically categorized datasets in directory service_systemd +environment: attack_range +directory: service_systemd +mitre_technique: +- T1053.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml new file mode 100644 index 000000000..788fea4ef --- /dev/null +++ b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c68904ce-c6e0-4a22-a06c-7d293c08e410 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_audit_cron_job_creation +environment: attack_range +directory: kubernetes_audit_cron_job_creation +mitre_technique: +- T1053.007 +datasets: +- name: kubernetes_audit_cron_job_creation-json + path: /datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1055.001/rasautou/data.yml b/datasets/attack_techniques/T1055.001/rasautou/data.yml new file mode 100644 index 000000000..9c18ede72 --- /dev/null +++ b/datasets/attack_techniques/T1055.001/rasautou/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 388e7194-b12d-4ae2-813c-42f56ce17ea6 +date: '2025-08-12' +description: Automatically categorized datasets in directory rasautou +environment: attack_range +directory: rasautou +mitre_technique: +- T1055.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/cobalt_strike/data.yml b/datasets/attack_techniques/T1055/cobalt_strike/data.yml new file mode 100644 index 000000000..7b4928e50 --- /dev/null +++ b/datasets/attack_techniques/T1055/cobalt_strike/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 96c24640-8263-4496-847c-0a9cd78ad923 +date: '2025-08-12' +description: Automatically categorized datasets in directory cobalt_strike +environment: attack_range +directory: cobalt_strike +mitre_technique: +- T1055 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_searchprotocolhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_dllhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/msra/data.yml b/datasets/attack_techniques/T1055/msra/data.yml new file mode 100644 index 000000000..1f2dcf807 --- /dev/null +++ b/datasets/attack_techniques/T1055/msra/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 78117c4a-d2ea-4973-9285-41868cc68e4c +date: '2025-08-12' +description: Automatically categorized datasets in directory msra +environment: attack_range +directory: msra +mitre_technique: +- T1055 +datasets: +- name: msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: raw-msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/sliver/data.yml b/datasets/attack_techniques/T1055/sliver/data.yml new file mode 100644 index 000000000..5f612746f --- /dev/null +++ b/datasets/attack_techniques/T1055/sliver/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 77f4acbf-6233-4a0d-ba5c-811a8868e9e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory sliver +environment: attack_range +directory: sliver +mitre_technique: +- T1055 +datasets: +- name: notepad_windows-sysmon + path: /datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sliver_windows-system + path: /datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: T1055_windows-sysmon + path: /datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/trickbot_inf/data.yml b/datasets/attack_techniques/T1055/trickbot_inf/data.yml new file mode 100644 index 000000000..1f1cff52c --- /dev/null +++ b/datasets/attack_techniques/T1055/trickbot_inf/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 739ec99c-d1b2-43e3-bcf2-6538a6f67f96 +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_inf +environment: attack_range +directory: trickbot_inf +mitre_technique: +- T1055 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055/trickbot_inf/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml b/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml new file mode 100644 index 000000000..3e146f7a0 --- /dev/null +++ b/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9878be5b-b285-41de-9166-3b38a1495aeb +date: '2025-08-12' +description: Automatically categorized datasets in directory process_commandline_discovery +environment: attack_range +directory: process_commandline_discovery +mitre_technique: +- T1057 +datasets: +- name: wmic-cmdline-sysmon + path: /datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml new file mode 100644 index 000000000..2db2c158c --- /dev/null +++ b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b6e42f20-0e34-465e-a5e8-6ec7fa12b7f2 +date: '2025-08-12' +description: Automatically categorized datasets in directory asyncrat_crypto_pwh_namespace +environment: attack_range +directory: asyncrat_crypto_pwh_namespace +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml new file mode 100644 index 000000000..eb5a0937c --- /dev/null +++ b/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml @@ -0,0 +1,41 @@ +author: Generated by dataset_analyzer.py +id: 63c3b531-99ed-47fb-8de6-f2a21aad0402 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1059.001 +datasets: +- name: captcha_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: get_ciminstance_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: start_stop_service_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-2 + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4104-psremoting-windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: win32_scheduledjob_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: enableat_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml b/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml new file mode 100644 index 000000000..f9a6a4c0d --- /dev/null +++ b/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: 94fd3544-5f2f-42e7-baad-d3ca721880e3 +date: '2025-08-12' +description: Automatically categorized datasets in directory encoded_powershell +environment: attack_range +directory: encoded_powershell +mitre_technique: +- T1059.001 +datasets: +- name: explorer_spawns_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: padded_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059.001/exchange/data.yml b/datasets/attack_techniques/T1059.001/exchange/data.yml new file mode 100644 index 000000000..c8415ae5a --- /dev/null +++ b/datasets/attack_techniques/T1059.001/exchange/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: dc9eacf8-bdca-4492-9eb4-846c333c7066 +date: '2025-08-12' +description: Automatically categorized datasets in directory exchange +environment: attack_range +directory: exchange +mitre_technique: +- T1059.001 +datasets: +- name: msexchangemanagement + path: /datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log + sourcetype: MSExchange:Management + source: MSExchange:Management +- name: windows-powershell + path: /datasets/attack_techniques/T1059.001/exchange/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml b/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml new file mode 100644 index 000000000..eeac57bba --- /dev/null +++ b/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e9212ccf-f228-4aaa-9f36-e56a455c5c68 +date: '2025-08-12' +description: Automatically categorized datasets in directory hidden_powershell +environment: attack_range +directory: hidden_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml b/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml new file mode 100644 index 000000000..34e0a5fc5 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 541a987b-26a0-493d-b3a1-ff4e11d04fd6 +date: '2025-08-12' +description: Automatically categorized datasets in directory import_applocker_policy +environment: attack_range +directory: import_applocker_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml new file mode 100644 index 000000000..ccc22381d --- /dev/null +++ b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 53cc4b6c-4ecc-4dea-bf27-b4c23de8ab36 +date: '2025-08-12' +description: Automatically categorized datasets in directory malicious_cmd_line_samples +environment: attack_range +directory: malicious_cmd_line_samples +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml b/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml new file mode 100644 index 000000000..11081c69b --- /dev/null +++ b/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c6f3a18d-665d-4659-b8ca-bdc98d0a103a +date: '2025-08-12' +description: Automatically categorized datasets in directory obfuscated_powershell +environment: attack_range +directory: obfuscated_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml b/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml new file mode 100644 index 000000000..430328963 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: acf87f64-2767-4598-845e-181fd1fa3058 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_execution_policy +environment: attack_range +directory: powershell_execution_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml b/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml new file mode 100644 index 000000000..de5d0858c --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 924b7c52-e87e-4590-8f7c-5aefc78e8317 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_remotesigned +environment: attack_range +directory: powershell_remotesigned +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: remotesigned_sysmon + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-remote-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml new file mode 100644 index 000000000..86f4f4246 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml @@ -0,0 +1,20 @@ +author: Generated by dataset_analyzer.py +id: fad082c8-3e85-45df-9887-0c8ae350f738 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_script_block_logging +environment: attack_range +directory: powershell_script_block_logging +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: credaccess-powershell + path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1059.001/powershell_testing/data.yml b/datasets/attack_techniques/T1059.001/powershell_testing/data.yml new file mode 100644 index 000000000..8bfc816fa --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_testing/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5536af58-dd7f-40b1-9c7c-a0d1b61a25c0 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_testing +environment: attack_range +directory: powershell_testing +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml b/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml new file mode 100644 index 000000000..d1f6c73e3 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4cf8e29f-97d2-4067-a688-4a64b51df3e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_xml_requests +environment: attack_range +directory: powershell_xml_requests +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/sharphound/data.yml b/datasets/attack_techniques/T1059.001/sharphound/data.yml new file mode 100644 index 000000000..1143734e6 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/sharphound/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ac6e208a-16b2-40bf-af82-d66be993205c +date: '2025-08-12' +description: Automatically categorized datasets in directory sharphound +environment: attack_range +directory: sharphound +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/soaphound/data.yml b/datasets/attack_techniques/T1059.001/soaphound/data.yml new file mode 100644 index 000000000..d61255c30 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/soaphound/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7d7d5f46-b100-4fd7-b314-f1928db22ca4 +date: '2025-08-12' +description: Automatically categorized datasets in directory soaphound +environment: attack_range +directory: soaphound +mitre_technique: +- T1059.001 +datasets: +- name: sysmon_soaphound + path: /datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml b/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml new file mode 100644 index 000000000..90747e7bb --- /dev/null +++ b/datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6034b5b7-b19c-435b-9d30-03cafde3f66a +date: '2025-08-12' +description: Automatically categorized datasets in directory trickbot_cmd_powershell +environment: attack_range +directory: trickbot_cmd_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/trickbot_cmd_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml new file mode 100644 index 000000000..80c9306e5 --- /dev/null +++ b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: adf3ed40-f5ae-408b-aad7-5a89c708ea3e +date: '2025-08-12' +description: Automatically categorized datasets in directory unmanaged_powershell_execution +environment: attack_range +directory: unmanaged_powershell_execution +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml new file mode 100644 index 000000000..d4848f8ad --- /dev/null +++ b/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 51ef15eb-17d5-42d3-886b-4a92d7179902 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1059.003 +datasets: +- name: sqlcmd_windows_sysmon + path: /datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml new file mode 100644 index 000000000..ae631ff27 --- /dev/null +++ b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1227eaa0-5c54-4479-9c5c-3856c285572f +date: '2025-08-12' +description: Automatically categorized datasets in directory cmd_spawns_cscript +environment: attack_range +directory: cmd_spawns_cscript +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml new file mode 100644 index 000000000..d9a687d65 --- /dev/null +++ b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d41be634-0c4c-4b87-90a0-63ed510a936e +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_spawn_cmd +environment: attack_range +directory: powershell_spawn_cmd +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/ryuk/data.yml b/datasets/attack_techniques/T1059.003/ryuk/data.yml new file mode 100644 index 000000000..1edf4475e --- /dev/null +++ b/datasets/attack_techniques/T1059.003/ryuk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2fdde836-18de-4543-8197-382a76c50332 +date: '2025-08-12' +description: Automatically categorized datasets in directory ryuk +environment: attack_range +directory: ryuk +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/ryuk/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml b/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml new file mode 100644 index 000000000..a543a9843 --- /dev/null +++ b/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 60cf3621-dcb7-44e9-a446-9592932c56de +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_discovery_tools +environment: attack_range +directory: linux_discovery_tools +mitre_technique: +- T1059.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml b/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml new file mode 100644 index 000000000..a47da2b2d --- /dev/null +++ b/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 52ff8ca6-89fe-46e0-aa23-065448df115e +date: '2025-08-12' +description: Automatically categorized datasets in directory discord_dnsquery +environment: attack_range +directory: discord_dnsquery +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml b/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml new file mode 100644 index 000000000..d8dd4983f --- /dev/null +++ b/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c85eaa02-ad6a-48ca-9b23-d47a51421c02 +date: '2025-08-12' +description: Automatically categorized datasets in directory vbs_wscript +environment: attack_range +directory: vbs_wscript +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/autoit/data.yml b/datasets/attack_techniques/T1059/autoit/data.yml new file mode 100644 index 000000000..315d109bc --- /dev/null +++ b/datasets/attack_techniques/T1059/autoit/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b9cb405e-410a-49ca-b967-58e9fa231d97 +date: '2025-08-12' +description: Automatically categorized datasets in directory autoit +environment: attack_range +directory: autoit +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/autoit/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml b/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml new file mode 100644 index 000000000..cd234ff1a --- /dev/null +++ b/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1790d351-021e-4824-bddb-0fbfa1efbc9a +date: '2025-08-12' +description: Automatically categorized datasets in directory excessive_distinct_processes_from_windows_temp +environment: attack_range +directory: excessive_distinct_processes_from_windows_temp +mitre_technique: +- T1059 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059/metasploit/data.yml b/datasets/attack_techniques/T1059/metasploit/data.yml new file mode 100644 index 000000000..981505870 --- /dev/null +++ b/datasets/attack_techniques/T1059/metasploit/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d4fda369-7a81-4da5-878f-26d2d0ac5eeb +date: '2025-08-12' +description: Automatically categorized datasets in directory metasploit +environment: attack_range +directory: metasploit +mitre_technique: +- T1059 +datasets: +- name: apachebench_windows-sysmon + path: /datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/path_traversal/data.yml b/datasets/attack_techniques/T1059/path_traversal/data.yml new file mode 100644 index 000000000..a08784291 --- /dev/null +++ b/datasets/attack_techniques/T1059/path_traversal/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a9d06e21-252a-4667-8578-9c3cc12fee09 +date: '2025-08-12' +description: Automatically categorized datasets in directory path_traversal +environment: attack_range +directory: path_traversal +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/path_traversal/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml b/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml new file mode 100644 index 000000000..7c7936c94 --- /dev/null +++ b/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 329b8786-ee83-42a2-b0a8-206f2dd18e1a +date: '2025-08-12' +description: Automatically categorized datasets in directory suspiciously_named_executables +environment: attack_range +directory: suspiciously_named_executables +mitre_technique: +- T1059 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/drivers/data.yml b/datasets/attack_techniques/T1068/drivers/data.yml new file mode 100644 index 000000000..bdb375930 --- /dev/null +++ b/datasets/attack_techniques/T1068/drivers/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0342ab67-2ca9-49e9-8a70-bd36a934e6ed +date: '2025-08-12' +description: Automatically categorized datasets in directory drivers +environment: attack_range +directory: drivers +mitre_technique: +- T1068 +datasets: +- name: sysmon_sys_filemod + path: /datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: xml7045_windows-system + path: /datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml b/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml new file mode 100644 index 000000000..7dbaa05c2 --- /dev/null +++ b/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0ff11e72-45d8-42a2-8b78-c83f61770b4b +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_escalation_behavior +environment: attack_range +directory: windows_escalation_behavior +mitre_technique: +- T1068 +datasets: +- name: windows_escalation_behavior_sysmon + path: /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/zoom_child_process/data.yml b/datasets/attack_techniques/T1068/zoom_child_process/data.yml new file mode 100644 index 000000000..d9ed26cba --- /dev/null +++ b/datasets/attack_techniques/T1068/zoom_child_process/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 58e90c17-12be-43b9-a378-4da5533a6a06 +date: '2025-08-12' +description: Automatically categorized datasets in directory zoom_child_process +environment: attack_range +directory: zoom_child_process +mitre_technique: +- T1068 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1069.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1069.001/atomic_red_team/data.yml new file mode 100644 index 000000000..1aa0508f2 --- /dev/null +++ b/datasets/attack_techniques/T1069.001/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 17d965c5-9704-40aa-b8ef-47ea913eb76a +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1069.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1069.002/AD_discovery/data.yml b/datasets/attack_techniques/T1069.002/AD_discovery/data.yml new file mode 100644 index 000000000..e5ce274b9 --- /dev/null +++ b/datasets/attack_techniques/T1069.002/AD_discovery/data.yml @@ -0,0 +1,33 @@ +author: Generated by dataset_analyzer.py +id: 18d5d7b5-1364-4e26-b551-95c7c059a7c0 +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1069.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: ldifde_4688_windows-security + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: ldifde_windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-xml-powerview + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml b/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml new file mode 100644 index 000000000..fb4f348a1 --- /dev/null +++ b/datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 212f3e49-f79e-4f08-94e2-d5038d45afed +date: '2025-08-12' +description: Automatically categorized datasets in directory domain_group_discovery_with_adsisearcher +environment: attack_range +directory: domain_group_discovery_with_adsisearcher +mitre_technique: +- T1069.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.002/domain_group_discovery_with_adsisearcher/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml new file mode 100644 index 000000000..26aa4a28c --- /dev/null +++ b/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: df55e3ed-8d0d-4364-92fa-46bbd1360dcd +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1070.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml b/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml new file mode 100644 index 000000000..627c1e98d --- /dev/null +++ b/datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 551fb2cd-6b46-4da2-b424-13816cf36e49 +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_event_log_service_behavior +environment: attack_range +directory: suspicious_event_log_service_behavior +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/suspicious_event_log_service_behavior/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml b/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml new file mode 100644 index 000000000..496bf00c7 --- /dev/null +++ b/datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 17c57915-4d82-4671-9abb-354bbbff107c +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_kerberos_service_ticket_request +environment: attack_range +directory: suspicious_kerberos_service_ticket_request +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/suspicious_kerberos_service_ticket_request/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml new file mode 100644 index 000000000..8db767b2c --- /dev/null +++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9c17ce79-5056-42e9-a614-4c2087471b67 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_event_log_cleared +environment: attack_range +directory: windows_event_log_cleared +mitre_technique: +- T1070.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml new file mode 100644 index 000000000..5fb5d74b1 --- /dev/null +++ b/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 92a2c3ca-3419-48f0-abcc-7206c9269b00 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1070.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/atomic_red_team/data.yml b/datasets/attack_techniques/T1070/atomic_red_team/data.yml new file mode 100644 index 000000000..ba8349f79 --- /dev/null +++ b/datasets/attack_techniques/T1070/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5588e0bd-7f49-4bdb-b559-b67665e4b599 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml b/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml new file mode 100644 index 000000000..2478bd87e --- /dev/null +++ b/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b1564f87-9636-4ef7-a2e7-272b5eb63ae2 +date: '2025-08-12' +description: Automatically categorized datasets in directory fsutil_file_zero +environment: attack_range +directory: fsutil_file_zero +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml b/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml new file mode 100644 index 000000000..ced8f4584 --- /dev/null +++ b/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2377f199-4b88-4893-b19d-2763452b75a3 +date: '2025-08-12' +description: Automatically categorized datasets in directory remove_windows_security_event_log +environment: attack_range +directory: remove_windows_security_event_log +mitre_technique: +- T1070 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml new file mode 100644 index 000000000..aad745186 --- /dev/null +++ b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1341203e-1b52-4536-b6bb-f637a8b62989 +date: '2025-08-12' +description: Automatically categorized datasets in directory outbound_smb_traffic +environment: attack_range +directory: outbound_smb_traffic +mitre_technique: +- T1071.002 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1078.002/account_lockout/data.yml b/datasets/attack_techniques/T1078.002/account_lockout/data.yml new file mode 100644 index 000000000..ede6c10f2 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/account_lockout/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 28584690-3ad6-4752-af92-7ac7f9e153ae +date: '2025-08-12' +description: Automatically categorized datasets in directory account_lockout +environment: attack_range +directory: account_lockout +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml new file mode 100644 index 000000000..bf095a243 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 10c3ba02-9051-4d71-89f2-d4ea5bcd104f +date: '2025-08-12' +description: Automatically categorized datasets in directory powerview_acl_enumeration +environment: attack_range +directory: powerview_acl_enumeration +mitre_technique: +- T1078.002 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml b/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml new file mode 100644 index 000000000..2789f6e45 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f1bc213c-49d0-43cb-96c8-7b29a95431bb +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_computer_account_name_change +environment: attack_range +directory: suspicious_computer_account_name_change +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/suspicious_computer_account_name_change/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml b/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml new file mode 100644 index 000000000..610712ed4 --- /dev/null +++ b/datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d744f41d-c676-4aee-adad-ae7b65e2d543 +date: '2025-08-12' +description: Automatically categorized datasets in directory suspicious_ticket_granting_ticket_request +environment: attack_range +directory: suspicious_ticket_granting_ticket_request +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/suspicious_ticket_granting_ticket_request/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml new file mode 100644 index 000000000..39f9af552 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7674105c-1ff1-41fc-8958-dd784a8580d0 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_service_principal_authentication +environment: attack_range +directory: azure_ad_service_principal_authentication +mitre_technique: +- T1078.004 +datasets: +- name: azure_ad_service_principal_authentication + path: /datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml b/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml new file mode 100644 index 000000000..2ba159874 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4acfb721-a9c4-4563-b10c-b2d7b848a499 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_automation_runbook +environment: attack_range +directory: azure_automation_runbook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml new file mode 100644 index 000000000..41cbf7f93 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a1f5a6c-9806-450f-972b-e3401b241a13 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_runbook_webhook +environment: attack_range +directory: azure_runbook_webhook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread/data.yml b/datasets/attack_techniques/T1078.004/azuread/data.yml new file mode 100644 index 000000000..26604d27a --- /dev/null +++ b/datasets/attack_techniques/T1078.004/azuread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0f6b7cee-88ac-466b-b913-a0748c4932ba +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread +environment: attack_range +directory: azuread +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread_pws/data.yml b/datasets/attack_techniques/T1078.004/azuread_pws/data.yml new file mode 100644 index 000000000..214893f3f --- /dev/null +++ b/datasets/attack_techniques/T1078.004/azuread_pws/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: db9e69e8-61c9-4245-86f8-1007d077957c +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread_pws +environment: attack_range +directory: azuread_pws +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml new file mode 100644 index 000000000..b4a53406e --- /dev/null +++ b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a53f6f0f-4997-4c7f-bbfb-a06c03fafa93 +date: '2025-08-12' +description: Automatically categorized datasets in directory gcp_single_factor_auth +environment: attack_range +directory: gcp_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml new file mode 100644 index 000000000..2f90bbc96 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8ec328c1-a2d8-443a-a170-e5974f914d4d +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_security_and_compliance_alert_triggered +environment: attack_range +directory: o365_security_and_compliance_alert_triggered +mitre_technique: +- T1078.004 +datasets: +- name: o365_security_and_compliance_alert_triggered + path: /datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml new file mode 100644 index 000000000..1c83e4857 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 022227b1-b740-4cdc-9a09-87574d6753d7 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_single_factor_auth +environment: attack_range +directory: okta_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: okta_single_factor_auth + path: /datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml new file mode 100644 index 000000000..6bd58bbc0 --- /dev/null +++ b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 23858ffb-cff5-4a2e-895b-8f88c69b6462 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_threatinsight_threat_detected +environment: attack_range +directory: okta_threatinsight_threat_detected +mitre_technique: +- T1078.004 +datasets: +- name: okta_threatinsight_threat_detected + path: /datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml b/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml new file mode 100644 index 000000000..4d3a64a94 --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a6045118-a7d2-4c32-a2c1-b679747b2d05 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_create_policy_version +environment: attack_range +directory: aws_create_policy_version +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml b/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml new file mode 100644 index 000000000..820028cf0 --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 6ef15d47-5b6a-466f-962e-cb9b97eb662b +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_createaccesskey +environment: attack_range +directory: aws_createaccesskey +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml b/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml new file mode 100644 index 000000000..5203b2b0e --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 96c87adb-e09f-404c-8586-3132a9c2f949 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_createloginprofile +environment: attack_range +directory: aws_createloginprofile +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml new file mode 100644 index 000000000..0e339ca6c --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: a41f6b7e-971c-4cd1-a022-6aa79bfd9e07 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_saml_access_by_provider_user_and_principal +environment: attack_range +directory: aws_saml_access_by_provider_user_and_principal +mitre_technique: +- T1078 +datasets: +- name: aws_saml_access_by_provider_user_and_principal-json + path: /datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml new file mode 100644 index 000000000..ba5abb24b --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 63485f75-a269-4f88-bdbe-351bf3829a99 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_saml_update_identity_provider +environment: attack_range +directory: aws_saml_update_identity_provider +mitre_technique: +- T1078 +datasets: +- name: aws_saml_update_identity_provider-json + path: /datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml new file mode 100644 index 000000000..78c62007a --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1629e1c3-9ab0-4180-83b9-31e3eb31dae6 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_setdefaultpolicyversion +environment: attack_range +directory: aws_setdefaultpolicyversion +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml b/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml new file mode 100644 index 000000000..8ab9dfad2 --- /dev/null +++ b/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: b536b13c-545f-4f6c-949d-ae4aa390568b +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_updateloginprofile +environment: attack_range +directory: aws_updateloginprofile +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml new file mode 100644 index 000000000..a7ab7d9b5 --- /dev/null +++ b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0f7e31fc-65b5-425a-b44d-b62a799b5157 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_multiple_appids_and_useragents_auth +environment: attack_range +directory: azure_ad_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: azure_ad_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/defaultaccount/data.yml b/datasets/attack_techniques/T1078/defaultaccount/data.yml new file mode 100644 index 000000000..7580a0590 --- /dev/null +++ b/datasets/attack_techniques/T1078/defaultaccount/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 54cc223d-f35d-4470-8fe6-d0275c027e20 +date: '2025-08-12' +description: Automatically categorized datasets in directory defaultaccount +environment: attack_range +directory: defaultaccount +mitre_technique: +- T1078 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml new file mode 100644 index 000000000..6f2ebab95 --- /dev/null +++ b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f6c74da5-0244-465c-94ec-d2c1cd8d5429 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_excessive_sso_logon_errors +environment: attack_range +directory: o365_excessive_sso_logon_errors +mitre_technique: +- T1078 +datasets: +- name: o365_excessive_sso_logon_errors-json + path: /datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml new file mode 100644 index 000000000..bd7473e40 --- /dev/null +++ b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 45ffa889-143e-4114-884f-53c65de39bc2 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_multiple_appids_and_useragents_auth +environment: attack_range +directory: o365_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: o365_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml new file mode 100644 index 000000000..91fd53a53 --- /dev/null +++ b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 93683ac1-555c-41d2-8106-87f17538b383 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_suspicious_activity_reported_by_user +environment: attack_range +directory: okta_suspicious_activity_reported_by_user +mitre_technique: +- T1078 +datasets: +- name: okta_suspicious_activity_reported_by_user + path: /datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml new file mode 100644 index 000000000..935e9c7cb --- /dev/null +++ b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5f859434-b8ba-445c-9d2d-c013bfb86803 +date: '2025-08-12' +description: Automatically categorized datasets in directory special_logon_on_mulitple_hosts +environment: attack_range +directory: special_logon_on_mulitple_hosts +mitre_technique: +- T1078 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078/update_saml_provider/data.yml b/datasets/attack_techniques/T1078/update_saml_provider/data.yml new file mode 100644 index 000000000..0b2e61712 --- /dev/null +++ b/datasets/attack_techniques/T1078/update_saml_provider/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1f797bf0-3c5a-482d-8eb5-541ffffc638f +date: '2025-08-12' +description: Automatically categorized datasets in directory update_saml_provider +environment: attack_range +directory: update_saml_provider +mitre_technique: +- T1078 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1082/atomic_red_team/data.yml b/datasets/attack_techniques/T1082/atomic_red_team/data.yml new file mode 100644 index 000000000..ba9678e0e --- /dev/null +++ b/datasets/attack_techniques/T1082/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 85905af3-630b-4f0b-8822-6e8ae5a1d5d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1082 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml new file mode 100644 index 000000000..9914d0fdc --- /dev/null +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f971d022-aa38-4a69-b58f-b7a4cd046782 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_lsmod +environment: attack_range +directory: linux_auditd_lsmod +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml new file mode 100644 index 000000000..6ac96f8b2 --- /dev/null +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a4f93422-1606-4c9f-ad49-80edd933b682 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_lsmod_new +environment: attack_range +directory: linux_auditd_lsmod_new +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_new_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml new file mode 100644 index 000000000..1d1d0cd9e --- /dev/null +++ b/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d6263e7b-d553-4106-9bb2-61cb113dadac +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_db +environment: attack_range +directory: linux_auditd_find_db +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_db + path: /datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml new file mode 100644 index 000000000..1888ab557 --- /dev/null +++ b/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 8427c286-6d72-490a-a072-ecaa9c8c3ab2 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_document +environment: attack_range +directory: linux_auditd_find_document +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_file_dir_discovery + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_document + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml new file mode 100644 index 000000000..a9052a026 --- /dev/null +++ b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 4f4bc9cc-8d12-40d7-9efd-c1ba3dbbe05c +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_virtual_disk +environment: attack_range +directory: linux_auditd_find_virtual_disk +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_virtual_disk + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log + sourcetype: auditd + source: auditd +- name: auditd_execve_find_vhd + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml new file mode 100644 index 000000000..6e2e9317c --- /dev/null +++ b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c6423fa9-073e-4d36-b915-9b18c80a4c03 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_hidden_file +environment: attack_range +directory: linux_auditd_hidden_file +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log + sourcetype: auditd + source: auditd +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/splunk/data.yml b/datasets/attack_techniques/T1083/splunk/data.yml new file mode 100644 index 000000000..474d6426f --- /dev/null +++ b/datasets/attack_techniques/T1083/splunk/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 18dbb58f-e14c-4b62-aa7d-9c03cbd7f1d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1083 +datasets: +- name: SVD-2024-0711_web_access_splunk_web_access + path: /datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1087.001/AD_discovery/data.yml b/datasets/attack_techniques/T1087.001/AD_discovery/data.yml new file mode 100644 index 000000000..7e6925981 --- /dev/null +++ b/datasets/attack_techniques/T1087.001/AD_discovery/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 042999cf-2575-4a65-9a4f-61d018d374d7 +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1087.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/AD_discovery/data.yml b/datasets/attack_techniques/T1087.002/AD_discovery/data.yml new file mode 100644 index 000000000..4a3faa4f2 --- /dev/null +++ b/datasets/attack_techniques/T1087.002/AD_discovery/data.yml @@ -0,0 +1,33 @@ +author: Generated by dataset_analyzer.py +id: 254e95f3-458c-498a-94d9-abc224a83b8e +date: '2025-08-12' +description: Automatically categorized datasets in directory AD_discovery +environment: attack_range +directory: AD_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-LocalAdminAccess-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-DomainOU-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-ForestDomain-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-interestingACL-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml b/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml new file mode 100644 index 000000000..d7a49c0d7 --- /dev/null +++ b/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 01a26885-f465-4b6f-81fa-e1d37b095361 +date: '2025-08-12' +description: Automatically categorized datasets in directory adsi_discovery +environment: attack_range +directory: adsi_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml1 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml b/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml new file mode 100644 index 000000000..7be649bd2 --- /dev/null +++ b/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 04eeec5b-b22e-4d08-9a4f-14e374d38c73 +date: '2025-08-12' +description: Automatically categorized datasets in directory blackmatter_schcache +environment: attack_range +directory: blackmatter_schcache +mitre_technique: +- T1087.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.004/azurehound/data.yml b/datasets/attack_techniques/T1087.004/azurehound/data.yml new file mode 100644 index 000000000..061c423f1 --- /dev/null +++ b/datasets/attack_techniques/T1087.004/azurehound/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dcc3c2e1-d08c-4472-9800-1b78f1751533 +date: '2025-08-12' +description: Automatically categorized datasets in directory azurehound +environment: attack_range +directory: azurehound +mitre_technique: +- T1087.004 +datasets: +- name: azurehound + path: /datasets/attack_techniques/T1087.004/azurehound/azurehound.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml b/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml new file mode 100644 index 000000000..931460447 --- /dev/null +++ b/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4e648a9d-119b-4235-8758-f4d2ffc5d2f3 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_unauth_access +environment: attack_range +directory: okta_unauth_access +mitre_technique: +- T1087.004 +datasets: +- name: okta_unauth_access + path: /datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml b/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml new file mode 100644 index 000000000..f213edc07 --- /dev/null +++ b/datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a8798432-c057-489c-a8f3-310728397f62 +date: '2025-08-12' +description: Automatically categorized datasets in directory enumerate_users_local_group_using_telegram +environment: attack_range +directory: enumerate_users_local_group_using_telegram +mitre_technique: +- T1087 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1087/enumerate_users_local_group_using_telegram/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml b/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml new file mode 100644 index 000000000..c93740463 --- /dev/null +++ b/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bfa5963c-e21b-452d-be1d-55862c1a1220 +date: '2025-08-12' +description: Automatically categorized datasets in directory netsh_portproxy +environment: attack_range +directory: netsh_portproxy +mitre_technique: +- T1090.001 +datasets: +- name: volt_sysmon + path: /datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml new file mode 100644 index 000000000..4e197bab3 --- /dev/null +++ b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cdc836ce-07d1-413e-a2b2-78b73c8b14ba +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_service_principal_credentials +environment: attack_range +directory: azure_ad_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml new file mode 100644 index 000000000..5bd818914 --- /dev/null +++ b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ac409ab3-6832-41f9-8230-61ce1804938b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_service_principal_credentials +environment: attack_range +directory: o365_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: o365_service_principal_credentials + path: /datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml new file mode 100644 index 000000000..ee934c282 --- /dev/null +++ b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b9cee146-0964-4236-ac48-be5297625365 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_new_api_token_created +environment: attack_range +directory: okta_new_api_token_created +mitre_technique: +- T1098.001 +datasets: +- name: okta_new_api_token_created + path: /datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml new file mode 100644 index 000000000..f60aaa466 --- /dev/null +++ b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: fe1a376a-7b9b-43da-91a4-a9741eb03593 +date: '2025-08-12' +description: Automatically categorized datasets in directory full_access_as_app_permission_assigned +environment: attack_range +directory: full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml new file mode 100644 index 000000000..bfd1b90db --- /dev/null +++ b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 31594c7e-d10f-4be6-b912-6f69cb846b38 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_full_access_as_app_permission_assigned +environment: attack_range +directory: o365_full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: o365_full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml new file mode 100644 index 000000000..6588bb130 --- /dev/null +++ b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 85028914-f48b-4ede-a8f6-2f14a8214b2c +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_mailbox_folder_read_granted +environment: attack_range +directory: o365_mailbox_folder_read_granted +mitre_technique: +- T1098.002 +datasets: +- name: o365_mailbox_folder_read_granted + path: /datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml new file mode 100644 index 000000000..c2920e7ac --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 90840699-5421-4169-aea0-b524a2166cb3 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_admin_consent +environment: attack_range +directory: azure_ad_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml new file mode 100644 index 000000000..765aee6d5 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 38bd0ab1-7b94-41df-ac7d-2b30da315293 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_assign_global_administrator +environment: attack_range +directory: azure_ad_assign_global_administrator +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml new file mode 100644 index 000000000..d5e164368 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f119a707-829b-4926-aaa8-5c37e8f63228 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_assign_privileged_role +environment: attack_range +directory: azure_ad_assign_privileged_role +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml new file mode 100644 index 000000000..63fb5af70 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9aad84d9-3152-40e5-a341-b429905c4025 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_bypass_admin_consent +environment: attack_range +directory: azure_ad_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml new file mode 100644 index 000000000..145c662ce --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 255a6192-05f1-4b0f-9c09-038bd224ad11 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_pim_role_activated +environment: attack_range +directory: azure_ad_pim_role_activated +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml new file mode 100644 index 000000000..7ff537ba1 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f65bc8d8-fde7-4b50-b4ef-0650a2b06afc +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_privileged_graph_perm_assigned +environment: attack_range +directory: azure_ad_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml new file mode 100644 index 000000000..c8466e04d --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 72f9d1a8-f242-466f-a1a8-3cb072c51303 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_privileged_role_serviceprincipal +environment: attack_range +directory: azure_ad_privileged_role_serviceprincipal +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml new file mode 100644 index 000000000..df6b871cf --- /dev/null +++ b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 91f05378-20bf-417e-a05a-f55187d8dfc5 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_spn_privesc +environment: attack_range +directory: azure_ad_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_spn_privesc + path: /datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml new file mode 100644 index 000000000..72c702995 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e4964ec0-2d01-43d8-a8c1-1dd0452d2b65 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_admin_consent +environment: attack_range +directory: o365_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml new file mode 100644 index 000000000..675f3ac10 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b8ad3e83-ee25-4de9-9411-7f6370deaab0 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_bypass_admin_consent +environment: attack_range +directory: o365_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml new file mode 100644 index 000000000..eb0ce01d2 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7ba3e58b-6323-4c88-b74f-31e453964934 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_grant_mail_read +environment: attack_range +directory: o365_grant_mail_read +mitre_technique: +- T1098.003 +datasets: +- name: o365_grant_mail_read + path: /datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml new file mode 100644 index 000000000..eb08b42c3 --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7ee5fda7-a5bf-4313-a2f5-6058136b0359 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_high_priv_role_assigned +environment: attack_range +directory: o365_high_priv_role_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_high_priv_role_assigned + path: /datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml new file mode 100644 index 000000000..8e0fc7cbe --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1331f17b-925a-4923-98fe-31c68de596fd +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_privileged_graph_perm_assigned +environment: attack_range +directory: o365_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml b/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml new file mode 100644 index 000000000..c02121c5e --- /dev/null +++ b/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4f58fbb6-4aa6-495c-80d7-ca32a49ebfce +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_spn_privesc +environment: attack_range +directory: o365_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: o365_spn_privesc + path: /datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml new file mode 100644 index 000000000..4876c435d --- /dev/null +++ b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2184524b-f780-4be7-a0cc-52521dc6da8e +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_nopasswd +environment: attack_range +directory: linux_auditd_nopasswd +mitre_technique: +- T1098.004 +datasets: +- name: linux_auditd_ssh_config + path: /datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml new file mode 100644 index 000000000..d18814c39 --- /dev/null +++ b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5ef748ad-bc2e-46fa-b195-e6ab16379a22 +date: '2025-08-12' +description: Automatically categorized datasets in directory ssh_authorized_keys +environment: attack_range +directory: ssh_authorized_keys +mitre_technique: +- T1098.004 +datasets: +- name: authkey_linux-sysmon + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log + sourcetype: linux_secure + source: linux_secure +- name: sysmon_linux + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml new file mode 100644 index 000000000..ec5d438bc --- /dev/null +++ b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2f924cc7-390e-40f1-9fec-0e6878eb22e9 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_register_new_mfa_method +environment: attack_range +directory: azure_ad_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: azure_ad_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml new file mode 100644 index 000000000..cde7a2cfe --- /dev/null +++ b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e98e38f9-e030-4315-a05e-cee4b9ca5ce5 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_register_new_mfa_method +environment: attack_range +directory: o365_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: o365_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml new file mode 100644 index 000000000..aab7f698d --- /dev/null +++ b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 64b4dc83-e63c-40f1-8fda-009333150b55 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_new_device_enrolled +environment: attack_range +directory: okta_new_device_enrolled +mitre_technique: +- T1098.005 +datasets: +- name: okta_new_device_enrolled + path: /datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098/account_manipulation/data.yml b/datasets/attack_techniques/T1098/account_manipulation/data.yml new file mode 100644 index 000000000..decdbeeee --- /dev/null +++ b/datasets/attack_techniques/T1098/account_manipulation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f40b46f3-ec02-4359-ac27-af12626a5ec1 +date: '2025-08-12' +description: Automatically categorized datasets in directory account_manipulation +environment: attack_range +directory: account_manipulation +mitre_technique: +- T1098 +datasets: +- name: xml-windows-security + path: /datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml b/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml new file mode 100644 index 000000000..2ab76fb5e --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_delete_policy/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a3a9b580-0784-4205-952b-53c71752832d +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_delete_policy +environment: attack_range +directory: aws_iam_delete_policy +mitre_technique: +- T1098 +datasets: +- name: aws_iam_delete_policy-json + path: /datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_delete_policy/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml b/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml new file mode 100644 index 000000000..27fe479e5 --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: f00793d6-bbb7-446e-b78c-35b86cb6f0cc +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_failure_group_deletion +environment: attack_range +directory: aws_iam_failure_group_deletion +mitre_technique: +- T1098 +datasets: +- name: aws_iam_failure_group_deletion-json + path: /datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml b/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml new file mode 100644 index 000000000..b11c2b21c --- /dev/null +++ b/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: af15eeb9-cadd-4e69-8346-3e83f7d988c0 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_successful_group_deletion +environment: attack_range +directory: aws_iam_successful_group_deletion +mitre_technique: +- T1098 +datasets: +- name: aws_iam_successful_group_deletion-json + path: /datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml new file mode 100644 index 000000000..75d999631 --- /dev/null +++ b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e2e7aa02-bd94-47bc-8650-c725d677eae0 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_add_serviceprincipal_owner +environment: attack_range +directory: azure_ad_add_serviceprincipal_owner +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml new file mode 100644 index 000000000..11ac77a00 --- /dev/null +++ b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c13f9141-9055-44c3-82c1-26007b96808d +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_enable_and_reset +environment: attack_range +directory: azure_ad_enable_and_reset +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml new file mode 100644 index 000000000..e6ac7f0a2 --- /dev/null +++ b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 144042cb-af0b-48c0-9177-3980ad207998 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_set_immutableid +environment: attack_range +directory: azure_ad_set_immutableid +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml b/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml new file mode 100644 index 000000000..f90523831 --- /dev/null +++ b/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f294d056-6000-4480-8f4e-a4af011ff925 +date: '2025-08-12' +description: Automatically categorized datasets in directory dnsadmins_member_added +environment: attack_range +directory: dnsadmins_member_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1098/dsrm_account/data.yml b/datasets/attack_techniques/T1098/dsrm_account/data.yml new file mode 100644 index 000000000..6245451f3 --- /dev/null +++ b/datasets/attack_techniques/T1098/dsrm_account/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: b7046be5-9b64-42a1-94cd-1a31d6fcf096 +date: '2025-08-12' +description: Automatically categorized datasets in directory dsrm_account +environment: attack_range +directory: dsrm_account +mitre_technique: +- T1098 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml new file mode 100644 index 000000000..03da0c7de --- /dev/null +++ b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3939ff82-aba6-4d3f-9ea0-f5c4e693bd2e +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_add_app_registration_owner +environment: attack_range +directory: o365_add_app_registration_owner +mitre_technique: +- T1098 +datasets: +- name: o365_add_app_registration_owner + path: /datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml new file mode 100644 index 000000000..211dab92b --- /dev/null +++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 09fcddde-2acd-4b6e-9f95-033864ee040b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_azure_workload_events +environment: attack_range +directory: o365_azure_workload_events +mitre_technique: +- T1098 +datasets: +- name: o365_azure_workload_events + path: /datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/service_principal_name_added/data.yml b/datasets/attack_techniques/T1098/service_principal_name_added/data.yml new file mode 100644 index 000000000..b3711b78a --- /dev/null +++ b/datasets/attack_techniques/T1098/service_principal_name_added/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 423bc30c-b2ea-4ba4-a2bc-4e1de67b3118 +date: '2025-08-12' +description: Automatically categorized datasets in directory service_principal_name_added +environment: attack_range +directory: service_principal_name_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml b/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml new file mode 100644 index 000000000..1a6111ae1 --- /dev/null +++ b/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0e1542b8-405c-44b7-b7b2-11ca135c22bd +date: '2025-08-12' +description: Automatically categorized datasets in directory short_lived_service_principal_name +environment: attack_range +directory: short_lived_service_principal_name +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml new file mode 100644 index 000000000..d7edd6f42 --- /dev/null +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 61efd61f-650e-4ad4-aead-e3ff4f47c972 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_multiple_accounts_deleted +environment: attack_range +directory: windows_multiple_accounts_deleted +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_deleted + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml new file mode 100644 index 000000000..9ba8755ef --- /dev/null +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a819b24c-eab4-4b15-9218-d30d75ddfc9f +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_multiple_accounts_disabled +environment: attack_range +directory: windows_multiple_accounts_disabled +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_disabled + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml new file mode 100644 index 000000000..fb0759ffd --- /dev/null +++ b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d7fa018f-9e94-4704-afab-3c79877d0526 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_multiple_passwords_changed +environment: attack_range +directory: windows_multiple_passwords_changed +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_passwords_changed + path: /datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1105/atomic_red_team/data.yml b/datasets/attack_techniques/T1105/atomic_red_team/data.yml new file mode 100644 index 000000000..84ce4bd35 --- /dev/null +++ b/datasets/attack_techniques/T1105/atomic_red_team/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: 7512722f-e173-4806-a8e8-8ffa4c528dc5 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1105 +datasets: +- name: T1105_explorer-windows-security + path: /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon_curl_upload + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_curl + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml b/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml new file mode 100644 index 000000000..12531744c --- /dev/null +++ b/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 12cfe9c9-5539-4ebc-8fb8-ca7b4bdf00f9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_login_failure +environment: attack_range +directory: aws_login_failure +mitre_technique: +- T1110.001 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml new file mode 100644 index 000000000..1ed01be1b --- /dev/null +++ b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9cb9637d-6e94-4f91-824c-efb287e596a6 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_high_number_of_failed_authentications_for_user +environment: attack_range +directory: azure_ad_high_number_of_failed_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml new file mode 100644 index 000000000..94ea1ef24 --- /dev/null +++ b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a977f115-aa3b-4e65-bb69-8aea123fcb01 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_successful_authentication_from_different_ips +environment: attack_range +directory: azure_ad_successful_authentication_from_different_ips +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml new file mode 100644 index 000000000..6fc08c4ef --- /dev/null +++ b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b4c1f9bf-2a3e-43ff-ba45-6bf1f0b194a5 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_high_number_authentications_for_user +environment: attack_range +directory: o365_high_number_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: o365_high_number_authentications_for_user + path: /datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml new file mode 100644 index 000000000..f4d31cf6d --- /dev/null +++ b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d417fa07-8088-4df8-ac0d-0646dbe2f844 +date: '2025-08-12' +description: Automatically categorized datasets in directory rdp_brute_sysmon +environment: attack_range +directory: rdp_brute_sysmon +mitre_technique: +- T1110.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml new file mode 100644 index 000000000..8f74dcdff --- /dev/null +++ b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: aefcc4f1-593a-4648-af6c-b93ffa89daa4 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_rds_password_reset +environment: attack_range +directory: aws_rds_password_reset +mitre_technique: +- T1110.002 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml new file mode 100644 index 000000000..2bac2a02c --- /dev/null +++ b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 319bb8f6-e8ba-4f6e-bad4-9b84d5199f0c +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_mulitple_failed_console_login +environment: attack_range +directory: aws_mulitple_failed_console_login +mitre_technique: +- T1110.003 +datasets: +- name: aws_cloudtrail-json + path: /datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml new file mode 100644 index 000000000..9bd5e6534 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a5169e72-9b94-4ac9-91f6-e48f9ef786f2 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_distributed_spray +environment: attack_range +directory: azure_ad_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: azure_ad_distributed_spray + path: /datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml b/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml new file mode 100644 index 000000000..fbfd66aa8 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3853e2f2-b71e-4183-b3bf-0c6e15a0daca +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread_highrisk +environment: attack_range +directory: azuread_highrisk +mitre_technique: +- T1110.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml new file mode 100644 index 000000000..5bc7f57f0 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 83406381-62c2-46ea-b120-608baf73adcb +date: '2025-08-12' +description: Automatically categorized datasets in directory gcp_gws_multiple_login_failure +environment: attack_range +directory: gcp_gws_multiple_login_failure +mitre_technique: +- T1110.003 +datasets: +- name: gws_login-json + path: /datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml b/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml new file mode 100644 index 000000000..273a63932 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 52bb39c1-f8ff-4b30-90fe-78f9994bd509 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_distributed_spray +environment: attack_range +directory: o365_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: o365_distributed_spray + path: /datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml new file mode 100644 index 000000000..8f9f9dffc --- /dev/null +++ b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d4111065-141a-4948-8445-ee67d847f59c +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_multiple_users_from_ip +environment: attack_range +directory: o365_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: o365_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml new file mode 100644 index 000000000..71ef359d0 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 00a4e3f4-f539-4d6a-be77-a0757050b392 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_multiple_users_from_ip +environment: attack_range +directory: okta_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: okta_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml b/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml new file mode 100644 index 000000000..9befdeef4 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5cad5aa0-d028-4cf1-9e5f-b576a1e1322b +date: '2025-08-12' +description: Automatically categorized datasets in directory password_spraying_azuread +environment: attack_range +directory: password_spraying_azuread +mitre_technique: +- T1110.003 +datasets: +- name: azuread_signin + path: /datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml new file mode 100644 index 000000000..45c880f7e --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9cd97ff0-127c-449a-90e2-018bf7f533fb +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_disabled_users_kerberos_xml +environment: attack_range +directory: purplesharp_disabled_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml new file mode 100644 index 000000000..043edb284 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 74af3586-6d65-440d-9251-a67f25f73284 +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_explicit_credential_spray_xml +environment: attack_range +directory: purplesharp_explicit_credential_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml new file mode 100644 index 000000000..915c3d623 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 81cfe442-f75f-4e5b-9360-f7e68efb17d5 +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_invalid_users_kerberos_xml +environment: attack_range +directory: purplesharp_invalid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml new file mode 100644 index 000000000..c74ffed39 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8d7c3e0e-59a5-4475-9e66-2aadf86ab7bd +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_invalid_users_ntlm_xml +environment: attack_range +directory: purplesharp_invalid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml new file mode 100644 index 000000000..45ec8b72d --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 214af9a4-6d2f-4f32-b7c0-5ba391a5cfad +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_multiple_users_from_process_xml +environment: attack_range +directory: purplesharp_multiple_users_from_process_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml new file mode 100644 index 000000000..6a2e8ea94 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5c866966-7003-412f-9481-6cebd5ba2dab +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_remote_spray_xml +environment: attack_range +directory: purplesharp_remote_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml new file mode 100644 index 000000000..3944678eb --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4e439e36-62cf-4546-91b5-deeb63c221b8 +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_valid_users_kerberos_xml +environment: attack_range +directory: purplesharp_valid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml new file mode 100644 index 000000000..f5ae928c4 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ee420c8c-c34b-4ee1-b50b-ff5131a5e658 +date: '2025-08-12' +description: Automatically categorized datasets in directory purplesharp_valid_users_ntlm_xml +environment: attack_range +directory: purplesharp_valid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml new file mode 100644 index 000000000..4c530e0f4 --- /dev/null +++ b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5a50589f-9dfa-4339-b66a-85fdcde2303e +date: '2025-08-12' +description: Automatically categorized datasets in directory local_administrator_cred_stuffing +environment: attack_range +directory: local_administrator_cred_stuffing +mitre_technique: +- T1110.004 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml new file mode 100644 index 000000000..19c25cb8a --- /dev/null +++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 69276bcf-c04d-42e9-97ed-59800c2eedfb +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_mfasweep_events +environment: attack_range +directory: azure_mfasweep_events +mitre_technique: +- T1110 +datasets: +- name: azure_mfasweep_events + path: /datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml b/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml new file mode 100644 index 000000000..4fe93623e --- /dev/null +++ b/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6be9e363-56af-4114-90a6-675063bf4a99 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_brute_force_login +environment: attack_range +directory: o365_brute_force_login +mitre_technique: +- T1110 +datasets: +- name: o365_brute_force_login-json + path: /datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml new file mode 100644 index 000000000..7f1197210 --- /dev/null +++ b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7a64eed4-64e2-4b03-9f3d-08ed987f7bf8 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_multiple_accounts_lockout +environment: attack_range +directory: okta_multiple_accounts_lockout +mitre_technique: +- T1110 +datasets: +- name: okta_multiple_accounts_lockout + path: /datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml new file mode 100644 index 000000000..6ddfb52c0 --- /dev/null +++ b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9e5a3b2f-0be3-4b71-a546-bfd489b99b4c +date: '2025-08-12' +description: Automatically categorized datasets in directory AuthenticationLevelOverride +environment: attack_range +directory: AuthenticationLevelOverride +mitre_technique: +- T1112 +datasets: +- name: auth_sys + path: /datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1112/atomic_red_team/data.yml b/datasets/attack_techniques/T1112/atomic_red_team/data.yml new file mode 100644 index 000000000..f4337137f --- /dev/null +++ b/datasets/attack_techniques/T1112/atomic_red_team/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: 834c0ade-18de-4bd5-9753-d8e52e5b7f9e +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1112 +datasets: +- name: wdigest_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: safemode_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-webview + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml new file mode 100644 index 000000000..e488ba8fb --- /dev/null +++ b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ab7faa6e-5a25-45c3-9681-a847b3c09576 +date: '2025-08-12' +description: Automatically categorized datasets in directory enablelinkedconnections +environment: attack_range +directory: enablelinkedconnections +mitre_technique: +- T1112 +datasets: +- name: blackbyte_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml new file mode 100644 index 000000000..a6586efcd --- /dev/null +++ b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dc912ec6-ba89-45a7-b790-c66eee08a3c6 +date: '2025-08-12' +description: Automatically categorized datasets in directory longpathsenabled +environment: attack_range +directory: longpathsenabled +mitre_technique: +- T1112 +datasets: +- name: longpath_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/disable_notif_center/data.yml b/datasets/attack_techniques/T1112/disable_notif_center/data.yml new file mode 100644 index 000000000..605769962 --- /dev/null +++ b/datasets/attack_techniques/T1112/disable_notif_center/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2ac6316e-645e-4e93-90dd-4fc9ac45e4a2 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_notif_center +environment: attack_range +directory: disable_notif_center +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/disable_notif_center/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml new file mode 100644 index 000000000..4b6a82cfa --- /dev/null +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml @@ -0,0 +1,15 @@ +author: Generated by dataset_analyzer.py +id: c059177b-60bd-4bc1-8673-7bc2a7cfa84d +date: '2025-08-12' +description: Automatically categorized datasets in directory firewall_modify_delete +environment: attack_range +directory: firewall_modify_delete +mitre_technique: +- T1112 +datasets: +- name: firewall-mod-delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log + sourcetype: firewall +- name: firewall_mod_delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log + sourcetype: firewall diff --git a/datasets/attack_techniques/T1112/minint_reg/data.yml b/datasets/attack_techniques/T1112/minint_reg/data.yml new file mode 100644 index 000000000..8f507c8d9 --- /dev/null +++ b/datasets/attack_techniques/T1112/minint_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 39dd03c8-2fdb-4e36-8234-4db62d9cc021 +date: '2025-08-12' +description: Automatically categorized datasets in directory minint_reg +environment: attack_range +directory: minint_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/minint_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml b/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml new file mode 100644 index 000000000..832eb5311 --- /dev/null +++ b/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ede65fe8-53b4-4428-a39a-d4d54ddb56ae +date: '2025-08-12' +description: Automatically categorized datasets in directory ransomware_disable_reg +environment: attack_range +directory: ransomware_disable_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/shimcache_flush/data.yml b/datasets/attack_techniques/T1112/shimcache_flush/data.yml new file mode 100644 index 000000000..9f84ab2dd --- /dev/null +++ b/datasets/attack_techniques/T1112/shimcache_flush/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a51ed069-eae4-40d6-9f5f-979b6f7a5726 +date: '2025-08-12' +description: Automatically categorized datasets in directory shimcache_flush +environment: attack_range +directory: shimcache_flush +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/shimcache_flush/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml new file mode 100644 index 000000000..61ec711be --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f377516d-b052-483f-a0fa-f6d63846b106 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_compliance_content_search_exported +environment: attack_range +directory: o365_compliance_content_search_exported +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_exported + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml new file mode 100644 index 000000000..dc3425184 --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 85eac7a7-a1d7-4629-9ff9-537051fded0b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_compliance_content_search_started +environment: attack_range +directory: o365_compliance_content_search_started +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_started + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml new file mode 100644 index 000000000..f8db2597a --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 85187821-3b80-4b82-83f2-04bddb887af1 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_inbox_shared_with_all_users +environment: attack_range +directory: o365_inbox_shared_with_all_users +mitre_technique: +- T1114.002 +datasets: +- name: o365_inbox_shared_with_all_users + path: /datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml new file mode 100644 index 000000000..51643b520 --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 37c875dc-0df0-4abc-9e13-56d4d6caf83b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_multiple_mailboxes_accessed_via_api +environment: attack_range +directory: o365_multiple_mailboxes_accessed_via_api +mitre_technique: +- T1114.002 +datasets: +- name: o365_multiple_mailboxes_accessed_via_api + path: /datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml new file mode 100644 index 000000000..9312e6189 --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a328b822-216c-444d-a25c-31b6cdc9af55 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_oauth_app_ews_mailbox_access +environment: attack_range +directory: o365_oauth_app_ews_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_ews_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml new file mode 100644 index 000000000..64652f092 --- /dev/null +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 49657c18-7317-4e0f-b6fd-73275edda22a +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_oauth_app_graph_mailbox_access +environment: attack_range +directory: o365_oauth_app_graph_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_graph_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml new file mode 100644 index 000000000..d09dae350 --- /dev/null +++ b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f6c1781c-cd78-48f2-813d-4535d3e28ce7 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_email_forwarding_rule_created +environment: attack_range +directory: o365_email_forwarding_rule_created +mitre_technique: +- T1114.003 +datasets: +- name: o365_email_forwarding_rule_created + path: /datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml new file mode 100644 index 000000000..24ce5bfbd --- /dev/null +++ b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ea375a4c-9684-4391-8f82-decda578585b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_mailbox_forwarding_enabled +environment: attack_range +directory: o365_mailbox_forwarding_enabled +mitre_technique: +- T1114.003 +datasets: +- name: o365_mailbox_forwarding_enabled-json + path: /datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml b/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml new file mode 100644 index 000000000..43d46d648 --- /dev/null +++ b/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4eb50ba5-614b-46e7-b732-740f3a063c71 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_export_pst_file +environment: attack_range +directory: o365_export_pst_file +mitre_technique: +- T1114 +datasets: +- name: o365_export_pst_file-json + path: /datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml new file mode 100644 index 000000000..a4c42ae5e --- /dev/null +++ b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e67627d0-1b0a-45d6-9037-4f6303dd5d7f +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_new_forwarding_mailflow_rule_created +environment: attack_range +directory: o365_new_forwarding_mailflow_rule_created +mitre_technique: +- T1114 +datasets: +- name: o365_new_forwarding_mailflow_rule_created + path: /datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml new file mode 100644 index 000000000..391323b4f --- /dev/null +++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 16bfceea-a344-4013-8c6d-8a5ffe7fd5eb +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_suspect_email_actions +environment: attack_range +directory: o365_suspect_email_actions +mitre_technique: +- T1114 +datasets: +- name: o365_messagetrace_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + sourcetype: o365:management:activity + source: o365 +- name: o365_exchange_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml b/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml new file mode 100644 index 000000000..0026dde30 --- /dev/null +++ b/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e2ff4658-2634-4c04-b544-a5c5d6ab2da9 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_xclip +environment: attack_range +directory: linux_auditd_xclip +mitre_technique: +- T1115 +datasets: +- name: linux_auditd_xclip + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log + sourcetype: auditd + source: auditd +- name: linux_auditd_xclip2 + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1127.001/data.yml b/datasets/attack_techniques/T1127.001/data.yml new file mode 100644 index 000000000..aa558ebda --- /dev/null +++ b/datasets/attack_techniques/T1127.001/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a9944c1f-4fba-4aa4-984a-0ee62820b552 +date: '2025-08-12' +description: Automatically categorized datasets in directory T1127.001 +environment: attack_range +directory: T1127.001 +mitre_technique: +- T1127.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1127.001/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml b/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml new file mode 100644 index 000000000..80d21b306 --- /dev/null +++ b/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 823c0d90-a2c5-4105-9a96-4f42871b6a00 +date: '2025-08-12' +description: Automatically categorized datasets in directory regsvr32_silent +environment: attack_range +directory: regsvr32_silent +mitre_technique: +- T1127.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/atomic_red_team/data.yml b/datasets/attack_techniques/T1127/atomic_red_team/data.yml new file mode 100644 index 000000000..414bb65b4 --- /dev/null +++ b/datasets/attack_techniques/T1127/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: eca61b09-23fb-4cf1-bd98-5e930837417f +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1127 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/etw_disable/data.yml b/datasets/attack_techniques/T1127/etw_disable/data.yml new file mode 100644 index 000000000..b4ff8e72f --- /dev/null +++ b/datasets/attack_techniques/T1127/etw_disable/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0dd99d60-429a-4fda-a881-7403fe207d3b +date: '2025-08-12' +description: Automatically categorized datasets in directory etw_disable +environment: attack_range +directory: etw_disable +mitre_technique: +- T1127 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127/etw_disable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1134.005/mimikatz/data.yml b/datasets/attack_techniques/T1134.005/mimikatz/data.yml new file mode 100644 index 000000000..bfc321ee8 --- /dev/null +++ b/datasets/attack_techniques/T1134.005/mimikatz/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f4b19386-93a3-477b-aec8-95f10804833f +date: '2025-08-12' +description: Automatically categorized datasets in directory mimikatz +environment: attack_range +directory: mimikatz +mitre_technique: +- T1134.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134.005/sid_history2/data.yml b/datasets/attack_techniques/T1134.005/sid_history2/data.yml new file mode 100644 index 000000000..f96b04f1e --- /dev/null +++ b/datasets/attack_techniques/T1134.005/sid_history2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a5480298-f24f-4ddc-ae5c-1b47f069ce75 +date: '2025-08-12' +description: Automatically categorized datasets in directory sid_history2 +environment: attack_range +directory: sid_history2 +mitre_technique: +- T1134.005 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1134.005/sid_history2/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml b/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml new file mode 100644 index 000000000..0f07e1001 --- /dev/null +++ b/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c85fa4ee-d852-4319-9a49-4d021057e4a6 +date: '2025-08-12' +description: Automatically categorized datasets in directory ipc_share_accessed +environment: attack_range +directory: ipc_share_accessed +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml new file mode 100644 index 000000000..d368c30b0 --- /dev/null +++ b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bfc43e75-09f7-4aa5-94a2-32ae1e39070a +date: '2025-08-12' +description: Automatically categorized datasets in directory large_number_computer_service_tickets +environment: attack_range +directory: large_number_computer_service_tickets +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/net_share/data.yml b/datasets/attack_techniques/T1135/net_share/data.yml new file mode 100644 index 000000000..578b74759 --- /dev/null +++ b/datasets/attack_techniques/T1135/net_share/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 071a9f91-6897-46ef-bcd2-f610aab61873 +date: '2025-08-12' +description: Automatically categorized datasets in directory net_share +environment: attack_range +directory: net_share +mitre_technique: +- T1135 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1135/net_share/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml new file mode 100644 index 000000000..c03459597 --- /dev/null +++ b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml @@ -0,0 +1,15 @@ +author: Generated by dataset_analyzer.py +id: 54f162f1-7eec-4b75-9125-a2edef956d52 +date: '2025-08-12' +description: Automatically categorized datasets in directory net_share_discovery_via_dir +environment: attack_range +directory: net_share_discovery_via_dir +mitre_technique: +- T1135 +datasets: +- name: smb_access_security_xml + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + sourcetype: access_combined +- name: smbaccess-5140-security-xml2 + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml b/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml new file mode 100644 index 000000000..1c2f08606 --- /dev/null +++ b/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a1e41771-8d3c-4dbb-aff9-f56f7a7c7762 +date: '2025-08-12' +description: Automatically categorized datasets in directory powerview_sharefinder +environment: attack_range +directory: powerview_sharefinder +mitre_technique: +- T1135 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml new file mode 100644 index 000000000..2e28662a7 --- /dev/null +++ b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9c2b1fb4-e5cc-4b4a-b137-fdcd965b5e5f +date: '2025-08-12' +description: Automatically categorized datasets in directory rapid_authentication_multiple_hosts +environment: attack_range +directory: rapid_authentication_multiple_hosts +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml new file mode 100644 index 000000000..faf4eab75 --- /dev/null +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml @@ -0,0 +1,33 @@ +author: Generated by dataset_analyzer.py +id: 0cc09e75-1681-45de-8f63-ae5e6e915303 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1136.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: xml-windows-security + path: /datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml new file mode 100644 index 000000000..a2755acbf --- /dev/null +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e6462693-e800-44f1-a999-9c4fa0f8976e +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_add_user +environment: attack_range +directory: linux_auditd_add_user +mitre_technique: +- T1136.001 +datasets: +- name: auditd_proctitle_user_add + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log + sourcetype: auditd + source: auditd +- name: linux_auditd_add_user + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml new file mode 100644 index 000000000..19eeef31b --- /dev/null +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 08585d30-4711-42ee-b9dd-b3657a2c14bf +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_add_user_type +environment: attack_range +directory: linux_auditd_add_user_type +mitre_technique: +- T1136.001 +datasets: +- name: linux_auditd_add_user_type + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml new file mode 100644 index 000000000..d581ba2da --- /dev/null +++ b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ffcbdc28-9bdc-496b-83cc-5d91708a5c97 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_add_service_principal +environment: attack_range +directory: azure_ad_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml new file mode 100644 index 000000000..ae177a59c --- /dev/null +++ b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 62780cfe-cabf-41e3-8906-986260335cc1 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_external_guest_user_invited +environment: attack_range +directory: azure_ad_external_guest_user_invited +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml new file mode 100644 index 000000000..1a8ee73aa --- /dev/null +++ b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3a2d80aa-8799-44cb-91d4-e199b6eb5046 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_multiple_service_principals_created +environment: attack_range +directory: azure_ad_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: azure_ad_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml b/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml new file mode 100644 index 000000000..7b7410e5b --- /dev/null +++ b/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d1812cac-e631-4c10-8209-64d708d68d94 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_automation_account +environment: attack_range +directory: azure_automation_account +mitre_technique: +- T1136.003 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml new file mode 100644 index 000000000..78a93979e --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5dc77dca-4646-4452-98f1-30d2b38ea5bc +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_add_app_role_assignment_grant_user +environment: attack_range +directory: o365_add_app_role_assignment_grant_user +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_app_role_assignment_grant_user-json + path: /datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml b/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml new file mode 100644 index 000000000..9851c76db --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6d48b50b-95e6-4869-bcb6-33a7aa3b83d3 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_add_service_principal +environment: attack_range +directory: o365_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml b/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml new file mode 100644 index 000000000..590f5aa34 --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e3b45ae6-80d6-4e90-91c8-631cd15ed165 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_added_service_principal +environment: attack_range +directory: o365_added_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log + sourcetype: o365:management:activity + source: o365 +- name: o365_added_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml new file mode 100644 index 000000000..c1a36272f --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a77fa7c5-6982-4dc5-987e-98868c07ba16 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_multiple_service_principals_created +environment: attack_range +directory: o365_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: o365_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml new file mode 100644 index 000000000..a82c3c700 --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e5d0bbeb-4f07-42cb-b3f3-bc04813ff173 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_new_federated_domain +environment: attack_range +directory: o365_new_federated_domain +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federated_domain-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml new file mode 100644 index 000000000..a0c44e3f0 --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 625c69c8-5c40-469f-9ea7-d802ff288d9a +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_new_federated_domain_added +environment: attack_range +directory: o365_new_federated_domain_added +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_federated_domain + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log + sourcetype: o365:management:activity + source: o365 +- name: o365_new_federated_domain_added-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml new file mode 100644 index 000000000..f7a8c1553 --- /dev/null +++ b/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: eb513e32-35a3-47a1-92ab-ace785ea71f4 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_new_federation +environment: attack_range +directory: o365_new_federation +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federation-json + path: /datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1140/atomic_red_team/data.yml b/datasets/attack_techniques/T1140/atomic_red_team/data.yml new file mode 100644 index 000000000..7a394d0fd --- /dev/null +++ b/datasets/attack_techniques/T1140/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a5f21bd8-f694-44b3-90c0-e910105a1cfa +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1140 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml b/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml new file mode 100644 index 000000000..b62e1d490 --- /dev/null +++ b/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 07e83507-36aa-42a9-b033-bb27fe35cc9b +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_base64 +environment: attack_range +directory: linux_auditd_base64 +mitre_technique: +- T1140 +datasets: +- name: auditd_execve_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log + sourcetype: auditd + source: auditd +- name: linux_auditd_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml new file mode 100644 index 000000000..2046f04e8 --- /dev/null +++ b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 435b6235-6698-4a81-a223-65a941b67b18 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_concurrent_sessions_from_different_ips +environment: attack_range +directory: aws_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml new file mode 100644 index 000000000..e0a83bb51 --- /dev/null +++ b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 80545b63-4a6a-4620-8968-3bdee04d01ab +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_concurrent_sessions_from_different_ips +environment: attack_range +directory: azure_ad_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml new file mode 100644 index 000000000..41f9a5d90 --- /dev/null +++ b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dde6a707-7db1-4680-b223-5a1199cd69ae +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_concurrent_sessions_from_different_ips +environment: attack_range +directory: o365_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: o365_concurrent_sessions_from_different_ips + path: /datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1187/petitpotam/data.yml b/datasets/attack_techniques/T1187/petitpotam/data.yml new file mode 100644 index 000000000..dd067c68b --- /dev/null +++ b/datasets/attack_techniques/T1187/petitpotam/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: ba5255e6-9f8b-41b6-892f-192a98c7776f +date: '2025-08-12' +description: Automatically categorized datasets in directory petitpotam +environment: attack_range +directory: petitpotam +mitre_technique: +- T1187 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1189/dyn_dns_site/data.yml b/datasets/attack_techniques/T1189/dyn_dns_site/data.yml new file mode 100644 index 000000000..e424fe79c --- /dev/null +++ b/datasets/attack_techniques/T1189/dyn_dns_site/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f0da1bdf-a6f4-4802-ba8f-7f3c64a76371 +date: '2025-08-12' +description: Automatically categorized datasets in directory dyn_dns_site +environment: attack_range +directory: dyn_dns_site +mitre_technique: +- T1189 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1189/splunk/data.yml b/datasets/attack_techniques/T1189/splunk/data.yml new file mode 100644 index 000000000..fe7ec7006 --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/data.yml @@ -0,0 +1,24 @@ +author: Generated by dataset_analyzer.py +id: 3ebaf8b0-2f34-4a4c-a607-047f6485b04c +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1189 +datasets: +- name: splunk_xss_in_highlighted_json_events_splunkd_ui_access + path: /datasets/attack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log + sourcetype: access_combined +- name: splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access + path: /datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access.log + sourcetype: access_combined +- name: SVD-2024-0712_splunkd_ui_access_splunk_ui_access + path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log + sourcetype: access_combined +- name: SVD-2024-0714_web_access_splunk_web_access + path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log + sourcetype: access_combined +- name: SVD-2024-0715_splunkd_splunkd_access + path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1189/xss/data.yml b/datasets/attack_techniques/T1189/xss/data.yml new file mode 100644 index 000000000..e13d2aab6 --- /dev/null +++ b/datasets/attack_techniques/T1189/xss/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: f977953b-5a95-4cf0-aafe-de2727bb93b4 +date: '2025-08-12' +description: Automatically categorized datasets in directory xss +environment: attack_range +directory: xss +mitre_technique: +- T1189 +datasets: +- name: splunk_web_access + path: /datasets/attack_techniques/T1189/xss/splunk_web_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/citrix/data.yml b/datasets/attack_techniques/T1190/citrix/data.yml new file mode 100644 index 000000000..4ed59b974 --- /dev/null +++ b/datasets/attack_techniques/T1190/citrix/data.yml @@ -0,0 +1,19 @@ +author: Generated by dataset_analyzer.py +id: bbe637ed-44bd-432c-a9ff-e17ebe7ca538 +date: '2025-08-12' +description: Automatically categorized datasets in directory citrix +environment: attack_range +directory: citrix +mitre_technique: +- T1190 +datasets: +- name: suricata_citrixbleed2 + path: /datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log + sourcetype: suricata + source: suricata +- name: nginx_kv_citrixbleed2_startwebview + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log + sourcetype: nginx:plus:access +- name: nginx_kv_cve_2023-4966-citrix + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/confluence/data.yml b/datasets/attack_techniques/T1190/confluence/data.yml new file mode 100644 index 000000000..7ee750ba6 --- /dev/null +++ b/datasets/attack_techniques/T1190/confluence/data.yml @@ -0,0 +1,22 @@ +author: Generated by dataset_analyzer.py +id: e40a6bb6-a73b-4d0b-8220-26d6c6d60094 +date: '2025-08-12' +description: Automatically categorized datasets in directory confluence +environment: attack_range +directory: confluence +mitre_technique: +- T1190 +datasets: +- name: nginx_plus_kv_confluence + path: /datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log + sourcetype: nginx:plus:access +- name: nginx_kv_confluence_CVE-2024-21683 + path: /datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log + sourcetype: nginx:plus:access +- name: suricata_confluence_cve-2023-22527 + path: /datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log + sourcetype: suricata + source: suricata +- name: nginx_shellservlet + path: /datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/crushftp/data.yml b/datasets/attack_techniques/T1190/crushftp/data.yml new file mode 100644 index 000000000..4fd616af2 --- /dev/null +++ b/datasets/attack_techniques/T1190/crushftp/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 36ed41d1-4e95-49ab-8996-ca295a1fdccf +date: '2025-08-12' +description: Automatically categorized datasets in directory crushftp +environment: attack_range +directory: crushftp +mitre_technique: +- T1190 +datasets: +- name: crushftp + path: /datasets/attack_techniques/T1190/crushftp/crushftp.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: crushftp11_session + path: /datasets/attack_techniques/T1190/crushftp/crushftp11_session.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/crushftp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/data.yml b/datasets/attack_techniques/T1190/data.yml new file mode 100644 index 000000000..7a6a61129 --- /dev/null +++ b/datasets/attack_techniques/T1190/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2bd2f212-9f34-4da0-b18f-de5558badad9 +date: '2025-08-12' +description: Automatically categorized datasets in directory T1190 +environment: attack_range +directory: T1190 +mitre_technique: +- T1190 +datasets: +- name: exchange_events-json + path: /datasets/attack_techniques/T1190/exchange_events.json + sourcetype: MSExchange:Management + source: MSExchange:Management diff --git a/datasets/attack_techniques/T1190/ivanti/data.yml b/datasets/attack_techniques/T1190/ivanti/data.yml new file mode 100644 index 000000000..bf1726aa5 --- /dev/null +++ b/datasets/attack_techniques/T1190/ivanti/data.yml @@ -0,0 +1,39 @@ +author: Generated by dataset_analyzer.py +id: ee7b8a13-3682-430a-8e53-a71ad887ec5c +date: '2025-08-12' +description: Automatically categorized datasets in directory ivanti +environment: attack_range +directory: ivanti +mitre_technique: +- T1190 +datasets: +- name: suricata_ivanti_secure_connect_checkphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_saml + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_secure_connect_exploitphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_epm + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_CVE202335078 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log + sourcetype: suricata + source: suricata +- name: ivanti_bookmark_web_access + path: /datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log + sourcetype: access_combined +- name: suricata_ivanti_CVE202335082 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log + sourcetype: suricata + source: suricata +- name: ivanti_vtm_nginxproxy + path: /datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/java/data.yml b/datasets/attack_techniques/T1190/java/data.yml new file mode 100644 index 000000000..6a310bc61 --- /dev/null +++ b/datasets/attack_techniques/T1190/java/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 512bec22-b4ed-4510-8a1e-ff602bd0f326 +date: '2025-08-12' +description: Automatically categorized datasets in directory java +environment: attack_range +directory: java +mitre_technique: +- T1190 +datasets: +- name: log4shell-nginx + path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/jenkins/data.yml b/datasets/attack_techniques/T1190/jenkins/data.yml new file mode 100644 index 000000000..fd7376459 --- /dev/null +++ b/datasets/attack_techniques/T1190/jenkins/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: f000a442-7809-41de-bfd1-f3d8974d08f3 +date: '2025-08-12' +description: Automatically categorized datasets in directory jenkins +environment: attack_range +directory: jenkins +mitre_technique: +- T1190 +datasets: +- name: nginx_jenkins_cve_2023_23897 + path: /datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/juniper/data.yml b/datasets/attack_techniques/T1190/juniper/data.yml new file mode 100644 index 000000000..941e86092 --- /dev/null +++ b/datasets/attack_techniques/T1190/juniper/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 50ce13ad-96c0-4111-82b1-0f777143cd69 +date: '2025-08-12' +description: Automatically categorized datasets in directory juniper +environment: attack_range +directory: juniper +mitre_technique: +- T1190 +datasets: +- name: suricata_junos_cvemegazord + path: /datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/magento/data.yml b/datasets/attack_techniques/T1190/magento/data.yml new file mode 100644 index 000000000..a3b0e1d6a --- /dev/null +++ b/datasets/attack_techniques/T1190/magento/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 9a5e8b12-c7f1-4653-ba79-b333a60cf4cd +date: '2025-08-12' +description: Automatically categorized datasets in directory magento +environment: attack_range +directory: magento +mitre_technique: +- T1190 +datasets: +- name: magento_access_filtered + path: /datasets/attack_techniques/T1190/magento/magento_access_filtered.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/outbound_java/data.yml b/datasets/attack_techniques/T1190/outbound_java/data.yml new file mode 100644 index 000000000..7ea0b4a14 --- /dev/null +++ b/datasets/attack_techniques/T1190/outbound_java/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2b56e287-f7c5-4459-b07f-ee9fade5b739 +date: '2025-08-12' +description: Automatically categorized datasets in directory outbound_java +environment: attack_range +directory: outbound_java +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/papercut/data.yml b/datasets/attack_techniques/T1190/papercut/data.yml new file mode 100644 index 000000000..2d22d4707 --- /dev/null +++ b/datasets/attack_techniques/T1190/papercut/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 27303865-acee-413b-bd49-db4e2781adb3 +date: '2025-08-12' +description: Automatically categorized datasets in directory papercut +environment: attack_range +directory: papercut +mitre_technique: +- T1190 +datasets: +- name: papercutng-suricata + path: /datasets/attack_techniques/T1190/papercut/papercutng-suricata.log + sourcetype: suricata + source: suricata +- name: papercutng-app-spawn_windows-sysmon + path: /datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/proxyshell/data.yml b/datasets/attack_techniques/T1190/proxyshell/data.yml new file mode 100644 index 000000000..cefcc28e2 --- /dev/null +++ b/datasets/attack_techniques/T1190/proxyshell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8d236e76-d50e-4fb1-a62f-779f44e70903 +date: '2025-08-12' +description: Automatically categorized datasets in directory proxyshell +environment: attack_range +directory: proxyshell +mitre_technique: +- T1190 +datasets: +- name: msexchangehmworker_windows-sysmon + path: /datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/pswa/data.yml b/datasets/attack_techniques/T1190/pswa/data.yml new file mode 100644 index 000000000..03804e70e --- /dev/null +++ b/datasets/attack_techniques/T1190/pswa/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: e9b883f8-624d-477b-a7d3-b59bdb17b25f +date: '2025-08-12' +description: Automatically categorized datasets in directory pswa +environment: attack_range +directory: pswa +mitre_technique: +- T1190 +datasets: +- name: iis_pswaaccess + path: /datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/sap/data.yml b/datasets/attack_techniques/T1190/sap/data.yml new file mode 100644 index 000000000..960aeadbb --- /dev/null +++ b/datasets/attack_techniques/T1190/sap/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: cebf0750-449b-4abf-9d28-55137474ec5c +date: '2025-08-12' +description: Automatically categorized datasets in directory sap +environment: attack_range +directory: sap +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/sap/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: suricata_sapnetweaver + path: /datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/screenconnect/data.yml b/datasets/attack_techniques/T1190/screenconnect/data.yml new file mode 100644 index 000000000..f3034b38f --- /dev/null +++ b/datasets/attack_techniques/T1190/screenconnect/data.yml @@ -0,0 +1,20 @@ +author: Generated by dataset_analyzer.py +id: f6590333-8589-40aa-ab4a-0652526d0e95 +date: '2025-08-12' +description: Automatically categorized datasets in directory screenconnect +environment: attack_range +directory: screenconnect +mitre_technique: +- T1190 +datasets: +- name: sysmon_app_extensions + path: /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: nginx_screenconnect + path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log + sourcetype: nginx:plus:access +- name: connectwise_auth_suricata + path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1190/sharepoint/data.yml b/datasets/attack_techniques/T1190/sharepoint/data.yml new file mode 100644 index 000000000..63e3989f7 --- /dev/null +++ b/datasets/attack_techniques/T1190/sharepoint/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: f4c63e96-4ce3-4e37-ae50-a28f051cca6b +date: '2025-08-12' +description: Automatically categorized datasets in directory sharepoint +environment: attack_range +directory: sharepoint +mitre_technique: +- T1190 +datasets: +- name: sharepointeop + path: /datasets/attack_techniques/T1190/sharepoint/sharepointeop.log + sourcetype: sharepoint:uls diff --git a/datasets/attack_techniques/T1190/splunk/data.yml b/datasets/attack_techniques/T1190/splunk/data.yml new file mode 100644 index 000000000..8a1f5aff6 --- /dev/null +++ b/datasets/attack_techniques/T1190/splunk/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 12d444fc-e341-4403-bbe7-26d1964eb793 +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1190 +datasets: +- name: web_access + path: /datasets/attack_techniques/T1190/splunk/web_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/spring4shell/data.yml b/datasets/attack_techniques/T1190/spring4shell/data.yml new file mode 100644 index 000000000..68a28802b --- /dev/null +++ b/datasets/attack_techniques/T1190/spring4shell/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: f2ecb9d2-7ace-4769-b6d5-9a78f51563b5 +date: '2025-08-12' +description: Automatically categorized datasets in directory spring4shell +environment: attack_range +directory: spring4shell +mitre_technique: +- T1190 +datasets: +- name: spring4shell_nginx + path: /datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/text4shell/data.yml b/datasets/attack_techniques/T1190/text4shell/data.yml new file mode 100644 index 000000000..4b7163429 --- /dev/null +++ b/datasets/attack_techniques/T1190/text4shell/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 86904e3f-e22e-4d3a-a300-eba3e2cfafd8 +date: '2025-08-12' +description: Automatically categorized datasets in directory text4shell +environment: attack_range +directory: text4shell +mitre_technique: +- T1190 +datasets: +- name: text4shell_nginx + path: /datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/tomcat/data.yml b/datasets/attack_techniques/T1190/tomcat/data.yml new file mode 100644 index 000000000..9ab02e1ff --- /dev/null +++ b/datasets/attack_techniques/T1190/tomcat/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 23665d8c-07ba-40e7-8f5a-46097ffc9e75 +date: '2025-08-12' +description: Automatically categorized datasets in directory tomcat +environment: attack_range +directory: tomcat +mitre_technique: +- T1190 +datasets: +- name: tomcat_nginx_access + path: /datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1195.002/3CX/data.yml b/datasets/attack_techniques/T1195.002/3CX/data.yml new file mode 100644 index 000000000..60c41ad02 --- /dev/null +++ b/datasets/attack_techniques/T1195.002/3CX/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 550dda16-c722-4c8d-ba0e-488b8bb10535 +date: '2025-08-12' +description: Automatically categorized datasets in directory 3CX +environment: attack_range +directory: 3CX +mitre_technique: +- T1195.002 +datasets: +- name: 3cx_network-windows-sysmon + path: /datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 3cx_4688_windows-security + path: /datasets/attack_techniques/T1195.002/3CX/3cx_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 3cx_windows-sysmon + path: /datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1197/atomic_red_team/data.yml b/datasets/attack_techniques/T1197/atomic_red_team/data.yml new file mode 100644 index 000000000..12dc7b7c8 --- /dev/null +++ b/datasets/attack_techniques/T1197/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5d49236e-23f9-402b-92b7-5b6f152f5b5c +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1197 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml b/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml new file mode 100644 index 000000000..a4fd063e5 --- /dev/null +++ b/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c62702e4-8da0-4e9f-b8f9-e8cd574eaf69 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_swapoff +environment: attack_range +directory: linux_auditd_swapoff +mitre_technique: +- T1200 +datasets: +- name: linux_auditd_swapoff2 + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log + sourcetype: auditd + source: auditd +- name: linux_auditd_swapoff + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml new file mode 100644 index 000000000..d2e416700 --- /dev/null +++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 601cb045-401e-445e-9d03-ce778313fb25 +date: '2025-08-12' +description: Automatically categorized datasets in directory sysmon_usb_use_execution +environment: attack_range +directory: sysmon_usb_use_execution +mitre_technique: +- T1200 +datasets: +- name: sysmon_usb_use_execution + path: /datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml b/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml new file mode 100644 index 000000000..c54ce361c --- /dev/null +++ b/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: df83873f-fc03-465e-9044-c61da950afa3 +date: '2025-08-12' +description: Automatically categorized datasets in directory pwd_policy_discovery +environment: attack_range +directory: pwd_policy_discovery +mitre_technique: +- T1201 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1202/atomic_red_team/data.yml b/datasets/attack_techniques/T1202/atomic_red_team/data.yml new file mode 100644 index 000000000..3751d5551 --- /dev/null +++ b/datasets/attack_techniques/T1202/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a726d142-d6df-4465-9f6c-840beaf20e9d +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1202 +datasets: +- name: windows-sysmon_runmru + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml new file mode 100644 index 000000000..a8ff7536c --- /dev/null +++ b/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0586f997-b5c4-43bb-a300-db3c008113e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml b/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml new file mode 100644 index 000000000..d19b85d00 --- /dev/null +++ b/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d60dcd01-8e16-473f-bd8e-87de6687b413 +date: '2025-08-12' +description: Automatically categorized datasets in directory batch_file_in_system32 +environment: attack_range +directory: batch_file_in_system32 +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml b/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml new file mode 100644 index 000000000..169cb39e0 --- /dev/null +++ b/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d2ab14ca-3c53-4eeb-a176-974d3e10a380 +date: '2025-08-12' +description: Automatically categorized datasets in directory single_letter_exe +environment: attack_range +directory: single_letter_exe +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml new file mode 100644 index 000000000..03b8ab40b --- /dev/null +++ b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5d33772b-4beb-46dc-a85e-6e8003a7aa09 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_ecr_container_upload +environment: attack_range +directory: aws_ecr_container_upload +mitre_technique: +- T1204.003 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: aws_ecr_container_upload-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml new file mode 100644 index 000000000..c07f70e20 --- /dev/null +++ b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b722f054-f014-4f79-b826-410d03e06baf +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_ecr_image_scanning +environment: attack_range +directory: aws_ecr_image_scanning +mitre_technique: +- T1204.003 +datasets: +- name: aws_ecr_scanning_findings_events-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/risk_dataset/data.yml b/datasets/attack_techniques/T1204.003/risk_dataset/data.yml new file mode 100644 index 000000000..c65ea452d --- /dev/null +++ b/datasets/attack_techniques/T1204.003/risk_dataset/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d105763e-b421-484d-87ac-9a3189e9f93d +date: '2025-08-12' +description: Automatically categorized datasets in directory risk_dataset +environment: attack_range +directory: risk_dataset +mitre_technique: +- T1204.003 +datasets: +- name: aws_ecr_risk_dataset + path: /datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml new file mode 100644 index 000000000..564bfabde --- /dev/null +++ b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 07324041-a95b-40a0-be0f-379a3ea55a73 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_updatelambdafunctioncode +environment: attack_range +directory: aws_updatelambdafunctioncode +mitre_technique: +- T1204 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml b/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml new file mode 100644 index 000000000..bf6de6e90 --- /dev/null +++ b/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8cef32da-2960-4ea7-abd8-dfe77d6d4c77 +date: '2025-08-12' +description: Automatically categorized datasets in directory failed_login_service_account_ad +environment: attack_range +directory: failed_login_service_account_ad +mitre_technique: +- T1204 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml new file mode 100644 index 000000000..94bf8a825 --- /dev/null +++ b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5268a968-0ff2-48b4-9f90-f1e561cdeb80 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_audit_daemonset_created +environment: attack_range +directory: kubernetes_audit_daemonset_created +mitre_technique: +- T1204 +datasets: +- name: kubernetes_audit_daemonset_created-json + path: /datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml new file mode 100644 index 000000000..0c15d0305 --- /dev/null +++ b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ce64ce8d-4eab-47de-ab51-1eee0bb82e1a +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_falco_shell_spawned +environment: attack_range +directory: kubernetes_falco_shell_spawned +mitre_technique: +- T1204 +datasets: +- name: kubernetes_falco_shell_spawned + path: /datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml new file mode 100644 index 000000000..fd0304369 --- /dev/null +++ b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 48b16de7-5aeb-48bc-822c-55b17e96be41 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_privileged_pod +environment: attack_range +directory: kubernetes_privileged_pod +mitre_technique: +- T1204 +datasets: +- name: kubernetes_privileged_pod-json + path: /datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml new file mode 100644 index 000000000..4952fdfa2 --- /dev/null +++ b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2f5f7d33-2ee7-456b-95d4-34d59b0bf882 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_unauthorized_access +environment: attack_range +directory: kubernetes_unauthorized_access +mitre_technique: +- T1204 +datasets: +- name: kubernetes_unauthorized_access-json + path: /datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1204/rare_executables/data.yml b/datasets/attack_techniques/T1204/rare_executables/data.yml new file mode 100644 index 000000000..a5d9c4c99 --- /dev/null +++ b/datasets/attack_techniques/T1204/rare_executables/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a62e0e5b-fb2d-4e28-b8eb-7448d13300f6 +date: '2025-08-12' +description: Automatically categorized datasets in directory rare_executables +environment: attack_range +directory: rare_executables +mitre_technique: +- T1204 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1207/dc_promo/data.yml b/datasets/attack_techniques/T1207/dc_promo/data.yml new file mode 100644 index 000000000..dae86758d --- /dev/null +++ b/datasets/attack_techniques/T1207/dc_promo/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 48f153b6-9474-41f3-b9a1-9f5a6e83ec34 +date: '2025-08-12' +description: Automatically categorized datasets in directory dc_promo +environment: attack_range +directory: dc_promo +mitre_technique: +- T1207 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/mimikatz/data.yml b/datasets/attack_techniques/T1207/mimikatz/data.yml new file mode 100644 index 000000000..a552027d4 --- /dev/null +++ b/datasets/attack_techniques/T1207/mimikatz/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ae741f50-4aba-4cc5-8214-aa140d5e1b83 +date: '2025-08-12' +description: Automatically categorized datasets in directory mimikatz +environment: attack_range +directory: mimikatz +mitre_technique: +- T1207 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/short_lived_server_object/data.yml b/datasets/attack_techniques/T1207/short_lived_server_object/data.yml new file mode 100644 index 000000000..66b4c4974 --- /dev/null +++ b/datasets/attack_techniques/T1207/short_lived_server_object/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 697a22bd-c0ef-4516-b88e-4e90cc7d18e3 +date: '2025-08-12' +description: Automatically categorized datasets in directory short_lived_server_object +environment: attack_range +directory: short_lived_server_object +mitre_technique: +- T1207 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1210/splunk/data.yml b/datasets/attack_techniques/T1210/splunk/data.yml new file mode 100644 index 000000000..c1bfb435d --- /dev/null +++ b/datasets/attack_techniques/T1210/splunk/data.yml @@ -0,0 +1,22 @@ +author: Generated by dataset_analyzer.py +id: c07c0b21-2a31-478e-a244-3872c392d7c8 +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1210 +datasets: +- name: svd-2024-1003-index_internal_sourcetype_splunkd_access + path: /datasets/attack_techniques/T1210/splunk/svd-2024-1003-index_internal_sourcetype_splunkd_access.log + sourcetype: access_combined +- name: splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature + path: /datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.log + sourcetype: linux_secure + source: linux_secure +- name: svd-2024-1001-index_internal_sourcetype_splunkd_access + path: /datasets/attack_techniques/T1210/splunk/svd-2024-1001-index_internal_sourcetype_splunkd_access.log + sourcetype: access_combined +- name: splunk_rce_via_user_xslt_splunkd_ui_access + path: /datasets/attack_techniques/T1210/splunk/splunk_rce_via_user_xslt_splunkd_ui_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml new file mode 100644 index 000000000..f8726f05a --- /dev/null +++ b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 40f823dc-14c2-498e-a67d-fd1f71533aab +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_nginx_lfi_attack +environment: attack_range +directory: kubernetes_nginx_lfi_attack +mitre_technique: +- T1212 +datasets: +- name: kubernetes_nginx_lfi_attack + path: /datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml new file mode 100644 index 000000000..2b144149e --- /dev/null +++ b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 80df73df-a189-473f-b26e-78be1e8502e7 +date: '2025-08-12' +description: Automatically categorized datasets in directory kuberntest_nginx_rfi_attack +environment: attack_range +directory: kuberntest_nginx_rfi_attack +mitre_technique: +- T1212 +datasets: +- name: kubernetes_nginx_rfi_attack + path: /datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml new file mode 100644 index 000000000..6eff26294 --- /dev/null +++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6c859651-b825-4b6e-aa65-8a27ac8f84d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_sus_sharepoint_search +environment: attack_range +directory: o365_sus_sharepoint_search +mitre_technique: +- T1213.002 +datasets: +- name: o365_sus_sharepoint_search + path: /datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1216/atomic_red_team/data.yml b/datasets/attack_techniques/T1216/atomic_red_team/data.yml new file mode 100644 index 000000000..216468090 --- /dev/null +++ b/datasets/attack_techniques/T1216/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 08124714-65e8-4c55-9362-08fcaa33d3d4 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1216 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml new file mode 100644 index 000000000..e409de2ab --- /dev/null +++ b/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 1579c588-4de3-4818-96fd-a15ba8708877 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.001 +datasets: +- name: 4688_windows-security + path: /datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: hh_decom_windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml new file mode 100644 index 000000000..357aec2e3 --- /dev/null +++ b/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 30a8d3a7-267a-499b-9be1-e8d615156ea4 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml new file mode 100644 index 000000000..adfb83720 --- /dev/null +++ b/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: f96536a6-2792-40d7-9236-873b05e9e0d4 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_installutil_path + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml new file mode 100644 index 000000000..b1e0e86d7 --- /dev/null +++ b/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0778f707-cfd2-437b-a76f-5043849912e6 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: mshta_tasks_windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml b/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml new file mode 100644 index 000000000..349555271 --- /dev/null +++ b/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: d47e7693-af4a-4f25-a3bf-43cbae002f04 +date: '2025-08-12' +description: Automatically categorized datasets in directory mshta_in_registry +environment: attack_range +directory: mshta_in_registry +mitre_technique: +- T1218.005 +datasets: +- name: sysmon3 + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml new file mode 100644 index 000000000..6076cedf6 --- /dev/null +++ b/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: efe33d17-ce1b-4648-9552-6f9bf24f09cc +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.007 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_msiexec-windows-security + path: /datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml new file mode 100644 index 000000000..cbf87b12d --- /dev/null +++ b/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 50f1380a-cd49-43f5-a7a8-fd6c167f3e96 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.008 +datasets: +- name: odbcconf-windows-security + path: /datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-odbc-rsp + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-odbc-regsvr + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml new file mode 100644 index 000000000..3b86f3f91 --- /dev/null +++ b/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9be966a9-4695-46c6-af97-9e126347d0e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml new file mode 100644 index 000000000..e94937e27 --- /dev/null +++ b/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fc8098a0-f10b-490b-b21a-d1b5aa4b9f20 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml new file mode 100644 index 000000000..f4e270e11 --- /dev/null +++ b/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a102a9f3-175d-4a9e-b062-7669b4b8fdf2 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ordinal_windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml b/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml new file mode 100644 index 000000000..f9cb36052 --- /dev/null +++ b/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a00d9a09-8716-407d-b28a-5e2434c8982f +date: '2025-08-12' +description: Automatically categorized datasets in directory verclsid_exec +environment: attack_range +directory: verclsid_exec +mitre_technique: +- T1218.012 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml new file mode 100644 index 000000000..59a04125d --- /dev/null +++ b/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3094171d-7ff5-46a6-bbce-2cc1892c3a04 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1218.013 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/bitlockertogo/data.yml b/datasets/attack_techniques/T1218/bitlockertogo/data.yml new file mode 100644 index 000000000..154107688 --- /dev/null +++ b/datasets/attack_techniques/T1218/bitlockertogo/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 2a5a7579-df94-4f22-a5d9-57c3496a7145 +date: '2025-08-12' +description: Automatically categorized datasets in directory bitlockertogo +environment: attack_range +directory: bitlockertogo +mitre_technique: +- T1218 +datasets: +- name: 4688_bitlockertogo_windows-security + path: /datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: bitlockertogo_windows-sysmon + path: /datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/diskshadow/data.yml b/datasets/attack_techniques/T1218/diskshadow/data.yml new file mode 100644 index 000000000..5e31ec7a6 --- /dev/null +++ b/datasets/attack_techniques/T1218/diskshadow/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a91e98af-269f-4827-9ea9-3ebe261b28a6 +date: '2025-08-12' +description: Automatically categorized datasets in directory diskshadow +environment: attack_range +directory: diskshadow +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/eviltwin/data.yml b/datasets/attack_techniques/T1218/eviltwin/data.yml new file mode 100644 index 000000000..f71553fc4 --- /dev/null +++ b/datasets/attack_techniques/T1218/eviltwin/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0c425709-546a-472b-9546-f871a1585c07 +date: '2025-08-12' +description: Automatically categorized datasets in directory eviltwin +environment: attack_range +directory: eviltwin +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/atomic_red_team/data.yml b/datasets/attack_techniques/T1219/atomic_red_team/data.yml new file mode 100644 index 000000000..0f4626161 --- /dev/null +++ b/datasets/attack_techniques/T1219/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0a1e0573-f65b-48ce-94bf-340c796d5e96 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1219 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/screenconnect/data.yml b/datasets/attack_techniques/T1219/screenconnect/data.yml new file mode 100644 index 000000000..df36d853e --- /dev/null +++ b/datasets/attack_techniques/T1219/screenconnect/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7d715348-25ee-4db9-8c2f-d1598828516a +date: '2025-08-12' +description: Automatically categorized datasets in directory screenconnect +environment: attack_range +directory: screenconnect +mitre_technique: +- T1219 +datasets: +- name: screenconnect_sysmon + path: /datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/teamviewer/data.yml b/datasets/attack_techniques/T1219/teamviewer/data.yml new file mode 100644 index 000000000..612a64873 --- /dev/null +++ b/datasets/attack_techniques/T1219/teamviewer/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f939d9c5-6dbf-4fea-b53c-e5c193402afd +date: '2025-08-12' +description: Automatically categorized datasets in directory teamviewer +environment: attack_range +directory: teamviewer +mitre_technique: +- T1219 +datasets: +- name: windows_security + path: /datasets/attack_techniques/T1219/teamviewer/windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1220/atomic_red_team/data.yml b/datasets/attack_techniques/T1220/atomic_red_team/data.yml new file mode 100644 index 000000000..c18f53083 --- /dev/null +++ b/datasets/attack_techniques/T1220/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f5e06bbd-8df3-4bc8-be67-9f79d8094118 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1220 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml new file mode 100644 index 000000000..c49ee7eb3 --- /dev/null +++ b/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b1b1e31a-9f0c-488f-ad9e-67dc505287e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1222.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml new file mode 100644 index 000000000..6e7c02a5c --- /dev/null +++ b/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml @@ -0,0 +1,41 @@ +author: Generated by dataset_analyzer.py +id: 1eb5e793-72c5-4536-b7b7-dd786b0f51cf +date: '2025-08-12' +description: Automatically categorized datasets in directory dacl_abuse +environment: attack_range +directory: dacl_abuse +mitre_technique: +- T1222.001 +datasets: +- name: group_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: owner_updated_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_deletion_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: suspicious_acl_modification-windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_ou_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: user_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_object_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1222.001/subinacl/data.yml b/datasets/attack_techniques/T1222.001/subinacl/data.yml new file mode 100644 index 000000000..fee97ecf2 --- /dev/null +++ b/datasets/attack_techniques/T1222.001/subinacl/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 734e922e-c531-4d08-9f07-6cfed766652b +date: '2025-08-12' +description: Automatically categorized datasets in directory subinacl +environment: attack_range +directory: subinacl +mitre_technique: +- T1222.001 +datasets: +- name: subinacl_sysmon + path: /datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml new file mode 100644 index 000000000..0c8003213 --- /dev/null +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: a568867c-2d28-4af2-a70a-ebc5082e2a44 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_chattr_i +environment: attack_range +directory: linux_auditd_chattr_i +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chattr + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chattr_i + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml new file mode 100644 index 000000000..f6426a9c9 --- /dev/null +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 2692a8c8-8b44-4c1b-ba3d-95c928d45b1c +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_chmod_exec_attrib +environment: attack_range +directory: linux_auditd_chmod_exec_attrib +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chmod + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chmod_exec_attrib + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1482/atomic_red_team/data.yml b/datasets/attack_techniques/T1482/atomic_red_team/data.yml new file mode 100644 index 000000000..fc6a482be --- /dev/null +++ b/datasets/attack_techniques/T1482/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a92b3e24-3df3-4e58-947c-372da10efdf4 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1482 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1482/discovery/data.yml b/datasets/attack_techniques/T1482/discovery/data.yml new file mode 100644 index 000000000..56dbfce82 --- /dev/null +++ b/datasets/attack_techniques/T1482/discovery/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c8cb4031-ed28-4fbc-90ed-ce8aec69102a +date: '2025-08-12' +description: Automatically categorized datasets in directory discovery +environment: attack_range +directory: discovery +mitre_technique: +- T1482 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1482/discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1482/discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml new file mode 100644 index 000000000..bdf67b0bd --- /dev/null +++ b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6dbdb11c-9897-484e-8d98-249bb1be94b6 +date: '2025-08-12' +description: Automatically categorized datasets in directory default_domain_policy_modified +environment: attack_range +directory: default_domain_policy_modified +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/data.yml b/datasets/attack_techniques/T1484.001/gpo_modification/data.yml new file mode 100644 index 000000000..c513b2a54 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/gpo_modification/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 73543f1c-1973-4376-9826-940b0428ac9e +date: '2025-08-12' +description: Automatically categorized datasets in directory gpo_modification +environment: attack_range +directory: gpo_modification +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_created/data.yml b/datasets/attack_techniques/T1484.001/group_policy_created/data.yml new file mode 100644 index 000000000..bb537da08 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_created/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1397e488-3ee2-4639-92e8-5ed8939ee65c +date: '2025-08-12' +description: Automatically categorized datasets in directory group_policy_created +environment: attack_range +directory: group_policy_created +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml new file mode 100644 index 000000000..e9338ff9e --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b035d284-d295-49ce-8be9-d6f4856eed78 +date: '2025-08-12' +description: Automatically categorized datasets in directory group_policy_deleted +environment: attack_range +directory: group_policy_deleted +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml new file mode 100644 index 000000000..f92d4baa7 --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 31cd349a-1966-4277-a1c4-4a0002df0baf +date: '2025-08-12' +description: Automatically categorized datasets in directory group_policy_disabled +environment: attack_range +directory: group_policy_disabled +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml new file mode 100644 index 000000000..963f684db --- /dev/null +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2b075917-cd2d-4b04-8f01-4e536d8cd1fe +date: '2025-08-12' +description: Automatically categorized datasets in directory group_policy_new_cse +environment: attack_range +directory: group_policy_new_cse +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml b/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml new file mode 100644 index 000000000..17234945c --- /dev/null +++ b/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 20ee411d-975e-4ed4-a19f-05090cf16795 +date: '2025-08-12' +description: Automatically categorized datasets in directory new_federated_domain +environment: attack_range +directory: new_federated_domain +mitre_technique: +- T1484.002 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml b/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml new file mode 100644 index 000000000..4c36e8023 --- /dev/null +++ b/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cab2042f-5a34-4856-94da-63f5c94197ab +date: '2025-08-12' +description: Automatically categorized datasets in directory DCShadowPermissions +environment: attack_range +directory: DCShadowPermissions +mitre_technique: +- T1484 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484/aclmodification/data.yml b/datasets/attack_techniques/T1484/aclmodification/data.yml new file mode 100644 index 000000000..13bf70e9b --- /dev/null +++ b/datasets/attack_techniques/T1484/aclmodification/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 078b5e62-f817-4f33-8070-343e8883e72e +date: '2025-08-12' +description: Automatically categorized datasets in directory aclmodification +environment: attack_range +directory: aclmodification +mitre_technique: +- T1484 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1485/atomic_red_team/data.yml b/datasets/attack_techniques/T1485/atomic_red_team/data.yml new file mode 100644 index 000000000..0935fb085 --- /dev/null +++ b/datasets/attack_techniques/T1485/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 133766a4-8579-4f4b-a395-125ab3b87dc9 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml new file mode 100644 index 000000000..01601584a --- /dev/null +++ b/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 78225b09-7510-4a8a-b2bb-dfd20da047bd +date: '2025-08-12' +description: Automatically categorized datasets in directory decommissioned_buckets +environment: attack_range +directory: decommissioned_buckets +mitre_technique: +- T1485 +datasets: +- name: web_cloudfront_access + path: /datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml new file mode 100644 index 000000000..471a1f3bc --- /dev/null +++ b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f0fd2205-79a2-48cd-a575-0ca0dbf63c00 +date: '2025-08-12' +description: Automatically categorized datasets in directory excessive_file_del_in_windefender_dir +environment: attack_range +directory: excessive_file_del_in_windefender_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml b/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml new file mode 100644 index 000000000..253387531 --- /dev/null +++ b/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6e2d96e2-be06-4e16-b582-2b984c1452d5 +date: '2025-08-12' +description: Automatically categorized datasets in directory excessive_file_deletions +environment: attack_range +directory: excessive_file_deletions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml new file mode 100644 index 000000000..6d7454c4e --- /dev/null +++ b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 162f024d-f23c-4495-86bf-9fc6a71b2518 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_dd_overwrite +environment: attack_range +directory: linux_auditd_dd_overwrite +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml new file mode 100644 index 000000000..491cfcc6c --- /dev/null +++ b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 4eba62de-b5c8-4fb7-bef8-870f81290312 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_no_preserve_root +environment: attack_range +directory: linux_auditd_no_preserve_root +mitre_technique: +- T1485 +datasets: +- name: auditd_proctitle_rm_rf + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log + sourcetype: auditd + source: auditd +- name: linux_auditd_no_preserve_root + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml b/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml new file mode 100644 index 000000000..65777c309 --- /dev/null +++ b/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 413e0b6a-60c3-4f5c-85b7-9a67d2987eec +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_shred +environment: attack_range +directory: linux_auditd_shred +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml new file mode 100644 index 000000000..0751fe611 --- /dev/null +++ b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 829163ec-f9dc-411e-b913-3c9a4f1269c7 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_dd_file_overwrite +environment: attack_range +directory: linux_dd_file_overwrite +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_extensions/data.yml b/datasets/attack_techniques/T1485/ransomware_extensions/data.yml new file mode 100644 index 000000000..4ecaac2e8 --- /dev/null +++ b/datasets/attack_techniques/T1485/ransomware_extensions/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0106b18b-2be5-4e07-9d51-ccf8e2d443b5 +date: '2025-08-12' +description: Automatically categorized datasets in directory ransomware_extensions +environment: attack_range +directory: ransomware_extensions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_notes/data.yml b/datasets/attack_techniques/T1485/ransomware_notes/data.yml new file mode 100644 index 000000000..7ee9b4e88 --- /dev/null +++ b/datasets/attack_techniques/T1485/ransomware_notes/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: eeadd6ae-a0ac-4d4e-ada2-5d5af5aa7339 +date: '2025-08-12' +description: Automatically categorized datasets in directory ransomware_notes +environment: attack_range +directory: ransomware_notes +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ransom-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_boot_dir/data.yml b/datasets/attack_techniques/T1485/rm_boot_dir/data.yml new file mode 100644 index 000000000..25f8a189f --- /dev/null +++ b/datasets/attack_techniques/T1485/rm_boot_dir/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 75b422b7-e863-4a6e-8fa7-b3df73945570 +date: '2025-08-12' +description: Automatically categorized datasets in directory rm_boot_dir +environment: attack_range +directory: rm_boot_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml b/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml new file mode 100644 index 000000000..4f7e49496 --- /dev/null +++ b/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 24f8617a-de51-4343-bea2-21442cfd750d +date: '2025-08-12' +description: Automatically categorized datasets in directory rm_shred_critical_dir +environment: attack_range +directory: rm_shred_critical_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/sdelete/data.yml b/datasets/attack_techniques/T1485/sdelete/data.yml new file mode 100644 index 000000000..d67db76b2 --- /dev/null +++ b/datasets/attack_techniques/T1485/sdelete/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a2fb0b2a-6bcf-409a-b98d-493c8f32aefc +date: '2025-08-12' +description: Automatically categorized datasets in directory sdelete +environment: attack_range +directory: sdelete +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/sdelete/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/aws_kms_key/data.yml b/datasets/attack_techniques/T1486/aws_kms_key/data.yml new file mode 100644 index 000000000..1a06cbad3 --- /dev/null +++ b/datasets/attack_techniques/T1486/aws_kms_key/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 9f396f78-167b-4652-bb07-a582b6dc6a54 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_kms_key +environment: attack_range +directory: aws_kms_key +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1486/dcrypt/data.yml b/datasets/attack_techniques/T1486/dcrypt/data.yml new file mode 100644 index 000000000..5ece99889 --- /dev/null +++ b/datasets/attack_techniques/T1486/dcrypt/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ba9b58cf-e637-433b-aa1c-77ba5c22f9e3 +date: '2025-08-12' +description: Automatically categorized datasets in directory dcrypt +environment: attack_range +directory: dcrypt +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/s3_file_encryption/data.yml b/datasets/attack_techniques/T1486/s3_file_encryption/data.yml new file mode 100644 index 000000000..e380a940c --- /dev/null +++ b/datasets/attack_techniques/T1486/s3_file_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a6e2b14c-ffd6-4c3b-84d6-d3e7a69b92c2 +date: '2025-08-12' +description: Automatically categorized datasets in directory s3_file_encryption +environment: attack_range +directory: s3_file_encryption +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1486/sam_sam_note/data.yml b/datasets/attack_techniques/T1486/sam_sam_note/data.yml new file mode 100644 index 000000000..3e9e8cd9b --- /dev/null +++ b/datasets/attack_techniques/T1486/sam_sam_note/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 562f5409-7cf3-4ffd-a994-5e32750587a7 +date: '2025-08-12' +description: Automatically categorized datasets in directory sam_sam_note +environment: attack_range +directory: sam_sam_note +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml new file mode 100644 index 000000000..3ead66f1e --- /dev/null +++ b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 12707eeb-cdbf-49e5-a17e-b81762628bf7 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_auditd_service_stop +environment: attack_range +directory: linux_auditd_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml new file mode 100644 index 000000000..407f75db9 --- /dev/null +++ b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8b2032de-bb95-4fec-8e5a-fed537499948 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_osquerd_service_stop +environment: attack_range +directory: linux_auditd_osquerd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_osquerd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml new file mode 100644 index 000000000..97d3ec2cf --- /dev/null +++ b/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e04311d9-a0f0-4039-9c20-cc8ac7141282 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_service_stop +environment: attack_range +directory: linux_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml new file mode 100644 index 000000000..0b440727e --- /dev/null +++ b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ec178259-6e26-445b-9c1a-8680be48a85b +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_sysmon_service_stop +environment: attack_range +directory: linux_auditd_sysmon_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_sysmon_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml b/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml new file mode 100644 index 000000000..cf293f79b --- /dev/null +++ b/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 60abb680-986b-4799-84df-003fe66c1bb3 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_service_stop_disable +environment: attack_range +directory: linux_service_stop_disable +mitre_technique: +- T1489 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/atomic_red_team/data.yml b/datasets/attack_techniques/T1490/atomic_red_team/data.yml new file mode 100644 index 000000000..786c5af71 --- /dev/null +++ b/datasets/attack_techniques/T1490/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e29ae475-9a1f-491a-9d3d-134a7e07999e +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_xml_windows_security_delete_shadow + path: /datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1490/aws_bucket_version/data.yml b/datasets/attack_techniques/T1490/aws_bucket_version/data.yml new file mode 100644 index 000000000..f53cf96a8 --- /dev/null +++ b/datasets/attack_techniques/T1490/aws_bucket_version/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7265e1cd-50c7-499e-8901-d75a25741241 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_bucket_version +environment: attack_range +directory: aws_bucket_version +mitre_technique: +- T1490 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml b/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml new file mode 100644 index 000000000..4403148d1 --- /dev/null +++ b/datasets/attack_techniques/T1490/known_services_killed_by_ransomware/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3bdc7ffb-27f6-4ab7-8145-4615922f319c +date: '2025-08-12' +description: Automatically categorized datasets in directory known_services_killed_by_ransomware +environment: attack_range +directory: known_services_killed_by_ransomware +mitre_technique: +- T1490 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1490/known_services_killed_by_ransomware/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1490/ransomware_notes/data.yml b/datasets/attack_techniques/T1490/ransomware_notes/data.yml new file mode 100644 index 000000000..abfefc69e --- /dev/null +++ b/datasets/attack_techniques/T1490/ransomware_notes/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 88a62f79-a1bb-4def-8f37-21154f4e6dd4 +date: '2025-08-12' +description: Automatically categorized datasets in directory ransomware_notes +environment: attack_range +directory: ransomware_notes +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/shadowcopy_del/data.yml b/datasets/attack_techniques/T1490/shadowcopy_del/data.yml new file mode 100644 index 000000000..e9bd53e75 --- /dev/null +++ b/datasets/attack_techniques/T1490/shadowcopy_del/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 51cfa0a7-e93c-41ab-906d-57c198f697d8 +date: '2025-08-12' +description: Automatically categorized datasets in directory shadowcopy_del +environment: attack_range +directory: shadowcopy_del +mitre_technique: +- T1490 +datasets: +- name: wmicshadowcopydelete_sysmon + path: /datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1497.003/ping_sleep/data.yml b/datasets/attack_techniques/T1497.003/ping_sleep/data.yml new file mode 100644 index 000000000..bf15c9648 --- /dev/null +++ b/datasets/attack_techniques/T1497.003/ping_sleep/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 64046204-d1d1-44d1-937f-2033ed24df90 +date: '2025-08-12' +description: Automatically categorized datasets in directory ping_sleep +environment: attack_range +directory: ping_sleep +mitre_technique: +- T1497.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1505.001/simulation/data.yml b/datasets/attack_techniques/T1505.001/simulation/data.yml new file mode 100644 index 000000000..e6c1c8a6d --- /dev/null +++ b/datasets/attack_techniques/T1505.001/simulation/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: dd59d7f0-66dd-4db1-ae5d-f4601c2233e9 +date: '2025-08-12' +description: Automatically categorized datasets in directory simulation +environment: attack_range +directory: simulation +mitre_technique: +- T1505.001 +datasets: +- name: adhocdq_windows_application + path: /datasets/attack_techniques/T1505.001/simulation/adhocdq_windows_application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:MSSQLSERVER +- name: dllprocedureload_windows-application + path: /datasets/attack_techniques/T1505.001/simulation/dllprocedureload_windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:MSSQLSERVER +- name: sqlservr-windows_sysmon + path: /datasets/attack_techniques/T1505.001/simulation/sqlservr-windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-application + path: /datasets/attack_techniques/T1505.001/simulation/windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Security-SPP diff --git a/datasets/attack_techniques/T1505.003/data.yml b/datasets/attack_techniques/T1505.003/data.yml new file mode 100644 index 000000000..cb9ca9644 --- /dev/null +++ b/datasets/attack_techniques/T1505.003/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: ad3ce362-e5b1-4eb7-b6f1-b76962b12889 +date: '2025-08-12' +description: Automatically categorized datasets in directory T1505.003 +environment: attack_range +directory: T1505.003 +mitre_technique: +- T1505.003 +datasets: +- name: windows-sysmon_proxylogon + path: /datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_umservices + path: /datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1505.003/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: moveit_windows-sysmon + path: /datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1505.004/data.yml b/datasets/attack_techniques/T1505.004/data.yml new file mode 100644 index 000000000..f0c94d9a5 --- /dev/null +++ b/datasets/attack_techniques/T1505.004/data.yml @@ -0,0 +1,53 @@ +author: Generated by dataset_analyzer.py +id: f6d6fcae-e312-4ac2-964b-992dcbba57dd +date: '2025-08-12' +description: Automatically categorized datasets in directory T1505.004 +environment: attack_range +directory: T1505.004 +mitre_technique: +- T1505.004 +datasets: +- name: pwsh_installediismodules + path: /datasets/attack_techniques/T1505.004/pwsh_installediismodules.log + sourcetype: iis + source: iis +- name: IIS-Configuration-Operational + path: /datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log + sourcetype: iis + source: iis +- name: 4688_disable_http_logging-windows-security + path: /datasets/attack_techniques/T1505.004/4688_disable_http_logging-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: appcmd_install-windows-sysmon + path: /datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 2282_windows-application + path: /datasets/attack_techniques/T1505.004/2282_windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-IIS-W3SVC-WP +- name: 4104_disable_http_logging_windows-powershell + path: /datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: gacutil_windows-sysmon + path: /datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4104_windows-powershell + path: /datasets/attack_techniques/T1505.004/4104_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: gacutil_4688_windows-security + path: /datasets/attack_techniques/T1505.004/gacutil_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: disable_http_logging_windows-sysmon + path: /datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: appcmd_4688-windows-security + path: /datasets/attack_techniques/T1505.004/appcmd_4688-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1526/aws_security_scanner/data.yml b/datasets/attack_techniques/T1526/aws_security_scanner/data.yml new file mode 100644 index 000000000..e498ed95a --- /dev/null +++ b/datasets/attack_techniques/T1526/aws_security_scanner/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5a1b22cd-feed-453d-9925-3a02906ad026 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_security_scanner +environment: attack_range +directory: aws_security_scanner +mitre_technique: +- T1526 +datasets: +- name: aws_security_scanner-json + path: /datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml new file mode 100644 index 000000000..035b5e45e --- /dev/null +++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6ba5781e-033b-47a0-9f92-a386226a74b8 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_audit_pull_image +environment: attack_range +directory: kubernetes_audit_pull_image +mitre_technique: +- T1526 +datasets: +- name: kubernetes_audit_pull_image-json + path: /datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml new file mode 100644 index 000000000..a1445cb2f --- /dev/null +++ b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 58ed8c63-e779-4244-a631-27d12aff8c82 +date: '2025-08-12' +description: Automatically categorized datasets in directory kubernetes_kube_hunter +environment: attack_range +directory: kubernetes_kube_hunter +mitre_technique: +- T1526 +datasets: +- name: kubernetes_kube_hunter-json + path: /datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml new file mode 100644 index 000000000..be6362025 --- /dev/null +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b78e3ee4-d7e6-4be5-934e-2a4431cdc543 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_user_consent_blocked +environment: attack_range +directory: azure_ad_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_blocked + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml new file mode 100644 index 000000000..423fcd889 --- /dev/null +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 24f2b50f-c5d4-49d1-9b3d-9b7b46a81132 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_user_consent_declined +environment: attack_range +directory: azure_ad_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_declined + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml new file mode 100644 index 000000000..d07590923 --- /dev/null +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1ed0262c-12b4-4bcb-a38e-ef4823e3cd58 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_user_consent_granted +environment: attack_range +directory: azure_ad_user_consent_granted +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_granted + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/device_code_authentication/data.yml b/datasets/attack_techniques/T1528/device_code_authentication/data.yml new file mode 100644 index 000000000..1e7526312 --- /dev/null +++ b/datasets/attack_techniques/T1528/device_code_authentication/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 67ded8fb-af33-4b18-bd48-71b592636893 +date: '2025-08-12' +description: Automatically categorized datasets in directory device_code_authentication +environment: attack_range +directory: device_code_authentication +mitre_technique: +- T1528 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml new file mode 100644 index 000000000..8065462f3 --- /dev/null +++ b/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 164b88ab-9236-4ee4-ace2-26678bad4530 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_user_consent_blocked +environment: attack_range +directory: o365_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_blocked + path: /datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml new file mode 100644 index 000000000..c65734ad9 --- /dev/null +++ b/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 658a395c-be8a-4876-a1a3-fbff5cca4943 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_user_consent_declined +environment: attack_range +directory: o365_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_declined + path: /datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml new file mode 100644 index 000000000..76988b7a0 --- /dev/null +++ b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 18399e92-d80c-499a-8e92-2732e31ab2af +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_user_consent_file_permissions +environment: attack_range +directory: o365_user_consent_file_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_file_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml new file mode 100644 index 000000000..3b272c3fb --- /dev/null +++ b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 08e31c5b-3a54-40e1-a2e5-7bed47ca6637 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_user_consent_mail_permissions +environment: attack_range +directory: o365_user_consent_mail_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_mail_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml b/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml new file mode 100644 index 000000000..ff7cde6f1 --- /dev/null +++ b/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 73a793df-58fb-4ed8-a4fe-35b808225de9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_s3_public_bucket +environment: attack_range +directory: aws_s3_public_bucket +mitre_technique: +- T1530 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1531/atomic_red_team/data.yml b/datasets/attack_techniques/T1531/atomic_red_team/data.yml new file mode 100644 index 000000000..eb1ca440b --- /dev/null +++ b/datasets/attack_techniques/T1531/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3ea7232a-9176-4840-861e-625d076897d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1531 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1531/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml b/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml new file mode 100644 index 000000000..9034aef79 --- /dev/null +++ b/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 366044b4-8354-4859-80d1-b9e8ac2f5896 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_ami_shared_public +environment: attack_range +directory: aws_ami_shared_public +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml b/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml new file mode 100644 index 000000000..a65eb52e6 --- /dev/null +++ b/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7336c166-f292-439b-abc8-1275c2e457a9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_exfil_risk_events +environment: attack_range +directory: aws_exfil_risk_events +mitre_technique: +- T1537 +datasets: +- name: aws_risk + path: /datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml b/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml new file mode 100644 index 000000000..ae110b936 --- /dev/null +++ b/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0436771e-a141-4da1-8f51-6752f1b030e3 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_snapshot_exfil +environment: attack_range +directory: aws_snapshot_exfil +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml b/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml new file mode 100644 index 000000000..f4290a20e --- /dev/null +++ b/datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2c94f423-56b0-4f7b-ac98-0e10692f9bea +date: '2025-08-12' +description: Automatically categorized datasets in directory high_frequency_copy_of_files_in_network_share +environment: attack_range +directory: high_frequency_copy_of_files_in_network_share +mitre_technique: +- T1537 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1537/high_frequency_copy_of_files_in_network_share/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml new file mode 100644 index 000000000..0442f01ea --- /dev/null +++ b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cdbbbe96-9152-4113-ba57-bdcc67c3dfc0 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_web_session_multiple_ip +environment: attack_range +directory: okta_web_session_multiple_ip +mitre_technique: +- T1539 +datasets: +- name: okta_web_session_multiple_ip + path: /datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1542.003/bootkits/data.yml b/datasets/attack_techniques/T1542.003/bootkits/data.yml new file mode 100644 index 000000000..3775af35d --- /dev/null +++ b/datasets/attack_techniques/T1542.003/bootkits/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1dde0d18-5cbd-4115-b412-99d6e61e5098 +date: '2025-08-12' +description: Automatically categorized datasets in directory bootkits +environment: attack_range +directory: bootkits +mitre_technique: +- T1542.003 +datasets: +- name: network-winlogon-windows-sysmon + path: /datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml new file mode 100644 index 000000000..9c1481056 --- /dev/null +++ b/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml @@ -0,0 +1,29 @@ +author: Generated by dataset_analyzer.py +id: ac41d77d-0760-4659-9187-b756920928e7 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1543.003 +datasets: +- name: 4688-remcom-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-remote-service-create-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-system + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: remote_service_create_windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement/data.yml new file mode 100644 index 000000000..206b6586a --- /dev/null +++ b/datasets/attack_techniques/T1543.003/lateral_movement/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 961318f6-4baf-4b77-9328-901a0da416c3 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement +environment: attack_range +directory: lateral_movement +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml new file mode 100644 index 000000000..0ed577ad4 --- /dev/null +++ b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 235dd031-6d02-42c1-affe-123ec3577f4a +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_lolbas +environment: attack_range +directory: lateral_movement_lolbas +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml new file mode 100644 index 000000000..638a5c20d --- /dev/null +++ b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 12aa7591-f308-4c4a-9f96-1f0091348949 +date: '2025-08-12' +description: Automatically categorized datasets in directory lateral_movement_powershell +environment: attack_range +directory: lateral_movement_powershell +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml b/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml new file mode 100644 index 000000000..a27275911 --- /dev/null +++ b/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 56560e17-fbc8-4234-97ae-d206267db41e +date: '2025-08-12' +description: Automatically categorized datasets in directory services_lolbas_execution +environment: attack_range +directory: services_lolbas_execution +mitre_technique: +- T1543.003 +datasets: +- name: 4688_xml_windows_security + path: /datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml b/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml new file mode 100644 index 000000000..801e3147b --- /dev/null +++ b/datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 45486064-f0b3-4290-9ca4-d97342972e90 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_krbrelayup_service_creation +environment: attack_range +directory: windows_krbrelayup_service_creation +mitre_technique: +- T1543.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1543.003/windows_krbrelayup_service_creation/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml b/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml new file mode 100644 index 000000000..3a1acd159 --- /dev/null +++ b/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cf547925-52e2-4cf1-84f5-5f7e5d69646d +date: '2025-08-12' +description: Automatically categorized datasets in directory txtfile_reg +environment: attack_range +directory: txtfile_reg +mitre_technique: +- T1546.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml b/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml new file mode 100644 index 000000000..d359b99ca --- /dev/null +++ b/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8629b7f9-5357-411f-bc6e-fc93a036d94d +date: '2025-08-12' +description: Automatically categorized datasets in directory scrnsave_reg +environment: attack_range +directory: scrnsave_reg +mitre_technique: +- T1546.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml new file mode 100644 index 000000000..2ed5d71ea --- /dev/null +++ b/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4475a793-d061-4d59-b67a-e46fde796702 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml b/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml new file mode 100644 index 000000000..ee18c4386 --- /dev/null +++ b/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 023da78e-423b-4937-bdc4-82143004171f +date: '2025-08-12' +description: Automatically categorized datasets in directory wmi_event_subscription +environment: attack_range +directory: wmi_event_subscription +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml new file mode 100644 index 000000000..f18327300 --- /dev/null +++ b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f732a4d4-3cc8-4494-9137-1bc2c676a6af +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_unix_shell_mod_config +environment: attack_range +directory: linux_auditd_unix_shell_mod_config +mitre_technique: +- T1546.004 +datasets: +- name: linux_auditd_unix_shell_mod_config + path: /datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml b/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml new file mode 100644 index 000000000..cda13d10e --- /dev/null +++ b/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e1822070-a603-47b8-aa47-695a9ef5e1bc +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_init_profile +environment: attack_range +directory: linux_init_profile +mitre_technique: +- T1546.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml new file mode 100644 index 000000000..3d1d1df4a --- /dev/null +++ b/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: afb6ffde-d288-4f9d-abb0-beb5facb25cf +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1546.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml new file mode 100644 index 000000000..c305b70da --- /dev/null +++ b/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a7893d69-e08f-4db9-a5eb-6cab89242fb0 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1546.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml new file mode 100644 index 000000000..f026b8e9f --- /dev/null +++ b/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0b1bf2de-5f62-46a1-a88d-c01c0d8434e7 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1546.012 +datasets: +- name: windows-application + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-ProcessExitMonitor +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml new file mode 100644 index 000000000..0b683ec3b --- /dev/null +++ b/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 68bee785-3f0d-433f-8848-9c158c87372e +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml b/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml new file mode 100644 index 000000000..a641018e2 --- /dev/null +++ b/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 874cd43a-7676-4689-9d0b-5bd32c86a7a9 +date: '2025-08-12' +description: Automatically categorized datasets in directory pwh_com_object +environment: attack_range +directory: pwh_com_object +mitre_technique: +- T1546.015 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/uac_colorui/data.yml b/datasets/attack_techniques/T1546.015/uac_colorui/data.yml new file mode 100644 index 000000000..77cf7df0f --- /dev/null +++ b/datasets/attack_techniques/T1546.015/uac_colorui/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bb9a522e-0b7b-4ce7-b3af-90d25542f5a6 +date: '2025-08-12' +description: Automatically categorized datasets in directory uac_colorui +environment: attack_range +directory: uac_colorui +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml b/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml new file mode 100644 index 000000000..fba321753 --- /dev/null +++ b/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 72d7f6a2-7cda-4a0d-ac0c-94bc71c3121f +date: '2025-08-12' +description: Automatically categorized datasets in directory adminsdholder_modified +environment: attack_range +directory: adminsdholder_modified +mitre_technique: +- T1546 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml new file mode 100644 index 000000000..9c7ef2d06 --- /dev/null +++ b/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5824674e-1223-406e-8f1a-aba3024ac094 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1547.001 +datasets: +- name: bootexecute-windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml b/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml new file mode 100644 index 000000000..5e864a453 --- /dev/null +++ b/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6cb1adbb-cc26-43a9-b8d9-e23c92d984f7 +date: '2025-08-12' +description: Automatically categorized datasets in directory timeprovider_reg +environment: attack_range +directory: timeprovider_reg +mitre_technique: +- T1547.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml b/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml new file mode 100644 index 000000000..cfe65f112 --- /dev/null +++ b/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: da28bf9c-c1e1-4cb8-819a-460ce5e78ff2 +date: '2025-08-12' +description: Automatically categorized datasets in directory malicious_ssp +environment: attack_range +directory: malicious_ssp +mitre_technique: +- T1547.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml new file mode 100644 index 000000000..84c6e3841 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3a0d58c8-22dd-4fd3-92aa-896c538daeb3 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_insmod +environment: attack_range +directory: linux_auditd_insmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml new file mode 100644 index 000000000..8c03e73a8 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5b1810bc-fb03-4d67-92ff-a638cba5c82e +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_insmod_new +environment: attack_range +directory: linux_auditd_insmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml new file mode 100644 index 000000000..bf23c28a8 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 46f43a79-5ee7-44b9-9b30-55e6283eb342 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_modprobe +environment: attack_range +directory: linux_auditd_modprobe +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml new file mode 100644 index 000000000..6d48ae484 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a2931ada-6410-4567-a613-95d3de336c8f +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_modprobe_new +environment: attack_range +directory: linux_auditd_modprobe_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml new file mode 100644 index 000000000..c540af639 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 12fcbdde-d62b-402a-815d-8ae421a8b802 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_modprobe_unload_module +environment: attack_range +directory: linux_auditd_modprobe_unload_module +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe_unload_module + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log + sourcetype: auditd + source: auditd +- name: auditd_execve_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml new file mode 100644 index 000000000..7ccbcb641 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 34826bd2-9181-4e17-808a-a3e82ff59de6 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_rmmod +environment: attack_range +directory: linux_auditd_rmmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml new file mode 100644 index 000000000..be05226cb --- /dev/null +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 42a93ebb-914d-4a9e-a997-d9ba40fb7016 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_rmmod_new +environment: attack_range +directory: linux_auditd_rmmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml new file mode 100644 index 000000000..df85e7984 --- /dev/null +++ b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5ad0d1f8-147a-43d6-9886-db4ae9f30284 +date: '2025-08-12' +description: Automatically categorized datasets in directory loading_linux_kernel_module +environment: attack_range +directory: loading_linux_kernel_module +mitre_technique: +- T1547.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml new file mode 100644 index 000000000..721d5c232 --- /dev/null +++ b/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 246ed053-0c69-4971-869a-56e7aeaf63b2 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1547.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml new file mode 100644 index 000000000..9ee1d9a03 --- /dev/null +++ b/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 076ce53c-f065-4c7a-883a-aa48bb208dd0 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1547.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/print_reg/data.yml b/datasets/attack_techniques/T1547.012/print_reg/data.yml new file mode 100644 index 000000000..ef4b58084 --- /dev/null +++ b/datasets/attack_techniques/T1547.012/print_reg/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: d524d660-dd07-4564-ae78-b2bf44fc0bac +date: '2025-08-12' +description: Automatically categorized datasets in directory print_reg +environment: attack_range +directory: print_reg +mitre_technique: +- T1547.012 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1547.012/print_reg/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_print + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/printnightmare/data.yml b/datasets/attack_techniques/T1547.012/printnightmare/data.yml new file mode 100644 index 000000000..a8f77a281 --- /dev/null +++ b/datasets/attack_techniques/T1547.012/printnightmare/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 826eb620-41b7-4661-a2fa-14d2f2b6a5fd +date: '2025-08-12' +description: Automatically categorized datasets in directory printnightmare +environment: attack_range +directory: printnightmare +mitre_technique: +- T1547.012 +datasets: +- name: mimikatz-windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/chmod_uid/data.yml b/datasets/attack_techniques/T1548.001/chmod_uid/data.yml new file mode 100644 index 000000000..afb529bf7 --- /dev/null +++ b/datasets/attack_techniques/T1548.001/chmod_uid/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: eb8e1ee0-bb1d-4550-961c-8ad227e01ae2 +date: '2025-08-12' +description: Automatically categorized datasets in directory chmod_uid +environment: attack_range +directory: chmod_uid +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml new file mode 100644 index 000000000..e8ff30349 --- /dev/null +++ b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: 50ce101e-82d5-4f3c-bcf2-636600c53a46 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_setuid +environment: attack_range +directory: linux_auditd_setuid +mitre_technique: +- T1548.001 +datasets: +- name: linux_auditd_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_proctitle_setuid.log + sourcetype: auditd + source: auditd +- name: linux_auditd_setcap_priv + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log + sourcetype: auditd + source: auditd +- name: auditd_execve_setcap + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.001/linux_setcap/data.yml b/datasets/attack_techniques/T1548.001/linux_setcap/data.yml new file mode 100644 index 000000000..ff2f9adde --- /dev/null +++ b/datasets/attack_techniques/T1548.001/linux_setcap/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cd6620c0-4e69-48bf-bd71-6f97b7625b6f +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_setcap +environment: attack_range +directory: linux_setcap +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml new file mode 100644 index 000000000..69c28ad9b --- /dev/null +++ b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e26c9115-ea12-4347-ae18-bea02132aa1a +date: '2025-08-12' +description: Automatically categorized datasets in directory LocalAccountTokenFilterPolicy +environment: attack_range +directory: LocalAccountTokenFilterPolicy +mitre_technique: +- T1548.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml new file mode 100644 index 000000000..6f08e1636 --- /dev/null +++ b/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c6678a14-2bab-43e0-9778-2118616072ea +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1548.002 +datasets: +- name: dism_pswa_4688_windows-security + path: /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/slui/data.yml b/datasets/attack_techniques/T1548.002/slui/data.yml new file mode 100644 index 000000000..94fbe181a --- /dev/null +++ b/datasets/attack_techniques/T1548.002/slui/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8af2a457-f8e2-4720-9be3-fa7807bc4357 +date: '2025-08-12' +description: Automatically categorized datasets in directory slui +environment: attack_range +directory: slui +mitre_technique: +- T1548.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml b/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml new file mode 100644 index 000000000..17bcb36f1 --- /dev/null +++ b/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 03e98791-5f8c-434e-b434-a6995e5d8a6a +date: '2025-08-12' +description: Automatically categorized datasets in directory ssa_eventvwr +environment: attack_range +directory: ssa_eventvwr +mitre_technique: +- T1548.002 +datasets: +- name: windows-sysmon-registry + path: /datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/data.yml b/datasets/attack_techniques/T1548.002/uac_behavior/data.yml new file mode 100644 index 000000000..1ce2af5f1 --- /dev/null +++ b/datasets/attack_techniques/T1548.002/uac_behavior/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a29f33eb-5498-4926-9fad-e5585f3ffbdf +date: '2025-08-12' +description: Automatically categorized datasets in directory uac_behavior +environment: attack_range +directory: uac_behavior +mitre_technique: +- T1548.002 +datasets: +- name: uac_behavior_sysmon + path: /datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas/data.yml b/datasets/attack_techniques/T1548.003/doas/data.yml new file mode 100644 index 000000000..f4fb01d83 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/doas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: de9bbee7-eeaa-4469-ac98-53bba895c6fd +date: '2025-08-12' +description: Automatically categorized datasets in directory doas +environment: attack_range +directory: doas +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas_exec/data.yml b/datasets/attack_techniques/T1548.003/doas_exec/data.yml new file mode 100644 index 000000000..552024588 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/doas_exec/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c756bb13-def2-4843-9291-f3a8984ee1b1 +date: '2025-08-12' +description: Automatically categorized datasets in directory doas_exec +environment: attack_range +directory: doas_exec +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_adduser/data.yml b/datasets/attack_techniques/T1548.003/linux_adduser/data.yml new file mode 100644 index 000000000..a783b5a0b --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_adduser/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 36e23b44-949c-4745-9c58-c8afd782e824 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_adduser +environment: attack_range +directory: linux_adduser +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml new file mode 100644 index 000000000..2acec716e --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6c3c5aaf-88f3-4132-9acc-27f9cef7d8de +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_doas +environment: attack_range +directory: linux_auditd_doas +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml new file mode 100644 index 000000000..081d4440c --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dd0fe634-9b2d-4ecc-97f3-ab59d44fd289 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_doas_new +environment: attack_range +directory: linux_auditd_doas_new +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_new_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml new file mode 100644 index 000000000..245803ca7 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: c4eb82ce-c698-46dd-ba6e-716324177ca8 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_nopasswd +environment: attack_range +directory: linux_auditd_nopasswd +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_nopasswd + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log + sourcetype: auditd + source: auditd +- name: linux_auditd_nopasswd2 + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml new file mode 100644 index 000000000..a49398d54 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 4db2b6d7-4b14-49ad-b64a-bcaf57f27baf +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_sudo_su +environment: attack_range +directory: linux_auditd_sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: auditd_proctitle_sudo + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log + sourcetype: auditd + source: auditd +- name: linux_auditd_sudo_su + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml new file mode 100644 index 000000000..71016bf5d --- /dev/null +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: be32d097-bda9-4968-99fd-37d75e66ad1b +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_sudoers_access +environment: attack_range +directory: linux_auditd_sudoers_access +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_sudoers_access + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml new file mode 100644 index 000000000..da14f50ed --- /dev/null +++ b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a045bb3c-4462-41ee-932c-9583c406552a +date: '2025-08-12' +description: Automatically categorized datasets in directory nopasswd_sudoers +environment: attack_range +directory: nopasswd_sudoers +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudo_su/data.yml b/datasets/attack_techniques/T1548.003/sudo_su/data.yml new file mode 100644 index 000000000..c5dc09c29 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/sudo_su/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4a8fc4f9-93e5-428a-9e9f-52cecdea968a +date: '2025-08-12' +description: Automatically categorized datasets in directory sudo_su +environment: attack_range +directory: sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml b/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml new file mode 100644 index 000000000..1672f8140 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 58a1c487-e83c-41dd-b308-65c4dcdc241c +date: '2025-08-12' +description: Automatically categorized datasets in directory sudoers_temp +environment: attack_range +directory: sudoers_temp +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/visudo/data.yml b/datasets/attack_techniques/T1548.003/visudo/data.yml new file mode 100644 index 000000000..681f074f5 --- /dev/null +++ b/datasets/attack_techniques/T1548.003/visudo/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: de19d3cb-4769-4617-9297-076fa48f6c71 +date: '2025-08-12' +description: Automatically categorized datasets in directory visudo +environment: attack_range +directory: visudo +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt/data.yml b/datasets/attack_techniques/T1548/apt/data.yml new file mode 100644 index 000000000..84635d037 --- /dev/null +++ b/datasets/attack_techniques/T1548/apt/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dd83f383-1de9-40e6-be9f-300553196148 +date: '2025-08-12' +description: Automatically categorized datasets in directory apt +environment: attack_range +directory: apt +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt_get/data.yml b/datasets/attack_techniques/T1548/apt_get/data.yml new file mode 100644 index 000000000..65a725a91 --- /dev/null +++ b/datasets/attack_techniques/T1548/apt_get/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fdd4a2e9-de8b-4caa-93fc-6581fb25e5ce +date: '2025-08-12' +description: Automatically categorized datasets in directory apt_get +environment: attack_range +directory: apt_get +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt_get/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/awk/data.yml b/datasets/attack_techniques/T1548/awk/data.yml new file mode 100644 index 000000000..7664523c0 --- /dev/null +++ b/datasets/attack_techniques/T1548/awk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1e63112b-1654-4ca2-a487-ad055e356fa4 +date: '2025-08-12' +description: Automatically categorized datasets in directory awk +environment: attack_range +directory: awk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/awk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/busybox/data.yml b/datasets/attack_techniques/T1548/busybox/data.yml new file mode 100644 index 000000000..3250fcc00 --- /dev/null +++ b/datasets/attack_techniques/T1548/busybox/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7cc455d0-b36f-436f-9a2f-c5743a58d0b2 +date: '2025-08-12' +description: Automatically categorized datasets in directory busybox +environment: attack_range +directory: busybox +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/busybox/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c89/data.yml b/datasets/attack_techniques/T1548/c89/data.yml new file mode 100644 index 000000000..2a4d699a1 --- /dev/null +++ b/datasets/attack_techniques/T1548/c89/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5406e23f-ed05-4b7a-8bf3-671ca5e4d8ef +date: '2025-08-12' +description: Automatically categorized datasets in directory c89 +environment: attack_range +directory: c89 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c89/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c99/data.yml b/datasets/attack_techniques/T1548/c99/data.yml new file mode 100644 index 000000000..d35d57eed --- /dev/null +++ b/datasets/attack_techniques/T1548/c99/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2dcade8b-581a-457e-8bf9-2d7567cf589b +date: '2025-08-12' +description: Automatically categorized datasets in directory c99 +environment: attack_range +directory: c99 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c99/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/composer/data.yml b/datasets/attack_techniques/T1548/composer/data.yml new file mode 100644 index 000000000..c295dc51e --- /dev/null +++ b/datasets/attack_techniques/T1548/composer/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b5595dec-ad57-4f4c-b6f3-1bc50b075144 +date: '2025-08-12' +description: Automatically categorized datasets in directory composer +environment: attack_range +directory: composer +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/composer/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/cpulimit/data.yml b/datasets/attack_techniques/T1548/cpulimit/data.yml new file mode 100644 index 000000000..7fb5cf589 --- /dev/null +++ b/datasets/attack_techniques/T1548/cpulimit/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dc597588-268a-450b-834d-05c8182a1ce9 +date: '2025-08-12' +description: Automatically categorized datasets in directory cpulimit +environment: attack_range +directory: cpulimit +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/csvtool/data.yml b/datasets/attack_techniques/T1548/csvtool/data.yml new file mode 100644 index 000000000..63834d835 --- /dev/null +++ b/datasets/attack_techniques/T1548/csvtool/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 88bc713c-5a47-4a41-9761-2dda288a059c +date: '2025-08-12' +description: Automatically categorized datasets in directory csvtool +environment: attack_range +directory: csvtool +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/csvtool/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml b/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml new file mode 100644 index 000000000..90ad72d8d --- /dev/null +++ b/datasets/attack_techniques/T1548/darkside_cmstp_com/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 66b7227d-7c95-431e-951b-1930959ddc73 +date: '2025-08-12' +description: Automatically categorized datasets in directory darkside_cmstp_com +environment: attack_range +directory: darkside_cmstp_com +mitre_technique: +- T1548 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/docker/data.yml b/datasets/attack_techniques/T1548/docker/data.yml new file mode 100644 index 000000000..3996b33c9 --- /dev/null +++ b/datasets/attack_techniques/T1548/docker/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 796f4601-47da-4299-bfec-924e66a7e65a +date: '2025-08-12' +description: Automatically categorized datasets in directory docker +environment: attack_range +directory: docker +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/docker/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/emacs/data.yml b/datasets/attack_techniques/T1548/emacs/data.yml new file mode 100644 index 000000000..563cf240e --- /dev/null +++ b/datasets/attack_techniques/T1548/emacs/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a57ed9db-ec15-46a4-abff-a5f96b20829b +date: '2025-08-12' +description: Automatically categorized datasets in directory emacs +environment: attack_range +directory: emacs +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/emacs/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/find/data.yml b/datasets/attack_techniques/T1548/find/data.yml new file mode 100644 index 000000000..d085f083f --- /dev/null +++ b/datasets/attack_techniques/T1548/find/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0ab02249-96ed-4274-a288-29f6e6078279 +date: '2025-08-12' +description: Automatically categorized datasets in directory find +environment: attack_range +directory: find +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/find/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gawk/data.yml b/datasets/attack_techniques/T1548/gawk/data.yml new file mode 100644 index 000000000..5821a27e1 --- /dev/null +++ b/datasets/attack_techniques/T1548/gawk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 485f5b87-615b-4967-a58b-57265b4c4ba5 +date: '2025-08-12' +description: Automatically categorized datasets in directory gawk +environment: attack_range +directory: gawk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gawk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gdb/data.yml b/datasets/attack_techniques/T1548/gdb/data.yml new file mode 100644 index 000000000..1e348d581 --- /dev/null +++ b/datasets/attack_techniques/T1548/gdb/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3d25c98f-cdd5-4575-be3e-7f6400fa8417 +date: '2025-08-12' +description: Automatically categorized datasets in directory gdb +environment: attack_range +directory: gdb +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gdb/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gem/data.yml b/datasets/attack_techniques/T1548/gem/data.yml new file mode 100644 index 000000000..9cbb7177b --- /dev/null +++ b/datasets/attack_techniques/T1548/gem/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5fa0b74d-ff0f-43c3-b2d5-218488f8617d +date: '2025-08-12' +description: Automatically categorized datasets in directory gem +environment: attack_range +directory: gem +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gem/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/make/data.yml b/datasets/attack_techniques/T1548/make/data.yml new file mode 100644 index 000000000..e233f322e --- /dev/null +++ b/datasets/attack_techniques/T1548/make/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e50fda40-c860-420b-b4dd-1249adf6bdd6 +date: '2025-08-12' +description: Automatically categorized datasets in directory make +environment: attack_range +directory: make +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/make/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/mysql/data.yml b/datasets/attack_techniques/T1548/mysql/data.yml new file mode 100644 index 000000000..de9248107 --- /dev/null +++ b/datasets/attack_techniques/T1548/mysql/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 08c2e44e-757e-4f75-8058-ff20e9b0b32f +date: '2025-08-12' +description: Automatically categorized datasets in directory mysql +environment: attack_range +directory: mysql +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/mysql/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/node/data.yml b/datasets/attack_techniques/T1548/node/data.yml new file mode 100644 index 000000000..677f38535 --- /dev/null +++ b/datasets/attack_techniques/T1548/node/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 08f488c5-ae63-478a-9892-80c250aef768 +date: '2025-08-12' +description: Automatically categorized datasets in directory node +environment: attack_range +directory: node +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/node/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/octave/data.yml b/datasets/attack_techniques/T1548/octave/data.yml new file mode 100644 index 000000000..9f7651070 --- /dev/null +++ b/datasets/attack_techniques/T1548/octave/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 91789434-3628-47ff-b762-5cbfbe3aa64a +date: '2025-08-12' +description: Automatically categorized datasets in directory octave +environment: attack_range +directory: octave +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/octave/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/openvpn/data.yml b/datasets/attack_techniques/T1548/openvpn/data.yml new file mode 100644 index 000000000..5b751617d --- /dev/null +++ b/datasets/attack_techniques/T1548/openvpn/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4146ef23-5387-494f-9556-c2578bd68fe2 +date: '2025-08-12' +description: Automatically categorized datasets in directory openvpn +environment: attack_range +directory: openvpn +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/openvpn/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/php/data.yml b/datasets/attack_techniques/T1548/php/data.yml new file mode 100644 index 000000000..2c7e21555 --- /dev/null +++ b/datasets/attack_techniques/T1548/php/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f272d6a6-44c6-4ec9-ad3b-022d97cc0764 +date: '2025-08-12' +description: Automatically categorized datasets in directory php +environment: attack_range +directory: php +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/php/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/puppet/data.yml b/datasets/attack_techniques/T1548/puppet/data.yml new file mode 100644 index 000000000..0c25dd3a6 --- /dev/null +++ b/datasets/attack_techniques/T1548/puppet/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6d26fbf0-6ccc-4934-b2b5-dde73ba1770e +date: '2025-08-12' +description: Automatically categorized datasets in directory puppet +environment: attack_range +directory: puppet +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/puppet/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/rpm/data.yml b/datasets/attack_techniques/T1548/rpm/data.yml new file mode 100644 index 000000000..e70436f77 --- /dev/null +++ b/datasets/attack_techniques/T1548/rpm/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fe50425e-8666-4709-a9c1-7d12a74ad0da +date: '2025-08-12' +description: Automatically categorized datasets in directory rpm +environment: attack_range +directory: rpm +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/rpm/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/ruby/data.yml b/datasets/attack_techniques/T1548/ruby/data.yml new file mode 100644 index 000000000..577638569 --- /dev/null +++ b/datasets/attack_techniques/T1548/ruby/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 96576d3b-4d34-4c26-8b02-088c801b2230 +date: '2025-08-12' +description: Automatically categorized datasets in directory ruby +environment: attack_range +directory: ruby +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/ruby/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/splunk/data.yml b/datasets/attack_techniques/T1548/splunk/data.yml new file mode 100644 index 000000000..55efa1fd9 --- /dev/null +++ b/datasets/attack_techniques/T1548/splunk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9a65518c-c739-4d21-a710-b368d8d5dc4d +date: '2025-08-12' +description: Automatically categorized datasets in directory splunk +environment: attack_range +directory: splunk +mitre_technique: +- T1548 +datasets: +- name: splunk_enterprise_kv_store_incorrect_authorization_splunkd_access + path: /datasets/attack_techniques/T1548/splunk/splunk_enterprise_kv_store_incorrect_authorization_splunkd_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1548/sqlite3/data.yml b/datasets/attack_techniques/T1548/sqlite3/data.yml new file mode 100644 index 000000000..507e683dc --- /dev/null +++ b/datasets/attack_techniques/T1548/sqlite3/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8e2562e4-511a-463c-a4e4-360c4875b718 +date: '2025-08-12' +description: Automatically categorized datasets in directory sqlite3 +environment: attack_range +directory: sqlite3 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/uac_bypass/data.yml b/datasets/attack_techniques/T1548/uac_bypass/data.yml new file mode 100644 index 000000000..d93eec355 --- /dev/null +++ b/datasets/attack_techniques/T1548/uac_bypass/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 996c4b6b-5b4c-41df-bc80-d3de2de86829 +date: '2025-08-12' +description: Automatically categorized datasets in directory uac_bypass +environment: attack_range +directory: uac_bypass +mitre_technique: +- T1548 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml new file mode 100644 index 000000000..d2d4faa72 --- /dev/null +++ b/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1a631cf3-6109-4f75-99b7-4e9a221f0e52 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1550.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.003/mimikatz/data.yml b/datasets/attack_techniques/T1550.003/mimikatz/data.yml new file mode 100644 index 000000000..c5bf5da44 --- /dev/null +++ b/datasets/attack_techniques/T1550.003/mimikatz/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 957a035d-4fa7-47f9-ab76-8cc25490a68f +date: '2025-08-12' +description: Automatically categorized datasets in directory mimikatz +environment: attack_range +directory: mimikatz +mitre_technique: +- T1550.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.003/rubeus/data.yml b/datasets/attack_techniques/T1550.003/rubeus/data.yml new file mode 100644 index 000000000..6fda0d40c --- /dev/null +++ b/datasets/attack_techniques/T1550.003/rubeus/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 44621d16-89cf-48ca-89e1-1472527c1e86 +date: '2025-08-12' +description: Automatically categorized datasets in directory rubeus +environment: attack_range +directory: rubeus +mitre_technique: +- T1550.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml b/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml new file mode 100644 index 000000000..68f8aadf9 --- /dev/null +++ b/datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 95fd0ecc-639e-41ff-b517-fadd88c9da97 +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_tgt_request_using_rc4_encryption +environment: attack_range +directory: kerberos_tgt_request_using_rc4_encryption +mitre_technique: +- T1550 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1550/kerberos_tgt_request_using_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1550/rubeus/data.yml b/datasets/attack_techniques/T1550/rubeus/data.yml new file mode 100644 index 000000000..e6b8b9f09 --- /dev/null +++ b/datasets/attack_techniques/T1550/rubeus/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bd6116d4-7605-463e-b45e-4a2fb4be5118 +date: '2025-08-12' +description: Automatically categorized datasets in directory rubeus +environment: attack_range +directory: rubeus +mitre_technique: +- T1550 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.001/password_in_username/data.yml b/datasets/attack_techniques/T1552.001/password_in_username/data.yml new file mode 100644 index 000000000..53166fae6 --- /dev/null +++ b/datasets/attack_techniques/T1552.001/password_in_username/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f23df0d4-ef53-4e0c-a746-868b586ae291 +date: '2025-08-12' +description: Automatically categorized datasets in directory password_in_username +environment: attack_range +directory: password_in_username +mitre_technique: +- T1552.001 +datasets: +- name: linux_secure + path: /datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml b/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml new file mode 100644 index 000000000..a48933318 --- /dev/null +++ b/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 062ef41e-87b7-415a-8cbf-63dc7d7e7740 +date: '2025-08-12' +description: Automatically categorized datasets in directory autoadminlogon +environment: attack_range +directory: autoadminlogon +mitre_technique: +- T1552.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml new file mode 100644 index 000000000..800bb4e37 --- /dev/null +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: d2d974c3-1492-4a98-a6b2-d84a25c0dbe9 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_gpg +environment: attack_range +directory: linux_auditd_find_gpg +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml new file mode 100644 index 000000000..062f87903 --- /dev/null +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: f47e34f8-1a74-4c3b-8611-b925be2555fe +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_ssh_files +environment: attack_range +directory: linux_auditd_find_ssh_files +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_ssh + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_ssh_files + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml new file mode 100644 index 000000000..ed5e0f99f --- /dev/null +++ b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 451d2b6a-bd0d-4427-a26c-9b7133e5d949 +date: '2025-08-12' +description: Automatically categorized datasets in directory findstr_gpp_discovery +environment: attack_range +directory: findstr_gpp_discovery +mitre_technique: +- T1552.006 +datasets: +- name: windows-4688 + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml b/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml new file mode 100644 index 000000000..c8180e221 --- /dev/null +++ b/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5a01d722-30cb-4138-9311-e53f76912938 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_getpassworddata +environment: attack_range +directory: aws_getpassworddata +mitre_technique: +- T1552 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1553.003/sip/data.yml b/datasets/attack_techniques/T1553.003/sip/data.yml new file mode 100644 index 000000000..e0f8f28c2 --- /dev/null +++ b/datasets/attack_techniques/T1553.003/sip/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 66a8b6b1-9df5-468b-a7f9-1f2daf58b90a +date: '2025-08-12' +description: Automatically categorized datasets in directory sip +environment: attack_range +directory: sip +mitre_technique: +- T1553.003 +datasets: +- name: sip_windows-sysmon + path: /datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml new file mode 100644 index 000000000..080162783 --- /dev/null +++ b/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1587bd09-a874-4262-9a83-2ce3f62a75b3 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1553.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml new file mode 100644 index 000000000..0973df9f6 --- /dev/null +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e790ff3f-0157-4dd9-9c85-d48d212e7883 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_credentials +environment: attack_range +directory: linux_auditd_find_credentials +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_find_creds + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_credentials + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml new file mode 100644 index 000000000..3766c1ee0 --- /dev/null +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e1f9bef4-220d-42c1-b268-c77e3f425bf9 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_find_password_db +environment: attack_range +directory: linux_auditd_find_password_db +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_pwd_mgr + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_password_db + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml b/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml new file mode 100644 index 000000000..a24f85439 --- /dev/null +++ b/datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b195cbca-2297-4bfd-998d-c3a4081cb0ca +date: '2025-08-12' +description: Automatically categorized datasets in directory non_chrome_process_accessing_chrome_default_dir +environment: attack_range +directory: non_chrome_process_accessing_chrome_default_dir +mitre_technique: +- T1555 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1555/non_chrome_process_accessing_chrome_default_dir/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml b/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml new file mode 100644 index 000000000..e61cae756 --- /dev/null +++ b/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 172a8e06-fad0-4cb3-beb5-7076f3dd3a72 +date: '2025-08-12' +description: Automatically categorized datasets in directory web_browser_pass_view +environment: attack_range +directory: web_browser_pass_view +mitre_technique: +- T1555 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml new file mode 100644 index 000000000..7393c5a04 --- /dev/null +++ b/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ba1a56e1-43ee-4899-88d4-d72efb4570b0 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1556.001 +datasets: +- name: iso_windows-sysmon + path: /datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml new file mode 100644 index 000000000..1c74bf040 --- /dev/null +++ b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e077e0c0-0467-4a1b-ad04-4d459a5ecbb9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_new_mfa_method_registered_for_user +environment: attack_range +directory: aws_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml new file mode 100644 index 000000000..33f6d4262 --- /dev/null +++ b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2c96fad9-2e4f-4a71-939a-28d62cf82bff +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_new_mfa_method_registered_for_user +environment: attack_range +directory: azure_ad_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml new file mode 100644 index 000000000..340c70eb3 --- /dev/null +++ b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e62c09b1-4efa-4a84-83a1-5fb3e530a7ce +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_mfa_method_disabled +environment: attack_range +directory: okta_mfa_method_disabled +mitre_technique: +- T1556.006 +datasets: +- name: okta_mfa_method_disabled + path: /datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1556/azuread/data.yml b/datasets/attack_techniques/T1556/azuread/data.yml new file mode 100644 index 000000000..6d799dd16 --- /dev/null +++ b/datasets/attack_techniques/T1556/azuread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cd1405fd-b93c-4a6f-b2a9-0b53686f2433 +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread +environment: attack_range +directory: azuread +mitre_technique: +- T1556 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1556/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml new file mode 100644 index 000000000..c7964a871 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0d7e70f9-9e88-47d6-96be-a99ec7575c3b +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_bulk_policy_deletion +environment: attack_range +directory: cisco_duo_bulk_policy_deletion +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml new file mode 100644 index 000000000..58ac3fac9 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6be87cd6-7c22-4d5b-943c-280e247b513b +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_bypass_2FA +environment: attack_range +directory: cisco_duo_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml new file mode 100644 index 000000000..4935988e3 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 939ea572-9e7c-4ae9-a836-617784164af1 +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_bypass_code +environment: attack_range +directory: cisco_duo_bypass_code +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml new file mode 100644 index 000000000..647d81b7c --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 071be2b7-ab82-4cf2-9936-8e8f18cbd5b3 +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_allow_devices_without_screen_lock +environment: attack_range +directory: cisco_duo_policy_allow_devices_without_screen_lock +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml new file mode 100644 index 000000000..d1c39166b --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ddd9ffce-4138-41a6-9303-9b633243aa75 +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_allow_network_bypass_2fa +environment: attack_range +directory: cisco_duo_policy_allow_network_bypass_2fa +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml new file mode 100644 index 000000000..a1c918eea --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5f3d2064-96f4-4005-b4fe-60419e730c90 +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_allow_old_flash_and_java +environment: attack_range +directory: cisco_duo_policy_allow_old_flash_and_java +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml new file mode 100644 index 000000000..4f5e9d60a --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ec7ccf81-dd65-4165-86f2-b6944d78a88f +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_allow_tampered_devices +environment: attack_range +directory: cisco_duo_policy_allow_tampered_devices +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml new file mode 100644 index 000000000..6847614fc --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 053ebc2a-2710-4f75-81df-b9a65944533f +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_bypass_2FA +environment: attack_range +directory: cisco_duo_policy_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml new file mode 100644 index 000000000..81cb6b340 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cfcb4f50-ccb5-47e8-abe2-c08ba1afccfe +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_bypass_2FA_other_countries +environment: attack_range +directory: cisco_duo_policy_bypass_2FA_other_countries +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml new file mode 100644 index 000000000..e05354e13 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4236f200-67d0-4e81-94aa-ce1118a21b67 +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_policy_deny_access +environment: attack_range +directory: cisco_duo_policy_deny_access +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml new file mode 100644 index 000000000..ec522a774 --- /dev/null +++ b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b79ca3b3-cc3a-4939-be70-52ea168a9b9d +date: '2025-08-12' +description: Automatically categorized datasets in directory cisco_duo_unusual_admin_login +environment: attack_range +directory: cisco_duo_unusual_admin_login +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/disable_credential_guard/data.yml b/datasets/attack_techniques/T1556/disable_credential_guard/data.yml new file mode 100644 index 000000000..9a4276058 --- /dev/null +++ b/datasets/attack_techniques/T1556/disable_credential_guard/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6f242979-0056-4757-b94a-78e66b227fc4 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_credential_guard +environment: attack_range +directory: disable_credential_guard +mitre_technique: +- T1556 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1556/disable_credential_guard/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection/data.yml b/datasets/attack_techniques/T1556/disable_lsa_protection/data.yml new file mode 100644 index 000000000..f4f5c6feb --- /dev/null +++ b/datasets/attack_techniques/T1556/disable_lsa_protection/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 570ad81c-9a71-467b-b35e-0401e26e32ff +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_lsa_protection +environment: attack_range +directory: disable_lsa_protection +mitre_technique: +- T1556 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml b/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml new file mode 100644 index 000000000..2c7002109 --- /dev/null +++ b/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e5814663-c3fa-41fb-bbf5-3d1cd4289c26 +date: '2025-08-12' +description: Automatically categorized datasets in directory gcp_disable_mfa +environment: attack_range +directory: gcp_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: gws_admin + path: /datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml b/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml new file mode 100644 index 000000000..d4b43115c --- /dev/null +++ b/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3b6a5f7e-baad-4d6e-8bfb-cd3132131c00 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_disable_mfa +environment: attack_range +directory: o365_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: o365_disable_mfa-json + path: /datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml b/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml new file mode 100644 index 000000000..3eb2a0c4c --- /dev/null +++ b/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: eb3e3dbc-83c7-4441-8453-e565eabcd63c +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_sso_logon_errors +environment: attack_range +directory: o365_sso_logon_errors +mitre_technique: +- T1556 +datasets: +- name: o365_sso_logon_errors2-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json + sourcetype: o365:management:activity + source: o365 +- name: o365_sso_logon_errors-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/okta_idp/data.yml b/datasets/attack_techniques/T1556/okta_idp/data.yml new file mode 100644 index 000000000..c50cb451e --- /dev/null +++ b/datasets/attack_techniques/T1556/okta_idp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b10d5453-11cd-4c0e-b54a-bd39a9a378b2 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_idp +environment: attack_range +directory: okta_idp +mitre_technique: +- T1556 +datasets: +- name: okta + path: /datasets/attack_techniques/T1556/okta_idp/okta.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml b/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml new file mode 100644 index 000000000..33bd216c0 --- /dev/null +++ b/datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3ac4ee14-73a9-403e-92c8-75fa97aae21f +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_service_ticket_request_using_rc4_encryption +environment: attack_range +directory: kerberos_service_ticket_request_using_rc4_encryption +mitre_technique: +- T1558.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.001/kerberos_service_ticket_request_using_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml new file mode 100644 index 000000000..4bdb45888 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e1c8b999-8e87-4649-9afe-277aa7cb3eb2 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_setspn + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml b/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml new file mode 100644 index 000000000..b76b6dd10 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ebe1692b-a442-49b0-b092-1263aef5a82b +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberoasting_spn_request_with_rc4_encryption +environment: attack_range +directory: kerberoasting_spn_request_with_rc4_encryption +mitre_technique: +- T1558.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.003/kerberoasting_spn_request_with_rc4_encryption/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.003/powerview-2/data.yml b/datasets/attack_techniques/T1558.003/powerview-2/data.yml new file mode 100644 index 000000000..5c84a4f50 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/powerview-2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 70f96415-e191-491d-8e60-78bbe77ce27e +date: '2025-08-12' +description: Automatically categorized datasets in directory powerview-2 +environment: attack_range +directory: powerview-2 +mitre_technique: +- T1558.003 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/powerview/data.yml b/datasets/attack_techniques/T1558.003/powerview/data.yml new file mode 100644 index 000000000..226d08e3a --- /dev/null +++ b/datasets/attack_techniques/T1558.003/powerview/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 75ef962f-17d4-41a4-812c-b261aad2112b +date: '2025-08-12' +description: Automatically categorized datasets in directory powerview +environment: attack_range +directory: powerview +mitre_technique: +- T1558.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/rubeus/data.yml b/datasets/attack_techniques/T1558.003/rubeus/data.yml new file mode 100644 index 000000000..5d06bb099 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/rubeus/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 31260f5f-691e-4d5c-8eef-38f89bb214b6 +date: '2025-08-12' +description: Automatically categorized datasets in directory rubeus +environment: attack_range +directory: rubeus +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml b/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml new file mode 100644 index 000000000..201959e45 --- /dev/null +++ b/datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e49e0fe4-28b7-42b1-b1be-ed5e32e888f8 +date: '2025-08-12' +description: Automatically categorized datasets in directory unusual_number_of_kerberos_service_tickets_requested +environment: attack_range +directory: unusual_number_of_kerberos_service_tickets_requested +mitre_technique: +- T1558.003 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558.003/unusual_number_of_kerberos_service_tickets_requested/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.004/powershell/data.yml b/datasets/attack_techniques/T1558.004/powershell/data.yml new file mode 100644 index 000000000..875e0a373 --- /dev/null +++ b/datasets/attack_techniques/T1558.004/powershell/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 015dddbe-14cb-46b3-8a64-2224cc236746 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell +environment: attack_range +directory: powershell +mitre_technique: +- T1558.004 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/diamond_ticket/data.yml b/datasets/attack_techniques/T1558/diamond_ticket/data.yml new file mode 100644 index 000000000..6b25980ed --- /dev/null +++ b/datasets/attack_techniques/T1558/diamond_ticket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 46f9b6f5-699f-4cd0-bc05-3f99ca6b4213 +date: '2025-08-12' +description: Automatically categorized datasets in directory diamond_ticket +environment: attack_range +directory: diamond_ticket +mitre_technique: +- T1558 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1558/diamond_ticket/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml new file mode 100644 index 000000000..8af257156 --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 37bab6dd-de37-411e-8043-25a0f26bbec6 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_created_by_computer_account +environment: attack_range +directory: windows_computer_account_created_by_computer_account +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_created_by_computer_account/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml new file mode 100644 index 000000000..8bc9cfeec --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 372ef4e6-0cbb-4e17-836f-7627ecd09e92 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_requesting_kerberos_ticket +environment: attack_range +directory: windows_computer_account_requesting_kerberos_ticket +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_requesting_kerberos_ticket/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml b/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml new file mode 100644 index 000000000..878b4b0db --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_computer_account_with_spn/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 07d678dd-1431-448c-8ab0-162d8b1d864a +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_computer_account_with_spn +environment: attack_range +directory: windows_computer_account_with_spn +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_computer_account_with_spn/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml b/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml new file mode 100644 index 000000000..70b55a865 --- /dev/null +++ b/datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 44b3de11-5b5e-41fb-9ef8-8613d271e73d +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_kerberos_local_successful_logon +environment: attack_range +directory: windows_kerberos_local_successful_logon +mitre_technique: +- T1558 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1558/windows_kerberos_local_successful_logon/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1560.001/archive_utility/data.yml b/datasets/attack_techniques/T1560.001/archive_utility/data.yml new file mode 100644 index 000000000..44b03c5b3 --- /dev/null +++ b/datasets/attack_techniques/T1560.001/archive_utility/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4088cfe5-7d90-48ed-8457-e891fd89c657 +date: '2025-08-12' +description: Automatically categorized datasets in directory archive_utility +environment: attack_range +directory: archive_utility +mitre_technique: +- T1560.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml b/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml new file mode 100644 index 000000000..5b587ae39 --- /dev/null +++ b/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3499f381-d325-4982-838b-7b8c007a7744 +date: '2025-08-12' +description: Automatically categorized datasets in directory mbr_raw_access +environment: attack_range +directory: mbr_raw_access +mitre_technique: +- T1561.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml new file mode 100644 index 000000000..8e6fa7ed1 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml @@ -0,0 +1,29 @@ +author: Generated by dataset_analyzer.py +id: a10db232-4e8c-43b7-8101-5211d144404b +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1562.001 +datasets: +- name: hvci_windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_raccine + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: Disable-WindowsOptionalFeature-powershell + path: /datasets/attack_techniques/T1562.001/atomic_red_team/Disable-WindowsOptionalFeature-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon_dism + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml new file mode 100644 index 000000000..0a8e5d120 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 372889f4-9c31-4d32-8345-fa82ff853935 +date: '2025-08-12' +description: Automatically categorized datasets in directory defender_exclusion_sysmon +environment: attack_range +directory: defender_exclusion_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml new file mode 100644 index 000000000..35be14752 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dd350e59-696a-47f7-bca4-2d6033008b82 +date: '2025-08-12' +description: Automatically categorized datasets in directory delete_win_defender_context_menu +environment: attack_range +directory: delete_win_defender_context_menu +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml new file mode 100644 index 000000000..f00302be3 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 19fd310f-7591-4da9-a4da-2310e3c9c1e6 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable-windows-security-defender-features +environment: attack_range +directory: disable-windows-security-defender-features +mitre_technique: +- T1562.001 +datasets: +- name: windefender-bypas-2-sysmon + path: /datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml b/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml new file mode 100644 index 000000000..c91b04853 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9824ee14-df2d-424f-8657-8eee1e19a063 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_defender_logging +environment: attack_range +directory: disable_defender_logging +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_gpo/data.yml b/datasets/attack_techniques/T1562.001/disable_gpo/data.yml new file mode 100644 index 000000000..383f728f2 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/disable_gpo/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7b84dcaf-feff-41f2-b51f-a3f51b250daf +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_gpo +environment: attack_range +directory: disable_gpo +mitre_technique: +- T1562.001 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml b/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml new file mode 100644 index 000000000..8215116df --- /dev/null +++ b/datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ecce8ed2-9f39-4ff9-9179-e2e3c749be92 +date: '2025-08-12' +description: Automatically categorized datasets in directory hotkey_disabled_hidden_user +environment: attack_range +directory: hotkey_disabled_hidden_user +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/hotkey_disabled_hidden_user/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml b/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml new file mode 100644 index 000000000..725e00f7c --- /dev/null +++ b/datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5c7963bf-5ccd-4d7c-9e74-1472a8c3f5ea +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell_windows_defender_exclusion_commands +environment: attack_range +directory: powershell_windows_defender_exclusion_commands +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/powershell_windows_defender_exclusion_commands/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml new file mode 100644 index 000000000..30102dd88 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bde29817-f9c2-47b4-be4b-a2478027dade +date: '2025-08-12' +description: Automatically categorized datasets in directory pwh_defender_disabling +environment: attack_range +directory: pwh_defender_disabling +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml new file mode 100644 index 000000000..122008b0c --- /dev/null +++ b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 40be2ce2-01a0-4210-8733-2e0b9e466df5 +date: '2025-08-12' +description: Automatically categorized datasets in directory sc_service_start_disabled +environment: attack_range +directory: sc_service_start_disabled +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml b/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml new file mode 100644 index 000000000..b74eaf645 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a73e8662-76e0-4d8a-a3d6-e6037bc69355 +date: '2025-08-12' +description: Automatically categorized datasets in directory unload_sysmon +environment: attack_range +directory: unload_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml b/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml new file mode 100644 index 000000000..e6914921e --- /dev/null +++ b/datasets/attack_techniques/T1562.001/win_app_defender_disabling/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 00860277-5bb2-4d92-b5c8-cb1693610ec0 +date: '2025-08-12' +description: Automatically categorized datasets in directory win_app_defender_disabling +environment: attack_range +directory: win_app_defender_disabling +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml b/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml new file mode 100644 index 000000000..c0c38520a --- /dev/null +++ b/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a3f44cd-8ab1-4cb5-8a3d-439718002aa6 +date: '2025-08-12' +description: Automatically categorized datasets in directory win_defend_service_stop +environment: attack_range +directory: win_defend_service_stop +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml b/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml new file mode 100644 index 000000000..37f451df8 --- /dev/null +++ b/datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1aa70841-03ef-421a-84cc-7bedfeddf5bc +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_excessive_disabled_services_event +environment: attack_range +directory: windows_excessive_disabled_services_event +mitre_technique: +- T1562.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1562.001/windows_excessive_disabled_services_event/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml b/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml new file mode 100644 index 000000000..9540a4bbf --- /dev/null +++ b/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 729d6285-f78d-42ee-9d7f-d106ddfa2e8b +date: '2025-08-12' +description: Automatically categorized datasets in directory auditpol_tampering +environment: attack_range +directory: auditpol_tampering +mitre_technique: +- T1562.002 +datasets: +- name: auditpol_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml new file mode 100644 index 000000000..f1b2a2569 --- /dev/null +++ b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0be7f057-b844-48e3-a29f-75d356a113d6 +date: '2025-08-12' +description: Automatically categorized datasets in directory eventlog_sddl_tampering +environment: attack_range +directory: eventlog_sddl_tampering +mitre_technique: +- T1562.002 +datasets: +- name: eventlog_sddl_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml new file mode 100644 index 000000000..fa0b444dd --- /dev/null +++ b/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8066fb51-6b8c-41ff-bb2b-44c281ea5ee4 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1562.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml new file mode 100644 index 000000000..f6dd69b1c --- /dev/null +++ b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5836d3ab-af99-4d0f-b581-2ba02f02218e +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_disable_firewall +environment: attack_range +directory: linux_auditd_disable_firewall +mitre_technique: +- T1562.004 +datasets: +- name: linux_auditd_disable_firewall + path: /datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml new file mode 100644 index 000000000..193160065 --- /dev/null +++ b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml @@ -0,0 +1,16 @@ +author: Generated by dataset_analyzer.py +id: 0d4c92cc-7fdb-4be8-8d3f-4d534b0a63bb +date: '2025-08-12' +description: Automatically categorized datasets in directory njrat_add_firewall_rule +environment: attack_range +directory: njrat_add_firewall_rule +mitre_technique: +- T1562.004 +datasets: +- name: njrat_firewall_security + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_security.log + sourcetype: firewall +- name: njrat_firewall_sysmon + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml new file mode 100644 index 000000000..665cc1a1f --- /dev/null +++ b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 8ede05b0-984b-4f03-b38c-cbe50cf3d099 +date: '2025-08-12' +description: Automatically categorized datasets in directory njrat_delete_firewall +environment: attack_range +directory: njrat_delete_firewall +mitre_technique: +- T1562.004 +datasets: +- name: njrat_delete_firewall + path: /datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log + sourcetype: firewall diff --git a/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml b/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml new file mode 100644 index 000000000..a521e5ca8 --- /dev/null +++ b/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: fbefb83d-e977-4caa-9393-fba61356307e +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_create_acl +environment: attack_range +directory: aws_create_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml b/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml new file mode 100644 index 000000000..bc1d65040 --- /dev/null +++ b/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 046587da-976e-471a-9c3d-5b68b68c469a +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_delete_acl +environment: attack_range +directory: aws_delete_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml new file mode 100644 index 000000000..30bb2dd44 --- /dev/null +++ b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cb588559-62f1-482d-b539-1b6d40060ae9 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_bypass_mfa_via_trusted_ip +environment: attack_range +directory: o365_bypass_mfa_via_trusted_ip +mitre_technique: +- T1562.007 +datasets: +- name: o365_bypass_mfa_via_trusted_ip-json + path: /datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml b/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml new file mode 100644 index 000000000..011f9d243 --- /dev/null +++ b/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: ad803cd5-2e1d-4105-b61e-5d0e3bb68e2c +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_delete_security_services +environment: attack_range +directory: aws_delete_security_services +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml new file mode 100644 index 000000000..09cd03358 --- /dev/null +++ b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 1fd4c241-885f-4059-8772-a91a30278e66 +date: '2025-08-12' +description: Automatically categorized datasets in directory delete_cloudwatch_log_group +environment: attack_range +directory: delete_cloudwatch_log_group +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml new file mode 100644 index 000000000..134e93c0e --- /dev/null +++ b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f2810dc1-4d61-48fd-9a0d-1ee402d4b7fc +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_advanced_audit_disabled +environment: attack_range +directory: o365_advanced_audit_disabled +mitre_technique: +- T1562.008 +datasets: +- name: o365_advanced_audit_disabled + path: /datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml new file mode 100644 index 000000000..f9bb388b9 --- /dev/null +++ b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 6637182b-0d1c-4b24-a1bd-189963f05a62 +date: '2025-08-12' +description: Automatically categorized datasets in directory put_bucketlifecycle +environment: attack_range +directory: put_bucketlifecycle +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml new file mode 100644 index 000000000..74a28ec5e --- /dev/null +++ b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 5e115b1d-75e1-47fd-a84d-11fccbe3ec4f +date: '2025-08-12' +description: Automatically categorized datasets in directory stop_delete_cloudtrail +environment: attack_range +directory: stop_delete_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail_2-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml b/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml new file mode 100644 index 000000000..e7d47953e --- /dev/null +++ b/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 14fe3de9-3546-43a2-920d-d50e11d6f8a3 +date: '2025-08-12' +description: Automatically categorized datasets in directory update_cloudtrail +environment: attack_range +directory: update_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml new file mode 100644 index 000000000..07591c1c8 --- /dev/null +++ b/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5d05a094-c1c3-47f9-a3a1-6727ed219352 +date: '2025-08-12' +description: Automatically categorized datasets in directory auditd_daemon_type +environment: attack_range +directory: auditd_daemon_type +mitre_technique: +- T1562.012 +datasets: +- name: linux_auditd_daemon + path: /datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml new file mode 100644 index 000000000..e0757d756 --- /dev/null +++ b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d69fb192-8868-41b2-b881-1f899b2f1c17 +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread_disable_blockconsent_for_riskapps +environment: attack_range +directory: azuread_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: azuread_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml new file mode 100644 index 000000000..97ba45f97 --- /dev/null +++ b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1a51e505-1ace-4c6f-88dd-d3f8fd48ca4b +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_disable_blockconsent_for_riskapps +environment: attack_range +directory: o365_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: o365_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1563.002/rdphijack/data.yml b/datasets/attack_techniques/T1563.002/rdphijack/data.yml new file mode 100644 index 000000000..05a77aef9 --- /dev/null +++ b/datasets/attack_techniques/T1563.002/rdphijack/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 6a010aa0-842d-4d3c-b0be-31953032cb17 +date: '2025-08-12' +description: Automatically categorized datasets in directory rdphijack +environment: attack_range +directory: rdphijack +mitre_technique: +- T1563.002 +datasets: +- name: tscon_windows-sysmon + path: /datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_tscon_windows-security + path: /datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml b/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml new file mode 100644 index 000000000..ad0815bb5 --- /dev/null +++ b/datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9d629f1c-3bf1-4fc8-93ec-ff9cdd7d5a8e +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_rdp_connection_successful +environment: attack_range +directory: windows_rdp_connection_successful +mitre_technique: +- T1563.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1563.002/windows_rdp_connection_successful/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager diff --git a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml new file mode 100644 index 000000000..697f3b729 --- /dev/null +++ b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 211cd784-64d5-4836-9141-34ab7ea6f3e1 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_hidden_file +environment: attack_range +directory: linux_auditd_hidden_file +mitre_technique: +- T1564.001 +datasets: +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1564.004/ads_abuse/data.yml b/datasets/attack_techniques/T1564.004/ads_abuse/data.yml new file mode 100644 index 000000000..66d6ce14b --- /dev/null +++ b/datasets/attack_techniques/T1564.004/ads_abuse/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c9e7505f-824a-49b6-bc70-539050e33952 +date: '2025-08-12' +description: Automatically categorized datasets in directory ads_abuse +environment: attack_range +directory: ads_abuse +mitre_technique: +- T1564.004 +datasets: +- name: ads_abuse_sysmon + path: /datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1564.008/o365/data.yml b/datasets/attack_techniques/T1564.008/o365/data.yml new file mode 100644 index 000000000..ea199d6c1 --- /dev/null +++ b/datasets/attack_techniques/T1564.008/o365/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d5c5cb0e-4e19-4935-acfc-55f2223673c1 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365 +environment: attack_range +directory: o365 +mitre_technique: +- T1564.008 +datasets: +- name: o365_suspicious_mailbox_rule + path: /datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml b/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml new file mode 100644 index 000000000..18ae20cb8 --- /dev/null +++ b/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 21faed17-8cd1-4fee-9043-31b5286bea9e +date: '2025-08-12' +description: Automatically categorized datasets in directory sc_sdset_tampering +environment: attack_range +directory: sc_sdset_tampering +mitre_technique: +- T1564 +datasets: +- name: sc_sdset_tampering_sysmon + path: /datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/datasets/data.yml b/datasets/attack_techniques/T1566.001/datasets/data.yml new file mode 100644 index 000000000..16bfc1c67 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/datasets/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3b759a93-f7ca-4584-a6db-b92c673a87ee +date: '2025-08-12' +description: Automatically categorized datasets in directory datasets +environment: attack_range +directory: datasets +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon + path: /datasets/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/datasets2/data.yml b/datasets/attack_techniques/T1566.001/datasets2/data.yml new file mode 100644 index 000000000..e50b53997 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/datasets2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a409f6a-5382-4977-9055-b66aec6033ee +date: '2025-08-12' +description: Automatically categorized datasets in directory datasets2 +environment: attack_range +directory: datasets2 +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.001/datasets2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml new file mode 100644 index 000000000..ec33f2459 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c56b4682-41dc-42f8-abb7-a8f5ce5c2e24 +date: '2025-08-12' +description: Automatically categorized datasets in directory gsuite_outbound_email_to_external +environment: attack_range +directory: gsuite_outbound_email_to_external +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_external_domain + path: /datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml new file mode 100644 index 000000000..95cadbda8 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bb71bda0-8f31-48e6-b6c7-626903bdcbac +date: '2025-08-12' +description: Automatically categorized datasets in directory gsuite_susp_attachment_ext +environment: attack_range +directory: gsuite_susp_attachment_ext +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_gmail_file_ext + path: /datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml new file mode 100644 index 000000000..adcd42078 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0647b470-d070-46ee-93d1-832ab83e1303 +date: '2025-08-12' +description: Automatically categorized datasets in directory gsuite_susp_subj +environment: attack_range +directory: gsuite_susp_subj +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_subj_attach + path: /datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml new file mode 100644 index 000000000..ee9bb4dfe --- /dev/null +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f690652a-2387-4c92-80aa-dbaa453c2dd8 +date: '2025-08-12' +description: Automatically categorized datasets in directory gsuite_susp_url +environment: attack_range +directory: gsuite_susp_url +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_url + path: /datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/macro/data.yml b/datasets/attack_techniques/T1566.001/macro/data.yml new file mode 100644 index 000000000..8a9ed48ce --- /dev/null +++ b/datasets/attack_techniques/T1566.001/macro/data.yml @@ -0,0 +1,41 @@ +author: Generated by dataset_analyzer.py +id: ba7b0acc-bda0-4a17-92bc-17daf956901d +date: '2025-08-12' +description: Automatically categorized datasets in directory macro +environment: attack_range +directory: macro +mitre_technique: +- T1566.001 +datasets: +- name: windows-sysmon_mshtml + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_cabinf + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_control + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_icedid + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_macros + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_wsh + path: /datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: msdt-windows-security + path: /datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml new file mode 100644 index 000000000..cb5b221fe --- /dev/null +++ b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dc075a3a-7e62-4b66-900a-d721c498f295 +date: '2025-08-12' +description: Automatically categorized datasets in directory office_doc_abuses_rels +environment: attack_range +directory: office_doc_abuses_rels +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml new file mode 100644 index 000000000..5d49281b6 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5e2671e7-3e6d-41b8-8bf0-c69c2216a70b +date: '2025-08-12' +description: Automatically categorized datasets in directory onenote_spear_phishing +environment: attack_range +directory: onenote_spear_phishing +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml new file mode 100644 index 000000000..9d1515908 --- /dev/null +++ b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 376de3c6-d9f5-440c-9784-a58e39d57368 +date: '2025-08-12' +description: Automatically categorized datasets in directory phishing_pdf_uri +environment: attack_range +directory: phishing_pdf_uri +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml new file mode 100644 index 000000000..68e1641f4 --- /dev/null +++ b/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 4020d6ef-6824-45ce-8aa7-7956c6e3a79c +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml new file mode 100644 index 000000000..e31708f0d --- /dev/null +++ b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a6452d37-fec0-4c2a-9ef9-8c96afa0c1dc +date: '2025-08-12' +description: Automatically categorized datasets in directory lnk_file_temp_folder +environment: attack_range +directory: lnk_file_temp_folder +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/cve-2024-21378/data.yml b/datasets/attack_techniques/T1566/cve-2024-21378/data.yml new file mode 100644 index 000000000..803db5df9 --- /dev/null +++ b/datasets/attack_techniques/T1566/cve-2024-21378/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0d4a9070-07f0-4f51-8913-65d07abbea48 +date: '2025-08-12' +description: Automatically categorized datasets in directory cve-2024-21378 +environment: attack_range +directory: cve-2024-21378 +mitre_technique: +- T1566 +datasets: +- name: inprocserver32_windows-sysmon + path: /datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/data.yml b/datasets/attack_techniques/T1566/o365_various_alerts/data.yml new file mode 100644 index 000000000..2f7f9e6c2 --- /dev/null +++ b/datasets/attack_techniques/T1566/o365_various_alerts/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f8381aee-343b-4a90-a256-d58e930ec897 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_various_alerts +environment: attack_range +directory: o365_various_alerts +mitre_technique: +- T1566 +datasets: +- name: o365_various_alerts + path: /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml b/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml new file mode 100644 index 000000000..816e562c1 --- /dev/null +++ b/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9e137269-cf8f-4a47-8db3-99fca7085c79 +date: '2025-08-12' +description: Automatically categorized datasets in directory zscalar_web_proxy +environment: attack_range +directory: zscalar_web_proxy +mitre_technique: +- T1566 +datasets: +- name: zscalar_web_proxy-json + path: /datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + sourcetype: zscalernss-web + source: zscaler diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml new file mode 100644 index 000000000..39311b675 --- /dev/null +++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: eeaecc01-574e-4f4a-83e8-15b88f912187 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_sus_file_activity +environment: attack_range +directory: o365_sus_file_activity +mitre_technique: +- T1567 +datasets: +- name: o365_sus_file_activity + path: /datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1567/web_upload_nginx/data.yml b/datasets/attack_techniques/T1567/web_upload_nginx/data.yml new file mode 100644 index 000000000..82218986b --- /dev/null +++ b/datasets/attack_techniques/T1567/web_upload_nginx/data.yml @@ -0,0 +1,12 @@ +author: Generated by dataset_analyzer.py +id: 2d747d1c-9e53-402e-ac8f-03f422e9587d +date: '2025-08-12' +description: Automatically categorized datasets in directory web_upload_nginx +environment: attack_range +directory: web_upload_nginx +mitre_technique: +- T1567 +datasets: +- name: web_upload_nginx + path: /datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml new file mode 100644 index 000000000..150a9d75e --- /dev/null +++ b/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7bbef5a0-f455-41d2-8db9-2696c63c5fea +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1569.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/linux_service_start/data.yml b/datasets/attack_techniques/T1569.002/linux_service_start/data.yml new file mode 100644 index 000000000..8a0f09b6e --- /dev/null +++ b/datasets/attack_techniques/T1569.002/linux_service_start/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 87321017-c5ed-4e41-843f-09026f46614d +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_service_start +environment: attack_range +directory: linux_service_start +mitre_technique: +- T1569.002 +datasets: +- name: auditd_proctitle_service_start + path: /datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml b/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml new file mode 100644 index 000000000..e816dff2d --- /dev/null +++ b/datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f57d04bb-4610-4104-b39d-4efed71165be +date: '2025-08-12' +description: Automatically categorized datasets in directory malicious_powershell_executed_as_a_service +environment: attack_range +directory: malicious_powershell_executed_as_a_service +mitre_technique: +- T1569.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1569.002/malicious_powershell_executed_as_a_service/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1569.002/remcom/data.yml b/datasets/attack_techniques/T1569.002/remcom/data.yml new file mode 100644 index 000000000..6b962f405 --- /dev/null +++ b/datasets/attack_techniques/T1569.002/remcom/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 7803414a-3d43-48e9-8c55-a869097d59be +date: '2025-08-12' +description: Automatically categorized datasets in directory remcom +environment: attack_range +directory: remcom +mitre_technique: +- T1569.002 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml new file mode 100644 index 000000000..71f873a5d --- /dev/null +++ b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fccb9484-f15b-4aef-a210-b1e398a93aa6 +date: '2025-08-12' +description: Automatically categorized datasets in directory scmanager_sddl_tamper +environment: attack_range +directory: scmanager_sddl_tamper +mitre_technique: +- T1569.002 +datasets: +- name: scmanager_sddl_tamper_sysmon + path: /datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml b/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml new file mode 100644 index 000000000..7a44c4728 --- /dev/null +++ b/datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d6a28386-bc89-4839-b4b1-9115a8ca0807 +date: '2025-08-12' +description: Automatically categorized datasets in directory windows_service_created_with_suspicious_service_path +environment: attack_range +directory: windows_service_created_with_suspicious_service_path +mitre_technique: +- T1569.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1569.002/windows_service_created_with_suspicious_service_path/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1570/remcom/data.yml b/datasets/attack_techniques/T1570/remcom/data.yml new file mode 100644 index 000000000..cc43fe872 --- /dev/null +++ b/datasets/attack_techniques/T1570/remcom/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 13439b43-e480-418b-8f2e-2ce59e5a4f4c +date: '2025-08-12' +description: Automatically categorized datasets in directory remcom +environment: attack_range +directory: remcom +mitre_technique: +- T1570 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/cobalt_strike/data.yml b/datasets/attack_techniques/T1572/cobalt_strike/data.yml new file mode 100644 index 000000000..9563bc1a1 --- /dev/null +++ b/datasets/attack_techniques/T1572/cobalt_strike/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1149f3ef-73bb-4c41-91e0-4a280b7ea6df +date: '2025-08-12' +description: Automatically categorized datasets in directory cobalt_strike +environment: attack_range +directory: cobalt_strike +mitre_technique: +- T1572 +datasets: +- name: suricata_events + path: /datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1572/ngrok/data.yml b/datasets/attack_techniques/T1572/ngrok/data.yml new file mode 100644 index 000000000..e943896a8 --- /dev/null +++ b/datasets/attack_techniques/T1572/ngrok/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 80a0bbee-e39f-40f2-ac4b-d92c0c2f7d65 +date: '2025-08-12' +description: Automatically categorized datasets in directory ngrok +environment: attack_range +directory: ngrok +mitre_technique: +- T1572 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/plink/data.yml b/datasets/attack_techniques/T1572/plink/data.yml new file mode 100644 index 000000000..712198738 --- /dev/null +++ b/datasets/attack_techniques/T1572/plink/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: bde63a27-d046-475c-b7fa-463e11a7a5b1 +date: '2025-08-12' +description: Automatically categorized datasets in directory plink +environment: attack_range +directory: plink +mitre_technique: +- T1572 +datasets: +- name: plink-windows-sysmon + path: /datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/plink/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-windows-security + path: /datasets/attack_techniques/T1572/plink/4688-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/data.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/data.yml new file mode 100644 index 000000000..49bb6a282 --- /dev/null +++ b/datasets/attack_techniques/T1572/ssh_proxy_command/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fd427487-e339-4b24-bd79-8fb585beb8c0 +date: '2025-08-12' +description: Automatically categorized datasets in directory ssh_proxy_command +environment: attack_range +directory: ssh_proxy_command +mitre_technique: +- T1572 +datasets: +- name: sshproxycommand_windows-sysmon + path: /datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml new file mode 100644 index 000000000..18c2bbfaf --- /dev/null +++ b/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 339befb8-64be-472f-b84a-86f27d399116 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1574.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/iscsicpl/data.yml b/datasets/attack_techniques/T1574.001/iscsicpl/data.yml new file mode 100644 index 000000000..fa1ab3e1e --- /dev/null +++ b/datasets/attack_techniques/T1574.001/iscsicpl/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e7346b8b-c764-4fa8-af96-b3fe37fb514b +date: '2025-08-12' +description: Automatically categorized datasets in directory iscsicpl +environment: attack_range +directory: iscsicpl +mitre_technique: +- T1574.001 +datasets: +- name: iscsicpl-windows-sysmon + path: /datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/hijacklibs/data.yml b/datasets/attack_techniques/T1574.002/hijacklibs/data.yml new file mode 100644 index 000000000..9dfc55208 --- /dev/null +++ b/datasets/attack_techniques/T1574.002/hijacklibs/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 16951ab8-44c0-4e6f-b097-f35c6aa4050b +date: '2025-08-12' +description: Automatically categorized datasets in directory hijacklibs +environment: attack_range +directory: hijacklibs +mitre_technique: +- T1574.002 +datasets: +- name: hijacklibs_sysmon + path: /datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/msi_module_load/data.yml b/datasets/attack_techniques/T1574.002/msi_module_load/data.yml new file mode 100644 index 000000000..a5cff34ef --- /dev/null +++ b/datasets/attack_techniques/T1574.002/msi_module_load/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e25838e0-474c-4968-88d5-3ad214e22404 +date: '2025-08-12' +description: Automatically categorized datasets in directory msi_module_load +environment: attack_range +directory: msi_module_load +mitre_technique: +- T1574.002 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/wineloader/data.yml b/datasets/attack_techniques/T1574.002/wineloader/data.yml new file mode 100644 index 000000000..40cd153cc --- /dev/null +++ b/datasets/attack_techniques/T1574.002/wineloader/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c73f0cf4-0bd3-4cd7-b4de-918f716e4082 +date: '2025-08-12' +description: Automatically categorized datasets in directory wineloader +environment: attack_range +directory: wineloader +mitre_technique: +- T1574.002 +datasets: +- name: sqlwriter_sqldumper_sideload_windows-sysmon + path: /datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/lib_hijack/data.yml b/datasets/attack_techniques/T1574.006/lib_hijack/data.yml new file mode 100644 index 000000000..4814c73bc --- /dev/null +++ b/datasets/attack_techniques/T1574.006/lib_hijack/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2fa58667-88ed-4a19-87ec-7d3d78a4b6ba +date: '2025-08-12' +description: Automatically categorized datasets in directory lib_hijack +environment: attack_range +directory: lib_hijack +mitre_technique: +- T1574.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml new file mode 100644 index 000000000..9138e5e89 --- /dev/null +++ b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 137ad8d3-d4b0-419d-814a-578bd4a9b268 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_ldpreload +environment: attack_range +directory: linux_auditd_ldpreload +mitre_technique: +- T1574.006 +datasets: +- name: auditd_execve_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log + sourcetype: auditd + source: auditd +- name: linux_auditd_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml new file mode 100644 index 000000000..dc1df8546 --- /dev/null +++ b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7e24977d-0de1-43f7-9ad1-4a94c27e3030 +date: '2025-08-12' +description: Automatically categorized datasets in directory linux_auditd_preload_file +environment: attack_range +directory: linux_auditd_preload_file +mitre_technique: +- T1574.006 +datasets: +- name: linux_auditd_preload_file + path: /datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml b/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml new file mode 100644 index 000000000..67f4dcbbe --- /dev/null +++ b/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c42d4802-1849-4769-9c9f-e4a692835909 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1574.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml b/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml new file mode 100644 index 000000000..b5395f85f --- /dev/null +++ b/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 258a7559-c06b-430c-b66b-e0d6aa73188d +date: '2025-08-12' +description: Automatically categorized datasets in directory change_registry_path_service +environment: attack_range +directory: change_registry_path_service +mitre_technique: +- T1574.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml new file mode 100644 index 000000000..d0934616b --- /dev/null +++ b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 865ea0a0-f890-4e58-a4dd-24aeb07e4ff9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_authorize_security_group +environment: attack_range +directory: aws_authorize_security_group +mitre_technique: +- T1578.005 +datasets: +- name: aws_authorize_security_group-json + path: /datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml new file mode 100644 index 000000000..b4d1248e6 --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml @@ -0,0 +1,16 @@ +author: Generated by dataset_analyzer.py +id: f92a9a8e-2f9b-42ef-a85b-0145c886145a +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_accessdenied_discovery_events +environment: attack_range +directory: aws_iam_accessdenied_discovery_events +mitre_technique: +- T1580 +datasets: +- name: aws_iam_accessdenied_discovery_events-json + path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json + sourcetype: access_combined +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml b/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml new file mode 100644 index 000000000..176dd5fbe --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: e1e9c986-8c3b-443b-86d7-f82ce29180f9 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_assume_role_policy_brute_force +environment: attack_range +directory: aws_iam_assume_role_policy_brute_force +mitre_technique: +- T1580 +datasets: +- name: aws_iam_assume_role_policy_brute_force-json + path: /datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/aws_iam_assume_role_policy_brute_force.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1580/aws_iam_assume_role_policy_brute_force/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml b/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml new file mode 100644 index 000000000..254037e53 --- /dev/null +++ b/datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f58c4e4c-7961-4731-a01a-3b8b7838ffd1 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_iam_excessive_list_command_usage +environment: attack_range +directory: aws_iam_excessive_list_command_usage +mitre_technique: +- T1580 +datasets: +- name: aws_iam_excessive_list_command_usage-json + path: /datasets/attack_techniques/T1580/aws_iam_excessive_list_command_usage/aws_iam_excessive_list_command_usage.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml b/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml new file mode 100644 index 000000000..538cd49e4 --- /dev/null +++ b/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 3b221d0b-cf5b-43e8-b354-05b9f6210f9e +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_multiple_city +environment: attack_range +directory: okta_multiple_city +mitre_technique: +- T1586.003 +datasets: +- name: okta_multiple_city_im2 + path: /datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1587.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1587.002/atomic_red_team/data.yml new file mode 100644 index 000000000..ce0daa4b5 --- /dev/null +++ b/datasets/attack_techniques/T1587.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e6475497-6ba2-46d8-8a73-bf0d3b650f21 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1587.002 +datasets: +- name: certblob_windows-sysmon + path: /datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1588.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1588.002/atomic_red_team/data.yml new file mode 100644 index 000000000..bcf0ec9d9 --- /dev/null +++ b/datasets/attack_techniques/T1588.002/atomic_red_team/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 43d74648-ed9a-40b8-b9d7-7cc63c5c1c07 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1588.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml b/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml new file mode 100644 index 000000000..2061d639c --- /dev/null +++ b/datasets/attack_techniques/T1589.002/kerberos_user_enumeration/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 159f3ef4-f460-4e52-9911-2591df2923f1 +date: '2025-08-12' +description: Automatically categorized datasets in directory kerberos_user_enumeration +environment: attack_range +directory: kerberos_user_enumeration +mitre_technique: +- T1589.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1589.002/kerberos_user_enumeration/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml b/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml new file mode 100644 index 000000000..64fec00ce --- /dev/null +++ b/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8c5890b6-344a-4942-8eff-2201f0ef8000 +date: '2025-08-12' +description: Automatically categorized datasets in directory enum_dns_record +environment: attack_range +directory: enum_dns_record +mitre_technique: +- T1590.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1590.005/data.yml b/datasets/attack_techniques/T1590.005/data.yml new file mode 100644 index 000000000..8ada1375a --- /dev/null +++ b/datasets/attack_techniques/T1590.005/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a0d62a4b-0b4d-41f7-a769-0b2ec4ff119a +date: '2025-08-12' +description: Automatically categorized datasets in directory T1590.005 +environment: attack_range +directory: T1590.005 +mitre_technique: +- T1590.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1590.005/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml b/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml new file mode 100644 index 000000000..e26fdf77b --- /dev/null +++ b/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0af0637f-a100-4d96-ad8a-42f96cad1dcb +date: '2025-08-12' +description: Automatically categorized datasets in directory attacker_scan_tools +environment: attack_range +directory: attacker_scan_tools +mitre_technique: +- T1595 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml b/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml new file mode 100644 index 000000000..57e2dc618 --- /dev/null +++ b/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d853ffcb-a638-4cd5-bbaa-ddf17f0b4bd8 +date: '2025-08-12' +description: Automatically categorized datasets in directory sysmon_scanning_events +environment: attack_range +directory: sysmon_scanning_events +mitre_technique: +- T1595 +datasets: +- name: sysmon_scanning_events + path: /datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1598.002/rdp/data.yml b/datasets/attack_techniques/T1598.002/rdp/data.yml new file mode 100644 index 000000000..6e424b903 --- /dev/null +++ b/datasets/attack_techniques/T1598.002/rdp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 5d19d164-ecdc-4095-9e23-5dacf819915f +date: '2025-08-12' +description: Automatically categorized datasets in directory rdp +environment: attack_range +directory: rdp +mitre_technique: +- T1598.002 +datasets: +- name: mstsc_rdpfile-windows-sysmon + path: /datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml b/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml new file mode 100644 index 000000000..f77664de5 --- /dev/null +++ b/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 97f3e434-cbe2-48b6-bdb7-2f7ab63fd14a +date: '2025-08-12' +description: Automatically categorized datasets in directory common_language_runtim_loaded +environment: attack_range +directory: common_language_runtim_loaded +mitre_technique: +- T1620 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml b/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml new file mode 100644 index 000000000..c719926b5 --- /dev/null +++ b/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b68e7ac9-5bc8-42f0-a559-ac40fc9ba721 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_mfa_disabled +environment: attack_range +directory: aws_mfa_disabled +mitre_technique: +- T1621 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml new file mode 100644 index 000000000..68eb77e5e --- /dev/null +++ b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d2346b4e-9a58-4458-89de-974b9b41a693 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_multiple_denied_mfa_requests +environment: attack_range +directory: azure_ad_multiple_denied_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure_ad_multiple_denied_mfa_requests + path: /datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/azuread/data.yml b/datasets/attack_techniques/T1621/azuread/data.yml new file mode 100644 index 000000000..ccf664982 --- /dev/null +++ b/datasets/attack_techniques/T1621/azuread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: decec97f-a2ca-46d4-bcaf-fe8db9d1ba27 +date: '2025-08-12' +description: Automatically categorized datasets in directory azuread +environment: attack_range +directory: azuread +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml b/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml new file mode 100644 index 000000000..1e27231be --- /dev/null +++ b/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d6b865b9-6e68-4f03-b973-fc1fb9ed4694 +date: '2025-08-12' +description: Automatically categorized datasets in directory gcp_failed_mfa +environment: attack_range +directory: gcp_failed_mfa +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml new file mode 100644 index 000000000..590065b54 --- /dev/null +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0f41727a-b3e0-41a9-a387-205470659a77 +date: '2025-08-12' +description: Automatically categorized datasets in directory multiple_failed_mfa_gws +environment: attack_range +directory: multiple_failed_mfa_gws +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml new file mode 100644 index 000000000..80e7e392f --- /dev/null +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6cd5695e-549e-45dd-8e5a-7ad5100f758d +date: '2025-08-12' +description: Automatically categorized datasets in directory multiple_failed_mfa_requests +environment: attack_range +directory: multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml new file mode 100644 index 000000000..c88a3d49a --- /dev/null +++ b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 4afcbe95-23e1-4ade-9f72-84bf9275ec51 +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_multiple_failed_mfa_requests +environment: attack_range +directory: o365_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: o365_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml b/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml new file mode 100644 index 000000000..17e88efca --- /dev/null +++ b/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 88990979-9fd5-4d56-9760-d83b30fc940c +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_mfa_login_failed +environment: attack_range +directory: okta_mfa_login_failed +mitre_technique: +- T1621 +datasets: +- name: okta_mfa_login_failed + path: /datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_mismatch/data.yml b/datasets/attack_techniques/T1621/okta_mismatch/data.yml new file mode 100644 index 000000000..4a501f5a2 --- /dev/null +++ b/datasets/attack_techniques/T1621/okta_mismatch/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c67e371f-db71-4782-ad34-3df24bcb3100 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_mismatch +environment: attack_range +directory: okta_mismatch +mitre_technique: +- T1621 +datasets: +- name: okta_mismatch + path: /datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml new file mode 100644 index 000000000..0e0a07b7f --- /dev/null +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 613e1fb2-33ff-45c6-b266-804347535574 +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_multiple_failed_mfa_pushes +environment: attack_range +directory: okta_multiple_failed_mfa_pushes +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_pushes + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml new file mode 100644 index 000000000..4a329681c --- /dev/null +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1a6a1dac-1956-4c4f-8223-85b2d6c2e2aa +date: '2025-08-12' +description: Automatically categorized datasets in directory okta_multiple_failed_mfa_requests +environment: attack_range +directory: okta_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/pingid/data.yml b/datasets/attack_techniques/T1621/pingid/data.yml new file mode 100644 index 000000000..93d73f709 --- /dev/null +++ b/datasets/attack_techniques/T1621/pingid/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: d117fd5b-b249-4ed4-abd0-52eb21cbf0a2 +date: '2025-08-12' +description: Automatically categorized datasets in directory pingid +environment: attack_range +directory: pingid +mitre_technique: +- T1621 +datasets: +- name: pingid + path: /datasets/attack_techniques/T1621/pingid/pingid.log + sourcetype: __json + source: PINGID +- name: windows_pw_reset + path: /datasets/attack_techniques/T1621/pingid/windows_pw_reset.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1649/atomic_red_team/data.yml b/datasets/attack_techniques/T1649/atomic_red_team/data.yml new file mode 100644 index 000000000..70fbe0cfe --- /dev/null +++ b/datasets/attack_techniques/T1649/atomic_red_team/data.yml @@ -0,0 +1,45 @@ +author: Generated by dataset_analyzer.py +id: 923fb4aa-0090-4b25-af11-83d604a58300 +date: '2025-08-12' +description: Automatically categorized datasets in directory atomic_red_team +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1649 +datasets: +- name: export_certificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: certwrite_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4876_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: export_pfxcertificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4104_export_pfx-windows-powershell + path: /datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: backupdb_certutil_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4887_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4886_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4688_certutil_backupdb-windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1649/certify_abuse/data.yml b/datasets/attack_techniques/T1649/certify_abuse/data.yml new file mode 100644 index 000000000..4a2777e6b --- /dev/null +++ b/datasets/attack_techniques/T1649/certify_abuse/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9a6caf5e-09e5-4c5a-a205-761f53510999 +date: '2025-08-12' +description: Automatically categorized datasets in directory certify_abuse +environment: attack_range +directory: certify_abuse +mitre_technique: +- T1649 +datasets: +- name: certify_esc1_abuse_sysmon + path: /datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml b/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml new file mode 100644 index 000000000..5bc52b835 --- /dev/null +++ b/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a154bdc5-4271-4c4b-b664-b9adbfe7f96c +date: '2025-08-12' +description: Automatically categorized datasets in directory active_setup_stubpath +environment: attack_range +directory: active_setup_stubpath +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml b/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml new file mode 100644 index 000000000..9ce5f2074 --- /dev/null +++ b/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2c9c47c0-d6fa-40de-9db4-cda43227aff8 +date: '2025-08-12' +description: Automatically categorized datasets in directory host_info_dxdiag +environment: attack_range +directory: host_info_dxdiag +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/pwh_av_recon/data.yml b/datasets/attack_techniques/t1592/pwh_av_recon/data.yml new file mode 100644 index 000000000..2d1716f6e --- /dev/null +++ b/datasets/attack_techniques/t1592/pwh_av_recon/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fce26f89-aa9f-4463-98d8-424393a7e3e3 +date: '2025-08-12' +description: Automatically categorized datasets in directory pwh_av_recon +environment: attack_range +directory: pwh_av_recon +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/acidrain/data.yml b/datasets/malware/acidrain/data.yml new file mode 100644 index 000000000..af189e60b --- /dev/null +++ b/datasets/malware/acidrain/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b0309de3-26b7-40ef-81c4-453d60e64363 +date: '2025-08-12' +description: Automatically categorized datasets in directory acidrain +environment: attack_range +directory: acidrain +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/acidrain/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml b/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml new file mode 100644 index 000000000..566345bbd --- /dev/null +++ b/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f7d4ad99-16bf-4550-8c41-9906bcbeda6e +date: '2025-08-12' +description: Automatically categorized datasets in directory agent_tesla_ftp +environment: attack_range +directory: agent_tesla_ftp +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml b/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml new file mode 100644 index 000000000..fc890b9fd --- /dev/null +++ b/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 23f63d4a-bb54-454f-baa8-66094799088e +date: '2025-08-12' +description: Automatically categorized datasets in directory agent_tesla_smtp +environment: attack_range +directory: agent_tesla_smtp +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml new file mode 100644 index 000000000..9f9b8ca49 --- /dev/null +++ b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 22f85ca0-1adf-4a62-9efd-dd6a1d990253 +date: '2025-08-12' +description: Automatically categorized datasets in directory agent_tesla_tor_dns_query +environment: attack_range +directory: agent_tesla_tor_dns_query +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/chm_powershell/data.yml b/datasets/malware/agent_tesla/chm_powershell/data.yml new file mode 100644 index 000000000..39103506e --- /dev/null +++ b/datasets/malware/agent_tesla/chm_powershell/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 10dc1693-4be5-468d-b9e1-15b1b6f4caa3 +date: '2025-08-12' +description: Automatically categorized datasets in directory chm_powershell +environment: attack_range +directory: chm_powershell +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/amadey/access_permission/data.yml b/datasets/malware/amadey/access_permission/data.yml new file mode 100644 index 000000000..1046f66c7 --- /dev/null +++ b/datasets/malware/amadey/access_permission/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d1651ba2-1249-484c-ae0b-e891946484ea +date: '2025-08-12' +description: Automatically categorized datasets in directory access_permission +environment: attack_range +directory: access_permission +mitre_technique: +- unknown +datasets: +- name: amadey_sysmon2 + path: /datasets/malware/amadey/access_permission/amadey_sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test1/data.yml b/datasets/malware/awfulshred/test1/data.yml new file mode 100644 index 000000000..dfd8a26b3 --- /dev/null +++ b/datasets/malware/awfulshred/test1/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 64315eea-76f6-48f0-a85a-083f9e306ef1 +date: '2025-08-12' +description: Automatically categorized datasets in directory test1 +environment: attack_range +directory: test1 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test1/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test2/data.yml b/datasets/malware/awfulshred/test2/data.yml new file mode 100644 index 000000000..2038f59fd --- /dev/null +++ b/datasets/malware/awfulshred/test2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 46e507b4-4af4-4c13-8a7d-5bcf59a35072 +date: '2025-08-12' +description: Automatically categorized datasets in directory test2 +environment: attack_range +directory: test2 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test2/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test3/data.yml b/datasets/malware/awfulshred/test3/data.yml new file mode 100644 index 000000000..2c133e1e1 --- /dev/null +++ b/datasets/malware/awfulshred/test3/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 20d4b9a4-0b35-4a99-ad8c-d6b258c3e46a +date: '2025-08-12' +description: Automatically categorized datasets in directory test3 +environment: attack_range +directory: test3 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/azorult/data.yml b/datasets/malware/azorult/data.yml new file mode 100644 index 000000000..32b0111bc --- /dev/null +++ b/datasets/malware/azorult/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 10e1ba77-db09-4ee6-8609-19555c477d8a +date: '2025-08-12' +description: Automatically categorized datasets in directory azorult +environment: attack_range +directory: azorult +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/azorult/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/brute_duplicate_token/data.yml b/datasets/malware/brute_ratel/brute_duplicate_token/data.yml new file mode 100644 index 000000000..faf00add7 --- /dev/null +++ b/datasets/malware/brute_ratel/brute_duplicate_token/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bd3a4ce9-1206-444a-b498-0e278c38075f +date: '2025-08-12' +description: Automatically categorized datasets in directory brute_duplicate_token +environment: attack_range +directory: brute_duplicate_token +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/create_remote_thread/data.yml b/datasets/malware/brute_ratel/create_remote_thread/data.yml new file mode 100644 index 000000000..82d0756f1 --- /dev/null +++ b/datasets/malware/brute_ratel/create_remote_thread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 75c59f86-16ba-4be0-b8a5-88d117503bd0 +date: '2025-08-12' +description: Automatically categorized datasets in directory create_remote_thread +environment: attack_range +directory: create_remote_thread +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/create_remote_thread/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml b/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml new file mode 100644 index 000000000..c367e4ebf --- /dev/null +++ b/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1c747d24-1259-451e-ab1a-c5451fefdcd5 +date: '2025-08-12' +description: Automatically categorized datasets in directory iso_version_dll_campaign +environment: attack_range +directory: iso_version_dll_campaign +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/loading_samlib/data.yml b/datasets/malware/brute_ratel/loading_samlib/data.yml new file mode 100644 index 000000000..5eb6ea762 --- /dev/null +++ b/datasets/malware/brute_ratel/loading_samlib/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: efffb7c4-c273-49de-8e96-0e6c595c4ef9 +date: '2025-08-12' +description: Automatically categorized datasets in directory loading_samlib +environment: attack_range +directory: loading_samlib +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/loading_samlib/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/service_deletion/data.yml b/datasets/malware/brute_ratel/service_deletion/data.yml new file mode 100644 index 000000000..e5253d2ec --- /dev/null +++ b/datasets/malware/brute_ratel/service_deletion/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 774b8a4f-8f5d-4428-b156-5523e370220b +date: '2025-08-12' +description: Automatically categorized datasets in directory service_deletion +environment: attack_range +directory: service_deletion +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/service_deletion/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml new file mode 100644 index 000000000..40804d753 --- /dev/null +++ b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 46b8cc94-ea39-4d6c-9e36-55839202e880 +date: '2025-08-12' +description: Automatically categorized datasets in directory wallpaper_via_transcodedwallpaper +environment: attack_range +directory: wallpaper_via_transcodedwallpaper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/data.yml b/datasets/malware/chaos_ransomware/data.yml new file mode 100644 index 000000000..6c90ae82d --- /dev/null +++ b/datasets/malware/chaos_ransomware/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 129a18ab-f2c5-4e1d-8d18-04e3020fc37a +date: '2025-08-12' +description: Automatically categorized datasets in directory chaos_ransomware +environment: attack_range +directory: chaos_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml b/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml new file mode 100644 index 000000000..f649e0e40 --- /dev/null +++ b/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 14c235ce-3c75-4d41-8968-12e60bc5d65d +date: '2025-08-12' +description: Automatically categorized datasets in directory spread_in_root_drives +environment: attack_range +directory: spread_in_root_drives +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_a/data.yml b/datasets/malware/clop/clop_a/data.yml new file mode 100644 index 000000000..ea4aa61d8 --- /dev/null +++ b/datasets/malware/clop/clop_a/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0e34c4de-338a-42ae-bd2d-db175e8e6efa +date: '2025-08-12' +description: Automatically categorized datasets in directory clop_a +environment: attack_range +directory: clop_a +mitre_technique: +- unknown +datasets: +- name: windows-xml + path: /datasets/malware/clop/clop_a/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: windows-sysmon + path: /datasets/malware/clop/clop_a/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_b/data.yml b/datasets/malware/clop/clop_b/data.yml new file mode 100644 index 000000000..e3e260147 --- /dev/null +++ b/datasets/malware/clop/clop_b/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 60fa4b9a-3181-410b-add4-fea2a3d69e5a +date: '2025-08-12' +description: Automatically categorized datasets in directory clop_b +environment: attack_range +directory: clop_b +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/clop/clop_b/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/conti/conti-cobalt/data.yml b/datasets/malware/conti/conti-cobalt/data.yml new file mode 100644 index 000000000..2c689bcd8 --- /dev/null +++ b/datasets/malware/conti/conti-cobalt/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cad4c2c9-3eb5-436d-a2fb-e054ff43adb0 +date: '2025-08-12' +description: Automatically categorized datasets in directory conti-cobalt +environment: attack_range +directory: conti-cobalt +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/conti/conti-cobalt/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/conti/conti_leak/data.yml b/datasets/malware/conti/conti_leak/data.yml new file mode 100644 index 000000000..8ff0c36c8 --- /dev/null +++ b/datasets/malware/conti/conti_leak/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: fd03530f-4f01-41c7-9096-05eb6f99368f +date: '2025-08-12' +description: Automatically categorized datasets in directory conti_leak +environment: attack_range +directory: conti_leak +mitre_technique: +- unknown +datasets: +- name: windows-sysmon_7z + path: /datasets/malware/conti/conti_leak/windows-sysmon_7z.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/malware/conti/conti_leak/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/malware/conti/conti_leak/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/malware/conti/inf1/data.yml b/datasets/malware/conti/inf1/data.yml new file mode 100644 index 000000000..152c26766 --- /dev/null +++ b/datasets/malware/conti/inf1/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 87b91832-7f22-4306-b3a5-eb82fb19ac65 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf1 +environment: attack_range +directory: inf1 +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/conti/inf1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/cyclopsblink/data.yml b/datasets/malware/cyclopsblink/data.yml new file mode 100644 index 000000000..f45935df0 --- /dev/null +++ b/datasets/malware/cyclopsblink/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 57ce07fe-e424-4f8b-8d2c-e3fcd9fff385 +date: '2025-08-12' +description: Automatically categorized datasets in directory cyclopsblink +environment: attack_range +directory: cyclopsblink +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/cyclopsblink/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_delay_execution/data.yml b/datasets/malware/dcrat/dcrat_delay_execution/data.yml new file mode 100644 index 000000000..1f57556ea --- /dev/null +++ b/datasets/malware/dcrat/dcrat_delay_execution/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bb3f3d8a-f0f3-4ff7-9501-603f05ddc375 +date: '2025-08-12' +description: Automatically categorized datasets in directory dcrat_delay_execution +environment: attack_range +directory: dcrat_delay_execution +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_delay_execution/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_enum_camera/data.yml b/datasets/malware/dcrat/dcrat_enum_camera/data.yml new file mode 100644 index 000000000..7821a7566 --- /dev/null +++ b/datasets/malware/dcrat/dcrat_enum_camera/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 758f68df-4281-4564-a451-31aea1a9a05d +date: '2025-08-12' +description: Automatically categorized datasets in directory dcrat_enum_camera +environment: attack_range +directory: dcrat_enum_camera +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/dcrat/dcrat_explorer_url/data.yml b/datasets/malware/dcrat/dcrat_explorer_url/data.yml new file mode 100644 index 000000000..4511c30d0 --- /dev/null +++ b/datasets/malware/dcrat/dcrat_explorer_url/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8db3c16d-9df0-4306-87bf-6cecca36ac93 +date: '2025-08-12' +description: Automatically categorized datasets in directory dcrat_explorer_url +environment: attack_range +directory: dcrat_explorer_url +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_explorer_url/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_forkbomb/data.yml b/datasets/malware/dcrat/dcrat_forkbomb/data.yml new file mode 100644 index 000000000..707f9c06e --- /dev/null +++ b/datasets/malware/dcrat/dcrat_forkbomb/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fb854396-703c-4726-82fa-07c99b206b00 +date: '2025-08-12' +description: Automatically categorized datasets in directory dcrat_forkbomb +environment: attack_range +directory: dcrat_forkbomb +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_forkbomb/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/reboot_logoff_commandline/data.yml b/datasets/malware/dcrat/reboot_logoff_commandline/data.yml new file mode 100644 index 000000000..dc57d355e --- /dev/null +++ b/datasets/malware/dcrat/reboot_logoff_commandline/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1ca9bec8-3032-47cb-8f3f-373da4f03a71 +date: '2025-08-12' +description: Automatically categorized datasets in directory reboot_logoff_commandline +environment: attack_range +directory: reboot_logoff_commandline +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/shutdown_commandline/data.yml b/datasets/malware/dcrat/shutdown_commandline/data.yml new file mode 100644 index 000000000..d24ec2a4f --- /dev/null +++ b/datasets/malware/dcrat/shutdown_commandline/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e0e8e514-c156-4bf1-b5c1-7cca60ae7dc4 +date: '2025-08-12' +description: Automatically categorized datasets in directory shutdown_commandline +environment: attack_range +directory: shutdown_commandline +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/shutdown_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/doublezero_wiper/data.yml b/datasets/malware/doublezero_wiper/data.yml new file mode 100644 index 000000000..6d716ff12 --- /dev/null +++ b/datasets/malware/doublezero_wiper/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 597b0994-e706-4420-bea4-6a3e1f023c0b +date: '2025-08-12' +description: Automatically categorized datasets in directory doublezero_wiper +environment: attack_range +directory: doublezero_wiper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/doublezero_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_js_2/data.yml b/datasets/malware/fin7/fin7_js_2/data.yml new file mode 100644 index 000000000..5f99afc6e --- /dev/null +++ b/datasets/malware/fin7/fin7_js_2/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 91f6a4e9-53b3-4a14-b19f-a8a88b7a9d9d +date: '2025-08-12' +description: Automatically categorized datasets in directory fin7_js_2 +environment: attack_range +directory: fin7_js_2 +mitre_technique: +- unknown +datasets: +- name: wmi_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ldap_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/fin7/fin7_js_2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_macro_js_1/data.yml b/datasets/malware/fin7/fin7_macro_js_1/data.yml new file mode 100644 index 000000000..a8f9f51de --- /dev/null +++ b/datasets/malware/fin7/fin7_macro_js_1/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a7f53f9-83d6-4d4a-90b7-a0ae44185e9a +date: '2025-08-12' +description: Automatically categorized datasets in directory fin7_macro_js_1 +environment: attack_range +directory: fin7_macro_js_1 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/fin7/fin7_macro_js_1/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/jssloader/data.yml b/datasets/malware/fin7/jssloader/data.yml new file mode 100644 index 000000000..22837e981 --- /dev/null +++ b/datasets/malware/fin7/jssloader/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 33fe2d9b-87ee-4b8a-9230-06bc5d3a8228 +date: '2025-08-12' +description: Automatically categorized datasets in directory jssloader +environment: attack_range +directory: jssloader +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/fin7/jssloader/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/gootloader/partial_ttps/data.yml b/datasets/malware/gootloader/partial_ttps/data.yml new file mode 100644 index 000000000..b4727eee2 --- /dev/null +++ b/datasets/malware/gootloader/partial_ttps/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 5674a31a-3456-4d68-ba30-e0a8257ebd84 +date: '2025-08-12' +description: Automatically categorized datasets in directory partial_ttps +environment: attack_range +directory: partial_ttps +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/malware/gootloader/partial_ttps/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/data.yml b/datasets/malware/hermetic_wiper/data.yml new file mode 100644 index 000000000..e99f7fabf --- /dev/null +++ b/datasets/malware/hermetic_wiper/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: fd9db676-1512-472c-a0d4-a77381891197 +date: '2025-08-12' +description: Automatically categorized datasets in directory hermetic_wiper +environment: attack_range +directory: hermetic_wiper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml new file mode 100644 index 000000000..beb89efc8 --- /dev/null +++ b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f394d5b3-f57b-4919-ab36-6ca55ecd968d +date: '2025-08-12' +description: Automatically categorized datasets in directory globalfolderoptions_reg +environment: attack_range +directory: globalfolderoptions_reg +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/cmd_carry_str_param/data.yml b/datasets/malware/icedid/cmd_carry_str_param/data.yml new file mode 100644 index 000000000..4fac4d4e9 --- /dev/null +++ b/datasets/malware/icedid/cmd_carry_str_param/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8546612d-f4bb-4465-9bfc-6dee096ce79a +date: '2025-08-12' +description: Automatically categorized datasets in directory cmd_carry_str_param +environment: attack_range +directory: cmd_carry_str_param +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/icedid/cmd_carry_str_param/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_av/data.yml b/datasets/malware/icedid/disable_av/data.yml new file mode 100644 index 000000000..7a228e329 --- /dev/null +++ b/datasets/malware/icedid/disable_av/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 52564d17-a509-45d5-8e27-91a097d394b4 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_av +environment: attack_range +directory: disable_av +mitre_technique: +- unknown +datasets: +- name: sysmon2 + path: /datasets/malware/icedid/disable_av/sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/icedid/disable_av/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_schtask/data.yml b/datasets/malware/icedid/disable_schtask/data.yml new file mode 100644 index 000000000..771ba88c6 --- /dev/null +++ b/datasets/malware/icedid/disable_schtask/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 93bc9750-219d-4514-a3c1-e0f29c68eff7 +date: '2025-08-12' +description: Automatically categorized datasets in directory disable_schtask +environment: attack_range +directory: disable_schtask +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/icedid/disable_schtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/inf_icedid/data.yml b/datasets/malware/icedid/inf_icedid/data.yml new file mode 100644 index 000000000..12c12153b --- /dev/null +++ b/datasets/malware/icedid/inf_icedid/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 2773df7b-8370-4a2a-b265-95eef2530ec5 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf_icedid +environment: attack_range +directory: inf_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/inf_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/phish_icedid/data.yml b/datasets/malware/icedid/phish_icedid/data.yml new file mode 100644 index 000000000..c1313e001 --- /dev/null +++ b/datasets/malware/icedid/phish_icedid/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 62a5717f-b084-4008-b35a-4fb0eb620fc6 +date: '2025-08-12' +description: Automatically categorized datasets in directory phish_icedid +environment: attack_range +directory: phish_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/phish_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/simulated_icedid/data.yml b/datasets/malware/icedid/simulated_icedid/data.yml new file mode 100644 index 000000000..68286c6dc --- /dev/null +++ b/datasets/malware/icedid/simulated_icedid/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0b143f10-2f28-467d-8c77-295907e0e109 +date: '2025-08-12' +description: Automatically categorized datasets in directory simulated_icedid +environment: attack_range +directory: simulated_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/simulated_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/industroyer2/data.yml b/datasets/malware/industroyer2/data.yml new file mode 100644 index 000000000..be18658e6 --- /dev/null +++ b/datasets/malware/industroyer2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f837d03a-3057-47a9-b7d8-73ac2f61c1ec +date: '2025-08-12' +description: Automatically categorized datasets in directory industroyer2 +environment: attack_range +directory: industroyer2 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/industroyer2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/lockbit_ransomware/data.yml b/datasets/malware/lockbit_ransomware/data.yml new file mode 100644 index 000000000..30a770621 --- /dev/null +++ b/datasets/malware/lockbit_ransomware/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 0071c47b-4433-4902-b736-6383efea85a1 +date: '2025-08-12' +description: Automatically categorized datasets in directory lockbit_ransomware +environment: attack_range +directory: lockbit_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/lockbit_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/minergate/data.yml b/datasets/malware/minergate/data.yml new file mode 100644 index 000000000..fcc4d0e67 --- /dev/null +++ b/datasets/malware/minergate/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 496eee5a-a4db-4761-9cb7-404827cf59fa +date: '2025-08-12' +description: Automatically categorized datasets in directory minergate +environment: attack_range +directory: minergate +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/minergate/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/olympic_destroyer/data.yml b/datasets/malware/olympic_destroyer/data.yml new file mode 100644 index 000000000..cabb90975 --- /dev/null +++ b/datasets/malware/olympic_destroyer/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 37266d13-945c-444c-9c4c-1e540bdcb93a +date: '2025-08-12' +description: Automatically categorized datasets in directory olympic_destroyer +environment: attack_range +directory: olympic_destroyer +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/olympic_destroyer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/prestige_ransomware/data.yml b/datasets/malware/prestige_ransomware/data.yml new file mode 100644 index 000000000..e06c0b774 --- /dev/null +++ b/datasets/malware/prestige_ransomware/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: caf28c2c-8e27-4335-9bc2-4d3b31aa09b3 +date: '2025-08-12' +description: Automatically categorized datasets in directory prestige_ransomware +environment: attack_range +directory: prestige_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/prestige_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/data.yml b/datasets/malware/qakbot/data.yml new file mode 100644 index 000000000..f3d3118fd --- /dev/null +++ b/datasets/malware/qakbot/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ed355916-9ae6-4710-bfe1-ba0bdd34792b +date: '2025-08-12' +description: Automatically categorized datasets in directory qakbot +environment: attack_range +directory: qakbot +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot2/data.yml b/datasets/malware/qakbot/qbot2/data.yml new file mode 100644 index 000000000..0c1c6fd64 --- /dev/null +++ b/datasets/malware/qakbot/qbot2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 55d090b2-ff85-4936-a2eb-ed01406f595d +date: '2025-08-12' +description: Automatically categorized datasets in directory qbot2 +environment: attack_range +directory: qbot2 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_3/data.yml b/datasets/malware/qakbot/qbot_3/data.yml new file mode 100644 index 000000000..119a7d228 --- /dev/null +++ b/datasets/malware/qakbot/qbot_3/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: b06bf290-3d5c-4248-b2ae-94e07c646192 +date: '2025-08-12' +description: Automatically categorized datasets in directory qbot_3 +environment: attack_range +directory: qbot_3 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot_3/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr/data.yml b/datasets/malware/qakbot/qbot_wermgr/data.yml new file mode 100644 index 000000000..74182a81d --- /dev/null +++ b/datasets/malware/qakbot/qbot_wermgr/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d3d1656c-40ff-4a73-9894-d572bb4a88a6 +date: '2025-08-12' +description: Automatically categorized datasets in directory qbot_wermgr +environment: attack_range +directory: qbot_wermgr +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr + path: /datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr2/data.yml b/datasets/malware/qakbot/qbot_wermgr2/data.yml new file mode 100644 index 000000000..603003b77 --- /dev/null +++ b/datasets/malware/qakbot/qbot_wermgr2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e21bf308-0966-4d84-98db-e1c5c5a66503 +date: '2025-08-12' +description: Automatically categorized datasets in directory qbot_wermgr2 +environment: attack_range +directory: qbot_wermgr2 +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr2 + path: /datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/remote_thread/data.yml b/datasets/malware/qakbot/remote_thread/data.yml new file mode 100644 index 000000000..34a58cab0 --- /dev/null +++ b/datasets/malware/qakbot/remote_thread/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cb2cc98c-b7cd-4cab-9a5b-a6cd90902c76 +date: '2025-08-12' +description: Automatically categorized datasets in directory remote_thread +environment: attack_range +directory: remote_thread +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr_remote + path: /datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ransomware_ttp/data1/data.yml b/datasets/malware/ransomware_ttp/data1/data.yml new file mode 100644 index 000000000..82e70e03a --- /dev/null +++ b/datasets/malware/ransomware_ttp/data1/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: dd0f91c3-d962-4e76-bea8-994f108b924b +date: '2025-08-12' +description: Automatically categorized datasets in directory data1 +environment: attack_range +directory: data1 +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/ransomware_ttp/data1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ransomware_ttp/data2/data.yml b/datasets/malware/ransomware_ttp/data2/data.yml new file mode 100644 index 000000000..424447ce2 --- /dev/null +++ b/datasets/malware/ransomware_ttp/data2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6f4e39a0-c1a5-4e9e-bde6-fd26c4af04d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory data2 +environment: attack_range +directory: data2 +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/ransomware_ttp/data2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/redline/modify_registry/data.yml b/datasets/malware/redline/modify_registry/data.yml new file mode 100644 index 000000000..d5a2cdf8e --- /dev/null +++ b/datasets/malware/redline/modify_registry/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: c1ec5665-aa8b-499b-9319-dd94c8321a9b +date: '2025-08-12' +description: Automatically categorized datasets in directory modify_registry +environment: attack_range +directory: modify_registry +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/redline/modify_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos/data.yml b/datasets/malware/remcos/remcos/data.yml new file mode 100644 index 000000000..affbfd1b5 --- /dev/null +++ b/datasets/malware/remcos/remcos/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9cc46179-1fd6-470e-b6f5-dbe2ebbc6fd6 +date: '2025-08-12' +description: Automatically categorized datasets in directory remcos +environment: attack_range +directory: remcos +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_agent/data.yml b/datasets/malware/remcos/remcos_agent/data.yml new file mode 100644 index 000000000..920bab8fa --- /dev/null +++ b/datasets/malware/remcos/remcos_agent/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 679039ca-936a-462f-99ee-409ae6dbe14c +date: '2025-08-12' +description: Automatically categorized datasets in directory remcos_agent +environment: attack_range +directory: remcos_agent +mitre_technique: +- unknown +datasets: +- name: sysmon_wav + path: /datasets/malware/remcos/remcos_agent/sysmon_wav.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_agent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_dynwrapx/data.yml b/datasets/malware/remcos/remcos_dynwrapx/data.yml new file mode 100644 index 000000000..c5e9d219e --- /dev/null +++ b/datasets/malware/remcos/remcos_dynwrapx/data.yml @@ -0,0 +1,21 @@ +author: Generated by dataset_analyzer.py +id: 52f9736e-39de-4d07-b9ff-0f333b199949 +date: '2025-08-12' +description: Automatically categorized datasets in directory remcos_dynwrapx +environment: attack_range +directory: remcos_dynwrapx +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_dynwraper + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_pastebin_download/data.yml b/datasets/malware/remcos/remcos_pastebin_download/data.yml new file mode 100644 index 000000000..ffac0989c --- /dev/null +++ b/datasets/malware/remcos/remcos_pastebin_download/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: e9cbc26f-1c8c-46ab-a5b0-3470a2abd621 +date: '2025-08-12' +description: Automatically categorized datasets in directory remcos_pastebin_download +environment: attack_range +directory: remcos_pastebin_download +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_pastebin_download/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_registry/data.yml b/datasets/malware/remcos/remcos_registry/data.yml new file mode 100644 index 000000000..3dc9883bb --- /dev/null +++ b/datasets/malware/remcos/remcos_registry/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: ec0b4102-04fb-4148-988a-c2452c5f8cbd +date: '2025-08-12' +description: Automatically categorized datasets in directory remcos_registry +environment: attack_range +directory: remcos_registry +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/inf1/data.yml b/datasets/malware/revil/inf1/data.yml new file mode 100644 index 000000000..b77fc81a9 --- /dev/null +++ b/datasets/malware/revil/inf1/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 7f5f611c-0480-4d17-a791-9f3eeb889231 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf1 +environment: attack_range +directory: inf1 +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/inf1/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/inf2/data.yml b/datasets/malware/revil/inf2/data.yml new file mode 100644 index 000000000..ee5d30793 --- /dev/null +++ b/datasets/malware/revil/inf2/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 1ce5665a-34ad-4b40-bc49-8cc912d6f7e8 +date: '2025-08-12' +description: Automatically categorized datasets in directory inf2 +environment: attack_range +directory: inf2 +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/inf2/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/msmpeng_side/data.yml b/datasets/malware/revil/msmpeng_side/data.yml new file mode 100644 index 000000000..4046249c5 --- /dev/null +++ b/datasets/malware/revil/msmpeng_side/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: cdb59580-27e5-4981-967d-787c294a197a +date: '2025-08-12' +description: Automatically categorized datasets in directory msmpeng_side +environment: attack_range +directory: msmpeng_side +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/msmpeng_side/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ryuk/data.yml b/datasets/malware/ryuk/data.yml new file mode 100644 index 000000000..6b8c9c503 --- /dev/null +++ b/datasets/malware/ryuk/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f7c6917e-9802-4aa3-8827-5eea353e3718 +date: '2025-08-12' +description: Automatically categorized datasets in directory ryuk +environment: attack_range +directory: ryuk +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/ryuk/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/snakemalware/data.yml b/datasets/malware/snakemalware/data.yml new file mode 100644 index 000000000..c3b9d520e --- /dev/null +++ b/datasets/malware/snakemalware/data.yml @@ -0,0 +1,25 @@ +author: Generated by dataset_analyzer.py +id: aa8e0ddb-5a15-4c51-8144-b8e7376885d9 +date: '2025-08-12' +description: Automatically categorized datasets in directory snakemalware +environment: attack_range +directory: snakemalware +mitre_technique: +- unknown +datasets: +- name: snake-service-windows-system + path: /datasets/malware/snakemalware/snake-service-windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: snake_crmlog-windows-sysmon + path: /datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: comadmin_windows-sysmon + path: /datasets/malware/snakemalware/comadmin_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: snake_malware_regblob-windows-sysmon + path: /datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/swift_slicer/data.yml b/datasets/malware/swift_slicer/data.yml new file mode 100644 index 000000000..bdcfd7b7f --- /dev/null +++ b/datasets/malware/swift_slicer/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 00309112-e1aa-46be-b58f-b63b5e1c6c81 +date: '2025-08-12' +description: Automatically categorized datasets in directory swift_slicer +environment: attack_range +directory: swift_slicer +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/swift_slicer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/exe_smbshare/data.yml b/datasets/malware/trickbot/exe_smbshare/data.yml new file mode 100644 index 000000000..8a28afb0d --- /dev/null +++ b/datasets/malware/trickbot/exe_smbshare/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 449bb7fa-ebe6-4e18-87cb-6c894ee087ad +date: '2025-08-12' +description: Automatically categorized datasets in directory exe_smbshare +environment: attack_range +directory: exe_smbshare +mitre_technique: +- unknown +datasets: +- name: windows-xml + path: /datasets/malware/trickbot/exe_smbshare/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/malware/trickbot/infection/data.yml b/datasets/malware/trickbot/infection/data.yml new file mode 100644 index 000000000..bdf65c95f --- /dev/null +++ b/datasets/malware/trickbot/infection/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 6a5af2f0-7155-40fd-b3c8-a472c6af4f7d +date: '2025-08-12' +description: Automatically categorized datasets in directory infection +environment: attack_range +directory: infection +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/infection/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/namedpipe/data.yml b/datasets/malware/trickbot/namedpipe/data.yml new file mode 100644 index 000000000..cd3826965 --- /dev/null +++ b/datasets/malware/trickbot/namedpipe/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: eeb7e54f-a581-4299-a4e4-02994fa5f060 +date: '2025-08-12' +description: Automatically categorized datasets in directory namedpipe +environment: attack_range +directory: namedpipe +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/namedpipe/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/spear_phish/data.yml b/datasets/malware/trickbot/spear_phish/data.yml new file mode 100644 index 000000000..f0db4052a --- /dev/null +++ b/datasets/malware/trickbot/spear_phish/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a3884890-e6a1-4fb5-a8ca-8e7f1cd4ced1 +date: '2025-08-12' +description: Automatically categorized datasets in directory spear_phish +environment: attack_range +directory: spear_phish +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/spear_phish/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/vilsel/data.yml b/datasets/malware/vilsel/data.yml new file mode 100644 index 000000000..925ee155c --- /dev/null +++ b/datasets/malware/vilsel/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: cdf3ca88-386a-4e0b-8bdc-bf9fb3d8f954 +date: '2025-08-12' +description: Automatically categorized datasets in directory vilsel +environment: attack_range +directory: vilsel +mitre_technique: +- unknown +datasets: +- name: windows-xml + path: /datasets/malware/vilsel/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: sysmon + path: /datasets/malware/vilsel/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/data.yml b/datasets/malware/winpeas/data.yml new file mode 100644 index 000000000..f8ab21f1f --- /dev/null +++ b/datasets/malware/winpeas/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 37287379-35fc-42c5-ae44-93be3a2d56ce +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas +environment: attack_range +directory: winpeas +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/winpeas/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/powershell/data.yml b/datasets/malware/winpeas/powershell/data.yml new file mode 100644 index 000000000..22c30cdb0 --- /dev/null +++ b/datasets/malware/winpeas/powershell/data.yml @@ -0,0 +1,17 @@ +author: Generated by dataset_analyzer.py +id: 0250c2e0-5319-4c34-bb07-96ee3e073478 +date: '2025-08-12' +description: Automatically categorized datasets in directory powershell +environment: attack_range +directory: powershell +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winpeas/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/malware/winpeas/powershell/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml b/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml new file mode 100644 index 000000000..2652a8445 --- /dev/null +++ b/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9fa6376e-abde-4b50-9772-9eb598d26b07 +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas_cmdkeylist +environment: attack_range +directory: winpeas_cmdkeylist +mitre_technique: +- unknown +datasets: +- name: cmdkey-sysmon + path: /datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_fsutil/data.yml b/datasets/malware/winpeas/winpeas_fsutil/data.yml new file mode 100644 index 000000000..ae16df2e0 --- /dev/null +++ b/datasets/malware/winpeas/winpeas_fsutil/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 8e39b5c9-5029-4316-a71c-b8f2eddd65af +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas_fsutil +environment: attack_range +directory: winpeas_fsutil +mitre_technique: +- unknown +datasets: +- name: fsutil-fsinfo-sysmon + path: /datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_private_key/data.yml b/datasets/malware/winpeas/winpeas_search_private_key/data.yml new file mode 100644 index 000000000..9ea4a80c9 --- /dev/null +++ b/datasets/malware/winpeas/winpeas_search_private_key/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 9103a09a-2a18-4684-a12d-1a9da9bd95c9 +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas_search_private_key +environment: attack_range +directory: winpeas_search_private_key +mitre_technique: +- unknown +datasets: +- name: dir-private-sysmon + path: /datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd/data.yml b/datasets/malware/winpeas/winpeas_search_pwd/data.yml new file mode 100644 index 000000000..7954eacaa --- /dev/null +++ b/datasets/malware/winpeas/winpeas_search_pwd/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: f83c84fd-9e69-4f6b-9864-cdf8abab4c5b +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas_search_pwd +environment: attack_range +directory: winpeas_search_pwd +mitre_technique: +- unknown +datasets: +- name: query-putty-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml b/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml new file mode 100644 index 000000000..7b71dbbd4 --- /dev/null +++ b/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: bacd1013-9944-4e34-a832-c998a0bfe57f +date: '2025-08-12' +description: Automatically categorized datasets in directory winpeas_search_pwd_db +environment: attack_range +directory: winpeas_search_pwd_db +mitre_technique: +- unknown +datasets: +- name: dir-db-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winter-vivern/pwh_exfiltration/data.yml b/datasets/malware/winter-vivern/pwh_exfiltration/data.yml new file mode 100644 index 000000000..e414a39f6 --- /dev/null +++ b/datasets/malware/winter-vivern/pwh_exfiltration/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d0187188-8f9b-4d20-9937-623fe7efbfd7 +date: '2025-08-12' +description: Automatically categorized datasets in directory pwh_exfiltration +environment: attack_range +directory: pwh_exfiltration +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/pwh_uploadstring/data.yml b/datasets/malware/winter-vivern/pwh_uploadstring/data.yml new file mode 100644 index 000000000..2e3aba3d8 --- /dev/null +++ b/datasets/malware/winter-vivern/pwh_uploadstring/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: 973b0e6e-b7e1-43d2-96b4-09ed980dd680 +date: '2025-08-12' +description: Automatically categorized datasets in directory pwh_uploadstring +environment: attack_range +directory: pwh_uploadstring +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/scheduledtask/data.yml b/datasets/malware/winter-vivern/scheduledtask/data.yml new file mode 100644 index 000000000..6a113f49c --- /dev/null +++ b/datasets/malware/winter-vivern/scheduledtask/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: d1f08808-6d55-4b49-a474-3eaebc198b72 +date: '2025-08-12' +description: Automatically categorized datasets in directory scheduledtask +environment: attack_range +directory: scheduledtask +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/winter-vivern/scheduledtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/xmrig_miner/data.yml b/datasets/malware/xmrig_miner/data.yml new file mode 100644 index 000000000..236d4132a --- /dev/null +++ b/datasets/malware/xmrig_miner/data.yml @@ -0,0 +1,13 @@ +author: Generated by dataset_analyzer.py +id: a99282ac-ea15-4392-bb8e-e6d81532e7b6 +date: '2025-08-12' +description: Automatically categorized datasets in directory xmrig_miner +environment: attack_range +directory: xmrig_miner +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/xmrig_miner/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational From 6432baab58de1571117d866b85e180250aeb8a77 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 12 Aug 2025 16:08:10 +0200 Subject: [PATCH 08/18] testing --- bin/rename_data.py | 216 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 216 insertions(+) create mode 100644 bin/rename_data.py diff --git a/bin/rename_data.py b/bin/rename_data.py new file mode 100644 index 000000000..053b25be4 --- /dev/null +++ b/bin/rename_data.py @@ -0,0 +1,216 @@ +#!/usr/bin/env python3 +""" +Script to analyze folders recursively and rename data.yml files. + +When a folder contains: +- A data.yml file +- Another yml file with a different name + +The script will: +1. Remove the other yml file first +2. Rename data.yml to match the folder name (folder_name.yml) +""" + +import argparse +import logging +from pathlib import Path +from typing import List, Tuple, Optional + + +def setup_logging(verbose: bool = False) -> None: + """Setup logging configuration.""" + level = logging.DEBUG if verbose else logging.INFO + logging.basicConfig( + level=level, + format='%(asctime)s - %(levelname)s - %(message)s', + datefmt='%Y-%m-%d %H:%M:%S' + ) + + +def find_yml_files(directory: Path) -> List[Path]: + """Find all yml/yaml files in a directory (not recursive).""" + yml_files = [] + for file_path in directory.iterdir(): + if file_path.is_file() and file_path.suffix.lower() in ['.yml', '.yaml']: + yml_files.append(file_path) + return yml_files + + +def analyze_directory(directory: Path) -> Optional[Tuple[Path, List[Path]]]: + """ + Analyze a directory for data.yml and other yml files. + + Returns: + Tuple of (data_yml_path, other_yml_files) if conditions are met, None otherwise + """ + yml_files = find_yml_files(directory) + + if len(yml_files) < 2: + return None + + data_yml = None + other_yml_files = [] + + for yml_file in yml_files: + if yml_file.name.lower() == 'data.yml': + data_yml = yml_file + else: + other_yml_files.append(yml_file) + + # Return only if we have data.yml and at least one other yml file + if data_yml and other_yml_files: + return (data_yml, other_yml_files) + + return None + + +def process_directory(directory: Path, dry_run: bool = False) -> bool: + """ + Process a directory that meets our criteria. + + Args: + directory: The directory to process + dry_run: If True, only log what would be done without actually doing it + + Returns: + True if processing was successful, False otherwise + """ + logger = logging.getLogger(__name__) + + result = analyze_directory(directory) + if not result: + return False + + data_yml, other_yml_files = result + folder_name = directory.name + new_yml_name = f"{folder_name}.yml" + new_yml_path = directory / new_yml_name + + logger.info(f"Processing directory: {directory}") + logger.info(f"Found data.yml: {data_yml}") + logger.info(f"Found other yml files: {[str(f) for f in other_yml_files]}") + + try: + # Step 1: Remove other yml files + for other_yml in other_yml_files: + if dry_run: + logger.info(f"[DRY RUN] Would remove: {other_yml}") + else: + logger.info(f"Removing: {other_yml}") + other_yml.unlink() + + # Step 2: Rename data.yml to folder name + if dry_run: + logger.info(f"[DRY RUN] Would rename {data_yml} to {new_yml_path}") + else: + logger.info(f"Renaming {data_yml} to {new_yml_path}") + data_yml.rename(new_yml_path) + + logger.info(f"Successfully processed directory: {directory}") + return True + + except Exception as e: + logger.error(f"Error processing directory {directory}: {e}") + return False + + +def scan_directory_recursive(root_directory: Path, dry_run: bool = False) -> \ + Tuple[int, int]: + """ + Recursively scan directories and process them. + + Returns: + Tuple of (directories_processed, errors_encountered) + """ + logger = logging.getLogger(__name__) + processed_count = 0 + error_count = 0 + + logger.info(f"Starting recursive scan of: {root_directory}") + + # Walk through all directories recursively + for current_dir in root_directory.rglob('*'): + if current_dir.is_dir(): + logger.debug(f"Checking directory: {current_dir}") + + try: + if process_directory(current_dir, dry_run): + processed_count += 1 + except Exception as e: + logger.error(f"Unexpected error processing {current_dir}: {e}") + error_count += 1 + + return processed_count, error_count + + +def main(): + """Main function to handle command line arguments and execute the script.""" + parser = argparse.ArgumentParser( + description="Recursively analyze folders and rename data.yml files", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + python rename_data.py /path/to/folder + python rename_data.py /path/to/folder --dry-run + python rename_data.py /path/to/folder --verbose + """ + ) + parser.add_argument( + 'folder', + type=str, + help='Path to the root folder to analyze' + ) + + parser.add_argument( + '--dry-run', + action='store_true', + help='Show what would be done without actually making changes' + ) + + parser.add_argument( + '--verbose', + action='store_true', + help='Enable verbose logging' + ) + + args = parser.parse_args() + + # Setup logging + setup_logging(args.verbose) + logger = logging.getLogger(__name__) + + # Validate input folder + root_path = Path(args.folder).resolve() + if not root_path.exists(): + logger.error(f"Error: The specified folder does not exist: {root_path}") + return 1 + + if not root_path.is_dir(): + logger.error(f"Error: The specified path is not a directory: {root_path}") + return 1 + + logger.info(f"Analyzing folder: {root_path}") + if args.dry_run: + logger.info("DRY RUN MODE - No changes will be made") + + # Process the directories + try: + processed_count, error_count = scan_directory_recursive(root_path, args.dry_run) + + logger.info("Scan completed!") + logger.info(f"Directories processed: {processed_count}") + if error_count > 0: + logger.warning(f"Errors encountered: {error_count}") + + return 0 if error_count == 0 else 1 + + except KeyboardInterrupt: + logger.info("Operation cancelled by user") + return 1 + except Exception as e: + logger.error(f"Unexpected error: {e}") + return 1 + + +if __name__ == "__main__": + exit(main()) From f8fac8e48733394978a40f87cab7dc36c18fe049 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 12 Aug 2025 16:14:16 +0200 Subject: [PATCH 09/18] testing --- bin/rename_data.py | 100 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 95 insertions(+), 5 deletions(-) diff --git a/bin/rename_data.py b/bin/rename_data.py index 053b25be4..fb1b36299 100644 --- a/bin/rename_data.py +++ b/bin/rename_data.py @@ -7,14 +7,16 @@ - Another yml file with a different name The script will: -1. Remove the other yml file first -2. Rename data.yml to match the folder name (folder_name.yml) +1. Copy metadata (author, id, date, description) from the other yml file to data.yml +2. Remove the other yml file +3. Rename data.yml to match the folder name (folder_name.yml) """ import argparse import logging +import yaml from pathlib import Path -from typing import List, Tuple, Optional +from typing import List, Tuple, Optional, Dict, Any def setup_logging(verbose: bool = False) -> None: @@ -36,6 +38,69 @@ def find_yml_files(directory: Path) -> List[Path]: return yml_files +def load_yaml_file(file_path: Path) -> Optional[Dict[str, Any]]: + """ + Load and parse a YAML file. + + Returns: + Dictionary containing the YAML data, or None if there was an error + """ + logger = logging.getLogger(__name__) + try: + with open(file_path, 'r', encoding='utf-8') as f: + return yaml.safe_load(f) + except Exception as e: + logger.error(f"Error loading YAML file {file_path}: {e}") + return None + + +def save_yaml_file(file_path: Path, data: Dict[str, Any]) -> bool: + """ + Save data to a YAML file. + + Returns: + True if successful, False otherwise + """ + logger = logging.getLogger(__name__) + try: + with open(file_path, 'w', encoding='utf-8') as f: + yaml.dump(data, f, default_flow_style=False, sort_keys=False, + allow_unicode=True) + return True + except Exception as e: + logger.error(f"Error saving YAML file {file_path}: {e}") + return False + + +def copy_metadata_fields(source_data: Dict[str, Any], target_data: Dict[str, Any]) \ + -> Dict[str, Any]: + """ + Copy metadata fields (author, id, date, description) from source to target. + + Args: + source_data: YAML data from the other yml file + target_data: YAML data from data.yml file + + Returns: + Updated target data with copied metadata + """ + logger = logging.getLogger(__name__) + metadata_fields = ['author', 'id', 'date', 'description'] + + updated_data = target_data.copy() + + for field in metadata_fields: + if field in source_data: + old_value = updated_data.get(field, 'N/A') + new_value = source_data[field] + logger.info(f"Copying {field}: '{old_value}' -> '{new_value}'") + updated_data[field] = new_value + else: + logger.warning(f"Field '{field}' not found in source file") + + return updated_data + + def analyze_directory(directory: Path) -> Optional[Tuple[Path, List[Path]]]: """ Analyze a directory for data.yml and other yml files. @@ -91,7 +156,32 @@ def process_directory(directory: Path, dry_run: bool = False) -> bool: logger.info(f"Found other yml files: {[str(f) for f in other_yml_files]}") try: - # Step 1: Remove other yml files + # Step 1: Copy metadata from other yml files to data.yml + data_yml_content = load_yaml_file(data_yml) + if not data_yml_content: + logger.error(f"Failed to load data.yml: {data_yml}") + return False + + # Process each other yml file and copy metadata + for other_yml in other_yml_files: + other_yml_content = load_yaml_file(other_yml) + if other_yml_content: + logger.info(f"Copying metadata from {other_yml.name} to data.yml") + data_yml_content = copy_metadata_fields( + other_yml_content, data_yml_content) + else: + logger.warning(f"Failed to load other yml file: {other_yml}") + + # Save the updated data.yml + if dry_run: + logger.info("[DRY RUN] Would update data.yml with copied metadata") + else: + logger.info("Updating data.yml with copied metadata") + if not save_yaml_file(data_yml, data_yml_content): + logger.error(f"Failed to save updated data.yml: {data_yml}") + return False + + # Step 2: Remove other yml files for other_yml in other_yml_files: if dry_run: logger.info(f"[DRY RUN] Would remove: {other_yml}") @@ -99,7 +189,7 @@ def process_directory(directory: Path, dry_run: bool = False) -> bool: logger.info(f"Removing: {other_yml}") other_yml.unlink() - # Step 2: Rename data.yml to folder name + # Step 3: Rename data.yml to folder name if dry_run: logger.info(f"[DRY RUN] Would rename {data_yml} to {new_yml_path}") else: From 269c98382624249521c9a985647283a355ac908b Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 12 Aug 2025 16:17:38 +0200 Subject: [PATCH 10/18] renaming data yml files --- bin/rename_data.py | 306 ------------------ .../atomic_red_team/atomic_red_team.yml | 43 +-- .../T1003.001/atomic_red_team/data.yml | 29 -- .../atomic_red_team/atomic_red_team.yml | 31 +- .../T1003.002/atomic_red_team/data.yml | 17 - .../T1003.002/serioussam/data.yml | 13 - .../T1003.002/serioussam/serioussam.yml | 16 +- .../atomic_red_team/atomic_red_team.yml | 34 +- .../T1003.003/atomic_red_team/data.yml | 21 -- .../T1003.004/NoLMHash/NoLMHash.yml | 16 +- .../T1003.004/NoLMHash/data.yml | 13 - .../impacket/{data.yml => impacket.yml} | 9 +- .../T1003.006/impacket/secretsdump.yml | 16 - .../T1003.006/mimikatz/dcsync.yml | 17 - .../mimikatz/{data.yml => mimikatz.yml} | 8 +- .../copy_file_stdoutpipe.yml | 14 +- .../T1003.008/copy_file_stdoutpipe/data.yml | 13 - .../linux_auditd_access_credential/data.yml | 17 - .../linux_auditd_access_credential.yml | 18 +- .../credential_extraction.yml | 24 +- .../T1003/credential_extraction/data.yml | 13 - .../T1003/wdigest_enable/data.yml | 13 - .../T1003/wdigest_enable/wdigest_enable.yml | 12 +- .../T1014/{data.yml => T1014.yml} | 8 +- datasets/attack_techniques/T1014/drivers.yml | 15 - .../linux_net_discovery/data.yml | 13 - .../linux_net_discovery.yml | 14 +- .../T1016/discovery_commands/data.yml | 13 - .../discovery_commands/discovery_commands.yml | 20 +- .../T1016/linux_auditd_net_tool/data.yml | 13 - .../linux_auditd_net_tool.yml | 14 +- .../T1016/linux_auditd_net_tool_new/data.yml | 13 - .../linux_auditd_net_tool_new.yml | 14 +- .../T1018/AD_discovery/AD_discovery.yml | 18 +- .../T1018/AD_discovery/data.yml | 13 - .../T1018/atomic_red_team/atomic_red_team.yml | 21 +- .../T1018/atomic_red_team/data.yml | 13 - .../T1020/{data.yml => T1020.yml} | 8 +- datasets/attack_techniques/T1020/rclone.yml | 16 - .../T1021.001/mstsc_rdp_cmd/data.yml | 13 - .../T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml | 14 +- .../remote_desktop_connection/data.yml | 13 - .../remote_desktop_connection.yml | 16 +- .../atomic_red_team/atomic_red_team.yml | 48 ++- .../T1021.002/atomic_red_team/data.yml | 36 --- .../T1021.002/executable_in_share/data.yml | 13 - .../executable_in_share.yml | 16 +- .../T1021.002/impacket_smbexec/data.yml | 13 - .../impacket_smbexec/impacket_smbexec.yml | 16 +- .../T1021.002/impacket_wmiexec/data.yml | 13 - .../impacket_wmiexec/impacket_wmiexec.yml | 16 +- .../T1021.003/impacket/data.yml | 13 - .../T1021.003/impacket/impacket.yml | 20 +- .../T1021.003/lateral_movement/data.yml | 21 -- .../lateral_movement/lateral_movement.yml | 32 +- .../lateral_movement_lolbas/data.yml | 13 - .../lateral_movement_lolbas.yml | 23 +- .../T1021.006/lateral_movement/data.yml | 13 - .../lateral_movement/lateral_movement.yml | 20 +- .../lateral_movement_lolbas/data.yml | 13 - .../lateral_movement_lolbas.yml | 22 +- .../T1021.006/lateral_movement_psh/data.yml | 17 - .../lateral_movement_psh.yml | 27 +- .../lateral_movement_pssession/data.yml | 13 - .../lateral_movement_pssession.yml | 18 +- .../T1027/FuckThatPacker/FuckThatPacker.yml | 24 +- .../T1027/FuckThatPacker/data.yml | 13 - .../T1027/atomic_red_team/atomic_red_team.yml | 26 +- .../T1027/atomic_red_team/data.yml | 13 - .../T1030/linux_auditd_split_b_exec/data.yml | 17 - .../linux_auditd_split_b_exec.yml | 18 +- .../T1030/linux_auditd_split_syscall/data.yml | 13 - .../linux_auditd_split_syscall.yml | 14 +- .../linux_auditd_split_syscall_new/data.yml | 13 - .../linux_auditd_split_syscall_new.yml | 14 +- .../T1033/AD_discovery/AD_discovery.yml | 23 +- .../T1033/AD_discovery/data.yml | 17 - .../T1033/atomic_red_team/atomic_red_team.yml | 20 +- .../T1033/atomic_red_team/data.yml | 13 - .../T1033/linux_auditd_whoami/data.yml | 13 - .../linux_auditd_whoami.yml | 14 +- .../T1033/linux_auditd_whoami_new/data.yml | 13 - .../linux_auditd_whoami_new.yml | 14 +- .../T1033/qakbot_discovery_cmdline/data.yml | 13 - .../qakbot_discovery_cmdline.yml | 16 +- .../T1033/whoami_priv/data.yml | 13 - .../T1033/whoami_priv/whoami_priv.yml | 16 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1036.003/atomic_red_team/data.yml | 13 - .../T1036.003/copy_sysmon/copy_sysmon.yml | 12 +- .../T1036.003/copy_sysmon/data.yml | 13 - .../T1036.003/mpcmdrun/data.yml | 13 - .../T1036.003/mpcmdrun/mpcmdrun.yml | 12 +- .../T1036.003/samsam_extension/data.yml | 13 - .../samsam_extension/samsam_extension.yml | 21 +- .../T1036/msdtc_process_param/data.yml | 13 - .../msdtc_process_param.yml | 16 +- .../T1036/suspicious_process_path/data.yml | 13 - .../suspicious_process_path.yml | 14 +- .../T1036/write_to_recycle_bin/data.yml | 13 - .../write_to_recycle_bin.yml | 20 +- .../T1037.001/logonscript_reg/data.yml | 13 - .../logonscript_reg/logonscript_reg.yml | 16 +- .../T1046/kubernetes_scanning/data.yml | 13 - .../kubernetes_scanning.yml | 14 +- .../T1047/atomic_red_team/atomic_red_team.yml | 33 +- .../T1047/atomic_red_team/data.yml | 21 -- .../T1047/execution_scrcons/data.yml | 13 - .../execution_scrcons/execution_scrcons.yml | 20 +- .../T1047/lateral_movement/data.yml | 13 - .../lateral_movement/lateral_movement.yml | 22 +- .../T1047/lateral_movement_lolbas/data.yml | 13 - .../lateral_movement_lolbas.yml | 21 +- .../T1047/wmi_impersonate/data.yml | 13 - .../T1047/wmi_impersonate/wmi_impersonate.yml | 16 +- .../cve-2023-23397/cve-2023-23397.yml | 14 +- .../T1048.003/cve-2023-23397/data.yml | 13 - .../T1048.003/long_dns_queries/data.yml | 13 - .../long_dns_queries/long_dns_queries.yml | 14 +- .../T1048.003/mass_file_creation/data.yml | 13 - .../mass_file_creation/mass_file_creation.yml | 14 +- .../T1048.003/nslookup_exfil/data.yml | 17 - .../nslookup_exfil/nslookup_exfil.yml | 18 +- .../T1048/ftp_connection/data.yml | 13 - .../T1048/ftp_connection/ftp_connection.yml | 13 +- .../T1049/AD_discovery/AD_discovery.yml | 19 +- .../T1049/AD_discovery/data.yml | 13 - .../T1053.002/at_execution/at_execution.yml | 14 +- .../T1053.002/at_execution/data.yml | 13 - .../{data.yml => lateral_movement.yml} | 9 +- .../lateral_movement/lateral_movemet.yml | 14 - .../T1053.002/linux_auditd_at/data.yml | 13 - .../linux_auditd_at/linux_auditd_at.yml | 14 +- .../linux_auditd_chown_root/data.yml | 17 - .../linux_auditd_chown_root.yml | 18 +- .../T1053.002/linux_new_auditd_at/data.yml | 13 - .../linux_new_auditd_at.yml | 14 +- .../cronjobs_entry/cronjobs_entry.yml | 18 +- .../T1053.003/cronjobs_entry/data.yml | 17 - .../crontab_edit_parameter.yml | 14 +- .../T1053.003/crontab_edit_parameter/data.yml | 13 - .../crontab_list_parameter.yml | 14 +- .../T1053.003/crontab_list_parameter/data.yml | 13 - .../linux_auditd_cron_file_audited/data.yml | 13 - .../linux_auditd_cron_file_audited.yml | 14 +- .../linux_auditd_crontab_edit/data.yml | 13 - .../linux_auditd_crontab_edit.yml | 14 +- .../linux_auditd_crontab_edit_new/data.yml | 13 - .../linux_auditd_crontab_edit_new.yml | 14 +- .../asyncrat_highest_priv_schtasks.yml | 16 +- .../asyncrat_highest_priv_schtasks/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 32 +- .../T1053.005/atomic_red_team/data.yml | 21 -- .../T1053.005/lateral_movement/data.yml | 13 - .../lateral_movement/lateral_movement.yml | 20 +- .../lateral_movement_lolbas/data.yml | 13 - .../lateral_movement_lolbas.yml | 20 +- .../T1053.005/schtask_shutdown/data.yml | 13 - .../schtask_shutdown/schtask_shutdown.yml | 20 +- .../T1053.005/schtask_system/data.yml | 13 - .../schtask_system/schtask_system.yml | 14 +- .../T1053.005/schtasks/schtask.yml | 14 - .../schtasks/{data.yml => schtasks.yml} | 9 +- .../T1053.005/taskschedule/data.yml | 17 - .../T1053.005/taskschedule/taskschedule.yml | 22 +- .../windows_taskschedule/taskschedule.yml | 13 - .../{data.yml => windows_taskschedule.yml} | 8 +- .../windows-xml.yml | 14 - ...vent_scheduled_task_with_suspect_name.yml} | 8 +- .../T1053.006/linux_services_restart/data.yml | 13 - .../linux_services_restart.yml | 14 +- .../T1053.006/service_systemd/data.yml | 13 - .../service_systemd/service_systemd.yml | 14 +- .../data.yml | 13 - .../kubernetes_audit_cron_job_creation.yml | 14 +- .../T1055.001/rasautou/data.yml | 13 - .../T1055.001/rasautou/rasautou.yml | 17 +- .../T1055/cobalt_strike/cobalt_strike.yml | 25 +- .../T1055/cobalt_strike/data.yml | 21 -- .../attack_techniques/T1055/msra/data.yml | 17 - .../attack_techniques/T1055/msra/msra.yml | 21 +- .../T1055/sliver/{data.yml => sliver.yml} | 8 +- .../T1055/sliver/sliverc2.yml | 17 - .../process_commandline_discovery/data.yml | 13 - .../process_commandline_discovery.yml | 16 +- .../asyncrat_crypto_pwh_namespace.yml | 16 +- .../asyncrat_crypto_pwh_namespace/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 57 ++-- .../T1059.001/atomic_red_team/data.yml | 41 --- .../T1059.001/encoded_powershell/data.yml | 25 -- .../encoded_powershell/encoded_powershell.yml | 29 +- .../T1059.001/exchange/data.yml | 17 - .../T1059.001/exchange/exchange.yml | 23 +- .../T1059.001/hidden_powershell/data.yml | 13 - .../hidden_powershell/hidden_powershell.yml | 21 +- .../import_applocker_policy/data.yml | 13 - .../import_applocker_policy.yml | 14 +- .../malicious_cmd_line_samples/data.yml | 13 - .../malicious_cmd_line_samples.yml | 14 +- .../T1059.001/obfuscated_powershell/data.yml | 13 - .../obfuscated_powershell.yml | 15 +- .../powershell_execution_policy/data.yml | 13 - .../powershell_execution_policy.yml | 20 +- .../powershell_remotesigned/data.yml | 21 -- .../powershell_remotesigned.yml | 25 +- ...ml => powershell_script_block_logging.yml} | 8 +- .../script_block_logging.yml | 19 -- .../T1059.001/powershell_testing/data.yml | 13 - .../powershell_testing/powershell_testing.yml | 21 +- .../powershell_xml_requests/data.yml | 13 - .../powershell_xml_requests.yml | 20 +- .../T1059.001/sharphound/data.yml | 13 - .../T1059.001/sharphound/sharphound.yml | 16 +- .../T1059.001/soaphound/data.yml | 13 - .../T1059.001/soaphound/soaphound.yml | 14 +- .../unmanaged_powershell_execution/data.yml | 13 - .../unmanaged_powershell_execution.yml | 19 +- .../atomic_red_team/atomic_red_team.yml | 16 +- .../T1059.003/atomic_red_team/data.yml | 13 - .../cmd_spawns_cscript/cmd_spawns_cscript.yml | 20 +- .../T1059.003/cmd_spawns_cscript/data.yml | 13 - .../T1059.003/powershell_spawn_cmd/data.yml | 13 - .../powershell_spawn_cmd.yml | 20 +- .../T1059.003/ryuk/{data.yml => ryuk.yml} | 9 +- .../T1059.003/ryuk/ryuk_cmdline.yml | 12 - .../T1059.004/linux_discovery_tools/data.yml | 13 - .../linux_discovery_tools.yml | 18 +- .../T1059.005/discord_dnsquery/data.yml | 13 - .../discord_dnsquery/discord_dnsquery.yml | 14 +- .../T1059.005/vbs_wscript/data.yml | 13 - .../T1059.005/vbs_wscript/vbs_wscript.yml | 16 +- .../attack_techniques/T1059/autoit/autoit.yml | 16 +- .../attack_techniques/T1059/autoit/data.yml | 13 - .../T1059/metasploit/data.yml | 13 - .../T1059/metasploit/metasploit.yml | 19 +- .../T1059/path_traversal/data.yml | 13 - .../T1059/path_traversal/path_traversal.yml | 14 +- .../suspiciously_named_executables/data.yml | 13 - .../suspiciously_named_executables.yml | 17 +- .../attack_techniques/T1068/drivers/data.yml | 17 - .../T1068/drivers/drivers.yml | 26 +- .../windows_escalation_behavior/data.yml | 13 - .../windows_escalation_behavior.yml | 27 +- .../T1068/zoom_child_process/data.yml | 13 - .../zoom_child_process/zoom_child_process.yml | 20 +- .../{data.yml => atomic_red_team.yml} | 8 +- .../atomic_red_team/local_groups.yml | 11 - .../T1069.002/AD_discovery/AD_discovery.yml | 42 ++- .../T1069.002/AD_discovery/data.yml | 33 -- .../atomic_red_team/atomic_red_team.yml | 22 +- .../T1070.001/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 20 +- .../T1070.005/atomic_red_team/data.yml | 13 - .../T1070/atomic_red_team/atomic_red_team.yml | 20 +- .../T1070/atomic_red_team/data.yml | 13 - .../T1070/fsutil_file_zero/data.yml | 13 - .../fsutil_file_zero/fsutil_file_zero.yml | 14 +- .../data.yml | 13 - .../remove_windows_security_event_log.yml | 16 +- .../T1071.002/outbound_smb_traffic/data.yml | 13 - .../outbound_smb_traffic.yml | 16 +- .../account_lockout/account_lockout.yml | 29 +- .../T1078.002/account_lockout/data.yml | 21 -- .../powerview_acl_enumeration/data.yml | 13 - .../powerview_acl_enumeration.yml | 20 +- ...re_ad_service_principal_authentication.yml | 22 +- .../data.yml | 13 - .../azure_automation_runbook.yml | 22 +- .../azure_automation_runbook/data.yml | 13 - .../azure_runbook_webhook.yml | 24 +- .../T1078.004/azure_runbook_webhook/data.yml | 13 - .../T1078.004/azuread/azuread.yml | 23 +- .../T1078.004/azuread/data.yml | 13 - .../T1078.004/azuread_pws/azuread_pws.yml | 22 +- .../T1078.004/azuread_pws/data.yml | 13 - .../T1078.004/gcp_single_factor_auth/data.yml | 13 - .../gcp_single_factor_auth.yml | 21 +- .../data.yml | 13 - ...ecurity_and_compliance_alert_triggered.yml | 20 +- .../okta_single_factor_auth/data.yml | 13 - .../okta_single_factor_auth.yml | 18 +- .../data.yml | 13 - .../okta_threatinsight_threat_detected.yml | 19 +- .../aws_create_policy_version.yml | 22 +- .../T1078/aws_create_policy_version/data.yml | 17 - .../aws_createaccesskey.yml | 24 +- .../T1078/aws_createaccesskey/data.yml | 17 - .../aws_createloginprofile.yml | 23 +- .../T1078/aws_createloginprofile/data.yml | 13 - ..._access_by_provider_user_and_principal.yml | 16 +- .../data.yml | 12 - .../aws_saml_update_identity_provider.yml | 17 +- .../data.yml | 13 - .../aws_setdefaultpolicyversion.yml | 17 +- .../aws_setdefaultpolicyversion/data.yml | 13 - .../aws_updateloginprofile.yml | 21 +- .../T1078/aws_updateloginprofile/data.yml | 17 - ...ad_multiple_appids_and_useragents_auth.yml | 16 +- .../data.yml | 13 - .../T1078/defaultaccount/data.yml | 13 - .../T1078/defaultaccount/defaultaccount.yml | 14 +- .../o365_excessive_sso_logon_errors/data.yml | 13 - .../o365_excessive_sso_logon_errors.yml | 17 +- .../data.yml | 13 - ...65_multiple_appids_and_useragents_auth.yml | 16 +- .../data.yml | 13 - ...a_suspicious_activity_reported_by_user.yml | 19 +- .../special_logon_on_mulitple_hosts/data.yml | 13 - .../special_logon_on_mulitple_hosts.yml | 20 +- .../T1078/update_saml_provider/data.yml | 13 - .../update_saml_provider.yml | 16 +- .../T1082/atomic_red_team/atomic_red_team.yml | 23 +- .../T1082/atomic_red_team/data.yml | 13 - .../T1082/linux_auditd_lsmod/data.yml | 13 - .../linux_auditd_lsmod/linux_auditd_lsmod.yml | 14 +- .../T1082/linux_auditd_lsmod_new/data.yml | 13 - .../linux_auditd_lsmod_new.yml | 14 +- .../T1083/linux_auditd_find_db/data.yml | 13 - .../linux_auditd_find_db.yml | 14 +- .../T1083/linux_auditd_find_document/data.yml | 17 - .../linux_auditd_find_document.yml | 18 +- .../linux_auditd_find_virtual_disk/data.yml | 17 - .../linux_auditd_find_virtual_disk.yml | 18 +- .../T1083/linux_auditd_hidden_file/data.yml | 17 - .../linux_auditd_hidden_file.yml | 18 +- .../T1087.001/AD_discovery/AD_discovery.yml | 22 +- .../T1087.001/AD_discovery/data.yml | 17 - .../T1087.002/AD_discovery/AD_discovery.yml | 40 ++- .../T1087.002/AD_discovery/data.yml | 33 -- .../adsi_discovery/adsi_discovery.yml | 22 +- .../T1087.002/adsi_discovery/data.yml | 21 -- .../blackmatter_schcache.yml | 15 +- .../T1087.002/blackmatter_schcache/data.yml | 13 - .../T1087.004/azurehound/azurehound.yml | 16 +- .../T1087.004/azurehound/data.yml | 13 - .../T1087.004/okta_unauth_access/data.yml | 13 - .../okta_unauth_access/okta_unauth_access.yml | 19 +- .../T1090.001/netsh_portproxy/data.yml | 13 - .../netsh_portproxy/netsh_portproxy.yml | 16 +- ...azure_ad_service_principal_credentials.yml | 24 +- .../data.yml | 13 - .../data.yml | 13 - .../o365_service_principal_credentials.yml | 24 +- .../okta_new_api_token_created/data.yml | 13 - .../okta_new_api_token_created.yml | 21 +- .../data.yml | 12 - ...full_access_as_app_permission_assigned.yml | 16 +- .../data.yml | 12 - ...full_access_as_app_permission_assigned.yml | 16 +- .../o365_mailbox_folder_read_granted/data.yml | 13 - .../o365_mailbox_folder_read_granted.yml | 19 +- .../azure_ad_admin_consent.yml | 25 +- .../T1098.003/azure_ad_admin_consent/data.yml | 13 - .../azure_ad_assign_global_administrator.yml | 19 +- .../data.yml | 13 - .../azure_ad_assign_privileged_role.yml | 19 +- .../azure_ad_assign_privileged_role/data.yml | 13 - .../azure_ad_bypass_admin_consent.yml | 19 +- .../azure_ad_bypass_admin_consent/data.yml | 13 - .../azure_ad_pim_role_activated.yml | 17 +- .../azure_ad_pim_role_activated/data.yml | 13 - ...zure_ad_privileged_graph_perm_assigned.yml | 23 +- .../data.yml | 13 - ...re_ad_privileged_role_serviceprincipal.yml | 18 +- .../data.yml | 13 - .../azure_ad_spn_privesc.yml | 20 +- .../T1098.003/azure_ad_spn_privesc/data.yml | 13 - .../T1098.003/o365_admin_consent/data.yml | 13 - .../o365_admin_consent/o365_admin_consent.yml | 25 +- .../o365_bypass_admin_consent/data.yml | 13 - .../o365_bypass_admin_consent.yml | 19 +- .../T1098.003/o365_grant_mail_read/data.yml | 13 - .../o365_grant_mail_read.yml | 24 +- .../o365_high_priv_role_assigned/data.yml | 13 - .../o365_high_priv_role_assigned.yml | 24 +- .../data.yml | 13 - .../o365_privileged_graph_perm_assigned.yml | 23 +- .../T1098.003/o365_spn_privesc/data.yml | 13 - .../o365_spn_privesc/o365_spn_privesc.yml | 20 +- .../T1098.004/linux_auditd_nopasswd/data.yml | 13 - .../linux_auditd_nopasswd.yml | 14 +- .../T1098.004/ssh_authorized_keys/data.yml | 17 - .../ssh_authorized_keys.yml | 19 +- .../azure_ad_register_new_mfa_method.yml | 22 +- .../azure_ad_register_new_mfa_method/data.yml | 13 - .../o365_register_new_mfa_method/data.yml | 13 - .../o365_register_new_mfa_method.yml | 22 +- .../okta_new_device_enrolled/data.yml | 13 - .../okta_new_device_enrolled.yml | 21 +- .../account_manipulation.yml | 24 +- .../T1098/account_manipulation/data.yml | 13 - .../azure_ad_add_serviceprincipal_owner.yml | 21 +- .../data.yml | 13 - .../azure_ad_enable_and_reset.yml | 21 +- .../T1098/azure_ad_enable_and_reset/data.yml | 13 - .../azure_ad_set_immutableid.yml | 26 +- .../T1098/azure_ad_set_immutableid/data.yml | 13 - .../T1098/dnsadmins_member_added/data.yml | 13 - .../dnsadmins_member_added.yml | 16 +- .../{data.yml => dsrm_account.yml} | 11 +- .../dsrm_account_manipulation.yml | 16 - .../o365_add_app_registration_owner/data.yml | 13 - .../o365_add_app_registration_owner.yml | 22 +- .../T1098/o365_azure_workload_events/data.yml | 13 - .../o365_azure_workload_events.yml | 40 +-- .../service_principal_name_added/data.yml | 13 - .../service_principal_name_added.yml | 18 +- .../data.yml | 13 - .../short_lived_service_principal_name.yml | 18 +- .../data.yml | 13 - .../windows_multiple_accounts_deleted.yml | 14 +- .../data.yml | 13 - .../windows_multiple_accounts_disabled.yml | 14 +- .../data.yml | 13 - .../windows_multiple_passwords_changed.yml | 14 +- .../T1105/atomic_red_team/atomic_red_team.yml | 38 +-- .../T1105/atomic_red_team/data.yml | 25 -- .../aws_login_failure/aws_login_failure.yml | 14 +- .../T1110.001/aws_login_failure/data.yml | 13 - ...ber_of_failed_authentications_for_user.yml | 22 +- .../data.yml | 13 - ...sful_authentication_from_different_ips.yml | 22 +- .../data.yml | 13 - .../data.yml | 13 - ...5_high_number_authentications_for_user.yml | 22 +- .../T1110.001/rdp_brute_sysmon/data.yml | 13 - .../rdp_brute_sysmon/rdp_brute_sysmon.yml | 12 +- .../aws_rds_password_reset.yml | 21 +- .../T1110.002/aws_rds_password_reset/data.yml | 17 - .../aws_mulitple_failed_console_login.yml | 20 +- .../data.yml | 13 - .../azure_ad_distributed_spray.yml | 29 +- .../azure_ad_distributed_spray/data.yml | 13 - .../azuread_highrisk/azuread_highrisk.yml | 25 +- .../T1110.003/azuread_highrisk/data.yml | 13 - .../gcp_gws_multiple_login_failure/data.yml | 13 - .../gcp_gws_multiple_login_failure.yml | 19 +- .../T1110.003/o365_distributed_spray/data.yml | 13 - .../o365_distributed_spray.yml | 26 +- .../o365_multiple_users_from_ip/data.yml | 13 - .../o365_multiple_users_from_ip.yml | 23 +- .../okta_multiple_users_from_ip/data.yml | 13 - .../okta_multiple_users_from_ip.yml | 18 +- .../password_spraying_azuread/data.yml | 13 - .../password_spraying_azuread.yml | 23 +- .../data.yml | 13 - ...plesharp_explicit_credential_spray_xml.yml | 20 +- .../data.yml | 13 - ...purplesharp_invalid_users_kerberos_xml.yml | 18 +- .../data.yml | 13 - .../purplesharp_invalid_users_ntlm_xml.yml | 18 +- .../data.yml | 13 - ...esharp_multiple_users_from_process_xml.yml | 18 +- .../purplesharp_remote_spray_xml/data.yml | 13 - .../purplesharp_remote_spray_xml.yml | 18 +- .../data.yml | 13 - .../purplesharp_valid_users_kerberos_xml.yml | 18 +- .../purplesharp_valid_users_ntlm_xml/data.yml | 13 - .../purplesharp_valid_users_ntlm_xml.yml | 18 +- .../data.yml | 13 - .../local_administrator_cred_stuffing.yml | 19 +- .../azure_mfasweep_events.yml | 27 +- .../T1110/azure_mfasweep_events/data.yml | 13 - .../T1110/o365_brute_force_login/data.yml | 13 - .../o365_brute_force_login.yml | 15 +- .../okta_multiple_accounts_lockout/data.yml | 13 - .../okta_multiple_accounts_lockout.yml | 19 +- .../AuthenticationLevelOverride.yml | 16 +- .../AuthenticationLevelOverride/data.yml | 13 - .../T1112/atomic_red_team/atomic_red_team.yml | 37 ++- .../T1112/atomic_red_team/data.yml | 25 -- .../enablelinkedconnections/data.yml | 13 - .../enablelinkedconnections.yml | 16 +- .../T1112/blackbyte/longpathsenabled/data.yml | 13 - .../longpathsenabled/longpathsenabled.yml | 16 +- .../T1112/disable_notif_center/data.yml | 13 - .../disable_notif_center.yml | 14 +- .../T1112/firewall_modify_delete/data.yml | 15 - .../firewall_modify_delete.yml | 16 +- .../T1112/minint_reg/data.yml | 13 - .../T1112/minint_reg/minint_reg.yml | 12 +- .../T1112/ransomware_disable_reg/data.yml | 13 - .../ransomware_disable_reg.yml | 14 +- .../T1112/shimcache_flush/data.yml | 13 - .../T1112/shimcache_flush/shimcache_flush.yml | 12 +- .../data.yml | 13 - ...365_compliance_content_search_exported.yml | 18 +- .../data.yml | 13 - ...o365_compliance_content_search_started.yml | 18 +- .../o365_inbox_shared_with_all_users/data.yml | 13 - .../o365_inbox_shared_with_all_users.yml | 21 +- .../data.yml | 12 - ...65_multiple_mailboxes_accessed_via_api.yml | 20 +- .../data.yml | 13 - .../o365_oauth_app_ews_mailbox_access.yml | 21 +- .../data.yml | 13 - .../o365_oauth_app_graph_mailbox_access.yml | 21 +- .../data.yml | 13 - .../o365_email_forwarding_rule_created.yml | 20 +- .../o365_email_forwarding_rule.yml | 12 - ...ml => o365_mailbox_forwarding_enabled.yml} | 8 +- .../T1114/o365_export_pst_file/data.yml | 13 - .../o365_export_pst_file.yml | 15 +- .../data.yml | 13 - ...5_new_forwarding_mailflow_rule_created.yml | 17 +- .../T1114/o365_suspect_email_actions/data.yml | 17 - .../o365_suspect_email_actions.yml | 32 +- .../T1115/linux_auditd_xclip/data.yml | 17 - .../linux_auditd_xclip/linux_auditd_xclip.yml | 18 +- .../T1127.001/{data.yml => T1127.001.yml} | 8 +- .../T1127.001/atomic_red_team.yml | 13 - .../T1127.001/regsvr32_silent/data.yml | 13 - .../regsvr32_silent/regsvr32_silent.yml | 14 +- .../T1127/atomic_red_team/atomic_red_team.yml | 16 +- .../T1127/atomic_red_team/data.yml | 13 - .../T1127/etw_disable/data.yml | 13 - .../T1127/etw_disable/etw_disable.yml | 12 +- .../T1134.005/mimikatz/data.yml | 13 - .../T1134.005/mimikatz/mimikatz.yml | 15 + .../T1134.005/mimikatz/sid_history.yml | 12 - .../T1134.005/sid_history2/data.yml | 13 - .../T1134.005/sid_history2/sid_history2.yml | 19 +- .../T1135/ipc_share_accessed/data.yml | 13 - .../ipc_share_accessed/ipc_share_accessed.yml | 19 +- .../data.yml | 13 - .../large_number_computer_service_tickets.yml | 20 +- .../T1135/net_share/data.yml | 13 - .../T1135/net_share/net_share.yml | 19 +- .../net_share_discovery_via_dir/data.yml | 15 - .../net_share_discovery_via_dir.yml | 18 +- .../T1135/powerview_sharefinder/data.yml | 13 - .../powerview_sharefinder.yml | 19 +- .../data.yml | 13 - .../rapid_authentication_multiple_hosts.yml | 19 +- .../atomic_red_team/atomic_red_team.yml | 48 +-- .../T1136.001/atomic_red_team/data.yml | 33 -- .../T1136.001/linux_auditd_add_user/data.yml | 17 - .../linux_auditd_add_user.yml | 18 +- .../linux_auditd_add_user_type/data.yml | 13 - .../linux_auditd_add_user_type.yml | 14 +- .../azure_ad_add_service_principal.yml | 20 +- .../azure_ad_add_service_principal/data.yml | 13 - .../azure_ad_external_guest_user_invited.yml | 21 +- .../data.yml | 13 - ...ad_multiple_service_principals_created.yml | 19 +- .../data.yml | 13 - .../azure_automation_account.yml | 22 +- .../azure_automation_account/data.yml | 13 - .../data.yml | 13 - ...365_add_app_role_assignment_grant_user.yml | 17 +- .../o365_add_service_principal/data.yml | 13 - .../o365_add_service_principal.yml | 16 +- .../o365_added_service_principal/data.yml | 17 - .../o365_added_service_principal.yml | 21 +- .../data.yml | 13 - ...65_multiple_service_principals_created.yml | 19 +- .../o365_new_federated_domain/data.yml | 13 - .../o365_new_federated_domain.yml | 16 +- .../o365_new_federated_domain_added/data.yml | 17 - .../o365_new_federated_domain_added.yml | 21 +- .../T1136.003/o365_new_federation/data.yml | 13 - .../o365_new_federation.yml | 16 +- .../T1140/atomic_red_team/atomic_red_team.yml | 17 +- .../T1140/atomic_red_team/data.yml | 13 - .../T1140/linux_auditd_base64/data.yml | 17 - .../linux_auditd_base64.yml | 18 +- ...concurrent_sessions_from_different_ips.yml | 24 +- .../data.yml | 13 - ...concurrent_sessions_from_different_ips.yml | 24 +- .../data.yml | 13 - .../data.yml | 13 - ...concurrent_sessions_from_different_ips.yml | 24 +- .../T1187/petitpotam/data.yml | 17 - .../T1187/petitpotam/petitpotam.yml | 23 +- .../T1189/dyn_dns_site/data.yml | 13 - .../T1189/dyn_dns_site/dyn_dns_site.yml | 14 +- .../T1189/splunk/{data.yml => splunk.yml} | 8 +- .../T1189/splunk/svd-2024-1011.yml | 11 - .../T1189/xss/splunk_web_access.yml | 11 - .../T1189/xss/{data.yml => xss.yml} | 9 +- .../T1190/{data.yml => T1190.yml} | 8 +- .../attack_techniques/T1190/citrix/citrix.yml | 28 +- .../attack_techniques/T1190/citrix/data.yml | 19 -- .../T1190/confluence/confluence.yml | 32 +- .../T1190/confluence/data.yml | 22 -- .../T1190/crushftp/crushftp.yml | 31 +- .../attack_techniques/T1190/crushftp/data.yml | 21 -- .../attack_techniques/T1190/ivanti/data.yml | 39 --- .../attack_techniques/T1190/ivanti/ivanti.yml | 54 ++-- .../attack_techniques/T1190/java/data.yml | 12 - .../attack_techniques/T1190/java/java.yml | 19 +- .../attack_techniques/T1190/jenkins/data.yml | 12 - .../T1190/jenkins/jenkins.yml | 22 +- .../attack_techniques/T1190/juniper/data.yml | 13 - .../T1190/juniper/juniper.yml | 18 +- .../attack_techniques/T1190/magento/data.yml | 12 - .../T1190/magento/magento.yml | 13 +- .../T1190/outbound_java/data.yml | 13 - .../T1190/outbound_java/outbound_java.yml | 18 +- .../attack_techniques/T1190/papercut/data.yml | 17 - .../T1190/papercut/papercut.yml | 25 +- .../attack_techniques/T1190/proxyshell.yml | 14 - .../T1190/proxyshell/data.yml | 13 - .../T1190/proxyshell/proxyshell.yml | 28 +- .../attack_techniques/T1190/pswa/data.yml | 12 - .../attack_techniques/T1190/pswa/pswa.yml | 18 +- datasets/attack_techniques/T1190/sap/data.yml | 17 - datasets/attack_techniques/T1190/sap/sap.yml | 20 +- .../T1190/screenconnect/data.yml | 20 -- .../T1190/screenconnect/screenconnect.yml | 29 +- .../T1190/sharepoint/data.yml | 12 - .../T1190/sharepoint/sharepoint.yml | 16 +- .../attack_techniques/T1190/splunk/data.yml | 12 - .../T1190/splunk/log_injection.yml | 12 - .../attack_techniques/T1190/splunk/splunk.yml | 16 + .../T1190/spring4shell/data.yml | 12 - .../T1190/spring4shell/spring4shell.yml | 21 +- .../T1190/text4shell/data.yml | 12 - .../T1190/text4shell/text4shell.yml | 18 +- .../attack_techniques/T1190/tomcat/data.yml | 12 - .../attack_techniques/T1190/tomcat/tomcat.yml | 15 +- .../T1195.002/3CX/{data.yml => 3CX.yml} | 8 +- .../T1195.002/3CX/3cx_supply_chain.yml | 14 - .../T1197/atomic_red_team/atomic_red_team.yml | 29 +- .../T1197/atomic_red_team/data.yml | 17 - .../T1200/linux_auditd_swapoff/data.yml | 17 - .../linux_auditd_swapoff.yml | 18 +- .../T1200/sysmon_usb_use_execution/data.yml | 13 - .../sysmon_usb_use_execution.yml | 27 +- .../T1201/pwd_policy_discovery/data.yml | 17 - .../pwd_policy_discovery.yml | 24 +- .../T1202/atomic_red_team/atomic_red_team.yml | 22 +- .../T1202/atomic_red_team/data.yml | 17 - .../atomic_red_team/atomic_red_team.yml | 20 +- .../T1204.002/atomic_red_team/data.yml | 13 - .../batch_file_in_system32.yml | 20 +- .../T1204.002/batch_file_in_system32/data.yml | 13 - .../T1204.002/single_letter_exe/data.yml | 13 - .../single_letter_exe/single_letter_exe.yml | 20 +- .../aws_ecr_container_upload.yml | 20 +- .../aws_ecr_container_upload/data.yml | 17 - .../aws_ecr_image_scanning.yml | 17 +- .../T1204.003/aws_ecr_image_scanning/data.yml | 13 - .../risk_dataset/aws_ecr_risk_dataset.yml | 11 - .../{data.yml => risk_dataset.yml} | 9 +- .../aws_updatelambdafunctioncode.yml | 15 +- .../aws_updatelambdafunctioncode/data.yml | 13 - .../failed_login_service_account_ad/data.yml | 13 - .../failed_login_service_account_ad.yml | 16 +- .../data.yml | 13 - .../kubernetes_audit_daemonset_created.yml | 14 +- .../kubernetes_falco_shell_spawned/data.yml | 13 - .../kubernetes_falco_shell_spawned.yml | 14 +- .../T1204/kubernetes_privileged_pod/data.yml | 13 - .../kubernetes_privileged_pod.yml | 14 +- .../kubernetes_unauthorized_access/data.yml | 13 - .../kubernetes_unauthorized_access.yml | 14 +- .../T1204/rare_executables/data.yml | 13 - .../rare_executables/rare_executables.yml | 16 +- .../attack_techniques/T1207/dc_promo/data.yml | 13 - .../T1207/dc_promo/dc_promo.yml | 16 +- .../T1207/mimikatz/dcshadow.yml | 16 - .../T1207/mimikatz/{data.yml => mimikatz.yml} | 8 +- .../T1207/short_lived_server_object/data.yml | 13 - .../short_lived_server_object.yml | 16 +- .../kubernetes_nginx_lfi_attack/data.yml | 12 - .../kubernetes_nginx_lfi_attack.yml | 16 +- .../kubernetes_nginx_rfi_attack.yml | 11 - ...ta.yml => kuberntest_nginx_rfi_attack.yml} | 9 +- .../o365_sus_sharepoint_search/data.yml | 13 - .../o365_sus_sharepoint_search.yml | 29 +- .../T1216/atomic_red_team/atomic_red_team.yml | 24 +- .../T1216/atomic_red_team/data.yml | 17 - .../atomic_red_team/atomic_red_team.yml | 28 +- .../T1218.001/atomic_red_team/data.yml | 21 -- .../atomic_red_team/atomic_red_team.yml | 17 +- .../T1218.002/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 19 +- .../T1218.004/atomic_red_team/data.yml | 17 - .../atomic_red_team/atomic_red_team.yml | 26 +- .../T1218.005/atomic_red_team/data.yml | 17 - .../T1218.005/mshta_in_registry/data.yml | 17 - .../mshta_in_registry/mshta_in_registry.yml | 20 +- .../atomic_red_team/atomic_red_team.yml | 26 +- .../T1218.007/atomic_red_team/data.yml | 17 - .../atomic_red_team/atomic_red_team.yml | 27 +- .../T1218.008/atomic_red_team/data.yml | 21 -- .../atomic_red_team/atomic_red_team.yml | 15 +- .../T1218.009/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1218.010/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 26 +- .../T1218.011/atomic_red_team/data.yml | 17 - .../T1218.012/verclsid_exec/data.yml | 13 - .../T1218.012/verclsid_exec/verclsid_exec.yml | 12 +- .../atomic_red_team/atomic_red_team.yml | 17 +- .../T1218.013/atomic_red_team/data.yml | 13 - .../T1218/bitlockertogo/bitlockertogo.yml | 21 +- .../T1218/bitlockertogo/data.yml | 17 - .../T1218/diskshadow/data.yml | 13 - .../T1218/diskshadow/diskshadow.yml | 16 +- .../attack_techniques/T1218/eviltwin/data.yml | 13 - .../T1218/eviltwin/eviltwin.yml | 14 +- .../T1219/atomic_red_team/atomic_red_team.yml | 17 +- .../T1219/atomic_red_team/data.yml | 13 - .../T1219/screenconnect/data.yml | 13 - .../T1219/screenconnect/screenconnect.yml | 33 +- .../T1219/teamviewer/data.yml | 13 - .../T1219/teamviewer/teamviewer.yml | 24 +- .../T1220/atomic_red_team/atomic_red_team.yml | 17 +- .../T1220/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1222.001/atomic_red_team/data.yml | 13 - .../T1222.001/dacl_abuse/dacl_abuse.yml | 53 ++- .../T1222.001/dacl_abuse/data.yml | 41 --- .../T1222.001/subinacl/data.yml | 13 - .../T1222.001/subinacl/subinacl.yml | 18 +- .../T1222.002/linux_auditd_chattr_i/data.yml | 17 - .../linux_auditd_chattr_i.yml | 18 +- .../linux_auditd_chmod_exec_attrib/data.yml | 17 - .../linux_auditd_chmod_exec_attrib.yml | 18 +- .../T1482/atomic_red_team/atomic_red_team.yml | 17 +- .../T1482/atomic_red_team/data.yml | 13 - .../discovery/{data.yml => discovery.yml} | 6 +- .../discovery/domain_trust_discovery.yml | 14 - .../default_domain_policy_modified/data.yml | 13 - .../default_domain_policy_modified.yml | 21 +- .../{data.yml => gpo_modification.yml} | 8 +- .../gpo_modification/group_policy_created.yml | 17 - .../T1484.001/group_policy_created/data.yml | 13 - .../group_policy_created.yml | 19 +- .../T1484.001/group_policy_deleted/data.yml | 13 - .../group_policy_deleted.yml | 19 +- .../T1484.001/group_policy_disabled/data.yml | 13 - .../group_policy_disabled.yml | 19 +- .../T1484.001/group_policy_new_cse/data.yml | 13 - .../group_policy_new_cse.yml | 19 +- .../T1484.002/new_federated_domain/data.yml | 13 - .../new_federated_domain.yml | 25 +- .../DCShadowPermissions.yml | 19 +- .../T1484/DCShadowPermissions/data.yml | 13 - .../aclmodification/acl_modification.yml | 12 - .../{data.yml => aclmodification.yml} | 9 +- .../T1485/atomic_red_team/atomic_red_team.yml | 20 +- .../T1485/atomic_red_team/data.yml | 13 - .../T1485/decommissioned_buckets/data.yml | 12 - .../decommissioned_buckets.yml | 26 +- .../data.yml | 13 - .../excessive_file_del_in_windefender_dir.yml | 17 +- .../T1485/excessive_file_deletions/data.yml | 13 - .../excessive_file_deletions.yml | 14 +- .../T1485/linux_auditd_dd_overwrite/data.yml | 17 - .../linux_auditd_dd_overwrite.yml | 18 +- .../linux_auditd_no_preserve_root/data.yml | 17 - .../linux_auditd_no_preserve_root.yml | 18 +- .../T1485/linux_auditd_shred/data.yml | 17 - .../linux_auditd_shred/linux_auditd_shred.yml | 18 +- .../T1485/linux_dd_file_overwrite/data.yml | 13 - .../linux_dd_file_overwrite.yml | 14 +- .../T1485/ransomware_extensions/data.yml | 13 - .../ransomware_extensions.yml | 20 +- .../T1485/ransomware_notes/data.yml | 17 - .../ransomware_notes/ransomware_notes.yml | 25 +- .../T1485/rm_boot_dir/data.yml | 13 - .../T1485/rm_boot_dir/rm_boot_dir.yml | 14 +- .../T1485/rm_shred_critical_dir/data.yml | 13 - .../rm_shred_critical_dir.yml | 14 +- .../attack_techniques/T1485/sdelete/data.yml | 13 - .../T1485/sdelete/sdelete.yml | 14 +- .../T1486/aws_kms_key/aws_kms_key.yml | 19 +- .../T1486/aws_kms_key/data.yml | 17 - .../attack_techniques/T1486/dcrypt/data.yml | 13 - .../attack_techniques/T1486/dcrypt/dcrypt.yml | 14 +- .../T1486/s3_file_encryption/data.yml | 13 - .../s3_file_encryption/s3_file_encryption.yml | 15 +- .../T1486/sam_sam_note/data.yml | 13 - .../T1486/sam_sam_note/sam_sam_note.yml | 20 +- .../linux_auditd_auditd_service_stop/data.yml | 13 - .../linux_auditd_auditd_service_stop.yml | 14 +- .../data.yml | 13 - .../linux_auditd_osquerd_service_stop.yml | 14 +- .../T1489/linux_auditd_service_stop/data.yml | 13 - .../linux_auditd_service_stop.yml | 14 +- .../linux_auditd_sysmon_service_stop/data.yml | 13 - .../linux_auditd_sysmon_service_stop.yml | 17 +- .../T1489/linux_service_stop_disable/data.yml | 13 - .../linux_service_stop_disable.yml | 14 +- .../T1490/atomic_red_team/atomic_red_team.yml | 26 +- .../T1490/atomic_red_team/data.yml | 17 - .../aws_bucket_version/aws_bucket_version.yml | 16 +- .../T1490/aws_bucket_version/data.yml | 13 - .../T1490/ransomware_notes/data.yml | 13 - .../ransomware_notes/ransomware_notes.yml | 21 +- .../T1490/shadowcopy_del/data.yml | 13 - .../T1490/shadowcopy_del/shadowcopy_del.yml | 20 +- .../T1497.003/ping_sleep/data.yml | 13 - .../T1497.003/ping_sleep/ping_sleep.yml | 14 +- .../simulation/{data.yml => simulation.yml} | 8 +- .../T1505.001/simulation/sql_server_abuse.yml | 17 - .../T1505.003/{data.yml => T1505.003.yml} | 13 +- .../exchange_web_shell_behavior_logs.yml | 22 -- .../T1505.004/{data.yml => T1505.004.yml} | 9 +- .../T1505.004/iis_modules.yml | 30 -- .../aws_security_scanner.yml | 15 +- .../T1526/aws_security_scanner/data.yml | 13 - .../kubernetes_audit_pull_image/data.yml | 13 - .../kubernetes_audit_pull_image.yml | 14 +- .../T1526/kubernetes_kube_hunter/data.yml | 13 - .../kubernetes_kube_hunter.yml | 15 +- .../azure_ad_user_consent_blocked.yml | 24 +- .../azure_ad_user_consent_blocked/data.yml | 13 - .../azure_ad_user_consent_declined.yml | 24 +- .../azure_ad_user_consent_declined/data.yml | 13 - .../azure_ad_user_consent_granted.yml | 24 +- .../azure_ad_user_consent_granted/data.yml | 13 - .../T1528/device_code_authentication/data.yml | 13 - .../device_code_authentication.yml | 22 +- .../T1528/o365_user_consent_blocked/data.yml | 13 - .../o365_user_consent_blocked.yml | 22 +- .../T1528/o365_user_consent_declined/data.yml | 13 - .../o365_user_consent_declined.yml | 22 +- .../data.yml | 13 - .../o365_user_consent_file_permissions.yml | 22 +- .../data.yml | 13 - .../o365_user_consent_mail_permissions.yml | 22 +- .../aws_s3_public_bucket.yml | 14 +- .../T1530/aws_s3_public_bucket/data.yml | 13 - .../T1531/atomic_red_team/atomic_red_team.yml | 14 +- .../T1531/atomic_red_team/data.yml | 13 - .../aws_ami_shared_public.yml | 22 +- .../T1537/aws_ami_shared_public/data.yml | 13 - .../aws_exfil_risk_events.yml | 19 +- .../T1537/aws_exfil_risk_events/data.yml | 13 - .../aws_snapshot_exfil/aws_snapshot_exfil.yml | 20 +- .../T1537/aws_snapshot_exfil/data.yml | 17 - .../okta_web_session_multiple_ip/data.yml | 13 - .../okta_web_session_multiple_ip.yml | 19 +- .../T1542.003/bootkits/bootkits.yml | 19 +- .../T1542.003/bootkits/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 40 ++- .../T1543.003/atomic_red_team/data.yml | 29 -- .../T1543.003/lateral_movement/data.yml | 13 - .../lateral_movement/lateral_movement.yml | 20 +- .../lateral_movement_lolbas/data.yml | 13 - .../lateral_movement_lolbas.yml | 21 +- .../lateral_movement_powershell/data.yml | 13 - .../lateral_movement_powershell.yml | 22 +- .../services_lolbas_execution/data.yml | 13 - .../services_lolbas_execution.yml | 17 +- .../T1546.001/txtfile_reg/data.yml | 13 - .../T1546.001/txtfile_reg/txtfile_reg.yml | 16 +- .../T1546.002/scrnsave_reg/data.yml | 13 - .../T1546.002/scrnsave_reg/scrnsave_reg.yml | 17 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1546.003/atomic_red_team/data.yml | 13 - .../T1546.003/wmi_event_subscription/data.yml | 13 - .../wmi_event_subscription.yml | 17 +- .../data.yml | 13 - .../linux_auditd_unix_shell_mod_config.yml | 14 +- .../T1546.004/linux_init_profile/data.yml | 13 - .../linux_init_profile/linux_init_profile.yml | 14 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1546.008/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1546.011/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 27 +- .../T1546.012/atomic_red_team/data.yml | 17 - .../atomic_red_team/atomic_red_team.yml | 30 +- .../T1546.015/atomic_red_team/data.yml | 21 -- .../T1546.015/pwh_com_object/data.yml | 13 - .../pwh_com_object/pwh_com_object.yml | 14 +- .../T1546.015/uac_colorui/data.yml | 13 - .../T1546.015/uac_colorui/uac_colorui.yml | 14 +- .../adminsdholder_modified.yml | 20 +- .../T1546/adminsdholder_modified/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 27 +- .../T1547.001/atomic_red_team/data.yml | 17 - .../T1547.003/timeprovider_reg/data.yml | 13 - .../timeprovider_reg/timeprovider_reg.yml | 15 +- .../T1547.005/malicious_ssp/data.yml | 17 - .../T1547.005/malicious_ssp/malicious_ssp.yml | 27 +- .../T1547.006/linux_auditd_insmod/data.yml | 13 - .../linux_auditd_insmod.yml | 14 +- .../linux_auditd_insmod_new/data.yml | 13 - .../linux_auditd_insmod_new.yml | 14 +- .../T1547.006/linux_auditd_modprobe/data.yml | 13 - .../linux_auditd_modprobe.yml | 14 +- .../linux_auditd_modprobe_new/data.yml | 13 - .../linux_auditd_modprobe_new.yml | 14 +- .../data.yml | 17 - .../linux_auditd_modprobe_unload_module.yml | 21 +- .../T1547.006/linux_auditd_rmmod/data.yml | 13 - .../linux_auditd_rmmod/linux_auditd_rmmod.yml | 14 +- .../T1547.006/linux_auditd_rmmod_new/data.yml | 13 - .../linux_auditd_rmmod_new.yml | 14 +- .../loading_linux_kernel_module/data.yml | 13 - .../loading_linux_kernel_module.yml | 14 +- .../atomic_red_team/atomic_red_team.yml | 14 +- .../T1547.008/atomic_red_team/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 25 +- .../T1547.010/atomic_red_team/data.yml | 17 - .../T1547.012/print_reg/data.yml | 21 -- .../T1547.012/print_reg/print_reg.yml | 24 +- .../T1547.012/printnightmare/data.yml | 17 - .../printnightmare/printnightmare.yml | 27 +- .../T1548.001/chmod_uid/chmod_uid.yml | 14 +- .../T1548.001/chmod_uid/data.yml | 13 - .../T1548.001/linux_auditd_setuid/data.yml | 25 -- .../linux_auditd_setuid.yml | 26 +- .../T1548.001/linux_setcap/data.yml | 13 - .../T1548.001/linux_setcap/linux_setcap.yml | 14 +- .../LocalAccountTokenFilterPolicy.yml | 15 +- .../LocalAccountTokenFilterPolicy/data.yml | 13 - .../atomic_red_team/atomic_red_team.yml | 25 +- .../T1548.002/atomic_red_team/data.yml | 17 - .../T1548.002/slui/{data.yml => slui.yml} | 8 +- .../T1548.002/slui/slui_uac_bypass.yml | 16 - .../T1548.002/ssa_eventvwr/data.yml | 13 - .../T1548.002/ssa_eventvwr/ssa_eventvwr.yml | 14 +- .../T1548.002/uac_behavior/data.yml | 13 - .../T1548.002/uac_behavior/uac_behavior.yml | 28 +- .../attack_techniques/T1548.003/doas/data.yml | 13 - .../attack_techniques/T1548.003/doas/doas.yml | 14 +- .../T1548.003/doas_exec/data.yml | 13 - .../T1548.003/doas_exec/doas_exec.yml | 14 +- .../T1548.003/linux_adduser/data.yml | 13 - .../T1548.003/linux_adduser/linux_adduser.yml | 14 +- .../T1548.003/linux_auditd_doas/data.yml | 13 - .../linux_auditd_doas/linux_auditd_doas.yml | 14 +- .../T1548.003/linux_auditd_doas_new/data.yml | 13 - .../linux_auditd_doas_new.yml | 14 +- .../T1548.003/linux_auditd_nopasswd/data.yml | 17 - .../linux_auditd_nopasswd.yml | 18 +- .../T1548.003/linux_auditd_sudo_su/data.yml | 17 - .../linux_auditd_sudo_su.yml | 18 +- .../linux_auditd_sudoers_access/data.yml | 13 - .../linux_auditd_sudoers_access.yml | 14 +- .../T1548.003/nopasswd_sudoers/data.yml | 13 - .../nopasswd_sudoers/nopasswd_sudoers.yml | 14 +- .../T1548.003/sudo_su/data.yml | 13 - .../T1548.003/sudo_su/sudo_su.yml | 14 +- .../T1548.003/sudoers_temp/data.yml | 13 - .../T1548.003/sudoers_temp/sudoers_temp.yml | 14 +- .../T1548.003/visudo/data.yml | 13 - .../T1548.003/visudo/visudo.yml | 14 +- datasets/attack_techniques/T1548/apt/apt.yml | 14 +- datasets/attack_techniques/T1548/apt/data.yml | 13 - .../T1548/apt_get/apt_get.yml | 14 +- .../attack_techniques/T1548/apt_get/data.yml | 13 - datasets/attack_techniques/T1548/awk/awk.yml | 14 +- datasets/attack_techniques/T1548/awk/data.yml | 13 - .../T1548/busybox/busybox.yml | 14 +- .../attack_techniques/T1548/busybox/data.yml | 13 - datasets/attack_techniques/T1548/c89/c89.yml | 14 +- datasets/attack_techniques/T1548/c89/data.yml | 13 - datasets/attack_techniques/T1548/c99/c99.yml | 14 +- datasets/attack_techniques/T1548/c99/data.yml | 13 - .../T1548/composer/composer.yml | 14 +- .../attack_techniques/T1548/composer/data.yml | 13 - .../T1548/cpulimit/cpulimit.yml | 14 +- .../attack_techniques/T1548/cpulimit/data.yml | 13 - .../T1548/csvtool/csvtool.yml | 14 +- .../attack_techniques/T1548/csvtool/data.yml | 13 - .../attack_techniques/T1548/docker/data.yml | 13 - .../attack_techniques/T1548/docker/docker.yml | 14 +- .../attack_techniques/T1548/emacs/data.yml | 13 - .../attack_techniques/T1548/emacs/emacs.yml | 14 +- .../attack_techniques/T1548/find/data.yml | 13 - .../attack_techniques/T1548/find/find.yml | 14 +- .../attack_techniques/T1548/gawk/data.yml | 13 - .../attack_techniques/T1548/gawk/gawk.yml | 14 +- datasets/attack_techniques/T1548/gdb/data.yml | 13 - datasets/attack_techniques/T1548/gdb/gdb.yml | 14 +- datasets/attack_techniques/T1548/gem/data.yml | 13 - datasets/attack_techniques/T1548/gem/gem.yml | 14 +- .../attack_techniques/T1548/make/data.yml | 13 - .../attack_techniques/T1548/make/make.yml | 14 +- .../attack_techniques/T1548/mysql/data.yml | 13 - .../attack_techniques/T1548/mysql/mysql.yml | 14 +- .../attack_techniques/T1548/node/data.yml | 13 - .../attack_techniques/T1548/node/node.yml | 14 +- .../attack_techniques/T1548/octave/data.yml | 13 - .../attack_techniques/T1548/octave/octave.yml | 14 +- .../attack_techniques/T1548/openvpn/data.yml | 13 - .../T1548/openvpn/openvpn.yml | 14 +- datasets/attack_techniques/T1548/php/data.yml | 13 - datasets/attack_techniques/T1548/php/php.yml | 14 +- .../attack_techniques/T1548/puppet/data.yml | 13 - .../attack_techniques/T1548/puppet/puppet.yml | 14 +- datasets/attack_techniques/T1548/rpm/data.yml | 13 - datasets/attack_techniques/T1548/rpm/rpm.yml | 14 +- .../attack_techniques/T1548/ruby/data.yml | 13 - .../attack_techniques/T1548/ruby/ruby.yml | 14 +- .../attack_techniques/T1548/sqlite3/data.yml | 13 - .../T1548/sqlite3/sqlite3.yml | 14 +- .../T1548/uac_bypass/data.yml | 17 - .../T1548/uac_bypass/uac_bypass.yml | 18 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1550.002/atomic_red_team/data.yml | 13 - .../mimikatz/{data.yml => mimikatz.yml} | 8 +- .../T1550.003/mimikatz/mimiktaz.yml | 13 - .../T1550.003/rubeus/data.yml | 13 - .../T1550.003/rubeus/rubeus.yml | 18 +- .../attack_techniques/T1550/rubeus/data.yml | 13 - .../attack_techniques/T1550/rubeus/rubeus.yml | 18 +- .../T1552.001/password_in_username/data.yml | 13 - .../password_in_username.yml | 17 +- .../autoadminlogon/autoadminlogon.yml | 16 +- .../T1552.002/autoadminlogon/data.yml | 13 - .../T1552.004/linux_auditd_find_gpg/data.yml | 17 - .../linux_auditd_find_gpg.yml | 18 +- .../linux_auditd_find_ssh_files/data.yml | 17 - .../linux_auditd_find_ssh_files.yml | 18 +- .../T1552.006/findstr_gpp_discovery/data.yml | 17 - .../findstr_gpp_discovery.yml | 22 +- .../aws_getpassworddata.yml | 18 +- .../T1552/aws_getpassworddata/data.yml | 17 - .../attack_techniques/T1553.003/sip/data.yml | 13 - .../attack_techniques/T1553.003/sip/sip.yml | 22 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1553.004/atomic_red_team/data.yml | 13 - .../linux_auditd_find_credentials/data.yml | 17 - .../linux_auditd_find_credentials.yml | 18 +- .../linux_auditd_find_password_db/data.yml | 17 - .../linux_auditd_find_password_db.yml | 18 +- .../T1555/web_browser_pass_view/data.yml | 13 - .../web_browser_pass_view.yml | 14 +- .../atomic_red_team/atomic_red_team.yml | 14 +- .../T1556.001/atomic_red_team/data.yml | 13 - ...aws_new_mfa_method_registered_for_user.yml | 20 +- .../data.yml | 13 - ..._ad_new_mfa_method_registered_for_user.yml | 19 +- .../data.yml | 13 - .../okta_mfa_method_disabled/data.yml | 13 - .../okta_mfa_method_disabled.yml | 18 +- .../T1556/azuread/azuread.yml | 18 +- .../attack_techniques/T1556/azuread/data.yml | 13 - .../cisco_duo_bulk_policy_deletion.yml | 18 +- .../cisco_duo_bulk_policy_deletion/data.yml | 13 - .../cisco_duo_bypass_2FA.yml | 18 +- .../T1556/cisco_duo_bypass_2FA/data.yml | 13 - .../cisco_duo_bypass_code.yml | 18 +- .../T1556/cisco_duo_bypass_code/data.yml | 13 - ...licy_allow_devices_without_screen_lock.yml | 18 +- .../data.yml | 13 - ...co_duo_policy_allow_network_bypass_2fa.yml | 18 +- .../data.yml | 13 - ...co_duo_policy_allow_old_flash_and_java.yml | 18 +- .../data.yml | 13 - ...isco_duo_policy_allow_tampered_devices.yml | 18 +- .../data.yml | 13 - .../cisco_duo_policy_bypass_2FA.yml | 18 +- .../cisco_duo_policy_bypass_2FA/data.yml | 13 - ..._duo_policy_bypass_2FA_other_countries.yml | 18 +- .../data.yml | 13 - .../cisco_duo_policy_deny_access.yml | 18 +- .../cisco_duo_policy_deny_access/data.yml | 13 - .../cisco_duo_unusual_admin_login.yml | 18 +- .../cisco_duo_unusual_admin_login/data.yml | 13 - ...{data.yml => disable_credential_guard.yml} | 9 +- .../disable_credential_guard/lsacfgflags.yml | 13 - .../{data.yml => disable_lsa_protection.yml} | 8 +- .../T1556/disable_lsa_protection/runasppl.yml | 13 - .../T1556/gcp_disable_mfa/data.yml | 13 - .../T1556/gcp_disable_mfa/gcp_disable_mfa.yml | 21 +- .../T1556/o365_disable_mfa/data.yml | 13 - .../o365_disable_mfa/o365_disable_mfa.yml | 15 +- .../T1556/o365_sso_logon_errors/data.yml | 17 - .../o365_sso_logon_errors.yml | 20 +- .../attack_techniques/T1556/okta_idp/data.yml | 13 - .../T1556/okta_idp/okta_idp.yml | 18 +- .../atomic_red_team/atomic_red_team.yml | 25 +- .../T1558.003/atomic_red_team/data.yml | 17 - .../powerview-2/{data.yml => powerview-2.yml} | 9 +- .../T1558.003/powerview-2/powerview.yml | 12 - .../T1558.003/powerview/data.yml | 13 - .../T1558.003/powerview/powerview.yml | 17 +- .../T1558.003/rubeus/data.yml | 13 - .../T1558.003/rubeus/rubeus.yml | 20 +- .../T1558.004/powershell/data.yml | 17 - .../T1558.004/powershell/powershell.yml | 24 +- .../T1558/diamond_ticket/data.yml | 13 - .../T1558/diamond_ticket/diamond_ticket.yml | 17 +- .../archive_utility/archive_utility.yml | 16 +- .../T1560.001/archive_utility/data.yml | 13 - .../T1561.002/mbr_raw_access/data.yml | 13 - .../mbr_raw_access/mbr_raw_access.yml | 14 +- .../atomic_red_team/atomic_red_team.yml | 41 ++- .../T1562.001/atomic_red_team/data.yml | 29 -- .../defender_exclusion_sysmon/data.yml | 13 - .../defender_exclusion_sysmon.yml | 14 +- .../delete_win_defender_context_menu/data.yml | 13 - .../delete_win_defender_context_menu.yml | 14 +- .../data.yml | 13 - ...ble-windows-security-defender-features.yml | 16 +- .../disable_defender_logging/data.yml | 13 - .../disable_defender_logging.yml | 14 +- .../T1562.001/disable_gpo/data.yml | 13 - .../T1562.001/disable_gpo/disable_gpo.yml | 16 +- .../T1562.001/pwh_defender_disabling/data.yml | 13 - .../pwh_defender_disabling.yml | 15 +- .../sc_service_start_disabled/data.yml | 13 - .../sc_service_start_disabled.yml | 23 +- .../T1562.001/unload_sysmon/data.yml | 13 - .../T1562.001/unload_sysmon/unload_sysmon.yml | 19 +- .../win_defend_service_stop/data.yml | 13 - .../win_defend_service_stop.yml | 21 +- .../auditpol_tampering/auditpol_tampering.yml | 23 +- .../T1562.002/auditpol_tampering/data.yml | 13 - .../eventlog_sddl_tampering/data.yml | 13 - .../eventlog_sddl_tampering.yml | 18 +- .../atomic_red_team/atomic_red_team.yml | 21 +- .../T1562.004/atomic_red_team/data.yml | 13 - .../linux_auditd_disable_firewall/data.yml | 13 - .../linux_auditd_disable_firewall.yml | 14 +- .../njrat_add_firewall_rule/data.yml | 16 - .../njrat_add_firewall_rule.yml | 19 +- .../T1562.004/njrat_delete_firewall/data.yml | 12 - .../njrat_delete_firewall.yml | 15 +- .../aws_create_acl/aws_create_acl.yml | 18 +- .../T1562.007/aws_create_acl/data.yml | 17 - .../aws_delete_acl/aws_delete_acl.yml | 18 +- .../T1562.007/aws_delete_acl/data.yml | 17 - .../o365_bypass_mfa_via_trusted_ip/data.yml | 13 - .../o365_bypass_mfa_via_trusted_ip.yml | 15 +- .../aws_delete_security_services.yml | 24 +- .../aws_delete_security_services/data.yml | 17 - .../delete_cloudwatch_log_group/data.yml | 17 - .../delete_cloudwatch_log_group.yml | 24 +- .../o365_advanced_audit_disabled/data.yml | 13 - .../o365_advanced_audit_disabled.yml | 23 +- .../T1562.008/put_bucketlifecycle/data.yml | 17 - .../put_bucketlifecycle.yml | 21 +- .../T1562.008/stop_delete_cloudtrail/data.yml | 21 -- .../stop_delete_cloudtrail.yml | 29 +- .../T1562.008/update_cloudtrail/data.yml | 17 - .../update_cloudtrail/update_cloudtrail.yml | 23 +- .../auditd_daemon_type/auditd_daemon_type.yml | 14 +- .../T1562.012/auditd_daemon_type/data.yml | 13 - ...read_disable_blockconsent_for_riskapps.yml | 17 +- .../data.yml | 13 - .../data.yml | 13 - ...o365_disable_blockconsent_for_riskapps.yml | 17 +- .../T1563.002/rdphijack/data.yml | 17 - .../T1563.002/rdphijack/rdphijack.yml | 23 +- .../linux_auditd_hidden_file/data.yml | 13 - .../linux_auditd_hidden_file.yml | 14 +- .../T1564.004/ads_abuse/ads_abuse.yml | 29 +- .../T1564.004/ads_abuse/data.yml | 13 - .../T1564.008/o365/{data.yml => o365.yml} | 8 +- .../o365/o365_suspicious_mailbox_rule.yml | 11 - .../T1564/sc_sdset_tampering/data.yml | 13 - .../sc_sdset_tampering/sc_sdset_tampering.yml | 18 +- .../data.yml | 13 - .../gsuite_outbound_email_to_external.yml | 15 +- .../gsuite_susp_attachment_ext/data.yml | 13 - .../gsuite_susp_attachment_ext.yml | 15 +- .../T1566.001/gsuite_susp_subj/data.yml | 13 - .../gsuite_susp_subj/gsuite_susp_subj.yml | 15 +- .../T1566.001/gsuite_susp_url/data.yml | 13 - .../gsuite_susp_url/gsuite_susp_url.yml | 14 +- .../T1566.001/office_doc_abuses_rels/data.yml | 13 - .../office_doc_abuses_rels.yml | 16 +- .../T1566.001/onenote_spear_phishing/data.yml | 13 - .../onenote_spear_phishing.yml | 16 +- .../T1566.001/phishing_pdf_uri/data.yml | 13 - .../phishing_pdf_uri/phishing_pdf_uri.yml | 16 +- .../atomic_red_team/atomic_red_team.yml | 25 +- .../T1566.002/atomic_red_team/data.yml | 17 - .../T1566.002/lnk_file_temp_folder/data.yml | 13 - .../lnk_file_temp_folder.yml | 20 +- .../T1566/cve-2024-21378/cve-2024-21378.yml | 16 +- .../T1566/cve-2024-21378/data.yml | 13 - .../T1566/o365_various_alerts/data.yml | 13 - .../o365_various_alerts.yml | 31 +- .../T1566/zscalar_web_proxy/data.yml | 13 - .../zscalar_web_proxy/zscalar_web_proxy.yml | 16 +- .../T1567/o365_sus_file_activity/data.yml | 13 - .../o365_sus_file_activity.yml | 27 +- .../T1567/web_upload_nginx/data.yml | 12 - .../web_upload_nginx/web_upload_nginx.yml | 13 +- .../atomic_red_team/atomic_red_team.yml | 22 +- .../T1569.002/atomic_red_team/data.yml | 13 - .../T1569.002/linux_service_start/data.yml | 13 - .../linux_service_start.yml | 14 +- .../T1569.002/remcom/data.yml | 17 - .../T1569.002/remcom/remcom.yml | 22 +- .../T1569.002/scmanager_sddl_tamper/data.yml | 13 - .../scmanager_sddl_tamper.yml | 17 +- .../attack_techniques/T1570/remcom/data.yml | 17 - .../attack_techniques/T1570/remcom/remcom.yml | 22 +- .../T1572/cobalt_strike/cobalt_strike.yml | 19 +- .../T1572/cobalt_strike/data.yml | 13 - .../attack_techniques/T1572/ngrok/data.yml | 13 - .../attack_techniques/T1572/ngrok/ngrok.yml | 17 +- .../attack_techniques/T1572/plink/data.yml | 21 -- .../attack_techniques/T1572/plink/plink.yml | 25 +- .../T1572/ssh_proxy_command/ssh.yml | 11 - .../{data.yml => ssh_proxy_command.yml} | 8 +- .../atomic_red_team/atomic_red_team.yml | 14 +- .../T1574.001/atomic_red_team/data.yml | 13 - .../T1574.001/iscsicpl/data.yml | 13 - .../T1574.001/iscsicpl/iscsicpl.yml | 18 +- .../T1574.002/hijacklibs/data.yml | 13 - .../T1574.002/hijacklibs/hijacklibs.yml | 28 +- .../T1574.002/msi_module_load/data.yml | 17 - .../msi_module_load/msi_module_load.yml | 21 +- .../T1574.002/wineloader/data.yml | 13 - .../T1574.002/wineloader/wineloader.yml | 17 +- .../T1574.006/lib_hijack/data.yml | 13 - .../T1574.006/lib_hijack/lib_hijack.yml | 14 +- .../T1574.006/linux_auditd_ldpreload/data.yml | 17 - .../linux_auditd_ldpreload.yml | 18 +- .../linux_auditd_preload_file/data.yml | 13 - .../linux_auditd_preload_file.yml | 14 +- .../atomic_red_team/atomic_red_team.yml | 22 +- .../T1574.009/atomic_red_team/data.yml | 13 - .../change_registry_path_service.yml | 20 +- .../change_registry_path_service/data.yml | 13 - .../aws_authorize_security_group.yml | 14 +- .../aws_authorize_security_group/data.yml | 13 - .../T1586.003/okta_multiple_city/data.yml | 13 - .../okta_multiple_city/okta_multiple_city.yml | 19 +- .../{data.yml => atomic_red_team.yml} | 9 +- .../atomic_red_team/certificates.yml | 11 - .../T1588.002/atomic_red_team/advancedrun.yml | 13 - .../{data.yml => atomic_red_team.yml} | 8 +- .../T1590.002/enum_dns_record/data.yml | 13 - .../enum_dns_record/enum_dns_record.yml | 16 +- .../attacker_scan_tools.yml | 21 +- .../T1595/attacker_scan_tools/data.yml | 17 - .../T1595/sysmon_scanning_events/data.yml | 13 - .../sysmon_scanning_events.yml | 24 +- .../attack_techniques/T1598.002/rdp/data.yml | 13 - .../attack_techniques/T1598.002/rdp/rdp.yml | 14 +- .../common_language_runtim_loaded.yml | 19 +- .../common_language_runtim_loaded/data.yml | 13 - .../aws_mfa_disabled/aws_mfa_disabled.yml | 22 +- .../T1621/aws_mfa_disabled/data.yml | 13 - .../azure_ad_multiple_denied_mfa_requests.yml | 23 +- .../data.yml | 13 - .../T1621/azuread/azuread.yml | 23 +- .../attack_techniques/T1621/azuread/data.yml | 13 - .../T1621/gcp_failed_mfa/data.yml | 13 - .../T1621/gcp_failed_mfa/gcp_failed_mfa.yml | 22 +- .../T1621/multiple_failed_mfa_gws/data.yml | 13 - .../multiple_failed_mfa_gws.yml | 24 +- .../multiple_failed_mfa_requests/data.yml | 13 - .../multiple_failed_mfa_requests.yml | 25 +- .../data.yml | 13 - .../o365_multiple_failed_mfa_requests.yml | 25 +- .../T1621/okta_mfa_login_failed/data.yml | 13 - .../okta_mfa_login_failed.yml | 23 +- .../T1621/okta_mismatch/data.yml | 13 - .../T1621/okta_mismatch/okta_mismatch.yml | 23 +- .../okta_multiple_failed_mfa_pushes/data.yml | 13 - .../okta_multiple_failed_mfa_pushes.yml | 23 +- .../data.yml | 13 - .../okta_multiple_failed_mfa_requests.yml | 23 +- .../T1621/pingid/{data.yml => pingid.yml} | 8 +- .../T1621/pingid/pingid_dataset.yml | 16 - .../T1649/atomic_red_team/atomic_red_team.yml | 64 ++-- .../T1649/atomic_red_team/data.yml | 45 --- .../{data.yml => certify_abuse.yml} | 10 +- .../certify_abuse/certify_esc1_abuse.yml | 17 - .../active_setup_stubpath.yml | 15 +- .../t1547.014/active_setup_stubpath/data.yml | 13 - .../t1592/host_info_dxdiag/data.yml | 13 - .../host_info_dxdiag/host_info_dxdiag.yml | 14 +- .../t1592/pwh_av_recon/data.yml | 13 - .../t1592/pwh_av_recon/pwh_av_recon.yml | 14 +- datasets/malware/acidrain/acidrain.yml | 14 +- datasets/malware/acidrain/data.yml | 13 - .../agent_tesla_ftp/agent_tesla_ftp.yml | 16 +- .../agent_tesla/agent_tesla_ftp/data.yml | 13 - .../agent_tesla_smtp/agent_tesla_smtp.yml | 16 +- .../agent_tesla/agent_tesla_smtp/data.yml | 13 - .../agent_tesla_tor_dns_query.yml | 16 +- .../agent_tesla_tor_dns_query/data.yml | 13 - .../chm_powershell/chm_powershell.yml | 16 +- .../agent_tesla/chm_powershell/data.yml | 13 - .../access_permission/access_permission.yml | 16 +- .../malware/amadey/access_permission/data.yml | 13 - datasets/malware/awfulshred/test1/data.yml | 13 - datasets/malware/awfulshred/test1/test1.yml | 16 +- datasets/malware/awfulshred/test2/data.yml | 13 - datasets/malware/awfulshred/test2/test2.yml | 16 +- datasets/malware/awfulshred/test3/data.yml | 13 - datasets/malware/awfulshred/test3/test3.yml | 16 +- datasets/malware/azorult/azorult.yml | 14 +- datasets/malware/azorult/data.yml | 13 - .../brute_duplicate_token.yml | 16 +- .../brute_duplicate_token/data.yml | 13 - .../create_remote_thread.yml | 16 +- .../brute_ratel/create_remote_thread/data.yml | 13 - .../iso_version_dll_campaign/data.yml | 13 - .../iso_version_dll_campaign.yml | 16 +- .../brute_ratel/loading_samlib/data.yml | 13 - .../loading_samlib/loading_samlib.yml | 16 +- .../brute_ratel/service_deletion/data.yml | 13 - .../service_deletion/service_deletion.yml | 16 +- .../data.yml | 13 - .../wallpaper_via_transcodedwallpaper.yml | 16 +- .../chaos_ransomware/chaos_ransomware.yml | 16 +- datasets/malware/chaos_ransomware/data.yml | 13 - .../spread_in_root_drives/data.yml | 13 - .../spread_in_root_drives.yml | 16 +- datasets/malware/clop/clop_a/clop_a.yml | 21 +- datasets/malware/clop/clop_a/data.yml | 17 - datasets/malware/clop/clop_b/clop_b.yml | 15 +- datasets/malware/clop/clop_b/data.yml | 13 - .../malware/conti/conti_leak/conti_leak.yml | 26 +- datasets/malware/conti/conti_leak/data.yml | 21 -- .../malware/cyclopsblink/cyclopsblink.yml | 14 +- datasets/malware/cyclopsblink/data.yml | 13 - .../dcrat/dcrat_delay_execution/data.yml | 13 - .../dcrat_delay_execution.yml | 14 +- .../malware/dcrat/dcrat_enum_camera/data.yml | 13 - .../dcrat_enum_camera/dcrat_enum_camera.yml | 14 +- .../malware/dcrat/dcrat_explorer_url/data.yml | 13 - .../dcrat_explorer_url/dcrat_explorer_url.yml | 14 +- .../malware/dcrat/dcrat_forkbomb/data.yml | 13 - .../dcrat/dcrat_forkbomb/dcrat_forkbomb.yml | 14 +- .../dcrat/reboot_logoff_commandline/data.yml | 13 - .../reboot_logoff_commandline.yml | 23 +- .../dcrat/shutdown_commandline/data.yml | 13 - .../shutdown_commandline.yml | 14 +- datasets/malware/doublezero_wiper/data.yml | 13 - .../doublezero_wiper/doublezero_wiper.yml | 14 +- datasets/malware/fin7/fin7_js_2/data.yml | 21 -- datasets/malware/fin7/fin7_js_2/fin7_js_2.yml | 23 +- .../malware/fin7/fin7_macro_js_1/data.yml | 13 - .../fin7/fin7_macro_js_1/fin7_macro_js_1.yml | 12 +- datasets/malware/fin7/jssloader/data.yml | 13 - datasets/malware/fin7/jssloader/jssloader.yml | 12 +- .../gootloader/partial_ttps/gootloader.yml | 15 - .../{data.yml => partial_ttps.yml} | 9 +- datasets/malware/hermetic_wiper/data.yml | 13 - .../globalfolderoptions_reg/data.yml | 13 - .../globalfolderoptions_reg.yml | 14 +- .../malware/hermetic_wiper/hermetic_wiper.yml | 14 +- .../cmd_carry_str_param.yml | 12 +- .../icedid/cmd_carry_str_param/data.yml | 13 - datasets/malware/icedid/disable_av/data.yml | 17 - .../malware/icedid/disable_av/disable_av.yml | 20 +- .../malware/icedid/disable_schtask/data.yml | 13 - .../disable_schtask/disable_schtask.yml | 15 +- datasets/malware/icedid/inf_icedid/data.yml | 13 - .../malware/icedid/inf_icedid/inf_icedid.yml | 18 +- datasets/malware/icedid/phish_icedid/data.yml | 13 - .../icedid/phish_icedid/phish_icedid.yml | 18 +- .../malware/icedid/simulated_icedid/data.yml | 13 - .../simulated_icedid/simulated_icedid.yml | 17 +- datasets/malware/industroyer2/data.yml | 13 - .../malware/industroyer2/industroyer2.yml | 14 +- datasets/malware/lockbit_ransomware/data.yml | 13 - .../lockbit_ransomware/lockbit_ransomware.yml | 16 +- datasets/malware/olympic_destroyer/data.yml | 13 - .../olympic_destroyer/olympic_destroyer.yml | 18 +- datasets/malware/prestige_ransomware/data.yml | 13 - .../prestige_ransomware.yml | 16 +- datasets/malware/qakbot/data.yml | 13 - datasets/malware/qakbot/qakbot.yml | 16 +- datasets/malware/qakbot/qbot2/data.yml | 13 - datasets/malware/qakbot/qbot2/qbot2.yml | 16 +- datasets/malware/qakbot/qbot_3/data.yml | 13 - datasets/malware/qakbot/qbot_3/qbot_3.yml | 16 +- datasets/malware/qakbot/qbot_wermgr/data.yml | 13 - .../qakbot/qbot_wermgr/qbot_wermgr.yml | 16 +- datasets/malware/qakbot/qbot_wermgr2/data.yml | 13 - .../qakbot/qbot_wermgr2/qbot_wermgr2.yml | 16 +- .../malware/qakbot/remote_thread/data.yml | 13 - .../qakbot/remote_thread/remote_thread.yml | 16 +- .../malware/redline/modify_registry/data.yml | 13 - .../modify_registry/modify_registry.yml | 16 +- datasets/malware/remcos/remcos/data.yml | 13 - datasets/malware/remcos/remcos/remcos.yml | 12 +- datasets/malware/remcos/remcos_agent/data.yml | 17 - .../remcos/remcos_agent/remcos_agent.yml | 20 +- .../malware/remcos/remcos_dynwrapx/data.yml | 21 -- .../remcos_dynwrapx/remcos_dynwrapx.yml | 25 +- .../remcos/remcos_pastebin_download/data.yml | 13 - .../remcos_pastebin_download.yml | 14 +- .../malware/remcos/remcos_registry/data.yml | 13 - .../remcos_registry/remcos_registry.yml | 14 +- datasets/malware/revil/msmpeng_side/data.yml | 13 - .../revil/msmpeng_side/msmpeng_side.yml | 15 +- datasets/malware/ryuk/data.yml | 13 - datasets/malware/ryuk/ryuk.yml | 15 +- datasets/malware/snakemalware/snake.yml | 15 - .../{data.yml => snakemalware.yml} | 8 +- datasets/malware/swift_slicer/data.yml | 13 - .../malware/swift_slicer/swift_slicer.yml | 16 +- .../malware/trickbot/spear_phish/data.yml | 13 - .../trickbot/spear_phish/spear_phish.yml | 14 +- datasets/malware/vilsel/vilse.yml | 9 - .../malware/vilsel/{data.yml => vilsel.yml} | 8 +- datasets/malware/winpeas/data.yml | 13 - datasets/malware/winpeas/powershell/data.yml | 17 - .../malware/winpeas/powershell/powershell.yml | 20 +- datasets/malware/winpeas/winpeas.yml | 16 +- .../winpeas/winpeas_cmdkeylist/data.yml | 13 - .../winpeas_cmdkeylist/winpeas_cmdkeylist.yml | 16 +- .../malware/winpeas/winpeas_fsutil/data.yml | 13 - .../winpeas/winpeas_fsutil/winpeas_fsutil.yml | 16 +- .../winpeas_search_private_key/data.yml | 13 - .../winpeas_search_private_key.yml | 16 +- .../winpeas/winpeas_search_pwd/data.yml | 13 - .../winpeas_search_pwd/winpeas_search_pwd.yml | 16 +- .../winpeas/winpeas_search_pwd_db/data.yml | 13 - .../winpeas_search_pwd_db.yml | 16 +- .../winter-vivern/pwh_exfiltration/data.yml | 13 - .../pwh_exfiltration/pwh_exfiltration.yml | 16 +- .../winter-vivern/pwh_uploadstring/data.yml | 13 - .../pwh_uploadstring/pwh_uploadstring.yml | 16 +- .../winter-vivern/scheduledtask/data.yml | 13 - .../scheduledtask/scheduledtask.yml | 16 +- 1417 files changed, 7088 insertions(+), 16277 deletions(-) delete mode 100644 bin/rename_data.py delete mode 100644 datasets/attack_techniques/T1003.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1003.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1003.002/serioussam/data.yml delete mode 100644 datasets/attack_techniques/T1003.003/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1003.004/NoLMHash/data.yml rename datasets/attack_techniques/T1003.006/impacket/{data.yml => impacket.yml} (53%) delete mode 100644 datasets/attack_techniques/T1003.006/impacket/secretsdump.yml delete mode 100644 datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml rename datasets/attack_techniques/T1003.006/mimikatz/{data.yml => mimikatz.yml} (60%) delete mode 100644 datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml delete mode 100644 datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml delete mode 100644 datasets/attack_techniques/T1003/credential_extraction/data.yml delete mode 100644 datasets/attack_techniques/T1003/wdigest_enable/data.yml rename datasets/attack_techniques/T1014/{data.yml => T1014.yml} (70%) delete mode 100644 datasets/attack_techniques/T1014/drivers.yml delete mode 100644 datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1016/discovery_commands/data.yml delete mode 100644 datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml delete mode 100644 datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml delete mode 100644 datasets/attack_techniques/T1018/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1018/atomic_red_team/data.yml rename datasets/attack_techniques/T1020/{data.yml => T1020.yml} (60%) delete mode 100644 datasets/attack_techniques/T1020/rclone.yml delete mode 100644 datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml delete mode 100644 datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml delete mode 100644 datasets/attack_techniques/T1021.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1021.002/executable_in_share/data.yml delete mode 100644 datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml delete mode 100644 datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml delete mode 100644 datasets/attack_techniques/T1021.003/impacket/data.yml delete mode 100644 datasets/attack_techniques/T1021.003/lateral_movement/data.yml delete mode 100644 datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml delete mode 100644 datasets/attack_techniques/T1021.006/lateral_movement/data.yml delete mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml delete mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml delete mode 100644 datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml delete mode 100644 datasets/attack_techniques/T1027/FuckThatPacker/data.yml delete mode 100644 datasets/attack_techniques/T1027/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml delete mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml delete mode 100644 datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml delete mode 100644 datasets/attack_techniques/T1033/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1033/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml delete mode 100644 datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml delete mode 100644 datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml delete mode 100644 datasets/attack_techniques/T1033/whoami_priv/data.yml delete mode 100644 datasets/attack_techniques/T1036.003/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1036.003/copy_sysmon/data.yml delete mode 100644 datasets/attack_techniques/T1036.003/mpcmdrun/data.yml delete mode 100644 datasets/attack_techniques/T1036.003/samsam_extension/data.yml delete mode 100644 datasets/attack_techniques/T1036/msdtc_process_param/data.yml delete mode 100644 datasets/attack_techniques/T1036/suspicious_process_path/data.yml delete mode 100644 datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml delete mode 100644 datasets/attack_techniques/T1037.001/logonscript_reg/data.yml delete mode 100644 datasets/attack_techniques/T1046/kubernetes_scanning/data.yml delete mode 100644 datasets/attack_techniques/T1047/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1047/execution_scrcons/data.yml delete mode 100644 datasets/attack_techniques/T1047/lateral_movement/data.yml delete mode 100644 datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml delete mode 100644 datasets/attack_techniques/T1047/wmi_impersonate/data.yml delete mode 100644 datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml delete mode 100644 datasets/attack_techniques/T1048.003/long_dns_queries/data.yml delete mode 100644 datasets/attack_techniques/T1048.003/mass_file_creation/data.yml delete mode 100644 datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml delete mode 100644 datasets/attack_techniques/T1048/ftp_connection/data.yml delete mode 100644 datasets/attack_techniques/T1049/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1053.002/at_execution/data.yml rename datasets/attack_techniques/T1053.002/lateral_movement/{data.yml => lateral_movement.yml} (54%) delete mode 100644 datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml delete mode 100644 datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml delete mode 100644 datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml delete mode 100644 datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml delete mode 100644 datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/lateral_movement/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/schtask_system/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/schtasks/schtask.yml rename datasets/attack_techniques/T1053.005/schtasks/{data.yml => schtasks.yml} (60%) delete mode 100644 datasets/attack_techniques/T1053.005/taskschedule/data.yml delete mode 100644 datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml rename datasets/attack_techniques/T1053.005/windows_taskschedule/{data.yml => windows_taskschedule.yml} (63%) delete mode 100644 datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml rename datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/{data.yml => winevent_scheduled_task_with_suspect_name.yml} (59%) delete mode 100644 datasets/attack_techniques/T1053.006/linux_services_restart/data.yml delete mode 100644 datasets/attack_techniques/T1053.006/service_systemd/data.yml delete mode 100644 datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml delete mode 100644 datasets/attack_techniques/T1055.001/rasautou/data.yml delete mode 100644 datasets/attack_techniques/T1055/cobalt_strike/data.yml delete mode 100644 datasets/attack_techniques/T1055/msra/data.yml rename datasets/attack_techniques/T1055/sliver/{data.yml => sliver.yml} (79%) delete mode 100644 datasets/attack_techniques/T1055/sliver/sliverc2.yml delete mode 100644 datasets/attack_techniques/T1057/process_commandline_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/encoded_powershell/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/exchange/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/hidden_powershell/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml rename datasets/attack_techniques/T1059.001/powershell_script_block_logging/{data.yml => powershell_script_block_logging.yml} (78%) delete mode 100644 datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml delete mode 100644 datasets/attack_techniques/T1059.001/powershell_testing/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/sharphound/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/soaphound/data.yml delete mode 100644 datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml delete mode 100644 datasets/attack_techniques/T1059.003/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml delete mode 100644 datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml rename datasets/attack_techniques/T1059.003/ryuk/{data.yml => ryuk.yml} (56%) delete mode 100644 datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml delete mode 100644 datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml delete mode 100644 datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml delete mode 100644 datasets/attack_techniques/T1059.005/vbs_wscript/data.yml delete mode 100644 datasets/attack_techniques/T1059/autoit/data.yml delete mode 100644 datasets/attack_techniques/T1059/metasploit/data.yml delete mode 100644 datasets/attack_techniques/T1059/path_traversal/data.yml delete mode 100644 datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml delete mode 100644 datasets/attack_techniques/T1068/drivers/data.yml delete mode 100644 datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml delete mode 100644 datasets/attack_techniques/T1068/zoom_child_process/data.yml rename datasets/attack_techniques/T1069.001/atomic_red_team/{data.yml => atomic_red_team.yml} (73%) delete mode 100644 datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml delete mode 100644 datasets/attack_techniques/T1069.002/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1070.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1070.005/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1070/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1070/fsutil_file_zero/data.yml delete mode 100644 datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml delete mode 100644 datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml delete mode 100644 datasets/attack_techniques/T1078.002/account_lockout/data.yml delete mode 100644 datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/azuread/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/azuread_pws/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml delete mode 100644 datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_create_policy_version/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_createaccesskey/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_createloginprofile/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml delete mode 100644 datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml delete mode 100644 datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml delete mode 100644 datasets/attack_techniques/T1078/defaultaccount/data.yml delete mode 100644 datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml delete mode 100644 datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml delete mode 100644 datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml delete mode 100644 datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml delete mode 100644 datasets/attack_techniques/T1078/update_saml_provider/data.yml delete mode 100644 datasets/attack_techniques/T1082/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml delete mode 100644 datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml delete mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml delete mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml delete mode 100644 datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml delete mode 100644 datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml delete mode 100644 datasets/attack_techniques/T1087.001/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1087.002/AD_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1087.002/adsi_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml delete mode 100644 datasets/attack_techniques/T1087.004/azurehound/data.yml delete mode 100644 datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml delete mode 100644 datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml delete mode 100644 datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml delete mode 100644 datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml delete mode 100644 datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml delete mode 100644 datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml delete mode 100644 datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml delete mode 100644 datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml delete mode 100644 datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml delete mode 100644 datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml delete mode 100644 datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml delete mode 100644 datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml delete mode 100644 datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml delete mode 100644 datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml delete mode 100644 datasets/attack_techniques/T1098/account_manipulation/data.yml delete mode 100644 datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml delete mode 100644 datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml delete mode 100644 datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml delete mode 100644 datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml rename datasets/attack_techniques/T1098/dsrm_account/{data.yml => dsrm_account.yml} (54%) delete mode 100644 datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml delete mode 100644 datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml delete mode 100644 datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml delete mode 100644 datasets/attack_techniques/T1098/service_principal_name_added/data.yml delete mode 100644 datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml delete mode 100644 datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml delete mode 100644 datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml delete mode 100644 datasets/attack_techniques/T1105/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1110.001/aws_login_failure/data.yml delete mode 100644 datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml delete mode 100644 datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml delete mode 100644 datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml delete mode 100644 datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml delete mode 100644 datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml delete mode 100644 datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml delete mode 100644 datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml delete mode 100644 datasets/attack_techniques/T1110/o365_brute_force_login/data.yml delete mode 100644 datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml delete mode 100644 datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml delete mode 100644 datasets/attack_techniques/T1112/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml delete mode 100644 datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml delete mode 100644 datasets/attack_techniques/T1112/disable_notif_center/data.yml delete mode 100644 datasets/attack_techniques/T1112/firewall_modify_delete/data.yml delete mode 100644 datasets/attack_techniques/T1112/minint_reg/data.yml delete mode 100644 datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml delete mode 100644 datasets/attack_techniques/T1112/shimcache_flush/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml delete mode 100644 datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml delete mode 100644 datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml delete mode 100644 datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml rename datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/{data.yml => o365_mailbox_forwarding_enabled.yml} (62%) delete mode 100644 datasets/attack_techniques/T1114/o365_export_pst_file/data.yml delete mode 100644 datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml delete mode 100644 datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml delete mode 100644 datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml rename datasets/attack_techniques/T1127.001/{data.yml => T1127.001.yml} (60%) delete mode 100644 datasets/attack_techniques/T1127.001/atomic_red_team.yml delete mode 100644 datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml delete mode 100644 datasets/attack_techniques/T1127/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1127/etw_disable/data.yml delete mode 100644 datasets/attack_techniques/T1134.005/mimikatz/data.yml create mode 100644 datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml delete mode 100644 datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml delete mode 100644 datasets/attack_techniques/T1134.005/sid_history2/data.yml delete mode 100644 datasets/attack_techniques/T1135/ipc_share_accessed/data.yml delete mode 100644 datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml delete mode 100644 datasets/attack_techniques/T1135/net_share/data.yml delete mode 100644 datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml delete mode 100644 datasets/attack_techniques/T1135/powerview_sharefinder/data.yml delete mode 100644 datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml delete mode 100644 datasets/attack_techniques/T1136.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml delete mode 100644 datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/azure_automation_account/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml delete mode 100644 datasets/attack_techniques/T1136.003/o365_new_federation/data.yml delete mode 100644 datasets/attack_techniques/T1140/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1140/linux_auditd_base64/data.yml delete mode 100644 datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml delete mode 100644 datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml delete mode 100644 datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml delete mode 100644 datasets/attack_techniques/T1187/petitpotam/data.yml delete mode 100644 datasets/attack_techniques/T1189/dyn_dns_site/data.yml rename datasets/attack_techniques/T1189/splunk/{data.yml => splunk.yml} (86%) delete mode 100644 datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml delete mode 100644 datasets/attack_techniques/T1189/xss/splunk_web_access.yml rename datasets/attack_techniques/T1189/xss/{data.yml => xss.yml} (52%) rename datasets/attack_techniques/T1190/{data.yml => T1190.yml} (58%) delete mode 100644 datasets/attack_techniques/T1190/citrix/data.yml delete mode 100644 datasets/attack_techniques/T1190/confluence/data.yml delete mode 100644 datasets/attack_techniques/T1190/crushftp/data.yml delete mode 100644 datasets/attack_techniques/T1190/ivanti/data.yml delete mode 100644 datasets/attack_techniques/T1190/java/data.yml delete mode 100644 datasets/attack_techniques/T1190/jenkins/data.yml delete mode 100644 datasets/attack_techniques/T1190/juniper/data.yml delete mode 100644 datasets/attack_techniques/T1190/magento/data.yml delete mode 100644 datasets/attack_techniques/T1190/outbound_java/data.yml delete mode 100644 datasets/attack_techniques/T1190/papercut/data.yml delete mode 100644 datasets/attack_techniques/T1190/proxyshell.yml delete mode 100644 datasets/attack_techniques/T1190/proxyshell/data.yml delete mode 100644 datasets/attack_techniques/T1190/pswa/data.yml delete mode 100644 datasets/attack_techniques/T1190/sap/data.yml delete mode 100644 datasets/attack_techniques/T1190/screenconnect/data.yml delete mode 100644 datasets/attack_techniques/T1190/sharepoint/data.yml delete mode 100644 datasets/attack_techniques/T1190/splunk/data.yml delete mode 100644 datasets/attack_techniques/T1190/splunk/log_injection.yml create mode 100644 datasets/attack_techniques/T1190/splunk/splunk.yml delete mode 100644 datasets/attack_techniques/T1190/spring4shell/data.yml delete mode 100644 datasets/attack_techniques/T1190/text4shell/data.yml delete mode 100644 datasets/attack_techniques/T1190/tomcat/data.yml rename datasets/attack_techniques/T1195.002/3CX/{data.yml => 3CX.yml} (79%) delete mode 100644 datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml delete mode 100644 datasets/attack_techniques/T1197/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml delete mode 100644 datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml delete mode 100644 datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1202/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1204.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml delete mode 100644 datasets/attack_techniques/T1204.002/single_letter_exe/data.yml delete mode 100644 datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml delete mode 100644 datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml delete mode 100644 datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml rename datasets/attack_techniques/T1204.003/risk_dataset/{data.yml => risk_dataset.yml} (58%) delete mode 100644 datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml delete mode 100644 datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml delete mode 100644 datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml delete mode 100644 datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml delete mode 100644 datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml delete mode 100644 datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml delete mode 100644 datasets/attack_techniques/T1204/rare_executables/data.yml delete mode 100644 datasets/attack_techniques/T1207/dc_promo/data.yml delete mode 100644 datasets/attack_techniques/T1207/mimikatz/dcshadow.yml rename datasets/attack_techniques/T1207/mimikatz/{data.yml => mimikatz.yml} (59%) delete mode 100644 datasets/attack_techniques/T1207/short_lived_server_object/data.yml delete mode 100644 datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml delete mode 100644 datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml rename datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/{data.yml => kuberntest_nginx_rfi_attack.yml} (56%) delete mode 100644 datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml delete mode 100644 datasets/attack_techniques/T1216/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.004/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.005/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml delete mode 100644 datasets/attack_techniques/T1218.007/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.008/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.009/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.010/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.011/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218.012/verclsid_exec/data.yml delete mode 100644 datasets/attack_techniques/T1218.013/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1218/bitlockertogo/data.yml delete mode 100644 datasets/attack_techniques/T1218/diskshadow/data.yml delete mode 100644 datasets/attack_techniques/T1218/eviltwin/data.yml delete mode 100644 datasets/attack_techniques/T1219/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1219/screenconnect/data.yml delete mode 100644 datasets/attack_techniques/T1219/teamviewer/data.yml delete mode 100644 datasets/attack_techniques/T1220/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1222.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1222.001/dacl_abuse/data.yml delete mode 100644 datasets/attack_techniques/T1222.001/subinacl/data.yml delete mode 100644 datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml delete mode 100644 datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml delete mode 100644 datasets/attack_techniques/T1482/atomic_red_team/data.yml rename datasets/attack_techniques/T1482/discovery/{data.yml => discovery.yml} (79%) delete mode 100644 datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml delete mode 100644 datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml rename datasets/attack_techniques/T1484.001/gpo_modification/{data.yml => gpo_modification.yml} (59%) delete mode 100644 datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml delete mode 100644 datasets/attack_techniques/T1484.001/group_policy_created/data.yml delete mode 100644 datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml delete mode 100644 datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml delete mode 100644 datasets/attack_techniques/T1484.002/new_federated_domain/data.yml delete mode 100644 datasets/attack_techniques/T1484/DCShadowPermissions/data.yml delete mode 100644 datasets/attack_techniques/T1484/aclmodification/acl_modification.yml rename datasets/attack_techniques/T1484/aclmodification/{data.yml => aclmodification.yml} (59%) delete mode 100644 datasets/attack_techniques/T1485/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1485/decommissioned_buckets/data.yml delete mode 100644 datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml delete mode 100644 datasets/attack_techniques/T1485/excessive_file_deletions/data.yml delete mode 100644 datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml delete mode 100644 datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml delete mode 100644 datasets/attack_techniques/T1485/linux_auditd_shred/data.yml delete mode 100644 datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml delete mode 100644 datasets/attack_techniques/T1485/ransomware_extensions/data.yml delete mode 100644 datasets/attack_techniques/T1485/ransomware_notes/data.yml delete mode 100644 datasets/attack_techniques/T1485/rm_boot_dir/data.yml delete mode 100644 datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml delete mode 100644 datasets/attack_techniques/T1485/sdelete/data.yml delete mode 100644 datasets/attack_techniques/T1486/aws_kms_key/data.yml delete mode 100644 datasets/attack_techniques/T1486/dcrypt/data.yml delete mode 100644 datasets/attack_techniques/T1486/s3_file_encryption/data.yml delete mode 100644 datasets/attack_techniques/T1486/sam_sam_note/data.yml delete mode 100644 datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml delete mode 100644 datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml delete mode 100644 datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml delete mode 100644 datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml delete mode 100644 datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml delete mode 100644 datasets/attack_techniques/T1490/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1490/aws_bucket_version/data.yml delete mode 100644 datasets/attack_techniques/T1490/ransomware_notes/data.yml delete mode 100644 datasets/attack_techniques/T1490/shadowcopy_del/data.yml delete mode 100644 datasets/attack_techniques/T1497.003/ping_sleep/data.yml rename datasets/attack_techniques/T1505.001/simulation/{data.yml => simulation.yml} (83%) delete mode 100644 datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml rename datasets/attack_techniques/T1505.003/{data.yml => T1505.003.yml} (60%) delete mode 100644 datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml rename datasets/attack_techniques/T1505.004/{data.yml => T1505.004.yml} (92%) delete mode 100644 datasets/attack_techniques/T1505.004/iis_modules.yml delete mode 100644 datasets/attack_techniques/T1526/aws_security_scanner/data.yml delete mode 100644 datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml delete mode 100644 datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml delete mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml delete mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml delete mode 100644 datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml delete mode 100644 datasets/attack_techniques/T1528/device_code_authentication/data.yml delete mode 100644 datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml delete mode 100644 datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml delete mode 100644 datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml delete mode 100644 datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml delete mode 100644 datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml delete mode 100644 datasets/attack_techniques/T1531/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml delete mode 100644 datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml delete mode 100644 datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml delete mode 100644 datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml delete mode 100644 datasets/attack_techniques/T1542.003/bootkits/data.yml delete mode 100644 datasets/attack_techniques/T1543.003/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1543.003/lateral_movement/data.yml delete mode 100644 datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml delete mode 100644 datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml delete mode 100644 datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml delete mode 100644 datasets/attack_techniques/T1546.001/txtfile_reg/data.yml delete mode 100644 datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml delete mode 100644 datasets/attack_techniques/T1546.003/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml delete mode 100644 datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml delete mode 100644 datasets/attack_techniques/T1546.004/linux_init_profile/data.yml delete mode 100644 datasets/attack_techniques/T1546.008/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1546.011/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1546.012/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1546.015/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1546.015/pwh_com_object/data.yml delete mode 100644 datasets/attack_techniques/T1546.015/uac_colorui/data.yml delete mode 100644 datasets/attack_techniques/T1546/adminsdholder_modified/data.yml delete mode 100644 datasets/attack_techniques/T1547.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml delete mode 100644 datasets/attack_techniques/T1547.005/malicious_ssp/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml delete mode 100644 datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml delete mode 100644 datasets/attack_techniques/T1547.008/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1547.010/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1547.012/print_reg/data.yml delete mode 100644 datasets/attack_techniques/T1547.012/printnightmare/data.yml delete mode 100644 datasets/attack_techniques/T1548.001/chmod_uid/data.yml delete mode 100644 datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml delete mode 100644 datasets/attack_techniques/T1548.001/linux_setcap/data.yml delete mode 100644 datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml delete mode 100644 datasets/attack_techniques/T1548.002/atomic_red_team/data.yml rename datasets/attack_techniques/T1548.002/slui/{data.yml => slui.yml} (61%) delete mode 100644 datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml delete mode 100644 datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml delete mode 100644 datasets/attack_techniques/T1548.002/uac_behavior/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/doas/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/doas_exec/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_adduser/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/sudo_su/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/sudoers_temp/data.yml delete mode 100644 datasets/attack_techniques/T1548.003/visudo/data.yml delete mode 100644 datasets/attack_techniques/T1548/apt/data.yml delete mode 100644 datasets/attack_techniques/T1548/apt_get/data.yml delete mode 100644 datasets/attack_techniques/T1548/awk/data.yml delete mode 100644 datasets/attack_techniques/T1548/busybox/data.yml delete mode 100644 datasets/attack_techniques/T1548/c89/data.yml delete mode 100644 datasets/attack_techniques/T1548/c99/data.yml delete mode 100644 datasets/attack_techniques/T1548/composer/data.yml delete mode 100644 datasets/attack_techniques/T1548/cpulimit/data.yml delete mode 100644 datasets/attack_techniques/T1548/csvtool/data.yml delete mode 100644 datasets/attack_techniques/T1548/docker/data.yml delete mode 100644 datasets/attack_techniques/T1548/emacs/data.yml delete mode 100644 datasets/attack_techniques/T1548/find/data.yml delete mode 100644 datasets/attack_techniques/T1548/gawk/data.yml delete mode 100644 datasets/attack_techniques/T1548/gdb/data.yml delete mode 100644 datasets/attack_techniques/T1548/gem/data.yml delete mode 100644 datasets/attack_techniques/T1548/make/data.yml delete mode 100644 datasets/attack_techniques/T1548/mysql/data.yml delete mode 100644 datasets/attack_techniques/T1548/node/data.yml delete mode 100644 datasets/attack_techniques/T1548/octave/data.yml delete mode 100644 datasets/attack_techniques/T1548/openvpn/data.yml delete mode 100644 datasets/attack_techniques/T1548/php/data.yml delete mode 100644 datasets/attack_techniques/T1548/puppet/data.yml delete mode 100644 datasets/attack_techniques/T1548/rpm/data.yml delete mode 100644 datasets/attack_techniques/T1548/ruby/data.yml delete mode 100644 datasets/attack_techniques/T1548/sqlite3/data.yml delete mode 100644 datasets/attack_techniques/T1548/uac_bypass/data.yml delete mode 100644 datasets/attack_techniques/T1550.002/atomic_red_team/data.yml rename datasets/attack_techniques/T1550.003/mimikatz/{data.yml => mimikatz.yml} (61%) delete mode 100644 datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml delete mode 100644 datasets/attack_techniques/T1550.003/rubeus/data.yml delete mode 100644 datasets/attack_techniques/T1550/rubeus/data.yml delete mode 100644 datasets/attack_techniques/T1552.001/password_in_username/data.yml delete mode 100644 datasets/attack_techniques/T1552.002/autoadminlogon/data.yml delete mode 100644 datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml delete mode 100644 datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml delete mode 100644 datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml delete mode 100644 datasets/attack_techniques/T1552/aws_getpassworddata/data.yml delete mode 100644 datasets/attack_techniques/T1553.003/sip/data.yml delete mode 100644 datasets/attack_techniques/T1553.004/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml delete mode 100644 datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml delete mode 100644 datasets/attack_techniques/T1555/web_browser_pass_view/data.yml delete mode 100644 datasets/attack_techniques/T1556.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml delete mode 100644 datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml delete mode 100644 datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1556/azuread/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml delete mode 100644 datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml rename datasets/attack_techniques/T1556/disable_credential_guard/{data.yml => disable_credential_guard.yml} (61%) delete mode 100644 datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml rename datasets/attack_techniques/T1556/disable_lsa_protection/{data.yml => disable_lsa_protection.yml} (61%) delete mode 100644 datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml delete mode 100644 datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml delete mode 100644 datasets/attack_techniques/T1556/o365_disable_mfa/data.yml delete mode 100644 datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml delete mode 100644 datasets/attack_techniques/T1556/okta_idp/data.yml delete mode 100644 datasets/attack_techniques/T1558.003/atomic_red_team/data.yml rename datasets/attack_techniques/T1558.003/powerview-2/{data.yml => powerview-2.yml} (61%) delete mode 100644 datasets/attack_techniques/T1558.003/powerview-2/powerview.yml delete mode 100644 datasets/attack_techniques/T1558.003/powerview/data.yml delete mode 100644 datasets/attack_techniques/T1558.003/rubeus/data.yml delete mode 100644 datasets/attack_techniques/T1558.004/powershell/data.yml delete mode 100644 datasets/attack_techniques/T1558/diamond_ticket/data.yml delete mode 100644 datasets/attack_techniques/T1560.001/archive_utility/data.yml delete mode 100644 datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/disable_gpo/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/unload_sysmon/data.yml delete mode 100644 datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml delete mode 100644 datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml delete mode 100644 datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml delete mode 100644 datasets/attack_techniques/T1562.004/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml delete mode 100644 datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml delete mode 100644 datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml delete mode 100644 datasets/attack_techniques/T1562.007/aws_create_acl/data.yml delete mode 100644 datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml delete mode 100644 datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml delete mode 100644 datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml delete mode 100644 datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml delete mode 100644 datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml delete mode 100644 datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml delete mode 100644 datasets/attack_techniques/T1563.002/rdphijack/data.yml delete mode 100644 datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml delete mode 100644 datasets/attack_techniques/T1564.004/ads_abuse/data.yml rename datasets/attack_techniques/T1564.008/o365/{data.yml => o365.yml} (60%) delete mode 100644 datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml delete mode 100644 datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml delete mode 100644 datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml delete mode 100644 datasets/attack_techniques/T1566.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml delete mode 100644 datasets/attack_techniques/T1566/cve-2024-21378/data.yml delete mode 100644 datasets/attack_techniques/T1566/o365_various_alerts/data.yml delete mode 100644 datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml delete mode 100644 datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml delete mode 100644 datasets/attack_techniques/T1567/web_upload_nginx/data.yml delete mode 100644 datasets/attack_techniques/T1569.002/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1569.002/linux_service_start/data.yml delete mode 100644 datasets/attack_techniques/T1569.002/remcom/data.yml delete mode 100644 datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml delete mode 100644 datasets/attack_techniques/T1570/remcom/data.yml delete mode 100644 datasets/attack_techniques/T1572/cobalt_strike/data.yml delete mode 100644 datasets/attack_techniques/T1572/ngrok/data.yml delete mode 100644 datasets/attack_techniques/T1572/plink/data.yml delete mode 100644 datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml rename datasets/attack_techniques/T1572/ssh_proxy_command/{data.yml => ssh_proxy_command.yml} (63%) delete mode 100644 datasets/attack_techniques/T1574.001/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1574.001/iscsicpl/data.yml delete mode 100644 datasets/attack_techniques/T1574.002/hijacklibs/data.yml delete mode 100644 datasets/attack_techniques/T1574.002/msi_module_load/data.yml delete mode 100644 datasets/attack_techniques/T1574.002/wineloader/data.yml delete mode 100644 datasets/attack_techniques/T1574.006/lib_hijack/data.yml delete mode 100644 datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml delete mode 100644 datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml delete mode 100644 datasets/attack_techniques/T1574.009/atomic_red_team/data.yml delete mode 100644 datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml delete mode 100644 datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml delete mode 100644 datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml rename datasets/attack_techniques/T1587.002/atomic_red_team/{data.yml => atomic_red_team.yml} (62%) delete mode 100644 datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml delete mode 100644 datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml rename datasets/attack_techniques/T1588.002/atomic_red_team/{data.yml => atomic_red_team.yml} (61%) delete mode 100644 datasets/attack_techniques/T1590.002/enum_dns_record/data.yml delete mode 100644 datasets/attack_techniques/T1595/attacker_scan_tools/data.yml delete mode 100644 datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml delete mode 100644 datasets/attack_techniques/T1598.002/rdp/data.yml delete mode 100644 datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml delete mode 100644 datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml delete mode 100644 datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml delete mode 100644 datasets/attack_techniques/T1621/azuread/data.yml delete mode 100644 datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml delete mode 100644 datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml delete mode 100644 datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml delete mode 100644 datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml delete mode 100644 datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml delete mode 100644 datasets/attack_techniques/T1621/okta_mismatch/data.yml delete mode 100644 datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml delete mode 100644 datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml rename datasets/attack_techniques/T1621/pingid/{data.yml => pingid.yml} (67%) delete mode 100644 datasets/attack_techniques/T1621/pingid/pingid_dataset.yml delete mode 100644 datasets/attack_techniques/T1649/atomic_red_team/data.yml rename datasets/attack_techniques/T1649/certify_abuse/{data.yml => certify_abuse.yml} (52%) delete mode 100644 datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml delete mode 100644 datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml delete mode 100644 datasets/attack_techniques/t1592/host_info_dxdiag/data.yml delete mode 100644 datasets/attack_techniques/t1592/pwh_av_recon/data.yml delete mode 100644 datasets/malware/acidrain/data.yml delete mode 100644 datasets/malware/agent_tesla/agent_tesla_ftp/data.yml delete mode 100644 datasets/malware/agent_tesla/agent_tesla_smtp/data.yml delete mode 100644 datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml delete mode 100644 datasets/malware/agent_tesla/chm_powershell/data.yml delete mode 100644 datasets/malware/amadey/access_permission/data.yml delete mode 100644 datasets/malware/awfulshred/test1/data.yml delete mode 100644 datasets/malware/awfulshred/test2/data.yml delete mode 100644 datasets/malware/awfulshred/test3/data.yml delete mode 100644 datasets/malware/azorult/data.yml delete mode 100644 datasets/malware/brute_ratel/brute_duplicate_token/data.yml delete mode 100644 datasets/malware/brute_ratel/create_remote_thread/data.yml delete mode 100644 datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml delete mode 100644 datasets/malware/brute_ratel/loading_samlib/data.yml delete mode 100644 datasets/malware/brute_ratel/service_deletion/data.yml delete mode 100644 datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml delete mode 100644 datasets/malware/chaos_ransomware/data.yml delete mode 100644 datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml delete mode 100644 datasets/malware/clop/clop_a/data.yml delete mode 100644 datasets/malware/clop/clop_b/data.yml delete mode 100644 datasets/malware/conti/conti_leak/data.yml delete mode 100644 datasets/malware/cyclopsblink/data.yml delete mode 100644 datasets/malware/dcrat/dcrat_delay_execution/data.yml delete mode 100644 datasets/malware/dcrat/dcrat_enum_camera/data.yml delete mode 100644 datasets/malware/dcrat/dcrat_explorer_url/data.yml delete mode 100644 datasets/malware/dcrat/dcrat_forkbomb/data.yml delete mode 100644 datasets/malware/dcrat/reboot_logoff_commandline/data.yml delete mode 100644 datasets/malware/dcrat/shutdown_commandline/data.yml delete mode 100644 datasets/malware/doublezero_wiper/data.yml delete mode 100644 datasets/malware/fin7/fin7_js_2/data.yml delete mode 100644 datasets/malware/fin7/fin7_macro_js_1/data.yml delete mode 100644 datasets/malware/fin7/jssloader/data.yml delete mode 100644 datasets/malware/gootloader/partial_ttps/gootloader.yml rename datasets/malware/gootloader/partial_ttps/{data.yml => partial_ttps.yml} (72%) delete mode 100644 datasets/malware/hermetic_wiper/data.yml delete mode 100644 datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml delete mode 100644 datasets/malware/icedid/cmd_carry_str_param/data.yml delete mode 100644 datasets/malware/icedid/disable_av/data.yml delete mode 100644 datasets/malware/icedid/disable_schtask/data.yml delete mode 100644 datasets/malware/icedid/inf_icedid/data.yml delete mode 100644 datasets/malware/icedid/phish_icedid/data.yml delete mode 100644 datasets/malware/icedid/simulated_icedid/data.yml delete mode 100644 datasets/malware/industroyer2/data.yml delete mode 100644 datasets/malware/lockbit_ransomware/data.yml delete mode 100644 datasets/malware/olympic_destroyer/data.yml delete mode 100644 datasets/malware/prestige_ransomware/data.yml delete mode 100644 datasets/malware/qakbot/data.yml delete mode 100644 datasets/malware/qakbot/qbot2/data.yml delete mode 100644 datasets/malware/qakbot/qbot_3/data.yml delete mode 100644 datasets/malware/qakbot/qbot_wermgr/data.yml delete mode 100644 datasets/malware/qakbot/qbot_wermgr2/data.yml delete mode 100644 datasets/malware/qakbot/remote_thread/data.yml delete mode 100644 datasets/malware/redline/modify_registry/data.yml delete mode 100644 datasets/malware/remcos/remcos/data.yml delete mode 100644 datasets/malware/remcos/remcos_agent/data.yml delete mode 100644 datasets/malware/remcos/remcos_dynwrapx/data.yml delete mode 100644 datasets/malware/remcos/remcos_pastebin_download/data.yml delete mode 100644 datasets/malware/remcos/remcos_registry/data.yml delete mode 100644 datasets/malware/revil/msmpeng_side/data.yml delete mode 100644 datasets/malware/ryuk/data.yml delete mode 100644 datasets/malware/snakemalware/snake.yml rename datasets/malware/snakemalware/{data.yml => snakemalware.yml} (83%) delete mode 100644 datasets/malware/swift_slicer/data.yml delete mode 100644 datasets/malware/trickbot/spear_phish/data.yml delete mode 100644 datasets/malware/vilsel/vilse.yml rename datasets/malware/vilsel/{data.yml => vilsel.yml} (68%) delete mode 100644 datasets/malware/winpeas/data.yml delete mode 100644 datasets/malware/winpeas/powershell/data.yml delete mode 100644 datasets/malware/winpeas/winpeas_cmdkeylist/data.yml delete mode 100644 datasets/malware/winpeas/winpeas_fsutil/data.yml delete mode 100644 datasets/malware/winpeas/winpeas_search_private_key/data.yml delete mode 100644 datasets/malware/winpeas/winpeas_search_pwd/data.yml delete mode 100644 datasets/malware/winpeas/winpeas_search_pwd_db/data.yml delete mode 100644 datasets/malware/winter-vivern/pwh_exfiltration/data.yml delete mode 100644 datasets/malware/winter-vivern/pwh_uploadstring/data.yml delete mode 100644 datasets/malware/winter-vivern/scheduledtask/data.yml diff --git a/bin/rename_data.py b/bin/rename_data.py deleted file mode 100644 index fb1b36299..000000000 --- a/bin/rename_data.py +++ /dev/null @@ -1,306 +0,0 @@ -#!/usr/bin/env python3 -""" -Script to analyze folders recursively and rename data.yml files. - -When a folder contains: -- A data.yml file -- Another yml file with a different name - -The script will: -1. Copy metadata (author, id, date, description) from the other yml file to data.yml -2. Remove the other yml file -3. Rename data.yml to match the folder name (folder_name.yml) -""" - -import argparse -import logging -import yaml -from pathlib import Path -from typing import List, Tuple, Optional, Dict, Any - - -def setup_logging(verbose: bool = False) -> None: - """Setup logging configuration.""" - level = logging.DEBUG if verbose else logging.INFO - logging.basicConfig( - level=level, - format='%(asctime)s - %(levelname)s - %(message)s', - datefmt='%Y-%m-%d %H:%M:%S' - ) - - -def find_yml_files(directory: Path) -> List[Path]: - """Find all yml/yaml files in a directory (not recursive).""" - yml_files = [] - for file_path in directory.iterdir(): - if file_path.is_file() and file_path.suffix.lower() in ['.yml', '.yaml']: - yml_files.append(file_path) - return yml_files - - -def load_yaml_file(file_path: Path) -> Optional[Dict[str, Any]]: - """ - Load and parse a YAML file. - - Returns: - Dictionary containing the YAML data, or None if there was an error - """ - logger = logging.getLogger(__name__) - try: - with open(file_path, 'r', encoding='utf-8') as f: - return yaml.safe_load(f) - except Exception as e: - logger.error(f"Error loading YAML file {file_path}: {e}") - return None - - -def save_yaml_file(file_path: Path, data: Dict[str, Any]) -> bool: - """ - Save data to a YAML file. - - Returns: - True if successful, False otherwise - """ - logger = logging.getLogger(__name__) - try: - with open(file_path, 'w', encoding='utf-8') as f: - yaml.dump(data, f, default_flow_style=False, sort_keys=False, - allow_unicode=True) - return True - except Exception as e: - logger.error(f"Error saving YAML file {file_path}: {e}") - return False - - -def copy_metadata_fields(source_data: Dict[str, Any], target_data: Dict[str, Any]) \ - -> Dict[str, Any]: - """ - Copy metadata fields (author, id, date, description) from source to target. - - Args: - source_data: YAML data from the other yml file - target_data: YAML data from data.yml file - - Returns: - Updated target data with copied metadata - """ - logger = logging.getLogger(__name__) - metadata_fields = ['author', 'id', 'date', 'description'] - - updated_data = target_data.copy() - - for field in metadata_fields: - if field in source_data: - old_value = updated_data.get(field, 'N/A') - new_value = source_data[field] - logger.info(f"Copying {field}: '{old_value}' -> '{new_value}'") - updated_data[field] = new_value - else: - logger.warning(f"Field '{field}' not found in source file") - - return updated_data - - -def analyze_directory(directory: Path) -> Optional[Tuple[Path, List[Path]]]: - """ - Analyze a directory for data.yml and other yml files. - - Returns: - Tuple of (data_yml_path, other_yml_files) if conditions are met, None otherwise - """ - yml_files = find_yml_files(directory) - - if len(yml_files) < 2: - return None - - data_yml = None - other_yml_files = [] - - for yml_file in yml_files: - if yml_file.name.lower() == 'data.yml': - data_yml = yml_file - else: - other_yml_files.append(yml_file) - - # Return only if we have data.yml and at least one other yml file - if data_yml and other_yml_files: - return (data_yml, other_yml_files) - - return None - - -def process_directory(directory: Path, dry_run: bool = False) -> bool: - """ - Process a directory that meets our criteria. - - Args: - directory: The directory to process - dry_run: If True, only log what would be done without actually doing it - - Returns: - True if processing was successful, False otherwise - """ - logger = logging.getLogger(__name__) - - result = analyze_directory(directory) - if not result: - return False - - data_yml, other_yml_files = result - folder_name = directory.name - new_yml_name = f"{folder_name}.yml" - new_yml_path = directory / new_yml_name - - logger.info(f"Processing directory: {directory}") - logger.info(f"Found data.yml: {data_yml}") - logger.info(f"Found other yml files: {[str(f) for f in other_yml_files]}") - - try: - # Step 1: Copy metadata from other yml files to data.yml - data_yml_content = load_yaml_file(data_yml) - if not data_yml_content: - logger.error(f"Failed to load data.yml: {data_yml}") - return False - - # Process each other yml file and copy metadata - for other_yml in other_yml_files: - other_yml_content = load_yaml_file(other_yml) - if other_yml_content: - logger.info(f"Copying metadata from {other_yml.name} to data.yml") - data_yml_content = copy_metadata_fields( - other_yml_content, data_yml_content) - else: - logger.warning(f"Failed to load other yml file: {other_yml}") - - # Save the updated data.yml - if dry_run: - logger.info("[DRY RUN] Would update data.yml with copied metadata") - else: - logger.info("Updating data.yml with copied metadata") - if not save_yaml_file(data_yml, data_yml_content): - logger.error(f"Failed to save updated data.yml: {data_yml}") - return False - - # Step 2: Remove other yml files - for other_yml in other_yml_files: - if dry_run: - logger.info(f"[DRY RUN] Would remove: {other_yml}") - else: - logger.info(f"Removing: {other_yml}") - other_yml.unlink() - - # Step 3: Rename data.yml to folder name - if dry_run: - logger.info(f"[DRY RUN] Would rename {data_yml} to {new_yml_path}") - else: - logger.info(f"Renaming {data_yml} to {new_yml_path}") - data_yml.rename(new_yml_path) - - logger.info(f"Successfully processed directory: {directory}") - return True - - except Exception as e: - logger.error(f"Error processing directory {directory}: {e}") - return False - - -def scan_directory_recursive(root_directory: Path, dry_run: bool = False) -> \ - Tuple[int, int]: - """ - Recursively scan directories and process them. - - Returns: - Tuple of (directories_processed, errors_encountered) - """ - logger = logging.getLogger(__name__) - processed_count = 0 - error_count = 0 - - logger.info(f"Starting recursive scan of: {root_directory}") - - # Walk through all directories recursively - for current_dir in root_directory.rglob('*'): - if current_dir.is_dir(): - logger.debug(f"Checking directory: {current_dir}") - - try: - if process_directory(current_dir, dry_run): - processed_count += 1 - except Exception as e: - logger.error(f"Unexpected error processing {current_dir}: {e}") - error_count += 1 - - return processed_count, error_count - - -def main(): - """Main function to handle command line arguments and execute the script.""" - parser = argparse.ArgumentParser( - description="Recursively analyze folders and rename data.yml files", - formatter_class=argparse.RawDescriptionHelpFormatter, - epilog=""" -Examples: - python rename_data.py /path/to/folder - python rename_data.py /path/to/folder --dry-run - python rename_data.py /path/to/folder --verbose - """ - ) - parser.add_argument( - 'folder', - type=str, - help='Path to the root folder to analyze' - ) - - parser.add_argument( - '--dry-run', - action='store_true', - help='Show what would be done without actually making changes' - ) - - parser.add_argument( - '--verbose', - action='store_true', - help='Enable verbose logging' - ) - - args = parser.parse_args() - - # Setup logging - setup_logging(args.verbose) - logger = logging.getLogger(__name__) - - # Validate input folder - root_path = Path(args.folder).resolve() - if not root_path.exists(): - logger.error(f"Error: The specified folder does not exist: {root_path}") - return 1 - - if not root_path.is_dir(): - logger.error(f"Error: The specified path is not a directory: {root_path}") - return 1 - - logger.info(f"Analyzing folder: {root_path}") - if args.dry_run: - logger.info("DRY RUN MODE - No changes will be made") - - # Process the directories - try: - processed_count, error_count = scan_directory_recursive(root_path, args.dry_run) - - logger.info("Scan completed!") - logger.info(f"Directories processed: {processed_count}") - if error_count > 0: - logger.warning(f"Errors encountered: {error_count}") - - return 0 if error_count == 0 else 1 - - except KeyboardInterrupt: - logger.info("Operation cancelled by user") - return 1 - except Exception as e: - logger.error(f"Unexpected error: {e}") - return 1 - - -if __name__ == "__main__": - exit(main()) diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml index a03c4885e..035258bfe 100644 --- a/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.001/atomic_red_team/atomic_red_team.yml @@ -9,22 +9,27 @@ description: 'Atomic Test Results: Successful Execution of test T1003.001-1 Wind Offline Credential Theft With Mimikatz Return value unclear for test T1003.001-7 LSASS read with pypykatz ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_001.yml +directory: atomic_red_team +mitre_technique: +- T1003.001 +datasets: +- name: windows-sysmon_creddump + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: procdump_windows-security + path: /datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: createdump_windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml deleted file mode 100644 index f44d7dfaa..000000000 --- a/datasets/attack_techniques/T1003.001/atomic_red_team/data.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Generated by dataset_analyzer.py -id: aebdb3f2-5df9-486b-8b73-87a9a5e51cc0 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1003.001 -datasets: -- name: windows-sysmon_creddump - path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon_creddump.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: procdump_windows-security - path: /datasets/attack_techniques/T1003.001/atomic_red_team/procdump_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: crowdstrike_falcon - path: /datasets/attack_techniques/T1003.001/atomic_red_team/crowdstrike_falcon.log - sourcetype: crowdstrike:events:sensor - source: crowdstrike -- name: createdump_windows-sysmon - path: /datasets/attack_techniques/T1003.001/atomic_red_team/createdump_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml index 30055e5f2..5b52451ba 100644 --- a/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.002/atomic_red_team/atomic_red_team.yml @@ -5,22 +5,15 @@ description: 'Atomic Test Results: Successful Execution of test T1003.002-1 Regi dump of SAM, creds, and secrets Return value unclear for test T1003.002-2 Registry parse with pypykatz Successful Execution of test T1003.002-3 esentutl.exe SAM copy ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/attack-range-windows-domain-controller.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/copy-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-security_ssa.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_002.yml +directory: atomic_red_team +mitre_technique: +- T1003.002 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml deleted file mode 100644 index c0db9140e..000000000 --- a/datasets/attack_techniques/T1003.002/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c1560e15-24a3-41ef-8c8b-98caaa6d13cc -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1003.002 -datasets: -- name: crowdstrike_falcon - path: /datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log - sourcetype: crowdstrike:events:sensor - source: crowdstrike -- name: windows-sysmon - path: /datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.002/serioussam/data.yml b/datasets/attack_techniques/T1003.002/serioussam/data.yml deleted file mode 100644 index 4f64f44d3..000000000 --- a/datasets/attack_techniques/T1003.002/serioussam/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1a6789ed-c2ab-4937-939c-03eb41a8c653 -date: '2025-08-12' -description: Automatically categorized datasets in directory serioussam -environment: attack_range -directory: serioussam -mitre_technique: -- T1003.002 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1003.002/serioussam/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml b/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml index 4c1823bf9..923e6da58 100644 --- a/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml +++ b/datasets/attack_techniques/T1003.002/serioussam/serioussam.yml @@ -4,11 +4,11 @@ date: '2021-07-21' description: CVE-2021-36934 exploitation using PowerShell to copy the SAM, SYSTEM and SECURITY hives from a Volume Shadow Copy to a temp folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 +directory: serioussam +mitre_technique: +- T1003.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1003.002/serioussam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml index 77ce3eeb5..0f2d7bbb3 100644 --- a/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1003.003/atomic_red_team/atomic_red_team.yml @@ -9,21 +9,19 @@ description: 'Atomic Test Results: Successful Execution of test T1003.003-1 Crea with Powershell Successful Execution of test T1003.003-6 Create Symlink to Volume Shadow Copy ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sec-events.out -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1003/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md -- https://github.com/splunk/security-content/blob/develop/tests/T1003_003.yml +directory: atomic_red_team +mitre_technique: +- T1003.003 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: 4688_windows-security + path: /datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml deleted file mode 100644 index 054d62e8a..000000000 --- a/datasets/attack_techniques/T1003.003/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 75688df7-5503-4cb0-9218-aa8951c11f39 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1003.003 -datasets: -- name: crowdstrike_falcon - path: /datasets/attack_techniques/T1003.003/atomic_red_team/crowdstrike_falcon.log - sourcetype: crowdstrike:events:sensor - source: crowdstrike -- name: 4688_windows-security - path: /datasets/attack_techniques/T1003.003/atomic_red_team/4688_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml b/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml index ae362a164..9683a3305 100644 --- a/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml +++ b/datasets/attack_techniques/T1003.004/NoLMHash/NoLMHash.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: e68c62ae-dc5b-4852-bfb1-860b104358b7 date: '2023-12-15' description: Generated datasets for NoLMHash in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: NoLMHash +mitre_technique: +- T1003.004 +datasets: +- name: lsa-reg-settings-sysmon + path: /datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.004/NoLMHash/data.yml b/datasets/attack_techniques/T1003.004/NoLMHash/data.yml deleted file mode 100644 index 9174abfea..000000000 --- a/datasets/attack_techniques/T1003.004/NoLMHash/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c4b3c930-dbea-4a6c-a98f-5f26fd2bbabe -date: '2025-08-12' -description: Automatically categorized datasets in directory NoLMHash -environment: attack_range -directory: NoLMHash -mitre_technique: -- T1003.004 -datasets: -- name: lsa-reg-settings-sysmon - path: /datasets/attack_techniques/T1003.004/NoLMHash/lsa-reg-settings-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.006/impacket/data.yml b/datasets/attack_techniques/T1003.006/impacket/impacket.yml similarity index 53% rename from datasets/attack_techniques/T1003.006/impacket/data.yml rename to datasets/attack_techniques/T1003.006/impacket/impacket.yml index f5f1913af..559786202 100644 --- a/datasets/attack_techniques/T1003.006/impacket/data.yml +++ b/datasets/attack_techniques/T1003.006/impacket/impacket.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: e3e707b3-664d-4597-b749-f13cc8d3fdb5 -date: '2025-08-12' -description: Automatically categorized datasets in directory impacket +author: Dean Luxton +id: 3529f540-4c07-44f5-8e9c-940ebf3af41a +date: '2022-07-20' +description: Manual execution of secretsdump.py to perform a DCSync attack using a + domain administrator account & also DC's computer account. environment: attack_range directory: impacket mitre_technique: diff --git a/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml b/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml deleted file mode 100644 index 6f011dce1..000000000 --- a/datasets/attack_techniques/T1003.006/impacket/secretsdump.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: 3529f540-4c07-44f5-8e9c-940ebf3af41a -date: '2022-07-20' -description: Manual execution of secretsdump.py to perform a DCSync attack using a domain administrator account & also DC's computer account. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/zeek-dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-directory_service.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -references: -- https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py -- https://attack.mitre.org/techniques/T1003/006 diff --git a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml b/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml deleted file mode 100644 index 67e4fb6e7..000000000 --- a/datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Dean Luxton -id: b8460129-8cfb-449a-9b69-ac1148698319 -date: '2022-07-20' -description: Manual execution of the mimikatz DCSync attack. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/zeek-dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-directory_service.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1729 -- https://attack.mitre.org/techniques/T1003/006 diff --git a/datasets/attack_techniques/T1003.006/mimikatz/data.yml b/datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml similarity index 60% rename from datasets/attack_techniques/T1003.006/mimikatz/data.yml rename to datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml index cb804047a..360846b90 100644 --- a/datasets/attack_techniques/T1003.006/mimikatz/data.yml +++ b/datasets/attack_techniques/T1003.006/mimikatz/mimikatz.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: c65ce500-ac9e-4f01-a4d1-7b59eef7c07c -date: '2025-08-12' -description: Automatically categorized datasets in directory mimikatz +author: Dean Luxton +id: b8460129-8cfb-449a-9b69-ac1148698319 +date: '2022-07-20' +description: Manual execution of the mimikatz DCSync attack. environment: attack_range directory: mimikatz mitre_technique: diff --git a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml index e4b273d66..1a2bd0ba5 100644 --- a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml +++ b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/copy_file_stdoutpipe.yml @@ -3,9 +3,11 @@ id: 55292554-6262-11ec-aae4-acde48001122 date: '2021-12-21' description: Generated datasets for copy file stdoutpipe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1003/008/ \ No newline at end of file +directory: copy_file_stdoutpipe +mitre_technique: +- T1003.008 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml b/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml deleted file mode 100644 index d3fd5f8fa..000000000 --- a/datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 84ddc704-c5a6-4964-86c9-cc11cca6e530 -date: '2025-08-12' -description: Automatically categorized datasets in directory copy_file_stdoutpipe -environment: attack_range -directory: copy_file_stdoutpipe -mitre_technique: -- T1003.008 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1003.008/copy_file_stdoutpipe/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml deleted file mode 100644 index 0035f7ba3..000000000 --- a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: aacf4255-ce77-43da-9705-ad794ecccf61 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_access_credential -environment: attack_range -directory: linux_auditd_access_credential -mitre_technique: -- T1003.008 -datasets: -- name: auditd_proctitle_access_cred - path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log - sourcetype: auditd - source: auditd -- name: linux_auditd_access_credential - path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml index a3fdc8e8d..db69774ca 100644 --- a/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml +++ b/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.yml @@ -3,9 +3,15 @@ id: 6c67fe1c-ef9e-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd access credential in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/445361/what-is-difference-between-etc-shadow-and-etc-passwd \ No newline at end of file +directory: linux_auditd_access_credential +mitre_technique: +- T1003.008 +datasets: +- name: auditd_proctitle_access_cred + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/auditd_proctitle_access_cred.log + sourcetype: auditd + source: auditd +- name: linux_auditd_access_credential + path: /datasets/attack_techniques/T1003.008/linux_auditd_access_credential/linux_auditd_access_credential.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml b/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml index f8b41c3a3..8320f70b4 100644 --- a/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml +++ b/datasets/attack_techniques/T1003/credential_extraction/credential_extraction.yml @@ -3,18 +3,12 @@ id: cc9b2669-efc9-11eb-926b-550bf0143fb1 date: '2021-02-23' description: Credential extraction via DSInternals and PowerSploit modules, as well as CacheDump, FGDump, Lazagne, Mimikatz, native Microsoft debugging tools -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllDSInternalsModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logFgdump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logPowerShellModule.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLazagneCredDump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllMimikatzModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logLiveKDFullKernelDump.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/logAllPowerSploitModulesWithOldNames.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log -sourcetypes: -- WinEventLog:Security -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1003/ \ No newline at end of file +environment: attack_range +directory: credential_extraction +mitre_technique: +- T1003 +datasets: +- name: mimikatzwindows-sysmon + path: /datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003/credential_extraction/data.yml b/datasets/attack_techniques/T1003/credential_extraction/data.yml deleted file mode 100644 index c75567b8a..000000000 --- a/datasets/attack_techniques/T1003/credential_extraction/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 33834b27-ceee-4686-acf2-57eff4d2b891 -date: '2025-08-12' -description: Automatically categorized datasets in directory credential_extraction -environment: attack_range -directory: credential_extraction -mitre_technique: -- T1003 -datasets: -- name: mimikatzwindows-sysmon - path: /datasets/attack_techniques/T1003/credential_extraction/mimikatzwindows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003/wdigest_enable/data.yml b/datasets/attack_techniques/T1003/wdigest_enable/data.yml deleted file mode 100644 index 533cd3999..000000000 --- a/datasets/attack_techniques/T1003/wdigest_enable/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9d0f9fa3-61a5-4956-9480-bf35ead67ddd -date: '2025-08-12' -description: Automatically categorized datasets in directory wdigest_enable -environment: attack_range -directory: wdigest_enable -mitre_technique: -- T1003 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1003/wdigest_enable/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml b/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml index cabbffe1e..b5174e2e5 100644 --- a/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml +++ b/datasets/attack_techniques/T1003/wdigest_enable/wdigest_enable.yml @@ -3,7 +3,11 @@ id: 63aa35fd-7ada-4d23-8cf1-070b8c5abd3f date: '2021-10-05' description: wdigest regsitry enable datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003/wdigest_enable/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: wdigest_enable +mitre_technique: +- T1003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1003/wdigest_enable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1014/data.yml b/datasets/attack_techniques/T1014/T1014.yml similarity index 70% rename from datasets/attack_techniques/T1014/data.yml rename to datasets/attack_techniques/T1014/T1014.yml index 99ce217b8..7a5eb4b43 100644 --- a/datasets/attack_techniques/T1014/data.yml +++ b/datasets/attack_techniques/T1014/T1014.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 07f8dba3-4141-463d-b7a6-fc86a6594067 -date: '2025-08-12' -description: Automatically categorized datasets in directory T1014 +author: Michael Haag +id: cc9b25f1-efc1-12eb-926b-550bf0943fbb +date: '2022-04-04' +description: Interesting drivers loading on Windows. environment: attack_range directory: T1014 mitre_technique: diff --git a/datasets/attack_techniques/T1014/drivers.yml b/datasets/attack_techniques/T1014/drivers.yml deleted file mode 100644 index 1ab551a6b..000000000 --- a/datasets/attack_techniques/T1014/drivers.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Michael Haag -id: cc9b25f1-efc1-12eb-926b-550bf0943fbb -date: '2022-04-04' -description: Interesting drivers loading on Windows. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- XmlWinEventLog:System -references: -- https://attack.mitre.org/techniques/T1014 diff --git a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml deleted file mode 100644 index 909867469..000000000 --- a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4be7f772-9d23-48db-a390-518ed9d32f3d -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_net_discovery -environment: attack_range -directory: linux_net_discovery -mitre_technique: -- T1016 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml index 2b6e26368..c81dd314b 100644 --- a/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml +++ b/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/linux_net_discovery.yml @@ -3,9 +3,11 @@ id: 93252b82-8d73-11ec-bb43-acde48001122 date: '2022-02-14' description: Generated datasets for linux net discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md \ No newline at end of file +directory: linux_net_discovery +mitre_technique: +- T1016 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/discovery_commands/data.yml b/datasets/attack_techniques/T1016/discovery_commands/data.yml deleted file mode 100644 index cd6f24ed3..000000000 --- a/datasets/attack_techniques/T1016/discovery_commands/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5ef093fd-17cd-4947-9646-c388e7e08d54 -date: '2025-08-12' -description: Automatically categorized datasets in directory discovery_commands -environment: attack_range -directory: discovery_commands -mitre_technique: -- T1016 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml b/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml index cf7007bd9..93c5b6db8 100644 --- a/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml +++ b/datasets/attack_techniques/T1016/discovery_commands/discovery_commands.yml @@ -3,15 +3,11 @@ id: cc9b25e5-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual execution of multiple discovery commands. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1016 +directory: discovery_commands +mitre_technique: +- T1016 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml deleted file mode 100644 index 7ce5c01a5..000000000 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 650a428f-3907-4658-9528-dd7a32c9dd1f -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_net_tool -environment: attack_range -directory: linux_auditd_net_tool -mitre_technique: -- T1016 -datasets: -- name: linux_auditd_net_tool - path: /datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml index 0cda382ee..9f93fc959 100644 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.yml @@ -3,9 +3,11 @@ id: 4655b948-5ef9-11ef-8b94-acde48001122 date: '2024-08-20' description: Generated datasets for linux auditd net tool in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log -sourcetypes: -- 'linux:audit' -references: -- https://attack.mitre.org/techniques/T1016/ \ No newline at end of file +directory: linux_auditd_net_tool +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool/linux_auditd_net_tool.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml deleted file mode 100644 index a1749a99b..000000000 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cc95f5bc-508e-4bd1-99b5-04b8257f23b2 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_net_tool_new -environment: attack_range -directory: linux_auditd_net_tool_new -mitre_technique: -- T1016 -datasets: -- name: linux_auditd_net_tool_bucket_new - path: /datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml index 52b0a7219..38a3ec9cc 100644 --- a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml +++ b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml @@ -3,9 +3,11 @@ id: 05399f54-1ab2-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd net tool new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_net_tool_new +mitre_technique: +- T1016 +datasets: +- name: linux_auditd_net_tool_bucket_new + path: /datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml index 63422e637..dc3081f10 100644 --- a/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1018/AD_discovery/AD_discovery.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: 82e395f1-71d8-4cfc-8757-2dd3ab527e77 date: '2021-09-07' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/AD_discovery/data.yml b/datasets/attack_techniques/T1018/AD_discovery/data.yml deleted file mode 100644 index 9bf566bb1..000000000 --- a/datasets/attack_techniques/T1018/AD_discovery/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a8d36093-fbdd-487f-a0fc-ef32acc80dd5 -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1018 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml index fd8a62523..b4ce177f3 100644 --- a/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1018/atomic_red_team/atomic_red_team.yml @@ -11,16 +11,11 @@ description: 'Atomic Test Results: Return value unclear for test T1018-1 Remote T1018-10 Adfind - Enumerate Active Directory Computer Objects Return value unclear for test T1018-11 Adfind - Enumerate Active Directory Domain Controller Objects ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1018/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md +directory: atomic_red_team +mitre_technique: +- T1018 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1018/atomic_red_team/data.yml b/datasets/attack_techniques/T1018/atomic_red_team/data.yml deleted file mode 100644 index 2982e73a7..000000000 --- a/datasets/attack_techniques/T1018/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7b4c2c13-c889-474b-995c-8a8fd6f31cc9 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1018 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1020/data.yml b/datasets/attack_techniques/T1020/T1020.yml similarity index 60% rename from datasets/attack_techniques/T1020/data.yml rename to datasets/attack_techniques/T1020/T1020.yml index e35246e02..d89d29b26 100644 --- a/datasets/attack_techniques/T1020/data.yml +++ b/datasets/attack_techniques/T1020/T1020.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 8a675718-3d41-4c56-8f65-df4836e8052c -date: '2025-08-12' -description: Automatically categorized datasets in directory T1020 +author: Michael Haag, Splunk +id: cc9b2621-efc9-11eb-926b-550bf0943fbb +date: '2021-05-13' +description: Generation of rclone activity related to ransomware. environment: attack_range directory: T1020 mitre_technique: diff --git a/datasets/attack_techniques/T1020/rclone.yml b/datasets/attack_techniques/T1020/rclone.yml deleted file mode 100644 index 7bf00dc92..000000000 --- a/datasets/attack_techniques/T1020/rclone.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b2621-efc9-11eb-926b-550bf0943fbb -date: '2021-05-13' -description: Generation of rclone activity related to ransomware. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1020 -- https://redcanary.com/blog/rclone-mega-extortion/ -- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html -- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ diff --git a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml deleted file mode 100644 index 40177bb27..000000000 --- a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1e0ad510-5b63-4cfc-a371-76d0c015702f -date: '2025-08-12' -description: Automatically categorized datasets in directory mstsc_rdp_cmd -environment: attack_range -directory: mstsc_rdp_cmd -mitre_technique: -- T1021.001 -datasets: -- name: mstsc_sysmon - path: /datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml index 27ccea159..dd8383bdd 100644 --- a/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml +++ b/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_rdp_cmd.yml @@ -3,9 +3,11 @@ id: 5886e632-0336-11f0-bf1c-629be3538069 date: '2025-03-17' description: Generated datasets for mstsc rdp cmd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a \ No newline at end of file +directory: mstsc_rdp_cmd +mitre_technique: +- T1021.001 +datasets: +- name: mstsc_sysmon + path: /datasets/attack_techniques/T1021.001/mstsc_rdp_cmd/mstsc_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml b/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml deleted file mode 100644 index 4a8b1d02f..000000000 --- a/datasets/attack_techniques/T1021.001/remote_desktop_connection/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: aef4f39c-5b61-45f2-9c59-23b48b3f81c5 -date: '2025-08-12' -description: Automatically categorized datasets in directory remote_desktop_connection -environment: attack_range -directory: remote_desktop_connection -mitre_technique: -- T1021.001 -datasets: -- name: zeek_conn - path: /datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log - sourcetype: bro:conn:json - source: bro diff --git a/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml b/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml index e377081b9..66e157f63 100644 --- a/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml +++ b/datasets/attack_techniques/T1021.001/remote_desktop_connection/remote_desktop_connection.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: b57a97b8-bf1c-48fd-990a-e82fc13dd7ed date: '2024-02-27' -description: 'Remote Desktop Connection' +description: Remote Desktop Connection environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log -sourcetypes: -- bro:conn:json -references: -- https://attack.mitre.org/techniques/T1021/001/ +directory: remote_desktop_connection +mitre_technique: +- T1021.001 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml index 951aa2be3..1bc21bcb4 100644 --- a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml @@ -6,20 +6,34 @@ description: 'Atomic Test Results: Return value unclear for test T1021.002-1 Map value unclear for test T1021.002-3 Copy and Execute File with PsExec Return value unclear for test T1021.002-4 Execute command writing output to local Admin Share ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: atomic_red_team +mitre_technique: +- T1021.002 +datasets: +- name: smbexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: wmiexec_windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_smbexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: firewall-powershell + path: /datasets/attack_techniques/T1021.002/atomic_red_team/firewall-powershell.log + sourcetype: firewall +- name: 4688_wmiexec_windows-security + path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml deleted file mode 100644 index 9b4586f31..000000000 --- a/datasets/attack_techniques/T1021.002/atomic_red_team/data.yml +++ /dev/null @@ -1,36 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f88a22eb-901e-4a56-a4dc-30eecbdb5ea5 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1021.002 -datasets: -- name: smbexec_windows-sysmon - path: /datasets/attack_techniques/T1021.002/atomic_red_team/smbexec_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security-xml - path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: wmiexec_windows-sysmon - path: /datasets/attack_techniques/T1021.002/atomic_red_team/wmiexec_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688_smbexec_windows-security - path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_smbexec_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: firewall-powershell - path: /datasets/attack_techniques/T1021.002/atomic_red_team/firewall-powershell.log - sourcetype: firewall -- name: 4688_wmiexec_windows-security - path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.002/executable_in_share/data.yml b/datasets/attack_techniques/T1021.002/executable_in_share/data.yml deleted file mode 100644 index a92ae05b6..000000000 --- a/datasets/attack_techniques/T1021.002/executable_in_share/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 55fb92e2-467b-4be9-bff1-85241d8bd47b -date: '2025-08-12' -description: Automatically categorized datasets in directory executable_in_share -environment: attack_range -directory: executable_in_share -mitre_technique: -- T1021.002 -datasets: -- name: windows_security_xml - path: /datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml b/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml index fbaf03e5b..8fafb04e3 100644 --- a/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml +++ b/datasets/attack_techniques/T1021.002/executable_in_share/executable_in_share.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 177bc2a6-ce86-4bb6-a73e-4a15f9377177 date: '2024-01-30' -description: 'Executable File in SMB File Share' +description: Executable File in SMB File Share environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: executable_in_share +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/executable_in_share/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml b/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml deleted file mode 100644 index f1f5e9fbd..000000000 --- a/datasets/attack_techniques/T1021.002/impacket_smbexec/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7f6d4f8a-87b2-48f7-a10e-8e7696dc0acc -date: '2025-08-12' -description: Automatically categorized datasets in directory impacket_smbexec -environment: attack_range -directory: impacket_smbexec -mitre_technique: -- T1021.002 -datasets: -- name: windows_security_xml - path: /datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml b/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml index 1299b9764..bbb3ebb58 100644 --- a/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml +++ b/datasets/attack_techniques/T1021.002/impacket_smbexec/impacket_smbexec.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 09ce0268-89f8-4029-8812-49383f8afd36 date: '2024-02-01' -description: 'Impacket smbexec execution' +description: Impacket smbexec execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: impacket_smbexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_smbexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml b/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml deleted file mode 100644 index e993b41e6..000000000 --- a/datasets/attack_techniques/T1021.002/impacket_wmiexec/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: da63ec5e-8a85-4ee2-8cfd-1f359f1718be -date: '2025-08-12' -description: Automatically categorized datasets in directory impacket_wmiexec -environment: attack_range -directory: impacket_wmiexec -mitre_technique: -- T1021.002 -datasets: -- name: windows_security_xml - path: /datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml b/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml index b8256b354..4009324df 100644 --- a/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml +++ b/datasets/attack_techniques/T1021.002/impacket_wmiexec/impacket_wmiexec.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 24447df7-2244-454e-9d8d-20d770c07f2a date: '2024-02-01' -description: 'Impacket wmiexec execution' +description: Impacket wmiexec execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1021/002/ +directory: impacket_wmiexec +mitre_technique: +- T1021.002 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.002/impacket_wmiexec/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1021.003/impacket/data.yml b/datasets/attack_techniques/T1021.003/impacket/data.yml deleted file mode 100644 index 5bccc1903..000000000 --- a/datasets/attack_techniques/T1021.003/impacket/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e2b24e1c-29a0-428e-9af1-4bad64a16b51 -date: '2025-08-12' -description: Automatically categorized datasets in directory impacket -environment: attack_range -directory: impacket -mitre_technique: -- T1021.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/impacket/impacket.yml b/datasets/attack_techniques/T1021.003/impacket/impacket.yml index cd117a877..3c20e42d5 100644 --- a/datasets/attack_techniques/T1021.003/impacket/impacket.yml +++ b/datasets/attack_techniques/T1021.003/impacket/impacket.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: d4dcde41-3544-46b9-a59d-fd5b8a4ad675 date: '2021-11-19' -description: Manually using the impacket tools to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the impacket tools to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/impacket/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://vk9-sec.com/impacket-remote-code-execution-rce-on-windows-from-linux/ +directory: impacket +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/impacket/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement/data.yml b/datasets/attack_techniques/T1021.003/lateral_movement/data.yml deleted file mode 100644 index 8bacd1738..000000000 --- a/datasets/attack_techniques/T1021.003/lateral_movement/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 289855a2-dae7-4cc2-bd8d-a2155f322873 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement -environment: attack_range -directory: lateral_movement -mitre_technique: -- T1021.003 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows_security_xml - path: /datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml index 55f1bb135..929a89eb6 100644 --- a/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1021.003/lateral_movement/lateral_movement.yml @@ -1,18 +1,22 @@ author: Mauricio Velazco id: dc188e4b-94ed-4e9f-82a1-c720657f94fc date: '2021-11-15' -description: Manually using the command line to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the command line to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://www.cybereason.com/blog/dcom-lateral-movement-techniques - - +directory: lateral_movement +mitre_technique: +- T1021.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows_security_xml + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml deleted file mode 100644 index d63ffdaf3..000000000 --- a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7422173f-e6b4-4b80-93e8-4f00f4567d54 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_lolbas -environment: attack_range -directory: lateral_movement_lolbas -mitre_technique: -- T1021.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml index f1c8eb0ed..76f39aa60 100644 --- a/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,17 +1,14 @@ author: Mauricio Velazco id: 1bacf0a4-52cc-47e3-85c5-a82dac07aa71 date: '2021-11-23' -description: Manually using the command line to start a process on a remote endpoint leveraging the DCOM protocol for lateral movement and remote code execution. +description: Manually using the command line to start a process on a remote endpoint + leveraging the DCOM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/003/ -- https://www.cybereason.com/blog/dcom-lateral-movement-techniques -- https://lolbas-project.github.io/ - - +directory: lateral_movement_lolbas +mitre_technique: +- T1021.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement/data.yml deleted file mode 100644 index 208404109..000000000 --- a/datasets/attack_techniques/T1021.006/lateral_movement/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0bd01523-e301-47e4-92aa-38d25acbc569 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement -environment: attack_range -directory: lateral_movement -mitre_technique: -- T1021.006 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml index 97429f06c..93628486e 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 39baeeae-8bf1-4ebc-8a0c-0d5613454288 date: '2021-11-12' -description: Manually using the winrs.exe binary to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using the winrs.exe binary to start a process on a remote endpoint + leveraging the WinRM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs +directory: lateral_movement +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml deleted file mode 100644 index 51253b886..000000000 --- a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e7998bca-66d9-4513-abff-978ee19fc091 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_lolbas -environment: attack_range -directory: lateral_movement_lolbas -mitre_technique: -- T1021.006 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml index 218bd5f6b..edfd511cb 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: cd2e9c68-828b-4d5d-bbd5-a69dcb1cb69a date: '2021-11-23' -description: Manually using PowerShell and the Invoke-Command commandlet to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using PowerShell and the Invoke-Command commandlet to start + a process on a remote endpoint leveraging the WinRM protocol for lateral movement + and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 - +directory: lateral_movement_lolbas +mitre_technique: +- T1021.006 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml deleted file mode 100644 index 2a6787c49..000000000 --- a/datasets/attack_techniques/T1021.006/lateral_movement_psh/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 15942573-891a-44d9-ae97-1b99a33b401d -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_psh -environment: attack_range -directory: lateral_movement_psh -mitre_technique: -- T1021.006 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml b/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml index f883dea1e..ef44c7eac 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_psh/lateral_movement_psh.yml @@ -1,16 +1,19 @@ author: Mauricio Velazco id: 97992f40-9110-40cb-b3c0-f9f615db6833 date: '2021-11-16' -description: Manually using the command line and powershell.exe to start a process on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using the command line and powershell.exe to start a process + on a remote endpoint leveraging the WinRM protocol for lateral movement and remote + code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ +directory: lateral_movement_psh +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml deleted file mode 100644 index fbc0a40d1..000000000 --- a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 74ae79de-df80-467d-89ac-4f71c636114a -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_pssession -environment: attack_range -directory: lateral_movement_pssession -mitre_technique: -- T1021.006 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml index 19bbdc979..0483d862f 100644 --- a/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml +++ b/datasets/attack_techniques/T1021.006/lateral_movement_pssession/lateral_movement_pssession.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: adb9ad41-df52-40f7-a500-3ce343c1bbde date: '2021-11-18' -description: Manually using PowerShell to start an interactive session on a remote endpoint leveraging the WinRM protocol for lateral movement and remote code execution. +description: Manually using PowerShell to start an interactive session on a remote + endpoint leveraging the WinRM protocol for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1021/006/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2 +directory: lateral_movement_pssession +mitre_technique: +- T1021.006 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml b/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml index d7f1e43b2..853660061 100644 --- a/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml +++ b/datasets/attack_techniques/T1027/FuckThatPacker/FuckThatPacker.yml @@ -1,16 +1,16 @@ author: Michael Haag, Jose Hernandez, Splunk id: 3192b298-3dfb-4d5c-b231-83edabd0d83f date: '2022-03-18' -description: 'Ran an obfuscated [payload](https://gist.github.com/MHaggis/ccd9848a52dc76e6aa0eb1da14bb7752?permalink_comment_id=4102502#gistcomment-4102502) using FuckThatPacker. These are the raw logs from both Aurora EDR Lite running default logging in json. - Also Splunk Windows Universal Forwarder with Windows TA and powershell EventCode 4101 script logging enabled.' +description: Ran an obfuscated [payload](https://gist.github.com/MHaggis/ccd9848a52dc76e6aa0eb1da14bb7752?permalink_comment_id=4102502#gistcomment-4102502) + using FuckThatPacker. These are the raw logs from both Aurora EDR Lite running default + logging in json. Also Splunk Windows Universal Forwarder with Windows TA and powershell + EventCode 4101 script logging enabled. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/FuckThatPacker/aurora-edr.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- aurora-edr -references: -- https://attack.mitre.org/techniques/T1027 -- https://www.nextron-systems.com/2021/11/13/aurora-sigma-based-edr-agent-preview/ -- https://github.com/Unknow101/FuckThatPacker +directory: FuckThatPacker +mitre_technique: +- T1027 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/FuckThatPacker/data.yml b/datasets/attack_techniques/T1027/FuckThatPacker/data.yml deleted file mode 100644 index 90e026d29..000000000 --- a/datasets/attack_techniques/T1027/FuckThatPacker/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3dc9c71d-aef6-4638-a27e-b6941d5bdfb5 -date: '2025-08-12' -description: Automatically categorized datasets in directory FuckThatPacker -environment: attack_range -directory: FuckThatPacker -mitre_technique: -- T1027 -datasets: -- name: windows-powershell - path: /datasets/attack_techniques/T1027/FuckThatPacker/windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml index 599d20ac8..48c5c7c1b 100644 --- a/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1027/atomic_red_team/atomic_red_team.yml @@ -6,21 +6,11 @@ description: 'Atomic Test Results: Successful Execution of test T1027-2 Execute from Windows Registry Return value unclear for test T1027-4 Execution from Compressed File ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/attack_data.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/attack_data.tar.gz -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1027 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md -- https://github.com/splunk/security-content/blob/develop/tests/T1027.yml +directory: atomic_red_team +mitre_technique: +- T1027 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1027/atomic_red_team/data.yml b/datasets/attack_techniques/T1027/atomic_red_team/data.yml deleted file mode 100644 index afaacb6ad..000000000 --- a/datasets/attack_techniques/T1027/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 98be0207-f04c-41b7-a7b3-9faa859d96f6 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1027 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml deleted file mode 100644 index c7fd390b7..000000000 --- a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 794c0c61-8ec3-45d2-8a39-03b1ff4d486a -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_split_b_exec -environment: attack_range -directory: linux_auditd_split_b_exec -mitre_technique: -- T1030 -datasets: -- name: auditd_execve_split - path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log - sourcetype: auditd - source: auditd -- name: linux_auditd_split_b_exec - path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml index 71abe3301..31321f1d9 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml @@ -3,9 +3,15 @@ id: a3e1c738-ef85-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd split b exec in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_b_exec +mitre_technique: +- T1030 +datasets: +- name: auditd_execve_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/auditd_execve_split.log + sourcetype: auditd + source: auditd +- name: linux_auditd_split_b_exec + path: /datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml deleted file mode 100644 index 451f44be2..000000000 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0d62e93d-8911-4f8c-b3cf-4e5dad2eb96a -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_split_syscall -environment: attack_range -directory: linux_auditd_split_syscall -mitre_technique: -- T1030 -datasets: -- name: linux_auditd_split_syscall - path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml index 52c35fac6..6a89a2f27 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml @@ -3,9 +3,11 @@ id: c6be94ea-5e01-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd split syscall in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_syscall +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_split_syscall + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml deleted file mode 100644 index dfbe8a46a..000000000 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0b98040e-f8b9-45f0-bd84-cd4465585c39 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_split_syscall_new -environment: attack_range -directory: linux_auditd_split_syscall_new -mitre_technique: -- T1030 -datasets: -- name: linux_auditd_new_split - path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml index e1d52dca3..ea411d2f2 100644 --- a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml +++ b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml @@ -3,9 +3,11 @@ id: 7d0ae338-1aaf-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd split syscall new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_split_syscall_new +mitre_technique: +- T1030 +datasets: +- name: linux_auditd_new_split + path: /datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml index 932841f7e..4b2277ec1 100644 --- a/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1033/AD_discovery/AD_discovery.yml @@ -1,13 +1,18 @@ author: Mauricio Velazco id: a382f0d7-3c76-42b3-90a8-8806b633226d date: '2021-09-13' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1033 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/AD_discovery/data.yml b/datasets/attack_techniques/T1033/AD_discovery/data.yml deleted file mode 100644 index dc9cb7ac9..000000000 --- a/datasets/attack_techniques/T1033/AD_discovery/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4920627d-b3ba-42e3-8d88-302cd0dde5fa -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1033 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1033/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml index afa943c59..5a2991ebc 100644 --- a/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1033/atomic_red_team/atomic_red_team.yml @@ -5,15 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1033-1 System Discovery Return value unclear for test T1033-3 Find computers where user has session - Stealth mode (PowerView) ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/atomic_red_team/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md +directory: atomic_red_team +mitre_technique: +- T1033 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/atomic_red_team/data.yml b/datasets/attack_techniques/T1033/atomic_red_team/data.yml deleted file mode 100644 index edeea5bd1..000000000 --- a/datasets/attack_techniques/T1033/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ee12546e-7348-44f5-8ee8-b5ec338a7dc6 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1033 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1033/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml deleted file mode 100644 index b8f059af8..000000000 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: be2f1789-b222-40d7-a96f-2fea7dc799e7 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_whoami -environment: attack_range -directory: linux_auditd_whoami -mitre_technique: -- T1033 -datasets: -- name: linux_auditd_whoami - path: /datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml index 9d494a96a..1f6174cb9 100644 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml @@ -3,9 +3,11 @@ id: 77d03c0c-5e07-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd whoami in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log -sourcetypes: -- 'linux:audit' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_whoami +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml deleted file mode 100644 index 409501aac..000000000 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c2aaa4fe-2a9d-45c8-82c1-e97d943acd9c -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_whoami_new -environment: attack_range -directory: linux_auditd_whoami_new -mitre_technique: -- T1033 -datasets: -- name: linux_auditd_new_whoami - path: /datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml index de1b8c2ee..48353d50d 100644 --- a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml +++ b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml @@ -3,9 +3,11 @@ id: 4cb6c050-1ab2-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd whoami new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_whoami_new +mitre_technique: +- T1033 +datasets: +- name: linux_auditd_new_whoami + path: /datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml deleted file mode 100644 index ce7425c3d..000000000 --- a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dcffd06e-033a-4c63-a344-1e8e65845dfa -date: '2025-08-12' -description: Automatically categorized datasets in directory qakbot_discovery_cmdline -environment: attack_range -directory: qakbot_discovery_cmdline -mitre_technique: -- T1033 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml index 4581e907b..73b80b340 100644 --- a/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml +++ b/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/qakbot_discovery_cmdline.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: bc42ab4c-bb02-479c-88da-b5b870bce9d0 date: '2022-10-21' description: Generated datasets for qakbot discovery cmdline in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://securelist.com/qakbot-technical-analysis/103931/ +environment: attack_range +directory: qakbot_discovery_cmdline +mitre_technique: +- T1033 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1033/qakbot_discovery_cmdline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/whoami_priv/data.yml b/datasets/attack_techniques/T1033/whoami_priv/data.yml deleted file mode 100644 index 1181439b7..000000000 --- a/datasets/attack_techniques/T1033/whoami_priv/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a108e47e-b480-428b-acf3-df1a5496d00f -date: '2025-08-12' -description: Automatically categorized datasets in directory whoami_priv -environment: attack_range -directory: whoami_priv -mitre_technique: -- T1033 -datasets: -- name: whoami-priv-sysmon - path: /datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml b/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml index dbf37520a..ae8916fac 100644 --- a/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml +++ b/datasets/attack_techniques/T1033/whoami_priv/whoami_priv.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: ea89e255-f54a-4627-a8de-10dcbd662993 date: '2023-12-15' description: Generated datasets for whoami priv in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: whoami_priv +mitre_technique: +- T1033 +datasets: +- name: whoami-priv-sysmon + path: /datasets/attack_techniques/T1033/whoami_priv/whoami-priv-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml index 2cfa8b3f0..b9f6800c3 100644 --- a/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1036.003/atomic_red_team/atomic_red_team.yml @@ -11,16 +11,11 @@ description: 'Atomic Test Results: Successful Execution of test T1036.003-1 Masq Execution of test T1036.003-8 Malicious process Masquerading as LSM.exe Successful Execution of test T1036.003-9 File Extension Masquerading ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md +directory: atomic_red_team +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml deleted file mode 100644 index 7e82ee38e..000000000 --- a/datasets/attack_techniques/T1036.003/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5a2c32fc-0098-4d03-91c2-d74169a210bf -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1036.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1036.003/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml b/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml index 0a07d8213..83c3fa65f 100644 --- a/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml +++ b/datasets/attack_techniques/T1036.003/copy_sysmon/copy_sysmon.yml @@ -3,7 +3,11 @@ id: a025437b-078f-4377-a932-e081ff356fcd date: '2021-10-05' description: copy files form system32 or syswow64 folder datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: copy_sysmon +mitre_technique: +- T1036.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml b/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml deleted file mode 100644 index a44a386d6..000000000 --- a/datasets/attack_techniques/T1036.003/copy_sysmon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ca227966-adc5-4e63-83e0-2cdc7b599030 -date: '2025-08-12' -description: Automatically categorized datasets in directory copy_sysmon -environment: attack_range -directory: copy_sysmon -mitre_technique: -- T1036.003 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1036.003/copy_sysmon/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml b/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml deleted file mode 100644 index a667b956b..000000000 --- a/datasets/attack_techniques/T1036.003/mpcmdrun/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a7244c9a-3bd6-4a66-b4fc-fd7b48da00ec -date: '2025-08-12' -description: Automatically categorized datasets in directory mpcmdrun -environment: attack_range -directory: mpcmdrun -mitre_technique: -- T1036.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml b/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml index 6aa8c3e1c..a2bd7c84d 100644 --- a/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml +++ b/datasets/attack_techniques/T1036.003/mpcmdrun/mpcmdrun.yml @@ -3,7 +3,11 @@ id: a025437b-075a-43b7-a932-e081ff356fcd date: '2022-07-18' description: copy files form system32 or syswow64 folder datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log -sourcetypes: -- XmlWinEventLog +directory: mpcmdrun +mitre_technique: +- T1036.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1036.003/mpcmdrun/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1036.003/samsam_extension/data.yml b/datasets/attack_techniques/T1036.003/samsam_extension/data.yml deleted file mode 100644 index a58ffb6a2..000000000 --- a/datasets/attack_techniques/T1036.003/samsam_extension/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: aaade5a2-e9c6-43df-89ed-ae717ece1c7f -date: '2025-08-12' -description: Automatically categorized datasets in directory samsam_extension -environment: attack_range -directory: samsam_extension -mitre_technique: -- T1036.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml b/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml index 92a258c06..bd2704553 100644 --- a/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml +++ b/datasets/attack_techniques/T1036.003/samsam_extension/samsam_extension.yml @@ -3,16 +3,11 @@ id: cc9b2656-efc9-11eb-926b-550bf0943fbb date: '2020-11-19' description: Manual generation of samsam ransomware file extension environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036.003/samsam_extension/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md +directory: samsam_extension +mitre_technique: +- T1036.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/data.yml b/datasets/attack_techniques/T1036/msdtc_process_param/data.yml deleted file mode 100644 index b9d59aad3..000000000 --- a/datasets/attack_techniques/T1036/msdtc_process_param/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5181fc4f-6d3f-4d04-8703-433f86b4074a -date: '2025-08-12' -description: Automatically categorized datasets in directory msdtc_process_param -environment: attack_range -directory: msdtc_process_param -mitre_technique: -- T1036 -datasets: -- name: msdtc_a_sysmon - path: /datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml index 85e64fd41..b4fa367c3 100644 --- a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml +++ b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 70ab291a-0372-4d70-b256-1b0ec12076a5 date: '2023-11-21' description: Generated datasets for msdtc process param in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx +environment: attack_range +directory: msdtc_process_param +mitre_technique: +- T1036 +datasets: +- name: msdtc_a_sysmon + path: /datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/suspicious_process_path/data.yml b/datasets/attack_techniques/T1036/suspicious_process_path/data.yml deleted file mode 100644 index af6275b65..000000000 --- a/datasets/attack_techniques/T1036/suspicious_process_path/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8a7dbac1-547b-4087-9d63-5733c96988f7 -date: '2025-08-12' -description: Automatically categorized datasets in directory suspicious_process_path -environment: attack_range -directory: suspicious_process_path -mitre_technique: -- T1036 -datasets: -- name: susp_path_sysmon1 - path: /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml b/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml index 01ff456fd..d91b83bba 100644 --- a/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml +++ b/datasets/attack_techniques/T1036/suspicious_process_path/suspicious_process_path.yml @@ -3,9 +3,11 @@ id: 2fa5d1b2-dc97-11ef-8b8c-acde48001122 date: '2025-01-27' description: Generated datasets for suspicious process path in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat \ No newline at end of file +directory: suspicious_process_path +mitre_technique: +- T1036 +datasets: +- name: susp_path_sysmon1 + path: /datasets/attack_techniques/T1036/suspicious_process_path/susp_path_sysmon1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml b/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml deleted file mode 100644 index 3404b88c8..000000000 --- a/datasets/attack_techniques/T1036/write_to_recycle_bin/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 20d85c8d-f6a2-415b-9d62-2a2a515f278b -date: '2025-08-12' -description: Automatically categorized datasets in directory write_to_recycle_bin -environment: attack_range -directory: write_to_recycle_bin -mitre_technique: -- T1036 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml b/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml index 6346b2a03..54e59a862 100644 --- a/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml +++ b/datasets/attack_techniques/T1036/write_to_recycle_bin/write_to_recycle_bin.yml @@ -3,15 +3,11 @@ id: cc9b25f7-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual create file C:\$Recycle.Bin\test.ps1 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1036 +directory: write_to_recycle_bin +mitre_technique: +- T1036 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1036/write_to_recycle_bin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml b/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml deleted file mode 100644 index 93c7e1dd9..000000000 --- a/datasets/attack_techniques/T1037.001/logonscript_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: abc59778-d37c-4b01-8a2e-ce48dc7b0618 -date: '2025-08-12' -description: Automatically categorized datasets in directory logonscript_reg -environment: attack_range -directory: logonscript_reg -mitre_technique: -- T1037.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml b/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml index 2a92354d9..78583ec26 100644 --- a/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml +++ b/datasets/attack_techniques/T1037.001/logonscript_reg/logonscript_reg.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: 4226e60c-f258-4d8b-b91a-8a4d425074d2 date: '2021-09-28' -description: Manual generation of attack data for logonscript registry entry for persistence and privilege escalation. +description: Manual generation of attack data for logonscript registry entry for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: logonscript_reg +mitre_technique: +- T1037.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1037.001/logonscript_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml b/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml deleted file mode 100644 index 808143a2e..000000000 --- a/datasets/attack_techniques/T1046/kubernetes_scanning/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 110503e8-342b-4228-9fdf-5bf9d6d0934a -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_scanning -environment: attack_range -directory: kubernetes_scanning -mitre_technique: -- T1046 -datasets: -- name: kubernetes_scanning-json - path: /datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml index 3d2c69b79..0c88cc708 100644 --- a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml +++ b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml @@ -3,9 +3,11 @@ id: d8aaa455-a7ba-4bd8-a588-e09ef1dce552 date: '2023-12-07' description: Kubernetes scanning activity in Kubernetes audit logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1046 +directory: kubernetes_scanning +mitre_technique: +- T1046 +datasets: +- name: kubernetes_scanning-json + path: /datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml index 98d4adedf..5fdc07a45 100644 --- a/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1047/atomic_red_team/atomic_red_team.yml @@ -8,20 +8,19 @@ description: 'Atomic Test Results: Return value unclear for test T1047-1 WMI Rec test T1047-5 WMI Execute Local Process Return value unclear for test T1047-6 WMI Execute Remote Process ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/attack_data.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/attack_data.tar.gz -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md +directory: atomic_red_team +mitre_technique: +- T1047 +datasets: +- name: 4104-cimmethod-windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: invokewmiexec_windows-powershell + path: /datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/atomic_red_team/data.yml b/datasets/attack_techniques/T1047/atomic_red_team/data.yml deleted file mode 100644 index 2a817eeb9..000000000 --- a/datasets/attack_techniques/T1047/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 322bf09c-b040-4e39-a5ea-04703068aa57 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1047 -datasets: -- name: 4104-cimmethod-windows-powershell - path: /datasets/attack_techniques/T1047/atomic_red_team/4104-cimmethod-windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: invokewmiexec_windows-powershell - path: /datasets/attack_techniques/T1047/atomic_red_team/invokewmiexec_windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1047/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/execution_scrcons/data.yml b/datasets/attack_techniques/T1047/execution_scrcons/data.yml deleted file mode 100644 index 2dac05760..000000000 --- a/datasets/attack_techniques/T1047/execution_scrcons/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e14dfa31-d87a-4981-98bd-16026ece8a90 -date: '2025-08-12' -description: Automatically categorized datasets in directory execution_scrcons -environment: attack_range -directory: execution_scrcons -mitre_technique: -- T1047 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml b/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml index 791203d54..909f24b84 100644 --- a/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml +++ b/datasets/attack_techniques/T1047/execution_scrcons/execution_scrcons.yml @@ -3,15 +3,11 @@ id: cc9b25d4-efc9-11eb-926b-550bf0943fbb date: '2020-12-07' description: Manual execution of scrcons.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/execution_scrcons/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047 +directory: execution_scrcons +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/execution_scrcons/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement/data.yml b/datasets/attack_techniques/T1047/lateral_movement/data.yml deleted file mode 100644 index b41f2739b..000000000 --- a/datasets/attack_techniques/T1047/lateral_movement/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 768c7697-5997-4121-9a22-4da3391d7ed2 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement -environment: attack_range -directory: lateral_movement -mitre_technique: -- T1047 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml index c6606edfd..4be584bdf 100644 --- a/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1047/lateral_movement/lateral_movement.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 8b1880b0-3533-45a7-bbce-73f46d4636d4 date: '2021-11-15' -description: Manually using PowerShell to start a process on a remote endpoint abusing WMI and the Invoke-WmiMethod commandlet for - lateral movement and remote code execution. +description: Manually using PowerShell to start a process on a remote endpoint abusing + WMI and the Invoke-WmiMethod commandlet for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1047/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 +directory: lateral_movement +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml deleted file mode 100644 index f8c7c0e5b..000000000 --- a/datasets/attack_techniques/T1047/lateral_movement_lolbas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a93e774e-52c3-4b57-ae80-9e4d976c433a -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_lolbas -environment: attack_range -directory: lateral_movement_lolbas -mitre_technique: -- T1047 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml index caee3f243..35257d071 100644 --- a/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1047/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 0febf3ef-8284-4422-ba5f-08dd37f5ef25 date: '2021-11-23' -description: Manually using PowerShell to start a process on a remote endpoint abusing WMI and the Invoke-WmiMethod commandlet for - lateral movement and remote code execution. +description: Manually using PowerShell to start a process on a remote endpoint abusing + WMI and the Invoke-WmiMethod commandlet for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-securitylog -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1047/ -- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/invoke-wmimethod?view=powershell-5.1 +directory: lateral_movement_lolbas +mitre_technique: +- T1047 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1047/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/wmi_impersonate/data.yml b/datasets/attack_techniques/T1047/wmi_impersonate/data.yml deleted file mode 100644 index f8e86ce74..000000000 --- a/datasets/attack_techniques/T1047/wmi_impersonate/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c8fb4c1d-0285-4abc-a18d-e287a20e31ee -date: '2025-08-12' -description: Automatically categorized datasets in directory wmi_impersonate -environment: attack_range -directory: wmi_impersonate -mitre_technique: -- T1047 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml b/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml index 182c73cf0..ae6f67299 100644 --- a/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml +++ b/datasets/attack_techniques/T1047/wmi_impersonate/wmi_impersonate.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 702d7454-b111-4e1a-ac14-cf773e6a4fb5 date: '2022-10-24' description: Generated datasets for wmi impersonate in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.joesandbox.com/analysis/278341/0/html +environment: attack_range +directory: wmi_impersonate +mitre_technique: +- T1047 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1047/wmi_impersonate/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml b/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml index 38b90d250..02a7afc97 100644 --- a/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml +++ b/datasets/attack_techniques/T1048.003/cve-2023-23397/cve-2023-23397.yml @@ -3,9 +3,11 @@ id: 66247ba9-97d1-4c69-bc85-519354346315 date: '2023-03-16' description: Manual generation of attack data by access WebDav with rundll32.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: cve-2023-23397 +mitre_technique: +- T1048.003 +datasets: +- name: webdav_windows-sysmon + path: /datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml b/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml deleted file mode 100644 index a8e985fd7..000000000 --- a/datasets/attack_techniques/T1048.003/cve-2023-23397/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9bc6e15a-05b7-42c6-8d13-79ec100f2d27 -date: '2025-08-12' -description: Automatically categorized datasets in directory cve-2023-23397 -environment: attack_range -directory: cve-2023-23397 -mitre_technique: -- T1048.003 -datasets: -- name: webdav_windows-sysmon - path: /datasets/attack_techniques/T1048.003/cve-2023-23397/webdav_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml b/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml deleted file mode 100644 index 7c15dabda..000000000 --- a/datasets/attack_techniques/T1048.003/long_dns_queries/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ea963b83-d4d6-460e-ae47-460b3783b21e -date: '2025-08-12' -description: Automatically categorized datasets in directory long_dns_queries -environment: attack_range -directory: long_dns_queries -mitre_technique: -- T1048.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml b/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml index 0f6357dba..0b2de3aaf 100644 --- a/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml +++ b/datasets/attack_techniques/T1048.003/long_dns_queries/long_dns_queries.yml @@ -3,9 +3,11 @@ id: cc9b2614-efc9-11eb-926b-550bf0943fbb date: '2021-01-18' description: Manual generation of attack data by browsing to long urls. of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: long_dns_queries +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/long_dns_queries/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml b/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml deleted file mode 100644 index 29c37e38c..000000000 --- a/datasets/attack_techniques/T1048.003/mass_file_creation/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cd1271c8-d094-4aa0-92fc-8ef292a33f28 -date: '2025-08-12' -description: Automatically categorized datasets in directory mass_file_creation -environment: attack_range -directory: mass_file_creation -mitre_technique: -- T1048.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml b/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml index e473e0cf3..c25ab93c3 100644 --- a/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml +++ b/datasets/attack_techniques/T1048.003/mass_file_creation/mass_file_creation.yml @@ -3,9 +3,11 @@ id: 52fd86dd-5f85-4d16-b80f-31b87592829f date: '2021-12-08' description: Manual generation of attack data by generating 100 xls files environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1048/003 +directory: mass_file_creation +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/mass_file_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml b/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml deleted file mode 100644 index 66e806451..000000000 --- a/datasets/attack_techniques/T1048.003/nslookup_exfil/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e3d1b675-da75-4ec4-a4b9-5b9ce0202373 -date: '2025-08-12' -description: Automatically categorized datasets in directory nslookup_exfil -environment: attack_range -directory: nslookup_exfil -mitre_technique: -- T1048.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml b/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml index 8c71db4ff..e7f399084 100644 --- a/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml +++ b/datasets/attack_techniques/T1048.003/nslookup_exfil/nslookup_exfil.yml @@ -3,9 +3,15 @@ id: 83752ecc-e349-11ec-8e0c-acde48001122 date: '2022-06-03' description: Generated datasets for nslookup exfil in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ \ No newline at end of file +directory: nslookup_exfil +mitre_technique: +- T1048.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1048.003/nslookup_exfil/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1048/ftp_connection/data.yml b/datasets/attack_techniques/T1048/ftp_connection/data.yml deleted file mode 100644 index f55829e82..000000000 --- a/datasets/attack_techniques/T1048/ftp_connection/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c2c1a0e5-588d-4a23-b35e-45e996c7e056 -date: '2025-08-12' -description: Automatically categorized datasets in directory ftp_connection -environment: attack_range -directory: ftp_connection -mitre_technique: -- T1048 -datasets: -- name: zeek_conn - path: /datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log - sourcetype: bro:conn:json - source: bro diff --git a/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml b/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml index 6de308041..ae8fcfb30 100644 --- a/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml +++ b/datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml @@ -3,8 +3,11 @@ id: 83752ecc-e349-11ec-8e0c-acde48001123 date: '2024-02-27' description: ftp connection environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log -sourcetypes: -- bro:conn:json -references: [] \ No newline at end of file +directory: ftp_connection +mitre_technique: +- T1048 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml index e387d6d6f..745beeb77 100644 --- a/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1049/AD_discovery/AD_discovery.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 61da8e36-d038-4a92-900e-8f726bfc1b05 date: '2021-09-10' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1049 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1049/AD_discovery/data.yml b/datasets/attack_techniques/T1049/AD_discovery/data.yml deleted file mode 100644 index 66327ba20..000000000 --- a/datasets/attack_techniques/T1049/AD_discovery/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f43b11f2-fd52-47fa-8a69-9583dea1b899 -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1049 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1049/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml b/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml index 79db5168e..4a5f5c0e9 100644 --- a/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml +++ b/datasets/attack_techniques/T1053.002/at_execution/at_execution.yml @@ -3,9 +3,11 @@ id: 75f7d048-5f54-11ec-ba63-acde48001122 date: '2021-12-17' description: Generated datasets for at execution in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://linuxize.com/post/at-command-in-linux/ +directory: at_execution +mitre_technique: +- T1053.002 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/at_execution/data.yml b/datasets/attack_techniques/T1053.002/at_execution/data.yml deleted file mode 100644 index fb9176b40..000000000 --- a/datasets/attack_techniques/T1053.002/at_execution/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0a4925dc-dfee-4df6-9204-e8344fa86d65 -date: '2025-08-12' -description: Automatically categorized datasets in directory at_execution -environment: attack_range -directory: at_execution -mitre_technique: -- T1053.002 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1053.002/at_execution/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.002/lateral_movement/data.yml b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml similarity index 54% rename from datasets/attack_techniques/T1053.002/lateral_movement/data.yml rename to datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml index a8de0b361..9fbc4ab21 100644 --- a/datasets/attack_techniques/T1053.002/lateral_movement/data.yml +++ b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movement.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 828e76f6-f651-4bf7-b2da-006e17091ba8 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement +author: Mauricio Velazco +id: 1842051e-6efb-4fd8-8d5d-e82e14e6f493 +date: '2021-11-12' +description: Manually using the at.exe binary to create and start a Scheduled Task + on a remote endpoint for lateral movement and remote code execution. environment: attack_range directory: lateral_movement mitre_technique: diff --git a/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml b/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml deleted file mode 100644 index 1ef499bfe..000000000 --- a/datasets/attack_techniques/T1053.002/lateral_movement/lateral_movemet.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Mauricio Velazco -id: 1842051e-6efb-4fd8-8d5d-e82e14e6f493 -date: '2021-11-12' -description: Manually using the at.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/002/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/at diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml b/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml deleted file mode 100644 index 89a362017..000000000 --- a/datasets/attack_techniques/T1053.002/linux_auditd_at/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fffea33f-afe6-41e0-853d-71ee79cef424 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_at -environment: attack_range -directory: linux_auditd_at -mitre_technique: -- T1053.002 -datasets: -- name: linux_auditd_at_execution - path: /datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml b/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml index abb20beef..6acb96f8f 100644 --- a/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml +++ b/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at.yml @@ -3,9 +3,11 @@ id: 48cc7e46-562a-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd at in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log -sourcetypes: -- 'linux:audit' -references: -- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ \ No newline at end of file +directory: linux_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_at_execution + path: /datasets/attack_techniques/T1053.002/linux_auditd_at/linux_auditd_at_execution.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml deleted file mode 100644 index 3cba5d543..000000000 --- a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 96b4deff-7577-4ced-98d7-05cdf4e41db9 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_chown_root -environment: attack_range -directory: linux_auditd_chown_root -mitre_technique: -- T1053.002 -datasets: -- name: linux_auditd_chown_root - path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log - sourcetype: auditd - source: auditd -- name: auditd_proctitle_chown_root - path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml index 0bc9d4f6f..e4d66fda2 100644 --- a/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml +++ b/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.yml @@ -3,9 +3,15 @@ id: f27b4edc-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chown root in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/617850/changing-from-user-to-superuser \ No newline at end of file +directory: linux_auditd_chown_root +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/linux_auditd_chown_root.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_chown_root + path: /datasets/attack_techniques/T1053.002/linux_auditd_chown_root/auditd_proctitle_chown_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml deleted file mode 100644 index 4d11a73e1..000000000 --- a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d5419f4c-d700-4b53-a7f8-e831279313f8 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_new_auditd_at -environment: attack_range -directory: linux_new_auditd_at -mitre_technique: -- T1053.002 -datasets: -- name: linux_auditd_new_at - path: /datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml index c83405681..a92514956 100644 --- a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml +++ b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml @@ -3,9 +3,11 @@ id: efcf229a-1aae-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux new auditd at in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log -sourcetypes: -- 'auditd' -references: -- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/ \ No newline at end of file +directory: linux_new_auditd_at +mitre_technique: +- T1053.002 +datasets: +- name: linux_auditd_new_at + path: /datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml b/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml index ccebb848c..a122d5535 100644 --- a/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml +++ b/datasets/attack_techniques/T1053.003/cronjobs_entry/cronjobs_entry.yml @@ -3,9 +3,15 @@ id: e5ff2d94-5f51-11ec-ba52-acde48001122 date: '2021-12-17' description: Generated datasets for cronjobs entry in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: cronjobs_entry +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux_cron_append + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml b/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml deleted file mode 100644 index 67ffd6ae5..000000000 --- a/datasets/attack_techniques/T1053.003/cronjobs_entry/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b58e809c-4000-4e3a-97d0-cecf8c988a8d -date: '2025-08-12' -description: Automatically categorized datasets in directory cronjobs_entry -environment: attack_range -directory: cronjobs_entry -mitre_technique: -- T1053.003 -datasets: -- name: sysmon_linux_cron_append - path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational -- name: sysmon_linux - path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml index 3380b7513..f88dc9cee 100644 --- a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml +++ b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/crontab_edit_parameter.yml @@ -3,9 +3,11 @@ id: d18a1f12-5f52-11ec-a48e-acde48001122 date: '2021-12-17' description: Generated datasets for crontab edit parameter in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: crontab_edit_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml b/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml deleted file mode 100644 index 146a2a9da..000000000 --- a/datasets/attack_techniques/T1053.003/crontab_edit_parameter/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fee5eabb-06bf-4dc7-ab93-18ae96879454 -date: '2025-08-12' -description: Automatically categorized datasets in directory crontab_edit_parameter -environment: attack_range -directory: crontab_edit_parameter -mitre_technique: -- T1053.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1053.003/crontab_edit_parameter/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml b/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml index 02821dbca..a72e10a6c 100644 --- a/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml +++ b/datasets/attack_techniques/T1053.003/crontab_list_parameter/crontab_list_parameter.yml @@ -3,9 +3,11 @@ id: 3c9236a6-c537-11ec-bdfa-acde48001122 date: '2022-04-26' description: Generated datasets for crontab list parameter in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://cert.gov.ua/article/39518 \ No newline at end of file +directory: crontab_list_parameter +mitre_technique: +- T1053.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml b/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml deleted file mode 100644 index 573e85a6e..000000000 --- a/datasets/attack_techniques/T1053.003/crontab_list_parameter/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c8413fd6-6b41-4b4e-99e0-8879a5c607a7 -date: '2025-08-12' -description: Automatically categorized datasets in directory crontab_list_parameter -environment: attack_range -directory: crontab_list_parameter -mitre_technique: -- T1053.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1053.003/crontab_list_parameter/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml deleted file mode 100644 index 77ab20a26..000000000 --- a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 349544ac-af78-4c4c-8c53-18e4af01b920 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_cron_file_audited -environment: attack_range -directory: linux_auditd_cron_file_audited -mitre_technique: -- T1053.003 -datasets: -- name: linux_auditd_cron_file_audited2 - path: /datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml index cbd270cd5..cc983e56d 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml @@ -3,9 +3,11 @@ id: 6f8a621e-45d5-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd cron file audited in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log -sourcetypes: -- 'auditd' -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: linux_auditd_cron_file_audited +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_cron_file_audited2 + path: /datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml deleted file mode 100644 index d365b0788..000000000 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 252174b3-4f2a-4832-b4a4-ef69334fa7ac -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_crontab_edit -environment: attack_range -directory: linux_auditd_crontab_edit -mitre_technique: -- T1053.003 -datasets: -- name: linux_auditd_crontab_edit - path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml index 871f13b84..51c6ee6a2 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.yml @@ -3,9 +3,11 @@ id: 0a6dfea0-5647-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd crontab edit in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log -sourcetypes: -- 'linux:audit' -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: linux_auditd_crontab_edit +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_crontab_edit + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit/linux_auditd_crontab_edit.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml deleted file mode 100644 index abec88e7b..000000000 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 709b267c-1030-421b-81b7-25e0e46a970b -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_crontab_edit_new -environment: attack_range -directory: linux_auditd_crontab_edit_new -mitre_technique: -- T1053.003 -datasets: -- name: linux_auditd_new_crontab - path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml index 723d06f94..e61f0f3c4 100644 --- a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml +++ b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml @@ -3,9 +3,11 @@ id: 4bed5528-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd crontab edit new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1053/003/ \ No newline at end of file +directory: linux_auditd_crontab_edit_new +mitre_technique: +- T1053.003 +datasets: +- name: linux_auditd_new_crontab + path: /datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml index c6ba35e94..170359ce5 100644 --- a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml +++ b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/asyncrat_highest_priv_schtasks.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 7f4b9485-175d-49ce-9c43-fcd7abae3acd date: '2023-01-26' description: Generated datasets for asyncrat highest priv schtasks in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: asyncrat_highest_priv_schtasks +mitre_technique: +- T1053.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml b/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml deleted file mode 100644 index 65df7eab8..000000000 --- a/datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 66dd3590-b499-4f4e-bff4-1c7728e9a298 -date: '2025-08-12' -description: Automatically categorized datasets in directory asyncrat_highest_priv_schtasks -environment: attack_range -directory: asyncrat_highest_priv_schtasks -mitre_technique: -- T1053.005 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1053.005/asyncrat_highest_priv_schtasks/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml index 0a5e05304..6f178602d 100644 --- a/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1053.005/atomic_red_team/atomic_red_team.yml @@ -6,19 +6,19 @@ description: 'Atomic Test Results: Return value unclear for test T1053.005-1 Sch Return value unclear for test T1053.005-3 Scheduled task Remote Return value unclear for test T1053.005-4 Powershell Cmdlet Scheduled Task ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/4104_scheduledtaskcreation.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/atomic_red_team/pwsh_scheduledtask.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: atomic_red_team +mitre_technique: +- T1053.005 +datasets: +- name: 4698_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4698_shell_windows-security + path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml deleted file mode 100644 index 65a85df77..000000000 --- a/datasets/attack_techniques/T1053.005/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 10c6660a-7320-4f47-bfcb-7ad48c1d5112 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1053.005 -datasets: -- name: 4698_windows-security - path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: 4698_shell_windows-security - path: /datasets/attack_techniques/T1053.005/atomic_red_team/4698_shell_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement/data.yml b/datasets/attack_techniques/T1053.005/lateral_movement/data.yml deleted file mode 100644 index 2a49db1e7..000000000 --- a/datasets/attack_techniques/T1053.005/lateral_movement/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d0232e6f-ca69-4d10-a03b-3d189b4a9e81 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement -environment: attack_range -directory: lateral_movement -mitre_technique: -- T1053.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml index 2647f4cf5..805b75dac 100644 --- a/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1053.005/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a539c3bb-0652-47e5-94ba-3352329d7674 date: '2021-11-12' -description: Manually using the schtasks.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. +description: Manually using the schtasks.exe binary to create and start a Scheduled + Task on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/003/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +directory: lateral_movement +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml deleted file mode 100644 index ffcbbc441..000000000 --- a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4a45d53e-3b55-4ac1-81a1-74b1930fc64d -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_lolbas -environment: attack_range -directory: lateral_movement_lolbas -mitre_technique: -- T1053.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml index 4d6f5c9da..f94cf514b 100644 --- a/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: f2f37309-e4ee-47d2-95c6-e0c4aa5ac464 date: '2021-11-23' -description: Manually using the schtasks.exe binary to create and start a Scheduled Task on a remote endpoint for lateral movement and remote code execution. +description: Manually using the schtasks.exe binary to create and start a Scheduled + Task on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1053/003/ -- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks +directory: lateral_movement_lolbas +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml b/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml deleted file mode 100644 index 912c19e20..000000000 --- a/datasets/attack_techniques/T1053.005/schtask_shutdown/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3bc53df6-a781-465c-a840-bf3cabf2c4ce -date: '2025-08-12' -description: Automatically categorized datasets in directory schtask_shutdown -environment: attack_range -directory: schtask_shutdown -mitre_technique: -- T1053.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml b/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml index a770d76dc..ed6532d49 100644 --- a/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml +++ b/datasets/attack_techniques/T1053.005/schtask_shutdown/schtask_shutdown.yml @@ -3,15 +3,11 @@ id: cc9b265e-efc9-11eb-926b-550bf0943fbb date: '2020-12-07' description: Manual generation of schtask which will do a shutdown. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_shutdown/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: schtask_shutdown +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_shutdown/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_system/data.yml b/datasets/attack_techniques/T1053.005/schtask_system/data.yml deleted file mode 100644 index 79aca24b8..000000000 --- a/datasets/attack_techniques/T1053.005/schtask_system/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a8bee247-a5ae-4c48-a88b-6dd893f4931c -date: '2025-08-12' -description: Automatically categorized datasets in directory schtask_system -environment: attack_range -directory: schtask_system -mitre_technique: -- T1053.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml b/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml index 352f36426..f5892795c 100644 --- a/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml +++ b/datasets/attack_techniques/T1053.005/schtask_system/schtask_system.yml @@ -3,9 +3,11 @@ id: cc9b265e-efc9-11eb-926b-550bf0712cbb date: '2022-02-10' description: Manual generation of schtask meant to start as system. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md +directory: schtask_system +mitre_technique: +- T1053.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/schtask_system/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/schtasks/schtask.yml b/datasets/attack_techniques/T1053.005/schtasks/schtask.yml deleted file mode 100644 index 4d8a9f57f..000000000 --- a/datasets/attack_techniques/T1053.005/schtasks/schtask.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Patrick Bareiss -id: cc9b265f-efc9-11eb-926b-550bf0943fbb -date: '2020-12-07' -description: Manual generation of schtask registering a binary to run from non-standard - paths. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/schtasks/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md diff --git a/datasets/attack_techniques/T1053.005/schtasks/data.yml b/datasets/attack_techniques/T1053.005/schtasks/schtasks.yml similarity index 60% rename from datasets/attack_techniques/T1053.005/schtasks/data.yml rename to datasets/attack_techniques/T1053.005/schtasks/schtasks.yml index b7f8b01c4..00ddfd91b 100644 --- a/datasets/attack_techniques/T1053.005/schtasks/data.yml +++ b/datasets/attack_techniques/T1053.005/schtasks/schtasks.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 021c165d-1674-4c13-87b1-2c909d41896e -date: '2025-08-12' -description: Automatically categorized datasets in directory schtasks +author: Patrick Bareiss +id: cc9b265f-efc9-11eb-926b-550bf0943fbb +date: '2020-12-07' +description: Manual generation of schtask registering a binary to run from non-standard + paths. environment: attack_range directory: schtasks mitre_technique: diff --git a/datasets/attack_techniques/T1053.005/taskschedule/data.yml b/datasets/attack_techniques/T1053.005/taskschedule/data.yml deleted file mode 100644 index bdf557722..000000000 --- a/datasets/attack_techniques/T1053.005/taskschedule/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 937c5f7d-7188-4f31-ba6a-83c5044dd92c -date: '2025-08-12' -description: Automatically categorized datasets in directory taskschedule -environment: attack_range -directory: taskschedule -mitre_technique: -- T1053.005 -datasets: -- name: sd_delete_windows-sysmon - path: /datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml b/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml index 4ed2b912d..f05f446ae 100644 --- a/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml +++ b/datasets/attack_techniques/T1053.005/taskschedule/taskschedule.yml @@ -4,13 +4,15 @@ date: '2022-04-18' description: Manual generation of schtask registering a binary to run from non-standard path. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md -- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ +directory: taskschedule +mitre_technique: +- T1053.005 +datasets: +- name: sd_delete_windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/sd_delete_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1053.005/taskschedule/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml b/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml deleted file mode 100644 index 745146de0..000000000 --- a/datasets/attack_techniques/T1053.005/windows_taskschedule/taskschedule.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b2660-efc9-11eb-926b-550bf0943f23 -date: '2021-10-21' -description: Scheduled Tasks logs captured from Microsoft-Windows-TaskScheduler/Operational. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/windows_taskschedule/windows-taskschedule_xml.log -sourcetypes: -- WinEventLog:Microsoft-Windows-TaskScheduler/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md -- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml b/datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml similarity index 63% rename from datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml rename to datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml index 704b63f5e..1921bcb9d 100644 --- a/datasets/attack_techniques/T1053.005/windows_taskschedule/data.yml +++ b/datasets/attack_techniques/T1053.005/windows_taskschedule/windows_taskschedule.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: d6b8b963-f65f-49a1-818e-7bf4bbe349f9 -date: '2025-08-12' -description: Automatically categorized datasets in directory windows_taskschedule +author: Michael Haag, Splunk +id: cc9b2660-efc9-11eb-926b-550bf0943f23 +date: '2021-10-21' +description: Scheduled Tasks logs captured from Microsoft-Windows-TaskScheduler/Operational. environment: attack_range directory: windows_taskschedule mitre_technique: diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml deleted file mode 100644 index 76b5d5d04..000000000 --- a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Steven Dick -id: ea908665-bc39-4493-a20a-041543ba4f3b -date: '2025-01-28' -description: 'A sample event with a known malicous Task Name.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1053/005/ -- https://www.ic3.gov/CSA/2023/231213.pdf -- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ -- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv \ No newline at end of file diff --git a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml similarity index 59% rename from datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml rename to datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml index 088f2ef74..f7598e9a7 100644 --- a/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/data.yml +++ b/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/winevent_scheduled_task_with_suspect_name.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 514bf396-1fb6-4350-b33d-3a120b7da85e -date: '2025-08-12' -description: Automatically categorized datasets in directory winevent_scheduled_task_with_suspect_name +author: Steven Dick +id: ea908665-bc39-4493-a20a-041543ba4f3b +date: '2025-01-28' +description: A sample event with a known malicous Task Name. environment: attack_range directory: winevent_scheduled_task_with_suspect_name mitre_technique: diff --git a/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml b/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml deleted file mode 100644 index 81936cff6..000000000 --- a/datasets/attack_techniques/T1053.006/linux_services_restart/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3b2859fc-8aa8-4c16-a64c-543870fb2b11 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_services_restart -environment: attack_range -directory: linux_services_restart -mitre_technique: -- T1053.006 -datasets: -- name: auditd_proctitle_service_restart - path: /datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml b/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml index 86bff091d..d8cef32fe 100644 --- a/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml +++ b/datasets/attack_techniques/T1053.006/linux_services_restart/linux_services_restart.yml @@ -3,9 +3,11 @@ id: 98af8e7e-efa1-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux services restart in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1543/003/ \ No newline at end of file +directory: linux_services_restart +mitre_technique: +- T1053.006 +datasets: +- name: auditd_proctitle_service_restart + path: /datasets/attack_techniques/T1053.006/linux_services_restart/auditd_proctitle_service_restart.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1053.006/service_systemd/data.yml b/datasets/attack_techniques/T1053.006/service_systemd/data.yml deleted file mode 100644 index 994a3d20e..000000000 --- a/datasets/attack_techniques/T1053.006/service_systemd/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7ca3f450-9d9e-4063-8537-e029f474db0d -date: '2025-08-12' -description: Automatically categorized datasets in directory service_systemd -environment: attack_range -directory: service_systemd -mitre_technique: -- T1053.006 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml b/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml index 4e62b7695..b56ad253e 100644 --- a/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml +++ b/datasets/attack_techniques/T1053.006/service_systemd/service_systemd.yml @@ -3,9 +3,11 @@ id: 55096932-6242-11ec-bdd6-acde48001122 date: '2021-12-21' description: Generated datasets for service systemd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: service_systemd +mitre_technique: +- T1053.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1053.006/service_systemd/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml deleted file mode 100644 index 788fea4ef..000000000 --- a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c68904ce-c6e0-4a22-a06c-7d293c08e410 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_audit_cron_job_creation -environment: attack_range -directory: kubernetes_audit_cron_job_creation -mitre_technique: -- T1053.007 -datasets: -- name: kubernetes_audit_cron_job_creation-json - path: /datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml index 6c2585e23..3be0d141c 100644 --- a/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml +++ b/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.yml @@ -3,9 +3,11 @@ id: 18171239-e152-41f4-a1af-459d1b2aacb3 date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a cron job. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1053/007 +directory: kubernetes_audit_cron_job_creation +mitre_technique: +- T1053.007 +datasets: +- name: kubernetes_audit_cron_job_creation-json + path: /datasets/attack_techniques/T1053.007/kubernetes_audit_cron_job_creation/kubernetes_audit_cron_job_creation.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1055.001/rasautou/data.yml b/datasets/attack_techniques/T1055.001/rasautou/data.yml deleted file mode 100644 index 9c18ede72..000000000 --- a/datasets/attack_techniques/T1055.001/rasautou/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 388e7194-b12d-4ae2-813c-42f56ce17ea6 -date: '2025-08-12' -description: Automatically categorized datasets in directory rasautou -environment: attack_range -directory: rasautou -mitre_technique: -- T1055.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml b/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml index a6fc3517f..ec3e70cfe 100644 --- a/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml +++ b/datasets/attack_techniques/T1055.001/rasautou/rasautou.yml @@ -3,12 +3,11 @@ id: cc9b25f4-efc9-11eb-926b-660bf0943faa date: '2022-02-15' description: Testing using DueDLLigence. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055.001/rasautou/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055.001 -- https://github.com/MHaggis/notes/blob/master/utilities/Invoke-SPLDLLigence.ps1 +directory: rasautou +mitre_technique: +- T1055.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055.001/rasautou/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml b/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml index fd2cab8ec..913915104 100644 --- a/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml +++ b/datasets/attack_techniques/T1055/cobalt_strike/cobalt_strike.yml @@ -4,12 +4,19 @@ date: '2021-02-22' description: Manual generation of attack data using Cobalt Strike to generate default named pipes. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/cobalt_spawnto.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1055 +directory: cobalt_strike +mitre_technique: +- T1055 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_searchprotocolhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_dllhost + path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/cobalt_strike/data.yml b/datasets/attack_techniques/T1055/cobalt_strike/data.yml deleted file mode 100644 index 7b4928e50..000000000 --- a/datasets/attack_techniques/T1055/cobalt_strike/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 96c24640-8263-4496-847c-0a9cd78ad923 -date: '2025-08-12' -description: Automatically categorized datasets in directory cobalt_strike -environment: attack_range -directory: cobalt_strike -mitre_technique: -- T1055 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_searchprotocolhost - path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_searchprotocolhost.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_dllhost - path: /datasets/attack_techniques/T1055/cobalt_strike/windows-sysmon_dllhost.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/msra/data.yml b/datasets/attack_techniques/T1055/msra/data.yml deleted file mode 100644 index 1f2dcf807..000000000 --- a/datasets/attack_techniques/T1055/msra/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 78117c4a-d2ea-4973-9285-41868cc68e4c -date: '2025-08-12' -description: Automatically categorized datasets in directory msra -environment: attack_range -directory: msra -mitre_technique: -- T1055 -datasets: -- name: msra-windows-sysmon - path: /datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: raw-msra-windows-sysmon - path: /datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/msra/msra.yml b/datasets/attack_techniques/T1055/msra/msra.yml index 3bc534b55..0ac814df0 100644 --- a/datasets/attack_techniques/T1055/msra/msra.yml +++ b/datasets/attack_techniques/T1055/msra/msra.yml @@ -4,12 +4,15 @@ date: '2021-02-22' description: Manual generation of attack data using Cobalt Strike to generate default named pipes. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/msra/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055 +directory: msra +mitre_technique: +- T1055 +datasets: +- name: msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: raw-msra-windows-sysmon + path: /datasets/attack_techniques/T1055/msra/raw-msra-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1055/sliver/data.yml b/datasets/attack_techniques/T1055/sliver/sliver.yml similarity index 79% rename from datasets/attack_techniques/T1055/sliver/data.yml rename to datasets/attack_techniques/T1055/sliver/sliver.yml index 5f612746f..454bccdea 100644 --- a/datasets/attack_techniques/T1055/sliver/data.yml +++ b/datasets/attack_techniques/T1055/sliver/sliver.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 77f4acbf-6233-4a0d-ba5c-811a8868e9e8 -date: '2025-08-12' -description: Automatically categorized datasets in directory sliver +author: Michael Haag +id: 0cdc5c21-49af-47ed-a96a-84a0bb5070be +date: '2023-02-22' +description: Attack data generation using SliverC2 by BishopFox. environment: attack_range directory: sliver mitre_technique: diff --git a/datasets/attack_techniques/T1055/sliver/sliverc2.yml b/datasets/attack_techniques/T1055/sliver/sliverc2.yml deleted file mode 100644 index 7787cfb2d..000000000 --- a/datasets/attack_techniques/T1055/sliver/sliverc2.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Michael Haag -id: 0cdc5c21-49af-47ed-a96a-84a0bb5070be -date: '2023-02-22' -description: Attack data generation using SliverC2 by BishopFox. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/T1055_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/notepad_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1055 -- https://attack.mitre.org/techniques/T1569 diff --git a/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml b/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml deleted file mode 100644 index 3e146f7a0..000000000 --- a/datasets/attack_techniques/T1057/process_commandline_discovery/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9878be5b-b285-41de-9166-3b38a1495aeb -date: '2025-08-12' -description: Automatically categorized datasets in directory process_commandline_discovery -environment: attack_range -directory: process_commandline_discovery -mitre_technique: -- T1057 -datasets: -- name: wmic-cmdline-sysmon - path: /datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml b/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml index 813f165b4..22935f514 100644 --- a/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml +++ b/datasets/attack_techniques/T1057/process_commandline_discovery/process_commandline_discovery.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 1c2643c1-0837-4026-a0f1-62ede1415bab date: '2023-12-15' description: Generated datasets for process commandline discovery in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a +environment: attack_range +directory: process_commandline_discovery +mitre_technique: +- T1057 +datasets: +- name: wmic-cmdline-sysmon + path: /datasets/attack_techniques/T1057/process_commandline_discovery/wmic-cmdline-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml index 8c28dc239..bad485c24 100644 --- a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml +++ b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/asyncrat_crypto_pwh_namespace.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 6ea89cfe-c6e2-4c77-9708-eef588178d15 date: '2023-01-26' description: Generated datasets for asyncrat crypto pwh namespace in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: asyncrat_crypto_pwh_namespace +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml b/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml deleted file mode 100644 index 2db2c158c..000000000 --- a/datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b6e42f20-0e34-465e-a5e8-6ec7fa12b7f2 -date: '2025-08-12' -description: Automatically categorized datasets in directory asyncrat_crypto_pwh_namespace -environment: attack_range -directory: asyncrat_crypto_pwh_namespace -mitre_technique: -- T1059.001 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1059.001/asyncrat_crypto_pwh_namespace/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml index c9d675c4b..c3413c5f9 100644 --- a/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml @@ -4,24 +4,39 @@ date: '2021-03-01' description: Invoke-atomictest T1059.001 of all Atomic Red Team T1059.001 PowerShell tests. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log/win32_scheduledjob_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/irm_powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -- bit9:carbonblack:json -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md +directory: atomic_red_team +mitre_technique: +- T1059.001 +datasets: +- name: captcha_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: get_ciminstance_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: start_stop_service_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-2 + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4104-psremoting-windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: win32_scheduledjob_windows-powershell + path: /datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: enableat_windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml deleted file mode 100644 index eb5a0937c..000000000 --- a/datasets/attack_techniques/T1059.001/atomic_red_team/data.yml +++ /dev/null @@ -1,41 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 63c3b531-99ed-47fb-8de6-f2a21aad0402 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1059.001 -datasets: -- name: captcha_windows-sysmon - path: /datasets/attack_techniques/T1059.001/atomic_red_team/captcha_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: get_ciminstance_windows-powershell - path: /datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: start_stop_service_windows-powershell - path: /datasets/attack_techniques/T1059.001/atomic_red_team/start_stop_service_windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-security-2 - path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-security-2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: 4104-psremoting-windows-powershell - path: /datasets/attack_techniques/T1059.001/atomic_red_team/4104-psremoting-windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: win32_scheduledjob_windows-powershell - path: /datasets/attack_techniques/T1059.001/atomic_red_team/win32_scheduledjob_windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: enableat_windows-sysmon - path: /datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml b/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml deleted file mode 100644 index f9a6a4c0d..000000000 --- a/datasets/attack_techniques/T1059.001/encoded_powershell/data.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 94fd3544-5f2f-42e7-baad-d3ca721880e3 -date: '2025-08-12' -description: Automatically categorized datasets in directory encoded_powershell -environment: attack_range -directory: encoded_powershell -mitre_technique: -- T1059.001 -datasets: -- name: explorer_spawns_windows-sysmon - path: /datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: padded_windows-sysmon - path: /datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml b/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml index f1db7126e..7d8f76000 100644 --- a/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml +++ b/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml @@ -3,12 +3,23 @@ id: cc9b264d-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Manual generation of encoded powershell command environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: encoded_powershell +mitre_technique: +- T1059.001 +datasets: +- name: explorer_spawns_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: padded_windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1059.001/exchange/data.yml b/datasets/attack_techniques/T1059.001/exchange/data.yml deleted file mode 100644 index c8415ae5a..000000000 --- a/datasets/attack_techniques/T1059.001/exchange/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dc9eacf8-bdca-4492-9eb4-846c333c7066 -date: '2025-08-12' -description: Automatically categorized datasets in directory exchange -environment: attack_range -directory: exchange -mitre_technique: -- T1059.001 -datasets: -- name: msexchangemanagement - path: /datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log - sourcetype: MSExchange:Management - source: MSExchange:Management -- name: windows-powershell - path: /datasets/attack_techniques/T1059.001/exchange/windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/exchange/exchange.yml b/datasets/attack_techniques/T1059.001/exchange/exchange.yml index 54c0de491..7e7199fcf 100644 --- a/datasets/attack_techniques/T1059.001/exchange/exchange.yml +++ b/datasets/attack_techniques/T1059.001/exchange/exchange.yml @@ -1,13 +1,18 @@ author: Michael Haag, Splunk id: 16c9ac54-d483-4ca6-9bea-662531eec469 date: '2022-10-05' -description: Manual generation suspicious PowerShell Exchange modules used in ProxyShell or ProxyNotShell based attacks. +description: Manual generation suspicious PowerShell Exchange modules used in ProxyShell + or ProxyNotShell based attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- MSExchange:management -references: -- https://attack.mitre.org/techniques/T1059/001 \ No newline at end of file +directory: exchange +mitre_technique: +- T1059.001 +datasets: +- name: msexchangemanagement + path: /datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log + sourcetype: MSExchange:Management + source: MSExchange:Management +- name: windows-powershell + path: /datasets/attack_techniques/T1059.001/exchange/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml b/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml deleted file mode 100644 index eeac57bba..000000000 --- a/datasets/attack_techniques/T1059.001/hidden_powershell/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e9212ccf-f228-4aaa-9f36-e56a455c5c68 -date: '2025-08-12' -description: Automatically categorized datasets in directory hidden_powershell -environment: attack_range -directory: hidden_powershell -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml b/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml index badd92bd5..79fa4736d 100644 --- a/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml +++ b/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_powershell.yml @@ -4,16 +4,11 @@ date: '2020-11-20' description: Manual generation of a download of a file with powershell using a hidden window environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001 \ No newline at end of file +directory: hidden_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/hidden_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml b/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml deleted file mode 100644 index 34e0a5fc5..000000000 --- a/datasets/attack_techniques/T1059.001/import_applocker_policy/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 541a987b-26a0-493d-b3a1-ff4e11d04fd6 -date: '2025-08-12' -description: Automatically categorized datasets in directory import_applocker_policy -environment: attack_range -directory: import_applocker_policy -mitre_technique: -- T1059.001 -datasets: -- name: windows-powershell-xml2 - path: /datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml b/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml index 19870793f..dc1213e3f 100644 --- a/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml +++ b/datasets/attack_techniques/T1059.001/import_applocker_policy/import_applocker_policy.yml @@ -3,9 +3,11 @@ id: 7c18915c-f85f-11ec-b8f1-acde48001122 date: '2022-06-30' description: Generated datasets for import applocker policy in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ \ No newline at end of file +directory: import_applocker_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml deleted file mode 100644 index ccc22381d..000000000 --- a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 53cc4b6c-4ecc-4dea-bf27-b4c23de8ab36 -date: '2025-08-12' -description: Automatically categorized datasets in directory malicious_cmd_line_samples -environment: attack_range -directory: malicious_cmd_line_samples -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml index a58a93766..6273a66b6 100644 --- a/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml +++ b/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/malicious_cmd_line_samples.yml @@ -3,9 +3,11 @@ id: c503c2fe-7936-11ec-a7f6-acde48001122 date: '2022-01-19' description: Observed example of adversaries abusing powershell commands for execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: malicious_cmd_line_samples +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/malicious_cmd_line_samples/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml b/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml deleted file mode 100644 index 11081c69b..000000000 --- a/datasets/attack_techniques/T1059.001/obfuscated_powershell/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c6f3a18d-665d-4659-b8ca-bdc98d0a103a -date: '2025-08-12' -description: Automatically categorized datasets in directory obfuscated_powershell -environment: attack_range -directory: obfuscated_powershell -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml b/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml index d7500ea29..1c94a7564 100644 --- a/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml +++ b/datasets/attack_techniques/T1059.001/obfuscated_powershell/obfuscated_powershell.yml @@ -3,10 +3,11 @@ id: cc9b2648-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Manual generation of obfuscated powershell commands using Invoke-Obfuscation environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ -- https://github.com/danielbohannon/Invoke-Obfuscation +directory: obfuscated_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/obfuscated_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml b/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml deleted file mode 100644 index 430328963..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_execution_policy/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: acf87f64-2767-4598-845e-181fd1fa3058 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_execution_policy -environment: attack_range -directory: powershell_execution_policy -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml b/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml index ca0991f21..9fa51ed94 100644 --- a/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml +++ b/datasets/attack_techniques/T1059.001/powershell_execution_policy/powershell_execution_policy.yml @@ -3,15 +3,11 @@ id: cc9b2649-efc9-11eb-926b-550bf0943fbb date: '2020-12-09' description: Change execution policy to bypass with regedit. registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_execution_policy +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_execution_policy/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml b/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml deleted file mode 100644 index de5d0858c..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_remotesigned/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 924b7c52-e87e-4590-8f7c-5aefc78e8317 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_remotesigned -environment: attack_range -directory: powershell_remotesigned -mitre_technique: -- T1059.001 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: remotesigned_sysmon - path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-powershell-remote-xml - path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml b/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml index 327b5e6b1..a736202e0 100644 --- a/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml +++ b/datasets/attack_techniques/T1059.001/powershell_remotesigned/powershell_remotesigned.yml @@ -2,11 +2,20 @@ author: Teoderick Contreras, Splunk id: a92e1082-ce62-4cdd-88e2-96707c6b0a39 date: '2023-06-16' description: Generated datasets for powershell remotesigned in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 +environment: attack_range +directory: powershell_remotesigned +mitre_technique: +- T1059.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: remotesigned_sysmon + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/remotesigned_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-remote-xml + path: /datasets/attack_techniques/T1059.001/powershell_remotesigned/windows-powershell-remote-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml similarity index 78% rename from datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml rename to datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml index 86f4f4246..587a18c02 100644 --- a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/data.yml +++ b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: fad082c8-3e85-45df-9887-0c8ae350f738 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_script_block_logging +author: Michael Haag +id: cc9b264c-efc9-11eb-926b-550bf0943fbb +date: '2021-06-09' +description: Manual and Atomic Red Team testing to generate script block logging data. environment: attack_range directory: powershell_script_block_logging mitre_technique: diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml deleted file mode 100644 index 4b1ca8dc3..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/script_block_logging.yml +++ /dev/null @@ -1,19 +0,0 @@ -author: Michael Haag -id: cc9b264c-efc9-11eb-926b-550bf0943fbb -date: '2021-06-09' -description: Manual and Atomic Red Team testing to generate script block logging data. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/frombase64string.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/reconusingwmi.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/pswa_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ diff --git a/datasets/attack_techniques/T1059.001/powershell_testing/data.yml b/datasets/attack_techniques/T1059.001/powershell_testing/data.yml deleted file mode 100644 index 8bfc816fa..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_testing/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5536af58-dd7f-40b1-9c7c-a0d1b61a25c0 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_testing -environment: attack_range -directory: powershell_testing -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml b/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml index 09d6134e4..0f0cb543f 100644 --- a/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml +++ b/datasets/attack_techniques/T1059.001/powershell_testing/powershell_testing.yml @@ -1,15 +1,14 @@ author: Michael Haag id: cc9b264c-efc9-11eb-926b-550bf0943fbb date: '2021-06-09' -description: BC-Security Empire, Cobalt Strike, and Atomic Red Team T1059.001 and T1482 used to generate data. +description: BC-Security Empire, Cobalt Strike, and Atomic Red Team T1059.001 and + T1482 used to generate data. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_testing/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_testing +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_testing/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml b/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml deleted file mode 100644 index d1f6c73e3..000000000 --- a/datasets/attack_techniques/T1059.001/powershell_xml_requests/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4cf8e29f-97d2-4067-a688-4a64b51df3e8 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_xml_requests -environment: attack_range -directory: powershell_xml_requests -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml b/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml index 70b800471..0cf35c189 100644 --- a/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml +++ b/datasets/attack_techniques/T1059.001/powershell_xml_requests/powershell_xml_requests.yml @@ -4,15 +4,11 @@ date: '2020-11-20' description: 'Atomic Test Results: Successful Execution of test T1059.001-8 Powershell XML requests ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: powershell_xml_requests +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/powershell_xml_requests/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/sharphound/data.yml b/datasets/attack_techniques/T1059.001/sharphound/data.yml deleted file mode 100644 index 1143734e6..000000000 --- a/datasets/attack_techniques/T1059.001/sharphound/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ac6e208a-16b2-40bf-af82-d66be993205c -date: '2025-08-12' -description: Automatically categorized datasets in directory sharphound -environment: attack_range -directory: sharphound -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml b/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml index 5cb57b04b..bd8bb5f4d 100644 --- a/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml +++ b/datasets/attack_techniques/T1059.001/sharphound/sharphound.yml @@ -3,11 +3,11 @@ id: cc9b2646-efc9-11eb-926b-550bf0943fbb date: '2021-06-03' description: Manual SharpHound testing to simulate all the behavior seen in the wild. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: sharphound +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/sharphound/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/soaphound/data.yml b/datasets/attack_techniques/T1059.001/soaphound/data.yml deleted file mode 100644 index d61255c30..000000000 --- a/datasets/attack_techniques/T1059.001/soaphound/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7d7d5f46-b100-4fd7-b314-f1928db22ca4 -date: '2025-08-12' -description: Automatically categorized datasets in directory soaphound -environment: attack_range -directory: soaphound -mitre_technique: -- T1059.001 -datasets: -- name: sysmon_soaphound - path: /datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml b/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml index 1b476e56a..9936c08c4 100644 --- a/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml +++ b/datasets/attack_techniques/T1059.001/soaphound/soaphound.yml @@ -3,9 +3,11 @@ id: adfb4776-87af-4521-a9a1-dda25b01a69f date: '2024-02-13' description: Manual soaphound testing to simulate all the behavior seen in the wild. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/soaphound/sysmon-soaphound.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ +directory: soaphound +mitre_technique: +- T1059.001 +datasets: +- name: sysmon_soaphound + path: /datasets/attack_techniques/T1059.001/soaphound/sysmon_soaphound.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml deleted file mode 100644 index 80c9306e5..000000000 --- a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: adf3ed40-f5ae-408b-aad7-5a89c708ea3e -date: '2025-08-12' -description: Automatically categorized datasets in directory unmanaged_powershell_execution -environment: attack_range -directory: unmanaged_powershell_execution -mitre_technique: -- T1059.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml index e0fefb31e..0e1b07c37 100644 --- a/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml +++ b/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/unmanaged_powershell_execution.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: c76dae70-1dc5-49e5-b480-a78da4239701 date: '2023-02-22' -description: Manually using Nimplant to execute a PowerShell commandlet using unmanaged PowerShell. +description: Manually using Nimplant to execute a PowerShell commandlet using unmanaged + PowerShell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001/ -- https://github.com/leechristensen/UnmanagedPowerShell -- https://github.com/chvancooten/NimPlant +directory: unmanaged_powershell_execution +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/unmanaged_powershell_execution/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml index 37b223b16..3d669f236 100644 --- a/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1059.003/atomic_red_team/atomic_red_team.yml @@ -3,11 +3,11 @@ id: cc9b25f9-efc9-11eb-926b-550bf09d3fbd date: '2024-02-04' description: Atomic Red Team T1059.003 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/atomic_red_team/invokesqlcmd_powershell.log -sourcetypes: -- XmlWinEventLog -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/003/ \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1059.003 +datasets: +- name: sqlcmd_windows_sysmon + path: /datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml deleted file mode 100644 index d4848f8ad..000000000 --- a/datasets/attack_techniques/T1059.003/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 51ef15eb-17d5-42d3-886b-4a92d7179902 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1059.003 -datasets: -- name: sqlcmd_windows_sysmon - path: /datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml index 2050a2afc..a893a1c10 100644 --- a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml +++ b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/cmd_spawns_cscript.yml @@ -3,15 +3,11 @@ id: cc9b25fc-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual generation of attack data in which cmd.exe spawn cscript.exe. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/003/ +directory: cmd_spawns_cscript +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml b/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml deleted file mode 100644 index ae631ff27..000000000 --- a/datasets/attack_techniques/T1059.003/cmd_spawns_cscript/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1227eaa0-5c54-4479-9c5c-3856c285572f -date: '2025-08-12' -description: Automatically categorized datasets in directory cmd_spawns_cscript -environment: attack_range -directory: cmd_spawns_cscript -mitre_technique: -- T1059.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.003/cmd_spawns_cscript/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml deleted file mode 100644 index d9a687d65..000000000 --- a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d41be634-0c4c-4b87-90a0-63ed510a936e -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell_spawn_cmd -environment: attack_range -directory: powershell_spawn_cmd -mitre_technique: -- T1059.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml index 442b30150..d4e9a8e4a 100644 --- a/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml +++ b/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/powershell_spawn_cmd.yml @@ -3,15 +3,11 @@ id: cc9b25fa-efc9-11eb-926b-550bf0943fbb date: '2020-11-10' description: Manual generation of attack data by spawn cmd.exe from powershell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1059/003/ +directory: powershell_spawn_cmd +mitre_technique: +- T1059.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.003/ryuk/data.yml b/datasets/attack_techniques/T1059.003/ryuk/ryuk.yml similarity index 56% rename from datasets/attack_techniques/T1059.003/ryuk/data.yml rename to datasets/attack_techniques/T1059.003/ryuk/ryuk.yml index 1edf4475e..b5d4f1ced 100644 --- a/datasets/attack_techniques/T1059.003/ryuk/data.yml +++ b/datasets/attack_techniques/T1059.003/ryuk/ryuk.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 2fdde836-18de-4543-8197-382a76c50332 -date: '2025-08-12' -description: Automatically categorized datasets in directory ryuk +author: Michael Haag +id: cc9b25fb-efc9-11eb-926b-550bf0943fbb +date: '2021-03-01' +description: Manual generation of attack data related to Ryuk with command line argument + of 8 LAN, related to wake on lan. environment: attack_range directory: ryuk mitre_technique: diff --git a/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml b/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml deleted file mode 100644 index 0160089b4..000000000 --- a/datasets/attack_techniques/T1059.003/ryuk/ryuk_cmdline.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Michael Haag -id: cc9b25fb-efc9-11eb-926b-550bf0943fbb -date: '2021-03-01' -description: Manual generation of attack data related to Ryuk with command line argument - of 8 LAN, related to wake on lan. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/powershell_spawn_cmd/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/003/ diff --git a/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml b/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml deleted file mode 100644 index a543a9843..000000000 --- a/datasets/attack_techniques/T1059.004/linux_discovery_tools/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 60cf3621-dcb7-44e9-a446-9592932c56de -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_discovery_tools -environment: attack_range -directory: linux_discovery_tools -mitre_technique: -- T1059.004 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml b/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml index c18f78366..61626086d 100644 --- a/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml +++ b/datasets/attack_techniques/T1059.004/linux_discovery_tools/linux_discovery_tools.yml @@ -3,13 +3,11 @@ id: 93252b82-8d73-11ec-bb43-acd118001122 date: '2022-02-14' description: Generated datasets for linux net discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/matrices/enterprise/linux/ -- https://github.com/IvanGlinkin/AutoSUID -- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS -- https://github.com/rebootuser/LinEnum -- https://attack.mitre.org/techniques/T1059/004/ \ No newline at end of file +directory: linux_discovery_tools +mitre_technique: +- T1059.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1059.004/linux_discovery_tools/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml b/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml deleted file mode 100644 index a47da2b2d..000000000 --- a/datasets/attack_techniques/T1059.005/discord_dnsquery/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 52ff8ca6-89fe-46e0-aa23-065448df115e -date: '2025-08-12' -description: Automatically categorized datasets in directory discord_dnsquery -environment: attack_range -directory: discord_dnsquery -mitre_technique: -- T1059.005 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml b/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml index c277a426f..74a8de157 100644 --- a/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml +++ b/datasets/attack_techniques/T1059.005/discord_dnsquery/discord_dnsquery.yml @@ -3,9 +3,11 @@ id: 1dea83b6-792e-11ec-95bc-acde48001122 date: '2022-01-19' description: Generated datasets for discord dnsquery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: discord_dnsquery +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/discord_dnsquery/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml b/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml deleted file mode 100644 index d8dd4983f..000000000 --- a/datasets/attack_techniques/T1059.005/vbs_wscript/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c85eaa02-ad6a-48ca-9b23-d47a51421c02 -date: '2025-08-12' -description: Automatically categorized datasets in directory vbs_wscript -environment: attack_range -directory: vbs_wscript -mitre_technique: -- T1059.005 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml b/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml index 587594d6b..ab96054a7 100644 --- a/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml +++ b/datasets/attack_techniques/T1059.005/vbs_wscript/vbs_wscript.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: eb98e75f-a568-4ab3-b0e3-406a781259b3 date: '2021-10-01' -description: Manual generation of attack data for txtfile vbs script execution through wscript process. +description: Manual generation of attack data for txtfile vbs script execution through + wscript process. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: vbs_wscript +mitre_technique: +- T1059.005 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059.005/vbs_wscript/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/autoit/autoit.yml b/datasets/attack_techniques/T1059/autoit/autoit.yml index ece05fe5f..419e5b630 100644 --- a/datasets/attack_techniques/T1059/autoit/autoit.yml +++ b/datasets/attack_techniques/T1059/autoit/autoit.yml @@ -3,11 +3,11 @@ id: 75c8fefc-fdc7-4b8c-814f-7b6cd323dace date: '2023-11-08' description: Generated datasets for autoit3.exe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/windbg_autoit.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/autoit/cab_files.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059 \ No newline at end of file +directory: autoit +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/autoit/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/autoit/data.yml b/datasets/attack_techniques/T1059/autoit/data.yml deleted file mode 100644 index 315d109bc..000000000 --- a/datasets/attack_techniques/T1059/autoit/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b9cb405e-410a-49ca-b967-58e9fa231d97 -date: '2025-08-12' -description: Automatically categorized datasets in directory autoit -environment: attack_range -directory: autoit -mitre_technique: -- T1059 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1059/autoit/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/metasploit/data.yml b/datasets/attack_techniques/T1059/metasploit/data.yml deleted file mode 100644 index 981505870..000000000 --- a/datasets/attack_techniques/T1059/metasploit/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d4fda369-7a81-4da5-878f-26d2d0ac5eeb -date: '2025-08-12' -description: Automatically categorized datasets in directory metasploit -environment: attack_range -directory: metasploit -mitre_technique: -- T1059 -datasets: -- name: apachebench_windows-sysmon - path: /datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/metasploit/metasploit.yml b/datasets/attack_techniques/T1059/metasploit/metasploit.yml index 9b75c6084..3a0e02669 100644 --- a/datasets/attack_techniques/T1059/metasploit/metasploit.yml +++ b/datasets/attack_techniques/T1059/metasploit/metasploit.yml @@ -2,13 +2,12 @@ author: Michael Haag id: 705b1487-8c72-4307-89ee-19b105d5bb5f date: '2022-11-21' description: Execution of payloads from MetaSploit. -environment: Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/metasploit/msf.powershell.powershell.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1059/ +environment: attack_range +directory: metasploit +mitre_technique: +- T1059 +datasets: +- name: apachebench_windows-sysmon + path: /datasets/attack_techniques/T1059/metasploit/apachebench_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/path_traversal/data.yml b/datasets/attack_techniques/T1059/path_traversal/data.yml deleted file mode 100644 index a08784291..000000000 --- a/datasets/attack_techniques/T1059/path_traversal/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a9d06e21-252a-4667-8578-9c3cc12fee09 -date: '2025-08-12' -description: Automatically categorized datasets in directory path_traversal -environment: attack_range -directory: path_traversal -mitre_technique: -- T1059 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1059/path_traversal/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml b/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml index cff034ef0..727af17f9 100644 --- a/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml +++ b/datasets/attack_techniques/T1059/path_traversal/path_traversal.yml @@ -3,9 +3,11 @@ id: f0fdb998-e01d-11ec-b3b2-acde48001122 date: '2022-05-30' description: Generated datasets for path traversal in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/path_traversal/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ \ No newline at end of file +directory: path_traversal +mitre_technique: +- T1059 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1059/path_traversal/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml b/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml deleted file mode 100644 index 7c7936c94..000000000 --- a/datasets/attack_techniques/T1059/suspiciously_named_executables/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 329b8786-ee83-42a2-b0a8-206f2dd18e1a -date: '2025-08-12' -description: Automatically categorized datasets in directory suspiciously_named_executables -environment: attack_range -directory: suspiciously_named_executables -mitre_technique: -- T1059 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml b/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml index 7ff36a76e..b57185b28 100644 --- a/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml +++ b/datasets/attack_techniques/T1059/suspiciously_named_executables/suspiciously_named_executables.yml @@ -1,11 +1,14 @@ author: Michael Hart id: 8179ffc0-7628-4c7b-a137-f17184efb4ed date: '2022-02-15' -description: A sample log where an adversary compiles and runs an executable with a randomly generated name under the Windows folder, ostensibly to avoid detection. +description: A sample log where an adversary compiles and runs an executable with + a randomly generated name under the Windows folder, ostensibly to avoid detection. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/ +directory: suspiciously_named_executables +mitre_technique: +- T1059 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059/suspiciously_named_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/drivers/data.yml b/datasets/attack_techniques/T1068/drivers/data.yml deleted file mode 100644 index bdb375930..000000000 --- a/datasets/attack_techniques/T1068/drivers/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0342ab67-2ca9-49e9-8a70-bd36a934e6ed -date: '2025-08-12' -description: Automatically categorized datasets in directory drivers -environment: attack_range -directory: drivers -mitre_technique: -- T1068 -datasets: -- name: sysmon_sys_filemod - path: /datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: xml7045_windows-system - path: /datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1068/drivers/drivers.yml b/datasets/attack_techniques/T1068/drivers/drivers.yml index 7fd391169..e8c8ec5ba 100644 --- a/datasets/attack_techniques/T1068/drivers/drivers.yml +++ b/datasets/attack_techniques/T1068/drivers/drivers.yml @@ -1,17 +1,17 @@ author: Michael haag id: cc9b25d8-efc9-22eb-126b-350bf0943fbb date: '2022-05-16' -description: 'Simulation of drivers loading up.' +description: Simulation of drivers loading up. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/7045_kerneldrivers.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/sc_kernel.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/driver_inventory.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1068 +directory: drivers +mitre_technique: +- T1068 +datasets: +- name: sysmon_sys_filemod + path: /datasets/attack_techniques/T1068/drivers/sysmon_sys_filemod.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: xml7045_windows-system + path: /datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml b/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml deleted file mode 100644 index 7dbaa05c2..000000000 --- a/datasets/attack_techniques/T1068/windows_escalation_behavior/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0ff11e72-45d8-42a2-8b78-c83f61770b4b -date: '2025-08-12' -description: Automatically categorized datasets in directory windows_escalation_behavior -environment: attack_range -directory: windows_escalation_behavior -mitre_technique: -- T1068 -datasets: -- name: windows_escalation_behavior_sysmon - path: /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml b/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml index c5fe7e795..799b7a897 100644 --- a/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml +++ b/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior.yml @@ -1,14 +1,13 @@ -author: Steven Dick -id: eb8bda82-5e06-4d02-983c-dde9a445661c -date: '2023-11-30' -description: 'Detection of common behaviors seen during process escalation/elevation.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1068/ -- https://vuls.cert.org/confluence/display/Wiki/2021/06/21/Finding+Privilege+Escalation+Vulnerabilities+in+Windows+using+Process+Monitor -- https://redcanary.com/blog/getsystem-offsec/ -- https://atomicredteam.io/privilege-escalation/T1134.001/ \ No newline at end of file +author: Steven Dick +id: eb8bda82-5e06-4d02-983c-dde9a445661c +date: '2023-11-30' +description: Detection of common behaviors seen during process escalation/elevation. +environment: attack_range +directory: windows_escalation_behavior +mitre_technique: +- T1068 +datasets: +- name: windows_escalation_behavior_sysmon + path: /datasets/attack_techniques/T1068/windows_escalation_behavior/windows_escalation_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/zoom_child_process/data.yml b/datasets/attack_techniques/T1068/zoom_child_process/data.yml deleted file mode 100644 index d9ed26cba..000000000 --- a/datasets/attack_techniques/T1068/zoom_child_process/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 58e90c17-12be-43b9-a378-4da5533a6a06 -date: '2025-08-12' -description: Automatically categorized datasets in directory zoom_child_process -environment: attack_range -directory: zoom_child_process -mitre_technique: -- T1068 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml b/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml index be34a0045..9968eba57 100644 --- a/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml +++ b/datasets/attack_techniques/T1068/zoom_child_process/zoom_child_process.yml @@ -3,15 +3,11 @@ id: cc9b2627-efc9-11eb-926b-550bf0943fbb date: '2020-11-19' description: Manual generation of child process of zoom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/zoom_child_process/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1068/ +directory: zoom_child_process +mitre_technique: +- T1068 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1068/zoom_child_process/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1069.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml similarity index 73% rename from datasets/attack_techniques/T1069.001/atomic_red_team/data.yml rename to datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml index 1aa0508f2..03b435453 100644 --- a/datasets/attack_techniques/T1069.001/atomic_red_team/data.yml +++ b/datasets/attack_techniques/T1069.001/atomic_red_team/atomic_red_team.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 17d965c5-9704-40aa-b8ef-47ea913eb76a -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team +author: Michael Haag +id: d6a30644-63bf-464b-8a2a-4df5de49aa43 +date: '2021-09-14' +description: Simulated events with Atomic Red Team and manual. environment: attack_range directory: atomic_red_team mitre_technique: diff --git a/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml b/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml deleted file mode 100644 index 8a6b5f147..000000000 --- a/datasets/attack_techniques/T1069.001/atomic_red_team/local_groups.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: d6a30644-63bf-464b-8a2a-4df5de49aa43 -date: '2021-09-14' -description: 'Simulated events with Atomic Red Team and manual.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml index 2973712f6..80e1ea389 100644 --- a/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1069.002/AD_discovery/AD_discovery.yml @@ -1,16 +1,34 @@ author: Mauricio Velazco id: d6a30644-63bf-464b-8a2a-4df5de49aa3f date: '2021-09-07' -description: 'Simulated test Attack range dataset for AD discovery techniques using PoschC2 and a PowerShell implant' +description: Simulated test Attack range dataset for AD discovery techniques using + PoschC2 and a PowerShell implant environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security +directory: AD_discovery +mitre_technique: +- T1069.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: ldifde_4688_windows-security + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: ldifde_windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-xml-powerview + path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1069.002/AD_discovery/data.yml b/datasets/attack_techniques/T1069.002/AD_discovery/data.yml deleted file mode 100644 index e5ce274b9..000000000 --- a/datasets/attack_techniques/T1069.002/AD_discovery/data.yml +++ /dev/null @@ -1,33 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 18d5d7b5-1364-4e26-b551-95c7c059a7c0 -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1069.002 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: ldifde_4688_windows-security - path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_4688_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: ldifde_windows-sysmon - path: /datasets/attack_techniques/T1069.002/AD_discovery/ldifde_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-powershell-xml-powerview - path: /datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml index 99714d777..5d1b17ab1 100644 --- a/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070.001/atomic_red_team/atomic_red_team.yml @@ -4,17 +4,11 @@ date: '2020-10-09' description: 'Atomic Test Results: Return value unclear for test T1070.001-1 Clear Logs Successful Execution of test T1070.001-2 Delete System Logs Using Clear-EventLog ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.001/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1070/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1070_001.yml +directory: atomic_red_team +mitre_technique: +- T1070.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml deleted file mode 100644 index 26aa4a28c..000000000 --- a/datasets/attack_techniques/T1070.001/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: df55e3ed-8d0d-4364-92fa-46bbd1360dcd -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1070.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1070.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml index 329e43653..74d0a8085 100644 --- a/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070.005/atomic_red_team/atomic_red_team.yml @@ -5,15 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1070.005-1 Add Share Return value unclear for test T1070.005-2 Remove Network Share Return value unclear for test T1070.005-3 Remove Network Share PowerShell ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md +directory: atomic_red_team +mitre_technique: +- T1070.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml deleted file mode 100644 index 5fb5d74b1..000000000 --- a/datasets/attack_techniques/T1070.005/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 92a2c3ca-3419-48f0-abcc-7206c9269b00 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1070.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml index e37a4f697..d8048beec 100644 --- a/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1070/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-12-08' description: 'Atomic Test Results: Return value unclear for test T1070-1 Indicator Removal using FSUtil ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md +directory: atomic_red_team +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/atomic_red_team/data.yml b/datasets/attack_techniques/T1070/atomic_red_team/data.yml deleted file mode 100644 index ba8349f79..000000000 --- a/datasets/attack_techniques/T1070/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5588e0bd-7f49-4bdb-b559-b67665e4b599 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1070 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1070/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml b/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml deleted file mode 100644 index 2478bd87e..000000000 --- a/datasets/attack_techniques/T1070/fsutil_file_zero/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b1564f87-9636-4ef7-a2e7-272b5eb63ae2 -date: '2025-08-12' -description: Automatically categorized datasets in directory fsutil_file_zero -environment: attack_range -directory: fsutil_file_zero -mitre_technique: -- T1070 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml b/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml index 85f76696a..2399bac92 100644 --- a/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml +++ b/datasets/attack_techniques/T1070/fsutil_file_zero/fsutil_file_zero.yml @@ -3,9 +3,11 @@ id: 5e746ff0-b464-44f8-b4ec-38ede346e371 date: '2021-08-11' description: simulated Execution of lockbit ransomware malware in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/e0ac072d-58c9-4f53-8a3b-3e491c7ac5db/ \ No newline at end of file +directory: fsutil_file_zero +mitre_technique: +- T1070 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070/fsutil_file_zero/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml b/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml deleted file mode 100644 index ced8f4584..000000000 --- a/datasets/attack_techniques/T1070/remove_windows_security_event_log/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2377f199-4b88-4893-b19d-2763452b75a3 -date: '2025-08-12' -description: Automatically categorized datasets in directory remove_windows_security_event_log -environment: attack_range -directory: remove_windows_security_event_log -mitre_technique: -- T1070 -datasets: -- name: windows_security_xml - path: /datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml b/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml index 922aef430..ae0d2ee6b 100644 --- a/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml +++ b/datasets/attack_techniques/T1070/remove_windows_security_event_log/remove_windows_security_event_log.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 8e60394b-3334-484e-89e7-3cd9bbbac9fd date: '2024-01-29' -description: 'Clear Windows Event Logs using wevtutil.exe' +description: Clear Windows Event Logs using wevtutil.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md +directory: remove_windows_security_event_log +mitre_technique: +- T1070 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1070/remove_windows_security_event_log/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Eventlog diff --git a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml deleted file mode 100644 index aad745186..000000000 --- a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1341203e-1b52-4536-b6bb-f637a8b62989 -date: '2025-08-12' -description: Automatically categorized datasets in directory outbound_smb_traffic -environment: attack_range -directory: outbound_smb_traffic -mitre_technique: -- T1071.002 -datasets: -- name: zeek_conn - path: /datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log - sourcetype: bro:conn:json - source: bro diff --git a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml index db71aadc3..5e1201512 100644 --- a/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml +++ b/datasets/attack_techniques/T1071.002/outbound_smb_traffic/outbound_smb_traffic.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: 219c898a-39d5-4d63-ad1d-07bec9cabc5c date: '2024-02-27' description: Outbound smb traffic to another server -environment: Attack range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log -sourcetypes: -- bro:conn:json -references: -- https://attack.mitre.org/techniques/T1071/002/ +environment: attack_range +directory: outbound_smb_traffic +mitre_technique: +- T1071.002 +datasets: +- name: zeek_conn + path: /datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log + sourcetype: bro:conn:json + source: bro diff --git a/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml b/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml index 8e949f408..233d3bb28 100644 --- a/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml +++ b/datasets/attack_techniques/T1078.002/account_lockout/account_lockout.yml @@ -3,16 +3,19 @@ id: cc9b25d7-efc9-11eb-926b-550bf0943fbb date: '2020-11-09' description: Manual generation of attack data by locking out an account environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1078/002/ +directory: account_lockout +mitre_technique: +- T1078.002 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078.002/account_lockout/data.yml b/datasets/attack_techniques/T1078.002/account_lockout/data.yml deleted file mode 100644 index ede6c10f2..000000000 --- a/datasets/attack_techniques/T1078.002/account_lockout/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 28584690-3ad6-4752-af92-7ac7f9e153ae -date: '2025-08-12' -description: Automatically categorized datasets in directory account_lockout -environment: attack_range -directory: account_lockout -mitre_technique: -- T1078.002 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-xml-1 - path: /datasets/attack_techniques/T1078.002/account_lockout/windows-xml-1.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1078.002/account_lockout/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml deleted file mode 100644 index bf095a243..000000000 --- a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 10c3ba02-9051-4d71-89f2-d4ea5bcd104f -date: '2025-08-12' -description: Automatically categorized datasets in directory powerview_acl_enumeration -environment: attack_range -directory: powerview_acl_enumeration -mitre_technique: -- T1078.002 -datasets: -- name: windows-powershell - path: /datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml index 5f193ac27..21be74f50 100644 --- a/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml +++ b/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/powerview_acl_enumeration.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 21d1c884-80c5-4e9e-a3bc-4d13ce420b1b date: '2023-04-21' -description: Manually leverage PowerView to enumerate for active directory access control lists. +description: Manually leverage PowerView to enumerate for active directory access + control lists. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1078/002/ -- https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 -- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces -- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ \ No newline at end of file +directory: powerview_acl_enumeration +mitre_technique: +- T1078.002 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1078.002/powerview_acl_enumeration/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml index 507bf74d4..8d67edbc9 100644 --- a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml +++ b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 27baa027-31cf-43f8-bf9e-20c3946d4c45 date: '2024-02-12' -description: 'Used python to authenticate as a service principal to an Azure AD tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log -sourcetypes: -- azure_monitor_aad -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins +description: Used python to authenticate as a service principal to an Azure AD tenant. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_service_principal_authentication +mitre_technique: +- T1078.004 +datasets: +- name: azure_ad_service_principal_authentication + path: /datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml b/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml deleted file mode 100644 index 39f9af552..000000000 --- a/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7674105c-1ff1-41fc-8958-dd784a8580d0 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_service_principal_authentication -environment: attack_range -directory: azure_ad_service_principal_authentication -mitre_technique: -- T1078.004 -datasets: -- name: azure_ad_service_principal_authentication - path: /datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml b/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml index 2e1154cf7..1433a3daa 100644 --- a/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml +++ b/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure_automation_runbook.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 49d07696-6d7f-468f-8b22-c021b6128627 date: '2022-08-23' -description: Manually create an Azure Automation Runbook account using the Azure Portal. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html -- https://attack.mitre.org/techniques/T1078/004/ \ No newline at end of file +description: Manually create an Azure Automation Runbook account using the Azure Portal. + Tenant specific details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_automation_runbook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml b/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml deleted file mode 100644 index 2ba159874..000000000 --- a/datasets/attack_techniques/T1078.004/azure_automation_runbook/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4acfb721-a9c4-4563-b10c-b2d7b848a499 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_automation_runbook -environment: attack_range -directory: azure_automation_runbook -mitre_technique: -- T1078.004 -datasets: -- name: azure-activity - path: /datasets/attack_techniques/T1078.004/azure_automation_runbook/azure-activity.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml index 3a4af155d..bc9c269d8 100644 --- a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml +++ b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure_runbook_webhook.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: f8e3dbe1-73ae-418b-8d71-5dcdae97cceb date: '2022-08-23' -description: 'Manually created a Webhook for an Azure Automation Runbook through the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html +description: Manually created a Webhook for an Azure Automation Runbook through the + Azure portal. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_runbook_webhook +mitre_technique: +- T1078.004 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml b/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml deleted file mode 100644 index 41cbf7f93..000000000 --- a/datasets/attack_techniques/T1078.004/azure_runbook_webhook/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6a1f5a6c-9806-450f-972b-e3401b241a13 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_runbook_webhook -environment: attack_range -directory: azure_runbook_webhook -mitre_technique: -- T1078.004 -datasets: -- name: azure-activity - path: /datasets/attack_techniques/T1078.004/azure_runbook_webhook/azure-activity.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread/azuread.yml b/datasets/attack_techniques/T1078.004/azuread/azuread.yml index cde6f9473..a18ae111d 100644 --- a/datasets/attack_techniques/T1078.004/azuread/azuread.yml +++ b/datasets/attack_techniques/T1078.004/azuread/azuread.yml @@ -1,13 +1,16 @@ author: Mauricio Velazco id: d6b4e3c8-1f45-40a0-81a8-0fd5b9af19f2 date: '2022-07-12' -description: 'Used PowerShell to manually authenticate to an Azure AD tenant with an account that does not have Multi Factor authenttication enabled. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0 +description: Used PowerShell to manually authenticate to an Azure AD tenant with an + account that does not have Multi Factor authenttication enabled. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: azuread +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread/data.yml b/datasets/attack_techniques/T1078.004/azuread/data.yml deleted file mode 100644 index 26604d27a..000000000 --- a/datasets/attack_techniques/T1078.004/azuread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0f6b7cee-88ac-466b-b913-a0748c4932ba -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread -environment: attack_range -directory: azuread -mitre_technique: -- T1078.004 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1078.004/azuread/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml b/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml index 34ded3f27..567beaf22 100644 --- a/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml +++ b/datasets/attack_techniques/T1078.004/azuread_pws/azuread_pws.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 7bf1f61a-9cec-46d0-99cb-5e84c7df53bd date: '2022-07-13' -description: 'Manually used the PowerShell commandlet Connect-AzureAD to authenticate to an Azure AD tenant with a valid account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0 +description: Manually used the PowerShell commandlet Connect-AzureAD to authenticate + to an Azure AD tenant with a valid account. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azuread_pws +mitre_technique: +- T1078.004 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1078.004/azuread_pws/data.yml b/datasets/attack_techniques/T1078.004/azuread_pws/data.yml deleted file mode 100644 index 214893f3f..000000000 --- a/datasets/attack_techniques/T1078.004/azuread_pws/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: db9e69e8-61c9-4245-86f8-1007d077957c -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread_pws -environment: attack_range -directory: azuread_pws -mitre_technique: -- T1078.004 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1078.004/azuread_pws/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml deleted file mode 100644 index b4a53406e..000000000 --- a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a53f6f0f-4997-4c7f-bbfb-a06c03fafa93 -date: '2025-08-12' -description: Automatically categorized datasets in directory gcp_single_factor_auth -environment: attack_range -directory: gcp_single_factor_auth -mitre_technique: -- T1078.004 -datasets: -- name: gws_login - path: /datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log - sourcetype: gws:reports:login - source: gws:reports:login diff --git a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml index aeebe406e..8a17ad0bc 100644 --- a/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml +++ b/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gcp_single_factor_auth.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 09261f80-30d7-4482-92e1-a9e3ecb6abfe date: '2022-10-13' -description: 'Manually authenticateed to a GCP tenant with an account that does not have Multi Factor authenttication enabled. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1078/004/ +description: Manually authenticateed to a GCP tenant with an account that does not + have Multi Factor authenttication enabled. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: gcp_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1078.004/gcp_single_factor_auth/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml deleted file mode 100644 index 2f90bbc96..000000000 --- a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8ec328c1-a2d8-443a-a170-e5974f914d4d -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_security_and_compliance_alert_triggered -environment: attack_range -directory: o365_security_and_compliance_alert_triggered -mitre_technique: -- T1078.004 -datasets: -- name: o365_security_and_compliance_alert_triggered - path: /datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml index e62bd0c1c..85f91e950 100644 --- a/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml +++ b/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 70265c3b-8d9e-46b2-aaa4-2b0a42d4b4d1 date: '2024-03-26' -description: 'Created a forwarding rule programatically using msInvader which triggered an alert by Security & Compliance' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide +description: Created a forwarding rule programatically using msInvader which triggered + an alert by Security & Compliance +environment: attack_range +directory: o365_security_and_compliance_alert_triggered +mitre_technique: +- T1078.004 +datasets: +- name: o365_security_and_compliance_alert_triggered + path: /datasets/attack_techniques/T1078.004/o365_security_and_compliance_alert_triggered/o365_security_and_compliance_alert_triggered.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml deleted file mode 100644 index 1c83e4857..000000000 --- a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 022227b1-b740-4cdc-9a09-87574d6753d7 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_single_factor_auth -environment: attack_range -directory: okta_single_factor_auth -mitre_technique: -- T1078.004 -datasets: -- name: okta_single_factor_auth - path: /datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml index 1e6907e07..50f7a26b5 100644 --- a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml +++ b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml @@ -1,11 +1,13 @@ author: Bhavin Patel id: 71ad47d1-w6bd-4e0a-b35c-020ad9a6959q date: '2024-03-18' -description: 'Manually generated dataset for a single factor authentication attempt' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078.004 \ No newline at end of file +description: Manually generated dataset for a single factor authentication attempt +environment: attack_range +directory: okta_single_factor_auth +mitre_technique: +- T1078.004 +datasets: +- name: okta_single_factor_auth + path: /datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml deleted file mode 100644 index 6bd58bbc0..000000000 --- a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 23858ffb-cff5-4a2e-895b-8f88c69b6462 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_threatinsight_threat_detected -environment: attack_range -directory: okta_threatinsight_threat_detected -mitre_technique: -- T1078.004 -datasets: -- name: okta_threatinsight_threat_detected - path: /datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml index 9da19626d..57dfb7860 100644 --- a/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml +++ b/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: b63a92e5-412f-415f-abf9-bb29be4bbfc3 date: '2024-04-02' -description: 'Attempted to authenticate multiple times across different users with from the same Ip' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078/004/ +description: Attempted to authenticate multiple times across different users with + from the same Ip +environment: attack_range +directory: okta_threatinsight_threat_detected +mitre_technique: +- T1078.004 +datasets: +- name: okta_threatinsight_threat_detected + path: /datasets/attack_techniques/T1078.004/okta_threatinsight_threat_detected/okta_threatinsight_threat_detected.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml index 36e5957a4..144f3b992 100644 --- a/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml +++ b/datasets/attack_techniques/T1078/aws_create_policy_version/aws_create_policy_version.yml @@ -3,12 +3,16 @@ id: cc9b2645-efc9-11eb-926b-550bf0943fbb date: '2021-02-22' description: This search looks for CloudTrail events where a user created a policy version that allows them to access any resource in their account -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_create_policy_version +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml b/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml deleted file mode 100644 index 4d3a64a94..000000000 --- a/datasets/attack_techniques/T1078/aws_create_policy_version/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a6045118-a7d2-4c32-a2c1-b679747b2d05 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_create_policy_version -environment: attack_range -directory: aws_create_policy_version -mitre_technique: -- T1078 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1078/aws_create_policy_version/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1078/aws_create_policy_version/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml index 618e60f45..2e721f558 100644 --- a/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml +++ b/datasets/attack_techniques/T1078/aws_createaccesskey/aws_createaccesskey.yml @@ -5,14 +5,16 @@ description: CloudTrail events where a user A who has already permission to crea access keys, makes an API call to create access keys for another user B. Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_createaccesskey +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml b/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml deleted file mode 100644 index 820028cf0..000000000 --- a/datasets/attack_techniques/T1078/aws_createaccesskey/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6ef15d47-5b6a-466f-962e-cb9b97eb662b -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_createaccesskey -environment: attack_range -directory: aws_createaccesskey -mitre_technique: -- T1078 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1078/aws_createaccesskey/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1078/aws_createaccesskey/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml b/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml index d5f337d02..1bcec2df3 100644 --- a/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml +++ b/datasets/attack_techniques/T1078/aws_createloginprofile/aws_createloginprofile.yml @@ -1,13 +1,16 @@ author: Bhavin Patel +id: 96c87adb-e09f-404c-8586-3132a9c2f949 date: '2021-02-22' -description: This dataset has CloudTrail events where a user A(victim A) creates a login profile for user B, followed by a AWS Console login event from user B from the same src_ip as user B. This correlated event can be indicative of privilege escalation since both events happened from the same src_ip -environment: Cloud Attack Range -technique: +description: This dataset has CloudTrail events where a user A(victim A) creates a + login profile for user B, followed by a AWS Console login event from user B from + the same src_ip as user B. This correlated event can be indicative of privilege + escalation since both events happened from the same src_ip +environment: attack_range +directory: aws_createloginprofile +mitre_technique: - T1078 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ -sourcetypes: -- aws:cloudtrail +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml b/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml deleted file mode 100644 index 5203b2b0e..000000000 --- a/datasets/attack_techniques/T1078/aws_createloginprofile/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 96c87adb-e09f-404c-8586-3132a9c2f949 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_createloginprofile -environment: attack_range -directory: aws_createloginprofile -mitre_technique: -- T1078 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1078/aws_createloginprofile/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml index 2b3139793..fed7577a9 100644 --- a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml +++ b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml @@ -5,11 +5,11 @@ description: This search provides specific SAML access from specific Service Pro user and targeted principal at AWS. This search provides specific information to detect abnormal access or potential credential hijack or forgery, specially in federated environments using SAML protocol inside the perimeter or cloud provider. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1552/004/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +environment: attack_range +directory: aws_saml_access_by_provider_user_and_principal +mitre_technique: +- T1078 +datasets: +- name: aws_saml_access_by_provider_user_and_principal-json + path: /datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml deleted file mode 100644 index 0e339ca6c..000000000 --- a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a41f6b7e-971c-4cd1-a022-6aa79bfd9e07 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_saml_access_by_provider_user_and_principal -environment: attack_range -directory: aws_saml_access_by_provider_user_and_principal -mitre_technique: -- T1078 -datasets: -- name: aws_saml_access_by_provider_user_and_principal-json - path: /datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml index 687dbb486..dd69f555d 100644 --- a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml +++ b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.yml @@ -5,11 +5,12 @@ description: This search provides detection of updates to SAML provider in AWS. to SAML provider need to be monitored closely as they may indicate possible perimeter compromise of federated credentials, or backdoor access from another cloud provider set by attacker. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1552/004/ -- https://us-cert.cisa.gov/ncas/alerts/aa21-008a +environment: attack_range +directory: aws_saml_update_identity_provider +mitre_technique: +- T1078 +datasets: +- name: aws_saml_update_identity_provider-json + path: /datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml b/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml deleted file mode 100644 index ba5abb24b..000000000 --- a/datasets/attack_techniques/T1078/aws_saml_update_identity_provider/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 63485f75-a269-4f88-bdbe-351bf3829a99 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_saml_update_identity_provider -environment: attack_range -directory: aws_saml_update_identity_provider -mitre_technique: -- T1078 -datasets: -- name: aws_saml_update_identity_provider-json - path: /datasets/attack_techniques/T1078/aws_saml_update_identity_provider/aws_saml_update_identity_provider.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml index efe66eda8..3e9be852a 100644 --- a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml +++ b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_setdefaultpolicyversion.yml @@ -5,11 +5,12 @@ description: This dataset has CloudTrail events where a user has set a default p versions. Attackers have been know to use this technique for Privilege Escalation in case the previous versions of the policy had permissions to access more resources than the current version of the policy -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_setdefaultpolicyversion +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml b/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml deleted file mode 100644 index 78c62007a..000000000 --- a/datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1629e1c3-9ab0-4180-83b9-31e3eb31dae6 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_setdefaultpolicyversion -environment: attack_range -directory: aws_setdefaultpolicyversion -mitre_technique: -- T1078 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1078/aws_setdefaultpolicyversion/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml b/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml index 187e85435..0b23b0c11 100644 --- a/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml +++ b/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_updateloginprofile.yml @@ -5,11 +5,16 @@ description: This dataset has CloudTrail events where a user A who has already p to update login profile, makes an API call to update login profile for another user B . Attackers have been know to use this technique for Privilege Escalation in case new victim(user B) has more permissions than old victim(user B) -environment: Cloud Attack Range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws -- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ +environment: attack_range +directory: aws_updateloginprofile +mitre_technique: +- T1078 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml b/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml deleted file mode 100644 index 8ab9dfad2..000000000 --- a/datasets/attack_techniques/T1078/aws_updateloginprofile/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b536b13c-545f-4f6c-949d-ae4aa390568b -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_updateloginprofile -environment: attack_range -directory: aws_updateloginprofile -mitre_technique: -- T1078 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1078/aws_updateloginprofile/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1078/aws_updateloginprofile/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml index a5dfbbd45..f1ebe0094 100644 --- a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml +++ b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: 05a138d2-ba8f-40bc-9b26-ea01e06b6b72 date: '2023-10-25' -description: 'Used Invoke-MfaSweep with a valid account against an Azure AD tenant' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Used Invoke-MfaSweep with a valid account against an Azure AD tenant +environment: attack_range +directory: azure_ad_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: azure_ad_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml b/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml deleted file mode 100644 index a7ab7d9b5..000000000 --- a/datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0f7e31fc-65b5-425a-b44d-b62a799b5157 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_multiple_appids_and_useragents_auth -environment: attack_range -directory: azure_ad_multiple_appids_and_useragents_auth -mitre_technique: -- T1078 -datasets: -- name: azure_ad_multiple_appids_and_useragents_auth - path: /datasets/attack_techniques/T1078/azure_ad_multiple_appids_and_useragents_auth/azure_ad_multiple_appids_and_useragents_auth.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1078/defaultaccount/data.yml b/datasets/attack_techniques/T1078/defaultaccount/data.yml deleted file mode 100644 index 7580a0590..000000000 --- a/datasets/attack_techniques/T1078/defaultaccount/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 54cc223d-f35d-4470-8fe6-d0275c027e20 -date: '2025-08-12' -description: Automatically categorized datasets in directory defaultaccount -environment: attack_range -directory: defaultaccount -mitre_technique: -- T1078 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml b/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml index 4feeab40f..6c627b26b 100644 --- a/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml +++ b/datasets/attack_techniques/T1078/defaultaccount/defaultaccount.yml @@ -3,9 +3,11 @@ id: dd9b25d7-efc9-11eb-926b-330cf0943fbb date: '2021-11-15' description: Manual generation of attack data by enabling DefaultAccount on Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1078/002/ +directory: defaultaccount +mitre_technique: +- T1078 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1078/defaultaccount/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml deleted file mode 100644 index 6f2ebab95..000000000 --- a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f6c74da5-0244-465c-94ec-d2c1cd8d5429 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_excessive_sso_logon_errors -environment: attack_range -directory: o365_excessive_sso_logon_errors -mitre_technique: -- T1078 -datasets: -- name: o365_excessive_sso_logon_errors-json - path: /datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml index b3f36c341..5c4113eab 100644 --- a/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml +++ b/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.yml @@ -4,11 +4,12 @@ date: '2021-01-26' description: This search detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078 -- https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ +environment: attack_range +directory: o365_excessive_sso_logon_errors +mitre_technique: +- T1078 +datasets: +- name: o365_excessive_sso_logon_errors-json + path: /datasets/attack_techniques/T1078/o365_excessive_sso_logon_errors/o365_excessive_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml deleted file mode 100644 index bd7473e40..000000000 --- a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 45ffa889-143e-4114-884f-53c65de39bc2 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_multiple_appids_and_useragents_auth -environment: attack_range -directory: o365_multiple_appids_and_useragents_auth -mitre_technique: -- T1078 -datasets: -- name: o365_multiple_appids_and_useragents_auth - path: /datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml index b2bdd8197..00c8f1743 100644 --- a/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml +++ b/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: c1b7f147-4a2d-4405-83bb-ff9259b2de3a date: '2023-10-24' -description: 'Used Invoke-MfaSweep with a valid account against an O365 tenant' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Used Invoke-MfaSweep with a valid account against an O365 tenant +environment: attack_range +directory: o365_multiple_appids_and_useragents_auth +mitre_technique: +- T1078 +datasets: +- name: o365_multiple_appids_and_useragents_auth + path: /datasets/attack_techniques/T1078/o365_multiple_appids_and_useragents_auth/o365_multiple_appids_and_useragents_auth.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml deleted file mode 100644 index 91fd53a53..000000000 --- a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 93683ac1-555c-41d2-8106-87f17538b383 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_suspicious_activity_reported_by_user -environment: attack_range -directory: okta_suspicious_activity_reported_by_user -mitre_technique: -- T1078 -datasets: -- name: okta_suspicious_activity_reported_by_user - path: /datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml index 47cdb78ac..e081abd87 100644 --- a/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml +++ b/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: 3fdec92b-7b2a-45ed-a74c-386708fbc877 date: '2024-03-11' -description: Manually reported suspicious user behavior using the link from an Okta email. -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1078 +description: Manually reported suspicious user behavior using the link from an Okta + email. +environment: attack_range +directory: okta_suspicious_activity_reported_by_user +mitre_technique: +- T1078 +datasets: +- name: okta_suspicious_activity_reported_by_user + path: /datasets/attack_techniques/T1078/okta_suspicious_activity_reported_by_user/okta_suspicious_activity_reported_by_user.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml deleted file mode 100644 index 935e9c7cb..000000000 --- a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5f859434-b8ba-445c-9d2d-c013bfb86803 -date: '2025-08-12' -description: Automatically categorized datasets in directory special_logon_on_mulitple_hosts -environment: attack_range -directory: special_logon_on_mulitple_hosts -mitre_technique: -- T1078 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml index 5cee58159..e6602fef0 100644 --- a/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml +++ b/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/special_logon_on_mulitple_hosts.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: b9cd42b4-d84d-4969-b61c-4a18b89efecd date: '2023-03-27' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder with a domain admin to discover network file shares and check access in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder with a + domain admin to discover network file shares and check access in an Active Directory + network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: special_logon_on_mulitple_hosts +mitre_technique: +- T1078 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1078/special_logon_on_mulitple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1078/update_saml_provider/data.yml b/datasets/attack_techniques/T1078/update_saml_provider/data.yml deleted file mode 100644 index 0b2e61712..000000000 --- a/datasets/attack_techniques/T1078/update_saml_provider/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1f797bf0-3c5a-482d-8eb5-541ffffc638f -date: '2025-08-12' -description: Automatically categorized datasets in directory update_saml_provider -environment: attack_range -directory: update_saml_provider -mitre_technique: -- T1078 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml b/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml index cc63bbe3d..b466fca56 100644 --- a/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml +++ b/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b2637-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Update saml provider in aws -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/update_saml_provider/update_saml_provider.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1078/ +environment: attack_range +directory: update_saml_provider +mitre_technique: +- T1078 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1078/update_saml_provider/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml index 2e5f4b303..4325fb5d1 100644 --- a/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1082/atomic_red_team/atomic_red_team.yml @@ -3,18 +3,11 @@ id: cc9b2615-efc9-11eb-926b-550bf0943fbb date: '2020-10-09' description: Atomic Red Team Execution of T1082 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1082 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md +directory: atomic_red_team +mitre_technique: +- T1082 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1082/atomic_red_team/data.yml b/datasets/attack_techniques/T1082/atomic_red_team/data.yml deleted file mode 100644 index ba9678e0e..000000000 --- a/datasets/attack_techniques/T1082/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 85905af3-630b-4f0b-8822-6e8ae5a1d5d9 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1082 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1082/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml deleted file mode 100644 index 9914d0fdc..000000000 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f971d022-aa38-4a69-b58f-b7a4cd046782 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_lsmod -environment: attack_range -directory: linux_auditd_lsmod -mitre_technique: -- T1082 -datasets: -- name: linux_auditd_lsmod - path: /datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml index 4e30b7738..d6641aa6d 100644 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.yml @@ -3,9 +3,11 @@ id: f0ce5c20-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd lsmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log -sourcetypes: -- 'linux:audit' -references: -- https://man7.org/linux/man-pages/man8/kmod.8.html \ No newline at end of file +directory: linux_auditd_lsmod +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod/linux_auditd_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml deleted file mode 100644 index 6ac96f8b2..000000000 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a4f93422-1606-4c9f-ad49-80edd933b682 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_lsmod_new -environment: attack_range -directory: linux_auditd_lsmod_new -mitre_technique: -- T1082 -datasets: -- name: linux_auditd_new_lsmod - path: /datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml index 3d8a31c7f..2b608267b 100644 --- a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml +++ b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml @@ -3,9 +3,11 @@ id: 10da084a-1ab1-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd lsmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log -sourcetypes: -- 'auditd' -references: -- https://man7.org/linux/man-pages/man8/kmod.8.html \ No newline at end of file +directory: linux_auditd_lsmod_new +mitre_technique: +- T1082 +datasets: +- name: linux_auditd_new_lsmod + path: /datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml deleted file mode 100644 index 1d1d0cd9e..000000000 --- a/datasets/attack_techniques/T1083/linux_auditd_find_db/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d6263e7b-d553-4106-9bb2-61cb113dadac -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_db -environment: attack_range -directory: linux_auditd_find_db -mitre_technique: -- T1083 -datasets: -- name: linux_auditd_find_db - path: /datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml b/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml index 1f26ade49..2c0aa98d8 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml @@ -3,9 +3,11 @@ id: a33aa580-5e02-11ef-b158-acde48001122 date: '2024-08-19' description: Generated datasets for linux auditd find db in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log -sourcetypes: -- 'linux:audit' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_db +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_db + path: /datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml deleted file mode 100644 index 1888ab557..000000000 --- a/datasets/attack_techniques/T1083/linux_auditd_find_document/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8427c286-6d72-490a-a072-ecaa9c8c3ab2 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_document -environment: attack_range -directory: linux_auditd_find_document -mitre_technique: -- T1083 -datasets: -- name: auditd_execve_file_dir_discovery - path: /datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log - sourcetype: auditd - source: auditd -- name: linux_auditd_find_document - path: /datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml b/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml index 1a803e304..d66810f0f 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml @@ -3,9 +3,15 @@ id: 7146152c-ef94-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find document in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_document +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_file_dir_discovery + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/auditd_execve_file_dir_discovery.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_document + path: /datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml deleted file mode 100644 index a9052a026..000000000 --- a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4f4bc9cc-8d12-40d7-9efd-c1ba3dbbe05c -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_virtual_disk -environment: attack_range -directory: linux_auditd_find_virtual_disk -mitre_technique: -- T1083 -datasets: -- name: linux_auditd_find_virtual_disk - path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log - sourcetype: auditd - source: auditd -- name: auditd_execve_find_vhd - path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml index 096b902c8..a41c146dc 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml @@ -3,9 +3,15 @@ id: 2a0d7642-efa7-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find virtual disk in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_virtual_disk +mitre_technique: +- T1083 +datasets: +- name: linux_auditd_find_virtual_disk + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log + sourcetype: auditd + source: auditd +- name: auditd_execve_find_vhd + path: /datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/auditd_execve_find_vhd.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml deleted file mode 100644 index 6e2e9317c..000000000 --- a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c6423fa9-073e-4d36-b915-9b18c80a4c03 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_hidden_file -environment: attack_range -directory: linux_auditd_hidden_file -mitre_technique: -- T1083 -datasets: -- name: auditd_execve_hidden_file - path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log - sourcetype: auditd - source: auditd -- name: linux_auditd_hidden_file - path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml index 8d2eaf9be..4b5c5cd1a 100644 --- a/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml +++ b/datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.yml @@ -3,9 +3,15 @@ id: 3747f0f4-ef9c-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd hidden file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_hidden_file +mitre_technique: +- T1083 +datasets: +- name: auditd_execve_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/auditd_execve_hidden_file.log + sourcetype: auditd + source: auditd +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1083/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml index 8c8f301c7..c9a18c445 100644 --- a/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1087.001/AD_discovery/AD_discovery.yml @@ -1,13 +1,17 @@ author: Mauricio Velazco id: 1e2c5670-7953-492f-90e2-aa95aa190049 date: '2021-08-24' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1087.001 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.001/AD_discovery/data.yml b/datasets/attack_techniques/T1087.001/AD_discovery/data.yml deleted file mode 100644 index 7e6925981..000000000 --- a/datasets/attack_techniques/T1087.001/AD_discovery/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 042999cf-2575-4a65-9a4f-61d018d374d7 -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1087.001 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml b/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml index c68a85cbf..c888bd0bb 100644 --- a/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml +++ b/datasets/attack_techniques/T1087.002/AD_discovery/AD_discovery.yml @@ -1,15 +1,33 @@ author: Teoderick Contreras id: 85738b9d-8066-4934-a6ad-3285db2085c3 date: '2021-08-24' -description: 'Simulated test Attack range dataset for AD discovery techniques' +description: Simulated test Attack range dataset for AD discovery techniques environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security \ No newline at end of file +directory: AD_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-LocalAdminAccess-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-DomainOU-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-ForestDomain-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-interestingACL-xml + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/AD_discovery/data.yml b/datasets/attack_techniques/T1087.002/AD_discovery/data.yml deleted file mode 100644 index 4a3faa4f2..000000000 --- a/datasets/attack_techniques/T1087.002/AD_discovery/data.yml +++ /dev/null @@ -1,33 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 254e95f3-458c-498a-94d9-abc224a83b8e -date: '2025-08-12' -description: Automatically categorized datasets in directory AD_discovery -environment: attack_range -directory: AD_discovery -mitre_technique: -- T1087.002 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-LocalAdminAccess-xml - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-DomainOU-xml - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-ForestDomain-xml - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-interestingACL-xml - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml b/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml index fc44b0644..ce8352468 100644 --- a/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml +++ b/datasets/attack_techniques/T1087.002/adsi_discovery/adsi_discovery.yml @@ -3,9 +3,19 @@ id: acd06afa-c6d6-11ec-9d0f-acde48001122 date: '2022-04-28' description: Generated datasets for adsi discovery in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: adsi_discovery +mitre_technique: +- T1087.002 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml1 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml b/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml deleted file mode 100644 index d7a49c0d7..000000000 --- a/datasets/attack_techniques/T1087.002/adsi_discovery/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 01a26885-f465-4b6f-81fa-e1d37b095361 -date: '2025-08-12' -description: Automatically categorized datasets in directory adsi_discovery -environment: attack_range -directory: adsi_discovery -mitre_technique: -- T1087.002 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-xml1 - path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml1.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-xml2 - path: /datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml b/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml index 72d7d666c..1aa9f6897 100644 --- a/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml +++ b/datasets/attack_techniques/T1087.002/blackmatter_schcache/blackmatter_schcache.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: 3392c05e-dc43-4688-b695-d8265af0d6e8 date: '2021-09-07' -description: blackmailer ransomware accessing schcache due to creation of adsi object for its ldap query. +description: blackmailer ransomware accessing schcache due to creation of adsi object + for its ldap query. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: blackmatter_schcache +mitre_technique: +- T1087.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml b/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml deleted file mode 100644 index 7be649bd2..000000000 --- a/datasets/attack_techniques/T1087.002/blackmatter_schcache/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 04eeec5b-b22e-4d08-9a4f-14e374d38c73 -date: '2025-08-12' -description: Automatically categorized datasets in directory blackmatter_schcache -environment: attack_range -directory: blackmatter_schcache -mitre_technique: -- T1087.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml index f09a2c08f..dd6afba23 100644 --- a/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml +++ b/datasets/attack_techniques/T1087.004/azurehound/azurehound.yml @@ -2,10 +2,12 @@ author: Dean Luxton id: 14a1f8ea-e34a-449d-9081-0f16341e83c9 date: '2025-01-07' description: Detonating AzureHound against Frothly -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log -sourcetypes: -- azure:monitor:aad -references: -- https://github.com/SpecterOps/AzureHound \ No newline at end of file +environment: attack_range +directory: azurehound +mitre_technique: +- T1087.004 +datasets: +- name: azurehound + path: /datasets/attack_techniques/T1087.004/azurehound/azurehound.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1087.004/azurehound/data.yml b/datasets/attack_techniques/T1087.004/azurehound/data.yml deleted file mode 100644 index 061c423f1..000000000 --- a/datasets/attack_techniques/T1087.004/azurehound/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dcc3c2e1-d08c-4472-9800-1b78f1751533 -date: '2025-08-12' -description: Automatically categorized datasets in directory azurehound -environment: attack_range -directory: azurehound -mitre_technique: -- T1087.004 -datasets: -- name: azurehound - path: /datasets/attack_techniques/T1087.004/azurehound/azurehound.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml b/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml deleted file mode 100644 index 931460447..000000000 --- a/datasets/attack_techniques/T1087.004/okta_unauth_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4e648a9d-119b-4235-8758-f4d2ffc5d2f3 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_unauth_access -environment: attack_range -directory: okta_unauth_access -mitre_technique: -- T1087.004 -datasets: -- name: okta_unauth_access - path: /datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml b/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml index 4723d83c3..aaba304bc 100644 --- a/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml +++ b/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.yml @@ -1,11 +1,14 @@ author: Bhavin Patel id: cc922114-efc9-11eb-926b-550bf0943f55 date: '2024-03-07' -description: This dataset is synthetically generated using by simulating events in a lab -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log -sourcetypes: -- OktaIM2:log -references: -- https: //attack.mitre.org/techniques/T1087.004 \ No newline at end of file +description: This dataset is synthetically generated using by simulating events in + a lab +environment: attack_range +directory: okta_unauth_access +mitre_technique: +- T1087.004 +datasets: +- name: okta_unauth_access + path: /datasets/attack_techniques/T1087.004/okta_unauth_access/okta_unauth_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml b/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml deleted file mode 100644 index c93740463..000000000 --- a/datasets/attack_techniques/T1090.001/netsh_portproxy/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bfa5963c-e21b-452d-be1d-55862c1a1220 -date: '2025-08-12' -description: Automatically categorized datasets in directory netsh_portproxy -environment: attack_range -directory: netsh_portproxy -mitre_technique: -- T1090.001 -datasets: -- name: volt_sysmon - path: /datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml b/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml index 9d0401ed9..62f2610c2 100644 --- a/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml +++ b/datasets/attack_techniques/T1090.001/netsh_portproxy/netsh_portproxy.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 7bf3cd9f-08b8-45f4-93f4-0713375fb1e0 date: '2023-05-25' description: Generated datasets for netsh portproxy in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ +environment: attack_range +directory: netsh_portproxy +mitre_technique: +- T1090.001 +datasets: +- name: volt_sysmon + path: /datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml index dd7302e13..1c5e85e4a 100644 --- a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml +++ b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 9a52b439-5e84-4378-9338-ab7771112346 date: '2022-08-18' -description: 'Manually added new client credentials (secret and certificate) for a Service Principal account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications -- https://hausec.com/2021/10/26/attacking-azure-azure-ad-part-ii/ +description: Manually added new client credentials (secret and certificate) for a + Service Principal account. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml b/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml deleted file mode 100644 index 4e197bab3..000000000 --- a/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cdc836ce-07d1-413e-a2b2-78b73c8b14ba -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_service_principal_credentials -environment: attack_range -directory: azure_ad_service_principal_credentials -mitre_technique: -- T1098.001 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml deleted file mode 100644 index 5bd818914..000000000 --- a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ac409ab3-6832-41f9-8230-61ce1804938b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_service_principal_credentials -environment: attack_range -directory: o365_service_principal_credentials -mitre_technique: -- T1098.001 -datasets: -- name: o365_service_principal_credentials - path: /datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml index 6d487df02..b3cd6632a 100644 --- a/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml +++ b/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 3a911821-f424-4698-9083-e1143a035e12 date: '2023-09-01' -description: 'Manually added new client credentials (secret and certificate) for a Service Principal account. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications \ No newline at end of file +description: Manually added new client credentials (secret and certificate) for a + Service Principal account. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_service_principal_credentials +mitre_technique: +- T1098.001 +datasets: +- name: o365_service_principal_credentials + path: /datasets/attack_techniques/T1098.001/o365_service_principal_credentials/o365_service_principal_credentials.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml deleted file mode 100644 index ee934c282..000000000 --- a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b9cee146-0964-4236-ac48-be5297625365 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_new_api_token_created -environment: attack_range -directory: okta_new_api_token_created -mitre_technique: -- T1098.001 -datasets: -- name: okta_new_api_token_created - path: /datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml index 212787b4f..4256d6c81 100644 --- a/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml +++ b/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 3d1583ce-a8bd-48e0-a098-f602c0ebdb28 date: '2024-03-06' -description: 'Manually created a new API token using the Okta portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1098/001/ \ No newline at end of file +description: Manually created a new API token using the Okta portal. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_new_api_token_created +mitre_technique: +- T1098.001 +datasets: +- name: okta_new_api_token_created + path: /datasets/attack_techniques/T1098.001/okta_new_api_token_created/okta_new_api_token_created.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml deleted file mode 100644 index f60aaa466..000000000 --- a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fe1a376a-7b9b-43da-91a4-a9741eb03593 -date: '2025-08-12' -description: Automatically categorized datasets in directory full_access_as_app_permission_assigned -environment: attack_range -directory: full_access_as_app_permission_assigned -mitre_technique: -- T1098.002 -datasets: -- name: full_access_as_app_permission_assigned - path: /datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml index 1cdd7f2fc..c7c89ffc9 100644 --- a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: 6cd62088-3b97-40d2-9469-769e09fbf085 date: '2024-01-29' -description: 'Manually assigned the full_access_as_app API permission to an application registration' -environment: Azure AD -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Manually assigned the full_access_as_app API permission to an application + registration +environment: attack_range +directory: full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml deleted file mode 100644 index bfd1b90db..000000000 --- a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 31594c7e-d10f-4be6-b912-6f69cb846b38 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_full_access_as_app_permission_assigned -environment: attack_range -directory: o365_full_access_as_app_permission_assigned -mitre_technique: -- T1098.002 -datasets: -- name: o365_full_access_as_app_permission_assigned - path: /datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml index d1e1c46e2..2cd9715f4 100644 --- a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml @@ -1,9 +1,13 @@ author: Mauricio Velazco id: 284e870f-82f4-4d60-8903-d84a52644407 date: '2024-01-29' -description: 'Manually assigned the full_access_as_app API permission to an application registration' -environment: Office 365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Manually assigned the full_access_as_app API permission to an application + registration +environment: attack_range +directory: o365_full_access_as_app_permission_assigned +mitre_technique: +- T1098.002 +datasets: +- name: o365_full_access_as_app_permission_assigned + path: /datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml deleted file mode 100644 index 6588bb130..000000000 --- a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 85028914-f48b-4ede-a8f6-2f14a8214b2c -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_mailbox_folder_read_granted -environment: attack_range -directory: o365_mailbox_folder_read_granted -mitre_technique: -- T1098.002 -datasets: -- name: o365_mailbox_folder_read_granted - path: /datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml index 70225b20a..ef3cecd9e 100644 --- a/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml +++ b/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: d3b30181-a1d8-48e7-b695-bac28c10acd1 date: '2024-03-28' -description: 'Added mailbox permissions programatically using msInvader' -environment: Office 365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/002/ -- https://github.com/mvelazc0/msInvader \ No newline at end of file +description: Added mailbox permissions programatically using msInvader +environment: attack_range +directory: o365_mailbox_folder_read_granted +mitre_technique: +- T1098.002 +datasets: +- name: o365_mailbox_folder_read_granted + path: /datasets/attack_techniques/T1098.002/o365_mailbox_folder_read_granted/o365_mailbox_folder_read_granted.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml index f64968871..eb5f98225 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 3ee40ccb-0098-4738-88e7-76cfcc9026be date: '2023-09-14' -description: 'Manually added granted admin consent to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal \ No newline at end of file +description: Manually added granted admin consent to an application registration. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml deleted file mode 100644 index c2920e7ac..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_admin_consent/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 90840699-5421-4169-aea0-b524a2166cb3 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_admin_consent -environment: attack_range -directory: azure_ad_admin_consent -mitre_technique: -- T1098.003 -datasets: -- name: azure_ad_admin_consent - path: /datasets/attack_techniques/T1098.003/azure_ad_admin_consent/azure_ad_admin_consent.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml index 3ee99d4d4..c477a66c8 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure_ad_assign_global_administrator.yml @@ -1,12 +1,13 @@ author: Gowthamaraj Rajendran id: 2e0f8b91-0a1a-4617-9936-172815b5b4b5 date: '2022-08-17' -description: Manually assigned Global Administrator role to a user. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://attack.mitre.org/techniques/T1098/003/ +description: Manually assigned Global Administrator role to a user. +environment: attack_range +directory: azure_ad_assign_global_administrator +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml deleted file mode 100644 index 765aee6d5..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 38bd0ab1-7b94-41df-ac7d-2b30da315293 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_assign_global_administrator -environment: attack_range -directory: azure_ad_assign_global_administrator -mitre_technique: -- T1098.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml index 5c76e9c87..aaa98ce02 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure_ad_assign_privileged_role.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 73315548-b201-42c2-a6e6-4333bb940287 date: '2022-08-29' -description: Manually assigned privileged Azure AD roles to a user. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://attack.mitre.org/techniques/T1098/003/ +description: Manually assigned privileged Azure AD roles to a user. +environment: attack_range +directory: azure_ad_assign_privileged_role +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml deleted file mode 100644 index d5e164368..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f119a707-829b-4926-aaa8-5c37e8f63228 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_assign_privileged_role -environment: attack_range -directory: azure_ad_assign_privileged_role -mitre_technique: -- T1098.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml index 7be4a99d6..770ded3e7 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: 4e6ff64a-ab31-4935-a0a0-cdac3ca1a191 date: '2024-02-09' -description: 'Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass the admin consent process' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/003/ +description: Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass + the admin consent process +environment: attack_range +directory: azure_ad_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml deleted file mode 100644 index 63fb5af70..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9aad84d9-3152-40e5-a341-b429905c4025 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_bypass_admin_consent -environment: attack_range -directory: azure_ad_bypass_admin_consent -mitre_technique: -- T1098.003 -datasets: -- name: azure_ad_bypass_admin_consent - path: /datasets/attack_techniques/T1098.003/azure_ad_bypass_admin_consent/azure_ad_bypass_admin_consent.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml index 7195fa812..e853ce073 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure_ad_pim_role_activated.yml @@ -2,11 +2,12 @@ author: Mauricio Velazco id: b6b3a10d-c90b-4b2c-9c6b-e200d16f266f date: '2023-04-26' description: Manually assigned and activated an Azure AD PIM role -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure -- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role +environment: attack_range +directory: azure_ad_pim_role_activated +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml deleted file mode 100644 index 145c662ce..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 255a6192-05f1-4b0f-9c09-038bd224ad11 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_pim_role_activated -environment: attack_range -directory: azure_ad_pim_role_activated -mitre_technique: -- T1098.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098.003/azure_ad_pim_role_activated/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml index 35f17c797..1aeb35283 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: acdd083c-0ba8-4f5a-ba89-2e6855fb515d date: '2023-01-30' -description: Manually assigned a high privileged Graph API permission to an application registration. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log -sourcetypes: -- azure_monitor_aad -references: -- https://cloudbrothers.info/en/azure-attack-paths/ -- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json -- https://learn.microsoft.com/en-us/graph/permissions-reference -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 +description: Manually assigned a high privileged Graph API permission to an application + registration. +environment: attack_range +directory: azure_ad_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml deleted file mode 100644 index 7ff537ba1..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f65bc8d8-fde7-4b50-b4ef-0650a2b06afc -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_privileged_graph_perm_assigned -environment: attack_range -directory: azure_ad_privileged_graph_perm_assigned -mitre_technique: -- T1098.003 -datasets: -- name: azure_ad_privileged_graph_perm_assigned - path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_graph_perm_assigned/azure_ad_privileged_graph_perm_assigned.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml index 1c258abc7..b2f30c4d3 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure_ad_privileged_role_serviceprincipal.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: d24bfc98-78d4-4610-ab73-a377c968bb4a date: '2023-04-28' description: Manually assigned privileged Azure AD roles to a service principal -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.truesec.com/hub/blog/using-a-legitimate-application-to-create-persistence-and-initiate-email-campaigns -- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 -- https://attack.mitre.org/techniques/T1098/003/ +environment: attack_range +directory: azure_ad_privileged_role_serviceprincipal +mitre_technique: +- T1098.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml deleted file mode 100644 index c8466e04d..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 72f9d1a8-f242-466f-a1a8-3cb072c51303 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_privileged_role_serviceprincipal -environment: attack_range -directory: azure_ad_privileged_role_serviceprincipal -mitre_technique: -- T1098.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098.003/azure_ad_privileged_role_serviceprincipal/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml index b2cb9022f..b8c946371 100644 --- a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml +++ b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.yml @@ -1,13 +1,13 @@ author: Dean Luxton id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b date: '2025-01-07' -description: Performing SPN Priviliege escalation. -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log -sourcetypes: -- azure:monitor:aad -references: -- https://github.com/mvelazc0/BadZure -- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html -- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc +description: Performing SPN Priviliege escalation. +environment: attack_range +directory: azure_ad_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: azure_ad_spn_privesc + path: /datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml b/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml deleted file mode 100644 index df6b871cf..000000000 --- a/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 91f05378-20bf-417e-a05a-f55187d8dfc5 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_spn_privesc -environment: attack_range -directory: azure_ad_spn_privesc -mitre_technique: -- T1098.003 -datasets: -- name: azure_ad_spn_privesc - path: /datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml deleted file mode 100644 index 72c702995..000000000 --- a/datasets/attack_techniques/T1098.003/o365_admin_consent/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e4964ec0-2d01-43d8-a8c1-1dd0452d2b65 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_admin_consent -environment: attack_range -directory: o365_admin_consent -mitre_technique: -- T1098.003 -datasets: -- name: o365_admin_consent - path: /datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml b/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml index ac0010ac7..b3e24f48f 100644 --- a/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 324610ab-47d5-4428-95cb-1a4fabe7fe7b date: '2023-09-05' -description: 'Manually added granted admin consent to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-app-consent -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal \ No newline at end of file +description: Manually added granted admin consent to an application registration. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: o365_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_admin_consent/o365_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml deleted file mode 100644 index 675f3ac10..000000000 --- a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b8ad3e83-ee25-4de9-9411-7f6370deaab0 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_bypass_admin_consent -environment: attack_range -directory: o365_bypass_admin_consent -mitre_technique: -- T1098.003 -datasets: -- name: o365_bypass_admin_consent - path: /datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml index a1363add5..c7cbbde94 100644 --- a/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml +++ b/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco id: dc543b87-f169-4f05-8818-926b1eab8cf3 date: '2023-02-09' -description: 'Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass the admin consent process' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ +description: Used the New-MgServicePrincipalAppRoleAssignedTo commandlet to bypass + the admin consent process +environment: attack_range +directory: o365_bypass_admin_consent +mitre_technique: +- T1098.003 +datasets: +- name: o365_bypass_admin_consent + path: /datasets/attack_techniques/T1098.003/o365_bypass_admin_consent/o365_bypass_admin_consent.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml deleted file mode 100644 index eb0ce01d2..000000000 --- a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7ba3e58b-6323-4c88-b74f-31e453964934 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_grant_mail_read -environment: attack_range -directory: o365_grant_mail_read -mitre_technique: -- T1098.003 -datasets: -- name: o365_grant_mail_read - path: /datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml index f9c5377b2..fb753d9b6 100644 --- a/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml +++ b/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 21ced607-7805-4725-943e-ea593097dd74 date: '2023-09-04' -description: 'Manually added new the Mail.Read Graph API permissions to an application registration. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/001/ -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2/ -- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md#add-credentials-to-all-enterprise-applications \ No newline at end of file +description: Manually added new the Mail.Read Graph API permissions to an application + registration. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: o365_grant_mail_read +mitre_technique: +- T1098.003 +datasets: +- name: o365_grant_mail_read + path: /datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml deleted file mode 100644 index eb08b42c3..000000000 --- a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7ee5fda7-a5bf-4313-a2f5-6058136b0359 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_high_priv_role_assigned -environment: attack_range -directory: o365_high_priv_role_assigned -mitre_technique: -- T1098.003 -datasets: -- name: o365_high_priv_role_assigned - path: /datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml index cf33eebf4..555ee6975 100644 --- a/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml +++ b/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 10c9c0de-2051-468e-8c86-6a5fc6678e94 date: '2023-10-20' -description: 'Manually added granted high privilege roles to a user in an Office 365 tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/003/ -- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference -- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide -- https://learn.microsoft.com/en-us/sharepoint/sharepoint-admin-role \ No newline at end of file +description: Manually added granted high privilege roles to a user in an Office 365 + tenant. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_high_priv_role_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_high_priv_role_assigned + path: /datasets/attack_techniques/T1098.003/o365_high_priv_role_assigned/o365_high_priv_role_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml deleted file mode 100644 index 8e0fc7cbe..000000000 --- a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1331f17b-925a-4923-98fe-31c68de596fd -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_privileged_graph_perm_assigned -environment: attack_range -directory: o365_privileged_graph_perm_assigned -mitre_technique: -- T1098.003 -datasets: -- name: o365_privileged_graph_perm_assigned - path: /datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml index 2a25acf6b..1592c2c00 100644 --- a/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml +++ b/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 33369d17-7deb-47df-93f1-f458afdd3838 date: '2024-01-30' -description: Manually assigned a high privileged Graph API permission to an application registration. -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log -sourcetypes: -- o365:management:activity -references: -- https://cloudbrothers.info/en/azure-attack-paths/ -- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.json -- https://learn.microsoft.com/en-us/graph/permissions-reference -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48 +description: Manually assigned a high privileged Graph API permission to an application + registration. +environment: attack_range +directory: o365_privileged_graph_perm_assigned +mitre_technique: +- T1098.003 +datasets: +- name: o365_privileged_graph_perm_assigned + path: /datasets/attack_techniques/T1098.003/o365_privileged_graph_perm_assigned/o365_privileged_graph_perm_assigned.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml b/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml deleted file mode 100644 index c02121c5e..000000000 --- a/datasets/attack_techniques/T1098.003/o365_spn_privesc/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4f58fbb6-4aa6-495c-80d7-ca32a49ebfce -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_spn_privesc -environment: attack_range -directory: o365_spn_privesc -mitre_technique: -- T1098.003 -datasets: -- name: o365_spn_privesc - path: /datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml index 0026242bc..64e4c9ec0 100644 --- a/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml +++ b/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.yml @@ -1,13 +1,13 @@ author: Dean Luxton id: db4f6922-ab94-4c29-aa66-ccbfcf86ce7b date: '2025-01-07' -description: Performing SPN Priviliege escalation. -environment: Frothly Azure -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log -sourcetypes: -- o365:management:activity -references: -- https://github.com/mvelazc0/BadZure -- https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html -- https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc \ No newline at end of file +description: Performing SPN Priviliege escalation. +environment: attack_range +directory: o365_spn_privesc +mitre_technique: +- T1098.003 +datasets: +- name: o365_spn_privesc + path: /datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml deleted file mode 100644 index 4876c435d..000000000 --- a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2184524b-f780-4be7-a0cc-52521dc6da8e -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_nopasswd -environment: attack_range -directory: linux_auditd_nopasswd -mitre_technique: -- T1098.004 -datasets: -- name: linux_auditd_ssh_config - path: /datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml index a8f207309..dce50561a 100644 --- a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml +++ b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml @@ -3,9 +3,11 @@ id: ccf196f8-45d4-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd nopasswd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log -sourcetypes: -- 'auditd' -references: -- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ \ No newline at end of file +directory: linux_auditd_nopasswd +mitre_technique: +- T1098.004 +datasets: +- name: linux_auditd_ssh_config + path: /datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml deleted file mode 100644 index d18814c39..000000000 --- a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5ef748ad-bc2e-46fa-b195-e6ab16379a22 -date: '2025-08-12' -description: Automatically categorized datasets in directory ssh_authorized_keys -environment: attack_range -directory: ssh_authorized_keys -mitre_technique: -- T1098.004 -datasets: -- name: authkey_linux-sysmon - path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log - sourcetype: linux_secure - source: linux_secure -- name: sysmon_linux - path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml index f1e8ab429..387aad11a 100644 --- a/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml +++ b/datasets/attack_techniques/T1098.004/ssh_authorized_keys/ssh_authorized_keys.yml @@ -3,10 +3,15 @@ id: 6d3fda80-72dd-11ec-90de-acde48001122 date: '2022-01-11' description: Generated datasets for ssh authorized keys in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/ssh-penetration-testing-port-22/ \ No newline at end of file +directory: ssh_authorized_keys +mitre_technique: +- T1098.004 +datasets: +- name: authkey_linux-sysmon + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/authkey_linux-sysmon.log + sourcetype: linux_secure + source: linux_secure +- name: sysmon_linux + path: /datasets/attack_techniques/T1098.004/ssh_authorized_keys/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml index 37fdbdca7..8ff2160ff 100644 --- a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml +++ b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 1080fb28-9a11-40c8-907d-70daf17415e4 date: '2023-10-31' -description: 'Added a new MFA method for a user within an Azure AD tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1098/005/ -- https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ \ No newline at end of file +description: Added a new MFA method for a user within an Azure AD tenant. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: azure_ad_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: azure_ad_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml b/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml deleted file mode 100644 index ec5d438bc..000000000 --- a/datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2f924cc7-390e-40f1-9fec-0e6878eb22e9 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_register_new_mfa_method -environment: attack_range -directory: azure_ad_register_new_mfa_method -mitre_technique: -- T1098.005 -datasets: -- name: azure_ad_register_new_mfa_method - path: /datasets/attack_techniques/T1098.005/azure_ad_register_new_mfa_method/azure_ad_register_new_mfa_method.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml deleted file mode 100644 index cde7a2cfe..000000000 --- a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e98e38f9-e030-4315-a05e-cee4b9ca5ce5 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_register_new_mfa_method -environment: attack_range -directory: o365_register_new_mfa_method -mitre_technique: -- T1098.005 -datasets: -- name: o365_register_new_mfa_method - path: /datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml index 997e55931..7d526b318 100644 --- a/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml +++ b/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: ad17ba95-859f-4faf-b1fa-1c331d83822f date: '2023-10-20' -description: 'Added a new MFA method for a user within an Office 365 tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/005/ -- https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ \ No newline at end of file +description: Added a new MFA method for a user within an Office 365 tenant. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: o365_register_new_mfa_method +mitre_technique: +- T1098.005 +datasets: +- name: o365_register_new_mfa_method + path: /datasets/attack_techniques/T1098.005/o365_register_new_mfa_method/o365_register_new_mfa_method.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml deleted file mode 100644 index aab7f698d..000000000 --- a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 64b4dc83-e63c-40f1-8fda-009333150b55 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_new_device_enrolled -environment: attack_range -directory: okta_new_device_enrolled -mitre_technique: -- T1098.005 -datasets: -- name: okta_new_device_enrolled - path: /datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml index 6bcf93119..a81fe8c60 100644 --- a/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml +++ b/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: e8b09d11-6659-4bf9-85a5-4f804ddeeac0 date: '2024-03-08' -description: 'Enrolled a new device for a user within an Okta tenant. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1098/005/ \ No newline at end of file +description: Enrolled a new device for a user within an Okta tenant. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_new_device_enrolled +mitre_technique: +- T1098.005 +datasets: +- name: okta_new_device_enrolled + path: /datasets/attack_techniques/T1098.005/okta_new_device_enrolled/okta_new_device_enrolled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml b/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml index 1c4d9a2a9..6787c3314 100644 --- a/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml +++ b/datasets/attack_techniques/T1098/account_manipulation/account_manipulation.yml @@ -2,18 +2,12 @@ author: Stanislav Miskovic id: cc9b25ec-efc9-11eb-926b-550bf0943fbb date: '2021-02-23' description: Account manipulation with likely malicious intent or tools. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllDSInternalsModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllMimikatzModules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/logAllPowerSploitModulesWithOldNames.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_delete_policy/aws_iam_delete_policy.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_failure_group_deletion/aws_iam_failure_group_deletion.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/aws_iam_successful_group_deletion/aws_iam_successful_group_deletion.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log -sourcetypes: -- WinEventLog:Security -- aws:cloudtrail -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1098/ +environment: attack_range +directory: account_manipulation +mitre_technique: +- T1098 +datasets: +- name: xml-windows-security + path: /datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/account_manipulation/data.yml b/datasets/attack_techniques/T1098/account_manipulation/data.yml deleted file mode 100644 index decdbeeee..000000000 --- a/datasets/attack_techniques/T1098/account_manipulation/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f40b46f3-ec02-4359-ac27-af12626a5ec1 -date: '2025-08-12' -description: Automatically categorized datasets in directory account_manipulation -environment: attack_range -directory: account_manipulation -mitre_technique: -- T1098 -datasets: -- name: xml-windows-security - path: /datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml index d7b58a65f..c306b8a19 100644 --- a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml +++ b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure_ad_add_serviceprincipal_owner.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 629949e6-2905-4f9e-93da-7165df77f3ba date: '2022-08-30' -description: 'Manually added a new owner to a service principal using the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/ +description: Manually added a new owner to a service principal using the Azure portal. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azure_ad_add_serviceprincipal_owner +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml b/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml deleted file mode 100644 index 75d999631..000000000 --- a/datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e2e7aa02-bd94-47bc-8650-c725d677eae0 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_add_serviceprincipal_owner -environment: attack_range -directory: azure_ad_add_serviceprincipal_owner -mitre_technique: -- T1098 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098/azure_ad_add_serviceprincipal_owner/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml index a2c603b9c..316910963 100644 --- a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml +++ b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure_ad_enable_and_reset.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 27d4f73d-6036-44f1-ad6d-a00a142ea33e date: '2022-08-30' -description: 'Manually enabled a previously disabled account and changed its password within 2 minutes using the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1098/ +description: Manually enabled a previously disabled account and changed its password + within 2 minutes using the Azure portal. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_enable_and_reset +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml b/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml deleted file mode 100644 index 11ac77a00..000000000 --- a/datasets/attack_techniques/T1098/azure_ad_enable_and_reset/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c13f9141-9055-44c3-82c1-26007b96808d -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_enable_and_reset -environment: attack_range -directory: azure_ad_enable_and_reset -mitre_technique: -- T1098 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098/azure_ad_enable_and_reset/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml index 1220a6e1a..2c932fdb9 100644 --- a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml +++ b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure_ad_set_immutableid.yml @@ -1,17 +1,15 @@ author: Mauricio Velazco id: 5edadd1e-f507-4924-8622-6c85eeea3990 date: '2022-09-02' -description: 'Manually updated the ImmutableId atribute using the Set-MsolUser PowerShell commandlet. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://o365blog.com/post/federation-vulnerability/ -- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html -- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors -- https://github.com/Gerenios/AADInternals -- https://attack.mitre.org/techniques/T1098/ +description: Manually updated the ImmutableId atribute using the Set-MsolUser PowerShell + commandlet. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_set_immutableid +mitre_technique: +- T1098 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml b/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml deleted file mode 100644 index e6ac7f0a2..000000000 --- a/datasets/attack_techniques/T1098/azure_ad_set_immutableid/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 144042cb-af0b-48c0-9177-3980ad207998 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_set_immutableid -environment: attack_range -directory: azure_ad_set_immutableid -mitre_technique: -- T1098 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1098/azure_ad_set_immutableid/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml b/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml deleted file mode 100644 index f90523831..000000000 --- a/datasets/attack_techniques/T1098/dnsadmins_member_added/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f294d056-6000-4480-8f4e-a4af011ff925 -date: '2025-08-12' -description: Automatically categorized datasets in directory dnsadmins_member_added -environment: attack_range -directory: dnsadmins_member_added -mitre_technique: -- T1098 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml b/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml index 041522e64..5b339b76d 100644 --- a/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml +++ b/datasets/attack_techniques/T1098/dnsadmins_member_added/dnsadmins_member_added.yml @@ -3,11 +3,11 @@ id: 164be50d-ff1c-482d-902a-cb65bf27ef93 date: '2022-04-06' description: Added a new user to the DnsAdmins active directory group. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ -- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise -- https://www.hackingarticles.in/windows-privilege-escalation-dnsadmins-to-domainadmin/ +directory: dnsadmins_member_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/dnsadmins_member_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System diff --git a/datasets/attack_techniques/T1098/dsrm_account/data.yml b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml similarity index 54% rename from datasets/attack_techniques/T1098/dsrm_account/data.yml rename to datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml index 6245451f3..48a2363f1 100644 --- a/datasets/attack_techniques/T1098/dsrm_account/data.yml +++ b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account.yml @@ -1,7 +1,10 @@ -author: Generated by dataset_analyzer.py -id: b7046be5-9b64-42a1-94cd-1a31d6fcf096 -date: '2025-08-12' -description: Automatically categorized datasets in directory dsrm_account +author: Dean Luxton +id: c34cf284-c478-4a27-8c98-f4a76b76b2fb +date: '2022-07-21' +description: Firstly resetting the DSRM account password using ntdsutil (captured + via the DSRM password reset event code 4795), second event was altering the functionality + of the DSRM account to enable it to become a backdoor account (reg.exe modifying + the DSRMAdminLogonBehavior value) environment: attack_range directory: dsrm_account mitre_technique: diff --git a/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml b/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml deleted file mode 100644 index 591266e4b..000000000 --- a/datasets/attack_techniques/T1098/dsrm_account/dsrm_account_manipulation.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: c34cf284-c478-4a27-8c98-f4a76b76b2fb -date: '2022-07-21' -description: Firstly resetting the DSRM account password using ntdsutil (captured via the DSRM password reset event code 4795), second event was altering the functionality of the DSRM account to enable it to become a backdoor account (reg.exe modifying the DSRMAdminLogonBehavior value) -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/dsrm_account/windows-sysmon.log -sourcetypes: -- WinEventLog -- XmlWinEventLog -- xmlwineventlog -references: -- https://adsecurity.org/?p=1714 -- https://attack.mitre.org/techniques/T1098/ diff --git a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml deleted file mode 100644 index 03da0c7de..000000000 --- a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3939ff82-aba6-4d3f-9ea0-f5c4e693bd2e -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_add_app_registration_owner -environment: attack_range -directory: o365_add_app_registration_owner -mitre_technique: -- T1098 -datasets: -- name: o365_add_app_registration_owner - path: /datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml index 3c303ffd4..3336fe006 100644 --- a/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml +++ b/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 0f9f0b2e-87d4-4a04-8cd0-9e2c6effcf65 date: '2023-09-06' -description: 'Manually added a new owner to an application registration on the Azure portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/overview-assign-app-owners +description: Manually added a new owner to an application registration on the Azure + portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_add_app_registration_owner +mitre_technique: +- T1098 +datasets: +- name: o365_add_app_registration_owner + path: /datasets/attack_techniques/T1098/o365_add_app_registration_owner/o365_add_app_registration_owner.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml deleted file mode 100644 index 211dab92b..000000000 --- a/datasets/attack_techniques/T1098/o365_azure_workload_events/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 09fcddde-2acd-4b6e-9f95-033864ee040b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_azure_workload_events -environment: attack_range -directory: o365_azure_workload_events -mitre_technique: -- T1098 -datasets: -- name: o365_azure_workload_events - path: /datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml index 07427af1e..0ac2e48b1 100644 --- a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml +++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml @@ -1,25 +1,15 @@ -author: Steven Dick -id: a44c84cb-231b-4657-8386-0f5d4b8f183e -date: '2024-4-13' -description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1098 -- https://attack.mitre.org/techniques/T1484/002/ -- https://attack.mitre.org/techniques/T1136/003/ -- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference -- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide -- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal -- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 -- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html -- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/ -- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/ -- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf -- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 -- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/ -- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration -- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 \ No newline at end of file +author: Steven Dick +id: a44c84cb-231b-4657-8386-0f5d4b8f183e +date: 2024-4-13 +description: Various Office 365 events sourced from the Universal Access Log, meant + to duplicate other Azure detections without relying on using Azure event hubs in + the MS Cloud Services add-on. +environment: attack_range +directory: o365_azure_workload_events +mitre_technique: +- T1098 +datasets: +- name: o365_azure_workload_events + path: /datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1098/service_principal_name_added/data.yml b/datasets/attack_techniques/T1098/service_principal_name_added/data.yml deleted file mode 100644 index b3711b78a..000000000 --- a/datasets/attack_techniques/T1098/service_principal_name_added/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 423bc30c-b2ea-4ba4-a2bc-4e1de67b3118 -date: '2025-08-12' -description: Automatically categorized datasets in directory service_principal_name_added -environment: attack_range -directory: service_principal_name_added -mitre_technique: -- T1098 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml b/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml index 39e27597b..9c6bfb5ff 100644 --- a/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml +++ b/datasets/attack_techniques/T1098/service_principal_name_added/service_principal_name_added.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 6a89cdab-e808-47b9-a1c3-0c890cf6d80b date: '2022-11-17' -description: Manually adding a Service Principal Name for a domain admin account account using setspn.exe +description: Manually adding a Service Principal Name for a domain admin account account + using setspn.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=3466 -- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting +directory: service_principal_name_added +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/service_principal_name_added/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml b/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml deleted file mode 100644 index 1a6111ae1..000000000 --- a/datasets/attack_techniques/T1098/short_lived_service_principal_name/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0e1542b8-405c-44b7-b7b2-11ca135c22bd -date: '2025-08-12' -description: Automatically categorized datasets in directory short_lived_service_principal_name -environment: attack_range -directory: short_lived_service_principal_name -mitre_technique: -- T1098 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml b/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml index 27c335950..728382fa3 100644 --- a/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml +++ b/datasets/attack_techniques/T1098/short_lived_service_principal_name/short_lived_service_principal_name.yml @@ -1,12 +1,14 @@ author: Mauricio Velazco id: 6d48ceda-9d92-42b7-b612-253032070b8b date: '2022-11-18' -description: Manually adding and then deleting a Service Principal Name for a domain admin account account using setspn.exe +description: Manually adding and then deleting a Service Principal Name for a domain + admin account account using setspn.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=3466 -- https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting +directory: short_lived_service_principal_name +mitre_technique: +- T1098 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml deleted file mode 100644 index d7edd6f42..000000000 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 61efd61f-650e-4ad4-aead-e3ff4f47c972 -date: '2025-08-12' -description: Automatically categorized datasets in directory windows_multiple_accounts_deleted -environment: attack_range -directory: windows_multiple_accounts_deleted -mitre_technique: -- T1098 -datasets: -- name: windows_multiple_accounts_deleted - path: /datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml index 96b9d308f..d56314f6b 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.yml @@ -3,9 +3,11 @@ id: b4a3cd3d-c91a-4883-81b4-8b3d9b72d557 date: '2024-02-21' description: Deleted multiple users using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_accounts_deleted +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_deleted + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml deleted file mode 100644 index 9ba8755ef..000000000 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a819b24c-eab4-4b15-9218-d30d75ddfc9f -date: '2025-08-12' -description: Automatically categorized datasets in directory windows_multiple_accounts_disabled -environment: attack_range -directory: windows_multiple_accounts_disabled -mitre_technique: -- T1098 -datasets: -- name: windows_multiple_accounts_disabled - path: /datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml index 7bf20e209..128284648 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.yml @@ -3,9 +3,11 @@ id: f206d1da-d4f1-4e2c-ab5f-41d8f96aa388 date: '2024-02-21' description: Disabled multiple users using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_accounts_disabled +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_accounts_disabled + path: /datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml deleted file mode 100644 index fb0759ffd..000000000 --- a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d7fa018f-9e94-4704-afab-3c79877d0526 -date: '2025-08-12' -description: Automatically categorized datasets in directory windows_multiple_passwords_changed -environment: attack_range -directory: windows_multiple_passwords_changed -mitre_technique: -- T1098 -datasets: -- name: windows_multiple_passwords_changed - path: /datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml index 3c047f9a7..a29691fa4 100644 --- a/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml +++ b/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.yml @@ -3,9 +3,11 @@ id: 383918f9-182a-4355-9f4f-edec858dfcad date: '2024-02-21' description: Updated multiple accounts passwords using a PowerShell script. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1098/ \ No newline at end of file +directory: windows_multiple_passwords_changed +mitre_technique: +- T1098 +datasets: +- name: windows_multiple_passwords_changed + path: /datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml index 73a662f96..b33f98809 100644 --- a/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1105/atomic_red_team/atomic_red_team.yml @@ -4,21 +4,23 @@ date: '2021-03-25' description: Successful execution of Atomic Red Team T1105 - Ingress Tool Transfer. Also included Invoke-CertUtil using different command switches. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/linux-sysmon_curlwget.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/curl-linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/winrar.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- sysmon_linux -- bit9:carbonblack:json -references: -- https://attack.mitre.org/techniques/T1105 +directory: atomic_red_team +mitre_technique: +- T1105 +datasets: +- name: T1105_explorer-windows-security + path: /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon_curl_upload + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_curl + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1105/atomic_red_team/data.yml b/datasets/attack_techniques/T1105/atomic_red_team/data.yml deleted file mode 100644 index 84ce4bd35..000000000 --- a/datasets/attack_techniques/T1105/atomic_red_team/data.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7512722f-e173-4806-a8e8-8ffa4c528dc5 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1105 -datasets: -- name: T1105_explorer-windows-security - path: /datasets/attack_techniques/T1105/atomic_red_team/T1105_explorer-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon_curl_upload - path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl_upload.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_curl - path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon_curl.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml b/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml index 00c5062fa..27ff5cced 100644 --- a/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml +++ b/datasets/attack_techniques/T1110.001/aws_login_failure/aws_login_failure.yml @@ -3,9 +3,11 @@ id: efa49be2-3149-4802-b2b1-67c11403cb29 date: '2022-08-08' description: Dataset which contains cloudtrail events with AWS login failure. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1110/001/ \ No newline at end of file +directory: aws_login_failure +mitre_technique: +- T1110.001 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml b/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml deleted file mode 100644 index 12531744c..000000000 --- a/datasets/attack_techniques/T1110.001/aws_login_failure/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 12cfe9c9-5539-4ebc-8fb8-ca7b4bdf00f9 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_login_failure -environment: attack_range -directory: aws_login_failure -mitre_technique: -- T1110.001 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml index 36fac61cf..777088ffe 100644 --- a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azure_ad_high_number_of_failed_authentications_for_user.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 65340060-37c2-40fb-a969-45596e7c5e8b date: '2023-01-23' -description: 'Used Invoke-MSOLSpray to perform a brute force attack attack against a unique Azure AD account with 25 passwords. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/dafthack/MSOLSpray +description: Used Invoke-MSOLSpray to perform a brute force attack attack against + a unique Azure AD account with 25 passwords. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_high_number_of_failed_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml b/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml deleted file mode 100644 index 1ed01be1b..000000000 --- a/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9cb9637d-6e94-4f91-824c-efb287e596a6 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_high_number_of_failed_authentications_for_user -environment: attack_range -directory: azure_ad_high_number_of_failed_authentications_for_user -mitre_technique: -- T1110.001 -datasets: -- name: azuread - path: /datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml index 937d3e249..2a367a917 100644 --- a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml +++ b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azure_ad_successful_authentication_from_different_ips.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 5f673895-0a89-4c21-bd0a-54d28fb4b948 date: '2023-01-24' -description: 'Used a browser to authenticate to the same Azure AD account from two different Ips. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://attack.mitre.org/techniques/T1110/003/ +description: Used a browser to authenticate to the same Azure AD account from two + different Ips. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_successful_authentication_from_different_ips +mitre_technique: +- T1110.001 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml b/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml deleted file mode 100644 index 94ea1ef24..000000000 --- a/datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a977f115-aa3b-4e65-bb69-8aea123fcb01 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_successful_authentication_from_different_ips -environment: attack_range -directory: azure_ad_successful_authentication_from_different_ips -mitre_technique: -- T1110.001 -datasets: -- name: azuread - path: /datasets/attack_techniques/T1110.001/azure_ad_successful_authentication_from_different_ips/azuread.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml deleted file mode 100644 index 6fc08c4ef..000000000 --- a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b4c1f9bf-2a3e-43ff-ba45-6bf1f0b194a5 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_high_number_authentications_for_user -environment: attack_range -directory: o365_high_number_authentications_for_user -mitre_technique: -- T1110.001 -datasets: -- name: o365_high_number_authentications_for_user - path: /datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml index 9770ea9f2..6e2a1540c 100644 --- a/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml +++ b/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 096d5c2a-e867-48a5-b78e-2c6587b397ab date: '2023-10-10' -description: 'Used o365spray to perform a brute force attack attack against a unique O365 account with 25 passwords. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/0xZDH/o365spray +description: Used o365spray to perform a brute force attack attack against a unique + O365 account with 25 passwords. Tenant specific details have been replaced in the + dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_high_number_authentications_for_user +mitre_technique: +- T1110.001 +datasets: +- name: o365_high_number_authentications_for_user + path: /datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml deleted file mode 100644 index f4d31cf6d..000000000 --- a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d417fa07-8088-4df8-ac0d-0646dbe2f844 -date: '2025-08-12' -description: Automatically categorized datasets in directory rdp_brute_sysmon -environment: attack_range -directory: rdp_brute_sysmon -mitre_technique: -- T1110.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml index e02401dec..2bd9e93c5 100644 --- a/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml +++ b/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/rdp_brute_sysmon.yml @@ -3,7 +3,11 @@ id: 22c3ece3-6513-4dbd-a8bb-3afd24eb354a date: '2025-01-10' description: data sets for rdp brute force attacks from attack range environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: rdp_brute_sysmon +mitre_technique: +- T1110.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml index a6fcae9e6..fd16fdd07 100644 --- a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml +++ b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_rds_password_reset.yml @@ -1,11 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: baa24d41-2a93-43c6-af77-ff9e97f75191 date: '2022-08-08' -description: Dataset which contains cloudtrail events with AWS RDS Database master password reset. +description: Dataset which contains cloudtrail events with AWS RDS Database master + password reset. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds/ \ No newline at end of file +directory: aws_rds_password_reset +mitre_technique: +- T1110.002 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml b/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml deleted file mode 100644 index 8f74dcdff..000000000 --- a/datasets/attack_techniques/T1110.002/aws_rds_password_reset/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: aefcc4f1-593a-4648-af6c-b93ffa89daa4 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_rds_password_reset -environment: attack_range -directory: aws_rds_password_reset -mitre_technique: -- T1110.002 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1110.002/aws_rds_password_reset/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml index 23ae40b01..ed58b0af9 100644 --- a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml +++ b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_mulitple_failed_console_login.yml @@ -1,12 +1,14 @@ author: Bhavin Patel id: cc9b2674-efc9-11eb-9211-110bf0943fbb date: '2022-09-26' -description: This dataset is generated from cloudtrail events in Attack range by manually simulating attacks -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1110/003/ - +description: This dataset is generated from cloudtrail events in Attack range by manually + simulating attacks +environment: attack_range +directory: aws_mulitple_failed_console_login +mitre_technique: +- T1110.003 +datasets: +- name: aws_cloudtrail-json + path: /datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml b/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml deleted file mode 100644 index 2bac2a02c..000000000 --- a/datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 319bb8f6-e8ba-4f6e-bad4-9b84d5199f0c -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_mulitple_failed_console_login -environment: attack_range -directory: aws_mulitple_failed_console_login -mitre_technique: -- T1110.003 -datasets: -- name: aws_cloudtrail-json - path: /datasets/attack_techniques/T1110.003/aws_mulitple_failed_console_login/aws_cloudtrail.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml index 30534c829..9bd5e6534 100644 --- a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml +++ b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.yml @@ -1,16 +1,13 @@ -author: Mauricio Velazco -id: d1277c1d-ab8c-4b44-aaec-f77525d8e6f9 -date: '2023-11-06' -description: 'Used Invoke-MSOLSpray and fireprox to perform a distributed password spraying attack against an Azure AD tenant using 30 users accounts. The environment was created with BadZure - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://github.com/ustayready/fireprox -- https://github.com/mvelazc0/BadZure \ No newline at end of file +author: Generated by dataset_analyzer.py +id: a5169e72-9b94-4ac9-91f6-e48f9ef786f2 +date: '2025-08-12' +description: Automatically categorized datasets in directory azure_ad_distributed_spray +environment: attack_range +directory: azure_ad_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: azure_ad_distributed_spray + path: /datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml b/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml deleted file mode 100644 index 9bd5e6534..000000000 --- a/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a5169e72-9b94-4ac9-91f6-e48f9ef786f2 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_distributed_spray -environment: attack_range -directory: azure_ad_distributed_spray -mitre_technique: -- T1110.003 -datasets: -- name: azure_ad_distributed_spray - path: /datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml b/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml index aaeff1e80..a818cb48d 100644 --- a/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml +++ b/datasets/attack_techniques/T1110.003/azuread_highrisk/azuread_highrisk.yml @@ -1,15 +1,16 @@ author: Mauricio Velazco id: a962463f-581b-4faf-a237-da45248b4fb7 date: '2022-07-11' -description: 'Used Invoke-MSOLSpray to perform a password spraying attack against an Azure AD tenant using 50 users accounts. One of the authentication atttemps is successful. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +description: Used Invoke-MSOLSpray to perform a password spraying attack against an + Azure AD tenant using 50 users accounts. One of the authentication atttemps is successful. + Tenant specific details have been replaced in the dataset including tenant id, user + names, ips, etc. +environment: attack_range +directory: azuread_highrisk +mitre_technique: +- T1110.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml b/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml deleted file mode 100644 index fbfd66aa8..000000000 --- a/datasets/attack_techniques/T1110.003/azuread_highrisk/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3853e2f2-b71e-4183-b3bf-0c6e15a0daca -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread_highrisk -environment: attack_range -directory: azuread_highrisk -mitre_technique: -- T1110.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1110.003/azuread_highrisk/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml deleted file mode 100644 index 5bc7f57f0..000000000 --- a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 83406381-62c2-46ea-b120-608baf73adcb -date: '2025-08-12' -description: Automatically categorized datasets in directory gcp_gws_multiple_login_failure -environment: attack_range -directory: gcp_gws_multiple_login_failure -mitre_technique: -- T1110.003 -datasets: -- name: gws_login-json - path: /datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json - sourcetype: gws:reports:login - source: gws:reports:login diff --git a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml index 318ae0533..92940101c 100644 --- a/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml +++ b/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gcp_gws_multiple_login_failure.yml @@ -2,13 +2,12 @@ author: Bhavin Patel id: a962263f-581b-411f-a237-da45248b4fb7 date: '2022-10-11' description: This is a synthetic dataset based on a real login failure event -environment: Google Workspace tenant configured to send data to Splunk. Data parsed by Splunk_TA_Google_Workspace 2.3.0 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection +environment: attack_range +directory: gcp_gws_multiple_login_failure +mitre_technique: +- T1110.003 +datasets: +- name: gws_login-json + path: /datasets/attack_techniques/T1110.003/gcp_gws_multiple_login_failure/gws_login.json + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml b/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml deleted file mode 100644 index 273a63932..000000000 --- a/datasets/attack_techniques/T1110.003/o365_distributed_spray/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 52bb39c1-f8ff-4b30-90fe-78f9994bd509 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_distributed_spray -environment: attack_range -directory: o365_distributed_spray -mitre_technique: -- T1110.003 -datasets: -- name: o365_distributed_spray - path: /datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml b/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml index 27b499695..fc2bd807b 100644 --- a/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml +++ b/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.yml @@ -1,16 +1,16 @@ author: Mauricio Velazco id: ce5ee9b2-8247-4744-99c3-fc943e3437d0 date: '2023-11-06' -description: 'Used o365 spray and fireprox to perform a distributed password spraying attack against an Offic3 365 tenant using 30 users accounts. The environment was created with BadZure. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distriyuted_spray.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/0xZDH/o365spray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -- https://github.com/mvelazc0/BadZure -- https://github.com/ustayready/fireprox \ No newline at end of file +description: Used o365 spray and fireprox to perform a distributed password spraying + attack against an Offic3 365 tenant using 30 users accounts. The environment was + created with BadZure. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_distributed_spray +mitre_technique: +- T1110.003 +datasets: +- name: o365_distributed_spray + path: /datasets/attack_techniques/T1110.003/o365_distributed_spray/o365_distributed_spray.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml deleted file mode 100644 index 8f9f9dffc..000000000 --- a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d4111065-141a-4948-8445-ee67d847f59c -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_multiple_users_from_ip -environment: attack_range -directory: o365_multiple_users_from_ip -mitre_technique: -- T1110.003 -datasets: -- name: o365_multiple_users_from_ip - path: /datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml index fc704f150..493c1f627 100644 --- a/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml +++ b/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: a15c0de3-afb5-4090-9205-72366c135f3c date: '2023-10-10' -description: 'Used o365 spray to perform a password spraying attack against an Office 365 tenant using 30 users accounts. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/0xZDH/o365spray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray +description: Used o365 spray to perform a password spraying attack against an Office + 365 tenant using 30 users accounts. Tenant specific details have been replaced in + the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: o365_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/o365_multiple_users_from_ip/o365_multiple_users_from_ip.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml deleted file mode 100644 index 71ef359d0..000000000 --- a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 00a4e3f4-f539-4d6a-be77-a0757050b392 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_multiple_users_from_ip -environment: attack_range -directory: okta_multiple_users_from_ip -mitre_technique: -- T1110.003 -datasets: -- name: okta_multiple_users_from_ip - path: /datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml index 5cb764d3f..5b6d00bc9 100644 --- a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml +++ b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 84f64eb3-722c-4fe7-857c-c8e15bb96ef1 date: '2022-02-29' -description: 'Used a tool to spray Okta users' -environment: Okta -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1110/003/ +description: Used a tool to spray Okta users +environment: attack_range +directory: okta_multiple_users_from_ip +mitre_technique: +- T1110.003 +datasets: +- name: okta_multiple_users_from_ip + path: /datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml b/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml deleted file mode 100644 index 9befdeef4..000000000 --- a/datasets/attack_techniques/T1110.003/password_spraying_azuread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5cad5aa0-d028-4cf1-9e5f-b576a1e1322b -date: '2025-08-12' -description: Automatically categorized datasets in directory password_spraying_azuread -environment: attack_range -directory: password_spraying_azuread -mitre_technique: -- T1110.003 -datasets: -- name: azuread_signin - path: /datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml b/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml index c74915b3c..9401ab453 100644 --- a/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml +++ b/datasets/attack_techniques/T1110.003/password_spraying_azuread/password_spraying_azuread.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: e73d690b-57d8-430f-be60-b64a0f1405cd date: '2023-06-16' -description: 'Used Invoke-MSOLSpray to perform a password spraying attack against an Azure AD tenant using 30 users accounts. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/dafthack/MSOLSpray -- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray +description: Used Invoke-MSOLSpray to perform a password spraying attack against an + Azure AD tenant using 30 users accounts. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: password_spraying_azuread +mitre_technique: +- T1110.003 +datasets: +- name: azuread_signin + path: /datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml deleted file mode 100644 index 043edb284..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 74af3586-6d65-440d-9251-a67f25f73284 -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_explicit_credential_spray_xml -environment: attack_range -directory: purplesharp_explicit_credential_spray_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml index bc4e503f7..2b25998bc 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco -id: +id: null date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Remote password spraying attack against one host using NTLM' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_explicit_credential_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml deleted file mode 100644 index 915c3d623..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 81cfe442-f75f-4e5b-9360-f7e68efb17d5 -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_invalid_users_kerberos_xml -environment: attack_range -directory: purplesharp_invalid_users_kerberos_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml index 21fdd0ece..7b55ef1ab 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/purplesharp_invalid_users_kerberos_xml.yml @@ -3,12 +3,12 @@ id: 8d6bfa7a-0a19-4beb-8f19-6e9e1ba56f5a date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 randomly generated usernames' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_invalid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml deleted file mode 100644 index c74ffed39..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8d7c3e0e-59a5-4475-9e66-2aadf86ab7bd -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_invalid_users_ntlm_xml -environment: attack_range -directory: purplesharp_invalid_users_ntlm_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml index b0215d31f..f170969c4 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/purplesharp_invalid_users_ntlm_xml.yml @@ -3,12 +3,12 @@ id: e44d2275-8b33-4244-9123-73e28eff4d77 date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: NTLM Password Spraying with randomly 50 generated usernames' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_invalid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml deleted file mode 100644 index 45ec8b72d..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 214af9a4-6d2f-4f32-b7c0-5ba391a5cfad -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_multiple_users_from_process_xml -environment: attack_range -directory: purplesharp_multiple_users_from_process_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml index 57de90ab2..174e7120a 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/purplesharp_multiple_users_from_process_xml.yml @@ -3,12 +3,12 @@ id: a9d28148-7cea-4b32-8ba9-71c1d2c80ccf date: '2022-09-09' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 random domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_multiple_users_from_process_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml deleted file mode 100644 index 6a2e8ea94..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5c866966-7003-412f-9481-6cebd5ba2dab -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_remote_spray_xml -environment: attack_range -directory: purplesharp_remote_spray_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml index b88af528c..18548d031 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/purplesharp_remote_spray_xml.yml @@ -3,12 +3,12 @@ id: 327c6937-a2e5-4f1e-99bf-0ad58652ae0b date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Remote password spraying attack against one host using NTLM' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access \ No newline at end of file +environment: attack_range +directory: purplesharp_remote_spray_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_remote_spray_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml deleted file mode 100644 index 3944678eb..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4e439e36-62cf-4546-91b5-deeb63c221b8 -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_valid_users_kerberos_xml -environment: attack_range -directory: purplesharp_valid_users_kerberos_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml index 4b8310323..33aacef81 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/purplesharp_valid_users_kerberos_xml.yml @@ -3,12 +3,12 @@ id: 5c8c641e-f287-457a-b291-12cfd34f9077 date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Kerberos Password Spraying with 50 randomly picked domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_valid_users_kerberos_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml deleted file mode 100644 index f5ae928c4..000000000 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ee420c8c-c34b-4ee1-b50b-ff5131a5e658 -date: '2025-08-12' -description: Automatically categorized datasets in directory purplesharp_valid_users_ntlm_xml -environment: attack_range -directory: purplesharp_valid_users_ntlm_xml -mitre_technique: -- T1110.003 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml index bf9f55eea..9b672cf9e 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/purplesharp_valid_users_ntlm_xml.yml @@ -3,12 +3,12 @@ id: 1dc8be3a-8648-4ff8-8858-a3f05384115e date: '2022-09-07' description: 'Automated generation of attack data using PurpleSharp: NTLM Password Spraying with 50 randomly picked domain users' -environment: attack_range + badblood -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110/003/ -- https://github.com/mvelazc0/PurpleSharp -- https://github.com/mvelazc0/PurpleAD/tree/main/Credential%20Access +environment: attack_range +directory: purplesharp_valid_users_ntlm_xml +mitre_technique: +- T1110.003 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm_xml/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml deleted file mode 100644 index 4c530e0f4..000000000 --- a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5a50589f-9dfa-4339-b66a-85fdcde2303e -date: '2025-08-12' -description: Automatically categorized datasets in directory local_administrator_cred_stuffing -environment: attack_range -directory: local_administrator_cred_stuffing -mitre_technique: -- T1110.004 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml index 2b33e22b6..77cb8b0b1 100644 --- a/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml +++ b/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/local_administrator_cred_stuffing.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: c5017f8c-178d-4c06-ad70-556a2c499448 date: '2023-03-22' -description: Manually executed Crackmapexec to spray several endpoints with one combination of username and password using the Administrator account. This dataset contains the failed authentication events for 50+ endpoints. +description: Manually executed Crackmapexec to spray several endpoints with one combination + of username and password using the Administrator account. This dataset contains + the failed authentication events for 50+ endpoints. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1110.004 -- https://wiki.porchetta.industries/smb-protocol/password-spraying \ No newline at end of file +directory: local_administrator_cred_stuffing +mitre_technique: +- T1110.004 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml index bbeddc30a..1ce0bd059 100644 --- a/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml +++ b/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.yml @@ -1,14 +1,13 @@ -author: Steven Dick -id: 27ba7e07-280e-4890-9b31-f2060d86f4c6 -date: '2024-12-19' -description: 'Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110 -- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/ -- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/ -- https://github.com/dafthack/MFASweep/tree/master +author: Steven Dick +id: 27ba7e07-280e-4890-9b31-f2060d86f4c6 +date: '2024-12-19' +description: Sample of MFA Sweep events used to enumerate Azure/Entra/o365 MFA weaknesses. +environment: attack_range +directory: azure_mfasweep_events +mitre_technique: +- T1110 +datasets: +- name: azure_mfasweep_events + path: /datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml b/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml deleted file mode 100644 index 19c25cb8a..000000000 --- a/datasets/attack_techniques/T1110/azure_mfasweep_events/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 69276bcf-c04d-42e9-97ed-59800c2eedfb -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_mfasweep_events -environment: attack_range -directory: azure_mfasweep_events -mitre_technique: -- T1110 -datasets: -- name: azure_mfasweep_events - path: /datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml b/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml deleted file mode 100644 index 4fe93623e..000000000 --- a/datasets/attack_techniques/T1110/o365_brute_force_login/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6be9e363-56af-4114-90a6-675063bf4a99 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_brute_force_login -environment: attack_range -directory: o365_brute_force_login -mitre_technique: -- T1110 -datasets: -- name: o365_brute_force_login-json - path: /datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml b/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml index 2a183380f..000ec2284 100644 --- a/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml +++ b/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.yml @@ -3,10 +3,11 @@ id: cc9b2650-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Brute Force Attack O365 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1110 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_brute_force_login +mitre_technique: +- T1110 +datasets: +- name: o365_brute_force_login-json + path: /datasets/attack_techniques/T1110/o365_brute_force_login/o365_brute_force_login.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml deleted file mode 100644 index 7f1197210..000000000 --- a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7a64eed4-64e2-4b03-9f3d-08ed987f7bf8 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_multiple_accounts_lockout -environment: attack_range -directory: okta_multiple_accounts_lockout -mitre_technique: -- T1110 -datasets: -- name: okta_multiple_accounts_lockout - path: /datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml index 12c146792..0655ffe91 100644 --- a/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml +++ b/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.yml @@ -1,11 +1,14 @@ author: Mauricio Velazco, Splunk id: 0419ad47-a1c2-46b2-a647-4651456a9029 date: '2024-03-04' -description: Performed a brute force attack against an Okta tenant until accounts were locked out. -environment: Okta -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1110/ \ No newline at end of file +description: Performed a brute force attack against an Okta tenant until accounts + were locked out. +environment: attack_range +directory: okta_multiple_accounts_lockout +mitre_technique: +- T1110 +datasets: +- name: okta_multiple_accounts_lockout + path: /datasets/attack_techniques/T1110/okta_multiple_accounts_lockout/okta_multiple_accounts_lockout.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml index 71f8f2228..eacf8e166 100644 --- a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml +++ b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 4bfb4b66-673f-4f7e-863d-c812ee74d9a1 date: '2023-11-23' description: Generated datasets for AuthenticationLevelOverride in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate +environment: attack_range +directory: AuthenticationLevelOverride +mitre_technique: +- T1112 +datasets: +- name: auth_sys + path: /datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml deleted file mode 100644 index 6ddfb52c0..000000000 --- a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9e5a3b2f-0be3-4b71-a546-bfd489b99b4c -date: '2025-08-12' -description: Automatically categorized datasets in directory AuthenticationLevelOverride -environment: attack_range -directory: AuthenticationLevelOverride -mitre_technique: -- T1112 -datasets: -- name: auth_sys - path: /datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml index 19782c182..22589883d 100644 --- a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml @@ -7,20 +7,23 @@ description: 'Atomic Test Results: Successful Execution of test T1112-1 Modify R logon credentials Successful Execution of test T1112-4 Add domain to Trusted sites Zone Successful Execution of test T1112-5 Javascript in registry ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1112 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md -- https://github.com/splunk/security-content/blob/develop/tests/T1112.yml +directory: atomic_red_team +mitre_technique: +- T1112 +datasets: +- name: wdigest_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: safemode_windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-webview + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/atomic_red_team/data.yml b/datasets/attack_techniques/T1112/atomic_red_team/data.yml deleted file mode 100644 index f4337137f..000000000 --- a/datasets/attack_techniques/T1112/atomic_red_team/data.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 834c0ade-18de-4bd5-9753-d8e52e5b7f9e -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1112 -datasets: -- name: wdigest_windows-sysmon - path: /datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: safemode_windows-sysmon - path: /datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon-webview - path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml deleted file mode 100644 index e488ba8fb..000000000 --- a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ab7faa6e-5a25-45c3-9681-a847b3c09576 -date: '2025-08-12' -description: Automatically categorized datasets in directory enablelinkedconnections -environment: attack_range -directory: enablelinkedconnections -mitre_technique: -- T1112 -datasets: -- name: blackbyte_sysmon - path: /datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml index 1c7295429..39266ce7e 100644 --- a/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml +++ b/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/enablelinkedconnections.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 01f4eb45-edd9-4618-a606-c2848c5fa0cb date: '2023-07-10' description: Generated datasets for enablelinkedconnections in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ +environment: attack_range +directory: enablelinkedconnections +mitre_technique: +- T1112 +datasets: +- name: blackbyte_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/enablelinkedconnections/blackbyte_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml deleted file mode 100644 index a6586efcd..000000000 --- a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dc912ec6-ba89-45a7-b790-c66eee08a3c6 -date: '2025-08-12' -description: Automatically categorized datasets in directory longpathsenabled -environment: attack_range -directory: longpathsenabled -mitre_technique: -- T1112 -datasets: -- name: longpath_sysmon - path: /datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml index 0f9d134ff..8f9809318 100644 --- a/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml +++ b/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpathsenabled.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 50a77464-fdac-4102-b0d8-ae74b00c3c1d date: '2023-07-10' description: Generated datasets for longpathsenabled in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ +environment: attack_range +directory: longpathsenabled +mitre_technique: +- T1112 +datasets: +- name: longpath_sysmon + path: /datasets/attack_techniques/T1112/blackbyte/longpathsenabled/longpath_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/disable_notif_center/data.yml b/datasets/attack_techniques/T1112/disable_notif_center/data.yml deleted file mode 100644 index 605769962..000000000 --- a/datasets/attack_techniques/T1112/disable_notif_center/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2ac6316e-645e-4e93-90dd-4fc9ac45e4a2 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_notif_center -environment: attack_range -directory: disable_notif_center -mitre_technique: -- T1112 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1112/disable_notif_center/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml b/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml index 9475c9a21..018a3ee38 100644 --- a/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml +++ b/datasets/attack_techniques/T1112/disable_notif_center/disable_notif_center.yml @@ -3,9 +3,11 @@ id: fb50a0d2-8fd6-11ec-b295-acde48001122 date: '2022-02-17' description: Generated datasets for disable notif center in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disable_notif_center/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html \ No newline at end of file +directory: disable_notif_center +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/disable_notif_center/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml deleted file mode 100644 index 4b6a82cfa..000000000 --- a/datasets/attack_techniques/T1112/firewall_modify_delete/data.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c059177b-60bd-4bc1-8673-7bc2a7cfa84d -date: '2025-08-12' -description: Automatically categorized datasets in directory firewall_modify_delete -environment: attack_range -directory: firewall_modify_delete -mitre_technique: -- T1112 -datasets: -- name: firewall-mod-delete - path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log - sourcetype: firewall -- name: firewall_mod_delete - path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log - sourcetype: firewall diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml index 2694f7118..925a734ce 100644 --- a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml @@ -3,9 +3,13 @@ id: f3c9a6d2-3f61-11ef-8fb2-acde48001122 date: '2024-07-11' description: Generated datasets for firewall modify delete in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/ \ No newline at end of file +directory: firewall_modify_delete +mitre_technique: +- T1112 +datasets: +- name: firewall-mod-delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log + sourcetype: firewall +- name: firewall_mod_delete + path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log + sourcetype: firewall diff --git a/datasets/attack_techniques/T1112/minint_reg/data.yml b/datasets/attack_techniques/T1112/minint_reg/data.yml deleted file mode 100644 index 8f507c8d9..000000000 --- a/datasets/attack_techniques/T1112/minint_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 39dd03c8-2fdb-4e36-8234-4db62d9cc021 -date: '2025-08-12' -description: Automatically categorized datasets in directory minint_reg -environment: attack_range -directory: minint_reg -mitre_technique: -- T1112 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1112/minint_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml b/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml index 6ab72f217..4d6534e0b 100644 --- a/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml +++ b/datasets/attack_techniques/T1112/minint_reg/minint_reg.yml @@ -3,7 +3,11 @@ id: 732edf10-2522-47de-be21-710ac8dcde73 date: '2021-10-05' description: minint registry datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/minint_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: minint_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/minint_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml b/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml deleted file mode 100644 index 832eb5311..000000000 --- a/datasets/attack_techniques/T1112/ransomware_disable_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ede65fe8-53b4-4428-a39a-d4d54ddb56ae -date: '2025-08-12' -description: Automatically categorized datasets in directory ransomware_disable_reg -environment: attack_range -directory: ransomware_disable_reg -mitre_technique: -- T1112 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml b/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml index 7eb2a558c..48b8ff747 100644 --- a/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml +++ b/datasets/attack_techniques/T1112/ransomware_disable_reg/ransomware_disable_reg.yml @@ -3,9 +3,11 @@ id: c5bf208a-9ecf-11ec-98d7-acde48001122 date: '2022-03-08' description: Generated datasets for ransomware disable reg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ \ No newline at end of file +directory: ransomware_disable_reg +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/ransomware_disable_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/shimcache_flush/data.yml b/datasets/attack_techniques/T1112/shimcache_flush/data.yml deleted file mode 100644 index 9f84ab2dd..000000000 --- a/datasets/attack_techniques/T1112/shimcache_flush/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a51ed069-eae4-40d6-9f5f-979b6f7a5726 -date: '2025-08-12' -description: Automatically categorized datasets in directory shimcache_flush -environment: attack_range -directory: shimcache_flush -mitre_technique: -- T1112 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1112/shimcache_flush/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml b/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml index 54fac6dc7..edb138274 100644 --- a/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml +++ b/datasets/attack_techniques/T1112/shimcache_flush/shimcache_flush.yml @@ -3,7 +3,11 @@ id: 112d5721-f697-4bec-b42c-a227d4109898 date: '2021-10-05' description: shimcache flush datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/shimcache_flush/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: shimcache_flush +mitre_technique: +- T1112 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1112/shimcache_flush/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml deleted file mode 100644 index 61ec711be..000000000 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f377516d-b052-483f-a0fa-f6d63846b106 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_compliance_content_search_exported -environment: attack_range -directory: o365_compliance_content_search_exported -mitre_technique: -- T1114.002 -datasets: -- name: o365_compliance_content_search_exported - path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml index dd06918fe..5a79588c5 100644 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 2ee0daa3-784e-4113-8c3b-63f5a597501d date: '2024-04-01' -description: 'Manually exported a content search on M365 compliance portal' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 \ No newline at end of file +description: Manually exported a content search on M365 compliance portal +environment: attack_range +directory: o365_compliance_content_search_exported +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_exported + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_exported/o365_compliance_content_search_exported.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml deleted file mode 100644 index dc3425184..000000000 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 85eac7a7-a1d7-4629-9ff9-537051fded0b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_compliance_content_search_started -environment: attack_range -directory: o365_compliance_content_search_started -mitre_technique: -- T1114.002 -datasets: -- name: o365_compliance_content_search_started - path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml index af026082b..dcf28744b 100644 --- a/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml +++ b/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.yml @@ -1,11 +1,13 @@ author: Mauricio Velazco id: 779bf322-0493-41d8-b0db-d6f012057ce8 date: '2024-04-01' -description: 'Manually start a content search on M365 compliance portal' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/exchange/recipients/user-mailboxes/email-forwarding?view=exchserver-2019 \ No newline at end of file +description: Manually start a content search on M365 compliance portal +environment: attack_range +directory: o365_compliance_content_search_started +mitre_technique: +- T1114.002 +datasets: +- name: o365_compliance_content_search_started + path: /datasets/attack_techniques/T1114.002/o365_compliance_content_search_started/o365_compliance_content_search_started.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml deleted file mode 100644 index f8db2597a..000000000 --- a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 85187821-3b80-4b82-83f2-04bddb887af1 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_inbox_shared_with_all_users -environment: attack_range -directory: o365_inbox_shared_with_all_users -mitre_technique: -- T1114.002 -datasets: -- name: o365_inbox_shared_with_all_users - path: /datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml index 31139e7b1..9f21d6e2f 100644 --- a/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml +++ b/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 2751009e-d929-4f65-aee4-c1222b414305 date: '2023-09-06' -description: 'Manually provided inbox folder access to Anonymous. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf \ No newline at end of file +description: Manually provided inbox folder access to Anonymous. Tenant specific details + have been replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_inbox_shared_with_all_users +mitre_technique: +- T1114.002 +datasets: +- name: o365_inbox_shared_with_all_users + path: /datasets/attack_techniques/T1114.002/o365_inbox_shared_with_all_users/o365_inbox_shared_with_all_users.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml deleted file mode 100644 index 51643b520..000000000 --- a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 37c875dc-0df0-4abc-9e13-56d4d6caf83b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_multiple_mailboxes_accessed_via_api -environment: attack_range -directory: o365_multiple_mailboxes_accessed_via_api -mitre_technique: -- T1114.002 -datasets: -- name: o365_multiple_mailboxes_accessed_via_api - path: /datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml index bb68bed68..f9327cb20 100644 --- a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml +++ b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: 3da9163a-e320-4dd1-9c2c-dddf0436f9ba date: '2024-02-01' -description: 'Manually accessed multipla O365 mailboxes using the Graph API and an OAuth application registration using a python script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in -- https://learn.microsoft.com/en-us/graph/permissions-reference \ No newline at end of file +description: Manually accessed multipla O365 mailboxes using the Graph API and an + OAuth application registration using a python script +environment: attack_range +directory: o365_multiple_mailboxes_accessed_via_api +mitre_technique: +- T1114.002 +datasets: +- name: o365_multiple_mailboxes_accessed_via_api + path: /datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml deleted file mode 100644 index 9312e6189..000000000 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a328b822-216c-444d-a25c-31b6cdc9af55 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_oauth_app_ews_mailbox_access -environment: attack_range -directory: o365_oauth_app_ews_mailbox_access -mitre_technique: -- T1114.002 -datasets: -- name: o365_oauth_app_ews_mailbox_access - path: /datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml index ace2228bf..0e626af88 100644 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 7ffc2d34-d6c4-4987-bbfa-b1195a93affc date: '2024-02-01' -description: 'Manually accessed O365 emails via Exchange Web Services and an OAuth application registration using a PowerShell script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ -- https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/ews-applications-and-the-exchange-architecture \ No newline at end of file +description: Manually accessed O365 emails via Exchange Web Services and an OAuth + application registration using a PowerShell script +environment: attack_range +directory: o365_oauth_app_ews_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_ews_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_ews_mailbox_access/o365_oauth_app_ews_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml deleted file mode 100644 index 64652f092..000000000 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 49657c18-7317-4e0f-b6fd-73275edda22a -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_oauth_app_graph_mailbox_access -environment: attack_range -directory: o365_oauth_app_graph_mailbox_access -mitre_technique: -- T1114.002 -datasets: -- name: o365_oauth_app_graph_mailbox_access - path: /datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml index 762d845aa..27478ae2c 100644 --- a/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml +++ b/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 82a7da52-467c-40f2-bbdb-37c97bbf67be date: '2024-01-31' -description: 'Manually accessed O365 emails via the Graph API and an OAuth application registration using a PowerShell script' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/002/ -- https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in -- https://learn.microsoft.com/en-us/graph/permissions-reference \ No newline at end of file +description: Manually accessed O365 emails via the Graph API and an OAuth application + registration using a PowerShell script +environment: attack_range +directory: o365_oauth_app_graph_mailbox_access +mitre_technique: +- T1114.002 +datasets: +- name: o365_oauth_app_graph_mailbox_access + path: /datasets/attack_techniques/T1114.002/o365_oauth_app_graph_mailbox_access/o365_oauth_app_graph_mailbox_access.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml deleted file mode 100644 index d09dae350..000000000 --- a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f6c1781c-cd78-48f2-813d-4535d3e28ce7 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_email_forwarding_rule_created -environment: attack_range -directory: o365_email_forwarding_rule_created -mitre_technique: -- T1114.003 -datasets: -- name: o365_email_forwarding_rule_created - path: /datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml index 6f3949754..89974f8e4 100644 --- a/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml +++ b/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: 3e913102-26d8-4c05-aa42-7adb788db03d date: '2024-03-28' -description: 'Created a forwarding rule programatically using msInvader' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://learn.microsoft.com/en-us/purview/alert-policies?view=o365-worldwide -- https://github.com/mvelazc0/msInvader \ No newline at end of file +description: Created a forwarding rule programatically using msInvader +environment: attack_range +directory: o365_email_forwarding_rule_created +mitre_technique: +- T1114.003 +datasets: +- name: o365_email_forwarding_rule_created + path: /datasets/attack_techniques/T1114.003/o365_email_forwarding_rule_created/o365_email_forwarding_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml deleted file mode 100644 index 948deb135..000000000 --- a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_email_forwarding_rule.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Patrick Bareiss -id: cc9b25f8-efc9-11eb-926b-550bf0943fbb -date: '2020-12-16' -description: Configured forwarding rules for mailboxes in Office 365. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/o365_email_forwarding_rule/o365_email_forwarding_rule.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/003 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf diff --git a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml similarity index 62% rename from datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml rename to datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml index 24ce5bfbd..0a6bb4654 100644 --- a/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/data.yml +++ b/datasets/attack_techniques/T1114.003/o365_mailbox_forwarding_enabled/o365_mailbox_forwarding_enabled.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: ea375a4c-9684-4391-8f82-decda578585b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_mailbox_forwarding_enabled +author: Patrick Bareiss +id: cc9b25f8-efc9-11eb-926b-550bf0943fbb +date: '2020-12-16' +description: Configured forwarding rules for mailboxes in Office 365. environment: attack_range directory: o365_mailbox_forwarding_enabled mitre_technique: diff --git a/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml b/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml deleted file mode 100644 index 43d46d648..000000000 --- a/datasets/attack_techniques/T1114/o365_export_pst_file/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4eb50ba5-614b-46e7-b732-740f3a063c71 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_export_pst_file -environment: attack_range -directory: o365_export_pst_file -mitre_technique: -- T1114 -datasets: -- name: o365_export_pst_file-json - path: /datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml b/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml index a93cb5a02..6eb0e0fcf 100644 --- a/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml +++ b/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.yml @@ -3,10 +3,11 @@ id: cc9b2651-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Export PST file in O365 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_export_pst_file +mitre_technique: +- T1114 +datasets: +- name: o365_export_pst_file-json + path: /datasets/attack_techniques/T1114/o365_export_pst_file/o365_export_pst_file.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml deleted file mode 100644 index a4c42ae5e..000000000 --- a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e67627d0-1b0a-45d6-9037-4f6303dd5d7f -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_new_forwarding_mailflow_rule_created -environment: attack_range -directory: o365_new_forwarding_mailflow_rule_created -mitre_technique: -- T1114 -datasets: -- name: o365_new_forwarding_mailflow_rule_created - path: /datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml index 755bbf33c..9c8100fee 100644 --- a/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml +++ b/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.yml @@ -2,11 +2,12 @@ author: Mauricio Velazco id: a23751d9-73dc-4f83-bbaa-79f9f56cb3ee date: '2023-04-10' description: Created a forwarding mailflow rule in Office 365 using PowerShell. -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1114/ -- https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules +environment: attack_range +directory: o365_new_forwarding_mailflow_rule_created +mitre_technique: +- T1114 +datasets: +- name: o365_new_forwarding_mailflow_rule_created + path: /datasets/attack_techniques/T1114/o365_new_forwarding_mailflow_rule_created/o365_new_forwarding_mailflow_rule_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml deleted file mode 100644 index 391323b4f..000000000 --- a/datasets/attack_techniques/T1114/o365_suspect_email_actions/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 16bfceea-a344-4013-8c6d-8a5ffe7fd5eb -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_suspect_email_actions -environment: attack_range -directory: o365_suspect_email_actions -mitre_technique: -- T1114 -datasets: -- name: o365_messagetrace_suspect_events - path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log - sourcetype: o365:management:activity - source: o365 -- name: o365_exchange_suspect_events - path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml index c3261d253..391323b4f 100644 --- a/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml +++ b/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_suspect_email_actions.yml @@ -1,15 +1,17 @@ -author: Steven Dick -id: 986d1ac2-f76a-48d8-b3af-bf76dc4e80a4 -date: '2025-01-20' -description: 'Sample of events when an actor compromises a mailbox and conducts certain suspect activities such as email hard deletes, exfiltration, or password/banking information changes.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log -sourcetypes: -- o365:management:activity -- o365:reporting:messagetrace -references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack \ No newline at end of file +author: Generated by dataset_analyzer.py +id: 16bfceea-a344-4013-8c6d-8a5ffe7fd5eb +date: '2025-08-12' +description: Automatically categorized datasets in directory o365_suspect_email_actions +environment: attack_range +directory: o365_suspect_email_actions +mitre_technique: +- T1114 +datasets: +- name: o365_messagetrace_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + sourcetype: o365:management:activity + source: o365 +- name: o365_exchange_suspect_events + path: /datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml b/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml deleted file mode 100644 index 0026dde30..000000000 --- a/datasets/attack_techniques/T1115/linux_auditd_xclip/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e2ff4658-2634-4c04-b544-a5c5d6ab2da9 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_xclip -environment: attack_range -directory: linux_auditd_xclip -mitre_technique: -- T1115 -datasets: -- name: linux_auditd_xclip - path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log - sourcetype: auditd - source: auditd -- name: linux_auditd_xclip2 - path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml b/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml index 8f980ad96..57325f153 100644 --- a/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml +++ b/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.yml @@ -3,9 +3,15 @@ id: 92f98534-ef83-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd xclip in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log -sourcetypes: -- 'auditd' -references: -- https://linux.die.net/man/1/xclip \ No newline at end of file +directory: linux_auditd_xclip +mitre_technique: +- T1115 +datasets: +- name: linux_auditd_xclip + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip.log + sourcetype: auditd + source: auditd +- name: linux_auditd_xclip2 + path: /datasets/attack_techniques/T1115/linux_auditd_xclip/linux_auditd_xclip2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1127.001/data.yml b/datasets/attack_techniques/T1127.001/T1127.001.yml similarity index 60% rename from datasets/attack_techniques/T1127.001/data.yml rename to datasets/attack_techniques/T1127.001/T1127.001.yml index aa558ebda..269fca229 100644 --- a/datasets/attack_techniques/T1127.001/data.yml +++ b/datasets/attack_techniques/T1127.001/T1127.001.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: a9944c1f-4fba-4aa4-984a-0ee62820b552 -date: '2025-08-12' -description: Automatically categorized datasets in directory T1127.001 +author: Michael Haag +id: cc9b261a-efc9-11eb-926b-550bf0943fbb +date: '2021-01-15' +description: MSBuild.exe execution simulating a suspicious spawn, renamed and moved. environment: attack_range directory: T1127.001 mitre_technique: diff --git a/datasets/attack_techniques/T1127.001/atomic_red_team.yml b/datasets/attack_techniques/T1127.001/atomic_red_team.yml deleted file mode 100644 index 8593cb13c..000000000 --- a/datasets/attack_techniques/T1127.001/atomic_red_team.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag -id: cc9b261a-efc9-11eb-926b-550bf0943fbb -date: '2021-01-15' -description: MSBuild.exe execution simulating a suspicious spawn, renamed and moved. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1127/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md -- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ diff --git a/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml b/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml deleted file mode 100644 index 80d21b306..000000000 --- a/datasets/attack_techniques/T1127.001/regsvr32_silent/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 823c0d90-a2c5-4105-9a96-4f42871b6a00 -date: '2025-08-12' -description: Automatically categorized datasets in directory regsvr32_silent -environment: attack_range -directory: regsvr32_silent -mitre_technique: -- T1127.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml b/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml index d7f853624..98980659f 100644 --- a/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml +++ b/datasets/attack_techniques/T1127.001/regsvr32_silent/regsvr32_silent.yml @@ -3,9 +3,11 @@ id: 6e769297-65cc-473f-9df8-1698364c5942 date: '2021-10-03' description: data sets for njrat vbs malware.. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/regsvr32_silent/powershell.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational +directory: regsvr32_silent +mitre_technique: +- T1127.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127.001/regsvr32_silent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml index 9af9816a5..5c863d8be 100644 --- a/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1127/atomic_red_team/atomic_red_team.yml @@ -3,11 +3,11 @@ id: cc9b25ea-efc9-11eb-926b-550bf0943fbb date: '2021-01-19' description: Microsoft.workflow.compiler.exe usage including renamed and moved. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1127/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-6---microsoftworkflowcompilerexe-payload-execution -- https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/ +directory: atomic_red_team +mitre_technique: +- T1127 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/atomic_red_team/data.yml b/datasets/attack_techniques/T1127/atomic_red_team/data.yml deleted file mode 100644 index 414bb65b4..000000000 --- a/datasets/attack_techniques/T1127/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eca61b09-23fb-4cf1-bd98-5e930837417f -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1127 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1127/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/etw_disable/data.yml b/datasets/attack_techniques/T1127/etw_disable/data.yml deleted file mode 100644 index b4ff8e72f..000000000 --- a/datasets/attack_techniques/T1127/etw_disable/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0dd99d60-429a-4fda-a881-7403fe207d3b -date: '2025-08-12' -description: Automatically categorized datasets in directory etw_disable -environment: attack_range -directory: etw_disable -mitre_technique: -- T1127 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1127/etw_disable/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml b/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml index b2dbb6144..47880f950 100644 --- a/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml +++ b/datasets/attack_techniques/T1127/etw_disable/etw_disable.yml @@ -3,7 +3,11 @@ id: c528749d-6fb9-43e1-814f-dc39bfece3cd date: '2021-10-07' description: etw disable registry datasets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127/etw_disable/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: etw_disable +mitre_technique: +- T1127 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1127/etw_disable/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1134.005/mimikatz/data.yml b/datasets/attack_techniques/T1134.005/mimikatz/data.yml deleted file mode 100644 index bfc321ee8..000000000 --- a/datasets/attack_techniques/T1134.005/mimikatz/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f4b19386-93a3-477b-aec8-95f10804833f -date: '2025-08-12' -description: Automatically categorized datasets in directory mimikatz -environment: attack_range -directory: mimikatz -mitre_technique: -- T1134.005 -datasets: -- name: windows-security-xml - path: /datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml b/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml new file mode 100644 index 000000000..b267f8e67 --- /dev/null +++ b/datasets/attack_techniques/T1134.005/mimikatz/mimikatz.yml @@ -0,0 +1,15 @@ +author: Dean Luxton +id: fbedf606-d7c8-4fe5-96ae-ad0526b90ec0 +date: '2022-08-23' +description: Utilising the sid::patch & sid::add commands from a mimikatz shell running + debug privilegs. Successfully patched ntds & added a SID history ad attribute to + a user object. Note, also works with computer accounts ;) +environment: attack_range +directory: mimikatz +mitre_technique: +- T1134.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml b/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml deleted file mode 100644 index 930777e90..000000000 --- a/datasets/attack_techniques/T1134.005/mimikatz/sid_history.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Dean Luxton -id: fbedf606-d7c8-4fe5-96ae-ad0526b90ec0 -date: '2022-08-23' -description: Utilising the sid::patch & sid::add commands from a mimikatz shell running debug privilegs. Successfully patched ntds & added a SID history ad attribute to a user object. Note, also works with computer accounts ;) -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/mimikatz/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1772 -- https://attack.mitre.org/techniques/T1134/005/ diff --git a/datasets/attack_techniques/T1134.005/sid_history2/data.yml b/datasets/attack_techniques/T1134.005/sid_history2/data.yml deleted file mode 100644 index f96b04f1e..000000000 --- a/datasets/attack_techniques/T1134.005/sid_history2/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a5480298-f24f-4ddc-ae5c-1b47f069ce75 -date: '2025-08-12' -description: Automatically categorized datasets in directory sid_history2 -environment: attack_range -directory: sid_history2 -mitre_technique: -- T1134.005 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1134.005/sid_history2/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml b/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml index d64b12805..9d8c2c45c 100644 --- a/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml +++ b/datasets/attack_techniques/T1134.005/sid_history2/sid_history2.yml @@ -1,12 +1,15 @@ author: Mauricio Velazco id: 9a0a610f-a53a-405f-ace7-0c3e2809ed68 date: '2022-11-17' -description: Utilising the sid::patch & sid::add commands from a mimikatz shell running debug privilegs. Successfully patched ntds & added a SID history ad attribute to a user object. +description: Utilising the sid::patch & sid::add commands from a mimikatz shell running + debug privilegs. Successfully patched ntds & added a SID history ad attribute to + a user object. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134.005/sid_history2/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://adsecurity.org/?p=1772 -- https://attack.mitre.org/techniques/T1134/005/ +directory: sid_history2 +mitre_technique: +- T1134.005 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1134.005/sid_history2/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml b/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml deleted file mode 100644 index 0f07e1001..000000000 --- a/datasets/attack_techniques/T1135/ipc_share_accessed/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c85fa4ee-d852-4319-9a49-4d021057e4a6 -date: '2025-08-12' -description: Automatically categorized datasets in directory ipc_share_accessed -environment: attack_range -directory: ipc_share_accessed -mitre_technique: -- T1135 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml b/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml index b2e1d9dcb..84ebebc17 100644 --- a/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml +++ b/datasets/attack_techniques/T1135/ipc_share_accessed/ipc_share_accessed.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: acc6dde7-c023-46ba-abfc-9a16b664797d date: '2023-03-23' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: ipc_share_accessed +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/ipc_share_accessed/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml deleted file mode 100644 index d368c30b0..000000000 --- a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bfc43e75-09f7-4aa5-94a2-32ae1e39070a -date: '2025-08-12' -description: Automatically categorized datasets in directory large_number_computer_service_tickets -environment: attack_range -directory: large_number_computer_service_tickets -mitre_technique: -- T1135 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml index 771687203..cc57b7eb0 100644 --- a/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml +++ b/datasets/attack_techniques/T1135/large_number_computer_service_tickets/large_number_computer_service_tickets.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 03c013d4-3818-454b-b907-0f81330d6197 date: '2023-03-21' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network. This dataset contains the Kerberos service ticket requests for 50+ endpoints. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network. This dataset contains the Kerberos + service ticket requests for 50+ endpoints. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: large_number_computer_service_tickets +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/large_number_computer_service_tickets/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1135/net_share/data.yml b/datasets/attack_techniques/T1135/net_share/data.yml deleted file mode 100644 index 578b74759..000000000 --- a/datasets/attack_techniques/T1135/net_share/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 071a9f91-6897-46ef-bcd2-f610aab61873 -date: '2025-08-12' -description: Automatically categorized datasets in directory net_share -environment: attack_range -directory: net_share -mitre_technique: -- T1135 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1135/net_share/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1135/net_share/net_share.yml b/datasets/attack_techniques/T1135/net_share/net_share.yml index e26815960..d5d7b8bdb 100644 --- a/datasets/attack_techniques/T1135/net_share/net_share.yml +++ b/datasets/attack_techniques/T1135/net_share/net_share.yml @@ -1,11 +1,14 @@ author: Dean Luxton -id: 112a2ded-6924-4a3a-a30c-e527b9c9d75d +id: 112a2ded-6924-4a3a-a30c-e527b9c9d75d date: '2023-04-21' -description: Manually executed Net Share to discover network file shares in an Active Directory network. +description: Manually executed Net Share to discover network file shares in an Active + Directory network. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1135 +directory: net_share +mitre_technique: +- T1135 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1135/net_share/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml deleted file mode 100644 index c03459597..000000000 --- a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/data.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 54f162f1-7eec-4b75-9125-a2edef956d52 -date: '2025-08-12' -description: Automatically categorized datasets in directory net_share_discovery_via_dir -environment: attack_range -directory: net_share_discovery_via_dir -mitre_technique: -- T1135 -datasets: -- name: smb_access_security_xml - path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log - sourcetype: access_combined -- name: smbaccess-5140-security-xml2 - path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml index fb0e42656..d25427173 100644 --- a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml +++ b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml @@ -2,10 +2,14 @@ author: Teoderick Contreras, Splunk id: fe9d47bb-2da6-41d0-b8ac-ed38f3a08f71 date: '2023-05-23' description: Generated datasets for net share discovery via dir in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ +environment: attack_range +directory: net_share_discovery_via_dir +mitre_technique: +- T1135 +datasets: +- name: smb_access_security_xml + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log + sourcetype: access_combined +- name: smbaccess-5140-security-xml2 + path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml b/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml deleted file mode 100644 index 1c2f08606..000000000 --- a/datasets/attack_techniques/T1135/powerview_sharefinder/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a1e41771-8d3c-4dbb-aff9-f56f7a7c7762 -date: '2025-08-12' -description: Automatically categorized datasets in directory powerview_sharefinder -environment: attack_range -directory: powerview_sharefinder -mitre_technique: -- T1135 -datasets: -- name: windows-powershell - path: /datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml b/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml index 57e3f56d9..183827344 100644 --- a/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml +++ b/datasets/attack_techniques/T1135/powerview_sharefinder/powerview_sharefinder.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: f2a92824-4e44-4a7a-bcc6-fbbcfbab4686 date: '2023-03-20' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: powerview_sharefinder +mitre_technique: +- T1135 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1135/powerview_sharefinder/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml deleted file mode 100644 index 2e28662a7..000000000 --- a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9c2b1fb4-e5cc-4b4a-b137-fdcd965b5e5f -date: '2025-08-12' -description: Automatically categorized datasets in directory rapid_authentication_multiple_hosts -environment: attack_range -directory: rapid_authentication_multiple_hosts -mitre_technique: -- T1135 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml index 7a1bfd395..e0ce9e6e6 100644 --- a/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml +++ b/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/rapid_authentication_multiple_hosts.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 9024a52e-836e-4e95-aea8-ef37cde946e6 date: '2023-03-23' -description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover network file shares in an Active Directory network that has more than 50 hosts. +description: Manually executed PowerSploit's commandlet Invoke-ShareFinder to discover + network file shares in an Active Directory network that has more than 50 hosts. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1135 -- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 -- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/ \ No newline at end of file +directory: rapid_authentication_multiple_hosts +mitre_technique: +- T1135 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1135/rapid_authentication_multiple_hosts/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml index adde9f4ae..0818075ec 100644 --- a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml @@ -6,23 +6,31 @@ description: 'Atomic Test Results: Return value unclear for test T1136.001-3 Cre new user in PowerShell Successful Execution of test T1136.001-6 Create a new Windows admin user ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/4720.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1136/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1136_001.yml +directory: atomic_red_team +mitre_technique: +- T1136.001 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-powershell-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: xml-windows-security + path: /datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security-esxadmins + path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml deleted file mode 100644 index faf4eab75..000000000 --- a/datasets/attack_techniques/T1136.001/atomic_red_team/data.yml +++ /dev/null @@ -1,33 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0cc09e75-1681-45de-8f63-ae5e6e915303 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1136.001 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon-esxadmins - path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-powershell-esxadmins - path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: xml-windows-security - path: /datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-security-esxadmins - path: /datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml deleted file mode 100644 index a2755acbf..000000000 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e6462693-e800-44f1-a999-9c4fa0f8976e -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_add_user -environment: attack_range -directory: linux_auditd_add_user -mitre_technique: -- T1136.001 -datasets: -- name: auditd_proctitle_user_add - path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log - sourcetype: auditd - source: auditd -- name: linux_auditd_add_user - path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml index 66727f3ca..97ec54804 100644 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.yml @@ -3,9 +3,15 @@ id: 96cbb496-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd add user in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log -sourcetypes: -- 'auditd' -references: -- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ \ No newline at end of file +directory: linux_auditd_add_user +mitre_technique: +- T1136.001 +datasets: +- name: auditd_proctitle_user_add + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/auditd_proctitle_user_add.log + sourcetype: auditd + source: auditd +- name: linux_auditd_add_user + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user/linux_auditd_add_user.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml deleted file mode 100644 index 19eeef31b..000000000 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 08585d30-4711-42ee-b9dd-b3657a2c14bf -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_add_user_type -environment: attack_range -directory: linux_auditd_add_user_type -mitre_technique: -- T1136.001 -datasets: -- name: linux_auditd_add_user_type - path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml index baf09b08f..b943aff42 100644 --- a/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml +++ b/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml @@ -3,9 +3,11 @@ id: 6f5ae8be-5a20-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd add user type in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_add_user_type +mitre_technique: +- T1136.001 +datasets: +- name: linux_auditd_add_user_type + path: /datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml index 4807b01ac..15840fc86 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure_ad_add_service_principal.yml @@ -1,13 +1,13 @@ author: Gowthamaraj Rajendran id: 6cdf42f8-1c1e-454c-a56e-8aad7f084a6d date: '2022-08-17' -description: Manually add Service Principal in the Azure AD. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals -- https://docs.microsoft.com/en-us/powershell/azure/create-azure-service-principal-azureps?view=azps-8.2.0 -- https://attack.mitre.org/techniques/T1136/003/ +description: Manually add Service Principal in the Azure AD. +environment: attack_range +directory: azure_ad_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml deleted file mode 100644 index d581ba2da..000000000 --- a/datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ffcbdc28-9bdc-496b-83cc-5d91708a5c97 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_add_service_principal -environment: attack_range -directory: azure_ad_add_service_principal -mitre_technique: -- T1136.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1136.003/azure_ad_add_service_principal/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml index 025eddc93..8907c3614 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure_ad_external_guest_user_invited.yml @@ -1,13 +1,14 @@ author: Gowthamaraj Rajendran id: 6cdf42f8-1c1e-454c-a56e-8aad7f084a6a date: '2022-08-18' -description: Manually invite External Guest user to the Azure AD. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf -- https://attack.mitre.org/techniques/T1136/003/ -- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal +description: Manually invite External Guest user to the Azure AD. Tenant specific + details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_ad_external_guest_user_invited +mitre_technique: +- T1136.003 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml deleted file mode 100644 index ae177a59c..000000000 --- a/datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 62780cfe-cabf-41e3-8906-986260335cc1 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_external_guest_user_invited -environment: attack_range -directory: azure_ad_external_guest_user_invited -mitre_technique: -- T1136.003 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1136.003/azure_ad_external_guest_user_invited/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml index db7d780a3..aa57a4632 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 55543737-a4d0-42fe-909e-c2750e409700 date: '2024-02-07' -description: -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ +description: null +environment: attack_range +directory: azure_ad_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: azure_ad_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml deleted file mode 100644 index 1a8ee73aa..000000000 --- a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3a2d80aa-8799-44cb-91d4-e199b6eb5046 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_multiple_service_principals_created -environment: attack_range -directory: azure_ad_multiple_service_principals_created -mitre_technique: -- T1136.003 -datasets: -- name: azure_ad_multiple_service_principals_created - path: /datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml b/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml index c7eb14120..63af336ff 100644 --- a/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml +++ b/datasets/attack_techniques/T1136.003/azure_automation_account/azure_automation_account.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: ea2f4a6a-424f-4c5a-9974-ac61a9d96122 date: '2022-08-19' -description: Manually create an Azure Automation account using the Azure Portal. Tenant specific details like tenant id, user names, etc. have been modified. -environment: Azure tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log -sourcetypes: -- mscs:azure:audit -references: -- https://www.netspi.com/blog/technical/cloud-penetration-testing/maintaining-azure-persistence-via-automation-accounts/ -- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3/ -- https://www.inversecos.com/2021/12/how-to-detect-malicious-azure.html -- https://attack.mitre.org/techniques/T1136/003/ \ No newline at end of file +description: Manually create an Azure Automation account using the Azure Portal. Tenant + specific details like tenant id, user names, etc. have been modified. +environment: attack_range +directory: azure_automation_account +mitre_technique: +- T1136.003 +datasets: +- name: azure-activity + path: /datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml b/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml deleted file mode 100644 index 7b7410e5b..000000000 --- a/datasets/attack_techniques/T1136.003/azure_automation_account/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d1812cac-e631-4c10-8209-64d708d68d94 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_automation_account -environment: attack_range -directory: azure_automation_account -mitre_technique: -- T1136.003 -datasets: -- name: azure-activity - path: /datasets/attack_techniques/T1136.003/azure_automation_account/azure-activity.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml deleted file mode 100644 index 78a93979e..000000000 --- a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5dc77dca-4646-4452-98f1-30d2b38ea5bc -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_add_app_role_assignment_grant_user -environment: attack_range -directory: o365_add_app_role_assignment_grant_user -mitre_technique: -- T1136.003 -datasets: -- name: o365_add_app_role_assignment_grant_user-json - path: /datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml index 6eb13f38b..fe810a54c 100644 --- a/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml +++ b/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.yml @@ -3,11 +3,12 @@ id: cc9b25da-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the creation of a new Federation setting by alerting about an specific event related to its creation. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_add_app_role_assignment_grant_user +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_app_role_assignment_grant_user-json + path: /datasets/attack_techniques/T1136.003/o365_add_app_role_assignment_grant_user/o365_add_app_role_assignment_grant_user.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml b/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml deleted file mode 100644 index 9851c76db..000000000 --- a/datasets/attack_techniques/T1136.003/o365_add_service_principal/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6d48b50b-95e6-4869-bcb6-33a7aa3b83d3 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_add_service_principal -environment: attack_range -directory: o365_add_service_principal -mitre_technique: -- T1136.003 -datasets: -- name: o365_add_service_principal-json - path: /datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml b/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml index 85ac52cee..ad842261a 100644 --- a/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25dd-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add service principal credentials -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_add_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_add_service_principal/o365_add_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml b/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml deleted file mode 100644 index 590f5aa34..000000000 --- a/datasets/attack_techniques/T1136.003/o365_added_service_principal/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e3b45ae6-80d6-4e90-91c8-631cd15ed165 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_added_service_principal -environment: attack_range -directory: o365_added_service_principal -mitre_technique: -- T1136.003 -datasets: -- name: o365_add_service_principal - path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log - sourcetype: o365:management:activity - source: o365 -- name: o365_added_service_principal-json - path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml b/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml index f94a8c8a4..99403f88b 100644 --- a/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml +++ b/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.yml @@ -3,11 +3,16 @@ id: cc9b25db-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the creation of a new Federation setting by alerting about an specific event related to its creation. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_added_service_principal +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_service_principal + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_add_service_principal.log + sourcetype: o365:management:activity + source: o365 +- name: o365_added_service_principal-json + path: /datasets/attack_techniques/T1136.003/o365_added_service_principal/o365_added_service_principal.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml deleted file mode 100644 index c1a36272f..000000000 --- a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a77fa7c5-6982-4dc5-987e-98868c07ba16 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_multiple_service_principals_created -environment: attack_range -directory: o365_multiple_service_principals_created -mitre_technique: -- T1136.003 -datasets: -- name: o365_multiple_service_principals_created - path: /datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml index c256a6c03..4e6b9e63d 100644 --- a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: f9e755a0-5abc-4675-8313-79da901c87dd date: '2024-02-07' -description: -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ +description: null +environment: attack_range +directory: o365_multiple_service_principals_created +mitre_technique: +- T1136.003 +datasets: +- name: o365_multiple_service_principals_created + path: /datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml deleted file mode 100644 index a82c3c700..000000000 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e5d0bbeb-4f07-42cb-b3f3-bc04813ff173 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_new_federated_domain -environment: attack_range -directory: o365_new_federated_domain -mitre_technique: -- T1136.003 -datasets: -- name: o365_new_federated_domain-json - path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml index 86330da60..0fc00365c 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25de-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add-FederatedDomain -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain/oo365_new_federated_domain.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_new_federated_domain +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federated_domain-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain/o365_new_federated_domain.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml deleted file mode 100644 index a0c44e3f0..000000000 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 625c69c8-5c40-469f-9ea7-d802ff288d9a -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_new_federated_domain_added -environment: attack_range -directory: o365_new_federated_domain_added -mitre_technique: -- T1136.003 -datasets: -- name: o365_add_federated_domain - path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log - sourcetype: o365:management:activity - source: o365 -- name: o365_new_federated_domain_added-json - path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml index 12814b21e..05df38651 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.yml @@ -2,11 +2,16 @@ author: Rod Soto id: cc9b25d9-efc9-11eb-926b-550bf0943fbb date: '2021-01-26' description: This search detects the addition of a new Federated domain. -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ -- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf +environment: attack_range +directory: o365_new_federated_domain_added +mitre_technique: +- T1136.003 +datasets: +- name: o365_add_federated_domain + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_add_federated_domain.log + sourcetype: o365:management:activity + source: o365 +- name: o365_new_federated_domain_added-json + path: /datasets/attack_techniques/T1136.003/o365_new_federated_domain_added/o365_new_federated_domain_added.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml b/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml deleted file mode 100644 index f7a8c1553..000000000 --- a/datasets/attack_techniques/T1136.003/o365_new_federation/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eb513e32-35a3-47a1-92ab-ace785ea71f4 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_new_federation -environment: attack_range -directory: o365_new_federation -mitre_technique: -- T1136.003 -datasets: -- name: o365_new_federation-json - path: /datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml b/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml index 720115ede..3594ad52a 100644 --- a/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml +++ b/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.yml @@ -2,10 +2,12 @@ author: Patrick Bareiss id: cc9b25dc-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Performed operation Add app role assignment grant to user -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_new_federation +mitre_technique: +- T1136.003 +datasets: +- name: o365_new_federation-json + path: /datasets/attack_techniques/T1136.003/o365_new_federation/o365_new_federation.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml index 03addd324..b89e37c57 100644 --- a/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1140/atomic_red_team/atomic_red_team.yml @@ -4,12 +4,11 @@ date: '2021-03-25' description: 'Atomic Red Team test results of T1140, certutil.exe decode. Also included Invoke-CertUtil decoding files. ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/encode-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1140 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md +directory: atomic_red_team +mitre_technique: +- T1140 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1140/atomic_red_team/data.yml b/datasets/attack_techniques/T1140/atomic_red_team/data.yml deleted file mode 100644 index 7a394d0fd..000000000 --- a/datasets/attack_techniques/T1140/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a5f21bd8-f694-44b3-90c0-e910105a1cfa -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1140 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml b/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml deleted file mode 100644 index b62e1d490..000000000 --- a/datasets/attack_techniques/T1140/linux_auditd_base64/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 07e83507-36aa-42a9-b033-bb27fe35cc9b -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_base64 -environment: attack_range -directory: linux_auditd_base64 -mitre_technique: -- T1140 -datasets: -- name: auditd_execve_base64 - path: /datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log - sourcetype: auditd - source: auditd -- name: linux_auditd_base64 - path: /datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml b/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml index 14162f1d1..0c914076c 100644 --- a/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml +++ b/datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.yml @@ -3,9 +3,15 @@ id: d027d710-ef80-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd base64 in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log -sourcetypes: -- 'auditd' -references: -- https://gtfobins.github.io/gtfobins/dd/ \ No newline at end of file +directory: linux_auditd_base64 +mitre_technique: +- T1140 +datasets: +- name: auditd_execve_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/auditd_execve_base64.log + sourcetype: auditd + source: auditd +- name: linux_auditd_base64 + path: /datasets/attack_techniques/T1140/linux_auditd_base64/linux_auditd_base64.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml index b494c2371..7c0d1db6a 100644 --- a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/aws_concurrent_sessions_from_different_ips.yml @@ -1,15 +1,15 @@ author: Bhavin Patel id: c56117f4-95de-46ae-8fbe-7b41e49bf95e date: '2023-01-24' -description: 'Used Evilnginx2 to phish an AWS user and steal session cookies , then logged into the console from attacker machiner while the session from victim machine was also connected.' -environment: STRT AWS Account -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1185 -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx2 to phish an AWS user and steal session cookies , then + logged into the console from attacker machiner while the session from victim machine + was also connected. +environment: attack_range +directory: aws_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml deleted file mode 100644 index 2046f04e8..000000000 --- a/datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 435b6235-6698-4a81-a223-65a941b67b18 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_concurrent_sessions_from_different_ips -environment: attack_range -directory: aws_concurrent_sessions_from_different_ips -mitre_technique: -- T1185 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1185/aws_concurrent_sessions_from_different_ips/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml index 394f35b90..33fc2b78b 100644 --- a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azure_ad_concurrent_sessions_from_different_ips.yml @@ -1,14 +1,16 @@ author: Mauricio Velazco id: c56d67f4-95de-46ae-8fbe-7b41e49bf95e date: '2023-01-24' -description: 'Used Evilnginx2 to phish an Azure AD user and steal session cookies. Then, imported the stolen session cookies into a different browser to access Azure AD resources from a different location and source ip. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1110/001/ -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx2 to phish an Azure AD user and steal session cookies. + Then, imported the stolen session cookies into a different browser to access Azure + AD resources from a different location and source ip. Tenant specific details have + been replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml deleted file mode 100644 index e0a83bb51..000000000 --- a/datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 80545b63-4a6a-4620-8968-3bdee04d01ab -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_concurrent_sessions_from_different_ips -environment: attack_range -directory: azure_ad_concurrent_sessions_from_different_ips -mitre_technique: -- T1185 -datasets: -- name: azuread - path: /datasets/attack_techniques/T1185/azure_ad_concurrent_sessions_from_different_ips/azuread.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml deleted file mode 100644 index 41f9a5d90..000000000 --- a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dde6a707-7db1-4680-b223-5a1199cd69ae -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_concurrent_sessions_from_different_ips -environment: attack_range -directory: o365_concurrent_sessions_from_different_ips -mitre_technique: -- T1185 -datasets: -- name: o365_concurrent_sessions_from_different_ips - path: /datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml index fdc2952e1..75da0faa1 100644 --- a/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml +++ b/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml @@ -1,14 +1,16 @@ author: Mauricio Velazco id: 892ce442-f2e8-4e4c-894e-cb068ffe1fee date: '2023-12-04' -description: 'Used Evilnginx3 to phish an O365 user and steal session cookies. Then, imported the stolen session cookies into a different browser to access M365 resources from a different location and source ip. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: O365 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1185/ -- https://github.com/kgretzky/evilginx2 -- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ +description: Used Evilnginx3 to phish an O365 user and steal session cookies. Then, + imported the stolen session cookies into a different browser to access M365 resources + from a different location and source ip. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: o365_concurrent_sessions_from_different_ips +mitre_technique: +- T1185 +datasets: +- name: o365_concurrent_sessions_from_different_ips + path: /datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1187/petitpotam/data.yml b/datasets/attack_techniques/T1187/petitpotam/data.yml deleted file mode 100644 index dd067c68b..000000000 --- a/datasets/attack_techniques/T1187/petitpotam/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ba5255e6-9f8b-41b6-892f-192a98c7776f -date: '2025-08-12' -description: Automatically categorized datasets in directory petitpotam -environment: attack_range -directory: petitpotam -mitre_technique: -- T1187 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1187/petitpotam/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-xml-1 - path: /datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml b/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml index 0869323da..7f5d33187 100644 --- a/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml +++ b/datasets/attack_techniques/T1187/petitpotam/petitpotam.yml @@ -1,13 +1,18 @@ author: Mauricio Velazcom, Michael Haag id: 5b562df1-7eca-4b70-bbbc-d2e870739abc date: '2021-09-01' -description: Running Petitpotam, ntlmrealy, Rubeus and mimikatz to obtain a TGT as a domain controller and execute a DcSyn attack. +description: Running Petitpotam, ntlmrealy, Rubeus and mimikatz to obtain a TGT as + a domain controller and execute a DcSyn attack. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/TA1187/petitpotam/windows-security.log -sourcetypes: -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1187/ -- https://github.com/topotam/PetitPotam -- https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429 +directory: petitpotam +mitre_technique: +- T1187 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-xml-1 + path: /datasets/attack_techniques/T1187/petitpotam/windows-xml-1.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1189/dyn_dns_site/data.yml b/datasets/attack_techniques/T1189/dyn_dns_site/data.yml deleted file mode 100644 index e424fe79c..000000000 --- a/datasets/attack_techniques/T1189/dyn_dns_site/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f0da1bdf-a6f4-4802-ba8f-7f3c64a76371 -date: '2025-08-12' -description: Automatically categorized datasets in directory dyn_dns_site -environment: attack_range -directory: dyn_dns_site -mitre_technique: -- T1189 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml b/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml index 975344510..2fd647887 100644 --- a/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml +++ b/datasets/attack_techniques/T1189/dyn_dns_site/dyn_dns_site.yml @@ -3,9 +3,11 @@ id: cc9b266c-efc9-11eb-926b-550bf0943fbb date: '2021-01-14' description: Manual generation of attack data by browsing to dyndns site of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1189 +directory: dyn_dns_site +mitre_technique: +- T1189 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1189/splunk/data.yml b/datasets/attack_techniques/T1189/splunk/splunk.yml similarity index 86% rename from datasets/attack_techniques/T1189/splunk/data.yml rename to datasets/attack_techniques/T1189/splunk/splunk.yml index fe7ec7006..0e426a5a0 100644 --- a/datasets/attack_techniques/T1189/splunk/data.yml +++ b/datasets/attack_techniques/T1189/splunk/splunk.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 3ebaf8b0-2f34-4a4c-a607-047f6485b04c -date: '2025-08-12' -description: Automatically categorized datasets in directory splunk +author: Rod Soto +id: cc99276c-bac9-24eb-726b-551bf0903fbb +date: '2024-12-27' +description: Manual generation of attack data environment: attack_range directory: splunk mitre_technique: diff --git a/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml b/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml deleted file mode 100644 index b0da77549..000000000 --- a/datasets/attack_techniques/T1189/splunk/svd-2024-1011.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Rod Soto -id: cc99276c-bac9-24eb-726b-551bf0903fbb -date: '2024-12-27' -description: Manual generation of attack data -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/svd-2024-1011.log -sourcetypes: -- splunkd_ui_access -references: -- https://attack.mitre.org/techniques/T1189 diff --git a/datasets/attack_techniques/T1189/xss/splunk_web_access.yml b/datasets/attack_techniques/T1189/xss/splunk_web_access.yml deleted file mode 100644 index 62da98b70..000000000 --- a/datasets/attack_techniques/T1189/xss/splunk_web_access.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Lou Stella -id: cc9b266c-efc9-24eb-726b-550bf0943fbb -date: '2022-04-27' -description: Manual generation of attack data by inserting parameters in Splunk monitoring console. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/xss/splunk_web_access.log -sourcetypes: -- splunk_web_access -references: -- https://attack.mitre.org/techniques/T1189 diff --git a/datasets/attack_techniques/T1189/xss/data.yml b/datasets/attack_techniques/T1189/xss/xss.yml similarity index 52% rename from datasets/attack_techniques/T1189/xss/data.yml rename to datasets/attack_techniques/T1189/xss/xss.yml index e13d2aab6..71984888f 100644 --- a/datasets/attack_techniques/T1189/xss/data.yml +++ b/datasets/attack_techniques/T1189/xss/xss.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: f977953b-5a95-4cf0-aafe-de2727bb93b4 -date: '2025-08-12' -description: Automatically categorized datasets in directory xss +author: Lou Stella +id: cc9b266c-efc9-24eb-726b-550bf0943fbb +date: '2022-04-27' +description: Manual generation of attack data by inserting parameters in Splunk monitoring + console. environment: attack_range directory: xss mitre_technique: diff --git a/datasets/attack_techniques/T1190/data.yml b/datasets/attack_techniques/T1190/T1190.yml similarity index 58% rename from datasets/attack_techniques/T1190/data.yml rename to datasets/attack_techniques/T1190/T1190.yml index 7a6a61129..703ccd741 100644 --- a/datasets/attack_techniques/T1190/data.yml +++ b/datasets/attack_techniques/T1190/T1190.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 2bd2f212-9f34-4da0-b18f-de5558badad9 -date: '2025-08-12' -description: Automatically categorized datasets in directory T1190 +author: Michael Haag, Splunk +id: cc9b266c-efc9-11eb-926b-550bf0943fbb +date: '2021-09-01' +description: Manual generation of attack data related to ProxyShell. environment: attack_range directory: T1190 mitre_technique: diff --git a/datasets/attack_techniques/T1190/citrix/citrix.yml b/datasets/attack_techniques/T1190/citrix/citrix.yml index 8de9e39a6..de324aa2b 100644 --- a/datasets/attack_techniques/T1190/citrix/citrix.yml +++ b/datasets/attack_techniques/T1190/citrix/citrix.yml @@ -3,17 +3,17 @@ id: cc9b266c-19c9-11eb-926b-220bf0943fas date: '2023-07-21' description: Attack data related to CVE-2023-3519 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve20233519.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/citrix-cve_2023_24489.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/cve-2023-4966-citrix.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/citrix/suricata_citrixbleed3.log -sourcetypes: -- pan:threat -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/ - - https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf \ No newline at end of file +directory: citrix +mitre_technique: +- T1190 +datasets: +- name: suricata_citrixbleed2 + path: /datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log + sourcetype: suricata + source: suricata +- name: nginx_kv_citrixbleed2_startwebview + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log + sourcetype: nginx:plus:access +- name: nginx_kv_cve_2023-4966-citrix + path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/citrix/data.yml b/datasets/attack_techniques/T1190/citrix/data.yml deleted file mode 100644 index 4ed59b974..000000000 --- a/datasets/attack_techniques/T1190/citrix/data.yml +++ /dev/null @@ -1,19 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bbe637ed-44bd-432c-a9ff-e17ebe7ca538 -date: '2025-08-12' -description: Automatically categorized datasets in directory citrix -environment: attack_range -directory: citrix -mitre_technique: -- T1190 -datasets: -- name: suricata_citrixbleed2 - path: /datasets/attack_techniques/T1190/citrix/suricata_citrixbleed2.log - sourcetype: suricata - source: suricata -- name: nginx_kv_citrixbleed2_startwebview - path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log - sourcetype: nginx:plus:access -- name: nginx_kv_cve_2023-4966-citrix - path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/confluence/confluence.yml b/datasets/attack_techniques/T1190/confluence/confluence.yml index 2c6a4511b..a570666a0 100644 --- a/datasets/attack_techniques/T1190/confluence/confluence.yml +++ b/datasets/attack_techniques/T1190/confluence/confluence.yml @@ -3,18 +3,20 @@ id: 15c6f2a9-a960-4f60-b1c2-bd2ae129ef7d date: '2023-07-21' description: Attack data related to CVE-2023-22515 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/shellservlet.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log -sourcetypes: -- suricata -- nginx:plus:kv -references: - - https://attack.mitre.org/techniques/T1190 - - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html - - https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/ \ No newline at end of file +directory: confluence +mitre_technique: +- T1190 +datasets: +- name: nginx_plus_kv_confluence + path: /datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log + sourcetype: nginx:plus:access +- name: nginx_kv_confluence_CVE-2024-21683 + path: /datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log + sourcetype: nginx:plus:access +- name: suricata_confluence_cve-2023-22527 + path: /datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log + sourcetype: suricata + source: suricata +- name: nginx_shellservlet + path: /datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/confluence/data.yml b/datasets/attack_techniques/T1190/confluence/data.yml deleted file mode 100644 index 7ee750ba6..000000000 --- a/datasets/attack_techniques/T1190/confluence/data.yml +++ /dev/null @@ -1,22 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e40a6bb6-a73b-4d0b-8220-26d6c6d60094 -date: '2025-08-12' -description: Automatically categorized datasets in directory confluence -environment: attack_range -directory: confluence -mitre_technique: -- T1190 -datasets: -- name: nginx_plus_kv_confluence - path: /datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log - sourcetype: nginx:plus:access -- name: nginx_kv_confluence_CVE-2024-21683 - path: /datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log - sourcetype: nginx:plus:access -- name: suricata_confluence_cve-2023-22527 - path: /datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log - sourcetype: suricata - source: suricata -- name: nginx_shellservlet - path: /datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/crushftp/crushftp.yml b/datasets/attack_techniques/T1190/crushftp/crushftp.yml index 04c8a943e..256e33bf8 100644 --- a/datasets/attack_techniques/T1190/crushftp/crushftp.yml +++ b/datasets/attack_techniques/T1190/crushftp/crushftp.yml @@ -1,17 +1,22 @@ author: Michael Haag, Splunk id: 1e1c1f1c-0b0b-4b0b-8b0b-0b0b0b0b0b0d date: '2024-05-23' -description: Generated event logs from CrushFTP server from simulated attack leveraging CVE-2024-4040 and CVE-2025-31161,. +description: Generated event logs from CrushFTP server from simulated attack leveraging + CVE-2024-4040 and CVE-2025-31161,. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/windows-sysmon.log -sourcetypes: -- crushftp:sessionlogs - -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/airbus-cert/CVE-2024-4040 - - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/ - - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation \ No newline at end of file +directory: crushftp +mitre_technique: +- T1190 +datasets: +- name: crushftp + path: /datasets/attack_techniques/T1190/crushftp/crushftp.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: crushftp11_session + path: /datasets/attack_techniques/T1190/crushftp/crushftp11_session.log + sourcetype: crushftp:sessionlogs + source: crushftp +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/crushftp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/crushftp/data.yml b/datasets/attack_techniques/T1190/crushftp/data.yml deleted file mode 100644 index 4fd616af2..000000000 --- a/datasets/attack_techniques/T1190/crushftp/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 36ed41d1-4e95-49ab-8996-ca295a1fdccf -date: '2025-08-12' -description: Automatically categorized datasets in directory crushftp -environment: attack_range -directory: crushftp -mitre_technique: -- T1190 -datasets: -- name: crushftp - path: /datasets/attack_techniques/T1190/crushftp/crushftp.log - sourcetype: crushftp:sessionlogs - source: crushftp -- name: crushftp11_session - path: /datasets/attack_techniques/T1190/crushftp/crushftp11_session.log - sourcetype: crushftp:sessionlogs - source: crushftp -- name: windows-sysmon - path: /datasets/attack_techniques/T1190/crushftp/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/ivanti/data.yml b/datasets/attack_techniques/T1190/ivanti/data.yml deleted file mode 100644 index bf1726aa5..000000000 --- a/datasets/attack_techniques/T1190/ivanti/data.yml +++ /dev/null @@ -1,39 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ee7b8a13-3682-430a-8e53-a71ad887ec5c -date: '2025-08-12' -description: Automatically categorized datasets in directory ivanti -environment: attack_range -directory: ivanti -mitre_technique: -- T1190 -datasets: -- name: suricata_ivanti_secure_connect_checkphase - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log - sourcetype: linux_secure - source: linux_secure -- name: suricata_ivanti_saml - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log - sourcetype: suricata - source: suricata -- name: suricata_ivanti_secure_connect_exploitphase - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log - sourcetype: linux_secure - source: linux_secure -- name: suricata_ivanti_epm - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log - sourcetype: suricata - source: suricata -- name: suricata_ivanti_CVE202335078 - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log - sourcetype: suricata - source: suricata -- name: ivanti_bookmark_web_access - path: /datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log - sourcetype: access_combined -- name: suricata_ivanti_CVE202335082 - path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log - sourcetype: suricata - source: suricata -- name: ivanti_vtm_nginxproxy - path: /datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/ivanti/ivanti.yml b/datasets/attack_techniques/T1190/ivanti/ivanti.yml index 504f89041..2b547e06c 100644 --- a/datasets/attack_techniques/T1190/ivanti/ivanti.yml +++ b/datasets/attack_techniques/T1190/ivanti/ivanti.yml @@ -3,23 +3,37 @@ id: 193d25ad-5fe7-4ade-8d61-33350cb453f0 date: '2023-08-08' description: Attack data related to CVE-2023-35081 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_sentry_CVE_2023_38035.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_secure_connect.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_vtm_audit.log -sourcetypes: -- suricata -- web_access -- nginx:plus:kv -- ivanti_vtm_audit -references: - - https://attack.mitre.org/techniques/T1190 - - https://www.cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081 \ No newline at end of file +directory: ivanti +mitre_technique: +- T1190 +datasets: +- name: suricata_ivanti_secure_connect_checkphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_checkphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_saml + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_saml.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_secure_connect_exploitphase + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_secure_connect_exploitphase.log + sourcetype: linux_secure + source: linux_secure +- name: suricata_ivanti_epm + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_epm.log + sourcetype: suricata + source: suricata +- name: suricata_ivanti_CVE202335078 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335078.log + sourcetype: suricata + source: suricata +- name: ivanti_bookmark_web_access + path: /datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log + sourcetype: access_combined +- name: suricata_ivanti_CVE202335082 + path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log + sourcetype: suricata + source: suricata +- name: ivanti_vtm_nginxproxy + path: /datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/java/data.yml b/datasets/attack_techniques/T1190/java/data.yml deleted file mode 100644 index 6a310bc61..000000000 --- a/datasets/attack_techniques/T1190/java/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 512bec22-b4ed-4510-8a1e-ff602bd0f326 -date: '2025-08-12' -description: Automatically categorized datasets in directory java -environment: attack_range -directory: java -mitre_technique: -- T1190 -datasets: -- name: log4shell-nginx - path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/java/java.yml b/datasets/attack_techniques/T1190/java/java.yml index 32fccb7d1..061923fc8 100644 --- a/datasets/attack_techniques/T1190/java/java.yml +++ b/datasets/attack_techniques/T1190/java/java.yml @@ -3,15 +3,10 @@ id: cc9b266c-23c9-11eb-926b-220bf0943fbb date: '2021-12-13' description: Attack data related to Log4Shell CVE-2021-44228 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/confluence.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/log4shell-nginx.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/java/java_spawn_shell_nix.log -sourcetypes: -- stream:http -- nginx:plus:kv -- sysmon_linux -- pan:threat -references: - - https://attack.mitre.org/techniques/T1190 +directory: java +mitre_technique: +- T1190 +datasets: +- name: log4shell-nginx + path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/jenkins/data.yml b/datasets/attack_techniques/T1190/jenkins/data.yml deleted file mode 100644 index fd7376459..000000000 --- a/datasets/attack_techniques/T1190/jenkins/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f000a442-7809-41de-bfd1-f3d8974d08f3 -date: '2025-08-12' -description: Automatically categorized datasets in directory jenkins -environment: attack_range -directory: jenkins -mitre_technique: -- T1190 -datasets: -- name: nginx_jenkins_cve_2023_23897 - path: /datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/jenkins/jenkins.yml b/datasets/attack_techniques/T1190/jenkins/jenkins.yml index 37e1474a2..4a56f1aa9 100644 --- a/datasets/attack_techniques/T1190/jenkins/jenkins.yml +++ b/datasets/attack_techniques/T1190/jenkins/jenkins.yml @@ -3,18 +3,10 @@ id: ebb89c7d-afca-456d-9cc7-6827ec14733a date: '2024-01-29' description: Attack data related to CVE-2024-23897 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log -sourcetypes: -- nginx:plus:kv -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/projectdiscovery/nuclei-templates/pull/9025 - - https://github.com/jenkinsci-cert/SECURITY-3314-3315 - - https://github.com/binganao/CVE-2024-23897 - - https://github.com/h4x0r-dz/CVE-2024-23897 - - https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ - - https://www.shodan.io/search?query=product%3A%22Jenkins%22 - - https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html - - https://www.jenkins.io/security/advisory/2024-01-29/ - +directory: jenkins +mitre_technique: +- T1190 +datasets: +- name: nginx_jenkins_cve_2023_23897 + path: /datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/juniper/data.yml b/datasets/attack_techniques/T1190/juniper/data.yml deleted file mode 100644 index 941e86092..000000000 --- a/datasets/attack_techniques/T1190/juniper/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 50ce13ad-96c0-4111-82b1-0f777143cd69 -date: '2025-08-12' -description: Automatically categorized datasets in directory juniper -environment: attack_range -directory: juniper -mitre_technique: -- T1190 -datasets: -- name: suricata_junos_cvemegazord - path: /datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log - sourcetype: suricata - source: suricata diff --git a/datasets/attack_techniques/T1190/juniper/juniper.yml b/datasets/attack_techniques/T1190/juniper/juniper.yml index 47320e460..d23689378 100644 --- a/datasets/attack_techniques/T1190/juniper/juniper.yml +++ b/datasets/attack_techniques/T1190/juniper/juniper.yml @@ -1,12 +1,14 @@ author: Michael Haag, Splunk id: 123e4567-e89b-12d3-a456-426614174000 date: '2023-08-29' -description: Attack data related to CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 +description: Attack data related to CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, + CVE-2023-36847 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log -sourcetypes: -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US \ No newline at end of file +directory: juniper +mitre_technique: +- T1190 +datasets: +- name: suricata_junos_cvemegazord + path: /datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/magento/data.yml b/datasets/attack_techniques/T1190/magento/data.yml deleted file mode 100644 index a3b0e1d6a..000000000 --- a/datasets/attack_techniques/T1190/magento/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9a5e8b12-c7f1-4653-ba79-b333a60cf4cd -date: '2025-08-12' -description: Automatically categorized datasets in directory magento -environment: attack_range -directory: magento -mitre_technique: -- T1190 -datasets: -- name: magento_access_filtered - path: /datasets/attack_techniques/T1190/magento/magento_access_filtered.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/magento/magento.yml b/datasets/attack_techniques/T1190/magento/magento.yml index 65715aacf..78947e712 100644 --- a/datasets/attack_techniques/T1190/magento/magento.yml +++ b/datasets/attack_techniques/T1190/magento/magento.yml @@ -3,9 +3,10 @@ id: 9535ef60-d482-414c-b8bb-6d1bd61e8322 date: '2024-11-13' description: Manual generation of attack data related to Magento access logs environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/magento/magento_access_filtered.log -sourcetypes: -- access_combined_wcookie -references: -- https://attack.mitre.org/techniques/T1190 +directory: magento +mitre_technique: +- T1190 +datasets: +- name: magento_access_filtered + path: /datasets/attack_techniques/T1190/magento/magento_access_filtered.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/outbound_java/data.yml b/datasets/attack_techniques/T1190/outbound_java/data.yml deleted file mode 100644 index 7ea0b4a14..000000000 --- a/datasets/attack_techniques/T1190/outbound_java/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2b56e287-f7c5-4459-b07f-ee9fade5b739 -date: '2025-08-12' -description: Automatically categorized datasets in directory outbound_java -environment: attack_range -directory: outbound_java -mitre_technique: -- T1190 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml b/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml index 5005b4e25..b5175c7c8 100644 --- a/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml +++ b/datasets/attack_techniques/T1190/outbound_java/outbound_java.yml @@ -3,13 +3,11 @@ id: 118e4169-7caa-43f7-9560-322949db7ae9 date: '2021-12-15' description: Manual exploitation of CVE-2021-44228-Log4j on a Linux and Windows endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/outbound_java/linux-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1190 +directory: outbound_java +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/outbound_java/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/papercut/data.yml b/datasets/attack_techniques/T1190/papercut/data.yml deleted file mode 100644 index 2d22d4707..000000000 --- a/datasets/attack_techniques/T1190/papercut/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 27303865-acee-413b-bd49-db4e2781adb3 -date: '2025-08-12' -description: Automatically categorized datasets in directory papercut -environment: attack_range -directory: papercut -mitre_technique: -- T1190 -datasets: -- name: papercutng-suricata - path: /datasets/attack_techniques/T1190/papercut/papercutng-suricata.log - sourcetype: suricata - source: suricata -- name: papercutng-app-spawn_windows-sysmon - path: /datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/papercut/papercut.yml b/datasets/attack_techniques/T1190/papercut/papercut.yml index f8ae5a244..9a9bcb063 100644 --- a/datasets/attack_techniques/T1190/papercut/papercut.yml +++ b/datasets/attack_techniques/T1190/papercut/papercut.yml @@ -1,15 +1,18 @@ author: Michael Haag, Splunk id: 5bc80380-5b2b-402b-b9ef-60ec8b7921fb date: '2023-05-15' -description: Manual generation of attack data related to PaperCutNG. The "server.log" is a debug log of exploitation from the PaperCutNG Application. +description: Manual generation of attack data related to PaperCutNG. The "server.log" + is a debug log of exploitation from the PaperCutNG Application. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/server.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/papercut/papercutng-suricata.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- stash -references: - - https://attack.mitre.org/techniques/T1190 - - https://www.papercut.com/kb/Main/HowToCollectApplicationServerDebugLogs \ No newline at end of file +directory: papercut +mitre_technique: +- T1190 +datasets: +- name: papercutng-suricata + path: /datasets/attack_techniques/T1190/papercut/papercutng-suricata.log + sourcetype: suricata + source: suricata +- name: papercutng-app-spawn_windows-sysmon + path: /datasets/attack_techniques/T1190/papercut/papercutng-app-spawn_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/proxyshell.yml b/datasets/attack_techniques/T1190/proxyshell.yml deleted file mode 100644 index d89c743a3..000000000 --- a/datasets/attack_techniques/T1190/proxyshell.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b266c-efc9-11eb-926b-550bf0943fbb -date: '2021-09-01' -description: Manual generation of attack data related to ProxyShell. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/exchange-events.json -sourcetypes: -- MSWindows:IIS -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF - - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 diff --git a/datasets/attack_techniques/T1190/proxyshell/data.yml b/datasets/attack_techniques/T1190/proxyshell/data.yml deleted file mode 100644 index cefcc28e2..000000000 --- a/datasets/attack_techniques/T1190/proxyshell/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8d236e76-d50e-4fb1-a62f-779f44e70903 -date: '2025-08-12' -description: Automatically categorized datasets in directory proxyshell -environment: attack_range -directory: proxyshell -mitre_technique: -- T1190 -datasets: -- name: msexchangehmworker_windows-sysmon - path: /datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml b/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml index c3ca58ab0..eb506c941 100644 --- a/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml +++ b/datasets/attack_techniques/T1190/proxyshell/proxyshell.yml @@ -3,23 +3,11 @@ id: d5f9b9bf-1104-4f32-9f18-202ecb06ded1 date: '2022-10-03' description: Manual generation of attack data related to ProxyShell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log -sourcetypes: -- MSWindows:IIS -- ms:iis:splunk -- stash -references: - - https://attack.mitre.org/techniques/T1190 - - https://github.com/GossiTheDog/ThreatHunting/blob/master/AzureSentinel/Exchange-Powershell-via-SSRF - - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 - - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ - - https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA - - https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA - - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html - - https://research.splunk.com/stories/proxyshell/ - - https://docs.splunk.com/Documentation/AddOns/released/MSIIS \ No newline at end of file +directory: proxyshell +mitre_technique: +- T1190 +datasets: +- name: msexchangehmworker_windows-sysmon + path: /datasets/attack_techniques/T1190/proxyshell/msexchangehmworker_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1190/pswa/data.yml b/datasets/attack_techniques/T1190/pswa/data.yml deleted file mode 100644 index 03804e70e..000000000 --- a/datasets/attack_techniques/T1190/pswa/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e9b883f8-624d-477b-a7d3-b59bdb17b25f -date: '2025-08-12' -description: Automatically categorized datasets in directory pswa -environment: attack_range -directory: pswa -mitre_technique: -- T1190 -datasets: -- name: iis_pswaaccess - path: /datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/pswa/pswa.yml b/datasets/attack_techniques/T1190/pswa/pswa.yml index 082c023aa..0fafc8da4 100644 --- a/datasets/attack_techniques/T1190/pswa/pswa.yml +++ b/datasets/attack_techniques/T1190/pswa/pswa.yml @@ -3,14 +3,10 @@ id: d5f9b9bf-1104-4232-9f18-202ecb06ded2 date: '2024-09-09' description: Generation of data for the PowerShell Web Access (PSWA). environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_pswa_pool.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/4648_4624_pswa_pool.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log -sourcetypes: -- ms:iis:splunk -- XmlWinEventLog -references: - - https://attack.mitre.org/techniques/T1190 - - \ No newline at end of file +directory: pswa +mitre_technique: +- T1190 +datasets: +- name: iis_pswaaccess + path: /datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/sap/data.yml b/datasets/attack_techniques/T1190/sap/data.yml deleted file mode 100644 index 960aeadbb..000000000 --- a/datasets/attack_techniques/T1190/sap/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cebf0750-449b-4abf-9d28-55137474ec5c -date: '2025-08-12' -description: Automatically categorized datasets in directory sap -environment: attack_range -directory: sap -mitre_technique: -- T1190 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1190/sap/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: suricata_sapnetweaver - path: /datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log - sourcetype: suricata - source: suricata diff --git a/datasets/attack_techniques/T1190/sap/sap.yml b/datasets/attack_techniques/T1190/sap/sap.yml index b6d1a7531..b1ff04584 100644 --- a/datasets/attack_techniques/T1190/sap/sap.yml +++ b/datasets/attack_techniques/T1190/sap/sap.yml @@ -3,11 +3,15 @@ id: ca1b266c-23c9-11eb-926b-220bf0943fbb date: '2025-04-28' description: Attack data related to NetWeaver CVE-2025-31324 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/windows-sysmon.log -sourcetypes: -- suricata -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1190 +directory: sap +mitre_technique: +- T1190 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1190/sap/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: suricata_sapnetweaver + path: /datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1190/screenconnect/data.yml b/datasets/attack_techniques/T1190/screenconnect/data.yml deleted file mode 100644 index f3034b38f..000000000 --- a/datasets/attack_techniques/T1190/screenconnect/data.yml +++ /dev/null @@ -1,20 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f6590333-8589-40aa-ab4a-0652526d0e95 -date: '2025-08-12' -description: Automatically categorized datasets in directory screenconnect -environment: attack_range -directory: screenconnect -mitre_technique: -- T1190 -datasets: -- name: sysmon_app_extensions - path: /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: nginx_screenconnect - path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log - sourcetype: nginx:plus:access -- name: connectwise_auth_suricata - path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml index 9ec42e60e..358097387 100644 --- a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml @@ -1,16 +1,21 @@ author: Michael Haag, Splunk id: b0d3cc46-f74d-462b-b5db-71eba68d6912 date: '2024-02-21' -description: Manual generation of attack data related to ConnectWise Screenconnect CVE-2024-1708 CVE-2024-1709. +description: Manual generation of attack data related to ConnectWise Screenconnect + CVE-2024-1708 CVE-2024-1709. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log -sourcetypes: -- suricata -- XmlWinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1190 \ No newline at end of file +directory: screenconnect +mitre_technique: +- T1190 +datasets: +- name: sysmon_app_extensions + path: /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: nginx_screenconnect + path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log + sourcetype: nginx:plus:access +- name: connectwise_auth_suricata + path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1190/sharepoint/data.yml b/datasets/attack_techniques/T1190/sharepoint/data.yml deleted file mode 100644 index 63e3989f7..000000000 --- a/datasets/attack_techniques/T1190/sharepoint/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f4c63e96-4ce3-4e37-ae50-a28f051cca6b -date: '2025-08-12' -description: Automatically categorized datasets in directory sharepoint -environment: attack_range -directory: sharepoint -mitre_technique: -- T1190 -datasets: -- name: sharepointeop - path: /datasets/attack_techniques/T1190/sharepoint/sharepointeop.log - sourcetype: sharepoint:uls diff --git a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml index 8e627749f..2d8602280 100644 --- a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml +++ b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml @@ -3,12 +3,10 @@ id: 6e2c1f1c-0c0b-4c0b-8c0b-0c0c0c0c0c2c date: '2023-10-01' description: Manual generation of attack data related to CVE-2023-29357. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sharepoint/sharepointeop.log -sourcetypes: -- suricata -references: - - https://attack.mitre.org/techniques/T1190 - - https://x.com/cyb3rops/status/1707678149448700270?s=46&t=yQ2cOUcQNpWKLmg_cvVIxQ - - https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/ - - https://github.com/Chocapikk/CVE-2023-29357/ +directory: sharepoint +mitre_technique: +- T1190 +datasets: +- name: sharepointeop + path: /datasets/attack_techniques/T1190/sharepoint/sharepointeop.log + sourcetype: sharepoint:uls diff --git a/datasets/attack_techniques/T1190/splunk/data.yml b/datasets/attack_techniques/T1190/splunk/data.yml deleted file mode 100644 index 8a1f5aff6..000000000 --- a/datasets/attack_techniques/T1190/splunk/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 12d444fc-e341-4403-bbe7-26d1964eb793 -date: '2025-08-12' -description: Automatically categorized datasets in directory splunk -environment: attack_range -directory: splunk -mitre_technique: -- T1190 -datasets: -- name: web_access - path: /datasets/attack_techniques/T1190/splunk/web_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/splunk/log_injection.yml b/datasets/attack_techniques/T1190/splunk/log_injection.yml deleted file mode 100644 index 1b6bbd1e1..000000000 --- a/datasets/attack_techniques/T1190/splunk/log_injection.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Rod Soto -id: 67e13771-9616-4363-96d3-a8c18eea2d23 -date: '2023-07-31' -description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/splunk/web_access.log -sourcetypes: -- splunk_web_access -references: -- https://advisory.splunk.com/advisories/SVD-2023-0606 -- https://attack.mitre.org/techniques/T1190/ diff --git a/datasets/attack_techniques/T1190/splunk/splunk.yml b/datasets/attack_techniques/T1190/splunk/splunk.yml new file mode 100644 index 000000000..1727394c2 --- /dev/null +++ b/datasets/attack_techniques/T1190/splunk/splunk.yml @@ -0,0 +1,16 @@ +author: Rod Soto +id: 67e13771-9616-4363-96d3-a8c18eea2d23 +date: '2023-07-31' +description: An attacker can use a specially crafted web URL in their browser to cause + log file injection, in which the attack inserts American National Standards Institute + (ANSI) escape codes into specific files using a terminal program that supports those + escape codes. The attack requires a terminal program that supports the translation + of ANSI escape codes and requires additional user interaction to successfully execute. +environment: attack_range +directory: splunk +mitre_technique: +- T1190 +datasets: +- name: web_access + path: /datasets/attack_techniques/T1190/splunk/web_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/spring4shell/data.yml b/datasets/attack_techniques/T1190/spring4shell/data.yml deleted file mode 100644 index 68a28802b..000000000 --- a/datasets/attack_techniques/T1190/spring4shell/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f2ecb9d2-7ace-4769-b6d5-9a78f51563b5 -date: '2025-08-12' -description: Automatically categorized datasets in directory spring4shell -environment: attack_range -directory: spring4shell -mitre_technique: -- T1190 -datasets: -- name: spring4shell_nginx - path: /datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml index d4d6b263a..669aa4561 100644 --- a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml +++ b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml @@ -1,16 +1,13 @@ author: Michael Haag, Splunk id: 9535ef60-d482-214c-bxbb-6d1bd61e83be date: '2022-04-05' -description: Manual generation of attack data related to Spring4Shell with Nginx proxy logs +description: Manual generation of attack data related to Spring4Shell with Nginx proxy + logs environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/java_write_jsp-linux-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/all_functionrouter_http_streams.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/spring4shell/http_request_body_streams.log -sourcetypes: -- nginx:plus:kv -- sysmon_linux -- stream:http -references: -- https://attack.mitre.org/techniques/T1190 +directory: spring4shell +mitre_technique: +- T1190 +datasets: +- name: spring4shell_nginx + path: /datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/text4shell/data.yml b/datasets/attack_techniques/T1190/text4shell/data.yml deleted file mode 100644 index 4b7163429..000000000 --- a/datasets/attack_techniques/T1190/text4shell/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 86904e3f-e22e-4d3a-a300-eba3e2cfafd8 -date: '2025-08-12' -description: Automatically categorized datasets in directory text4shell -environment: attack_range -directory: text4shell -mitre_technique: -- T1190 -datasets: -- name: text4shell_nginx - path: /datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/text4shell/text4shell.yml b/datasets/attack_techniques/T1190/text4shell/text4shell.yml index 270a53ae8..3c3d72825 100644 --- a/datasets/attack_techniques/T1190/text4shell/text4shell.yml +++ b/datasets/attack_techniques/T1190/text4shell/text4shell.yml @@ -1,13 +1,13 @@ author: Michael Haag, Splunk id: 9535ef60-d482-214c-bxbb-6d1bd61e83be date: '2022-04-05' -description: Manual generation of attack data related to Text4Shell with Zeek HTTP logs and simulation of POC on docker. +description: Manual generation of attack data related to Text4Shell with Zeek HTTP + logs and simulation of POC on docker. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T11190/text4shell/text4shell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log -sourcetypes: -- bro:http:json -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1190 +directory: text4shell +mitre_technique: +- T1190 +datasets: +- name: text4shell_nginx + path: /datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1190/tomcat/data.yml b/datasets/attack_techniques/T1190/tomcat/data.yml deleted file mode 100644 index 9ab02e1ff..000000000 --- a/datasets/attack_techniques/T1190/tomcat/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 23665d8c-07ba-40e7-8f5a-46097ffc9e75 -date: '2025-08-12' -description: Automatically categorized datasets in directory tomcat -environment: attack_range -directory: tomcat -mitre_technique: -- T1190 -datasets: -- name: tomcat_nginx_access - path: /datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/tomcat/tomcat.yml b/datasets/attack_techniques/T1190/tomcat/tomcat.yml index ad743677b..2d57d4826 100644 --- a/datasets/attack_techniques/T1190/tomcat/tomcat.yml +++ b/datasets/attack_techniques/T1190/tomcat/tomcat.yml @@ -1,11 +1,12 @@ author: Michael Haag, Splunk id: 9535ef60-d182-212c-bxbb-6d1bd61e83be date: '2025-03-26' -description: Manual generation of attack data related to Tomcat with nginx proxypass. +description: Manual generation of attack data related to Tomcat with nginx proxypass. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log -sourcetypes: -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1190 +directory: tomcat +mitre_technique: +- T1190 +datasets: +- name: tomcat_nginx_access + path: /datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1195.002/3CX/data.yml b/datasets/attack_techniques/T1195.002/3CX/3CX.yml similarity index 79% rename from datasets/attack_techniques/T1195.002/3CX/data.yml rename to datasets/attack_techniques/T1195.002/3CX/3CX.yml index 60c41ad02..749afbfac 100644 --- a/datasets/attack_techniques/T1195.002/3CX/data.yml +++ b/datasets/attack_techniques/T1195.002/3CX/3CX.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 550dda16-c722-4c8d-ba0e-488b8bb10535 -date: '2025-08-12' -description: Automatically categorized datasets in directory 3CX +author: Michael Haag +id: be2df144-7e69-464c-9c11-534c86aa9e1e +date: '2022-03-30' +description: 3CX software running in range environment: attack_range directory: 3CX mitre_technique: diff --git a/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml b/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml deleted file mode 100644 index 0c1fb53fb..000000000 --- a/datasets/attack_techniques/T1195.002/3CX/3cx_supply_chain.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag -id: be2df144-7e69-464c-9c11-534c86aa9e1e -date: '2022-03-30' -description: 3CX software running in range -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_4688_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.002/3CX/3cx_network-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1195/002 \ No newline at end of file diff --git a/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml index e98c00c1f..de4f2e78a 100644 --- a/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1197/atomic_red_team/atomic_red_team.yml @@ -3,20 +3,15 @@ id: cc9b2617-efc9-11eb-926b-550bf0943fbb date: '2021-03-30' description: Execution of Atomic Red Team T1197 - BITS Jobs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/T1197_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/bits-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/carbon_black_events.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -- bit9:carbonblack:json -- crowdstrike:events:sensor -references: -- https://attack.mitre.org/techniques/T1197 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md +directory: atomic_red_team +mitre_technique: +- T1197 +datasets: +- name: crowdstrike_falcon + path: /datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log + sourcetype: crowdstrike:events:sensor + source: crowdstrike +- name: windows-sysmon + path: /datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1197/atomic_red_team/data.yml b/datasets/attack_techniques/T1197/atomic_red_team/data.yml deleted file mode 100644 index 12dc7b7c8..000000000 --- a/datasets/attack_techniques/T1197/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5d49236e-23f9-402b-92b7-5b6f152f5b5c -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1197 -datasets: -- name: crowdstrike_falcon - path: /datasets/attack_techniques/T1197/atomic_red_team/crowdstrike_falcon.log - sourcetype: crowdstrike:events:sensor - source: crowdstrike -- name: windows-sysmon - path: /datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml b/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml deleted file mode 100644 index a4fd063e5..000000000 --- a/datasets/attack_techniques/T1200/linux_auditd_swapoff/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c62702e4-8da0-4e9f-b8f9-e8cd574eaf69 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_swapoff -environment: attack_range -directory: linux_auditd_swapoff -mitre_technique: -- T1200 -datasets: -- name: linux_auditd_swapoff2 - path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log - sourcetype: auditd - source: auditd -- name: linux_auditd_swapoff - path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml b/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml index 4f443e1ff..fe137ac98 100644 --- a/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml +++ b/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.yml @@ -3,9 +3,15 @@ id: ecf084c8-ef99-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd swapoff in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log -sourcetypes: -- 'auditd' -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ \ No newline at end of file +directory: linux_auditd_swapoff +mitre_technique: +- T1200 +datasets: +- name: linux_auditd_swapoff2 + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff2.log + sourcetype: auditd + source: auditd +- name: linux_auditd_swapoff + path: /datasets/attack_techniques/T1200/linux_auditd_swapoff/linux_auditd_swapoff.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml deleted file mode 100644 index d2e416700..000000000 --- a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 601cb045-401e-445e-9d03-ce778313fb25 -date: '2025-08-12' -description: Automatically categorized datasets in directory sysmon_usb_use_execution -environment: attack_range -directory: sysmon_usb_use_execution -mitre_technique: -- T1200 -datasets: -- name: sysmon_usb_use_execution - path: /datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml index e6d4f1e0e..5c79089ef 100644 --- a/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml +++ b/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.yml @@ -1,13 +1,14 @@ -author: Steven Dick -id: 8d818c50-7925-4664-82c6-f8eb626d4c2f -date: '2025-01-17' -description: 'Sample of events from executing suspicious files from a recently attached USB drive.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1200/ -- https://www.cisa.gov/news-events/news/using-caution-usb-drives -- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/ \ No newline at end of file +author: Steven Dick +id: 8d818c50-7925-4664-82c6-f8eb626d4c2f +date: '2025-01-17' +description: Sample of events from executing suspicious files from a recently attached + USB drive. +environment: attack_range +directory: sysmon_usb_use_execution +mitre_technique: +- T1200 +datasets: +- name: sysmon_usb_use_execution + path: /datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml b/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml deleted file mode 100644 index c54ce361c..000000000 --- a/datasets/attack_techniques/T1201/pwd_policy_discovery/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: df83873f-fc03-465e-9044-c61da950afa3 -date: '2025-08-12' -description: Automatically categorized datasets in directory pwd_policy_discovery -environment: attack_range -directory: pwd_policy_discovery -mitre_technique: -- T1201 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml b/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml index d5fc83d24..271fedfe0 100644 --- a/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml +++ b/datasets/attack_techniques/T1201/pwd_policy_discovery/pwd_policy_discovery.yml @@ -1,15 +1,17 @@ author: Teoderick Contreras id: f42c4b90-4c31-4b96-9b9f-25e9faebfd15 date: '2021-08-26' -description: 'Simulated test Attack range dataset for AD Domain Policy Enumeration' +description: Simulated test Attack range dataset for AD Domain Policy Enumeration environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-system.log -source: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security \ No newline at end of file +directory: pwd_policy_discovery +mitre_technique: +- T1201 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1201/pwd_policy_discovery/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml index 557800b2c..9ab43196d 100644 --- a/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1202/atomic_red_team/atomic_red_team.yml @@ -5,13 +5,15 @@ description: 'Atomic Test Results: Successful Execution of test T1202 Indirect C Execution using forfiles.exe and pcalua.exe for evading restructions on process execution.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1202 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md +directory: atomic_red_team +mitre_technique: +- T1202 +datasets: +- name: windows-sysmon_runmru + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1202/atomic_red_team/data.yml b/datasets/attack_techniques/T1202/atomic_red_team/data.yml deleted file mode 100644 index 3751d5551..000000000 --- a/datasets/attack_techniques/T1202/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a726d142-d6df-4465-9f6c-840beaf20e9d -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1202 -datasets: -- name: windows-sysmon_runmru - path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon_runmru.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1202/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml index 0f2423309..f26b9c77e 100644 --- a/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1204.002/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-11-06' description: Manual generation of attack data by playing a bat file in system32 folder of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: atomic_red_team +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml deleted file mode 100644 index a8ff7536c..000000000 --- a/datasets/attack_techniques/T1204.002/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0586f997-b5c4-43bb-a300-db3c008113e8 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1204.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1204.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml b/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml index 9a51c5cf4..2e24f0871 100644 --- a/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml +++ b/datasets/attack_techniques/T1204.002/batch_file_in_system32/batch_file_in_system32.yml @@ -4,15 +4,11 @@ date: '2020-11-06' description: Manual generation of attack data by playing a bat file in system32 folder of Windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: batch_file_in_system32 +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml b/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml deleted file mode 100644 index d19b85d00..000000000 --- a/datasets/attack_techniques/T1204.002/batch_file_in_system32/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d60dcd01-8e16-473f-bd8e-87de6687b413 -date: '2025-08-12' -description: Automatically categorized datasets in directory batch_file_in_system32 -environment: attack_range -directory: batch_file_in_system32 -mitre_technique: -- T1204.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml b/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml deleted file mode 100644 index 169cb39e0..000000000 --- a/datasets/attack_techniques/T1204.002/single_letter_exe/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d2ab14ca-3c53-4eeb-a176-974d3e10a380 -date: '2025-08-12' -description: Automatically categorized datasets in directory single_letter_exe -environment: attack_range -directory: single_letter_exe -mitre_technique: -- T1204.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml b/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml index 435d351e1..e9d662eb8 100644 --- a/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml +++ b/datasets/attack_techniques/T1204.002/single_letter_exe/single_letter_exe.yml @@ -3,15 +3,11 @@ id: cc9b2625-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual generation of attack data by executing n.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/single_letter_exe/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: single_letter_exe +mitre_technique: +- T1204.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204.002/single_letter_exe/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml index eba6670d9..2bcbab9fc 100644 --- a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml +++ b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.yml @@ -3,11 +3,15 @@ id: 0f63eedd-c3e4-42af-af33-c0959919c494 date: '2021-08-18' description: Manual generation of attack data by uploading container to AWS ECR. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file +directory: aws_ecr_container_upload +mitre_technique: +- T1204.003 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: aws_ecr_container_upload-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml b/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml deleted file mode 100644 index 03b8ab40b..000000000 --- a/datasets/attack_techniques/T1204.003/aws_ecr_container_upload/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5d33772b-4beb-46dc-a85e-6e8003a7aa09 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_ecr_container_upload -environment: attack_range -directory: aws_ecr_container_upload -mitre_technique: -- T1204.003 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl -- name: aws_ecr_container_upload-json - path: /datasets/attack_techniques/T1204.003/aws_ecr_container_upload/aws_ecr_container_upload.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml index ef0ed5acd..9ca82e6af 100644 --- a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml +++ b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_image_scanning.yml @@ -1,11 +1,14 @@ author: Patrick Bareiss id: b6751b2a-ba1e-4a53-9585-381bc5f166f1 date: '2021-08-18' -description: Manual generation of attack data by running aws ecr scanner on docker image in AWS ECR. +description: Manual generation of attack data by running aws ecr scanner on docker + image in AWS ECR. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file +directory: aws_ecr_image_scanning +mitre_technique: +- T1204.003 +datasets: +- name: aws_ecr_scanning_findings_events-json + path: /datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml b/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml deleted file mode 100644 index c07f70e20..000000000 --- a/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b722f054-f014-4f79-b826-410d03e06baf -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_ecr_image_scanning -environment: attack_range -directory: aws_ecr_image_scanning -mitre_technique: -- T1204.003 -datasets: -- name: aws_ecr_scanning_findings_events-json - path: /datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml b/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml deleted file mode 100644 index e8e97c912..000000000 --- a/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Bhavin Patel -id: b6751b2a-ba1e-4d23-9585-384fc5f166f1 -date: '2021-08-18' -description: Risk events created on Attack range by enabling AWS ECR detections in Dev Sec Ops -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log -sourcetypes: -- stash -references: -- https://attack.mitre.org/techniques/T1204/003/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1204.003/risk_dataset/data.yml b/datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml similarity index 58% rename from datasets/attack_techniques/T1204.003/risk_dataset/data.yml rename to datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml index c65ea452d..f3e483c0f 100644 --- a/datasets/attack_techniques/T1204.003/risk_dataset/data.yml +++ b/datasets/attack_techniques/T1204.003/risk_dataset/risk_dataset.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: d105763e-b421-484d-87ac-9a3189e9f93d -date: '2025-08-12' -description: Automatically categorized datasets in directory risk_dataset +author: Bhavin Patel +id: b6751b2a-ba1e-4d23-9585-384fc5f166f1 +date: '2021-08-18' +description: Risk events created on Attack range by enabling AWS ECR detections in + Dev Sec Ops environment: attack_range directory: risk_dataset mitre_technique: diff --git a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml index 39a64c28d..0e1127ba2 100644 --- a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml +++ b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_updatelambdafunctioncode.yml @@ -3,10 +3,11 @@ id: 0f63eedd-c3e4-42af-af33-c0959919c114 date: '2022-02-28' description: Manual generation of attack data by updating a lambda function environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- http://detectioninthe.cloud/execution/modify_lambda_function_code/ -- https://attack.mitre.org/techniques/T1204/ \ No newline at end of file +directory: aws_updatelambdafunctioncode +mitre_technique: +- T1204 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml b/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml deleted file mode 100644 index 564bfabde..000000000 --- a/datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 07324041-a95b-40a0-be0f-379a3ea55a73 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_updatelambdafunctioncode -environment: attack_range -directory: aws_updatelambdafunctioncode -mitre_technique: -- T1204 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1204/aws_updatelambdafunctioncode/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml b/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml deleted file mode 100644 index bf6de6e90..000000000 --- a/datasets/attack_techniques/T1204/failed_login_service_account_ad/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8cef32da-2960-4ea7-abd8-dfe77d6d4c77 -date: '2025-08-12' -description: Automatically categorized datasets in directory failed_login_service_account_ad -environment: attack_range -directory: failed_login_service_account_ad -mitre_technique: -- T1204 -datasets: -- name: windows_security_xml - path: /datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml b/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml index 6da4f2543..352ebafb3 100644 --- a/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml +++ b/datasets/attack_techniques/T1204/failed_login_service_account_ad/failed_login_service_account_ad.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: abb51bc8-a5f1-4286-ac66-c1851c67b9b7 date: '2024-02-08' -description: 'Failed login attempt service account AD' +description: Failed login attempt service account AD environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log -sourcetypes: -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1204 +directory: failed_login_service_account_ad +mitre_technique: +- T1204 +datasets: +- name: windows_security_xml + path: /datasets/attack_techniques/T1204/failed_login_service_account_ad/windows_security_xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml deleted file mode 100644 index 94bf8a825..000000000 --- a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5268a968-0ff2-48b4-9f90-f1e561cdeb80 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_audit_daemonset_created -environment: attack_range -directory: kubernetes_audit_daemonset_created -mitre_technique: -- T1204 -datasets: -- name: kubernetes_audit_daemonset_created-json - path: /datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml index 1c60ca250..6e4368f70 100644 --- a/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml +++ b/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.yml @@ -3,9 +3,11 @@ id: da189cbc-c959-4681-a173-e409949470d4 date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a DaemonSet. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_audit_daemonset_created +mitre_technique: +- T1204 +datasets: +- name: kubernetes_audit_daemonset_created-json + path: /datasets/attack_techniques/T1204/kubernetes_audit_daemonset_created/kubernetes_audit_daemonset_created.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml deleted file mode 100644 index 0c15d0305..000000000 --- a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ce64ce8d-4eab-47de-ab51-1eee0bb82e1a -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_falco_shell_spawned -environment: attack_range -directory: kubernetes_falco_shell_spawned -mitre_technique: -- T1204 -datasets: -- name: kubernetes_falco_shell_spawned - path: /datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml index aaf40ea23..d4dd9303f 100644 --- a/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml +++ b/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.yml @@ -3,9 +3,11 @@ id: 6604d77c-fdb5-4b1c-9c1f-55ed41fcca8d date: '2023-12-13' description: Kubernetes falco logs containing a spawned shell. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log -sourcetypes: -- kube:container:falco -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_falco_shell_spawned +mitre_technique: +- T1204 +datasets: +- name: kubernetes_falco_shell_spawned + path: /datasets/attack_techniques/T1204/kubernetes_falco_shell_spawned/kubernetes_falco_shell_spawned.log + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml deleted file mode 100644 index fd0304369..000000000 --- a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 48b16de7-5aeb-48bc-822c-55b17e96be41 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_privileged_pod -environment: attack_range -directory: kubernetes_privileged_pod -mitre_technique: -- T1204 -datasets: -- name: kubernetes_privileged_pod-json - path: /datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml index bd784544e..f41b7079b 100644 --- a/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml +++ b/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.yml @@ -3,9 +3,11 @@ id: 462dfa0b-7aa4-4498-927b-8d9743141e3a date: '2023-12-14' description: Kubernetes audit logs which contains a creation of a privilged pod. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_privileged_pod +mitre_technique: +- T1204 +datasets: +- name: kubernetes_privileged_pod-json + path: /datasets/attack_techniques/T1204/kubernetes_privileged_pod/kubernetes_privileged_pod.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml deleted file mode 100644 index 4952fdfa2..000000000 --- a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2f5f7d33-2ee7-456b-95d4-34d59b0bf882 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_unauthorized_access -environment: attack_range -directory: kubernetes_unauthorized_access -mitre_technique: -- T1204 -datasets: -- name: kubernetes_unauthorized_access-json - path: /datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml index 08c2d6151..dad462416 100644 --- a/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml +++ b/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.yml @@ -3,9 +3,11 @@ id: 4db6594e-9e8c-4223-8681-262d06b4b4d3 date: '2023-12-07' description: Kubernetes audit logs which contains a forbidden access to a namespace. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1204 +directory: kubernetes_unauthorized_access +mitre_technique: +- T1204 +datasets: +- name: kubernetes_unauthorized_access-json + path: /datasets/attack_techniques/T1204/kubernetes_unauthorized_access/kubernetes_unauthorized_access.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1204/rare_executables/data.yml b/datasets/attack_techniques/T1204/rare_executables/data.yml deleted file mode 100644 index a5d9c4c99..000000000 --- a/datasets/attack_techniques/T1204/rare_executables/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a62e0e5b-fb2d-4e28-b8eb-7448d13300f6 -date: '2025-08-12' -description: Automatically categorized datasets in directory rare_executables -environment: attack_range -directory: rare_executables -mitre_technique: -- T1204 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml b/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml index 07b533535..eff918acf 100644 --- a/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml +++ b/datasets/attack_techniques/T1204/rare_executables/rare_executables.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 2523b7d6-5b06-4799-be0b-b368ee0de9a8 date: '2024-03-12' -description: 'Rare executables' +description: Rare executables environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1204 +directory: rare_executables +mitre_technique: +- T1204 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1204/rare_executables/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1207/dc_promo/data.yml b/datasets/attack_techniques/T1207/dc_promo/data.yml deleted file mode 100644 index dae86758d..000000000 --- a/datasets/attack_techniques/T1207/dc_promo/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 48f153b6-9474-41f3-b9a1-9f5a6e83ec34 -date: '2025-08-12' -description: Automatically categorized datasets in directory dc_promo -environment: attack_range -directory: dc_promo -mitre_technique: -- T1207 -datasets: -- name: windows-security-xml - path: /datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml b/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml index 5f58af6f1..0469be99b 100644 --- a/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml +++ b/datasets/attack_techniques/T1207/dc_promo/dc_promo.yml @@ -1,11 +1,13 @@ author: Dean Luxton id: a4305843-6f93-45a9-b811-01380861e45b date: '2023-01-26' -description: Manually promoting a server to a Domain Controller. +description: Manually promoting a server to a Domain Controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1207 +directory: dc_promo +mitre_technique: +- T1207 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1207/dc_promo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml b/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml deleted file mode 100644 index 442fb5c31..000000000 --- a/datasets/attack_techniques/T1207/mimikatz/dcshadow.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Dean Luxton -id: d2e3db4e-f6a2-4c59-8f07-85a0ae8db5e6 -date: '2022-07-20' -description: Manual execution of the mimikatz DCShadow command. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/zeek_dce_rpc.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/mimikatz/windows-security-xml.log -sourcetypes: -- bro:dce_rpc:json -- WinEventLog -- XmlWinEventLog -references: -- https://www.dcshadow.com/ -- https://attack.mitre.org/techniques/T1207 diff --git a/datasets/attack_techniques/T1207/mimikatz/data.yml b/datasets/attack_techniques/T1207/mimikatz/mimikatz.yml similarity index 59% rename from datasets/attack_techniques/T1207/mimikatz/data.yml rename to datasets/attack_techniques/T1207/mimikatz/mimikatz.yml index a552027d4..a6ed3ab41 100644 --- a/datasets/attack_techniques/T1207/mimikatz/data.yml +++ b/datasets/attack_techniques/T1207/mimikatz/mimikatz.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: ae741f50-4aba-4cc5-8214-aa140d5e1b83 -date: '2025-08-12' -description: Automatically categorized datasets in directory mimikatz +author: Dean Luxton +id: d2e3db4e-f6a2-4c59-8f07-85a0ae8db5e6 +date: '2022-07-20' +description: Manual execution of the mimikatz DCShadow command. environment: attack_range directory: mimikatz mitre_technique: diff --git a/datasets/attack_techniques/T1207/short_lived_server_object/data.yml b/datasets/attack_techniques/T1207/short_lived_server_object/data.yml deleted file mode 100644 index 66b4c4974..000000000 --- a/datasets/attack_techniques/T1207/short_lived_server_object/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 697a22bd-c0ef-4516-b88e-4e90cc7d18e3 -date: '2025-08-12' -description: Automatically categorized datasets in directory short_lived_server_object -environment: attack_range -directory: short_lived_server_object -mitre_technique: -- T1207 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml b/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml index 909ed0f5d..e6fe59dc4 100644 --- a/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml +++ b/datasets/attack_techniques/T1207/short_lived_server_object/short_lived_server_object.yml @@ -3,11 +3,11 @@ id: f43d4bd2-77a3-4eaa-805f-319e4dd45712 date: '2022-10-17' description: Manual execution of DCShadow attack using Mimikatz. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://www.dcshadow.com/ -- https://attack.mitre.org/techniques/T1207 -- https://pentestlab.blog/2018/04/16/dcshadow/ +directory: short_lived_server_object +mitre_technique: +- T1207 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1207/short_lived_server_object/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml deleted file mode 100644 index f8726f05a..000000000 --- a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 40f823dc-14c2-498e-a67d-fd1f71533aab -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_nginx_lfi_attack -environment: attack_range -directory: kubernetes_nginx_lfi_attack -mitre_technique: -- T1212 -datasets: -- name: kubernetes_nginx_lfi_attack - path: /datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml index c58dbfb5a..d8753f7b2 100644 --- a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml +++ b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 3b02f13d-14a6-4a47-afa3-0d9a7d5cacea date: '2021-08-18' -description: Manual generation of attack data by running a LFI attack againsta kubernetes cluster with a web app running +description: Manual generation of attack data by running a LFI attack againsta kubernetes + cluster with a web app running environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log -sourcetypes: -- kube:container:controller -references: -- https://attack.mitre.org/techniques/T1212 \ No newline at end of file +directory: kubernetes_nginx_lfi_attack +mitre_technique: +- T1212 +datasets: +- name: kubernetes_nginx_lfi_attack + path: /datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml deleted file mode 100644 index 9856e88a7..000000000 --- a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Patrick Bareiss -id: 1b1953b6-aebc-492f-8cf7-8791445aeaa8 -date: '2021-08-23' -description: Manual generation of attack data by running a RFI attack againsta kubernetes cluster with a web app running -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.log -sourcetypes: -- kube:container:controller -references: -- https://attack.mitre.org/techniques/T1212 \ No newline at end of file diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml similarity index 56% rename from datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml rename to datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml index 2b144149e..4a6549106 100644 --- a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/data.yml +++ b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 80df73df-a189-473f-b26e-78be1e8502e7 -date: '2025-08-12' -description: Automatically categorized datasets in directory kuberntest_nginx_rfi_attack +author: Patrick Bareiss +id: 1b1953b6-aebc-492f-8cf7-8791445aeaa8 +date: '2021-08-23' +description: Manual generation of attack data by running a RFI attack againsta kubernetes + cluster with a web app running environment: attack_range directory: kuberntest_nginx_rfi_attack mitre_technique: diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml deleted file mode 100644 index 6eff26294..000000000 --- a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6c859651-b825-4b6e-aa65-8a27ac8f84d9 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_sus_sharepoint_search -environment: attack_range -directory: o365_sus_sharepoint_search -mitre_technique: -- T1213.002 -datasets: -- name: o365_sus_sharepoint_search - path: /datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml index 6f9312c40..3d97dc333 100644 --- a/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml +++ b/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.yml @@ -1,15 +1,14 @@ -author: Steven Dick -id: 722e396e-9e74-4516-882d-0fc94f5d2b33 -date: '2024-12-19' -description: 'Sample of events when Sharepoint is searched for a sensitive term / or high rate of searching.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log -sourcetypes: -- o365:management:activity -references: -- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events -- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://attack.mitre.org/techniques/T1213/002/ -- https://attack.mitre.org/techniques/T1114/002/ +author: Steven Dick +id: 722e396e-9e74-4516-882d-0fc94f5d2b33 +date: '2024-12-19' +description: Sample of events when Sharepoint is searched for a sensitive term / or + high rate of searching. +environment: attack_range +directory: o365_sus_sharepoint_search +mitre_technique: +- T1213.002 +datasets: +- name: o365_sus_sharepoint_search + path: /datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml index 1a7b6cf7e..072e3198a 100644 --- a/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1216/atomic_red_team/atomic_red_team.yml @@ -1,14 +1,18 @@ author: Michael Haag, Splunk id: 8a6cdffd-77bc-41cd-9ba2-b5f7a178bacf date: '2022-09-26' -description: 'Atomic Test Results: Successful Execution of test T1216 related to SyncAppvPublishingServer Signed Script PowerShell Command Execution ' +description: 'Atomic Test Results: Successful Execution of test T1216 related to SyncAppvPublishingServer + Signed Script PowerShell Command Execution ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1216 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md +directory: atomic_red_team +mitre_technique: +- T1216 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1216/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1216/atomic_red_team/data.yml b/datasets/attack_techniques/T1216/atomic_red_team/data.yml deleted file mode 100644 index 216468090..000000000 --- a/datasets/attack_techniques/T1216/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 08124714-65e8-4c55-9362-08fcaa33d3d4 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1216 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1216/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/attack_techniques/T1216/atomic_red_team/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml index f091d3dba..67310b3c2 100644 --- a/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.001/atomic_red_team/atomic_red_team.yml @@ -3,15 +3,19 @@ id: cc9b2622-efc9-11eb-926b-550bf0943fbb date: '2021-02-11' description: ' Invoked AtomicTestHarnesses and executed T1218.001 manually.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.001/atomic_red_team/chm-wineventlog-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1218/001 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.001/T1218.001.md -- https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.001_CompiledHTMLFile +directory: atomic_red_team +mitre_technique: +- T1218.001 +datasets: +- name: 4688_windows-security + path: /datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: hh_decom_windows-sysmon + path: /datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml deleted file mode 100644 index e409de2ab..000000000 --- a/datasets/attack_techniques/T1218.001/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1579c588-4de3-4818-96fd-a15ba8708877 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.001 -datasets: -- name: 4688_windows-security - path: /datasets/attack_techniques/T1218.001/atomic_red_team/4688_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: hh_decom_windows-sysmon - path: /datasets/attack_techniques/T1218.001/atomic_red_team/hh_decom_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml index 4091f8755..4547a7f17 100644 --- a/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.002/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag id: cc9b261b-efc9-11eb-926b-550bf0943fcc date: '2021-09-08' -description: 'Invoked T1218.002 From Atomic Red Team simulating control.exe behavior' +description: Invoked T1218.002 From Atomic Red Team simulating control.exe behavior environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/002 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.yaml +directory: atomic_red_team +mitre_technique: +- T1218.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml deleted file mode 100644 index 357aec2e3..000000000 --- a/datasets/attack_techniques/T1218.002/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 30a8d3a7-267a-499b-9be1-e8d615156ea4 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml index bcfbe5633..f5b79c47e 100644 --- a/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.004/atomic_red_team/atomic_red_team.yml @@ -3,10 +3,15 @@ id: cc9b261b-efc9-11eb-926b-550bf0943fcc date: '2021-11-12' description: ' Simulation of T1218.004 via Atomic Red Team.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/004 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md +directory: atomic_red_team +mitre_technique: +- T1218.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_installutil_path + path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml deleted file mode 100644 index adfb83720..000000000 --- a/datasets/attack_techniques/T1218.004/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f96536a6-2792-40d7-9236-873b05e9e0d4 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.004 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_installutil_path - path: /datasets/attack_techniques/T1218.004/atomic_red_team/windows-sysmon_installutil_path.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml index 7ad1fb69a..0c3829a88 100644 --- a/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.005/atomic_red_team/atomic_red_team.yml @@ -15,17 +15,15 @@ description: ' Invoked AtomicTestHarnesses executing T1218.005 manually and via Engine with Inline Protocol Handler Successful Execution of test T1218.005-9 Invoke HTML Application - Simulate Lateral Movement over UNC Path ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/005 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.005/T1218.005.md +directory: atomic_red_team +mitre_technique: +- T1218.005 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: mshta_tasks_windows-sysmon + path: /datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml deleted file mode 100644 index b1e0e86d7..000000000 --- a/datasets/attack_techniques/T1218.005/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0778f707-cfd2-437b-a76f-5043849912e6 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.005 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: mshta_tasks_windows-sysmon - path: /datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml b/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml deleted file mode 100644 index 349555271..000000000 --- a/datasets/attack_techniques/T1218.005/mshta_in_registry/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d47e7693-af4a-4f25-a3bf-43cbae002f04 -date: '2025-08-12' -description: Automatically categorized datasets in directory mshta_in_registry -environment: attack_range -directory: mshta_in_registry -mitre_technique: -- T1218.005 -datasets: -- name: sysmon3 - path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml b/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml index 43e787f74..429dc2ef6 100644 --- a/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml +++ b/datasets/attack_techniques/T1218.005/mshta_in_registry/mshta_in_registry.yml @@ -2,10 +2,16 @@ author: Teoderick Contreras, Splunk id: 3454c0fb-4318-465c-9315-61cd64fa2751 date: '2022-10-14' description: Generated datasets for mshta in registry in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1218.005/mshta_in_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://redcanary.com/threat-detection-report/techniques/mshta/ +environment: attack_range +directory: mshta_in_registry +mitre_technique: +- T1218.005 +datasets: +- name: sysmon3 + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon3.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1218.005/mshta_in_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml index ce152fffe..689784cd1 100644 --- a/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.007/atomic_red_team/atomic_red_team.yml @@ -1,17 +1,17 @@ author: Michael Haag id: 51e3fe65-2e04-4c12-9edf-225235c4cb14 date: '2022-06-16' -description: 'Simulation of all procedures from Atomic Red Team.' +description: Simulation of all procedures from Atomic Red Team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/msiexec_moved.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.007/atomic_red_team/windbg_msiexec.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/007 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md +directory: atomic_red_team +mitre_technique: +- T1218.007 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_msiexec-windows-security + path: /datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml deleted file mode 100644 index 6076cedf6..000000000 --- a/datasets/attack_techniques/T1218.007/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: efe33d17-ce1b-4648-9552-6f9bf24f09cc -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.007 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.007/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688_msiexec-windows-security - path: /datasets/attack_techniques/T1218.007/atomic_red_team/4688_msiexec-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml index bcf447ffc..ca46c35ec 100644 --- a/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.008/atomic_red_team/atomic_red_team.yml @@ -1,14 +1,21 @@ author: Michael Haag id: 51e3fe65-2e04-4c12-9edf-225235c4cb14 date: '2022-06-16' -description: 'Simulation of all procedures from Atomic Red Team.' +description: Simulation of all procedures from Atomic Red Team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/008 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md +directory: atomic_red_team +mitre_technique: +- T1218.008 +datasets: +- name: odbcconf-windows-security + path: /datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon-odbc-rsp + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon-odbc-regsvr + path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml deleted file mode 100644 index cbf87b12d..000000000 --- a/datasets/attack_techniques/T1218.008/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 50f1380a-cd49-43f5-a7a8-fd6c167f3e96 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.008 -datasets: -- name: odbcconf-windows-security - path: /datasets/attack_techniques/T1218.008/atomic_red_team/odbcconf-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon-odbc-rsp - path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-rsp.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon-odbc-regsvr - path: /datasets/attack_techniques/T1218.008/atomic_red_team/windows-sysmon-odbc-regsvr.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml index b5ed9c20b..312f1755d 100644 --- a/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.009/atomic_red_team/atomic_red_team.yml @@ -4,10 +4,11 @@ date: '2021-02-12' description: ' Invoked T1218.009 via AtomicRedTeam and manual execution of regasm and regsvcs.' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/009 -- https://github.com/redcanaryco/atomic-red-team/blob/c8f43265c78d826080f62d8a8dfc4d6874f563e8/atomics/T1218.009/T1218.009.md +directory: atomic_red_team +mitre_technique: +- T1218.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml deleted file mode 100644 index 3b86f3f91..000000000 --- a/datasets/attack_techniques/T1218.009/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9be966a9-4695-46c6-af97-9e126347d0e8 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.009 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml index a9eaa0893..807e499d6 100644 --- a/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.010/atomic_red_team/atomic_red_team.yml @@ -6,16 +6,11 @@ description: Successful execution of Atomic Tests T1218.010 T1218.010-1 Regsvr32 Regsvr32 local DLL execution T1218.010-4 Regsvr32 Registering Non DLL Manual execution of same tests, but with moved/renamed regsvr32.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.010/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md +directory: atomic_red_team +mitre_technique: +- T1218.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml deleted file mode 100644 index e94937e27..000000000 --- a/datasets/attack_techniques/T1218.010/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fc8098a0-f10b-490b-b21a-d1b5aa4b9f20 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.010 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.010/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml index eb2f62c60..bafbad22c 100644 --- a/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.011/atomic_red_team/atomic_red_team.yml @@ -8,17 +8,15 @@ description: 'Atomic Test Results: Successful Execution of test T1218.011-1 Rund Execution Return value unclear for test T1218.011-5 Rundll32 syssetup.dll Execution Return value unclear for test T1218.011-6 Rundll32 setupapi.dll Execution ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1218/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md +directory: atomic_red_team +mitre_technique: +- T1218.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ordinal_windows-sysmon + path: /datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml deleted file mode 100644 index f4e270e11..000000000 --- a/datasets/attack_techniques/T1218.011/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a102a9f3-175d-4a9e-b062-7669b4b8fdf2 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.011 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.011/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: ordinal_windows-sysmon - path: /datasets/attack_techniques/T1218.011/atomic_red_team/ordinal_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml b/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml deleted file mode 100644 index f9cb36052..000000000 --- a/datasets/attack_techniques/T1218.012/verclsid_exec/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a00d9a09-8716-407d-b28a-5e2434c8982f -date: '2025-08-12' -description: Automatically categorized datasets in directory verclsid_exec -environment: attack_range -directory: verclsid_exec -mitre_technique: -- T1218.012 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml b/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml index 92890f9e2..94769a13a 100644 --- a/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml +++ b/datasets/attack_techniques/T1218.012/verclsid_exec/verclsid_exec.yml @@ -3,7 +3,11 @@ id: fcc00e68-1283-4cf4-bfc7-e19784f5c453 date: '2021-09-29' description: manual verclsid commandline data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: verclsid_exec +mitre_technique: +- T1218.012 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1218.012/verclsid_exec/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml index ad80c4074..9d38a366b 100644 --- a/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1218.013/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haah id: cc9b2652-efc9-19eb-126b-850bf0943fbb date: '2020-11-30' -description: 'Atomic Test T1218 simulated for MavInject.exe' +description: Atomic Test T1218 simulated for MavInject.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218/013 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md +directory: atomic_red_team +mitre_technique: +- T1218.013 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml b/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml deleted file mode 100644 index 59a04125d..000000000 --- a/datasets/attack_techniques/T1218.013/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3094171d-7ff5-46a6-bbce-2cc1892c3a04 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1218.013 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218.013/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml index 31ccc2379..b1643a3a3 100644 --- a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml +++ b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml @@ -3,12 +3,15 @@ id: kk922623-2bd5-42eb-926b-120zf0943f11 date: '2024-11-13' description: BitLockerToGo.exe execution with Lumma Stealer. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1218 +directory: bitlockertogo +mitre_technique: +- T1218 +datasets: +- name: 4688_bitlockertogo_windows-security + path: /datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: bitlockertogo_windows-sysmon + path: /datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/bitlockertogo/data.yml b/datasets/attack_techniques/T1218/bitlockertogo/data.yml deleted file mode 100644 index 154107688..000000000 --- a/datasets/attack_techniques/T1218/bitlockertogo/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2a5a7579-df94-4f22-a5d9-57c3496a7145 -date: '2025-08-12' -description: Automatically categorized datasets in directory bitlockertogo -environment: attack_range -directory: bitlockertogo -mitre_technique: -- T1218 -datasets: -- name: 4688_bitlockertogo_windows-security - path: /datasets/attack_techniques/T1218/bitlockertogo/4688_bitlockertogo_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: bitlockertogo_windows-sysmon - path: /datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/diskshadow/data.yml b/datasets/attack_techniques/T1218/diskshadow/data.yml deleted file mode 100644 index 5e31ec7a6..000000000 --- a/datasets/attack_techniques/T1218/diskshadow/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a91e98af-269f-4827-9ea9-3ebe261b28a6 -date: '2025-08-12' -description: Automatically categorized datasets in directory diskshadow -environment: attack_range -directory: diskshadow -mitre_technique: -- T1218 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml b/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml index 600e8b009..5e8475326 100644 --- a/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml +++ b/datasets/attack_techniques/T1218/diskshadow/diskshadow.yml @@ -3,11 +3,11 @@ id: cc9b2623-abd5-11eb-926b-550bf0943fbb date: '2022-02-17' description: Execution of T1218 test 9 in atomic red team environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/atomic_red_team/windows-sysmon.log -sourcetypes: -- xmlwineventlog -- WinEventLog -references: -- https://attack.mitre.org/techniques/T1218 +directory: diskshadow +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/diskshadow/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/eviltwin/data.yml b/datasets/attack_techniques/T1218/eviltwin/data.yml deleted file mode 100644 index f71553fc4..000000000 --- a/datasets/attack_techniques/T1218/eviltwin/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0c425709-546a-472b-9546-f871a1585c07 -date: '2025-08-12' -description: Automatically categorized datasets in directory eviltwin -environment: attack_range -directory: eviltwin -mitre_technique: -- T1218 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml index beb5de4ad..1cfc5013d 100644 --- a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml +++ b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml @@ -3,9 +3,11 @@ id: k22b2623-abd5-11eb-926b-120zf0943f11 date: '2024-04-17' description: Events related to Evil Twin msc. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log -sourcetypes: -- WinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218 +directory: eviltwin +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml index f603388fb..4e74c1986 100644 --- a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag id: mh9b260e-efc9-11eb-926b-660bf0943cac date: '2022-08-22' -description: 'Atomic Red Team tests simulating remote access software installation.' +description: Atomic Red Team tests simulating remote access software installation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1219 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md +directory: atomic_red_team +mitre_technique: +- T1219 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/atomic_red_team/data.yml b/datasets/attack_techniques/T1219/atomic_red_team/data.yml deleted file mode 100644 index 0f4626161..000000000 --- a/datasets/attack_techniques/T1219/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0a1e0573-f65b-48ce-94bf-340c796d5e96 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1219 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/screenconnect/data.yml b/datasets/attack_techniques/T1219/screenconnect/data.yml deleted file mode 100644 index df36d853e..000000000 --- a/datasets/attack_techniques/T1219/screenconnect/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7d715348-25ee-4db9-8c2f-d1598828516a -date: '2025-08-12' -description: Automatically categorized datasets in directory screenconnect -environment: attack_range -directory: screenconnect -mitre_technique: -- T1219 -datasets: -- name: screenconnect_sysmon - path: /datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml index 440256866..edaabdccf 100644 --- a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml @@ -1,19 +1,14 @@ -author: Steven Dick -id: aa7a8c73-ecd0-4276-b48b-7aac36375641 -date: '2024-02-19' -description: 'Basic installation and usage of screenconnect RMM application for testing needs.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo_traffic.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- pan:threat -- pan:traffic -references: -- https://attack.mitre.org/techniques/T1219/ -- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ -- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ -- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 -- https://applipedia.paloaltonetworks.com/ +author: Steven Dick +id: aa7a8c73-ecd0-4276-b48b-7aac36375641 +date: '2024-02-19' +description: Basic installation and usage of screenconnect RMM application for testing + needs. +environment: attack_range +directory: screenconnect +mitre_technique: +- T1219 +datasets: +- name: screenconnect_sysmon + path: /datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1219/teamviewer/data.yml b/datasets/attack_techniques/T1219/teamviewer/data.yml deleted file mode 100644 index 612a64873..000000000 --- a/datasets/attack_techniques/T1219/teamviewer/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f939d9c5-6dbf-4fea-b53c-e5c193402afd -date: '2025-08-12' -description: Automatically categorized datasets in directory teamviewer -environment: attack_range -directory: teamviewer -mitre_technique: -- T1219 -datasets: -- name: windows_security - path: /datasets/attack_techniques/T1219/teamviewer/windows_security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml b/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml index ce18ce5a3..a5116fb92 100644 --- a/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml +++ b/datasets/attack_techniques/T1219/teamviewer/teamviewer.yml @@ -1,11 +1,13 @@ -author: Patrick Bareiss -id: 67cf6919-0596-4f78-bb2f-ad7f43170d3c -date: '2024-08-09' -description: 'Basic usage of teamviewer.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/teamviewer/windows_security.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1219/ +author: Patrick Bareiss +id: 67cf6919-0596-4f78-bb2f-ad7f43170d3c +date: '2024-08-09' +description: Basic usage of teamviewer. +environment: attack_range +directory: teamviewer +mitre_technique: +- T1219 +datasets: +- name: windows_security + path: /datasets/attack_techniques/T1219/teamviewer/windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml index 41da4d65a..fbd60cab9 100644 --- a/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1220/atomic_red_team/atomic_red_team.yml @@ -1,12 +1,13 @@ author: Michael Haag id: cc9b260e-efc9-11eb-926b-660bf0943fcc date: '2021-11-12' -description: 'Atomic Red Team tests simulating XSL execution with msxsl and wmic.' +description: Atomic Red Team tests simulating XSL execution with msxsl and wmic. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1220 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md +directory: atomic_red_team +mitre_technique: +- T1220 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1220/atomic_red_team/data.yml b/datasets/attack_techniques/T1220/atomic_red_team/data.yml deleted file mode 100644 index c18f53083..000000000 --- a/datasets/attack_techniques/T1220/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f5e06bbd-8df3-4bc8-be67-9f79d8094118 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1220 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1220/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml index fd5485b2d..855011060 100644 --- a/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1222.001/atomic_red_team/atomic_red_team.yml @@ -8,16 +8,11 @@ description: 'Atomic Test Results: Successful Execution of test T1222.001-1 Take - hide file Successful Execution of test T1222.001-5 Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1222/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md +directory: atomic_red_team +mitre_technique: +- T1222.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml deleted file mode 100644 index c49ee7eb3..000000000 --- a/datasets/attack_techniques/T1222.001/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b1b1e31a-9f0c-488f-ad9e-67dc505287e8 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1222.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1222.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml index 222a468b1..768f89b5d 100644 --- a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml +++ b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml @@ -1,19 +1,42 @@ author: Dean Luxton id: 809e0d76-4d6a-46d9-ba5d-0b4a838bb98a date: '2023-12-06' -description: Collection of various DACL abuse events generated manually in Active Directory. +description: Collection of various DACL abuse events generated manually in Active + Directory. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54 -- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a +directory: dacl_abuse +mitre_technique: +- T1222.001 +datasets: +- name: group_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: owner_updated_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_deletion_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: suspicious_acl_modification-windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: domain_root_acl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_ou_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: user_dacl_mod_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: hidden_object_windows-security-xml + path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml deleted file mode 100644 index 6e7c02a5c..000000000 --- a/datasets/attack_techniques/T1222.001/dacl_abuse/data.yml +++ /dev/null @@ -1,41 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1eb5e793-72c5-4536-b7b7-dd786b0f51cf -date: '2025-08-12' -description: Automatically categorized datasets in directory dacl_abuse -environment: attack_range -directory: dacl_abuse -mitre_technique: -- T1222.001 -datasets: -- name: group_dacl_mod_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: owner_updated_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: domain_root_acl_deletion_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: suspicious_acl_modification-windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: domain_root_acl_mod_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: hidden_ou_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: user_dacl_mod_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: hidden_object_windows-security-xml - path: /datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1222.001/subinacl/data.yml b/datasets/attack_techniques/T1222.001/subinacl/data.yml deleted file mode 100644 index fee97ecf2..000000000 --- a/datasets/attack_techniques/T1222.001/subinacl/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 734e922e-c531-4d08-9f07-6cfed766652b -date: '2025-08-12' -description: Automatically categorized datasets in directory subinacl -environment: attack_range -directory: subinacl -mitre_technique: -- T1222.001 -datasets: -- name: subinacl_sysmon - path: /datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml b/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml index 88467c083..c2347ec2a 100644 --- a/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml +++ b/datasets/attack_techniques/T1222.001/subinacl/subinacl.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: 4df3550d-09e9-4a9a-9846-51972ea73916 date: '2024-12-06' -description: This dataset contains process execution logs of subinacl.exe from Windows Sysmon logs. +description: This dataset contains process execution logs of subinacl.exe from Windows + Sysmon logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf -- https://ss64.com/nt/subinacl.html +directory: subinacl +mitre_technique: +- T1222.001 +datasets: +- name: subinacl_sysmon + path: /datasets/attack_techniques/T1222.001/subinacl/subinacl_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml deleted file mode 100644 index 0c8003213..000000000 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a568867c-2d28-4af2-a70a-ebc5082e2a44 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_chattr_i -environment: attack_range -directory: linux_auditd_chattr_i -mitre_technique: -- T1222.002 -datasets: -- name: auditd_proctitle_chattr - path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log - sourcetype: auditd - source: auditd -- name: linux_auditd_chattr_i - path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml index 9f627b404..ba390f8c2 100644 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml @@ -3,9 +3,15 @@ id: 6e7ac4e4-ef96-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chattr i in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_chattr_i +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chattr + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/auditd_proctitle_chattr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chattr_i + path: /datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml deleted file mode 100644 index f6426a9c9..000000000 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2692a8c8-8b44-4c1b-ba3d-95c928d45b1c -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_chmod_exec_attrib -environment: attack_range -directory: linux_auditd_chmod_exec_attrib -mitre_technique: -- T1222.002 -datasets: -- name: auditd_proctitle_chmod - path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log - sourcetype: auditd - source: auditd -- name: linux_auditd_chmod_exec_attrib - path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml index c02625a7c..a7b86b517 100644 --- a/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml +++ b/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml @@ -3,9 +3,15 @@ id: e201ca8a-ef95-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd chmod exec attrib in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_chmod_exec_attrib +mitre_technique: +- T1222.002 +datasets: +- name: auditd_proctitle_chmod + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/auditd_proctitle_chmod.log + sourcetype: auditd + source: auditd +- name: linux_auditd_chmod_exec_attrib + path: /datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml index e5639af34..d12b9c809 100644 --- a/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1482/atomic_red_team/atomic_red_team.yml @@ -4,12 +4,11 @@ date: '2021-01-25' description: Simulated execution of T1482 from Atomic Red Team, mimicking Ryuk Ransomware actor tradecraft. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1482/ -- https://thedfirreport.com/2020/10/08/ryuks-return/ +directory: atomic_red_team +mitre_technique: +- T1482 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1482/atomic_red_team/data.yml b/datasets/attack_techniques/T1482/atomic_red_team/data.yml deleted file mode 100644 index fc6a482be..000000000 --- a/datasets/attack_techniques/T1482/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a92b3e24-3df3-4e58-947c-372da10efdf4 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1482 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1482/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1482/discovery/data.yml b/datasets/attack_techniques/T1482/discovery/discovery.yml similarity index 79% rename from datasets/attack_techniques/T1482/discovery/data.yml rename to datasets/attack_techniques/T1482/discovery/discovery.yml index 56dbfce82..ca40552e3 100644 --- a/datasets/attack_techniques/T1482/discovery/data.yml +++ b/datasets/attack_techniques/T1482/discovery/discovery.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py +author: Michael Haag id: c8cb4031-ed28-4fbc-90ed-ce8aec69102a -date: '2025-08-12' -description: Automatically categorized datasets in directory discovery +date: '2021-09-02' +description: Simulated execution of T1482 from Atomic Red Team and manually. environment: attack_range directory: discovery mitre_technique: diff --git a/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml b/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml deleted file mode 100644 index 5f7b85e56..000000000 --- a/datasets/attack_techniques/T1482/discovery/domain_trust_discovery.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Michael Haag -date: '2021-09-02' -description: Simulated execution of T1482 from Atomic Red Team and manually. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/discovery/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1482/ diff --git a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml deleted file mode 100644 index bdf67b0bd..000000000 --- a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6dbdb11c-9897-484e-8d98-249bb1be94b6 -date: '2025-08-12' -description: Automatically categorized datasets in directory default_domain_policy_modified -environment: attack_range -directory: default_domain_policy_modified -mitre_technique: -- T1484.001 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml index 1eda6917d..a999edfc1 100644 --- a/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml +++ b/datasets/attack_techniques/T1484.001/default_domain_policy_modified/default_domain_policy_modified.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: c6b30c59-3a4e-43bf-8ad4-d2ff59d88ad8 date: '2023-03-29' -description: Manually modified the Default Domain Policy Group Policy Object on a domain controller. +description: Manually modified the Default Domain Policy Group Policy Object on a + domain controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/default_domain_policy_modified/security-4688.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 \ No newline at end of file +directory: default_domain_policy_modified +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/default_domain_policy_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/data.yml b/datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml similarity index 59% rename from datasets/attack_techniques/T1484.001/gpo_modification/data.yml rename to datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml index c513b2a54..a7d20e5d2 100644 --- a/datasets/attack_techniques/T1484.001/gpo_modification/data.yml +++ b/datasets/attack_techniques/T1484.001/gpo_modification/gpo_modification.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 73543f1c-1973-4376-9826-940b0428ac9e -date: '2025-08-12' -description: Automatically categorized datasets in directory gpo_modification +author: Dean Luxton +id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0 +date: '2023-12-18' +description: Manual Group Policy Object modification on a domain controller. environment: attack_range directory: gpo_modification mitre_technique: diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml deleted file mode 100644 index 8b8af823d..000000000 --- a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Dean Luxton -id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0 -date: '2023-12-18' -description: Manual Group Policy Object modification on a domain controller. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122 -- https://wald0.com/?p=179 -- https://learn.microsoft.com/en-gb/archive/blogs/mempson/group-policy-client-side-extension-list -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory diff --git a/datasets/attack_techniques/T1484.001/group_policy_created/data.yml b/datasets/attack_techniques/T1484.001/group_policy_created/data.yml deleted file mode 100644 index bb537da08..000000000 --- a/datasets/attack_techniques/T1484.001/group_policy_created/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1397e488-3ee2-4639-92e8-5ed8939ee65c -date: '2025-08-12' -description: Automatically categorized datasets in directory group_policy_created -environment: attack_range -directory: group_policy_created -mitre_technique: -- T1484.001 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml b/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml index ebcbbd4de..3d4859faf 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_created/group_policy_created.yml @@ -3,14 +3,11 @@ id: c7e8cdcd-e4f2-4fe4-93ff-25d9aa8d2b4b date: '2023-03-29' description: Manually created a new Group Policy Object on a domain controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_created/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://attack.mitre.org/techniques/T1484/ -- https://attack.mitre.org/techniques/T1484/001 -- https://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/ -- https://adsecurity.org/?p=2716 \ No newline at end of file +directory: group_policy_created +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_created/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml deleted file mode 100644 index e9338ff9e..000000000 --- a/datasets/attack_techniques/T1484.001/group_policy_deleted/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b035d284-d295-49ce-8be9-d6f4856eed78 -date: '2025-08-12' -description: Automatically categorized datasets in directory group_policy_deleted -environment: attack_range -directory: group_policy_deleted -mitre_technique: -- T1484.001 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml index 5d4de3d75..1d6f4e52a 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f date: '2024-08-07' -description: Manually deleting an active directory GPO using the Group Policy Management Console. +description: Manually deleting an active directory GPO using the Group Policy Management + Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory +directory: group_policy_deleted +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml deleted file mode 100644 index f92d4baa7..000000000 --- a/datasets/attack_techniques/T1484.001/group_policy_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 31cd349a-1966-4277-a1c4-4a0002df0baf -date: '2025-08-12' -description: Automatically categorized datasets in directory group_policy_disabled -environment: attack_range -directory: group_policy_disabled -mitre_technique: -- T1484.001 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml index 2ad2b6d20..ecd1fd808 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c date: '2024-08-07' -description: Manually disabling an active directory GPO using the Group Policy Management Console. +description: Manually disabling an active directory GPO using the Group Policy Management + Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory +directory: group_policy_disabled +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml deleted file mode 100644 index 963f684db..000000000 --- a/datasets/attack_techniques/T1484.001/group_policy_new_cse/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2b075917-cd2d-4b04-8f01-4e536d8cd1fe -date: '2025-08-12' -description: Automatically categorized datasets in directory group_policy_new_cse -environment: attack_range -directory: group_policy_new_cse -mitre_technique: -- T1484.001 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml index 0309b2682..42c9284a7 100644 --- a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml +++ b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml @@ -1,13 +1,14 @@ author: Dean Luxton id: ec16d55d-c0c6-496c-a27f-620ec19db5e5 date: '2024-08-08' -description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console. +description: Manually adding a new client side extension to an existing an active + directory group policy using the Group Policy Management Console. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log -sourcetypes: -- XmlWinEventLog -- ActiveDirectory -references: -- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory \ No newline at end of file +directory: group_policy_new_cse +mitre_technique: +- T1484.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml b/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml deleted file mode 100644 index 17234945c..000000000 --- a/datasets/attack_techniques/T1484.002/new_federated_domain/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 20ee411d-975e-4ed4-a19f-05090cf16795 -date: '2025-08-12' -description: Automatically categorized datasets in directory new_federated_domain -environment: attack_range -directory: new_federated_domain -mitre_technique: -- T1484.002 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml b/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml index 6202df9fd..44a21c824 100644 --- a/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml +++ b/datasets/attack_techniques/T1484.002/new_federated_domain/new_federated_domain.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 7c272679-8cb2-4e0c-8d0a-608239dc6520 date: '2022-09-02' -description: 'Manually added a new trusted domain using the Azure Portal and updated federation settings using AADInternals. - Tenant specific details like tenant id, user names, etc. have been modified.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452 -- https://o365blog.com/post/federation-vulnerability/ -- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html -- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors -- https://github.com/Gerenios/AADInternals \ No newline at end of file +description: Manually added a new trusted domain using the Azure Portal and updated + federation settings using AADInternals. Tenant specific details like tenant id, + user names, etc. have been modified. +environment: attack_range +directory: new_federated_domain +mitre_technique: +- T1484.002 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1484.002/new_federated_domain/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml b/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml index 3a0656ae3..9c7659ba2 100644 --- a/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml +++ b/datasets/attack_techniques/T1484/DCShadowPermissions/DCShadowPermissions.yml @@ -1,11 +1,14 @@ author: Dean Luxton -id: ab8cde6c-5099-4955-928c-5707b62b9d7f +id: ab8cde6c-5099-4955-928c-5707b62b9d7f date: '2023-11-10' -description: Executing the Set-DCShadowPermissions.ps1 powershell script to apply the minimal permissions required to perform a DCShadow attack. +description: Executing the Set-DCShadowPermissions.ps1 powershell script to apply + the minimal permissions required to perform a DCShadow attack. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://raw.githubusercontent.com/samratashok/nishang/master/ActiveDirectory/Set-DCShadowPermissions.ps1 +directory: DCShadowPermissions +mitre_technique: +- T1484 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml b/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml deleted file mode 100644 index 4c36e8023..000000000 --- a/datasets/attack_techniques/T1484/DCShadowPermissions/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cab2042f-5a34-4856-94da-63f5c94197ab -date: '2025-08-12' -description: Automatically categorized datasets in directory DCShadowPermissions -environment: attack_range -directory: DCShadowPermissions -mitre_technique: -- T1484 -datasets: -- name: windows-security-xml - path: /datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml b/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml deleted file mode 100644 index a5f23a317..000000000 --- a/datasets/attack_techniques/T1484/aclmodification/acl_modification.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Dean Luxton -id: e47f3373-8794-4def-8b58-b26a8971a059 -date: '2022-11-18' -description: Manually applying the necessary privileges to perform the DCSync attack via adsiedit. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484/aclmodification/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb -- https://github.com/SigmaHQ/sigma/blob/29a5c62784faf986dc03952ae3e90e3df3294284/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml diff --git a/datasets/attack_techniques/T1484/aclmodification/data.yml b/datasets/attack_techniques/T1484/aclmodification/aclmodification.yml similarity index 59% rename from datasets/attack_techniques/T1484/aclmodification/data.yml rename to datasets/attack_techniques/T1484/aclmodification/aclmodification.yml index 13bf70e9b..1c50fce58 100644 --- a/datasets/attack_techniques/T1484/aclmodification/data.yml +++ b/datasets/attack_techniques/T1484/aclmodification/aclmodification.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 078b5e62-f817-4f33-8070-343e8883e72e -date: '2025-08-12' -description: Automatically categorized datasets in directory aclmodification +author: Dean Luxton +id: e47f3373-8794-4def-8b58-b26a8971a059 +date: '2022-11-18' +description: Manually applying the necessary privileges to perform the DCSync attack + via adsiedit. environment: attack_range directory: aclmodification mitre_technique: diff --git a/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml index f2bd25356..4cece34db 100644 --- a/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1485/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,11 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware extensions .wcry environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: atomic_red_team +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/atomic_red_team/data.yml b/datasets/attack_techniques/T1485/atomic_red_team/data.yml deleted file mode 100644 index 0935fb085..000000000 --- a/datasets/attack_techniques/T1485/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 133766a4-8579-4f4b-a395-125ab3b87dc9 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1485 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1485/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml deleted file mode 100644 index 01601584a..000000000 --- a/datasets/attack_techniques/T1485/decommissioned_buckets/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 78225b09-7510-4a8a-b2bb-dfd20da047bd -date: '2025-08-12' -description: Automatically categorized datasets in directory decommissioned_buckets -environment: attack_range -directory: decommissioned_buckets -mitre_technique: -- T1485 -datasets: -- name: web_cloudfront_access - path: /datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml index 0ffd13cc1..78b7115e9 100644 --- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml +++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml @@ -1,18 +1,16 @@ author: Jose Hernandez, Bhavin Patel id: 984e9022-b87b-499a-a260-8d0282c46ea2 date: '2025-02-14' -description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of an intentionally exposed S3 bucket, including its creation, public access configuration (via bucket policy and website hosting), and subsequent deletion. This simulates the detection of potentially risky S3 bucket configurations and their decommissioning process. +description: Dataset generated from AWS CloudTrail logs capturing the lifecycle of + an intentionally exposed S3 bucket, including its creation, public access configuration + (via bucket policy and website hosting), and subsequent deletion. This simulates + the detection of potentially risky S3 bucket configurations and their decommissioning + process. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/dns.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log -sourcetypes: -- aws:cloudtrail -- aws:cloudfront:accesslogs -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1485/ -- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html -- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/ -- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ +directory: decommissioned_buckets +mitre_technique: +- T1485 +datasets: +- name: web_cloudfront_access + path: /datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log + sourcetype: access_combined diff --git a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml deleted file mode 100644 index 471a1f3bc..000000000 --- a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f0fd2205-79a2-48cd-a575-0ca0dbf63c00 -date: '2025-08-12' -description: Automatically categorized datasets in directory excessive_file_del_in_windefender_dir -environment: attack_range -directory: excessive_file_del_in_windefender_dir -mitre_technique: -- T1485 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml index 3f3787531..f408c00e8 100644 --- a/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml +++ b/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/excessive_file_del_in_windefender_dir.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras, Steven Dick id: e1638db8-7a07-11ec-8b68-acde48001122 date: '2024-03-05' -description: Generated datasets for excessive file del in windefender dir in attack range. +description: Generated datasets for excessive file del in windefender dir in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: excessive_file_del_in_windefender_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/excessive_file_del_in_windefender_dir/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml b/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml deleted file mode 100644 index 253387531..000000000 --- a/datasets/attack_techniques/T1485/excessive_file_deletions/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6e2d96e2-be06-4e16-b582-2b984c1452d5 -date: '2025-08-12' -description: Automatically categorized datasets in directory excessive_file_deletions -environment: attack_range -directory: excessive_file_deletions -mitre_technique: -- T1485 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml b/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml index cfd51597f..cca930df6 100644 --- a/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml +++ b/datasets/attack_techniques/T1485/excessive_file_deletions/excessive_file_deletions.yml @@ -3,9 +3,11 @@ id: 0356c805-ac3f-47a6-9f49-7303c72a50c4 date: '2021-12-08' description: High amount of file deletions environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1485/ +directory: excessive_file_deletions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/excessive_file_deletions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml deleted file mode 100644 index 6d7454c4e..000000000 --- a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 162f024d-f23c-4495-86bf-9fc6a71b2518 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_dd_overwrite -environment: attack_range -directory: linux_auditd_dd_overwrite -mitre_technique: -- T1485 -datasets: -- name: linux_auditd_dd_overwrite - path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log - sourcetype: auditd - source: auditd -- name: auditd_proctitle_dd_overwrite - path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml index 4743d81a1..e7d33eba0 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.yml @@ -3,9 +3,15 @@ id: 60feae32-ef93-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd dd overwrite in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log -sourcetypes: -- 'auditd' -references: -- https://gtfobins.github.io/gtfobins/dd/ \ No newline at end of file +directory: linux_auditd_dd_overwrite +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/linux_auditd_dd_overwrite.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_dd_overwrite + path: /datasets/attack_techniques/T1485/linux_auditd_dd_overwrite/auditd_proctitle_dd_overwrite.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml deleted file mode 100644 index 491cfcc6c..000000000 --- a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4eba62de-b5c8-4fb7-bef8-870f81290312 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_no_preserve_root -environment: attack_range -directory: linux_auditd_no_preserve_root -mitre_technique: -- T1485 -datasets: -- name: auditd_proctitle_rm_rf - path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log - sourcetype: auditd - source: auditd -- name: linux_auditd_no_preserve_root - path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml index d13d7b236..5a0ec25e2 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.yml @@ -3,9 +3,15 @@ id: 13c8b468-ef85-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd no preserve root in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log -sourcetypes: -- 'auditd' -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ \ No newline at end of file +directory: linux_auditd_no_preserve_root +mitre_technique: +- T1485 +datasets: +- name: auditd_proctitle_rm_rf + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/auditd_proctitle_rm_rf.log + sourcetype: auditd + source: auditd +- name: linux_auditd_no_preserve_root + path: /datasets/attack_techniques/T1485/linux_auditd_no_preserve_root/linux_auditd_no_preserve_root.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml b/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml deleted file mode 100644 index 65777c309..000000000 --- a/datasets/attack_techniques/T1485/linux_auditd_shred/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 413e0b6a-60c3-4f5c-85b7-9a67d2987eec -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_shred -environment: attack_range -directory: linux_auditd_shred -mitre_technique: -- T1485 -datasets: -- name: linux_auditd_shred - path: /datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log - sourcetype: auditd - source: auditd -- name: auditd_proctitle_shred - path: /datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml b/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml index 95d1f9fea..ad54961a9 100644 --- a/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml +++ b/datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.yml @@ -3,9 +3,15 @@ id: 89b601ac-efa4-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd shred in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log -sourcetypes: -- 'auditd' -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_auditd_shred +mitre_technique: +- T1485 +datasets: +- name: linux_auditd_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/linux_auditd_shred.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_shred + path: /datasets/attack_techniques/T1485/linux_auditd_shred/auditd_proctitle_shred.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml deleted file mode 100644 index 0751fe611..000000000 --- a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 829163ec-f9dc-411e-b913-3c9a4f1269c7 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_dd_file_overwrite -environment: attack_range -directory: linux_dd_file_overwrite -mitre_technique: -- T1485 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml index 69fb4f968..041974c0a 100644 --- a/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml +++ b/datasets/attack_techniques/T1485/linux_dd_file_overwrite/linux_dd_file_overwrite.yml @@ -3,9 +3,11 @@ id: 30da9cb2-8d8e-11ec-9761-acde48001122 date: '2022-02-14' description: Generated datasets for linux dd file overwrite in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md \ No newline at end of file +directory: linux_dd_file_overwrite +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/linux_dd_file_overwrite/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_extensions/data.yml b/datasets/attack_techniques/T1485/ransomware_extensions/data.yml deleted file mode 100644 index 4ecaac2e8..000000000 --- a/datasets/attack_techniques/T1485/ransomware_extensions/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0106b18b-2be5-4e07-9d51-ccf8e2d443b5 -date: '2025-08-12' -description: Automatically categorized datasets in directory ransomware_extensions -environment: attack_range -directory: ransomware_extensions -mitre_technique: -- T1485 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml b/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml index 95e82a20d..403d97170 100644 --- a/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml +++ b/datasets/attack_techniques/T1485/ransomware_extensions/ransomware_extensions.yml @@ -4,15 +4,11 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware filename GetYouFiles.txt environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_extensions/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: ransomware_extensions +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_extensions/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_notes/data.yml b/datasets/attack_techniques/T1485/ransomware_notes/data.yml deleted file mode 100644 index 7ee9b4e88..000000000 --- a/datasets/attack_techniques/T1485/ransomware_notes/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eeadd6ae-a0ac-4d4e-ada2-5d5af5aa7339 -date: '2025-08-12' -description: Automatically categorized datasets in directory ransomware_notes -environment: attack_range -directory: ransomware_notes -mitre_technique: -- T1485 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: ransom-sysmon - path: /datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml b/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml index 00ed9715e..35858d0f6 100644 --- a/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml +++ b/datasets/attack_techniques/T1485/ransomware_notes/ransomware_notes.yml @@ -4,16 +4,15 @@ date: '2020-11-09' description: Manual generation of attack data by creating a file with a known ransomware filename GetYouFiles.txt environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/ransomware_notes/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1485/ +directory: ransomware_notes +mitre_technique: +- T1485 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ransom-sysmon + path: /datasets/attack_techniques/T1485/ransomware_notes/ransom-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_boot_dir/data.yml b/datasets/attack_techniques/T1485/rm_boot_dir/data.yml deleted file mode 100644 index 25f8a189f..000000000 --- a/datasets/attack_techniques/T1485/rm_boot_dir/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 75b422b7-e863-4a6e-8fa7-b3df73945570 -date: '2025-08-12' -description: Automatically categorized datasets in directory rm_boot_dir -environment: attack_range -directory: rm_boot_dir -mitre_technique: -- T1485 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml b/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml index c08dd0594..717e035cc 100644 --- a/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml +++ b/datasets/attack_techniques/T1485/rm_boot_dir/rm_boot_dir.yml @@ -3,9 +3,11 @@ id: 39bbc1a6-c607-11ec-ba6f-acde48001122 date: '2022-04-27' description: Generated datasets for rm boot dir in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: rm_boot_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_boot_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml b/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml deleted file mode 100644 index 4f7e49496..000000000 --- a/datasets/attack_techniques/T1485/rm_shred_critical_dir/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 24f8617a-de51-4343-bea2-21442cfd750d -date: '2025-08-12' -description: Automatically categorized datasets in directory rm_shred_critical_dir -environment: attack_range -directory: rm_shred_critical_dir -mitre_technique: -- T1485 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml b/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml index 7ea38215c..3f6673eb5 100644 --- a/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml +++ b/datasets/attack_techniques/T1485/rm_shred_critical_dir/rm_shred_critical_dir.yml @@ -3,9 +3,11 @@ id: 66653d16-c546-11ec-acb6-acde48001122 date: '2022-04-26' description: Generated datasets for rm shred critical dir in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: rm_shred_critical_dir +mitre_technique: +- T1485 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1485/rm_shred_critical_dir/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/sdelete/data.yml b/datasets/attack_techniques/T1485/sdelete/data.yml deleted file mode 100644 index d67db76b2..000000000 --- a/datasets/attack_techniques/T1485/sdelete/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a2fb0b2a-6bcf-409a-b98d-493c8f32aefc -date: '2025-08-12' -description: Automatically categorized datasets in directory sdelete -environment: attack_range -directory: sdelete -mitre_technique: -- T1485 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1485/sdelete/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1485/sdelete/sdelete.yml b/datasets/attack_techniques/T1485/sdelete/sdelete.yml index 5b3c5a077..b80c59f91 100644 --- a/datasets/attack_techniques/T1485/sdelete/sdelete.yml +++ b/datasets/attack_techniques/T1485/sdelete/sdelete.yml @@ -3,9 +3,11 @@ id: 94fef1a8-8975-4afa-947d-24826e76f337 date: '2021-10-06' description: sdelte execution data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/sdelete/security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security \ No newline at end of file +directory: sdelete +mitre_technique: +- T1485 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1485/sdelete/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml b/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml index d7ddf0ff7..867f753ea 100644 --- a/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml +++ b/datasets/attack_techniques/T1486/aws_kms_key/aws_kms_key.yml @@ -5,10 +5,15 @@ description: Dataset which contains cloudtrail logs and the creation of a kms ke with a policy that all people can use the key for encryption, which is common for S3 ransomware attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1486 -- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +directory: aws_kms_key +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1486/aws_kms_key/data.yml b/datasets/attack_techniques/T1486/aws_kms_key/data.yml deleted file mode 100644 index 1a06cbad3..000000000 --- a/datasets/attack_techniques/T1486/aws_kms_key/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9f396f78-167b-4652-bb07-a582b6dc6a54 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_kms_key -environment: attack_range -directory: aws_kms_key -mitre_technique: -- T1486 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1486/aws_kms_key/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1486/aws_kms_key/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1486/dcrypt/data.yml b/datasets/attack_techniques/T1486/dcrypt/data.yml deleted file mode 100644 index 5ece99889..000000000 --- a/datasets/attack_techniques/T1486/dcrypt/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ba9b58cf-e637-433b-aa1c-77ba5c22f9e3 -date: '2025-08-12' -description: Automatically categorized datasets in directory dcrypt -environment: attack_range -directory: dcrypt -mitre_technique: -- T1486 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml b/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml index 8224242ed..9554dac5c 100644 --- a/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml +++ b/datasets/attack_techniques/T1486/dcrypt/dcrypt.yml @@ -3,9 +3,11 @@ id: cc9b260f-efc9-11eb-926b-660bf0943fbb date: '2020-11-15' description: Manual generation of dcrypt utility. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1486/ +directory: dcrypt +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/dcrypt/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/s3_file_encryption/data.yml b/datasets/attack_techniques/T1486/s3_file_encryption/data.yml deleted file mode 100644 index e380a940c..000000000 --- a/datasets/attack_techniques/T1486/s3_file_encryption/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a6e2b14c-ffd6-4c3b-84d6-d3e7a69b92c2 -date: '2025-08-12' -description: Automatically categorized datasets in directory s3_file_encryption -environment: attack_range -directory: s3_file_encryption -mitre_technique: -- T1486 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml b/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml index 72aa42221..df9e6d1d2 100644 --- a/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml +++ b/datasets/attack_techniques/T1486/s3_file_encryption/s3_file_encryption.yml @@ -4,10 +4,11 @@ date: '2021-01-11' description: Cloudtrail dataset with an s3 copy and encrypt operation. This is often used in S3 ransomware attacks. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1486 -- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ +directory: s3_file_encryption +mitre_technique: +- T1486 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1486/s3_file_encryption/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1486/sam_sam_note/data.yml b/datasets/attack_techniques/T1486/sam_sam_note/data.yml deleted file mode 100644 index 3e9e8cd9b..000000000 --- a/datasets/attack_techniques/T1486/sam_sam_note/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 562f5409-7cf3-4ffd-a994-5e32750587a7 -date: '2025-08-12' -description: Automatically categorized datasets in directory sam_sam_note -environment: attack_range -directory: sam_sam_note -mitre_technique: -- T1486 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml b/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml index 35a6033a8..07ab523ea 100644 --- a/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml +++ b/datasets/attack_techniques/T1486/sam_sam_note/sam_sam_note.yml @@ -4,15 +4,11 @@ date: '2020-12-07' description: Manual generation of attack data by creating a file with a known ransomware filename test.txt in Windows32 folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1486/sam_sam_note/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1486/ +directory: sam_sam_note +mitre_technique: +- T1486 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1486/sam_sam_note/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml deleted file mode 100644 index 3ead66f1e..000000000 --- a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 12707eeb-cdbf-49e5-a17e-b81762628bf7 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_auditd_service_stop -environment: attack_range -directory: linux_auditd_auditd_service_stop -mitre_technique: -- T1489 -datasets: -- name: linux_auditd_auditd_service_stop - path: /datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml index 2ab268e66..eb896c1ee 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml @@ -3,9 +3,11 @@ id: 66554f98-5a25-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd auditd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml deleted file mode 100644 index 407f75db9..000000000 --- a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8b2032de-bb95-4fec-8e5a-fed537499948 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_osquerd_service_stop -environment: attack_range -directory: linux_auditd_osquerd_service_stop -mitre_technique: -- T1489 -datasets: -- name: linux_auditd_osquerd_service_stop - path: /datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml index c65513c8b..2526b40c7 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml @@ -3,9 +3,11 @@ id: d9926de0-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd osquerd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_osquerd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_osquerd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml deleted file mode 100644 index 97d3ec2cf..000000000 --- a/datasets/attack_techniques/T1489/linux_auditd_service_stop/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e04311d9-a0f0-4039-9c20-cc8ac7141282 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_service_stop -environment: attack_range -directory: linux_auditd_service_stop -mitre_technique: -- T1489 -datasets: -- name: linux_auditd_service_stop - path: /datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml index 25e713cb1..d320a36bc 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.yml @@ -3,9 +3,11 @@ id: da081f1e-5648-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd service stop in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_auditd_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_service_stop/linux_auditd_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml deleted file mode 100644 index 0b440727e..000000000 --- a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ec178259-6e26-445b-9c1a-8680be48a85b -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_sysmon_service_stop -environment: attack_range -directory: linux_auditd_sysmon_service_stop -mitre_technique: -- T1489 -datasets: -- name: linux_auditd_sysmon_service_stop - path: /datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml index d4effacae..454f9f7cf 100644 --- a/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml +++ b/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras, Splunk id: dfe57ad8-5a23-11ef-927e-acde48001122 date: '2024-08-14' -description: Generated datasets for linux auditd sysmon service stop.log in attack range. +description: Generated datasets for linux auditd sysmon service stop.log in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_sysmon_service_stop +mitre_technique: +- T1489 +datasets: +- name: linux_auditd_sysmon_service_stop + path: /datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml b/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml deleted file mode 100644 index cf293f79b..000000000 --- a/datasets/attack_techniques/T1489/linux_service_stop_disable/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 60abb680-986b-4799-84df-003fe66c1bb3 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_service_stop_disable -environment: attack_range -directory: linux_service_stop_disable -mitre_technique: -- T1489 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml b/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml index c4472c800..95e962020 100644 --- a/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml +++ b/datasets/attack_techniques/T1489/linux_service_stop_disable/linux_service_stop_disable.yml @@ -3,9 +3,11 @@ id: 5612e69e-c536-11ec-b3df-acde48001122 date: '2022-04-26' description: Generated datasets for linux service stop disable in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: linux_service_stop_disable +mitre_technique: +- T1489 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1489/linux_service_stop_disable/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml index 087e6a000..75bc7dbfe 100644 --- a/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1490/atomic_red_team/atomic_red_team.yml @@ -9,17 +9,15 @@ description: 'Atomic Test Results: Successful Execution of test T1490-1 Windows Shadow Copies via WMI with PowerShell Successful Execution of test T1490-6 Windows - Delete Backup Files ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/shadow-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1490/ -- https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1490/T1490.md +directory: atomic_red_team +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_xml_windows_security_delete_shadow + path: /datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1490/atomic_red_team/data.yml b/datasets/attack_techniques/T1490/atomic_red_team/data.yml deleted file mode 100644 index 786c5af71..000000000 --- a/datasets/attack_techniques/T1490/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e29ae475-9a1f-491a-9d3d-134a7e07999e -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1490 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688_xml_windows_security_delete_shadow - path: /datasets/attack_techniques/T1490/atomic_red_team/4688_xml_windows_security_delete_shadow.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml b/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml index 37fd9c9a1..9167faf6a 100644 --- a/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml +++ b/datasets/attack_techniques/T1490/aws_bucket_version/aws_bucket_version.yml @@ -1,11 +1,13 @@ author: Bhavin Patel id: cc9125e3-efc9-1111-916b-550bf0943fbb date: '2023-04-12' -description: Dataset which contains an event for suspension of AWS bucket versioning. +description: Dataset which contains an event for suspension of AWS bucket versioning. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/aws_bucket_version/cloudtrail.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1490 \ No newline at end of file +directory: aws_bucket_version +mitre_technique: +- T1490 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1490/aws_bucket_version/data.yml b/datasets/attack_techniques/T1490/aws_bucket_version/data.yml deleted file mode 100644 index f53cf96a8..000000000 --- a/datasets/attack_techniques/T1490/aws_bucket_version/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7265e1cd-50c7-499e-8901-d75a25741241 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_bucket_version -environment: attack_range -directory: aws_bucket_version -mitre_technique: -- T1490 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1490/aws_bucket_version/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1490/ransomware_notes/data.yml b/datasets/attack_techniques/T1490/ransomware_notes/data.yml deleted file mode 100644 index abfefc69e..000000000 --- a/datasets/attack_techniques/T1490/ransomware_notes/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 88a62f79-a1bb-4def-8f37-21154f4e6dd4 -date: '2025-08-12' -description: Automatically categorized datasets in directory ransomware_notes -environment: attack_range -directory: ransomware_notes -mitre_technique: -- T1490 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml b/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml index d8060a5e3..1d056a867 100644 --- a/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml +++ b/datasets/attack_techniques/T1490/ransomware_notes/ransomware_notes.yml @@ -9,16 +9,11 @@ description: 'Atomic Test Results: Successful Execution of test T1490-1 Windows Shadow Copies via WMI with PowerShell Successful Execution of test T1490-6 Windows - Delete Backup Files ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/ransomware_notes/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1490/ -- https://github.com/redcanaryco/atomic-red-team/blob/7e4580a1e80310ca5e6652a3e54a633143290526/atomics/T1490/T1490.md +directory: ransomware_notes +mitre_technique: +- T1490 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1490/ransomware_notes/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/shadowcopy_del/data.yml b/datasets/attack_techniques/T1490/shadowcopy_del/data.yml deleted file mode 100644 index e9bd53e75..000000000 --- a/datasets/attack_techniques/T1490/shadowcopy_del/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 51cfa0a7-e93c-41ab-906d-57c198f697d8 -date: '2025-08-12' -description: Automatically categorized datasets in directory shadowcopy_del -environment: attack_range -directory: shadowcopy_del -mitre_technique: -- T1490 -datasets: -- name: wmicshadowcopydelete_sysmon - path: /datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml b/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml index 2cbd462db..307de52f1 100644 --- a/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml +++ b/datasets/attack_techniques/T1490/shadowcopy_del/shadowcopy_del.yml @@ -3,14 +3,14 @@ id: cc9b261f-efc9-11eb-926b-550bf0943fbb date: '2025-03-18' description: This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded command to delete shadow copy. - This hex encoded command was able to decrypt by powershell log. WMIC shadowcopy delete behavior. + This hex encoded command was able to decrypt by powershell log. WMIC shadowcopy + delete behavior. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- wineventlog -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1490/ +directory: shadowcopy_del +mitre_technique: +- T1490 +datasets: +- name: wmicshadowcopydelete_sysmon + path: /datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1497.003/ping_sleep/data.yml b/datasets/attack_techniques/T1497.003/ping_sleep/data.yml deleted file mode 100644 index bf15c9648..000000000 --- a/datasets/attack_techniques/T1497.003/ping_sleep/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 64046204-d1d1-44d1-937f-2033ed24df90 -date: '2025-08-12' -description: Automatically categorized datasets in directory ping_sleep -environment: attack_range -directory: ping_sleep -mitre_technique: -- T1497.003 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml b/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml index b4e908c6a..5b8139c2d 100644 --- a/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml +++ b/datasets/attack_techniques/T1497.003/ping_sleep/ping_sleep.yml @@ -3,9 +3,11 @@ id: 3a828f4c-79f5-11ec-bf39-acde48001122 date: '2022-01-20' description: Generated datasets for ping sleep in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file +directory: ping_sleep +mitre_technique: +- T1497.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1497.003/ping_sleep/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1505.001/simulation/data.yml b/datasets/attack_techniques/T1505.001/simulation/simulation.yml similarity index 83% rename from datasets/attack_techniques/T1505.001/simulation/data.yml rename to datasets/attack_techniques/T1505.001/simulation/simulation.yml index e6c1c8a6d..8ffb1a5a0 100644 --- a/datasets/attack_techniques/T1505.001/simulation/data.yml +++ b/datasets/attack_techniques/T1505.001/simulation/simulation.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: dd59d7f0-66dd-4db1-ae5d-f4601c2233e9 -date: '2025-08-12' -description: Automatically categorized datasets in directory simulation +author: Michael Haag +id: cc9b2609-1239-11eb-926b-550bf0943fbb +date: '2025-02-05' +description: Common SQL Server abuse simulation data environment: attack_range directory: simulation mitre_technique: diff --git a/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml b/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml deleted file mode 100644 index 43fd4749d..000000000 --- a/datasets/attack_techniques/T1505.001/simulation/sql_server_abuse.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Michael Haag -id: cc9b2609-1239-11eb-926b-550bf0943fbb -date: '2025-02-05' -description: Common SQL Server abuse simulation data -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/sqlservr-windows_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/windows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/sql_startupprocedure_widows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/adhocdq_windows_application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.001/simulation/dllprocedureload_windows-application.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Application -references: -- https://attack.mitre.org/techniques/T1505/001/ -- https://github.com/MHaggis/notes/tree/master/utilities/SQLSSTT \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.003/data.yml b/datasets/attack_techniques/T1505.003/T1505.003.yml similarity index 60% rename from datasets/attack_techniques/T1505.003/data.yml rename to datasets/attack_techniques/T1505.003/T1505.003.yml index cb9ca9644..cfe9f89c9 100644 --- a/datasets/attack_techniques/T1505.003/data.yml +++ b/datasets/attack_techniques/T1505.003/T1505.003.yml @@ -1,7 +1,12 @@ -author: Generated by dataset_analyzer.py -id: ad3ce362-e5b1-4eb7-b6f1-b76962b12889 -date: '2025-08-12' -description: Automatically categorized datasets in directory T1505.003 +author: Michael Haag +id: cc9b2609-efc9-11eb-926b-550bf0943fbb +date: '2021-03-11' +description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, + simulating web shell activity. In addition, behavior related to Microsoft Exchange + Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning + a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. + The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, + CVE-2021-26858, and CVE-2021-27065. environment: attack_range directory: T1505.003 mitre_technique: diff --git a/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml b/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml deleted file mode 100644 index 139e1808f..000000000 --- a/datasets/attack_techniques/T1505.003/exchange_web_shell_behavior_logs.yml +++ /dev/null @@ -1,22 +0,0 @@ -author: Michael Haag -id: cc9b2609-efc9-11eb-926b-550bf0943fbb -date: '2021-03-11' -description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, - simulating web shell activity. In addition, behavior related to Microsoft Exchange - Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning - a child process. Behaviors are related to vulnerabilities exploited by HAFNIUM Group. - The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, - CVE-2021-26858, and CVE-2021-27065. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_umservices.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/windows-sysmon_proxylogon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1505/003 -- https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html -- https://my.netsurion.com/hafnium-detection-and-monitoring-solution -- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ diff --git a/datasets/attack_techniques/T1505.004/data.yml b/datasets/attack_techniques/T1505.004/T1505.004.yml similarity index 92% rename from datasets/attack_techniques/T1505.004/data.yml rename to datasets/attack_techniques/T1505.004/T1505.004.yml index f0c94d9a5..b5c1fb837 100644 --- a/datasets/attack_techniques/T1505.004/data.yml +++ b/datasets/attack_techniques/T1505.004/T1505.004.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: f6d6fcae-e312-4ac2-964b-992dcbba57dd -date: '2025-08-12' -description: Automatically categorized datasets in directory T1505.004 +author: Michael Haag +id: 22d2640d-cd56-4abd-8d76-13c881820615 +date: '2022-12-19' +description: The following data was produced to emulate suspicious IIS Module activity + on Windows. environment: attack_range directory: T1505.004 mitre_technique: diff --git a/datasets/attack_techniques/T1505.004/iis_modules.yml b/datasets/attack_techniques/T1505.004/iis_modules.yml deleted file mode 100644 index ce9701e24..000000000 --- a/datasets/attack_techniques/T1505.004/iis_modules.yml +++ /dev/null @@ -1,30 +0,0 @@ -author: Michael Haag -id: 22d2640d-cd56-4abd-8d76-13c881820615 -date: '2022-12-19' -description: The following data was produced to emulate suspicious IIS Module activity on Windows. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_install-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/appcmd_4688-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/IIS-Configuration-Operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/2282_windows-application.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_installediismodules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/disable_http_logging_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/4104_disable_http_logging_windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/gacutil_4688_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.004/pwsh_publish_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -- IIS:Configuration:Operational -- Pwsh:InstalledIISModules -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1505/004 -- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/ -- https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework-1.pdf -- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ -- https://www.secureworks.com/research/bronze-union -- https://strontic.github.io/xcyclopedia/library/appcmd.exe-055B2B09409F980BF9B5A3969D01E5B2.html \ No newline at end of file diff --git a/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml b/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml index 354854b5a..07e09a0a3 100644 --- a/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml +++ b/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.yml @@ -3,10 +3,11 @@ id: cc9b2659-efc9-11eb-926b-550bf0943fbb date: '2021-04-13' description: Dataset which contains cloudtrail logs from cloudsploit. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1526 -- https://github.com/aquasecurity/cloudsploit +directory: aws_security_scanner +mitre_technique: +- T1526 +datasets: +- name: aws_security_scanner-json + path: /datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1526/aws_security_scanner/data.yml b/datasets/attack_techniques/T1526/aws_security_scanner/data.yml deleted file mode 100644 index e498ed95a..000000000 --- a/datasets/attack_techniques/T1526/aws_security_scanner/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5a1b22cd-feed-453d-9925-3a02906ad026 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_security_scanner -environment: attack_range -directory: aws_security_scanner -mitre_technique: -- T1526 -datasets: -- name: aws_security_scanner-json - path: /datasets/attack_techniques/T1526/aws_security_scanner/aws_security_scanner.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml deleted file mode 100644 index 035b5e45e..000000000 --- a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6ba5781e-033b-47a0-9f92-a386226a74b8 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_audit_pull_image -environment: attack_range -directory: kubernetes_audit_pull_image -mitre_technique: -- T1526 -datasets: -- name: kubernetes_audit_pull_image-json - path: /datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml index 32cbbffcf..bad5b57f5 100644 --- a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml +++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml @@ -3,9 +3,11 @@ id: 38e470fb-3c73-42c5-a5e6-47838df5e62e date: '2023-12-07' description: Kubernetes audit logs which contains pulling a image. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json -sourcetypes: -- aws:cloudwatchlogs -references: -- https://attack.mitre.org/techniques/T1526 +directory: kubernetes_audit_pull_image +mitre_technique: +- T1526 +datasets: +- name: kubernetes_audit_pull_image-json + path: /datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml deleted file mode 100644 index a1445cb2f..000000000 --- a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 58ed8c63-e779-4244-a631-27d12aff8c82 -date: '2025-08-12' -description: Automatically categorized datasets in directory kubernetes_kube_hunter -environment: attack_range -directory: kubernetes_kube_hunter -mitre_technique: -- T1526 -datasets: -- name: kubernetes_kube_hunter-json - path: /datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json - sourcetype: __json - source: kubernetes diff --git a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml index 62809e48e..ed8ffbc49 100644 --- a/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml +++ b/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.yml @@ -3,10 +3,11 @@ id: dee3b6f3-e0fe-4aab-b85b-76d5957e8518 date: '2021-08-24' description: Dataset which contains kube-hunter scanning environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json -sourcetypes: -- kube:objects:events -references: -- https://attack.mitre.org/techniques/T1526 -- https://github.com/aquasecurity/kube-hunter +directory: kubernetes_kube_hunter +mitre_technique: +- T1526 +datasets: +- name: kubernetes_kube_hunter-json + path: /datasets/attack_techniques/T1526/kubernetes_kube_hunter/kubernetes_kube_hunter.json + sourcetype: __json + source: kubernetes diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml index 0a19cdf74..fd99a4ca1 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 8d4c2863-de34-4dd7-96a3-19fac4c0ec5e date: '2023-10-27' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. +environment: attack_range +directory: azure_ad_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_blocked + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml deleted file mode 100644 index be6362025..000000000 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b78e3ee4-d7e6-4be5-934e-2a4431cdc543 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_user_consent_blocked -environment: attack_range -directory: azure_ad_user_consent_blocked -mitre_technique: -- T1528 -datasets: -- name: azure_ad_user_consent_blocked - path: /datasets/attack_techniques/T1528/azure_ad_user_consent_blocked/azure_ad_user_consent_blocked.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml index 756348dd0..b415849c1 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: 2724e330-ee25-4644-8ea4-d7317f5bf8d6 date: '2023-10-30' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Simulated a user denying consent.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Simulated a user denying consent. +environment: attack_range +directory: azure_ad_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_declined + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml deleted file mode 100644 index 423fcd889..000000000 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_declined/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 24f2b50f-c5d4-49d1-9b3d-9b7b46a81132 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_user_consent_declined -environment: attack_range -directory: azure_ad_user_consent_declined -mitre_technique: -- T1528 -datasets: -- name: azure_ad_user_consent_declined - path: /datasets/attack_techniques/T1528/azure_ad_user_consent_declined/azure_ad_user_consent_declined.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml index 023089a5b..f32fdfdc4 100644 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml +++ b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.yml @@ -1,16 +1,14 @@ author: Mauricio Velazco id: a54ab903-b061-4ccf-b761-7dfe86a5e58b date: '2023-10-27' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Simulated a user granting consent.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/ -- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/protect-against-consent-phishing -- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth -- https://www.alteredsecurity.com/post/introduction-to-365-stealer -- https://github.com/AlteredSecurity/365-Stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Simulated a user granting consent. +environment: attack_range +directory: azure_ad_user_consent_granted +mitre_technique: +- T1528 +datasets: +- name: azure_ad_user_consent_granted + path: /datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml b/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml deleted file mode 100644 index d07590923..000000000 --- a/datasets/attack_techniques/T1528/azure_ad_user_consent_granted/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1ed0262c-12b4-4bcb-a38e-ef4823e3cd58 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_user_consent_granted -environment: attack_range -directory: azure_ad_user_consent_granted -mitre_technique: -- T1528 -datasets: -- name: azure_ad_user_consent_granted - path: /datasets/attack_techniques/T1528/azure_ad_user_consent_granted/azure_ad_user_consent_granted.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1528/device_code_authentication/data.yml b/datasets/attack_techniques/T1528/device_code_authentication/data.yml deleted file mode 100644 index 1e7526312..000000000 --- a/datasets/attack_techniques/T1528/device_code_authentication/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 67ded8fb-af33-4b18-bd48-71b592636893 -date: '2025-08-12' -description: Automatically categorized datasets in directory device_code_authentication -environment: attack_range -directory: device_code_authentication -mitre_technique: -- T1528 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml b/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml index 9c993269f..be7ff82e4 100644 --- a/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml +++ b/datasets/attack_techniques/T1528/device_code_authentication/device_code_authentication.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: b88707d8-8cf6-4ac8-9e6b-ea9fd6dc46c6 date: '2023-08-03' -description: 'Leveraged TokenTactics to perform device code phishing against an azure ad account' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/rvrsh3ll/TokenTactics -- https://embracethered.com/blog/posts/2022/device-code-phishing/ -- https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html \ No newline at end of file +description: Leveraged TokenTactics to perform device code phishing against an azure + ad account +environment: attack_range +directory: device_code_authentication +mitre_technique: +- T1528 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1528/device_code_authentication/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml deleted file mode 100644 index 8065462f3..000000000 --- a/datasets/attack_techniques/T1528/o365_user_consent_blocked/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 164b88ab-9236-4ee4-ace2-26678bad4530 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_user_consent_blocked -environment: attack_range -directory: o365_user_consent_blocked -mitre_technique: -- T1528 -datasets: -- name: o365_user_consent_blocked - path: /datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml b/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml index d8626f0d1..ef766bae3 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: c6d3a5df-a5a6-463c-9f9c-597cdba57dd8 date: '2023-10-01' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. +environment: attack_range +directory: o365_user_consent_blocked +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_blocked + path: /datasets/attack_techniques/T1528/o365_user_consent_blocked/o365_user_consent_blocked.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml deleted file mode 100644 index c65734ad9..000000000 --- a/datasets/attack_techniques/T1528/o365_user_consent_declined/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 658a395c-be8a-4876-a1a3-fbff5cca4943 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_user_consent_declined -environment: attack_range -directory: o365_user_consent_declined -mitre_technique: -- T1528 -datasets: -- name: o365_user_consent_declined - path: /datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml b/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml index c35f148b2..c77d23691 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 5ddc2e5f-b6b0-43c8-8e8b-637e96d562c6 date: '2023-10-12' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack and declined the consent when presented' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log -sourcetypes: -- o365:graph:api -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack and declined the consent when presented +environment: attack_range +directory: o365_user_consent_declined +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_declined + path: /datasets/attack_techniques/T1528/o365_user_consent_declined/o365_user_consent_declined.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml deleted file mode 100644 index 76988b7a0..000000000 --- a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 18399e92-d80c-499a-8e92-2732e31ab2af -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_user_consent_file_permissions -environment: attack_range -directory: o365_user_consent_file_permissions -mitre_technique: -- T1528 -datasets: -- name: o365_user_consent_file_permissions - path: /datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml index 71a022231..1e6c50971 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a5bb8668-a4e2-4d06-9de3-fae665fcf4c4 date: '2023-10-18' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Once set up, simulated a user consenting the application.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Once set up, simulated a user consenting the application. +environment: attack_range +directory: o365_user_consent_file_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_file_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_file_permissions/o365_user_consent_file_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml deleted file mode 100644 index 3b272c3fb..000000000 --- a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 08e31c5b-3a54-40e1-a2e5-7bed47ca6637 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_user_consent_mail_permissions -environment: attack_range -directory: o365_user_consent_mail_permissions -mitre_technique: -- T1528 -datasets: -- name: o365_user_consent_mail_permissions - path: /datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml index f33c69de9..806d8cf66 100644 --- a/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml +++ b/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: e788bb56-f05b-431c-8823-f01d44469bb3 date: '2023-10-12' -description: 'Used 365-stealer and a multi-tenant application registration to simulate a consent grant attack. Once set up, simulated a user consenting the application.' -environment: O365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1528 -- https://github.com/AlteredSecurity/365-Stealer -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide -- https://www.alteredsecurity.com/post/introduction-to-365-stealer +description: Used 365-stealer and a multi-tenant application registration to simulate + a consent grant attack. Once set up, simulated a user consenting the application. +environment: attack_range +directory: o365_user_consent_mail_permissions +mitre_technique: +- T1528 +datasets: +- name: o365_user_consent_mail_permissions + path: /datasets/attack_techniques/T1528/o365_user_consent_mail_permissions/o365_user_consent_mail_permissions.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml b/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml index 0cdf8981c..f80805211 100644 --- a/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml +++ b/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_s3_public_bucket.yml @@ -4,9 +4,11 @@ date: '2021-01-12' description: Dataset which contains cloudtrail logs and the creation of a public S3 bucket. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1530 +directory: aws_s3_public_bucket +mitre_technique: +- T1530 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml b/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml deleted file mode 100644 index ff7cde6f1..000000000 --- a/datasets/attack_techniques/T1530/aws_s3_public_bucket/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 73a793df-58fb-4ed8-a4fe-35b808225de9 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_s3_public_bucket -environment: attack_range -directory: aws_s3_public_bucket -mitre_technique: -- T1530 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1530/aws_s3_public_bucket/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml index 378604c0c..cbe3dc816 100644 --- a/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1531/atomic_red_team/atomic_red_team.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: 1514bd3e-20a3-4d53-a740-8e952f5e7afb date: '2021-11-15' -description: 'Atomic Red Team tests simulating delete net user.' +description: Atomic Red Team tests simulating delete net user. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/atomic_red_team/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +directory: atomic_red_team +mitre_technique: +- T1531 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1531/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1531/atomic_red_team/data.yml b/datasets/attack_techniques/T1531/atomic_red_team/data.yml deleted file mode 100644 index eb1ca440b..000000000 --- a/datasets/attack_techniques/T1531/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3ea7232a-9176-4840-861e-625d076897d9 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1531 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1531/atomic_red_team/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml b/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml index f8f585941..9a8533074 100644 --- a/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml +++ b/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_ami_shared_public.yml @@ -1,11 +1,17 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-11eb-926b-5511f09431bb date: '2023-03-31' -description: Adversaries made suspicious AWS AMI attribute modifications, such as sharing it with another AWS account or making the full AMI image public. Adversaries are known to abuse these APIs to exfiltrate sensitive organization information stored in the AWS Resources, there by its very important to monitor these seemingly benign API activity in Cloudtrail logs. +description: Adversaries made suspicious AWS AMI attribute modifications, such as + sharing it with another AWS account or making the full AMI image public. Adversaries + are known to abuse these APIs to exfiltrate sensitive organization information stored + in the AWS Resources, there by its very important to monitor these seemingly benign + API activity in Cloudtrail logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_ami_shared_public +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml b/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml deleted file mode 100644 index 9034aef79..000000000 --- a/datasets/attack_techniques/T1537/aws_ami_shared_public/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 366044b4-8354-4859-80d1-b9e8ac2f5896 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_ami_shared_public -environment: attack_range -directory: aws_ami_shared_public -mitre_technique: -- T1537 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1537/aws_ami_shared_public/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml b/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml index b2d9098ad..e399d4951 100644 --- a/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml +++ b/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_exfil_risk_events.yml @@ -1,11 +1,14 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-1111-926b-5511f09431bb date: '2023-03-31' -description: This dataset contains Risk events created by the detection analytics related Collection and Exfiltration techniques in Enterprise Security +description: This dataset contains Risk events created by the detection analytics + related Collection and Exfiltration techniques in Enterprise Security environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log -sourcetypes: -- stash -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_exfil_risk_events +mitre_technique: +- T1537 +datasets: +- name: aws_risk + path: /datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml b/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml deleted file mode 100644 index a65eb52e6..000000000 --- a/datasets/attack_techniques/T1537/aws_exfil_risk_events/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7336c166-f292-439b-abc8-1275c2e457a9 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_exfil_risk_events -environment: attack_range -directory: aws_exfil_risk_events -mitre_technique: -- T1537 -datasets: -- name: aws_risk - path: /datasets/attack_techniques/T1537/aws_exfil_risk_events/aws_risk.log - sourcetype: aws:cloudtrail - source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml b/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml index bceb33f99..8d40b6a64 100644 --- a/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml +++ b/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_snapshot_exfil.yml @@ -1,13 +1,19 @@ -author: Bhavin Patel +author: Bhavin Patel id: cc9b2602-efc9-11eb-926b-550bf0943fbb date: '2021-07-20' description: Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1537/ +directory: aws_snapshot_exfil +mitre_technique: +- T1537 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml b/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml deleted file mode 100644 index ae110b936..000000000 --- a/datasets/attack_techniques/T1537/aws_snapshot_exfil/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0436771e-a141-4da1-8f51-6752f1b030e3 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_snapshot_exfil -environment: attack_range -directory: aws_snapshot_exfil -mitre_technique: -- T1537 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1537/aws_snapshot_exfil/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml deleted file mode 100644 index 0442f01ea..000000000 --- a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cdbbbe96-9152-4113-ba57-bdcc67c3dfc0 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_web_session_multiple_ip -environment: attack_range -directory: okta_web_session_multiple_ip -mitre_technique: -- T1539 -datasets: -- name: okta_web_session_multiple_ip - path: /datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml index 9f53bd5de..dc8327807 100644 --- a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml +++ b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml @@ -1,11 +1,14 @@ author: Bhavin Patel id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959w date: '2024-03-18' -description: 'Manually generated dataset of two sessions from mutiple IPs, useragents, etc' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1539/ +description: Manually generated dataset of two sessions from mutiple IPs, useragents, + etc +environment: attack_range +directory: okta_web_session_multiple_ip +mitre_technique: +- T1539 +datasets: +- name: okta_web_session_multiple_ip + path: /datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml b/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml index c279adc3b..af35eace9 100644 --- a/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml +++ b/datasets/attack_techniques/T1542.003/bootkits/bootkits.yml @@ -1,14 +1,13 @@ author: Automated Attack Data Service id: b3252a4d-449e-42cd-be46-bec739d77c4c date: '2023-05-03' -description: 'Attack data for bootkits' +description: Attack data for bootkits environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ +directory: bootkits +mitre_technique: +- T1542.003 +datasets: +- name: network-winlogon-windows-sysmon + path: /datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1542.003/bootkits/data.yml b/datasets/attack_techniques/T1542.003/bootkits/data.yml deleted file mode 100644 index 3775af35d..000000000 --- a/datasets/attack_techniques/T1542.003/bootkits/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1dde0d18-5cbd-4115-b412-99d6e61e5098 -date: '2025-08-12' -description: Automatically categorized datasets in directory bootkits -environment: attack_range -directory: bootkits -mitre_technique: -- T1542.003 -datasets: -- name: network-winlogon-windows-sysmon - path: /datasets/attack_techniques/T1542.003/bootkits/network-winlogon-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml index 26a5f144f..4fb0fbac7 100644 --- a/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1543.003/atomic_red_team/atomic_red_team.yml @@ -6,19 +6,27 @@ description: 'Atomic Test Results: Return value unclear for test T1543.003-1 Mod Installation CMD Return value unclear for test T1543.003-3 Service Installation PowerShell ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md +directory: atomic_red_team +mitre_technique: +- T1543.003 +datasets: +- name: 4688-remcom-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-remote-service-create-windows-security + path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-system + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: remote_service_create_windows-sysmon + path: /datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml deleted file mode 100644 index 9c1481056..000000000 --- a/datasets/attack_techniques/T1543.003/atomic_red_team/data.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ac41d77d-0760-4659-9187-b756920928e7 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1543.003 -datasets: -- name: 4688-remcom-windows-security - path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remcom-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1543.003/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688-remote-service-create-windows-security - path: /datasets/attack_techniques/T1543.003/atomic_red_team/4688-remote-service-create-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: remcom_windows-system - path: /datasets/attack_techniques/T1543.003/atomic_red_team/remcom_windows-system.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:System -- name: remote_service_create_windows-sysmon - path: /datasets/attack_techniques/T1543.003/atomic_red_team/remote_service_create_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement/data.yml deleted file mode 100644 index 206b6586a..000000000 --- a/datasets/attack_techniques/T1543.003/lateral_movement/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 961318f6-4baf-4b77-9328-901a0da416c3 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement -environment: attack_range -directory: lateral_movement -mitre_technique: -- T1543.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml b/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml index 7a907f0af..d1db2f119 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement/lateral_movement.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 1ccc911f-a49b-4dc9-903a-0ae2c67b0475 date: '2021-11-12' -description: Manually using the sc.exe binary to create and start a Windows Service on a remote endpoint for lateral movement and remote code execution. +description: Manually using the sc.exe binary to create and start a Windows Service + on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc +directory: lateral_movement +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml deleted file mode 100644 index 0ed577ad4..000000000 --- a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 235dd031-6d02-42c1-affe-123ec3577f4a -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_lolbas -environment: attack_range -directory: lateral_movement_lolbas -mitre_technique: -- T1543.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml index ba8d349cd..76344e7c0 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/lateral_movement_lolbas.yml @@ -1,15 +1,14 @@ author: Mauricio Velazco id: 9aa6af3d-608e-4a69-8a89-c49b9b3cd3fa date: '2021-11-23' -description: Manually using the sc.exe binary to create and start a Windows Service on a remote endpoint for lateral movement and remote code execution. +description: Manually using the sc.exe binary to create and start a Windows Service + on a remote endpoint for lateral movement and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://docs.microsoft.com/en-us/windows/win32/services/controlling-a-service-using-sc -- https://pentestlab.blog/2020/07/21/lateral-movement-services/ +directory: lateral_movement_lolbas +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_lolbas/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml deleted file mode 100644 index 638a5c20d..000000000 --- a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 12aa7591-f308-4c4a-9f96-1f0091348949 -date: '2025-08-12' -description: Automatically categorized datasets in directory lateral_movement_powershell -environment: attack_range -directory: lateral_movement_powershell -mitre_technique: -- T1543.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml index b9385b627..3d8ccb4be 100644 --- a/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml +++ b/datasets/attack_techniques/T1543.003/lateral_movement_powershell/lateral_movement_powershell.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 32ff9c98-48d2-46aa-9e95-b79f970c5f07 date: '2021-11-29' -description: Manually using the Metasploit framework binary to create and start a Windows Service on a remote endpoint that calls PowerShell.exe for lateral movement and remote code execution. +description: Manually using the Metasploit framework binary to create and start a + Windows Service on a remote endpoint that calls PowerShell.exe for lateral movement + and remote code execution. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1543/003/ -- https://www.rapid7.com/db/modules/exploit/windows/smb/psexec/ -- https://pentestlab.blog/2020/07/21/lateral-movement-services/ +directory: lateral_movement_powershell +mitre_technique: +- T1543.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml b/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml deleted file mode 100644 index a27275911..000000000 --- a/datasets/attack_techniques/T1543.003/services_lolbas_execution/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 56560e17-fbc8-4234-97ae-d206267db41e -date: '2025-08-12' -description: Automatically categorized datasets in directory services_lolbas_execution -environment: attack_range -directory: services_lolbas_execution -mitre_technique: -- T1543.003 -datasets: -- name: 4688_xml_windows_security - path: /datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml b/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml index 833211098..4f3ca90ea 100644 --- a/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml +++ b/datasets/attack_techniques/T1543.003/services_lolbas_execution/services_lolbas_execution.yml @@ -1,12 +1,13 @@ author: Bhavin Patel id: cc9b2651-efc9-11eb-926b-550bf0143fbb date: '2023-10-02' -description: 'Attack data for services.exe spawning msiexec' +description: Attack data for services.exe spawning msiexec environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log -sourcetypes: -- XmlWinEventLog -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md -- https://atomicredteam.io/privilege-escalation/T1543.003/ +directory: services_lolbas_execution +mitre_technique: +- T1543.003 +datasets: +- name: 4688_xml_windows_security + path: /datasets/attack_techniques/T1543.003/services_lolbas_execution/4688_xml_windows_security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml b/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml deleted file mode 100644 index 3a1acd159..000000000 --- a/datasets/attack_techniques/T1546.001/txtfile_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cf547925-52e2-4cf1-84f5-5f7e5d69646d -date: '2025-08-12' -description: Automatically categorized datasets in directory txtfile_reg -environment: attack_range -directory: txtfile_reg -mitre_technique: -- T1546.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml b/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml index ab1f08d14..8cacb4a64 100644 --- a/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml +++ b/datasets/attack_techniques/T1546.001/txtfile_reg/txtfile_reg.yml @@ -1,10 +1,14 @@ author: Teoderick Contreras id: 50a25246-7301-4282-99b9-6580b278cc61 date: '2021-09-28' -description: Manual generation of attack data for txtfile default file association registry entry for persistence and privilege escalation. +description: Manual generation of attack data for txtfile default file association + registry entry for persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: txtfile_reg +mitre_technique: +- T1546.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml b/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml deleted file mode 100644 index d359b99ca..000000000 --- a/datasets/attack_techniques/T1546.002/scrnsave_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8629b7f9-5357-411f-bc6e-fc93a036d94d -date: '2025-08-12' -description: Automatically categorized datasets in directory scrnsave_reg -environment: attack_range -directory: scrnsave_reg -mitre_technique: -- T1546.002 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml b/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml index 4a95b6e5a..a949845bf 100644 --- a/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml +++ b/datasets/attack_techniques/T1546.002/scrnsave_reg/scrnsave_reg.yml @@ -1,11 +1,14 @@ author: Teoderick Contreras id: 2d6fba98-4e8d-4818-82d6-dbc0191c4ef7 date: '2021-09-28' -description: Manual generation of attack data for SCRNSAVE.EXE registry entry for persistence and privilege escalation. +description: Manual generation of attack data for SCRNSAVE.EXE registry entry for + persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1546/002 +directory: scrnsave_reg +mitre_technique: +- T1546.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1546.002/scrnsave_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml index c746ed4f6..fde0d4b58 100644 --- a/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.003/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,11 @@ date: '2020-12-08' description: 'Atomic Test Results: Return value unclear for test T1546.003-1 Persistence via WMI Event Subscription ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/atomic_red_team/mofcomp.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md +directory: atomic_red_team +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml deleted file mode 100644 index 2ed5d71ea..000000000 --- a/datasets/attack_techniques/T1546.003/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4475a793-d061-4d59-b67a-e46fde796702 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1546.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.003/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml b/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml deleted file mode 100644 index ee18c4386..000000000 --- a/datasets/attack_techniques/T1546.003/wmi_event_subscription/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 023da78e-423b-4937-bdc4-82143004171f -date: '2025-08-12' -description: Automatically categorized datasets in directory wmi_event_subscription -environment: attack_range -directory: wmi_event_subscription -mitre_technique: -- T1546.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml b/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml index ddb4e1a95..55fbc5cbd 100644 --- a/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml +++ b/datasets/attack_techniques/T1546.003/wmi_event_subscription/wmi_event_subscription.yml @@ -3,12 +3,11 @@ id: cc9b262d-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: Manual WMI persistence via WMI Event Subscription environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md +directory: wmi_event_subscription +mitre_technique: +- T1546.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.003/wmi_event_subscription/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml deleted file mode 100644 index f18327300..000000000 --- a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f732a4d4-3cc8-4494-9137-1bc2c676a6af -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_unix_shell_mod_config -environment: attack_range -directory: linux_auditd_unix_shell_mod_config -mitre_technique: -- T1546.004 -datasets: -- name: linux_auditd_unix_shell_mod_config - path: /datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml index 1a73380f9..1f87524cf 100644 --- a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml +++ b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml @@ -3,9 +3,11 @@ id: 6a85a94e-45d6-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd unix shell mod config in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_unix_shell_mod_config +mitre_technique: +- T1546.004 +datasets: +- name: linux_auditd_unix_shell_mod_config + path: /datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml b/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml deleted file mode 100644 index cda13d10e..000000000 --- a/datasets/attack_techniques/T1546.004/linux_init_profile/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e1822070-a603-47b8-aa47-695a9ef5e1bc -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_init_profile -environment: attack_range -directory: linux_init_profile -mitre_technique: -- T1546.004 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml b/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml index b22b98c23..7aa9eee2f 100644 --- a/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml +++ b/datasets/attack_techniques/T1546.004/linux_init_profile/linux_init_profile.yml @@ -3,9 +3,11 @@ id: 02957dd0-6242-11ec-a156-acde48001122 date: '2021-12-21' description: Generated datasets for linux init profile in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ \ No newline at end of file +directory: linux_init_profile +mitre_technique: +- T1546.004 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml index 2ecd932fd..b9ae3b2bd 100644 --- a/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.008/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,11 @@ id: cc9b25d2-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: Generation of Atomic Red Team technique T1546.008 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.008/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/008/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md +directory: atomic_red_team +mitre_technique: +- T1546.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml deleted file mode 100644 index 3d1d1df4a..000000000 --- a/datasets/attack_techniques/T1546.008/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: afb6ffde-d288-4f9d-abb0-beb5facb25cf -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1546.008 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.008/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml index 381807d4b..edbf615a7 100644 --- a/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.011/atomic_red_team/atomic_red_team.yml @@ -6,16 +6,11 @@ description: 'Atomic Test Results: Successful Execution of test T1546.011-1 Appl created in the default shim database directory Successful Execution of test T1546.011-3 Registry key creation and/or modification events for SDB ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/011/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md +directory: atomic_red_team +mitre_technique: +- T1546.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml deleted file mode 100644 index c305b70da..000000000 --- a/datasets/attack_techniques/T1546.011/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a7893d69-e08f-4db9-a5eb-6cab89242fb0 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1546.011 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml index 5915f5d61..b52106bbb 100644 --- a/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.012/atomic_red_team/atomic_red_team.yml @@ -4,18 +4,15 @@ date: '2020-11-27' description: 'Atomic Test Results: Successful Execution of test T1546.012-1 IFEO Add Debugger Successful Execution of test T1546.012-2 IFEO Global Flags ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -- WinEventLog:Application -references: -- https://attack.mitre.org/techniques/T1546/012/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md +directory: atomic_red_team +mitre_technique: +- T1546.012 +datasets: +- name: windows-application + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-ProcessExitMonitor +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml deleted file mode 100644 index f026b8e9f..000000000 --- a/datasets/attack_techniques/T1546.012/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0b1bf2de-5f62-46a1-a88d-c01c0d8434e7 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1546.012 -datasets: -- name: windows-application - path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-application.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-ProcessExitMonitor -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.012/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml index 90c0dba72..bda5df25b 100644 --- a/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1546.015/atomic_red_team/atomic_red_team.yml @@ -1,16 +1,22 @@ author: Michael Haag, Splunk id: 48489030-45fb-4945-a761-9aef99cd5978 date: '2022-09-26' -description: 'Atomic Test Results: Successful Execution of test T1546.015 related to inprocserver32 ' +description: 'Atomic Test Results: Successful Execution of test T1546.015 related + to inprocserver32 ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1546/015/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.015.md +directory: atomic_red_team +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-powershell + path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml b/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml deleted file mode 100644 index 0b683ec3b..000000000 --- a/datasets/attack_techniques/T1546.015/atomic_red_team/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 68bee785-3f0d-433f-8848-9c158c87372e -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1546.015 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-powershell - path: /datasets/attack_techniques/T1546.015/atomic_red_team/windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml b/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml deleted file mode 100644 index a641018e2..000000000 --- a/datasets/attack_techniques/T1546.015/pwh_com_object/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 874cd43a-7676-4689-9d0b-5bd32c86a7a9 -date: '2025-08-12' -description: Automatically categorized datasets in directory pwh_com_object -environment: attack_range -directory: pwh_com_object -mitre_technique: -- T1546.015 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml b/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml index fc612c529..d56a10c25 100644 --- a/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml +++ b/datasets/attack_techniques/T1546.015/pwh_com_object/pwh_com_object.yml @@ -3,9 +3,11 @@ id: f717f18e-aa0f-11ec-90af-acde48001122 date: '2022-03-22' description: Generated datasets for pwh com object in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://threadreaderapp.com/thread/1423361119926816776.html \ No newline at end of file +directory: pwh_com_object +mitre_technique: +- T1546.015 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1546.015/pwh_com_object/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1546.015/uac_colorui/data.yml b/datasets/attack_techniques/T1546.015/uac_colorui/data.yml deleted file mode 100644 index 77cf7df0f..000000000 --- a/datasets/attack_techniques/T1546.015/uac_colorui/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bb9a522e-0b7b-4ce7-b3af-90d25542f5a6 -date: '2025-08-12' -description: Automatically categorized datasets in directory uac_colorui -environment: attack_range -directory: uac_colorui -mitre_technique: -- T1546.015 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml b/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml index 713d52db5..8ac9e8c0b 100644 --- a/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml +++ b/datasets/attack_techniques/T1546.015/uac_colorui/uac_colorui.yml @@ -3,9 +3,11 @@ id: 2970b9f5-37cf-42ab-8ebe-7b90f63d69ec date: '2021-08-13' description: simulate colorui uac bypass technique. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/#_ftn2 \ No newline at end of file +directory: uac_colorui +mitre_technique: +- T1546.015 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1546.015/uac_colorui/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml b/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml index 2071b2197..373ad7154 100644 --- a/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml +++ b/datasets/attack_techniques/T1546/adminsdholder_modified/adminsdholder_modified.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: a9ed69d2-b5a2-4eba-8906-e5e407e79e16 date: '2022-11-15' -description: Used powershell to modify the ACL of the AdminSDHolder active directory object. +description: Used powershell to modify the ACL of the AdminSDHolder active directory + object. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log -sourcetypes: -- XmlWinEventLog -references: -- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory -- https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx -- https://adsecurity.org/?p=1906 -- https://pentestlab.blog/2022/01/04/domain-persistence-adminsdholder/ \ No newline at end of file +directory: adminsdholder_modified +mitre_technique: +- T1546 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml b/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml deleted file mode 100644 index fba321753..000000000 --- a/datasets/attack_techniques/T1546/adminsdholder_modified/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 72d7f6a2-7cda-4a0d-ac0c-94bc71c3121f -date: '2025-08-12' -description: Automatically categorized datasets in directory adminsdholder_modified -environment: attack_range -directory: adminsdholder_modified -mitre_technique: -- T1546 -datasets: -- name: windows-security - path: /datasets/attack_techniques/T1546/adminsdholder_modified/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml index 69da252f4..3da842458 100644 --- a/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.001/atomic_red_team/atomic_red_team.yml @@ -8,18 +8,15 @@ description: 'Atomic Test Results: Successful Execution of test T1547.001-1 Reg Suspicious jse file run from startup Folder Return value unclear for test T1547.001-6 Suspicious bat file run from startup Folder ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/t1547001-runonce.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1547/001/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md +directory: atomic_red_team +mitre_technique: +- T1547.001 +datasets: +- name: bootexecute-windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml deleted file mode 100644 index 9c7ef2d06..000000000 --- a/datasets/attack_techniques/T1547.001/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5824674e-1223-406e-8f1a-aba3024ac094 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1547.001 -datasets: -- name: bootexecute-windows-sysmon - path: /datasets/attack_techniques/T1547.001/atomic_red_team/bootexecute-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1547.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml b/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml deleted file mode 100644 index 5e864a453..000000000 --- a/datasets/attack_techniques/T1547.003/timeprovider_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6cb1adbb-cc26-43a9-b8d9-e23c92d984f7 -date: '2025-08-12' -description: Automatically categorized datasets in directory timeprovider_reg -environment: attack_range -directory: timeprovider_reg -mitre_technique: -- T1547.003 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml b/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml index f04ef4633..9a6498546 100644 --- a/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml +++ b/datasets/attack_techniques/T1547.003/timeprovider_reg/timeprovider_reg.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: ad1f89a2-47be-4c29-a7a0-9930921aa38d date: '2021-09-30' -description: manual timeprovider registry modification datasets for persistence and privilege escalation. +description: manual timeprovider registry modification datasets for persistence and + privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: timeprovider_reg +mitre_technique: +- T1547.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1547.003/timeprovider_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml b/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml deleted file mode 100644 index cfe65f112..000000000 --- a/datasets/attack_techniques/T1547.005/malicious_ssp/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: da28bf9c-c1e1-4cb8-819a-460ce5e78ff2 -date: '2025-08-12' -description: Automatically categorized datasets in directory malicious_ssp -environment: attack_range -directory: malicious_ssp -mitre_technique: -- T1547.005 -datasets: -- name: windows-security-xml - path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml b/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml index ca57acabf..dfe71dd12 100644 --- a/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml +++ b/datasets/attack_techniques/T1547.005/malicious_ssp/malicious_ssp.yml @@ -1,16 +1,19 @@ author: Dean Luxton id: 23ec953f-b6b4-41ec-a81d-8c08fb3706ab date: '2022-08-23' -description: Manually copying mimilib.dll over to system32 & registering the dll as a new SSP via registry. Attack was ran successfully against a non-domain joined windows device, and a domain joined windows sever. (Also applicable against DCs) +description: Manually copying mimilib.dll over to system32 & registering the dll as + a new SSP via registry. Attack was ran successfully against a non-domain joined + windows device, and a domain joined windows sever. (Also applicable against DCs) environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log -sourcetypes: -- XmlWinEventLog -- xmlwineventlog -references: -- https://adsecurity.org/?p=1760 -- https://blog.xpnsec.com/exploring-mimikatz-part-2/ -- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package -- https://attack.mitre.org/techniques/T1547/005 +directory: malicious_ssp +mitre_technique: +- T1547.005 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.005/malicious_ssp/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml deleted file mode 100644 index 84c6e3841..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3a0d58c8-22dd-4fd3-92aa-896c538daeb3 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_insmod -environment: attack_range -directory: linux_auditd_insmod -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_insmod - path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml index 444e87985..f3927c7ac 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.yml @@ -3,9 +3,11 @@ id: a85c69f0-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd insmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log -sourcetypes: -- 'linux:audit' -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: linux_auditd_insmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod/linux_auditd_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml deleted file mode 100644 index 8c03e73a8..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5b1810bc-fb03-4d67-92ff-a638cba5c82e -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_insmod_new -environment: attack_range -directory: linux_auditd_insmod_new -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_new_insmod - path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml index f74016453..f2826f748 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml @@ -3,9 +3,11 @@ id: 9d807532-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd insmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log -sourcetypes: -- 'auditd' -references: -- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 \ No newline at end of file +directory: linux_auditd_insmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_insmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml deleted file mode 100644 index bf23c28a8..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 46f43a79-5ee7-44b9-9b30-55e6283eb342 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_modprobe -environment: attack_range -directory: linux_auditd_modprobe -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_modprobe - path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml index 63d3354c4..1e67200d4 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.yml @@ -3,9 +3,11 @@ id: cfe5a4be-5645-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd modprobe in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log -sourcetypes: -- 'linux:audit' -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: linux_auditd_modprobe +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe/linux_auditd_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml deleted file mode 100644 index 6d48ae484..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a2931ada-6410-4567-a613-95d3de336c8f -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_modprobe_new -environment: attack_range -directory: linux_auditd_modprobe_new -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_new_modprobe - path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml index 8437c4982..48299ae23 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml @@ -3,9 +3,11 @@ id: db4b9b9e-1ab0-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd modprobe new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log -sourcetypes: -- 'auditd' -references: -- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 \ No newline at end of file +directory: linux_auditd_modprobe_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml deleted file mode 100644 index c540af639..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 12fcbdde-d62b-402a-815d-8ae421a8b802 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_modprobe_unload_module -environment: attack_range -directory: linux_auditd_modprobe_unload_module -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_modprobe_unload_module - path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log - sourcetype: auditd - source: auditd -- name: auditd_execve_modprobe - path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml index 1b1a3dd29..1337d1436 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml @@ -1,11 +1,18 @@ author: Teoderick Contreras, Splunk id: 6237b4fc-efa6-11ef-b72e-629be3538068 date: '2025-02-20' -description: Generated datasets for linux auditd modprobe unload module in attack range. +description: Generated datasets for linux auditd modprobe unload module in attack + range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_modprobe_unload_module +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_modprobe_unload_module + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log + sourcetype: auditd + source: auditd +- name: auditd_execve_modprobe + path: /datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml deleted file mode 100644 index 7ccbcb641..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 34826bd2-9181-4e17-808a-a3e82ff59de6 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_rmmod -environment: attack_range -directory: linux_auditd_rmmod -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_rmmod - path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml index 92c585288..2988af55a 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml @@ -3,9 +3,11 @@ id: 8ceb8526-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd rmmod in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_rmmod +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml deleted file mode 100644 index be05226cb..000000000 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 42a93ebb-914d-4a9e-a997-d9ba40fb7016 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_rmmod_new -environment: attack_range -directory: linux_auditd_rmmod_new -mitre_technique: -- T1547.006 -datasets: -- name: linux_auditd_new_rmmod - path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml index 5b3bcf998..52aa4edcf 100644 --- a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml +++ b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml @@ -3,9 +3,11 @@ id: 460dec20-1ab1-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd rmmod new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_rmmod_new +mitre_technique: +- T1547.006 +datasets: +- name: linux_auditd_new_rmmod + path: /datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml deleted file mode 100644 index df85e7984..000000000 --- a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5ad0d1f8-147a-43d6-9886-db4ae9f30284 -date: '2025-08-12' -description: Automatically categorized datasets in directory loading_linux_kernel_module -environment: attack_range -directory: loading_linux_kernel_module -mitre_technique: -- T1547.006 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml index 71aaa75e7..c4a664052 100644 --- a/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml +++ b/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/loading_linux_kernel_module.yml @@ -3,9 +3,11 @@ id: 97358c88-632c-11ec-a5ca-acde48001122 date: '2021-12-22' description: Generated datasets for loading linux kernel module in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ \ No newline at end of file +directory: loading_linux_kernel_module +mitre_technique: +- T1547.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml index a9dab2c19..32b94f776 100644 --- a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml @@ -3,9 +3,11 @@ id: cc9i2628-efc9-88eb-926b-550bf0943fbb date: '2022-08-22' description: Generation of Atomic Red Team technique T1547.008 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1547/008 +directory: atomic_red_team +mitre_technique: +- T1547.008 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml deleted file mode 100644 index 721d5c232..000000000 --- a/datasets/attack_techniques/T1547.008/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 246ed053-0c69-4971-869a-56e7aeaf63b2 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1547.008 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1547.008/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml index d77724d41..64f0f44fb 100644 --- a/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.010/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,15 @@ id: cc9b2628-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: Generation of Atomic Red Team technique T1547.010 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: atomic_red_team +mitre_technique: +- T1547.010 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml b/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml deleted file mode 100644 index 9ee1d9a03..000000000 --- a/datasets/attack_techniques/T1547.010/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 076ce53c-f065-4c7a-883a-aa48bb208dd0 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1547.010 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1547.010/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/attack_techniques/T1547.010/atomic_red_team/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/print_reg/data.yml b/datasets/attack_techniques/T1547.012/print_reg/data.yml deleted file mode 100644 index ef4b58084..000000000 --- a/datasets/attack_techniques/T1547.012/print_reg/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d524d660-dd07-4564-ae78-b2bf44fc0bac -date: '2025-08-12' -description: Automatically categorized datasets in directory print_reg -environment: attack_range -directory: print_reg -mitre_technique: -- T1547.012 -datasets: -- name: windows-xml - path: /datasets/attack_techniques/T1547.012/print_reg/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon_print - path: /datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/attack_techniques/T1547.012/print_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml b/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml index 2ab940fd8..5b7a14b81 100644 --- a/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml +++ b/datasets/attack_techniques/T1547.012/print_reg/print_reg.yml @@ -1,10 +1,22 @@ author: Teoderick Contreras id: 787d019a-8348-4840-8802-e0080ab1deb6 date: '2021-09-29' -description: manual printer processor registry modification datasets for persistence and privilege escalation. +description: manual printer processor registry modification datasets for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: print_reg +mitre_technique: +- T1547.012 +datasets: +- name: windows-xml + path: /datasets/attack_techniques/T1547.012/print_reg/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_print + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/attack_techniques/T1547.012/print_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/printnightmare/data.yml b/datasets/attack_techniques/T1547.012/printnightmare/data.yml deleted file mode 100644 index a8f77a281..000000000 --- a/datasets/attack_techniques/T1547.012/printnightmare/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 826eb620-41b7-4661-a2fa-14d2f2b6a5fd -date: '2025-08-12' -description: Automatically categorized datasets in directory printnightmare -environment: attack_range -directory: printnightmare -mitre_technique: -- T1547.012 -datasets: -- name: mimikatz-windows-sysmon - path: /datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml b/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml index 259ba7758..4c3a26952 100644 --- a/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml +++ b/datasets/attack_techniques/T1547.012/printnightmare/printnightmare.yml @@ -3,18 +3,15 @@ id: cc9b265b-efc9-11eb-926b-550bf0943fbb date: '2021-07-01' description: Automated generation of attack data by exploiting CVE-2021-1675 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/printnightmare/windows-printservice_admin.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -- WinEventLog:Microsoft-Windows-PrintService/Admin -- WinEventLog:Microsoft-Windows-PrintService/Operational -references: -- https://attack.mitre.org/techniques/T1547/012/ +directory: printnightmare +mitre_technique: +- T1547.012 +datasets: +- name: mimikatz-windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/mimikatz-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1547.012/printnightmare/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml b/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml index cfbf5ccb7..a8f69fe2e 100644 --- a/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml +++ b/datasets/attack_techniques/T1548.001/chmod_uid/chmod_uid.yml @@ -3,9 +3,11 @@ id: 3cda83cc-6261-11ec-b4f9-acde48001122 date: '2021-12-21' description: Generated datasets for chmod uid in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: chmod_uid +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/chmod_uid/data.yml b/datasets/attack_techniques/T1548.001/chmod_uid/data.yml deleted file mode 100644 index afb529bf7..000000000 --- a/datasets/attack_techniques/T1548.001/chmod_uid/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eb8e1ee0-bb1d-4550-961c-8ad227e01ae2 -date: '2025-08-12' -description: Automatically categorized datasets in directory chmod_uid -environment: attack_range -directory: chmod_uid -mitre_technique: -- T1548.001 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.001/chmod_uid/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml deleted file mode 100644 index e8ff30349..000000000 --- a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/data.yml +++ /dev/null @@ -1,25 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 50ce101e-82d5-4f3c-bcf2-636600c53a46 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_setuid -environment: attack_range -directory: linux_auditd_setuid -mitre_technique: -- T1548.001 -datasets: -- name: linux_auditd_setuid - path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log - sourcetype: auditd - source: auditd -- name: auditd_proctitle_setuid - path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_proctitle_setuid.log - sourcetype: auditd - source: auditd -- name: linux_auditd_setcap_priv - path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log - sourcetype: auditd - source: auditd -- name: auditd_execve_setcap - path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml index ab7943dd5..2bb93ac8d 100644 --- a/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml +++ b/datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.yml @@ -3,9 +3,23 @@ id: d05ad908-efa3-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd setuid in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log -sourcetypes: -- 'auditd' -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: linux_auditd_setuid +mitre_technique: +- T1548.001 +datasets: +- name: linux_auditd_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setuid.log + sourcetype: auditd + source: auditd +- name: auditd_proctitle_setuid + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_proctitle_setuid.log + sourcetype: auditd + source: auditd +- name: linux_auditd_setcap_priv + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/linux_auditd_setcap_priv.log + sourcetype: auditd + source: auditd +- name: auditd_execve_setcap + path: /datasets/attack_techniques/T1548.001/linux_auditd_setuid/auditd_execve_setcap.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.001/linux_setcap/data.yml b/datasets/attack_techniques/T1548.001/linux_setcap/data.yml deleted file mode 100644 index ff2f9adde..000000000 --- a/datasets/attack_techniques/T1548.001/linux_setcap/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cd6620c0-4e69-48bf-bd71-6f97b7625b6f -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_setcap -environment: attack_range -directory: linux_setcap -mitre_technique: -- T1548.001 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml b/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml index 4be2cfd0d..5f76a6b38 100644 --- a/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml +++ b/datasets/attack_techniques/T1548.001/linux_setcap/linux_setcap.yml @@ -3,9 +3,11 @@ id: 0d7e7bb4-6262-11ec-9ed4-acde48001122 date: '2021-12-21' description: Generated datasets for linux setcap in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ \ No newline at end of file +directory: linux_setcap +mitre_technique: +- T1548.001 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.001/linux_setcap/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml index 096f8e2cb..2911884e7 100644 --- a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml +++ b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/LocalAccountTokenFilterPolicy.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: a996c867-70b4-4ac4-bfbc-fae63b60f169 date: '2021-09-30' -description: manual disable uac remote restriction registry modification datasets for persistence and privilege escalation. +description: manual disable uac remote restriction registry modification datasets + for persistence and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: LocalAccountTokenFilterPolicy +mitre_technique: +- T1548.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml b/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml deleted file mode 100644 index 69c28ad9b..000000000 --- a/datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e26c9115-ea12-4347-ae18-bea02132aa1a -date: '2025-08-12' -description: Automatically categorized datasets in directory LocalAccountTokenFilterPolicy -environment: attack_range -directory: LocalAccountTokenFilterPolicy -mitre_technique: -- T1548.002 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1548.002/LocalAccountTokenFilterPolicy/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml index b9caafcc8..b1e9c8d29 100644 --- a/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1548.002/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,15 @@ id: cc9b25fe-efc9-11eb-926b-550bf0943fbb date: '2020-11-18' description: Generation of Atomic Red Team technique T1548.002 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: atomic_red_team +mitre_technique: +- T1548.002 +datasets: +- name: dism_pswa_4688_windows-security + path: /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-sysmon + path: /datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml deleted file mode 100644 index 6f08e1636..000000000 --- a/datasets/attack_techniques/T1548.002/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c6678a14-2bab-43e0-9778-2118616072ea -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1548.002 -datasets: -- name: dism_pswa_4688_windows-security - path: /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-sysmon - path: /datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/slui/data.yml b/datasets/attack_techniques/T1548.002/slui/slui.yml similarity index 61% rename from datasets/attack_techniques/T1548.002/slui/data.yml rename to datasets/attack_techniques/T1548.002/slui/slui.yml index 94fbe181a..0597f3e2f 100644 --- a/datasets/attack_techniques/T1548.002/slui/data.yml +++ b/datasets/attack_techniques/T1548.002/slui/slui.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 8af2a457-f8e2-4720-9be3-fa7807bc4357 -date: '2025-08-12' -description: Automatically categorized datasets in directory slui +author: Michael Haag, Splunk +id: cc9b25ff-efc9-11eb-926b-550bf0943fbb +date: '2021-05-13' +description: Generation of slui.exe UAC Bypass behaviors. environment: attack_range directory: slui mitre_technique: diff --git a/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml b/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml deleted file mode 100644 index 6dfc2a9ad..000000000 --- a/datasets/attack_techniques/T1548.002/slui/slui_uac_bypass.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Michael Haag, Splunk -id: cc9b25ff-efc9-11eb-926b-550bf0943fbb -date: '2021-05-13' -description: Generation of slui.exe UAC Bypass behaviors. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ -- https://www.exploit-db.com/exploits/46998 -- https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b -- https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 -- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ -- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html diff --git a/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml b/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml deleted file mode 100644 index 17bcb36f1..000000000 --- a/datasets/attack_techniques/T1548.002/ssa_eventvwr/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 03e98791-5f8c-434e-b434-a6995e5d8a6a -date: '2025-08-12' -description: Automatically categorized datasets in directory ssa_eventvwr -environment: attack_range -directory: ssa_eventvwr -mitre_technique: -- T1548.002 -datasets: -- name: windows-sysmon-registry - path: /datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml b/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml index eadd8aeb9..329ea260a 100644 --- a/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml +++ b/datasets/attack_techniques/T1548.002/ssa_eventvwr/ssa_eventvwr.yml @@ -3,9 +3,11 @@ id: cc9b25fe-efc5-13eb-9d6b-550bf0943fbb date: '2022-02-23' description: SSA Slimmed logs for T1548.002 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ +directory: ssa_eventvwr +mitre_technique: +- T1548.002 +datasets: +- name: windows-sysmon-registry + path: /datasets/attack_techniques/T1548.002/ssa_eventvwr/windows-sysmon-registry.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/data.yml b/datasets/attack_techniques/T1548.002/uac_behavior/data.yml deleted file mode 100644 index 1ce2af5f1..000000000 --- a/datasets/attack_techniques/T1548.002/uac_behavior/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a29f33eb-5498-4926-9fad-e5585f3ffbdf -date: '2025-08-12' -description: Automatically categorized datasets in directory uac_behavior -environment: attack_range -directory: uac_behavior -mitre_technique: -- T1548.002 -datasets: -- name: uac_behavior_sysmon - path: /datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml index 1be2cca37..43fd7868b 100644 --- a/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml +++ b/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior.yml @@ -1,14 +1,14 @@ -author: Steven Dick -id: 0fe95fd6-68cf-41de-9e05-26547ce1e08a -date: '2023-11-20' -description: 'Detection of common User Account Control bypass techniques, generated using Atomic Tests for T1548.002' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/002/ -- https://atomicredteam.io/defense-evasion/T1548.002/ -- https://hadess.io/user-account-control-uncontrol-mastering-the-art-of-bypassing-windows-uac/ -- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ \ No newline at end of file +author: Steven Dick +id: 0fe95fd6-68cf-41de-9e05-26547ce1e08a +date: '2023-11-20' +description: Detection of common User Account Control bypass techniques, generated + using Atomic Tests for T1548.002 +environment: attack_range +directory: uac_behavior +mitre_technique: +- T1548.002 +datasets: +- name: uac_behavior_sysmon + path: /datasets/attack_techniques/T1548.002/uac_behavior/uac_behavior_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas/data.yml b/datasets/attack_techniques/T1548.003/doas/data.yml deleted file mode 100644 index f4fb01d83..000000000 --- a/datasets/attack_techniques/T1548.003/doas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: de9bbee7-eeaa-4469-ac98-53bba895c6fd -date: '2025-08-12' -description: Automatically categorized datasets in directory doas -environment: attack_range -directory: doas -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/doas/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas/doas.yml b/datasets/attack_techniques/T1548.003/doas/doas.yml index 71905749f..79800cd33 100644 --- a/datasets/attack_techniques/T1548.003/doas/doas.yml +++ b/datasets/attack_techniques/T1548.003/doas/doas.yml @@ -3,9 +3,11 @@ id: 934e2ef8-6e0e-11ec-9cba-acde48001122 date: '2022-01-05' description: Generated datasets for doas in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://wiki.gentoo.org/wiki/Doas \ No newline at end of file +directory: doas +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas_exec/data.yml b/datasets/attack_techniques/T1548.003/doas_exec/data.yml deleted file mode 100644 index 552024588..000000000 --- a/datasets/attack_techniques/T1548.003/doas_exec/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c756bb13-def2-4843-9291-f3a8984ee1b1 -date: '2025-08-12' -description: Automatically categorized datasets in directory doas_exec -environment: attack_range -directory: doas_exec -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml b/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml index 46d528230..ff05a28f8 100644 --- a/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml +++ b/datasets/attack_techniques/T1548.003/doas_exec/doas_exec.yml @@ -3,9 +3,11 @@ id: 5ee37c76-6e0f-11ec-b0d2-acde48001122 date: '2022-01-05' description: Generated datasets for doas exec in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://wiki.gentoo.org/wiki/Doas \ No newline at end of file +directory: doas_exec +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/doas_exec/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_adduser/data.yml b/datasets/attack_techniques/T1548.003/linux_adduser/data.yml deleted file mode 100644 index a783b5a0b..000000000 --- a/datasets/attack_techniques/T1548.003/linux_adduser/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 36e23b44-949c-4745-9c58-c8afd782e824 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_adduser -environment: attack_range -directory: linux_adduser -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml b/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml index 826b30c06..6bab42150 100644 --- a/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml +++ b/datasets/attack_techniques/T1548.003/linux_adduser/linux_adduser.yml @@ -3,9 +3,11 @@ id: ca07fc9e-6260-11ec-b8ae-acde48001122 date: '2021-12-21' description: Generated datasets for linux adduser in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ \ No newline at end of file +directory: linux_adduser +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/linux_adduser/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml deleted file mode 100644 index 2acec716e..000000000 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6c3c5aaf-88f3-4132-9acc-27f9cef7d8de -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_doas -environment: attack_range -directory: linux_auditd_doas -mitre_technique: -- T1548.003 -datasets: -- name: linux_auditd_doas - path: /datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml index d576a159e..ad1d2819c 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.yml @@ -3,9 +3,11 @@ id: 06e6ca4e-5644-11ef-b567-acde48001122 date: '2024-08-09' description: Generated datasets for linux auditd doas in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log -sourcetypes: -- 'linux:audit' -references: -- https://www.makeuseof.com/how-to-install-and-use-doas/ \ No newline at end of file +directory: linux_auditd_doas +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas/linux_auditd_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml deleted file mode 100644 index 081d4440c..000000000 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dd0fe634-9b2d-4ecc-97f3-ab59d44fd289 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_doas_new -environment: attack_range -directory: linux_auditd_doas_new -mitre_technique: -- T1548.003 -datasets: -- name: linux_auditd_new_doas - path: /datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml index 665f5c3f1..cfc44578e 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml @@ -3,9 +3,11 @@ id: d79ea71c-1aaf-11f0-a1c6-629be3538069 date: '2025-04-16' description: Generated datasets for linux auditd doas new in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log -sourcetypes: -- 'auditd' -references: -- https://www.makeuseof.com/how-to-install-and-use-doas/ \ No newline at end of file +directory: linux_auditd_doas_new +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_new_doas + path: /datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml deleted file mode 100644 index 245803ca7..000000000 --- a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c4eb82ce-c698-46dd-ba6e-716324177ca8 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_nopasswd -environment: attack_range -directory: linux_auditd_nopasswd -mitre_technique: -- T1548.003 -datasets: -- name: linux_auditd_nopasswd - path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log - sourcetype: auditd - source: auditd -- name: linux_auditd_nopasswd2 - path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml index 6de1019b3..baa42e9b7 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.yml @@ -3,9 +3,15 @@ id: 97e7e652-ef9d-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd nopasswd in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log -sourcetypes: -- 'auditd' -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: linux_auditd_nopasswd +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_nopasswd + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd.log + sourcetype: auditd + source: auditd +- name: linux_auditd_nopasswd2 + path: /datasets/attack_techniques/T1548.003/linux_auditd_nopasswd/linux_auditd_nopasswd2.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml deleted file mode 100644 index a49398d54..000000000 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4db2b6d7-4b14-49ad-b64a-bcaf57f27baf -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_sudo_su -environment: attack_range -directory: linux_auditd_sudo_su -mitre_technique: -- T1548.003 -datasets: -- name: auditd_proctitle_sudo - path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log - sourcetype: auditd - source: auditd -- name: linux_auditd_sudo_su - path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml index bf81e735a..6ddf4749f 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.yml @@ -3,9 +3,15 @@ id: 7add3492-efa5-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd sudo su in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log -sourcetypes: -- 'auditd' -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: linux_auditd_sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: auditd_proctitle_sudo + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/auditd_proctitle_sudo.log + sourcetype: auditd + source: auditd +- name: linux_auditd_sudo_su + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudo_su/linux_auditd_sudo_su.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml deleted file mode 100644 index 71016bf5d..000000000 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: be32d097-bda9-4968-99fd-37d75e66ad1b -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_sudoers_access -environment: attack_range -directory: linux_auditd_sudoers_access -mitre_technique: -- T1548.003 -datasets: -- name: linux_auditd_sudoers_access - path: /datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml index 04a42a1a3..c783d9258 100644 --- a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml +++ b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml @@ -3,9 +3,11 @@ id: f47e0ecc-45d4-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd sudoers access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log -sourcetypes: -- 'auditd' -references: -- https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf \ No newline at end of file +directory: linux_auditd_sudoers_access +mitre_technique: +- T1548.003 +datasets: +- name: linux_auditd_sudoers_access + path: /datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml deleted file mode 100644 index da14f50ed..000000000 --- a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a045bb3c-4462-41ee-932c-9583c406552a -date: '2025-08-12' -description: Automatically categorized datasets in directory nopasswd_sudoers -environment: attack_range -directory: nopasswd_sudoers -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml index 73d549d9b..525f26ba8 100644 --- a/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml +++ b/datasets/attack_techniques/T1548.003/nopasswd_sudoers/nopasswd_sudoers.yml @@ -3,9 +3,11 @@ id: 4505ff28-6260-11ec-85e5-acde48001122 date: '2021-12-21' description: Generated datasets for nopasswd sudoers in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: nopasswd_sudoers +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/nopasswd_sudoers/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudo_su/data.yml b/datasets/attack_techniques/T1548.003/sudo_su/data.yml deleted file mode 100644 index c5dc09c29..000000000 --- a/datasets/attack_techniques/T1548.003/sudo_su/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4a8fc4f9-93e5-428a-9e9f-52cecdea968a -date: '2025-08-12' -description: Automatically categorized datasets in directory sudo_su -environment: attack_range -directory: sudo_su -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml b/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml index 5cb4c6e56..a8ab22d53 100644 --- a/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml +++ b/datasets/attack_techniques/T1548.003/sudo_su/sudo_su.yml @@ -3,9 +3,11 @@ id: 9660d0e4-6d6b-11ec-bc7d-acde48001122 date: '2022-01-04' description: Generated datasets for sudo su in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: sudo_su +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudo_su/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml b/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml deleted file mode 100644 index 1672f8140..000000000 --- a/datasets/attack_techniques/T1548.003/sudoers_temp/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 58a1c487-e83c-41dd-b308-65c4dcdc241c -date: '2025-08-12' -description: Automatically categorized datasets in directory sudoers_temp -environment: attack_range -directory: sudoers_temp -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml b/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml index afb842ed8..d075703d5 100644 --- a/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml +++ b/datasets/attack_techniques/T1548.003/sudoers_temp/sudoers_temp.yml @@ -3,9 +3,11 @@ id: 4ff7f3ee-64a6-11ec-83e6-acde48001122 date: '2021-12-24' description: Generated datasets for sudoers temp in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/003/ \ No newline at end of file +directory: sudoers_temp +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/visudo/data.yml b/datasets/attack_techniques/T1548.003/visudo/data.yml deleted file mode 100644 index 681f074f5..000000000 --- a/datasets/attack_techniques/T1548.003/visudo/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: de19d3cb-4769-4617-9297-076fa48f6c71 -date: '2025-08-12' -description: Automatically categorized datasets in directory visudo -environment: attack_range -directory: visudo -mitre_technique: -- T1548.003 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548.003/visudo/visudo.yml b/datasets/attack_techniques/T1548.003/visudo/visudo.yml index 62825b2ab..f8c850cc6 100644 --- a/datasets/attack_techniques/T1548.003/visudo/visudo.yml +++ b/datasets/attack_techniques/T1548.003/visudo/visudo.yml @@ -3,9 +3,11 @@ id: f5ead72e-625f-11ec-a0f1-acde48001122 date: '2021-12-21' description: Generated datasets for visudo in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands \ No newline at end of file +directory: visudo +mitre_technique: +- T1548.003 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548.003/visudo/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt/apt.yml b/datasets/attack_techniques/T1548/apt/apt.yml index 4f167ac78..2d03fc843 100644 --- a/datasets/attack_techniques/T1548/apt/apt.yml +++ b/datasets/attack_techniques/T1548/apt/apt.yml @@ -3,9 +3,11 @@ id: 142db055-e432-44c3-b013-7560242c5399 date: '2022-08-12' description: Apt linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: apt +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt/data.yml b/datasets/attack_techniques/T1548/apt/data.yml deleted file mode 100644 index 84635d037..000000000 --- a/datasets/attack_techniques/T1548/apt/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dd83f383-1de9-40e6-be9f-300553196148 -date: '2025-08-12' -description: Automatically categorized datasets in directory apt -environment: attack_range -directory: apt -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/apt/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt_get/apt_get.yml b/datasets/attack_techniques/T1548/apt_get/apt_get.yml index a8208668f..f364fc5a5 100644 --- a/datasets/attack_techniques/T1548/apt_get/apt_get.yml +++ b/datasets/attack_techniques/T1548/apt_get/apt_get.yml @@ -3,9 +3,11 @@ id: 626b6584-bdcf-4b12-9e72-6c63eda796c0 date: '2022-08-12' description: apt-get linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: apt_get +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/apt_get/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/apt_get/data.yml b/datasets/attack_techniques/T1548/apt_get/data.yml deleted file mode 100644 index 65a725a91..000000000 --- a/datasets/attack_techniques/T1548/apt_get/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fdd4a2e9-de8b-4caa-93fc-6581fb25e5ce -date: '2025-08-12' -description: Automatically categorized datasets in directory apt_get -environment: attack_range -directory: apt_get -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/apt_get/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/awk/awk.yml b/datasets/attack_techniques/T1548/awk/awk.yml index 670ca187d..99a1fb311 100644 --- a/datasets/attack_techniques/T1548/awk/awk.yml +++ b/datasets/attack_techniques/T1548/awk/awk.yml @@ -3,9 +3,11 @@ id: c243b463-7dbb-4887-8660-b4430e68d73a date: '2022-08-01' description: AWK linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/awk/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: awk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/awk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/awk/data.yml b/datasets/attack_techniques/T1548/awk/data.yml deleted file mode 100644 index 7664523c0..000000000 --- a/datasets/attack_techniques/T1548/awk/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1e63112b-1654-4ca2-a487-ad055e356fa4 -date: '2025-08-12' -description: Automatically categorized datasets in directory awk -environment: attack_range -directory: awk -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/awk/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/busybox/busybox.yml b/datasets/attack_techniques/T1548/busybox/busybox.yml index 6a3f76e4e..a7b887874 100644 --- a/datasets/attack_techniques/T1548/busybox/busybox.yml +++ b/datasets/attack_techniques/T1548/busybox/busybox.yml @@ -3,9 +3,11 @@ id: 391e59ca-5057-4a8a-a009-59525071f11d date: '2022-08-12' description: Busybox linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/busybox/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: busybox +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/busybox/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/busybox/data.yml b/datasets/attack_techniques/T1548/busybox/data.yml deleted file mode 100644 index 3250fcc00..000000000 --- a/datasets/attack_techniques/T1548/busybox/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7cc455d0-b36f-436f-9a2f-c5743a58d0b2 -date: '2025-08-12' -description: Automatically categorized datasets in directory busybox -environment: attack_range -directory: busybox -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/busybox/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c89/c89.yml b/datasets/attack_techniques/T1548/c89/c89.yml index fe88ca5bb..95c4510fa 100644 --- a/datasets/attack_techniques/T1548/c89/c89.yml +++ b/datasets/attack_techniques/T1548/c89/c89.yml @@ -3,9 +3,11 @@ id: b02cf07e-9e11-4c06-a4b3-db7945e9d5d0 date: '2022-08-12' description: C89 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c89/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: c89 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c89/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c89/data.yml b/datasets/attack_techniques/T1548/c89/data.yml deleted file mode 100644 index 2a4d699a1..000000000 --- a/datasets/attack_techniques/T1548/c89/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5406e23f-ed05-4b7a-8bf3-671ca5e4d8ef -date: '2025-08-12' -description: Automatically categorized datasets in directory c89 -environment: attack_range -directory: c89 -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/c89/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c99/c99.yml b/datasets/attack_techniques/T1548/c99/c99.yml index e6e6a95a6..6843d3cec 100644 --- a/datasets/attack_techniques/T1548/c99/c99.yml +++ b/datasets/attack_techniques/T1548/c99/c99.yml @@ -3,9 +3,11 @@ id: 84a4839d-cf5f-42ca-9a96-dfa0b296a94a date: '2022-08-12' description: C99 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/c99/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: c99 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/c99/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/c99/data.yml b/datasets/attack_techniques/T1548/c99/data.yml deleted file mode 100644 index d35d57eed..000000000 --- a/datasets/attack_techniques/T1548/c99/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2dcade8b-581a-457e-8bf9-2d7567cf589b -date: '2025-08-12' -description: Automatically categorized datasets in directory c99 -environment: attack_range -directory: c99 -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/c99/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/composer/composer.yml b/datasets/attack_techniques/T1548/composer/composer.yml index c13784ed1..561cf878e 100644 --- a/datasets/attack_techniques/T1548/composer/composer.yml +++ b/datasets/attack_techniques/T1548/composer/composer.yml @@ -3,9 +3,11 @@ id: 8bc07a27-ecab-485f-b8e1-fdd0506dee06 date: '2022-08-12' description: Composer linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/composer/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: composer +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/composer/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/composer/data.yml b/datasets/attack_techniques/T1548/composer/data.yml deleted file mode 100644 index c295dc51e..000000000 --- a/datasets/attack_techniques/T1548/composer/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b5595dec-ad57-4f4c-b6f3-1bc50b075144 -date: '2025-08-12' -description: Automatically categorized datasets in directory composer -environment: attack_range -directory: composer -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/composer/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml b/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml index 3e1b4c441..1bcfcf5c4 100644 --- a/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml +++ b/datasets/attack_techniques/T1548/cpulimit/cpulimit.yml @@ -3,9 +3,11 @@ id: b0389a29-5eaa-4ec0-aee3-dc8a667ebbb1 date: '2022-08-12' description: Cpulimit linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: cpulimit +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/cpulimit/data.yml b/datasets/attack_techniques/T1548/cpulimit/data.yml deleted file mode 100644 index 7fb5cf589..000000000 --- a/datasets/attack_techniques/T1548/cpulimit/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dc597588-268a-450b-834d-05c8182a1ce9 -date: '2025-08-12' -description: Automatically categorized datasets in directory cpulimit -environment: attack_range -directory: cpulimit -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/cpulimit/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/csvtool/csvtool.yml b/datasets/attack_techniques/T1548/csvtool/csvtool.yml index e08adf684..9b81b3dfc 100644 --- a/datasets/attack_techniques/T1548/csvtool/csvtool.yml +++ b/datasets/attack_techniques/T1548/csvtool/csvtool.yml @@ -3,9 +3,11 @@ id: ab0285b6-cbed-4163-b18a-76e572b0ad34 date: '2022-08-12' description: Csvtool linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/csvtool/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: csvtool +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/csvtool/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/csvtool/data.yml b/datasets/attack_techniques/T1548/csvtool/data.yml deleted file mode 100644 index 63834d835..000000000 --- a/datasets/attack_techniques/T1548/csvtool/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 88bc713c-5a47-4a41-9761-2dda288a059c -date: '2025-08-12' -description: Automatically categorized datasets in directory csvtool -environment: attack_range -directory: csvtool -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/csvtool/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/docker/data.yml b/datasets/attack_techniques/T1548/docker/data.yml deleted file mode 100644 index 3996b33c9..000000000 --- a/datasets/attack_techniques/T1548/docker/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 796f4601-47da-4299-bfec-924e66a7e65a -date: '2025-08-12' -description: Automatically categorized datasets in directory docker -environment: attack_range -directory: docker -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/docker/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/docker/docker.yml b/datasets/attack_techniques/T1548/docker/docker.yml index 7e3f4982e..b22966eef 100644 --- a/datasets/attack_techniques/T1548/docker/docker.yml +++ b/datasets/attack_techniques/T1548/docker/docker.yml @@ -3,9 +3,11 @@ id: 7de57102-fefa-4883-b318-23be33b1a4af date: '2022-08-01' description: Docker linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/docker/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: docker +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/docker/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/emacs/data.yml b/datasets/attack_techniques/T1548/emacs/data.yml deleted file mode 100644 index 563cf240e..000000000 --- a/datasets/attack_techniques/T1548/emacs/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a57ed9db-ec15-46a4-abff-a5f96b20829b -date: '2025-08-12' -description: Automatically categorized datasets in directory emacs -environment: attack_range -directory: emacs -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/emacs/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/emacs/emacs.yml b/datasets/attack_techniques/T1548/emacs/emacs.yml index 240d8bad5..08224ec0d 100644 --- a/datasets/attack_techniques/T1548/emacs/emacs.yml +++ b/datasets/attack_techniques/T1548/emacs/emacs.yml @@ -3,9 +3,11 @@ id: ca038e78-021e-4f4f-ae04-68e58b911625 date: '2022-08-10' description: EMACS linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/emacs/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: emacs +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/emacs/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/find/data.yml b/datasets/attack_techniques/T1548/find/data.yml deleted file mode 100644 index d085f083f..000000000 --- a/datasets/attack_techniques/T1548/find/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0ab02249-96ed-4274-a288-29f6e6078279 -date: '2025-08-12' -description: Automatically categorized datasets in directory find -environment: attack_range -directory: find -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/find/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/find/find.yml b/datasets/attack_techniques/T1548/find/find.yml index 418248b8b..b25c03886 100644 --- a/datasets/attack_techniques/T1548/find/find.yml +++ b/datasets/attack_techniques/T1548/find/find.yml @@ -3,9 +3,11 @@ id: d86175c7-17f9-474d-aaee-686ca19ef406 date: '2022-08-10' description: Find linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/find/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: find +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/find/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gawk/data.yml b/datasets/attack_techniques/T1548/gawk/data.yml deleted file mode 100644 index 5821a27e1..000000000 --- a/datasets/attack_techniques/T1548/gawk/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 485f5b87-615b-4967-a58b-57265b4c4ba5 -date: '2025-08-12' -description: Automatically categorized datasets in directory gawk -environment: attack_range -directory: gawk -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/gawk/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gawk/gawk.yml b/datasets/attack_techniques/T1548/gawk/gawk.yml index 49650fe93..a6c08fa93 100644 --- a/datasets/attack_techniques/T1548/gawk/gawk.yml +++ b/datasets/attack_techniques/T1548/gawk/gawk.yml @@ -3,9 +3,11 @@ id: 77d7bacd-dcba-4c12-92c8-51fd87b25825 date: '2022-08-10' description: GNU Awk linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gawk/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gawk +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gawk/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gdb/data.yml b/datasets/attack_techniques/T1548/gdb/data.yml deleted file mode 100644 index 1e348d581..000000000 --- a/datasets/attack_techniques/T1548/gdb/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3d25c98f-cdd5-4575-be3e-7f6400fa8417 -date: '2025-08-12' -description: Automatically categorized datasets in directory gdb -environment: attack_range -directory: gdb -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/gdb/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gdb/gdb.yml b/datasets/attack_techniques/T1548/gdb/gdb.yml index b836d4154..1698a92c0 100644 --- a/datasets/attack_techniques/T1548/gdb/gdb.yml +++ b/datasets/attack_techniques/T1548/gdb/gdb.yml @@ -3,9 +3,11 @@ id: f312ff8f-272f-44a2-b665-28a52f2d4667 date: '2022-08-10' description: GDB linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gdb/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gdb +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gdb/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gem/data.yml b/datasets/attack_techniques/T1548/gem/data.yml deleted file mode 100644 index 9cbb7177b..000000000 --- a/datasets/attack_techniques/T1548/gem/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5fa0b74d-ff0f-43c3-b2d5-218488f8617d -date: '2025-08-12' -description: Automatically categorized datasets in directory gem -environment: attack_range -directory: gem -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/gem/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/gem/gem.yml b/datasets/attack_techniques/T1548/gem/gem.yml index 618d9e88c..6dbcea522 100644 --- a/datasets/attack_techniques/T1548/gem/gem.yml +++ b/datasets/attack_techniques/T1548/gem/gem.yml @@ -3,9 +3,11 @@ id: e08064be-ad33-4dd7-9cc9-2f7e9ed81302 date: '2022-08-10' description: GEM linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/gem/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: gem +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/gem/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/make/data.yml b/datasets/attack_techniques/T1548/make/data.yml deleted file mode 100644 index e233f322e..000000000 --- a/datasets/attack_techniques/T1548/make/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e50fda40-c860-420b-b4dd-1249adf6bdd6 -date: '2025-08-12' -description: Automatically categorized datasets in directory make -environment: attack_range -directory: make -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/make/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/make/make.yml b/datasets/attack_techniques/T1548/make/make.yml index d8e15c9f0..5bd3e35da 100644 --- a/datasets/attack_techniques/T1548/make/make.yml +++ b/datasets/attack_techniques/T1548/make/make.yml @@ -3,9 +3,11 @@ id: 56a53a5f-56f9-45c6-a29a-4ea5366f90eb date: '2022-08-10' description: Make linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/make/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: make +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/make/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/mysql/data.yml b/datasets/attack_techniques/T1548/mysql/data.yml deleted file mode 100644 index de9248107..000000000 --- a/datasets/attack_techniques/T1548/mysql/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 08c2e44e-757e-4f75-8058-ff20e9b0b32f -date: '2025-08-12' -description: Automatically categorized datasets in directory mysql -environment: attack_range -directory: mysql -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/mysql/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/mysql/mysql.yml b/datasets/attack_techniques/T1548/mysql/mysql.yml index 43b6df931..a17e17a24 100644 --- a/datasets/attack_techniques/T1548/mysql/mysql.yml +++ b/datasets/attack_techniques/T1548/mysql/mysql.yml @@ -3,9 +3,11 @@ id: 6a0e3130-6fdf-4b82-9c1d-a914d1ab63b0 date: '2022-08-10' description: MySQL linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/mysql/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: mysql +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/mysql/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/node/data.yml b/datasets/attack_techniques/T1548/node/data.yml deleted file mode 100644 index 677f38535..000000000 --- a/datasets/attack_techniques/T1548/node/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 08f488c5-ae63-478a-9892-80c250aef768 -date: '2025-08-12' -description: Automatically categorized datasets in directory node -environment: attack_range -directory: node -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/node/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/node/node.yml b/datasets/attack_techniques/T1548/node/node.yml index 9e9803943..72b80c244 100644 --- a/datasets/attack_techniques/T1548/node/node.yml +++ b/datasets/attack_techniques/T1548/node/node.yml @@ -3,9 +3,11 @@ id: 1b157687-1552-49e6-af63-397a9a6a6eb9 date: '2022-08-01' description: Node linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/node/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: node +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/node/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/octave/data.yml b/datasets/attack_techniques/T1548/octave/data.yml deleted file mode 100644 index 9f7651070..000000000 --- a/datasets/attack_techniques/T1548/octave/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 91789434-3628-47ff-b762-5cbfbe3aa64a -date: '2025-08-12' -description: Automatically categorized datasets in directory octave -environment: attack_range -directory: octave -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/octave/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/octave/octave.yml b/datasets/attack_techniques/T1548/octave/octave.yml index 411b6e819..5cb20eb40 100644 --- a/datasets/attack_techniques/T1548/octave/octave.yml +++ b/datasets/attack_techniques/T1548/octave/octave.yml @@ -3,9 +3,11 @@ id: 35f3aae2-eca4-41a7-877d-a19b3a61fab4 date: '2022-08-12' description: Octave linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/octave/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: octave +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/octave/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/openvpn/data.yml b/datasets/attack_techniques/T1548/openvpn/data.yml deleted file mode 100644 index 5b751617d..000000000 --- a/datasets/attack_techniques/T1548/openvpn/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4146ef23-5387-494f-9556-c2578bd68fe2 -date: '2025-08-12' -description: Automatically categorized datasets in directory openvpn -environment: attack_range -directory: openvpn -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/openvpn/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/openvpn/openvpn.yml b/datasets/attack_techniques/T1548/openvpn/openvpn.yml index 155df0449..97d9579b8 100644 --- a/datasets/attack_techniques/T1548/openvpn/openvpn.yml +++ b/datasets/attack_techniques/T1548/openvpn/openvpn.yml @@ -3,9 +3,11 @@ id: 49252518-96e6-4f7a-8392-719c725bc3ca date: '2022-08-12' description: Openvpn linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/openvpn/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: openvpn +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/openvpn/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/php/data.yml b/datasets/attack_techniques/T1548/php/data.yml deleted file mode 100644 index 2c7e21555..000000000 --- a/datasets/attack_techniques/T1548/php/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f272d6a6-44c6-4ec9-ad3b-022d97cc0764 -date: '2025-08-12' -description: Automatically categorized datasets in directory php -environment: attack_range -directory: php -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/php/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/php/php.yml b/datasets/attack_techniques/T1548/php/php.yml index 1309ccfc0..94f838474 100644 --- a/datasets/attack_techniques/T1548/php/php.yml +++ b/datasets/attack_techniques/T1548/php/php.yml @@ -3,9 +3,11 @@ id: a0ef4611-c714-42cf-96e6-f06716d78bb5 date: '2022-08-10' description: PHP linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/php/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: php +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/php/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/puppet/data.yml b/datasets/attack_techniques/T1548/puppet/data.yml deleted file mode 100644 index 0c25dd3a6..000000000 --- a/datasets/attack_techniques/T1548/puppet/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6d26fbf0-6ccc-4934-b2b5-dde73ba1770e -date: '2025-08-12' -description: Automatically categorized datasets in directory puppet -environment: attack_range -directory: puppet -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/puppet/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/puppet/puppet.yml b/datasets/attack_techniques/T1548/puppet/puppet.yml index 32cdf4487..8b045b145 100644 --- a/datasets/attack_techniques/T1548/puppet/puppet.yml +++ b/datasets/attack_techniques/T1548/puppet/puppet.yml @@ -3,9 +3,11 @@ id: 81e7003c-1b44-467f-84da-05a3d38d1d8f date: '2022-08-12' description: Puppet linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/puppet/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: puppet +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/puppet/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/rpm/data.yml b/datasets/attack_techniques/T1548/rpm/data.yml deleted file mode 100644 index e70436f77..000000000 --- a/datasets/attack_techniques/T1548/rpm/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fe50425e-8666-4709-a9c1-7d12a74ad0da -date: '2025-08-12' -description: Automatically categorized datasets in directory rpm -environment: attack_range -directory: rpm -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/rpm/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/rpm/rpm.yml b/datasets/attack_techniques/T1548/rpm/rpm.yml index a4755da80..61b276807 100644 --- a/datasets/attack_techniques/T1548/rpm/rpm.yml +++ b/datasets/attack_techniques/T1548/rpm/rpm.yml @@ -3,9 +3,11 @@ id: bad65c56-3e48-433c-a40c-d5a022da142c date: '2022-08-10' description: RPM linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/rpm/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: rpm +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/rpm/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/ruby/data.yml b/datasets/attack_techniques/T1548/ruby/data.yml deleted file mode 100644 index 577638569..000000000 --- a/datasets/attack_techniques/T1548/ruby/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 96576d3b-4d34-4c26-8b02-088c801b2230 -date: '2025-08-12' -description: Automatically categorized datasets in directory ruby -environment: attack_range -directory: ruby -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/ruby/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/ruby/ruby.yml b/datasets/attack_techniques/T1548/ruby/ruby.yml index 655c5a9dc..c2566b92c 100644 --- a/datasets/attack_techniques/T1548/ruby/ruby.yml +++ b/datasets/attack_techniques/T1548/ruby/ruby.yml @@ -3,9 +3,11 @@ id: c9fcba32-de3a-42b0-8959-0e08ef5ff852 date: '2022-08-10' description: Ruby linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/ruby/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: ruby +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/ruby/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/sqlite3/data.yml b/datasets/attack_techniques/T1548/sqlite3/data.yml deleted file mode 100644 index 507e683dc..000000000 --- a/datasets/attack_techniques/T1548/sqlite3/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8e2562e4-511a-463c-a4e4-360c4875b718 -date: '2025-08-12' -description: Automatically categorized datasets in directory sqlite3 -environment: attack_range -directory: sqlite3 -mitre_technique: -- T1548 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml b/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml index e10fa66e1..582068339 100644 --- a/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml +++ b/datasets/attack_techniques/T1548/sqlite3/sqlite3.yml @@ -3,9 +3,11 @@ id: 5e4819bc-e65a-419c-992d-6219675b5136 date: '2022-08-12' description: Sqlite3 linux living off the land and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/tactics/TA0004/ \ No newline at end of file +directory: sqlite3 +mitre_technique: +- T1548 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1548/sqlite3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/uac_bypass/data.yml b/datasets/attack_techniques/T1548/uac_bypass/data.yml deleted file mode 100644 index d93eec355..000000000 --- a/datasets/attack_techniques/T1548/uac_bypass/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 996c4b6b-5b4c-41df-bc80-d3de2de86829 -date: '2025-08-12' -description: Automatically categorized datasets in directory uac_bypass -environment: attack_range -directory: uac_bypass -mitre_technique: -- T1548 -datasets: -- name: windows-sysmon2 - path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml b/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml index fc1c2bf42..0aa5d03af 100644 --- a/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml +++ b/datasets/attack_techniques/T1548/uac_bypass/uac_bypass.yml @@ -3,9 +3,15 @@ id: cc9b2662-efc9-11eb-926b-550bf0943fbb date: '2021-07-23' description: Privilege elevation abuse by bypassing uac windows feature environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1548/uac_bypass/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1548/ +directory: uac_bypass +mitre_technique: +- T1548 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1548/uac_bypass/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml index 5d903b2c2..b441cbe4a 100644 --- a/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1550.002/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,11 @@ date: '2020-10-08' description: Manual generation of attack data including pass the hash attack with mimikatz and psexec. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.002/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1550/002/ -- https://attack.stealthbits.com/pass-the-hash-attack-explained +directory: atomic_red_team +mitre_technique: +- T1550.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml deleted file mode 100644 index d2d4faa72..000000000 --- a/datasets/attack_techniques/T1550.002/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1a631cf3-6109-4f75-99b7-4e9a221f0e52 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1550.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1550.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.003/mimikatz/data.yml b/datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml similarity index 61% rename from datasets/attack_techniques/T1550.003/mimikatz/data.yml rename to datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml index c5bf5da44..c3c77820b 100644 --- a/datasets/attack_techniques/T1550.003/mimikatz/data.yml +++ b/datasets/attack_techniques/T1550.003/mimikatz/mimikatz.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 957a035d-4fa7-47f9-ab76-8cc25490a68f -date: '2025-08-12' -description: Automatically categorized datasets in directory mimikatz +author: Mauricio Velazco +id: d0a6ab5b-6ff2-4e12-b854-296fdd8d0c9b +date: '2022-01-24' +description: Pass the ticket attack using mimikatz. environment: attack_range directory: mimikatz mitre_technique: diff --git a/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml b/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml deleted file mode 100644 index 25b2da4ed..000000000 --- a/datasets/attack_techniques/T1550.003/mimikatz/mimiktaz.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Mauricio Velazco -id: d0a6ab5b-6ff2-4e12-b854-296fdd8d0c9b -date: '2022-01-24' -description: Pass the ticket attack using mimikatz. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/mimikatz/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://www.tarlogic.com/blog/how-to-attack-kerberos/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1550.003/rubeus/data.yml b/datasets/attack_techniques/T1550.003/rubeus/data.yml deleted file mode 100644 index 6fda0d40c..000000000 --- a/datasets/attack_techniques/T1550.003/rubeus/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 44621d16-89cf-48ca-89e1-1472527c1e86 -date: '2025-08-12' -description: Automatically categorized datasets in directory rubeus -environment: attack_range -directory: rubeus -mitre_technique: -- T1550.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml b/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml index 665c2a06d..1f7c27259 100644 --- a/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1550.003/rubeus/rubeus.yml @@ -1,13 +1,13 @@ author: Mauricio Velazco id: e742e10c-835e-45e2-b3ef-ca9034ca60d5 date: '2022-02-01' -description: Pass the ticket attack using rubeus. +description: Pass the ticket attack using rubeus. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://www.tarlogic.com/blog/how-to-attack-kerberos/ \ No newline at end of file +directory: rubeus +mitre_technique: +- T1550.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550/rubeus/data.yml b/datasets/attack_techniques/T1550/rubeus/data.yml deleted file mode 100644 index e6b8b9f09..000000000 --- a/datasets/attack_techniques/T1550/rubeus/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bd6116d4-7605-463e-b45e-4a2fb4be5118 -date: '2025-08-12' -description: Automatically categorized datasets in directory rubeus -environment: attack_range -directory: rubeus -mitre_technique: -- T1550 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1550/rubeus/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1550/rubeus/rubeus.yml b/datasets/attack_techniques/T1550/rubeus/rubeus.yml index 6d3ffa5db..7d46235c5 100644 --- a/datasets/attack_techniques/T1550/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1550/rubeus/rubeus.yml @@ -3,13 +3,11 @@ id: a26a4ec9-0d36-4e60-8775-c9d7bed4f71d date: '2022-03-09' description: Over pass the hash attack using Rubeus. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/rubeus/windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/GhostPack/Rubeus -- https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a -- https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/ \ No newline at end of file +directory: rubeus +mitre_technique: +- T1550 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1550/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.001/password_in_username/data.yml b/datasets/attack_techniques/T1552.001/password_in_username/data.yml deleted file mode 100644 index 53166fae6..000000000 --- a/datasets/attack_techniques/T1552.001/password_in_username/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f23df0d4-ef53-4e0c-a746-868b586ae291 -date: '2025-08-12' -description: Automatically categorized datasets in directory password_in_username -environment: attack_range -directory: password_in_username -mitre_technique: -- T1552.001 -datasets: -- name: linux_secure - path: /datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml b/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml index bdc6a0351..d595b9acb 100644 --- a/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml +++ b/datasets/attack_techniques/T1552.001/password_in_username/password_in_username.yml @@ -1,11 +1,14 @@ author: Mikael Bjerkeland id: 95aa5e13-2866-494e-a9da-e7cacffa5522 date: '2022-05-27' -description: Linux SSH authentication logs containing a password where the username is expected. +description: Linux SSH authentication logs containing a password where the username + is expected. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log -sourcetypes: -- linux_secure -references: -- https://attack.mitre.org/techniques/T1552/001 +directory: password_in_username +mitre_technique: +- T1552.001 +datasets: +- name: linux_secure + path: /datasets/attack_techniques/T1552.001/password_in_username/linux_secure.log + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml b/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml index dfe46655f..4ac841722 100644 --- a/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml +++ b/datasets/attack_techniques/T1552.002/autoadminlogon/autoadminlogon.yml @@ -1,11 +1,13 @@ author: Teoderick Contreras id: 6458a36b-ed61-4a99-8e75-1da62434adac date: '2021-09-06' -description: Simulated datasets for creation of autoadminlogon entry in registry - name. +description: Simulated datasets for creation of autoadminlogon entry in registry name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - +directory: autoadminlogon +mitre_technique: +- T1552.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml b/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml deleted file mode 100644 index a48933318..000000000 --- a/datasets/attack_techniques/T1552.002/autoadminlogon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 062ef41e-87b7-415a-8cbf-63dc7d7e7740 -date: '2025-08-12' -description: Automatically categorized datasets in directory autoadminlogon -environment: attack_range -directory: autoadminlogon -mitre_technique: -- T1552.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1552.002/autoadminlogon/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml deleted file mode 100644 index 800bb4e37..000000000 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d2d974c3-1492-4a98-a6b2-d84a25c0dbe9 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_gpg -environment: attack_range -directory: linux_auditd_find_gpg -mitre_technique: -- T1552.004 -datasets: -- name: auditd_execve_find_gpg - path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log - sourcetype: auditd - source: auditd -- name: linux_auditd_find_gpg - path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml index c2b327ad2..22afeacb4 100644 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml @@ -3,9 +3,15 @@ id: c188ccb2-efa0-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find gpg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_find_gpg +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/auditd_execve_find_gpg.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_gpg + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml deleted file mode 100644 index 062f87903..000000000 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f47e34f8-1a74-4c3b-8611-b925be2555fe -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_ssh_files -environment: attack_range -directory: linux_auditd_find_ssh_files -mitre_technique: -- T1552.004 -datasets: -- name: auditd_execve_find_ssh - path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log - sourcetype: auditd - source: auditd -- name: linux_auditd_find_ssh_files - path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml index 6bb190525..7f0831d2a 100644 --- a/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml +++ b/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml @@ -3,9 +3,15 @@ id: 90026cbe-ef98-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find ssh files in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_ssh_files +mitre_technique: +- T1552.004 +datasets: +- name: auditd_execve_find_ssh + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/auditd_execve_find_ssh.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_ssh_files + path: /datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml deleted file mode 100644 index ed5e0f99f..000000000 --- a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 451d2b6a-bd0d-4427-a26c-9b7133e5d949 -date: '2025-08-12' -description: Automatically categorized datasets in directory findstr_gpp_discovery -environment: attack_range -directory: findstr_gpp_discovery -mitre_technique: -- T1552.006 -datasets: -- name: windows-4688 - path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: windows-security - path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml index 6734d9c5a..661ee9650 100644 --- a/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml +++ b/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/findstr_gpp_discovery.yml @@ -3,13 +3,15 @@ id: 50f6c117-ff07-46d8-88fd-cc38515187f1 date: '2023-03-17' description: Manually executed findstr attempt to find retrieve GPP credentials. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1552 -- https://attack.mitre.org/techniques/T1552/006/ -- https://pentestlab.blog/2017/03/20/group-policy-preferences/ \ No newline at end of file +directory: findstr_gpp_discovery +mitre_technique: +- T1552.006 +datasets: +- name: windows-4688 + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-4688.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: windows-security + path: /datasets/attack_techniques/T1552.006/findstr_gpp_discovery/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml b/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml index 84a0978b3..c8180e221 100644 --- a/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml +++ b/datasets/attack_techniques/T1552/aws_getpassworddata/aws_getpassworddata.yml @@ -1 +1,17 @@ -aws_getpassworddata \ No newline at end of file +author: Generated by dataset_analyzer.py +id: 5a01d722-30cb-4138-9311-e53f76912938 +date: '2025-08-12' +description: Automatically categorized datasets in directory aws_getpassworddata +environment: attack_range +directory: aws_getpassworddata +mitre_technique: +- T1552 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml b/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml deleted file mode 100644 index c8180e221..000000000 --- a/datasets/attack_techniques/T1552/aws_getpassworddata/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5a01d722-30cb-4138-9311-e53f76912938 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_getpassworddata -environment: attack_range -directory: aws_getpassworddata -mitre_technique: -- T1552 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1552/aws_getpassworddata/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1552/aws_getpassworddata/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1553.003/sip/data.yml b/datasets/attack_techniques/T1553.003/sip/data.yml deleted file mode 100644 index e0f8f28c2..000000000 --- a/datasets/attack_techniques/T1553.003/sip/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 66a8b6b1-9df5-468b-a7f9-1f2daf58b90a -date: '2025-08-12' -description: Automatically categorized datasets in directory sip -environment: attack_range -directory: sip -mitre_technique: -- T1553.003 -datasets: -- name: sip_windows-sysmon - path: /datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.003/sip/sip.yml b/datasets/attack_techniques/T1553.003/sip/sip.yml index ed8c94376..b9e763f7c 100644 --- a/datasets/attack_techniques/T1553.003/sip/sip.yml +++ b/datasets/attack_techniques/T1553.003/sip/sip.yml @@ -1,17 +1,13 @@ author: Michael Haag, Splunk id: 579f138c-67a8-11ee-8c99-0242ac120002 date: '2023-10-10' -description: 'Manual testing of adding a SIP provider to the registry' +description: Manual testing of adding a SIP provider to the registry environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- XmlWinEventLog -- PwSh:SubjectInterfacePackage -references: -- https://attack.mitre.org/techniques/T1553/003/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md +directory: sip +mitre_technique: +- T1553.003 +datasets: +- name: sip_windows-sysmon + path: /datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml index 98a7ca3f7..fd5e4a802 100644 --- a/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1553.004/atomic_red_team/atomic_red_team.yml @@ -5,16 +5,11 @@ description: 'Atomic Test Results: Return value unclear for test T1553.004-4 Ins root CA on Windows Successful Execution of test T1553.004-5 Install root CA on Windows with certutil ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1553/004/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md +directory: atomic_red_team +mitre_technique: +- T1553.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml deleted file mode 100644 index 080162783..000000000 --- a/datasets/attack_techniques/T1553.004/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1587bd09-a874-4262-9a83-2ce3f62a75b3 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1553.004 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml deleted file mode 100644 index 0973df9f6..000000000 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e790ff3f-0157-4dd9-9c85-d48d212e7883 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_credentials -environment: attack_range -directory: linux_auditd_find_credentials -mitre_technique: -- T1555.005 -datasets: -- name: auditd_execve_find_creds - path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log - sourcetype: auditd - source: auditd -- name: linux_auditd_find_credentials - path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml index 5dba62138..e34b8797f 100644 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml @@ -3,9 +3,15 @@ id: 00d8d032-ef98-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find credentials in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_credentials +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_find_creds + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/auditd_execve_find_creds.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_credentials + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml deleted file mode 100644 index 3766c1ee0..000000000 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e1f9bef4-220d-42c1-b268-c77e3f425bf9 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_find_password_db -environment: attack_range -directory: linux_auditd_find_password_db -mitre_technique: -- T1555.005 -datasets: -- name: auditd_execve_pwd_mgr - path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log - sourcetype: auditd - source: auditd -- name: linux_auditd_find_password_db - path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml index dce9950ff..6175b79a6 100644 --- a/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml +++ b/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.yml @@ -3,9 +3,15 @@ id: 465abfd6-ef97-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd find password db in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log -sourcetypes: -- 'auditd' -references: -- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS \ No newline at end of file +directory: linux_auditd_find_password_db +mitre_technique: +- T1555.005 +datasets: +- name: auditd_execve_pwd_mgr + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/auditd_execve_pwd_mgr.log + sourcetype: auditd + source: auditd +- name: linux_auditd_find_password_db + path: /datasets/attack_techniques/T1555.005/linux_auditd_find_password_db/linux_auditd_find_password_db.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml b/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml deleted file mode 100644 index e61cae756..000000000 --- a/datasets/attack_techniques/T1555/web_browser_pass_view/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 172a8e06-fad0-4cb3-beb5-7076f3dd3a72 -date: '2025-08-12' -description: Automatically categorized datasets in directory web_browser_pass_view -environment: attack_range -directory: web_browser_pass_view -mitre_technique: -- T1555 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml b/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml index 90f4a1d19..74a7d0db3 100644 --- a/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml +++ b/datasets/attack_techniques/T1555/web_browser_pass_view/web_browser_pass_view.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: c3e68b5e-babb-4ef1-b835-62de0b025006 date: '2021-11-22' -description: 'simulated brwser pass view application used by remcos in attackrange' +description: simulated brwser pass view application used by remcos in attackrange environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: web_browser_pass_view +mitre_technique: +- T1555 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1555/web_browser_pass_view/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml index caf02930b..7dd30725e 100644 --- a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml @@ -3,9 +3,11 @@ id: an9b2653-efc1-11eb-926b-550bf0943fbb date: '2022-03-30' description: Atomic testing with T1553.005 related to lnk and iso. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1558/001 +directory: atomic_red_team +mitre_technique: +- T1556.001 +datasets: +- name: iso_windows-sysmon + path: /datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml deleted file mode 100644 index 7393c5a04..000000000 --- a/datasets/attack_techniques/T1556.001/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ba1a56e1-43ee-4899-88d4-d72efb4570b0 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1556.001 -datasets: -- name: iso_windows-sysmon - path: /datasets/attack_techniques/T1556.001/atomic_red_team/iso_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml index 3108607e0..128832e36 100644 --- a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml +++ b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/aws_new_mfa_method_registered_for_user.yml @@ -2,14 +2,12 @@ author: Bhavin Patel id: ff860c11-881f-4d35-a9a9-83b3f311f171 date: '2023-05-22' description: Registed new MFA methods for an AWS Account -environment: AWS Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1078/004/ -- https://attack.mitre.org/techniques/T1535/ +environment: attack_range +directory: aws_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml b/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml deleted file mode 100644 index 1c74bf040..000000000 --- a/datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e077e0c0-0467-4a1b-ad04-4d459a5ecbb9 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_new_mfa_method_registered_for_user -environment: attack_range -directory: aws_new_mfa_method_registered_for_user -mitre_technique: -- T1556.006 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1556.006/aws_new_mfa_method_registered_for_user/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml index 0977f6b77..0f7aa321c 100644 --- a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml +++ b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azure_ad_new_mfa_method_registered_for_user.yml @@ -2,13 +2,12 @@ author: Mauricio Velazco id: ff860c21-881f-4d35-a9a9-83b3f38bf171 date: '2023-01-30' description: Registed new MFA methods for an Azure AD account -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/techniques/T1556/006/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: azure_ad_new_mfa_method_registered_for_user +mitre_technique: +- T1556.006 +datasets: +- name: azuread + path: /datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml b/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml deleted file mode 100644 index 33f6d4262..000000000 --- a/datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2c96fad9-2e4f-4a71-939a-28d62cf82bff -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_new_mfa_method_registered_for_user -environment: attack_range -directory: azure_ad_new_mfa_method_registered_for_user -mitre_technique: -- T1556.006 -datasets: -- name: azuread - path: /datasets/attack_techniques/T1556.006/azure_ad_new_mfa_method_registered_for_user/azuread.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml deleted file mode 100644 index 340c70eb3..000000000 --- a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e62c09b1-4efa-4a84-83a1-5fb3e530a7ce -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_mfa_method_disabled -environment: attack_range -directory: okta_mfa_method_disabled -mitre_technique: -- T1556.006 -datasets: -- name: okta_mfa_method_disabled - path: /datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml index d0c8231d3..7cb8a195c 100644 --- a/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml +++ b/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: b582f8e4-283c-4b96-b64d-7723c540ff5e date: '2024-03-11' description: Using the Okta admin portal, disabled MFA for a user. -environment: Okta tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/techniques/T1556/006/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: okta_mfa_method_disabled +mitre_technique: +- T1556.006 +datasets: +- name: okta_mfa_method_disabled + path: /datasets/attack_techniques/T1556.006/okta_mfa_method_disabled/okta_mfa_method_disabled.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1556/azuread/azuread.yml b/datasets/attack_techniques/T1556/azuread/azuread.yml index 80fd66626..60fa2e3b5 100644 --- a/datasets/attack_techniques/T1556/azuread/azuread.yml +++ b/datasets/attack_techniques/T1556/azuread/azuread.yml @@ -2,12 +2,12 @@ author: Mauricio Velazco id: b0db79c9-1e82-4a32-9f69-998dc33508a8 date: '2022-08-15' description: Logs on disabling the MFA for a user -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/tactics/TA0005/ +environment: attack_range +directory: azuread +mitre_technique: +- T1556 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1556/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1556/azuread/data.yml b/datasets/attack_techniques/T1556/azuread/data.yml deleted file mode 100644 index 6d799dd16..000000000 --- a/datasets/attack_techniques/T1556/azuread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cd1405fd-b93c-4a6f-b2a9-0b53686f2433 -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread -environment: attack_range -directory: azuread -mitre_technique: -- T1556 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1556/azuread/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml index 9934f8881..64b9d30e5 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_bulk_policy_deletion.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 01167925-4c70-4c62-a850-54c3da8ed54e date: '2025-07-10' -description: 'Deleted multiple policies in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Deleted multiple policies in Duo. +environment: attack_range +directory: cisco_duo_bulk_policy_deletion +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml deleted file mode 100644 index c7964a871..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0d7e70f9-9e88-47d6-96be-a99ec7575c3b -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_bulk_policy_deletion -environment: attack_range -directory: cisco_duo_bulk_policy_deletion -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_bulk_policy_deletion/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml index b4c51c368..5c1fe45d1 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_bypass_2FA.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 27cc5ad7-1afd-4409-863e-9fac6f4cf941 date: '2025-07-08' -description: 'Changed the setting for a user to allow them to bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json -sourcetypes: -- cisco:duo:activity -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Changed the setting for a user to allow them to bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml deleted file mode 100644 index 58ac3fac9..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6be87cd6-7c22-4d5b-943c-280e247b513b -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_bypass_2FA -environment: attack_range -directory: cisco_duo_bypass_2FA -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_activity-json - path: /datasets/attack_techniques/T1556/cisco_duo_bypass_2FA/cisco_duo_activity.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml index f76903594..24fd522c6 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_bypass_code.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 876dbd42-57bb-40dc-a61f-269b6b6f6a4a date: '2025-07-08' -description: 'Generate a bypass code for a user in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Generate a bypass code for a user in Duo. +environment: attack_range +directory: cisco_duo_bypass_code +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml b/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml deleted file mode 100644 index 4935988e3..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_bypass_code/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 939ea572-9e7c-4ae9-a836-617784164af1 -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_bypass_code -environment: attack_range -directory: cisco_duo_bypass_code -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_activity-json - path: /datasets/attack_techniques/T1556/cisco_duo_bypass_code/cisco_duo_activity.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml index 065d52878..5194dde9a 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_policy_allow_devices_without_screen_lock.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 61a63676-89fe-4c8a-aa62-f0cf0e917837 date: '2025-07-10' -description: 'Created a policy which allows devices without screen lock in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows devices without screen lock in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_devices_without_screen_lock +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml deleted file mode 100644 index 647d81b7c..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 071be2b7-ab82-4cf2-9936-8e8f18cbd5b3 -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_allow_devices_without_screen_lock -environment: attack_range -directory: cisco_duo_policy_allow_devices_without_screen_lock -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_devices_without_screen_lock/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml index e9e870c09..a956feb72 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_policy_allow_network_bypass_2fa.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: db6c74e0-aaac-4bd2-b557-d2327746d105 date: '2025-07-09' -description: 'Created a policy which allow network bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allow network bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_network_bypass_2fa +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml deleted file mode 100644 index d1c39166b..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ddd9ffce-4138-41a6-9303-9b633243aa75 -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_allow_network_bypass_2fa -environment: attack_range -directory: cisco_duo_policy_allow_network_bypass_2fa -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_network_bypass_2fa/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml index 03f465fb2..d15e62040 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_policy_allow_old_flash_and_java.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: ed19ab1d-7610-4e8c-89a9-8c82ff450bb0 date: '2025-07-09' -description: 'Created a policy which allow old Flash and Java versions in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allow old Flash and Java versions in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_old_flash_and_java +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml deleted file mode 100644 index a1c918eea..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5f3d2064-96f4-4005-b4fe-60419e730c90 -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_allow_old_flash_and_java -environment: attack_range -directory: cisco_duo_policy_allow_old_flash_and_java -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_old_flash_and_java/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml index d3a55b959..4f333f8fe 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_policy_allow_tampered_devices.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: b8be207e-3693-4653-aecf-a26dba43c5cc date: '2025-07-10' -description: 'Created a policy which allows tampered devices in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows tampered devices in Duo. +environment: attack_range +directory: cisco_duo_policy_allow_tampered_devices +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml deleted file mode 100644 index 4f5e9d60a..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ec7ccf81-dd65-4165-86f2-b6944d78a88f -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_allow_tampered_devices -environment: attack_range -directory: cisco_duo_policy_allow_tampered_devices -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_allow_tampered_devices/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml index 153f08a31..7214f530a 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_policy_bypass_2FA.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 6aa8cb0c-fde5-4c1f-abc6-45aba2142277 date: '2025-07-08' -description: 'Created a policy which allows bypass 2FA in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows bypass 2FA in Duo. +environment: attack_range +directory: cisco_duo_policy_bypass_2FA +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml deleted file mode 100644 index 6847614fc..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 053ebc2a-2710-4f75-81df-b9a65944533f -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_bypass_2FA -environment: attack_range -directory: cisco_duo_policy_bypass_2FA -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml index 3276c7fc3..b04bc9352 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_policy_bypass_2FA_other_countries.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: bf1b3ff6-c06c-4782-8949-8f3dfc7557c2 date: '2025-07-08' -description: 'Created a policy which allows bypass 2FA in Duo for users in other countries.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which allows bypass 2FA in Duo for users in other countries. +environment: attack_range +directory: cisco_duo_policy_bypass_2FA_other_countries +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml deleted file mode 100644 index 81cb6b340..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cfcb4f50-ccb5-47e8-abe2-c08ba1afccfe -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_bypass_2FA_other_countries -environment: attack_range -directory: cisco_duo_policy_bypass_2FA_other_countries -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_bypass_2FA_other_countries/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml index 01a64ca68..aded80a84 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_policy_deny_access.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 4cad132f-5b35-4397-8a0a-4566272264ed date: '2025-07-08' -description: 'Created a policy which denies access in Duo.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json -sourcetypes: -- cisco:duo:administrator -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Created a policy which denies access in Duo. +environment: attack_range +directory: cisco_duo_policy_deny_access +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_administrator-json + path: /datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml b/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml deleted file mode 100644 index e05354e13..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4236f200-67d0-4e81-94aa-ce1118a21b67 -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_policy_deny_access -environment: attack_range -directory: cisco_duo_policy_deny_access -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_administrator-json - path: /datasets/attack_techniques/T1556/cisco_duo_policy_deny_access/cisco_duo_administrator.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml index 9fb62aa09..c0c46365d 100644 --- a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml +++ b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_unusual_admin_login.yml @@ -1,11 +1,13 @@ author: Patrick Bareiss id: 8bb65e4d-656a-40a8-a8be-0f3735f4a9e5 date: '2025-07-10' -description: 'Logged in as an admin from an unusual location.' -environment: Cisco Duo Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json -sourcetypes: -- cisco:duo:activity -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Logged in as an admin from an unusual location. +environment: attack_range +directory: cisco_duo_unusual_admin_login +mitre_technique: +- T1556 +datasets: +- name: cisco_duo_activity-json + path: /datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json + sourcetype: cisco:duo:administrator + source: duo diff --git a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml b/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml deleted file mode 100644 index ec522a774..000000000 --- a/datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b79ca3b3-cc3a-4939-be70-52ea168a9b9d -date: '2025-08-12' -description: Automatically categorized datasets in directory cisco_duo_unusual_admin_login -environment: attack_range -directory: cisco_duo_unusual_admin_login -mitre_technique: -- T1556 -datasets: -- name: cisco_duo_activity-json - path: /datasets/attack_techniques/T1556/cisco_duo_unusual_admin_login/cisco_duo_activity.json - sourcetype: cisco:duo:administrator - source: duo diff --git a/datasets/attack_techniques/T1556/disable_credential_guard/data.yml b/datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml similarity index 61% rename from datasets/attack_techniques/T1556/disable_credential_guard/data.yml rename to datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml index 9a4276058..97c2a5bc1 100644 --- a/datasets/attack_techniques/T1556/disable_credential_guard/data.yml +++ b/datasets/attack_techniques/T1556/disable_credential_guard/disable_credential_guard.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 6f242979-0056-4757-b94a-78e66b227fc4 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_credential_guard +author: Dean Luxton +id: 3c82c945-1a1f-47c7-86ed-f74ba444767f +date: '2022-08-23' +description: Deleteing the credential guard reg keys to disable credential guard on + a windows host. environment: attack_range directory: disable_credential_guard mitre_technique: diff --git a/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml b/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml deleted file mode 100644 index 61088f0fd..000000000 --- a/datasets/attack_techniques/T1556/disable_credential_guard/lsacfgflags.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Dean Luxton -id: 3c82c945-1a1f-47c7-86ed-f74ba444767f -date: '2022-08-23' -description: Deleteing the credential guard reg keys to disable credential guard on a windows host. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_credential_guard/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage -- https://teamhydra.blog/2020/08/25/bypassing-credential-guard - diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection/data.yml b/datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml similarity index 61% rename from datasets/attack_techniques/T1556/disable_lsa_protection/data.yml rename to datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml index f4f5c6feb..364da443c 100644 --- a/datasets/attack_techniques/T1556/disable_lsa_protection/data.yml +++ b/datasets/attack_techniques/T1556/disable_lsa_protection/disable_lsa_protection.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 570ad81c-9a71-467b-b35e-0401e26e32ff -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_lsa_protection +author: Dean Luxton +id: 8de764d7-2723-4ed0-bd65-1990c2cd9347 +date: '2022-08-23' +description: Disabling LSA Protection by deleting registry keys. environment: attack_range directory: disable_lsa_protection mitre_technique: diff --git a/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml b/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml deleted file mode 100644 index b9d1f4042..000000000 --- a/datasets/attack_techniques/T1556/disable_lsa_protection/runasppl.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Dean Luxton -id: 8de764d7-2723-4ed0-bd65-1990c2cd9347 -date: '2022-08-23' -description: Disabling LSA Protection by deleting registry keys. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/disable_lsa_protection/windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection -- https://itm4n.github.io/lsass-runasppl/ -- https://attack.mitre.org/techniques/T1556 diff --git a/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml b/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml deleted file mode 100644 index 2c7002109..000000000 --- a/datasets/attack_techniques/T1556/gcp_disable_mfa/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e5814663-c3fa-41fb-bbf5-3d1cd4289c26 -date: '2025-08-12' -description: Automatically categorized datasets in directory gcp_disable_mfa -environment: attack_range -directory: gcp_disable_mfa -mitre_technique: -- T1556 -datasets: -- name: gws_admin - path: /datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log - sourcetype: gws:reports:login - source: gws:reports:login diff --git a/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml b/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml index 1a18b1ecc..b95a4ad5e 100644 --- a/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml +++ b/datasets/attack_techniques/T1556/gcp_disable_mfa/gcp_disable_mfa.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 0d1788e7-075f-4777-bdc4-f782e1dc4d4e date: '2022-10-13' -description: Logs generated by manually disabling second factor authentication for a GWS user. -environment: Google Workspace Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log -sourcetypes: -- gws:reports:admin -references: -- https://support.google.com/a/answer/175197?hl=en -- https://attack.mitre.org/techniques/T1556/ -- https://attack.mitre.org/tactics/TA0005/ +description: Logs generated by manually disabling second factor authentication for + a GWS user. +environment: attack_range +directory: gcp_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: gws_admin + path: /datasets/attack_techniques/T1556/gcp_disable_mfa/gws_admin.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml b/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml deleted file mode 100644 index d4b43115c..000000000 --- a/datasets/attack_techniques/T1556/o365_disable_mfa/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3b6a5f7e-baad-4d6e-8bfb-cd3132131c00 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_disable_mfa -environment: attack_range -directory: o365_disable_mfa -mitre_technique: -- T1556 -datasets: -- name: o365_disable_mfa-json - path: /datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml b/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml index 3b2942445..5a6cb7e57 100644 --- a/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml +++ b/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.yml @@ -3,10 +3,11 @@ id: cc9b25d1-efc9-11eb-926b-550bf0943fbb date: '2020-12-17' description: Disbale mfa for user in Office 365. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1556 -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf +directory: o365_disable_mfa +mitre_technique: +- T1556 +datasets: +- name: o365_disable_mfa-json + path: /datasets/attack_techniques/T1556/o365_disable_mfa/o365_disable_mfa.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml b/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml deleted file mode 100644 index 3eb2a0c4c..000000000 --- a/datasets/attack_techniques/T1556/o365_sso_logon_errors/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eb3e3dbc-83c7-4441-8453-e565eabcd63c -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_sso_logon_errors -environment: attack_range -directory: o365_sso_logon_errors -mitre_technique: -- T1556 -datasets: -- name: o365_sso_logon_errors2-json - path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json - sourcetype: o365:management:activity - source: o365 -- name: o365_sso_logon_errors-json - path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml b/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml index f6911ec45..585974801 100644 --- a/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml +++ b/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.yml @@ -2,10 +2,16 @@ author: Patrick Bareiss id: cc9b25d0-efc9-11eb-926b-550bf0943fbb date: '2021-02-01' description: Multiple failed sso logins to O365 -environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1136/003/ +environment: attack_range +directory: o365_sso_logon_errors +mitre_technique: +- T1556 +datasets: +- name: o365_sso_logon_errors2-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors2.json + sourcetype: o365:management:activity + source: o365 +- name: o365_sso_logon_errors-json + path: /datasets/attack_techniques/T1556/o365_sso_logon_errors/o365_sso_logon_errors.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1556/okta_idp/data.yml b/datasets/attack_techniques/T1556/okta_idp/data.yml deleted file mode 100644 index c50cb451e..000000000 --- a/datasets/attack_techniques/T1556/okta_idp/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b10d5453-11cd-4c0e-b54a-bd39a9a378b2 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_idp -environment: attack_range -directory: okta_idp -mitre_technique: -- T1556 -datasets: -- name: okta - path: /datasets/attack_techniques/T1556/okta_idp/okta.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml b/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml index e5b4afc4b..172228fc6 100644 --- a/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml +++ b/datasets/attack_techniques/T1556/okta_idp/okta_idp.yml @@ -1,11 +1,13 @@ author: Bhavin Patel id: 6a21e46e-d759-11e0-bbd6-932611ee0111 date: '2024-03-05' -description: 'Manually generated multple IDP changes in the OKTA tenant' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556/okta_idp/okta.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1556/ \ No newline at end of file +description: Manually generated multple IDP changes in the OKTA tenant +environment: attack_range +directory: okta_idp +mitre_technique: +- T1556 +datasets: +- name: okta + path: /datasets/attack_techniques/T1556/okta_idp/okta.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml index 4e774559c..4c405ceae 100644 --- a/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1558.003/atomic_red_team/atomic_red_team.yml @@ -4,16 +4,15 @@ date: '2020-10-08' description: Manual kerberoasting attack with mimikatz. Changed the kerberos encryption type to RC4. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting +directory: atomic_red_team +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_setspn + path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml b/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml deleted file mode 100644 index 4bdb45888..000000000 --- a/datasets/attack_techniques/T1558.003/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e1c8b999-8e87-4649-9afe-277aa7cb3eb2 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1558.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_setspn - path: /datasets/attack_techniques/T1558.003/atomic_red_team/windows-sysmon_setspn.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/powerview-2/data.yml b/datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml similarity index 61% rename from datasets/attack_techniques/T1558.003/powerview-2/data.yml rename to datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml index 5c84a4f50..a95a112c0 100644 --- a/datasets/attack_techniques/T1558.003/powerview-2/data.yml +++ b/datasets/attack_techniques/T1558.003/powerview-2/powerview-2.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 70f96415-e191-491d-8e60-78bbe77ce27e -date: '2025-08-12' -description: Automatically categorized datasets in directory powerview-2 +author: Gowthamaraj rajendran +id: 53fefaf9-134b-4b74-be5e-041ca28ec967 +date: '2022-06-23' +description: Using PowerView manually to get SPN accounts using Get-DomainUser or + Get-NetUser environment: attack_range directory: powerview-2 mitre_technique: diff --git a/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml b/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml deleted file mode 100644 index 403f6cd7b..000000000 --- a/datasets/attack_techniques/T1558.003/powerview-2/powerview.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Gowthamaraj rajendran -id: 53fefaf9-134b-4b74-be5e-041ca28ec967 -date: '2022-06-23' -description: 'Using PowerView manually to get SPN accounts using Get-DomainUser or Get-NetUser' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview-2/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 diff --git a/datasets/attack_techniques/T1558.003/powerview/data.yml b/datasets/attack_techniques/T1558.003/powerview/data.yml deleted file mode 100644 index 226d08e3a..000000000 --- a/datasets/attack_techniques/T1558.003/powerview/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 75ef962f-17d4-41a4-812c-b261aad2112b -date: '2025-08-12' -description: Automatically categorized datasets in directory powerview -environment: attack_range -directory: powerview -mitre_technique: -- T1558.003 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/powerview/powerview.yml b/datasets/attack_techniques/T1558.003/powerview/powerview.yml index 2824a9fd2..a8a22131b 100644 --- a/datasets/attack_techniques/T1558.003/powerview/powerview.yml +++ b/datasets/attack_techniques/T1558.003/powerview/powerview.yml @@ -1,12 +1,13 @@ author: Mauricio Velazco id: 87715e15-e2ad-4d63-910c-38f2a017601c date: '2022-06-22' -description: 'Using PowerView manually to obtain a Kerberos service ticket using Get-DomainSPNTicket' +description: Using PowerView manually to obtain a Kerberos service ticket using Get-DomainSPNTicket environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 +directory: powerview +mitre_technique: +- T1558.003 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.003/powerview/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1558.003/rubeus/data.yml b/datasets/attack_techniques/T1558.003/rubeus/data.yml deleted file mode 100644 index 5d06bb099..000000000 --- a/datasets/attack_techniques/T1558.003/rubeus/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 31260f5f-691e-4d5c-8eef-38f89bb214b6 -date: '2025-08-12' -description: Automatically categorized datasets in directory rubeus -environment: attack_range -directory: rubeus -mitre_technique: -- T1558.003 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml b/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml index 3df1e0af3..834c8bfa7 100644 --- a/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml +++ b/datasets/attack_techniques/T1558.003/rubeus/rubeus.yml @@ -1,14 +1,14 @@ author: Mauricio Velazco id: 5c49aefd-bc2a-4af3-94b5-6f8c16be3c70 date: '2022-02-11' -description: Manual kerberoasting attack with Rubeus. Created 30 service accounts with SPNs. +description: Manual kerberoasting attack with Rubeus. Created 30 service accounts + with SPNs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log -sourcetypes: -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1558/003 -- https://github.com/GhostPack/Rubeus +directory: rubeus +mitre_technique: +- T1558.003 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1558.003/rubeus/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558.004/powershell/data.yml b/datasets/attack_techniques/T1558.004/powershell/data.yml deleted file mode 100644 index 875e0a373..000000000 --- a/datasets/attack_techniques/T1558.004/powershell/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 015dddbe-14cb-46b3-8a64-2224cc236746 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell -environment: attack_range -directory: powershell -mitre_technique: -- T1558.004 -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-security-xml - path: /datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558.004/powershell/powershell.yml b/datasets/attack_techniques/T1558.004/powershell/powershell.yml index e6a93933c..7cb9ded39 100644 --- a/datasets/attack_techniques/T1558.004/powershell/powershell.yml +++ b/datasets/attack_techniques/T1558.004/powershell/powershell.yml @@ -1,14 +1,18 @@ author: Mauricio Velazco id: 1f409a75-25d7-4ac6-99d1-27ae0bca0f4a date: '2022-02-22' -description: Using PowerShell to manually update the Kerberos Pre Authentication flag on a domain account using Set-ADAccountControl. +description: Using PowerShell to manually update the Kerberos Pre Authentication flag + on a domain account using Set-ADAccountControl. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1558/004 -- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/ +directory: powershell +mitre_technique: +- T1558.004 +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-security-xml + path: /datasets/attack_techniques/T1558.004/powershell/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1558/diamond_ticket/data.yml b/datasets/attack_techniques/T1558/diamond_ticket/data.yml deleted file mode 100644 index 6b25980ed..000000000 --- a/datasets/attack_techniques/T1558/diamond_ticket/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 46f9b6f5-699f-4cd0-bc05-3f99ca6b4213 -date: '2025-08-12' -description: Automatically categorized datasets in directory diamond_ticket -environment: attack_range -directory: diamond_ticket -mitre_technique: -- T1558 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1558/diamond_ticket/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml b/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml index 216aa2d97..4d0177253 100644 --- a/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml +++ b/datasets/attack_techniques/T1558/diamond_ticket/diamond_ticket.yml @@ -3,12 +3,11 @@ id: be469518-9d2d-4ebb-b839-12683cd18a7c date: '2023-10-05' description: Manual simulation of the diamond ticket attack using rubeus and mimikatz. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558/diamond_ticket/sysmon.log -sourcetypes: -- XmlWinEventLog -references: -- https://trustedsec.com/blog/a-diamond-in-the-ruff -- https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks -- https://github.com/GhostPack/Rubeus/pull/136 +directory: diamond_ticket +mitre_technique: +- T1558 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1558/diamond_ticket/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml b/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml index 59972629e..d2eda3cac 100644 --- a/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml +++ b/datasets/attack_techniques/T1560.001/archive_utility/archive_utility.yml @@ -4,11 +4,11 @@ date: '2021-04-22' description: The following data was generated with Cobalt Strike spawning 7z.exe to archive files on disk. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1560/001/ -- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ -- https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ +directory: archive_utility +mitre_technique: +- T1560.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1560.001/archive_utility/data.yml b/datasets/attack_techniques/T1560.001/archive_utility/data.yml deleted file mode 100644 index 44b03c5b3..000000000 --- a/datasets/attack_techniques/T1560.001/archive_utility/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4088cfe5-7d90-48ed-8457-e891fd89c657 -date: '2025-08-12' -description: Automatically categorized datasets in directory archive_utility -environment: attack_range -directory: archive_utility -mitre_technique: -- T1560.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1560.001/archive_utility/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml b/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml deleted file mode 100644 index 5b587ae39..000000000 --- a/datasets/attack_techniques/T1561.002/mbr_raw_access/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3499f381-d325-4982-838b-7b8c007a7744 -date: '2025-08-12' -description: Automatically categorized datasets in directory mbr_raw_access -environment: attack_range -directory: mbr_raw_access -mitre_technique: -- T1561.002 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml b/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml index 4cad2f77d..667be8ddd 100644 --- a/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml +++ b/datasets/attack_techniques/T1561.002/mbr_raw_access/mbr_raw_access.yml @@ -3,9 +3,11 @@ id: 5d8ecae2-90ab-11ec-995c-acde48001122 date: '2022-02-18' description: Generated datasets for mbr raw access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html \ No newline at end of file +directory: mbr_raw_access +mitre_technique: +- T1561.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1561.002/mbr_raw_access/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml index d89d61135..25727b752 100644 --- a/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1562.001/atomic_red_team/atomic_red_team.yml @@ -18,20 +18,27 @@ description: 'Atomic Test Results: Return value unclear for test T1562.001-9 Unl Defender Evade Scanning -Extension Return value unclear for test T1562.001-23 Tamper with Windows Defender Evade Scanning -Process ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -- https://github.com/splunk/security-content/blob/develop/tests/T1562_001.yml +directory: atomic_red_team +mitre_technique: +- T1562.001 +datasets: +- name: hvci_windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon_raccine + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: Disable-WindowsOptionalFeature-powershell + path: /datasets/attack_techniques/T1562.001/atomic_red_team/Disable-WindowsOptionalFeature-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-sysmon_dism + path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml deleted file mode 100644 index 8e6fa7ed1..000000000 --- a/datasets/attack_techniques/T1562.001/atomic_red_team/data.yml +++ /dev/null @@ -1,29 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a10db232-4e8c-43b7-8101-5211d144404b -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1562.001 -datasets: -- name: hvci_windows-sysmon - path: /datasets/attack_techniques/T1562.001/atomic_red_team/hvci_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon_raccine - path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_raccine.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: Disable-WindowsOptionalFeature-powershell - path: /datasets/attack_techniques/T1562.001/atomic_red_team/Disable-WindowsOptionalFeature-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-sysmon_dism - path: /datasets/attack_techniques/T1562.001/atomic_red_team/windows-sysmon_dism.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml deleted file mode 100644 index 0a8e5d120..000000000 --- a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 372889f4-9c31-4d32-8345-fa82ff853935 -date: '2025-08-12' -description: Automatically categorized datasets in directory defender_exclusion_sysmon -environment: attack_range -directory: defender_exclusion_sysmon -mitre_technique: -- T1562.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml index 2c3b2bddf..62d100a74 100644 --- a/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml +++ b/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/defender_exclusion_sysmon.yml @@ -3,9 +3,11 @@ id: 4e425836-4de1-11ec-9b72-acde48001122 date: '2021-11-25' description: Generated datasets for defender exclusion sysmon in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/ \ No newline at end of file +directory: defender_exclusion_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml deleted file mode 100644 index 35be14752..000000000 --- a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dd350e59-696a-47f7-bca4-2d6033008b82 -date: '2025-08-12' -description: Automatically categorized datasets in directory delete_win_defender_context_menu -environment: attack_range -directory: delete_win_defender_context_menu -mitre_technique: -- T1562.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml index c70e7a9eb..e8d294c17 100644 --- a/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml +++ b/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/delete_win_defender_context_menu.yml @@ -3,9 +3,11 @@ id: d3a715a6-e64e-11ec-990a-acde48001122 date: '2022-06-07' description: Generated datasets for delete win defender context menu in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ \ No newline at end of file +directory: delete_win_defender_context_menu +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml deleted file mode 100644 index f00302be3..000000000 --- a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 19fd310f-7591-4da9-a4da-2310e3c9c1e6 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable-windows-security-defender-features -environment: attack_range -directory: disable-windows-security-defender-features -mitre_technique: -- T1562.001 -datasets: -- name: windefender-bypas-2-sysmon - path: /datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml index 49426d333..9d4bb8fbf 100644 --- a/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml +++ b/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/disable-windows-security-defender-features.yml @@ -3,10 +3,12 @@ id: b8954128-7be5-4e5a-94eb-66632e6c468c date: '2024-01-08' description: Generated datasets for disable-windows-security-defender-features in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://github.com/undergroundwires/privacy.sexy +environment: attack_range +directory: disable-windows-security-defender-features +mitre_technique: +- T1562.001 +datasets: +- name: windefender-bypas-2-sysmon + path: /datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml b/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml deleted file mode 100644 index c91b04853..000000000 --- a/datasets/attack_techniques/T1562.001/disable_defender_logging/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9824ee14-df2d-424f-8657-8eee1e19a063 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_defender_logging -environment: attack_range -directory: disable_defender_logging -mitre_technique: -- T1562.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml b/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml index d8e41589c..f4abeeba7 100644 --- a/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml +++ b/datasets/attack_techniques/T1562.001/disable_defender_logging/disable_defender_logging.yml @@ -3,9 +3,11 @@ id: 6833fabc-e646-11ec-995a-acde48001122 date: '2022-06-07' description: Generated datasets for disable defender logging in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/ \ No newline at end of file +directory: disable_defender_logging +mitre_technique: +- T1562.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1562.001/disable_defender_logging/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/disable_gpo/data.yml b/datasets/attack_techniques/T1562.001/disable_gpo/data.yml deleted file mode 100644 index 383f728f2..000000000 --- a/datasets/attack_techniques/T1562.001/disable_gpo/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7b84dcaf-feff-41f2-b51f-a3f51b250daf -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_gpo -environment: attack_range -directory: disable_gpo -mitre_technique: -- T1562.001 -datasets: -- name: windows-security-xml - path: /datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml b/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml index 5b5a0377f..eaf8c9f39 100644 --- a/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml +++ b/datasets/attack_techniques/T1562.001/disable_gpo/disable_gpo.yml @@ -1,11 +1,13 @@ author: Dean Luxton id: 4ac4ac49-6718-4cd8-8939-6dddead1fdf4 date: '2023-01-26' -description: Manually disabling group policy objects on a Domain Controller. +description: Manually disabling group policy objects on a Domain Controller. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1562/001 +directory: disable_gpo +mitre_technique: +- T1562.001 +datasets: +- name: windows-security-xml + path: /datasets/attack_techniques/T1562.001/disable_gpo/windows-security-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml deleted file mode 100644 index 30102dd88..000000000 --- a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bde29817-f9c2-47b4-be4b-a2478027dade -date: '2025-08-12' -description: Automatically categorized datasets in directory pwh_defender_disabling -environment: attack_range -directory: pwh_defender_disabling -mitre_technique: -- T1562.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml index ab4a29be9..ce39694a4 100644 --- a/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml +++ b/datasets/attack_techniques/T1562.001/pwh_defender_disabling/pwh_defender_disabling.yml @@ -3,10 +3,11 @@ id: cc9b2665-efc9-11eb-926b-550bf0943fbb date: '2021-07-05' description: Stopped win-defender application using powershell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: pwh_defender_disabling +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml deleted file mode 100644 index 122008b0c..000000000 --- a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 40be2ce2-01a0-4210-8733-2e0b9e466df5 -date: '2025-08-12' -description: Automatically categorized datasets in directory sc_service_start_disabled -environment: attack_range -directory: sc_service_start_disabled -mitre_technique: -- T1562.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml index 8b055f716..567050e08 100644 --- a/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml +++ b/datasets/attack_techniques/T1562.001/sc_service_start_disabled/sc_service_start_disabled.yml @@ -1,15 +1,16 @@ author: Michael Hart +id: 40be2ce2-01a0-4210-8733-2e0b9e466df5 date: '2020-06-23' -description: 'This dataset contains observed behaviors in one of our honeypots. - It appears that the malware used sc.exe to disable various services from - starting. The sheer volume and frequency of calls is excessive, something not - typically observed in the normal course of operation on windows.' +description: This dataset contains observed behaviors in one of our honeypots. It + appears that the malware used sc.exe to disable various services from starting. The + sheer volume and frequency of calls is excessive, something not typically observed + in the normal course of operation on windows. environment: attack_range -technique: +directory: sc_service_start_disabled +mitre_technique: - T1562.001 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log -references: -- https://attack.mitre.org/techniques/T1562/001 -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/sc_service_start_disabled/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml b/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml deleted file mode 100644 index b74eaf645..000000000 --- a/datasets/attack_techniques/T1562.001/unload_sysmon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a73e8662-76e0-4d8a-a3d6-e6037bc69355 -date: '2025-08-12' -description: Automatically categorized datasets in directory unload_sysmon -environment: attack_range -directory: unload_sysmon -mitre_technique: -- T1562.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml b/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml index 112dc6dab..6407fbbd1 100644 --- a/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml +++ b/datasets/attack_techniques/T1562.001/unload_sysmon/unload_sysmon.yml @@ -1,13 +1,14 @@ author: Bhavin Patel id: cc9b2664-efc9-11eb-926b-550bf0943fbb date: '2022-06-01' -description: 'Unload Sysmon Filter Driver - usage of process fltMC.exe to unload a Sysmon Driver that will stop sysmon from collecting the data.' +description: Unload Sysmon Filter Driver - usage of process fltMC.exe to unload a + Sysmon Driver that will stop sysmon from collecting the data. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -- https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver +directory: unload_sysmon +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/unload_sysmon/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml b/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml deleted file mode 100644 index c0c38520a..000000000 --- a/datasets/attack_techniques/T1562.001/win_defend_service_stop/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6a3f44cd-8ab1-4cb5-8a3d-439718002aa6 -date: '2025-08-12' -description: Automatically categorized datasets in directory win_defend_service_stop -environment: attack_range -directory: win_defend_service_stop -mitre_technique: -- T1562.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml b/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml index 517187fb1..2e10f256d 100644 --- a/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml +++ b/datasets/attack_techniques/T1562.001/win_defend_service_stop/win_defend_service_stop.yml @@ -3,16 +3,11 @@ id: cc9b2666-efc9-11eb-926b-550bf0943fbb date: '2020-11-06' description: Stopped windefend service with sc.exe stop windefend environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-system.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: win_defend_service_stop +mitre_technique: +- T1562.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml b/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml index a052de7de..1da3bebab 100644 --- a/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml +++ b/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering.yml @@ -1,16 +1,15 @@ author: Nasreddine Bencherchali, Splunk id: f853dd76-9ea6-4957-b3c0-c2ca2517c35c date: '2025-01-27' -description: This dataset contains Process Creation and policy change logs set logs from Windows Sysmon and Security, related to abuse of auditpol to change, remove and clear the audit policy. +description: This dataset contains Process Creation and policy change logs set logs + from Windows Sysmon and Security, related to abuse of auditpol to change, remove + and clear the audit policy. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_security.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -- 'XmlWinEventLog:Security' -references: -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-remove -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-set -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-clear -- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-resourcesacl +directory: auditpol_tampering +mitre_technique: +- T1562.002 +datasets: +- name: auditpol_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml b/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml deleted file mode 100644 index 9540a4bbf..000000000 --- a/datasets/attack_techniques/T1562.002/auditpol_tampering/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 729d6285-f78d-42ee-9d7f-d106ddfa2e8b -date: '2025-08-12' -description: Automatically categorized datasets in directory auditpol_tampering -environment: attack_range -directory: auditpol_tampering -mitre_technique: -- T1562.002 -datasets: -- name: auditpol_tampering_sysmon - path: /datasets/attack_techniques/T1562.002/auditpol_tampering/auditpol_tampering_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml deleted file mode 100644 index f1b2a2569..000000000 --- a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0be7f057-b844-48e3-a29f-75d356a113d6 -date: '2025-08-12' -description: Automatically categorized datasets in directory eventlog_sddl_tampering -environment: attack_range -directory: eventlog_sddl_tampering -mitre_technique: -- T1562.002 -datasets: -- name: eventlog_sddl_tampering_sysmon - path: /datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml index 3025dcf4b..38904a9e6 100644 --- a/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml +++ b/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: c3d46f0d-4223-437f-96e3-7ed9636198c7 date: '2024-12-06' -description: This dataset contains registry set logs from Windows Sysmon logs related to modification of the ChannelAccess and CustomSD registry values. +description: This dataset contains registry set logs from Windows Sysmon logs related + to modification of the ChannelAccess and CustomSD registry values. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy -- https://web.archive.org/web/20220710181255/https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness +directory: eventlog_sddl_tampering +mitre_technique: +- T1562.002 +datasets: +- name: eventlog_sddl_tampering_sysmon + path: /datasets/attack_techniques/T1562.002/eventlog_sddl_tampering/eventlog_sddl_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml index fdfa2fed3..a1840fdaf 100644 --- a/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1562.004/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,11 @@ id: cc9b261c-efc9-11eb-926b-550bf0943fbb date: '2020-11-23' description: atomic red team execution of technique T1562.004 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1562/004/ -- https://github.com/redcanaryco/atomic-red-team/blob/de05b1a73dc0edfe23d7c0b606744078496056cb/atomics/T1562.004/T1562.004.md +directory: atomic_red_team +mitre_technique: +- T1562.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml b/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml deleted file mode 100644 index fa0b444dd..000000000 --- a/datasets/attack_techniques/T1562.004/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8066fb51-6b8c-41ff-bb2b-44c281ea5ee4 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1562.004 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1562.004/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml deleted file mode 100644 index f6dd69b1c..000000000 --- a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5836d3ab-af99-4d0f-b581-2ba02f02218e -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_disable_firewall -environment: attack_range -directory: linux_auditd_disable_firewall -mitre_technique: -- T1562.004 -datasets: -- name: linux_auditd_disable_firewall - path: /datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml index 615caf46a..f4186e232 100644 --- a/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml +++ b/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml @@ -3,9 +3,11 @@ id: f7eb4f16-5a20-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd disable firewall in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_disable_firewall +mitre_technique: +- T1562.004 +datasets: +- name: linux_auditd_disable_firewall + path: /datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml deleted file mode 100644 index 193160065..000000000 --- a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/data.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0d4c92cc-7fdb-4be8-8d3f-4d534b0a63bb -date: '2025-08-12' -description: Automatically categorized datasets in directory njrat_add_firewall_rule -environment: attack_range -directory: njrat_add_firewall_rule -mitre_technique: -- T1562.004 -datasets: -- name: njrat_firewall_security - path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_security.log - sourcetype: firewall -- name: njrat_firewall_sysmon - path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml index 94d1a10dd..6952023c1 100644 --- a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml +++ b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml @@ -2,10 +2,15 @@ author: Teoderick Contreras, Splunk id: 5fd828a1-728d-4f17-adba-3e5e43ab290d date: '2023-12-12' description: Generated datasets for njrat add firewall rule in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.splunk.com/en_us/blog/security/more-than-just-a-rat-unveiling-njrat-s-mbr-wiping-capabilities.html +environment: attack_range +directory: njrat_add_firewall_rule +mitre_technique: +- T1562.004 +datasets: +- name: njrat_firewall_security + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_security.log + sourcetype: firewall +- name: njrat_firewall_sysmon + path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml deleted file mode 100644 index 665cc1a1f..000000000 --- a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8ede05b0-984b-4f03-b38c-cbe50cf3d099 -date: '2025-08-12' -description: Automatically categorized datasets in directory njrat_delete_firewall -environment: attack_range -directory: njrat_delete_firewall -mitre_technique: -- T1562.004 -datasets: -- name: njrat_delete_firewall - path: /datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log - sourcetype: firewall diff --git a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml index 1736e19b6..869c18cb9 100644 --- a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml +++ b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml @@ -2,10 +2,11 @@ author: Teoderick Contreras, Splunk id: dc0fb123-86a8-4fbc-a4aa-81ffc6346852 date: '2023-09-08' description: Generated datasets for njrat delete firewall in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat +environment: attack_range +directory: njrat_delete_firewall +mitre_technique: +- T1562.004 +datasets: +- name: njrat_delete_firewall + path: /datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log + sourcetype: firewall diff --git a/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml b/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml index 2e172fa5b..9bc03811d 100644 --- a/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml +++ b/datasets/attack_techniques/T1562.007/aws_create_acl/aws_create_acl.yml @@ -4,9 +4,15 @@ date: '2021-01-12' description: Dataset which contains cloudtrail logs and the creation of a acl with all ports open. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/007/ +directory: aws_create_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml b/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml deleted file mode 100644 index a521e5ca8..000000000 --- a/datasets/attack_techniques/T1562.007/aws_create_acl/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fbefb83d-e977-4caa-9393-fba61356307e -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_create_acl -environment: attack_range -directory: aws_create_acl -mitre_technique: -- T1562.007 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.007/aws_create_acl/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.007/aws_create_acl/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml b/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml index 5a4b6247e..e08c66731 100644 --- a/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml +++ b/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_delete_acl.yml @@ -3,9 +3,15 @@ id: cc9b2605-efc9-11eb-926b-550bf0943fbb date: '2021-01-12' description: Dataset which contains cloudtrail logs and the deletion of a acl rule. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/007/ +directory: aws_delete_acl +mitre_technique: +- T1562.007 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml b/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml deleted file mode 100644 index bc1d65040..000000000 --- a/datasets/attack_techniques/T1562.007/aws_delete_acl/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 046587da-976e-471a-9c3d-5b68b68c469a -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_delete_acl -environment: attack_range -directory: aws_delete_acl -mitre_technique: -- T1562.007 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.007/aws_delete_acl/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.007/aws_delete_acl/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml deleted file mode 100644 index 30bb2dd44..000000000 --- a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cb588559-62f1-482d-b539-1b6d40060ae9 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_bypass_mfa_via_trusted_ip -environment: attack_range -directory: o365_bypass_mfa_via_trusted_ip -mitre_technique: -- T1562.007 -datasets: -- name: o365_bypass_mfa_via_trusted_ip-json - path: /datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml index 880e52a41..c10a2d588 100644 --- a/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml +++ b/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.yml @@ -4,10 +4,11 @@ date: '2021-01-12' description: Dataset containing activity from O365 when IP addresses are added to Trusted IP list such that the attackers can bypass MFA environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json -sourcetypes: -- o365:management:activity -references: -- https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf -- https://attack.mitre.org/techniques/T1562/007/ +directory: o365_bypass_mfa_via_trusted_ip +mitre_technique: +- T1562.007 +datasets: +- name: o365_bypass_mfa_via_trusted_ip-json + path: /datasets/attack_techniques/T1562.007/o365_bypass_mfa_via_trusted_ip/o365_bypass_mfa_via_trusted_ip.json + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml b/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml index 9913d4e6c..08343aa59 100644 --- a/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml +++ b/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_delete_security_services.yml @@ -1,14 +1,18 @@ author: Bhavin Patel, Splunk id: 31c58b11-66d9-4dfb-a614-3843d111e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events with a deletes of AWS Services like CloudWatch, Guardduy, Web Application Firewalls. +description: Dataset which contains cloudtrail events with a deletes of AWS Services + like CloudWatch, Guardduy, Web Application Firewalls. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ \ No newline at end of file +directory: aws_delete_security_services +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml b/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml deleted file mode 100644 index 011f9d243..000000000 --- a/datasets/attack_techniques/T1562.008/aws_delete_security_services/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ad803cd5-2e1d-4105-b61e-5d0e3bb68e2c -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_delete_security_services -environment: attack_range -directory: aws_delete_security_services -mitre_technique: -- T1562.008 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.008/aws_delete_security_services/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml deleted file mode 100644 index 09cd03358..000000000 --- a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1fd4c241-885f-4059-8772-a91a30278e66 -date: '2025-08-12' -description: Automatically categorized datasets in directory delete_cloudwatch_log_group -environment: attack_range -directory: delete_cloudwatch_log_group -mitre_technique: -- T1562.008 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml index 9c5b0508a..7a2fa4d4a 100644 --- a/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml +++ b/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/delete_cloudwatch_log_group.yml @@ -1,14 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: 31c58bb8-66d9-4dfb-a614-3843d071e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events when a cloudwatch log group is deleted. +description: Dataset which contains cloudtrail events when a cloudwatch log group + is deleted. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: delete_cloudwatch_log_group +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/delete_cloudwatch_log_group/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml deleted file mode 100644 index 134e93c0e..000000000 --- a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f2810dc1-4d61-48fd-9a0d-1ee402d4b7fc -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_advanced_audit_disabled -environment: attack_range -directory: o365_advanced_audit_disabled -mitre_technique: -- T1562.008 -datasets: -- name: o365_advanced_audit_disabled - path: /datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml index 44960b787..b34a56142 100644 --- a/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml +++ b/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco, Splunk id: 77abf938-1722-4b41-82c1-996db1c5214f date: '2023-09-19' -description: 'Manually disabled advanced audit logging for one user in O365. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Offic3 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1562/008/ -- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf -- https://learn.microsoft.com/en-us/purview/audit-premium \ No newline at end of file +description: Manually disabled advanced audit logging for one user in O365. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: o365_advanced_audit_disabled +mitre_technique: +- T1562.008 +datasets: +- name: o365_advanced_audit_disabled + path: /datasets/attack_techniques/T1562.008/o365_advanced_audit_disabled/o365_advanced_audit_disabled.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml deleted file mode 100644 index f9bb388b9..000000000 --- a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6637182b-0d1c-4b24-a1bd-189963f05a62 -date: '2025-08-12' -description: Automatically categorized datasets in directory put_bucketlifecycle -environment: attack_range -directory: put_bucketlifecycle -mitre_technique: -- T1562.008 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml index 431208eba..0168c1aa9 100644 --- a/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml +++ b/datasets/attack_techniques/T1562.008/put_bucketlifecycle/put_bucketlifecycle.yml @@ -1,11 +1,18 @@ author: Bhavin Patel, Splunk id: 31c58bb8-66d9-4dfb-a614-3843d111e1c8 date: '2022-07-19' -description: Dataset which contains cloudtrail events with a new lifecycle rule on an S3 bucket +description: Dataset which contains cloudtrail events with a new lifecycle rule on + an S3 bucket environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1562/008/ \ No newline at end of file +directory: put_bucketlifecycle +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/put_bucketlifecycle/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml deleted file mode 100644 index 74a28ec5e..000000000 --- a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5e115b1d-75e1-47fd-a84d-11fccbe3ec4f -date: '2025-08-12' -description: Automatically categorized datasets in directory stop_delete_cloudtrail -environment: attack_range -directory: stop_delete_cloudtrail -mitre_technique: -- T1562.008 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail_2-json - path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json - sourcetype: aws:cloudtrail:lake - source: aws_asl -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml index 05b5d9c64..20d0a8d4f 100644 --- a/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml +++ b/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/stop_delete_cloudtrail.yml @@ -1,15 +1,22 @@ author: Bhavin Patel id: cc9b2603-efc9-11eb-926b-55ddf0dd3fbb date: '2022-07-12' -description: Dataset which contains cloudtrail events when a cloudtrail is stopped from logging. This attack was simulated using status red team. +description: Dataset which contains cloudtrail events when a cloudtrail is stopped + from logging. This attack was simulated using status red team. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: stop_delete_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail_2-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail_2.json + sourcetype: aws:cloudtrail:lake + source: aws_asl +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/stop_delete_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml b/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml deleted file mode 100644 index e7d47953e..000000000 --- a/datasets/attack_techniques/T1562.008/update_cloudtrail/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 14fe3de9-3546-43a2-920d-d50e11d6f8a3 -date: '2025-08-12' -description: Automatically categorized datasets in directory update_cloudtrail -environment: attack_range -directory: update_cloudtrail -mitre_technique: -- T1562.008 -datasets: -- name: aws_cloudtrail_events-json - path: /datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json - sourcetype: aws:cloudtrail - source: aws_cloudtrail -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml b/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml index 454e1da9a..a6fb034c4 100644 --- a/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml +++ b/datasets/attack_techniques/T1562.008/update_cloudtrail/update_cloudtrail.yml @@ -1,13 +1,18 @@ author: Gowthamaraj Rajendran, Splunk id: e95c46cb-7bd8-4824-a1da-3a559058dced date: '2022-07-19' -description: Dataset which contains cloudtrail events when a cloudwatch log group is updated. +description: Dataset which contains cloudtrail events when a cloudwatch log group + is updated. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1562/008/ +directory: update_cloudtrail +mitre_technique: +- T1562.008 +datasets: +- name: aws_cloudtrail_events-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/aws_cloudtrail_events.json + sourcetype: aws:cloudtrail + source: aws_cloudtrail +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1562.008/update_cloudtrail/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml index 80d830e74..55b15ee62 100644 --- a/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml +++ b/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml @@ -3,9 +3,11 @@ id: cb20a2e8-45d3-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for auditd daemon type in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log -sourcetypes: -- 'auditd' -references: -- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types \ No newline at end of file +directory: auditd_daemon_type +mitre_technique: +- T1562.012 +datasets: +- name: linux_auditd_daemon + path: /datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml deleted file mode 100644 index 07591c1c8..000000000 --- a/datasets/attack_techniques/T1562.012/auditd_daemon_type/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5d05a094-c1c3-47f9-a3a1-6727ed219352 -date: '2025-08-12' -description: Automatically categorized datasets in directory auditd_daemon_type -environment: attack_range -directory: auditd_daemon_type -mitre_technique: -- T1562.012 -datasets: -- name: linux_auditd_daemon - path: /datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml index 68fcdf3fa..0ab441ad9 100644 --- a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml +++ b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: de83d520-d6eb-44e9-a24e-8a863987ce8b date: '2023-10-26' -description: 'Used the PowerShell AzureAD Module to disable risk-based step-up consent within an Azure AD tenant' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log -sourcetypes: -- azure:monitor:aad \ No newline at end of file +description: Used the PowerShell AzureAD Module to disable risk-based step-up consent + within an Azure AD tenant +environment: attack_range +directory: azuread_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: azuread_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml b/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml deleted file mode 100644 index e0757d756..000000000 --- a/datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d69fb192-8868-41b2-b881-1f899b2f1c17 -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread_disable_blockconsent_for_riskapps -environment: attack_range -directory: azuread_disable_blockconsent_for_riskapps -mitre_technique: -- T1562 -datasets: -- name: azuread_disable_blockconsent_for_riskapps - path: /datasets/attack_techniques/T1562/azuread_disable_blockconsent_for_riskapps/azuread_disable_blockconsent_for_riskapps.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml deleted file mode 100644 index 97ba45f97..000000000 --- a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1a51e505-1ace-4c6f-88dd-d3f8fd48ca4b -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_disable_blockconsent_for_riskapps -environment: attack_range -directory: o365_disable_blockconsent_for_riskapps -mitre_technique: -- T1562 -datasets: -- name: o365_disable_blockconsent_for_riskapps - path: /datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml index 29c798724..bdcb7c8b5 100644 --- a/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml +++ b/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.yml @@ -1,9 +1,14 @@ author: Mauricio Velazco id: 31e03eb3-69a9-4072-990c-7e9e62866c20 date: '2023-10-26' -description: 'Used the PowerShell AzureAD Module to disable risk-based step-up consent within an O365 tenant' -environment: Office 365 tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log -sourcetypes: -- o365:management:activity \ No newline at end of file +description: Used the PowerShell AzureAD Module to disable risk-based step-up consent + within an O365 tenant +environment: attack_range +directory: o365_disable_blockconsent_for_riskapps +mitre_technique: +- T1562 +datasets: +- name: o365_disable_blockconsent_for_riskapps + path: /datasets/attack_techniques/T1562/o365_disable_blockconsent_for_riskapps/o365_disable_blockconsent_for_riskapps.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1563.002/rdphijack/data.yml b/datasets/attack_techniques/T1563.002/rdphijack/data.yml deleted file mode 100644 index 05a77aef9..000000000 --- a/datasets/attack_techniques/T1563.002/rdphijack/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6a010aa0-842d-4d3c-b0be-31953032cb17 -date: '2025-08-12' -description: Automatically categorized datasets in directory rdphijack -environment: attack_range -directory: rdphijack -mitre_technique: -- T1563.002 -datasets: -- name: tscon_windows-sysmon - path: /datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688_tscon_windows-security - path: /datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml b/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml index 0063f249f..3af0d1cfd 100644 --- a/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml +++ b/datasets/attack_techniques/T1563.002/rdphijack/rdphijack.yml @@ -1,14 +1,17 @@ author: Michael Haag id: 04cbf4da-19b8-44b6-a143-a7cfe4d7f6ec date: '2023-03-29' -description: 'Atomic Testing of RDP Hijacking' +description: Atomic Testing of RDP Hijacking environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1563.002/rdphijack/remoteconnectionmanager.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1563.002 \ No newline at end of file +directory: rdphijack +mitre_technique: +- T1563.002 +datasets: +- name: tscon_windows-sysmon + path: /datasets/attack_techniques/T1563.002/rdphijack/tscon_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688_tscon_windows-security + path: /datasets/attack_techniques/T1563.002/rdphijack/4688_tscon_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml deleted file mode 100644 index 697f3b729..000000000 --- a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 211cd784-64d5-4836-9141-34ab7ea6f3e1 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_hidden_file -environment: attack_range -directory: linux_auditd_hidden_file -mitre_technique: -- T1564.001 -datasets: -- name: linux_auditd_hidden_file - path: /datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml index b7a527335..518fb31ec 100644 --- a/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml +++ b/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml @@ -3,9 +3,11 @@ id: 765100c0-5a22-11ef-927e-acde48001122 date: '2024-08-14' description: Generated datasets for linux auditd hidden file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log -sourcetypes: -- 'linux:audit' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_hidden_file +mitre_technique: +- T1564.001 +datasets: +- name: linux_auditd_hidden_file + path: /datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml b/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml index 3ae3d7961..ef60fccb8 100644 --- a/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml +++ b/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse.yml @@ -1,16 +1,13 @@ -author: Steven Dick -id: e18714c0-ab84-44f6-9117-5531e3eb3a0c -date: '2023-10-30' -description: 'Detection of common behaviors used to abouse NTFS alternate datastreams.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Security -references: -- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -- https://car.mitre.org/analytics/CAR-2020-08-001/ -- https://blogs.juniper.net/en-us/threat-research/bitpaymer-ransomware-hides-behind-windows-alternate-data-streams -- https://blog.netwrix.com/2022/12/16/alternate_data_stream/ -- https://twitter.com/0xrawsec/status/1002478725605273600?s=21 \ No newline at end of file +author: Steven Dick +id: e18714c0-ab84-44f6-9117-5531e3eb3a0c +date: '2023-10-30' +description: Detection of common behaviors used to abouse NTFS alternate datastreams. +environment: attack_range +directory: ads_abuse +mitre_technique: +- T1564.004 +datasets: +- name: ads_abuse_sysmon + path: /datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1564.004/ads_abuse/data.yml b/datasets/attack_techniques/T1564.004/ads_abuse/data.yml deleted file mode 100644 index 66d6ce14b..000000000 --- a/datasets/attack_techniques/T1564.004/ads_abuse/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c9e7505f-824a-49b6-bc70-539050e33952 -date: '2025-08-12' -description: Automatically categorized datasets in directory ads_abuse -environment: attack_range -directory: ads_abuse -mitre_technique: -- T1564.004 -datasets: -- name: ads_abuse_sysmon - path: /datasets/attack_techniques/T1564.004/ads_abuse/ads_abuse_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1564.008/o365/data.yml b/datasets/attack_techniques/T1564.008/o365/o365.yml similarity index 60% rename from datasets/attack_techniques/T1564.008/o365/data.yml rename to datasets/attack_techniques/T1564.008/o365/o365.yml index ea199d6c1..a318aa98a 100644 --- a/datasets/attack_techniques/T1564.008/o365/data.yml +++ b/datasets/attack_techniques/T1564.008/o365/o365.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: d5c5cb0e-4e19-4935-acfc-55f2223673c1 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365 +author: 3237998318 +id: 54715c41-4283-44f7-a327-fbd230d83c60 +date: '2025-02-14' +description: Detection of suspicious mailbox rule creation. environment: attack_range directory: o365 mitre_technique: diff --git a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml b/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml deleted file mode 100644 index 424cd4c7e..000000000 --- a/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: 0xC0FFEEEE -id: 54715c41-4283-44f7-a327-fbd230d83c60 -date: '2025-02-14' -description: 'Detection of suspicious mailbox rule creation.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.008/o365/o365_suspicious_mailbox_rule.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1564/008/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml b/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml deleted file mode 100644 index 18ae20cb8..000000000 --- a/datasets/attack_techniques/T1564/sc_sdset_tampering/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 21faed17-8cd1-4fee-9043-31b5286bea9e -date: '2025-08-12' -description: Automatically categorized datasets in directory sc_sdset_tampering -environment: attack_range -directory: sc_sdset_tampering -mitre_technique: -- T1564 -datasets: -- name: sc_sdset_tampering_sysmon - path: /datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml b/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml index 7e62a79a8..307ae0c7e 100644 --- a/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml +++ b/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering.yml @@ -1,12 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: fa0426d9-d19e-4430-8aab-f4b8d04a30fb date: '2024-12-06' -description: This dataset contains process execution logs from Windows Sysmon logs related to execution of sc.exe with the sdset flag. +description: This dataset contains process execution logs from Windows Sysmon logs + related to execution of sc.exe with the sdset flag. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1564/T1564.md#atomic-test-4---create-and-hide-a-service-with-scexe -- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ +directory: sc_sdset_tampering +mitre_technique: +- T1564 +datasets: +- name: sc_sdset_tampering_sysmon + path: /datasets/attack_techniques/T1564/sc_sdset_tampering/sc_sdset_tampering_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml deleted file mode 100644 index ec33f2459..000000000 --- a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c56b4682-41dc-42f8-abb7-a8f5ce5c2e24 -date: '2025-08-12' -description: Automatically categorized datasets in directory gsuite_outbound_email_to_external -environment: attack_range -directory: gsuite_outbound_email_to_external -mitre_technique: -- T1566.001 -datasets: -- name: gsuite_external_domain - path: /datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log - sourcetype: gsuite:gmail:bigquery - source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml index fe3630b01..a9cef7a7b 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_outbound_email_to_external.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: ab768e85-64f9-42ea-be35-979ad9132d47 date: '2021-08-19' -description: 'Simulated test Gsuite Datasets for email having external domain outbound traffic' +description: Simulated test Gsuite Datasets for email having external domain outbound + traffic environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_outbound_email_to_external +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_external_domain + path: /datasets/attack_techniques/T1566.001/gsuite_outbound_email_to_external/gsuite_external_domain.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml deleted file mode 100644 index 95cadbda8..000000000 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bb71bda0-8f31-48e6-b6c7-626903bdcbac -date: '2025-08-12' -description: Automatically categorized datasets in directory gsuite_susp_attachment_ext -environment: attack_range -directory: gsuite_susp_attachment_ext -mitre_technique: -- T1566.001 -datasets: -- name: gsuite_gmail_file_ext - path: /datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log - sourcetype: gsuite:gmail:bigquery - source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml index 88dec3a31..0924a2327 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_susp_attachment_ext.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: 37c6214c-3b6d-44a8-b3d6-8cb45283ecc9 date: '2021-08-19' -description: 'Simulated test Gsuite Datasets for email having suspicious file extension attachment' +description: Simulated test Gsuite Datasets for email having suspicious file extension + attachment environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_attachment_ext +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_gmail_file_ext + path: /datasets/attack_techniques/T1566.001/gsuite_susp_attachment_ext/gsuite_gmail_file_ext.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml deleted file mode 100644 index adcd42078..000000000 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0647b470-d070-46ee-93d1-832ab83e1303 -date: '2025-08-12' -description: Automatically categorized datasets in directory gsuite_susp_subj -environment: attack_range -directory: gsuite_susp_subj -mitre_technique: -- T1566.001 -datasets: -- name: gsuite_susp_subj_attach - path: /datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log - sourcetype: gsuite:gmail:bigquery - source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml index e0a266dc8..d08c7a588 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: cdbf3681-65ec-4ebd-8992-257b26b5395b date: '2021-08-20' -description: 'Simulated test Gsuite Datasets for email having suspicious subject and attachment' +description: Simulated test Gsuite Datasets for email having suspicious subject and + attachment environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_subj +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_subj_attach + path: /datasets/attack_techniques/T1566.001/gsuite_susp_subj/gsuite_susp_subj_attach.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml deleted file mode 100644 index ee9bb4dfe..000000000 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_url/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f690652a-2387-4c92-80aa-dbaa453c2dd8 -date: '2025-08-12' -description: Automatically categorized datasets in directory gsuite_susp_url -environment: attack_range -directory: gsuite_susp_url -mitre_technique: -- T1566.001 -datasets: -- name: gsuite_susp_url - path: /datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log - sourcetype: gsuite:gmail:bigquery - source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml b/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml index a03b16b7a..d3bca06e2 100644 --- a/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml +++ b/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: 0ea6dc4a-b26d-4706-8c10-5d6fd485ba3a date: '2021-08-23' -description: 'Simulated test Gsuite Datasets for email having suspicious link' +description: Simulated test Gsuite Datasets for email having suspicious link environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log -sourcetypes: -- gsuite:gmail:bigquery \ No newline at end of file +directory: gsuite_susp_url +mitre_technique: +- T1566.001 +datasets: +- name: gsuite_susp_url + path: /datasets/attack_techniques/T1566.001/gsuite_susp_url/gsuite_susp_url.log + sourcetype: gsuite:gmail:bigquery + source: http:gsuite diff --git a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml deleted file mode 100644 index cb5b221fe..000000000 --- a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: dc075a3a-7e62-4b66-900a-d721c498f295 -date: '2025-08-12' -description: Automatically categorized datasets in directory office_doc_abuses_rels -environment: attack_range -directory: office_doc_abuses_rels -mitre_technique: -- T1566.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml index c1d46835c..df60ea27c 100644 --- a/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml +++ b/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/office_doc_abuses_rels.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 8b93f6a5-ae09-451e-a52a-4f60754d2b53 date: '2023-01-27' description: Generated datasets for office doc abuses rels in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: office_doc_abuses_rels +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/office_doc_abuses_rels/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml deleted file mode 100644 index 5d49281b6..000000000 --- a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5e2671e7-3e6d-41b8-8bf0-c69c2216a70b -date: '2025-08-12' -description: Automatically categorized datasets in directory onenote_spear_phishing -environment: attack_range -directory: onenote_spear_phishing -mitre_technique: -- T1566.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml index e1d90fa1d..87186e05a 100644 --- a/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml +++ b/datasets/attack_techniques/T1566.001/onenote_spear_phishing/onenote_spear_phishing.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: e44d12fd-c4ff-4d10-846b-23cb9b8cdffb date: '2023-01-24' description: Generated datasets for onenote spear phishing in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat +environment: attack_range +directory: onenote_spear_phishing +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/onenote_spear_phishing/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml deleted file mode 100644 index 9d1515908..000000000 --- a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 376de3c6-d9f5-440c-9784-a58e39d57368 -date: '2025-08-12' -description: Automatically categorized datasets in directory phishing_pdf_uri -environment: attack_range -directory: phishing_pdf_uri -mitre_technique: -- T1566.001 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml index 4a3604d7d..7a9ce3f14 100644 --- a/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml +++ b/datasets/attack_techniques/T1566.001/phishing_pdf_uri/phishing_pdf_uri.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 2145b2b6-3130-4f64-8781-c74973c87ce9 date: '2023-01-18' description: Generated datasets for phishing pdf uri in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1615382907446767616?s=20 +environment: attack_range +directory: phishing_pdf_uri +mitre_technique: +- T1566.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1566.001/phishing_pdf_uri/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml index 5f55eef14..b874a7a99 100644 --- a/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1566.002/atomic_red_team/atomic_red_team.yml @@ -4,15 +4,16 @@ date: '2020-08-13' description: Evilginx2 DNS activity captured by Stream. Custom attack_range config using DC to delegate DNS to evilginx2; web traffic proxied through the Splunk server which was running Stream and resolving DNS via DC. -environment: attack_range_evilginx2 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/attack_data_stream_dns.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/attack_data_network_resolution_dm.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- stream:dns -- WinEventLog:Security -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1566/002/ +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml deleted file mode 100644 index 68e1641f4..000000000 --- a/datasets/attack_techniques/T1566.002/atomic_red_team/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4020d6ef-6824-45ce-8aa7-7956c6e3a79c -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1566.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/attack_techniques/T1566.002/atomic_red_team/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml deleted file mode 100644 index e31708f0d..000000000 --- a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a6452d37-fec0-4c2a-9ef9-8c96afa0c1dc -date: '2025-08-12' -description: Automatically categorized datasets in directory lnk_file_temp_folder -environment: attack_range -directory: lnk_file_temp_folder -mitre_technique: -- T1566.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml index 8bc80af9c..2d328b27e 100644 --- a/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml +++ b/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/lnk_file_temp_folder.yml @@ -3,15 +3,11 @@ id: cc9b262a-efc9-11eb-926b-550bf0943fbb date: '2020-12-08' description: lnk file in temp folder environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1566/002/ +directory: lnk_file_temp_folder +mitre_technique: +- T1566.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1566.002/lnk_file_temp_folder/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml b/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml index 3baa5e626..e506cb7f1 100644 --- a/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml +++ b/datasets/attack_techniques/T1566/cve-2024-21378/cve-2024-21378.yml @@ -1,11 +1,13 @@ author: Michael Haag id: e18714c0-ab84-44f6-9117-5531e3eb3a0c date: '2024-03-20' -description: 'Data generaeted for CVE-2024-21378' +description: Data generaeted for CVE-2024-21378 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.netspi.com/blog/technical/red-team-operations/microsoft-outlook-remote-code-execution-cve-2024-21378/ \ No newline at end of file +directory: cve-2024-21378 +mitre_technique: +- T1566 +datasets: +- name: inprocserver32_windows-sysmon + path: /datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/cve-2024-21378/data.yml b/datasets/attack_techniques/T1566/cve-2024-21378/data.yml deleted file mode 100644 index 803db5df9..000000000 --- a/datasets/attack_techniques/T1566/cve-2024-21378/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0d4a9070-07f0-4f51-8913-65d07abbea48 -date: '2025-08-12' -description: Automatically categorized datasets in directory cve-2024-21378 -environment: attack_range -directory: cve-2024-21378 -mitre_technique: -- T1566 -datasets: -- name: inprocserver32_windows-sysmon - path: /datasets/attack_techniques/T1566/cve-2024-21378/inprocserver32_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/data.yml b/datasets/attack_techniques/T1566/o365_various_alerts/data.yml deleted file mode 100644 index 2f7f9e6c2..000000000 --- a/datasets/attack_techniques/T1566/o365_various_alerts/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f8381aee-343b-4a90-a256-d58e930ec897 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_various_alerts -environment: attack_range -directory: o365_various_alerts -mitre_technique: -- T1566 -datasets: -- name: o365_various_alerts - path: /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml index 54e68da3c..7df8a312d 100644 --- a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml +++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml @@ -1,18 +1,13 @@ -author: Steven Dick -id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 -date: '2024-4-6' -description: 'Various Office 365 built-in and premium security feature alerts.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1566 -- https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults -- https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp -- https://learn.microsoft.com/en-us/purview/alert-policies -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide -- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide \ No newline at end of file +author: Steven Dick +id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 +date: 2024-4-6 +description: Various Office 365 built-in and premium security feature alerts. +environment: attack_range +directory: o365_various_alerts +mitre_technique: +- T1566 +datasets: +- name: o365_various_alerts + path: /datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml b/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml deleted file mode 100644 index 816e562c1..000000000 --- a/datasets/attack_techniques/T1566/zscalar_web_proxy/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9e137269-cf8f-4a47-8db3-99fca7085c79 -date: '2025-08-12' -description: Automatically categorized datasets in directory zscalar_web_proxy -environment: attack_range -directory: zscalar_web_proxy -mitre_technique: -- T1566 -datasets: -- name: zscalar_web_proxy-json - path: /datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json - sourcetype: zscalernss-web - source: zscaler diff --git a/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml b/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml index b561d320d..0bbca90fd 100644 --- a/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml +++ b/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.yml @@ -1,11 +1,13 @@ author: Bhavin patel, Gowtham id: e18714c0-ab84-44f6-9117-5531e3eb3a0c date: '2024-03-12' -description: 'Synthentic Dataset generated for Zscaler detections for Blocked activities' +description: Synthentic Dataset generated for Zscaler detections for Blocked activities environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json -sourcetypes: -- zscalernss-web -references: -- https://help.zscaler.com/zia/nss-feed-output-format-web-logs \ No newline at end of file +directory: zscalar_web_proxy +mitre_technique: +- T1566 +datasets: +- name: zscalar_web_proxy-json + path: /datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json + sourcetype: zscalernss-web + source: zscaler diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml deleted file mode 100644 index 39311b675..000000000 --- a/datasets/attack_techniques/T1567/o365_sus_file_activity/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: eeaecc01-574e-4f4a-83e8-15b88f912187 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_sus_file_activity -environment: attack_range -directory: o365_sus_file_activity -mitre_technique: -- T1567 -datasets: -- name: o365_sus_file_activity - path: /datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml index a27cd3a17..fc3a9c772 100644 --- a/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml +++ b/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.yml @@ -1,13 +1,14 @@ -author: Steven Dick -id: a5b98f63-2116-4f7d-bd46-228872bc79f8 -date: '2025-01-28' -description: 'Sample of events when an actor attempts to exfiltrate data from sharepoint using various methods.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1567/exfil -- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data -- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/ \ No newline at end of file +author: Steven Dick +id: a5b98f63-2116-4f7d-bd46-228872bc79f8 +date: '2025-01-28' +description: Sample of events when an actor attempts to exfiltrate data from sharepoint + using various methods. +environment: attack_range +directory: o365_sus_file_activity +mitre_technique: +- T1567 +datasets: +- name: o365_sus_file_activity + path: /datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1567/web_upload_nginx/data.yml b/datasets/attack_techniques/T1567/web_upload_nginx/data.yml deleted file mode 100644 index 82218986b..000000000 --- a/datasets/attack_techniques/T1567/web_upload_nginx/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2d747d1c-9e53-402e-ac8f-03f422e9587d -date: '2025-08-12' -description: Automatically categorized datasets in directory web_upload_nginx -environment: attack_range -directory: web_upload_nginx -mitre_technique: -- T1567 -datasets: -- name: web_upload_nginx - path: /datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log - sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml index 78967e0fc..4f5323cd6 100644 --- a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml +++ b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml @@ -3,9 +3,10 @@ id: 15c6f211-a960-4f60-b111-bd2ae129ef7d date: '2023-02-21' description: Simulate Large Web upload with high bytes out environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log -sourcetypes: -- nginx:plus:kv -references: -- https://attack.mitre.org/techniques/T1567/ \ No newline at end of file +directory: web_upload_nginx +mitre_technique: +- T1567 +datasets: +- name: web_upload_nginx + path: /datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log + sourcetype: nginx:plus:access diff --git a/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml index 9480c6cd6..482591d54 100644 --- a/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1569.002/atomic_red_team/atomic_red_team.yml @@ -3,16 +3,12 @@ id: cc9b260a-efc9-11eb-926b-550bf0943fbb date: '2021-04-05' description: Adversaries may abuse the Windows SC.exe to execute malicious commands or payloads which is captured by Windows System logs. -environment: attack_range_evilginx2 -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/atomic_red_team/windows-system.log -sourcetypes: -- WinEventLog:System -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1569/002/ +environment: attack_range +directory: atomic_red_team +mitre_technique: +- T1569.002 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml deleted file mode 100644 index 150a9d75e..000000000 --- a/datasets/attack_techniques/T1569.002/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7bbef5a0-f455-41d2-8db9-2696c63c5fea -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1569.002 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1569.002/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/linux_service_start/data.yml b/datasets/attack_techniques/T1569.002/linux_service_start/data.yml deleted file mode 100644 index 8a0f09b6e..000000000 --- a/datasets/attack_techniques/T1569.002/linux_service_start/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 87321017-c5ed-4e41-843f-09026f46614d -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_service_start -environment: attack_range -directory: linux_service_start -mitre_technique: -- T1569.002 -datasets: -- name: auditd_proctitle_service_start - path: /datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml b/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml index c21c9a57a..0ecd3dea7 100644 --- a/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml +++ b/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml @@ -3,9 +3,11 @@ id: 4057fbfc-efa2-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux service start in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_service_start +mitre_technique: +- T1569.002 +datasets: +- name: auditd_proctitle_service_start + path: /datasets/attack_techniques/T1569.002/linux_service_start/auditd_proctitle_service_start.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1569.002/remcom/data.yml b/datasets/attack_techniques/T1569.002/remcom/data.yml deleted file mode 100644 index 6b962f405..000000000 --- a/datasets/attack_techniques/T1569.002/remcom/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7803414a-3d43-48e9-8c55-a869097d59be -date: '2025-08-12' -description: Automatically categorized datasets in directory remcom -environment: attack_range -directory: remcom -mitre_technique: -- T1569.002 -datasets: -- name: 4688_remcom_windows-security - path: /datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: remcom_windows-sysmon - path: /datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/remcom/remcom.yml b/datasets/attack_techniques/T1569.002/remcom/remcom.yml index 3b985d2aa..56e647679 100644 --- a/datasets/attack_techniques/T1569.002/remcom/remcom.yml +++ b/datasets/attack_techniques/T1569.002/remcom/remcom.yml @@ -1,13 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2023-03-20' -description: 'Atomic Testing of Remcom' +description: Atomic Testing of Remcom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1570 \ No newline at end of file +directory: remcom +mitre_technique: +- T1569.002 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1569.002/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1569.002/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml deleted file mode 100644 index 71f873a5d..000000000 --- a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fccb9484-f15b-4aef-a210-b1e398a93aa6 -date: '2025-08-12' -description: Automatically categorized datasets in directory scmanager_sddl_tamper -environment: attack_range -directory: scmanager_sddl_tamper -mitre_technique: -- T1569.002 -datasets: -- name: scmanager_sddl_tamper_sysmon - path: /datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml index 99d08312d..a9d538494 100644 --- a/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml +++ b/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper.yml @@ -1,11 +1,14 @@ author: Nasreddine Bencherchali, Splunk id: d25e417e-735f-46db-b1cb-8d6c5ea9bc6f date: '2024-12-06' -description: This dataset contains process execution logs from Windows Sysmon logs related to execution of sc.exe with the sdset flag. +description: This dataset contains process execution logs from Windows Sysmon logs + related to execution of sc.exe with the sdset flag. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://github.com/redcanaryco/atomic-red-team/blob/8ac5c4f84692b11ea2832d18d3dc6f1ce7fb4e41/atomics/T1569.002/T1569.002.md#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet +directory: scmanager_sddl_tamper +mitre_technique: +- T1569.002 +datasets: +- name: scmanager_sddl_tamper_sysmon + path: /datasets/attack_techniques/T1569.002/scmanager_sddl_tamper/scmanager_sddl_tamper_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1570/remcom/data.yml b/datasets/attack_techniques/T1570/remcom/data.yml deleted file mode 100644 index cc43fe872..000000000 --- a/datasets/attack_techniques/T1570/remcom/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 13439b43-e480-418b-8f2e-2ce59e5a4f4c -date: '2025-08-12' -description: Automatically categorized datasets in directory remcom -environment: attack_range -directory: remcom -mitre_technique: -- T1570 -datasets: -- name: 4688_remcom_windows-security - path: /datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: remcom_windows-sysmon - path: /datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1570/remcom/remcom.yml b/datasets/attack_techniques/T1570/remcom/remcom.yml index 14c348230..905d3588c 100644 --- a/datasets/attack_techniques/T1570/remcom/remcom.yml +++ b/datasets/attack_techniques/T1570/remcom/remcom.yml @@ -1,13 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2023-03-20' -description: 'Atomic Testing of Remcom' +description: Atomic Testing of Remcom environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1570 \ No newline at end of file +directory: remcom +mitre_technique: +- T1570 +datasets: +- name: 4688_remcom_windows-security + path: /datasets/attack_techniques/T1570/remcom/4688_remcom_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: remcom_windows-sysmon + path: /datasets/attack_techniques/T1570/remcom/remcom_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml b/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml index 1dde9b20d..cd1ddfd9b 100644 --- a/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml +++ b/datasets/attack_techniques/T1572/cobalt_strike/cobalt_strike.yml @@ -5,14 +5,11 @@ description: DNS Beaconing using Cobalt Strike 4.2. Activity was generated using Range and Kali Linux. DNS Beaconing was performed using TXT and A records using the domain - getbobspizza.com. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/stream_events_zeek.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/streams_dns.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log -sourcetypes: -- bro:dns:json -- stream:dns -- suricata -references: -- https://attack.mitre.org/techniques/T1572 -- https://cobaltstrike.com/help-dns-beacon +directory: cobalt_strike +mitre_technique: +- T1572 +datasets: +- name: suricata_events + path: /datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log + sourcetype: suricata + source: suricata diff --git a/datasets/attack_techniques/T1572/cobalt_strike/data.yml b/datasets/attack_techniques/T1572/cobalt_strike/data.yml deleted file mode 100644 index 9563bc1a1..000000000 --- a/datasets/attack_techniques/T1572/cobalt_strike/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1149f3ef-73bb-4c41-91e0-4a280b7ea6df -date: '2025-08-12' -description: Automatically categorized datasets in directory cobalt_strike -environment: attack_range -directory: cobalt_strike -mitre_technique: -- T1572 -datasets: -- name: suricata_events - path: /datasets/attack_techniques/T1572/cobalt_strike/suricata_events.log - sourcetype: suricata - source: suricata diff --git a/datasets/attack_techniques/T1572/ngrok/data.yml b/datasets/attack_techniques/T1572/ngrok/data.yml deleted file mode 100644 index e943896a8..000000000 --- a/datasets/attack_techniques/T1572/ngrok/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 80a0bbee-e39f-40f2-ac4b-d92c0c2f7d65 -date: '2025-08-12' -description: Automatically categorized datasets in directory ngrok -environment: attack_range -directory: ngrok -mitre_technique: -- T1572 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1572/ngrok/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/ngrok/ngrok.yml b/datasets/attack_techniques/T1572/ngrok/ngrok.yml index bba57ec37..366a98964 100644 --- a/datasets/attack_techniques/T1572/ngrok/ngrok.yml +++ b/datasets/attack_techniques/T1572/ngrok/ngrok.yml @@ -3,12 +3,11 @@ id: 24608f3f-bc86-43e1-ab46-4625f94a6cdf date: '2022-11-16' description: ngrok.exe execution on windows. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ngrok/ngrok_linux-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1572 -- https://ngrok.com \ No newline at end of file +directory: ngrok +mitre_technique: +- T1572 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/ngrok/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1572/plink/data.yml b/datasets/attack_techniques/T1572/plink/data.yml deleted file mode 100644 index 712198738..000000000 --- a/datasets/attack_techniques/T1572/plink/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bde63a27-d046-475c-b7fa-463e11a7a5b1 -date: '2025-08-12' -description: Automatically categorized datasets in directory plink -environment: attack_range -directory: plink -mitre_technique: -- T1572 -datasets: -- name: plink-windows-sysmon - path: /datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1572/plink/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4688-windows-security - path: /datasets/attack_techniques/T1572/plink/4688-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1572/plink/plink.yml b/datasets/attack_techniques/T1572/plink/plink.yml index 431c583c0..e83aea6d4 100644 --- a/datasets/attack_techniques/T1572/plink/plink.yml +++ b/datasets/attack_techniques/T1572/plink/plink.yml @@ -3,12 +3,19 @@ id: cc9b2667-efc9-11eb-926b-660bf0943fbb date: '2021-11-15' description: Simulation of plink activity. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/4688-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1572 +directory: plink +mitre_technique: +- T1572 +datasets: +- name: plink-windows-sysmon + path: /datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1572/plink/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4688-windows-security + path: /datasets/attack_techniques/T1572/plink/4688-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml deleted file mode 100644 index f2e5d4675..000000000 --- a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: cc9b2667-efc9-11eb-926b-660bf0943fbb -date: '2021-11-15' -description: Simulation of plink activity. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1572 diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/data.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml similarity index 63% rename from datasets/attack_techniques/T1572/ssh_proxy_command/data.yml rename to datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml index 49bb6a282..88ec55b02 100644 --- a/datasets/attack_techniques/T1572/ssh_proxy_command/data.yml +++ b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh_proxy_command.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: fd427487-e339-4b24-bd79-8fb585beb8c0 -date: '2025-08-12' -description: Automatically categorized datasets in directory ssh_proxy_command +author: Michael Haag +id: cc9b2667-efc9-11eb-926b-660bf0943fbb +date: '2021-11-15' +description: Simulation of plink activity. environment: attack_range directory: ssh_proxy_command mitre_technique: diff --git a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml index 6fa93260e..0b2bc6683 100644 --- a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml @@ -3,9 +3,11 @@ id: cc9bv5d6-wfc9-11eb-926b-550bf0943faz date: '2022-08-18' description: 'Atomic Test Results: Successful Execution of test T1574.001' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/001/ \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1574.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml b/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml deleted file mode 100644 index 18c2bbfaf..000000000 --- a/datasets/attack_techniques/T1574.001/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 339befb8-64be-472f-b84a-86f27d399116 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1574.001 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1574.001/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/iscsicpl/data.yml b/datasets/attack_techniques/T1574.001/iscsicpl/data.yml deleted file mode 100644 index fa1ab3e1e..000000000 --- a/datasets/attack_techniques/T1574.001/iscsicpl/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e7346b8b-c764-4fa8-af96-b3fe37fb514b -date: '2025-08-12' -description: Automatically categorized datasets in directory iscsicpl -environment: attack_range -directory: iscsicpl -mitre_technique: -- T1574.001 -datasets: -- name: iscsicpl-windows-sysmon - path: /datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml b/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml index cdaa454d1..6e243298f 100644 --- a/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml +++ b/datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl.yml @@ -1,13 +1,13 @@ author: Michael Haag id: aa9b2664-efc9-11eb-926b-550bfe94334b date: '2020-12-08' -description: 'This behavior is related to the POC for iscsicpl.exe.' +description: This behavior is related to the POC for iscsicpl.exe. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/iscsicpl/iscsi-windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/001 -- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC -- https://github.com/422926799/csplugin/tree/master/bypassUAC +directory: iscsicpl +mitre_technique: +- T1574.001 +datasets: +- name: iscsicpl-windows-sysmon + path: /datasets/attack_techniques/T1574.001/iscsicpl/iscsicpl-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/hijacklibs/data.yml b/datasets/attack_techniques/T1574.002/hijacklibs/data.yml deleted file mode 100644 index 9dfc55208..000000000 --- a/datasets/attack_techniques/T1574.002/hijacklibs/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 16951ab8-44c0-4e6f-b097-f35c6aa4050b -date: '2025-08-12' -description: Automatically categorized datasets in directory hijacklibs -environment: attack_range -directory: hijacklibs -mitre_technique: -- T1574.002 -datasets: -- name: hijacklibs_sysmon - path: /datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml b/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml index 4e94bdd5f..f00c221a8 100644 --- a/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml +++ b/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs.yml @@ -1,14 +1,14 @@ -author: Steven Dick -id: 9c084d2d-ab99-4bda-875f-cf565afee2fe -date: '2024-2-19' -description: 'Detection of suspicious usage of DLLs commonly used in sideloading and search order hijacking.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/002/ -- https://hijacklibs.net/api/ -- https://wietze.github.io/blog/hijacking-dlls-in-windows -- https://github.com/olafhartong/sysmon-modular/pull/195/files \ No newline at end of file +author: Steven Dick +id: 9c084d2d-ab99-4bda-875f-cf565afee2fe +date: 2024-2-19 +description: Detection of suspicious usage of DLLs commonly used in sideloading and + search order hijacking. +environment: attack_range +directory: hijacklibs +mitre_technique: +- T1574.002 +datasets: +- name: hijacklibs_sysmon + path: /datasets/attack_techniques/T1574.002/hijacklibs/hijacklibs_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/msi_module_load/data.yml b/datasets/attack_techniques/T1574.002/msi_module_load/data.yml deleted file mode 100644 index a5cff34ef..000000000 --- a/datasets/attack_techniques/T1574.002/msi_module_load/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e25838e0-474c-4968-88d5-3ad214e22404 -date: '2025-08-12' -description: Automatically categorized datasets in directory msi_module_load -environment: attack_range -directory: msi_module_load -mitre_technique: -- T1574.002 -datasets: -- name: windows-sysmon2 - path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml b/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml index d7693f4fd..85ca3b435 100644 --- a/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml +++ b/datasets/attack_techniques/T1574.002/msi_module_load/msi_module_load.yml @@ -1,12 +1,17 @@ author: Michael Haag id: cc9b2664-efc9-11eb-926b-550bf094334b date: '2020-12-08' -description: 'This behavior is related to the POC for InstallerFileTakeOver.' +description: This behavior is related to the POC for InstallerFileTakeOver. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1574/002 -- https://github.com/klinix5/InstallerFileTakeOver/tree/main/InstallerFileTakeOver \ No newline at end of file +directory: msi_module_load +mitre_technique: +- T1574.002 +datasets: +- name: windows-sysmon2 + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.002/msi_module_load/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/wineloader/data.yml b/datasets/attack_techniques/T1574.002/wineloader/data.yml deleted file mode 100644 index 40cd153cc..000000000 --- a/datasets/attack_techniques/T1574.002/wineloader/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c73f0cf4-0bd3-4cd7-b4de-918f716e4082 -date: '2025-08-12' -description: Automatically categorized datasets in directory wineloader -environment: attack_range -directory: wineloader -mitre_technique: -- T1574.002 -datasets: -- name: sqlwriter_sqldumper_sideload_windows-sysmon - path: /datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml b/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml index 6492f0c5c..9b41ccca7 100644 --- a/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml +++ b/datasets/attack_techniques/T1574.002/wineloader/wineloader.yml @@ -2,11 +2,12 @@ author: Michael Haag, Teoderick Contreras, Splunk id: cd06d28d-f107-434f-ba16-c7e0729aaa19 date: '2023-12-18' description: Generated datasets for loaded modules in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties -- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader +environment: attack_range +directory: wineloader +mitre_technique: +- T1574.002 +datasets: +- name: sqlwriter_sqldumper_sideload_windows-sysmon + path: /datasets/attack_techniques/T1574.002/wineloader/sqlwriter_sqldumper_sideload_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/lib_hijack/data.yml b/datasets/attack_techniques/T1574.006/lib_hijack/data.yml deleted file mode 100644 index 4814c73bc..000000000 --- a/datasets/attack_techniques/T1574.006/lib_hijack/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2fa58667-88ed-4a19-87ec-7d3d78a4b6ba -date: '2025-08-12' -description: Automatically categorized datasets in directory lib_hijack -environment: attack_range -directory: lib_hijack -mitre_technique: -- T1574.006 -datasets: -- name: sysmon_linux - path: /datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml b/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml index 10854f2a2..69bdf20b3 100644 --- a/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml +++ b/datasets/attack_techniques/T1574.006/lib_hijack/lib_hijack.yml @@ -3,9 +3,11 @@ id: 52fa6e8a-632c-11ec-9174-acde48001122 date: '2021-12-22' description: Generated datasets for lib hijack in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 \ No newline at end of file +directory: lib_hijack +mitre_technique: +- T1574.006 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1574.006/lib_hijack/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml deleted file mode 100644 index 9138e5e89..000000000 --- a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 137ad8d3-d4b0-419d-814a-578bd4a9b268 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_ldpreload -environment: attack_range -directory: linux_auditd_ldpreload -mitre_technique: -- T1574.006 -datasets: -- name: auditd_execve_ldpreload - path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log - sourcetype: auditd - source: auditd -- name: linux_auditd_ldpreload - path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml index cd0945250..b73148181 100644 --- a/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml +++ b/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.yml @@ -3,9 +3,15 @@ id: 1bcc82b0-ef9f-11ef-b72e-629be3538068 date: '2025-02-20' description: Generated datasets for linux auditd ldpreload in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log -sourcetypes: -- 'auditd' -references: -- https://compilepeace.medium.com/memory-malware-part-0x2-writing-userland-rootkits-via-ld-preload-30121c8343d5 \ No newline at end of file +directory: linux_auditd_ldpreload +mitre_technique: +- T1574.006 +datasets: +- name: auditd_execve_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/auditd_execve_ldpreload.log + sourcetype: auditd + source: auditd +- name: linux_auditd_ldpreload + path: /datasets/attack_techniques/T1574.006/linux_auditd_ldpreload/linux_auditd_ldpreload.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml deleted file mode 100644 index dc1df8546..000000000 --- a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 7e24977d-0de1-43f7-9ad1-4a94c27e3030 -date: '2025-08-12' -description: Automatically categorized datasets in directory linux_auditd_preload_file -environment: attack_range -directory: linux_auditd_preload_file -mitre_technique: -- T1574.006 -datasets: -- name: linux_auditd_preload_file - path: /datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log - sourcetype: auditd - source: auditd diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml index 64eb324fe..141d48687 100644 --- a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml +++ b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml @@ -3,9 +3,11 @@ id: 9e682288-45d5-11f0-9bec-629be3538068 date: '2025-06-10' description: Generated datasets for linux auditd preload file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log -sourcetypes: -- 'auditd' -references: -- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html \ No newline at end of file +directory: linux_auditd_preload_file +mitre_technique: +- T1574.006 +datasets: +- name: linux_auditd_preload_file + path: /datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log + sourcetype: auditd + source: auditd diff --git a/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml index 7ca386dac..2e05b2749 100644 --- a/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1574.009/atomic_red_team/atomic_red_team.yml @@ -4,17 +4,11 @@ date: '2020-10-09' description: 'Atomic Test Results: Successful Execution of test T1574.009-1 Execution of program.exe as service with unquoted service path ' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.009/atomic_red_team/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1574/009/ -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md -- https://github.com/splunk/security-content/blob/develop/tests/T1574_009.yml +directory: atomic_red_team +mitre_technique: +- T1574.009 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml b/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml deleted file mode 100644 index 67f4dcbbe..000000000 --- a/datasets/attack_techniques/T1574.009/atomic_red_team/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c42d4802-1849-4769-9c9f-e4a692835909 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1574.009 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1574.009/atomic_red_team/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml b/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml index 7f7d4529e..4937e9870 100644 --- a/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml +++ b/datasets/attack_techniques/T1574.011/change_registry_path_service/change_registry_path_service.yml @@ -3,15 +3,11 @@ id: cc9b262b-efc9-11eb-926b-550bf0943fbb date: '2020-11-26' description: change serice ImagePath with reg.exe environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.011/change_registry_path_service/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:System -- WinEventLog:Security -references: -- https://attack.mitre.org/techniques/T1574/011/ +directory: change_registry_path_service +mitre_technique: +- T1574.011 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml b/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml deleted file mode 100644 index b5395f85f..000000000 --- a/datasets/attack_techniques/T1574.011/change_registry_path_service/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 258a7559-c06b-430c-b66b-e0d6aa73188d -date: '2025-08-12' -description: Automatically categorized datasets in directory change_registry_path_service -environment: attack_range -directory: change_registry_path_service -mitre_technique: -- T1574.011 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1574.011/change_registry_path_service/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml index 9c7636cf9..888360127 100644 --- a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml +++ b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.yml @@ -3,9 +3,11 @@ id: cc9b262b-efc9-22eb-922b-550bf2943fbb date: '2024-02-21' description: Contains dataset for AWS security group changes environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json -sourcetypes: -- aws:cloudtrail -references: -- https://attack.mitre.org/techniques/T1578/005/ \ No newline at end of file +directory: aws_authorize_security_group +mitre_technique: +- T1578.005 +datasets: +- name: aws_authorize_security_group-json + path: /datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json + sourcetype: linux_secure + source: linux_secure diff --git a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml b/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml deleted file mode 100644 index d0934616b..000000000 --- a/datasets/attack_techniques/T1578.005/aws_authorize_security_group/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 865ea0a0-f890-4e58-a4dd-24aeb07e4ff9 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_authorize_security_group -environment: attack_range -directory: aws_authorize_security_group -mitre_technique: -- T1578.005 -datasets: -- name: aws_authorize_security_group-json - path: /datasets/attack_techniques/T1578.005/aws_authorize_security_group/aws_authorize_security_group.json - sourcetype: linux_secure - source: linux_secure diff --git a/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml b/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml deleted file mode 100644 index 538cd49e4..000000000 --- a/datasets/attack_techniques/T1586.003/okta_multiple_city/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 3b221d0b-cf5b-43e8-b354-05b9f6210f9e -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_multiple_city -environment: attack_range -directory: okta_multiple_city -mitre_technique: -- T1586.003 -datasets: -- name: okta_multiple_city_im2 - path: /datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml b/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml index 81721dfdf..ade166ff1 100644 --- a/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml +++ b/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city.yml @@ -1,11 +1,14 @@ author: Bhavin Patel id: cc922674-efc9-11eb-926b-550bf0943f33 date: '2024-03-07' -description: This dataset is synthetically generated using by simulating events in a lab -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.json -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1586.003 +description: This dataset is synthetically generated using by simulating events in + a lab +environment: attack_range +directory: okta_multiple_city +mitre_technique: +- T1586.003 +datasets: +- name: okta_multiple_city_im2 + path: /datasets/attack_techniques/T1586.003/okta_multiple_city/okta_multiple_city_im2.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1587.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml similarity index 62% rename from datasets/attack_techniques/T1587.002/atomic_red_team/data.yml rename to datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml index ce0daa4b5..669a90633 100644 --- a/datasets/attack_techniques/T1587.002/atomic_red_team/data.yml +++ b/datasets/attack_techniques/T1587.002/atomic_red_team/atomic_red_team.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: e6475497-6ba2-46d8-8a73-bf0d3b650f21 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team +author: Michael Haag +id: cc9b2634-efc9-11eb-834c-550bf09133cb +date: '2022-03-31' +description: This behavior is related to a root certificate being added to the CurrentUser + store. environment: attack_range directory: atomic_red_team mitre_technique: diff --git a/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml b/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml deleted file mode 100644 index 5b140ba62..000000000 --- a/datasets/attack_techniques/T1587.002/atomic_red_team/certificates.yml +++ /dev/null @@ -1,11 +0,0 @@ -author: Michael Haag -id: cc9b2634-efc9-11eb-834c-550bf09133cb -date: '2022-03-31' -description: 'This behavior is related to a root certificate being added to the CurrentUser store.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.002/atomic_red_team/certblob_windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec \ No newline at end of file diff --git a/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml b/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml deleted file mode 100644 index cbffec874..000000000 --- a/datasets/attack_techniques/T1588.002/atomic_red_team/advancedrun.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Michael Haag -id: cc9b2664-efc9-11eb-834c-550bf094334b -date: '2021-01-24' -description: 'This behavior is related to the advancedrun.exe.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1588.002/atomic_red_team/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1588/002 -- http://www.nirsoft.net/utils/advanced_run.html -- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ \ No newline at end of file diff --git a/datasets/attack_techniques/T1588.002/atomic_red_team/data.yml b/datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml similarity index 61% rename from datasets/attack_techniques/T1588.002/atomic_red_team/data.yml rename to datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml index bcf0ec9d9..57342b6b5 100644 --- a/datasets/attack_techniques/T1588.002/atomic_red_team/data.yml +++ b/datasets/attack_techniques/T1588.002/atomic_red_team/atomic_red_team.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: 43d74648-ed9a-40b8-b9d7-7cc63c5c1c07 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team +author: Michael Haag +id: cc9b2664-efc9-11eb-834c-550bf094334b +date: '2021-01-24' +description: This behavior is related to the advancedrun.exe. environment: attack_range directory: atomic_red_team mitre_technique: diff --git a/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml b/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml deleted file mode 100644 index 64fec00ce..000000000 --- a/datasets/attack_techniques/T1590.002/enum_dns_record/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8c5890b6-344a-4942-8eff-2201f0ef8000 -date: '2025-08-12' -description: Automatically categorized datasets in directory enum_dns_record -environment: attack_range -directory: enum_dns_record -mitre_technique: -- T1590.002 -datasets: -- name: sysmon - path: /datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml b/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml index 624ca554e..b2502c2d5 100644 --- a/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml +++ b/datasets/attack_techniques/T1590.002/enum_dns_record/enum_dns_record.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: ed9a4df5-515e-49f3-9068-23b87f389fe9 date: '2023-04-11' description: Generated datasets for enum dns record in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://cert.gov.ua/article/3718487 +environment: attack_range +directory: enum_dns_record +mitre_technique: +- T1590.002 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1590.002/enum_dns_record/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml b/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml index a10e26f07..ce3dabd95 100644 --- a/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml +++ b/datasets/attack_techniques/T1595/attacker_scan_tools/attacker_scan_tools.yml @@ -3,11 +3,16 @@ id: cc9b260b-efc9-11eb-926b-550bf0943fbb date: '2021-06-25' description: This dataset contains execution of commonly used attacker tool found in HoneyPot for XMRig, specifically- MassScan_GUI.exe and masscan.exe -environment: attack_range_honeypot -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1595 +environment: attack_range +directory: attacker_scan_tools +mitre_technique: +- T1595 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml b/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml deleted file mode 100644 index e26fdf77b..000000000 --- a/datasets/attack_techniques/T1595/attacker_scan_tools/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0af0637f-a100-4d96-ad8a-42f96cad1dcb -date: '2025-08-12' -description: Automatically categorized datasets in directory attacker_scan_tools -environment: attack_range -directory: attacker_scan_tools -mitre_technique: -- T1595 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/attack_techniques/T1595/attacker_scan_tools/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml b/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml deleted file mode 100644 index 57e2dc618..000000000 --- a/datasets/attack_techniques/T1595/sysmon_scanning_events/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d853ffcb-a638-4cd5-bbaa-ddf17f0b4bd8 -date: '2025-08-12' -description: Automatically categorized datasets in directory sysmon_scanning_events -environment: attack_range -directory: sysmon_scanning_events -mitre_technique: -- T1595 -datasets: -- name: sysmon_scanning_events - path: /datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml b/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml index 182bb41e9..72a995789 100644 --- a/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml +++ b/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.yml @@ -1,11 +1,13 @@ -author: Steven Dick -id: 981a2657-3ed0-46e9-b9f4-8a59a6442cb3 -date: '2024-12-26' -description: 'A set of events related generic powershell/sysmon network enumeration.' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1595 \ No newline at end of file +author: Steven Dick +id: 981a2657-3ed0-46e9-b9f4-8a59a6442cb3 +date: '2024-12-26' +description: A set of events related generic powershell/sysmon network enumeration. +environment: attack_range +directory: sysmon_scanning_events +mitre_technique: +- T1595 +datasets: +- name: sysmon_scanning_events + path: /datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1598.002/rdp/data.yml b/datasets/attack_techniques/T1598.002/rdp/data.yml deleted file mode 100644 index 6e424b903..000000000 --- a/datasets/attack_techniques/T1598.002/rdp/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 5d19d164-ecdc-4095-9e23-5dacf819915f -date: '2025-08-12' -description: Automatically categorized datasets in directory rdp -environment: attack_range -directory: rdp -mitre_technique: -- T1598.002 -datasets: -- name: mstsc_rdpfile-windows-sysmon - path: /datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1598.002/rdp/rdp.yml b/datasets/attack_techniques/T1598.002/rdp/rdp.yml index 850941da8..cc4933139 100644 --- a/datasets/attack_techniques/T1598.002/rdp/rdp.yml +++ b/datasets/attack_techniques/T1598.002/rdp/rdp.yml @@ -3,9 +3,11 @@ id: 119b260b-efc9-11eb-926b-550bf3943f2b date: '2024-11-25' description: This dataset contains RDP file execution events from Windows Sysmon logs. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log -sourcetypes: -- xmlwineventlog -references: -- https://attack.mitre.org/techniques/T1598/002 \ No newline at end of file +directory: rdp +mitre_technique: +- T1598.002 +datasets: +- name: mstsc_rdpfile-windows-sysmon + path: /datasets/attack_techniques/T1598.002/rdp/mstsc_rdpfile-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml b/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml index a3d2c0067..2a0b5ac2a 100644 --- a/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml +++ b/datasets/attack_techniques/T1620/common_language_runtim_loaded/common_language_runtim_loaded.yml @@ -1,13 +1,14 @@ author: Mauricio Velazco id: 67f59d0d-34e2-4a9a-9829-2198e4826e07 date: '2023-02-23' -description: Manually using Nimplant to execute Rubeus using the execute-assembly function. +description: Manually using Nimplant to execute Rubeus using the execute-assembly + function. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1620/ -- https://www.cobaltstrike.com/blog/cobalt-strike-3-11-the-snake-that-eats-its-tail/ -- https://github.com/chvancooten/NimPlant +directory: common_language_runtim_loaded +mitre_technique: +- T1620 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml b/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml deleted file mode 100644 index f77664de5..000000000 --- a/datasets/attack_techniques/T1620/common_language_runtim_loaded/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 97f3e434-cbe2-48b6-bdb7-2f7ab63fd14a -date: '2025-08-12' -description: Automatically categorized datasets in directory common_language_runtim_loaded -environment: attack_range -directory: common_language_runtim_loaded -mitre_technique: -- T1620 -datasets: -- name: windows-sysmon - path: /datasets/attack_techniques/T1620/common_language_runtim_loaded/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml b/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml index 4fa8c0d11..4723b4554 100644 --- a/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml +++ b/datasets/attack_techniques/T1621/aws_mfa_disabled/aws_mfa_disabled.yml @@ -1,14 +1,14 @@ author: Bhavin Patel id: 1c9b1174-efc9-11eb-111b-550bf0943fbb date: '2022-10-03' -description: This dataset contains an cloudtrail events of disabling and deactivating MFA challenge. -environment: NA -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/cloudtrail.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/amazon_security_lake.json -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json -sourcetypes: -- aws:cloudtrail -- aws:asl -references: -- https://attack.mitre.org/techniques/T1621 +description: This dataset contains an cloudtrail events of disabling and deactivating + MFA challenge. +environment: attack_range +directory: aws_mfa_disabled +mitre_technique: +- T1621 +datasets: +- name: asl_ocsf_cloudtrail-json + path: /datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json + sourcetype: aws:cloudtrail:lake + source: aws_asl diff --git a/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml b/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml deleted file mode 100644 index c719926b5..000000000 --- a/datasets/attack_techniques/T1621/aws_mfa_disabled/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b68e7ac9-5bc8-42f0-a559-ac40fc9ba721 -date: '2025-08-12' -description: Automatically categorized datasets in directory aws_mfa_disabled -environment: attack_range -directory: aws_mfa_disabled -mitre_technique: -- T1621 -datasets: -- name: asl_ocsf_cloudtrail-json - path: /datasets/attack_techniques/T1621/aws_mfa_disabled/asl_ocsf_cloudtrail.json - sourcetype: aws:cloudtrail:lake - source: aws_asl diff --git a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml index c542e336c..71586dc9a 100644 --- a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 5a6ed21a-ea34-4950-b09b-0b0bf369269e date: '2022-10-31' -description: 'Manually authenticated to the Azure AD Portal failed to pass MFA challenge by denying it. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks +description: Manually authenticated to the Azure AD Portal failed to pass MFA challenge + by denying it. Tenant specific details have been replaced in the dataset including + tenant id, user names, ips, etc. +environment: attack_range +directory: azure_ad_multiple_denied_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure_ad_multiple_denied_mfa_requests + path: /datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml b/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml deleted file mode 100644 index 68eb77e5e..000000000 --- a/datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d2346b4e-9a58-4458-89de-974b9b41a693 -date: '2025-08-12' -description: Automatically categorized datasets in directory azure_ad_multiple_denied_mfa_requests -environment: attack_range -directory: azure_ad_multiple_denied_mfa_requests -mitre_technique: -- T1621 -datasets: -- name: azure_ad_multiple_denied_mfa_requests - path: /datasets/attack_techniques/T1621/azure_ad_multiple_denied_mfa_requests/azure_ad_multiple_denied_mfa_requests.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1621/azuread/azuread.yml b/datasets/attack_techniques/T1621/azuread/azuread.yml index c9148ff31..04ad814a4 100644 --- a/datasets/attack_techniques/T1621/azuread/azuread.yml +++ b/datasets/attack_techniques/T1621/azuread/azuread.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: b0db79c9-1e82-4a32-9f69-998dc33508a9 date: '2022-07-14' -description: 'Manually authenticated to the Azure AD Portal failed to pass MFA challenge by denying it or letting it timeout. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/azuread/azure-audit.log -sourcetypes: -- mscs:azure:eventhub -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks +description: Manually authenticated to the Azure AD Portal failed to pass MFA challenge + by denying it or letting it timeout. Tenant specific details have been replaced + in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: azuread +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/azuread/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/azuread/data.yml b/datasets/attack_techniques/T1621/azuread/data.yml deleted file mode 100644 index ccf664982..000000000 --- a/datasets/attack_techniques/T1621/azuread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: decec97f-a2ca-46d4-bcaf-fe8db9d1ba27 -date: '2025-08-12' -description: Automatically categorized datasets in directory azuread -environment: attack_range -directory: azuread -mitre_technique: -- T1621 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1621/azuread/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml b/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml deleted file mode 100644 index 1e27231be..000000000 --- a/datasets/attack_techniques/T1621/gcp_failed_mfa/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d6b865b9-6e68-4f03-b973-fc1fb9ed4694 -date: '2025-08-12' -description: Automatically categorized datasets in directory gcp_failed_mfa -environment: attack_range -directory: gcp_failed_mfa -mitre_technique: -- T1621 -datasets: -- name: gws_login - path: /datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log - sourcetype: gws:reports:login - source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml b/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml index 9ffb3ea80..3b4e93feb 100644 --- a/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml +++ b/datasets/attack_techniques/T1621/gcp_failed_mfa/gcp_failed_mfa.yml @@ -1,13 +1,15 @@ author: Mauricio Velazco id: 6edb20af-362b-417b-87e4-fa1d7aa8ca2c date: '2022-10-14' -description: 'Manually authenticated to the GCP portal and failed to pass MFA challenge by typing in a wrong code. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ \ No newline at end of file +description: Manually authenticated to the GCP portal and failed to pass MFA challenge + by typing in a wrong code. Tenant specific details have been replaced in the dataset + including tenant id, user names, ips, etc. +environment: attack_range +directory: gcp_failed_mfa +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/gcp_failed_mfa/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml deleted file mode 100644 index 590065b54..000000000 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0f41727a-b3e0-41a9-a387-205470659a77 -date: '2025-08-12' -description: Automatically categorized datasets in directory multiple_failed_mfa_gws -environment: attack_range -directory: multiple_failed_mfa_gws -mitre_technique: -- T1621 -datasets: -- name: gws_login - path: /datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log - sourcetype: gws:reports:login - source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml index 554b17ad0..5673821d5 100644 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/multiple_failed_mfa_gws.yml @@ -1,15 +1,15 @@ author: Mauricio Velazco id: 8fa3d1ff-5d16-4e3a-8a0b-3f1afdf14c49 date: '2022-10-17' -description: 'Manually generated multple MFA requests for a user leveraging the Google CLoud Console portal and submitting wrong codes. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Google Cloud Platform tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log -sourcetypes: -- gws:reports:login -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraging the Google + CLoud Console portal and submitting wrong codes. Tenant specific details have been + replaced in the dataset including tenant id, user names, ips, etc. +environment: attack_range +directory: multiple_failed_mfa_gws +mitre_technique: +- T1621 +datasets: +- name: gws_login + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_gws/gws_login.log + sourcetype: gws:reports:login + source: gws:reports:login diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml deleted file mode 100644 index 80e7e392f..000000000 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6cd5695e-549e-45dd-8e5a-7ad5100f758d -date: '2025-08-12' -description: Automatically categorized datasets in directory multiple_failed_mfa_requests -environment: attack_range -directory: multiple_failed_mfa_requests -mitre_technique: -- T1621 -datasets: -- name: azure-audit - path: /datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log - sourcetype: azure:monitor:aad - source: azure diff --git a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml index 284012ceb..5a58cfb5a 100644 --- a/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/multiple_failed_mfa_requests.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: 63af0495-3a3a-4d38-9658-96d3c1872ea8 date: '2022-08-25' -description: 'Manually generated multple MFA requests for a user leveraing the Azure AD Portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Azure AD tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log -sourcetypes: -- azure:monitor:aad -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraing the Azure + AD Portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: azure-audit + path: /datasets/attack_techniques/T1621/multiple_failed_mfa_requests/azure-audit.log + sourcetype: azure:monitor:aad + source: azure diff --git a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml deleted file mode 100644 index c88a3d49a..000000000 --- a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 4afcbe95-23e1-4ade-9f72-84bf9275ec51 -date: '2025-08-12' -description: Automatically categorized datasets in directory o365_multiple_failed_mfa_requests -environment: attack_range -directory: o365_multiple_failed_mfa_requests -mitre_technique: -- T1621 -datasets: -- name: o365_multiple_failed_mfa_requests - path: /datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log - sourcetype: o365:management:activity - source: o365 diff --git a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml index 6dc37298b..f60c599a2 100644 --- a/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.yml @@ -1,16 +1,15 @@ author: Mauricio Velazco id: f76a30f9-7ac3-4e4d-95d7-c55e65012040 date: '2023-10-19' -description: 'Manually generated multple MFA requests for a user leveraing the Outlook portal. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Office 365 enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log -sourcetypes: -- o365:management:activity -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks -- https://www.mandiant.com/resources/blog/russian-targeting-gov-business -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user leveraing the Outlook + portal. Tenant specific details have been replaced in the dataset including tenant + id, user names, ips, etc. +environment: attack_range +directory: o365_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: o365_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/o365_multiple_failed_mfa_requests/o365_multiple_failed_mfa_requests.log + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml b/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml deleted file mode 100644 index 17e88efca..000000000 --- a/datasets/attack_techniques/T1621/okta_mfa_login_failed/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 88990979-9fd5-4d56-9760-d83b30fc940c -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_mfa_login_failed -environment: attack_range -directory: okta_mfa_login_failed -mitre_technique: -- T1621 -datasets: -- name: okta_mfa_login_failed - path: /datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml b/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml index b6357db5a..5dc23a1a4 100644 --- a/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml +++ b/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.yml @@ -1,14 +1,15 @@ author: Bhavin Patel id: 6a21e46e-d759-11e0-bbd6-932611ee01ad date: '2024-03-05' -description: 'Manually generated multple failed MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple failed MFA requests for a user in Okta. Tenant + specific details have been replaced in the dataset including tenant id, user names, + ips, etc. +environment: attack_range +directory: okta_mfa_login_failed +mitre_technique: +- T1621 +datasets: +- name: okta_mfa_login_failed + path: /datasets/attack_techniques/T1621/okta_mfa_login_failed/okta_mfa_login_failed.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_mismatch/data.yml b/datasets/attack_techniques/T1621/okta_mismatch/data.yml deleted file mode 100644 index 4a501f5a2..000000000 --- a/datasets/attack_techniques/T1621/okta_mismatch/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c67e371f-db71-4782-ad34-3df24bcb3100 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_mismatch -environment: attack_range -directory: okta_mismatch -mitre_technique: -- T1621 -datasets: -- name: okta_mismatch - path: /datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml b/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml index 7c1403ea6..cc909be67 100644 --- a/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml +++ b/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.yml @@ -1,14 +1,15 @@ author: Bhavin Patel id: 6ab28666-327b-4c39-8b30-b717b04763ec date: '2024-11-19' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta Tenant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://research.splunk.com/application/8085b79b-9b85-4e67-ad63-351c9e9a5e9a/ \ No newline at end of file +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_mismatch +mitre_technique: +- T1621 +datasets: +- name: okta_mismatch + path: /datasets/attack_techniques/T1621/okta_mismatch/okta_mismatch.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml deleted file mode 100644 index 0e0a07b7f..000000000 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 613e1fb2-33ff-45c6-b266-804347535574 -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_multiple_failed_mfa_pushes -environment: attack_range -directory: okta_multiple_failed_mfa_pushes -mitre_technique: -- T1621 -datasets: -- name: okta_multiple_failed_mfa_pushes - path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml index 628fce2e6..8ba8f4ae6 100644 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 6ab28c66-327b-4c39-8b30-b727b04763ec date: '2024-03-18' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_multiple_failed_mfa_pushes +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_pushes + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_pushes/okta_multiple_failed_mfa_pushes.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml deleted file mode 100644 index 4a329681c..000000000 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1a6a1dac-1956-4c4f-8223-85b2d6c2e2aa -date: '2025-08-12' -description: Automatically categorized datasets in directory okta_multiple_failed_mfa_requests -environment: attack_range -directory: okta_multiple_failed_mfa_requests -mitre_technique: -- T1621 -datasets: -- name: okta_multiple_failed_mfa_requests - path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log - sourcetype: OktaIM2:log - source: Okta diff --git a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml index 110ac3357..2ff50c10c 100644 --- a/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml +++ b/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.yml @@ -1,14 +1,15 @@ author: Mauricio Velazco id: 6a21e46e-d759-4be0-bbd6-932601ee01ad date: '2024-03-05' -description: 'Manually generated multple MFA requests for a user in Okta. - Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.' -environment: Okta enant -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log -sourcetypes: -- OktaIM2:log -references: -- https://attack.mitre.org/techniques/T1621/ -- https://attack.mitre.org/techniques/T1078/004/ -- https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/ +description: Manually generated multple MFA requests for a user in Okta. Tenant specific + details have been replaced in the dataset including tenant id, user names, ips, + etc. +environment: attack_range +directory: okta_multiple_failed_mfa_requests +mitre_technique: +- T1621 +datasets: +- name: okta_multiple_failed_mfa_requests + path: /datasets/attack_techniques/T1621/okta_multiple_failed_mfa_requests/okta_multiple_failed_mfa_requests.log + sourcetype: OktaIM2:log + source: Okta diff --git a/datasets/attack_techniques/T1621/pingid/data.yml b/datasets/attack_techniques/T1621/pingid/pingid.yml similarity index 67% rename from datasets/attack_techniques/T1621/pingid/data.yml rename to datasets/attack_techniques/T1621/pingid/pingid.yml index 93d73f709..b4c902684 100644 --- a/datasets/attack_techniques/T1621/pingid/data.yml +++ b/datasets/attack_techniques/T1621/pingid/pingid.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: d117fd5b-b249-4ed4-abd0-52eb21cbf0a2 -date: '2025-08-12' -description: Automatically categorized datasets in directory pingid +author: Steven Dick +id: 050d14b8-455d-43a8-9d99-9c38f8afd73c +date: '2023-09-26' +description: Detection of a few common MFA abuse scenarios with datasets from pindID environment: attack_range directory: pingid mitre_technique: diff --git a/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml b/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml deleted file mode 100644 index 678f2a88f..000000000 --- a/datasets/attack_techniques/T1621/pingid/pingid_dataset.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Steven Dick -id: 050d14b8-455d-43a8-9d99-9c38f8afd73c -date: '2023-09-26' -description: 'Detection of a few common MFA abuse scenarios with datasets from pindID' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/pingid.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/pingid/windows_pw_reset.log -sourcetypes: -- _json -- WinEventLog:Security -references: -- https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677 -- https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/ -- https://twitter.com/jhencinski/status/1618660062352007174 -- https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA diff --git a/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml index e4de3483b..eeec94245 100644 --- a/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1649/atomic_red_team/atomic_red_team.yml @@ -1,26 +1,46 @@ author: Michael Haag id: 43136df7-63f7-46d5-97af-a18d2a5f9e74 date: '2023-02-01' -description: Generation of Atomic Red Team techniques that create and export a certificate on Windows, simulating an adversary stealing certificates. +description: Generation of Atomic Red Team techniques that create and export a certificate + on Windows, simulating an adversary stealing certificates. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certificateservices-lifecycle.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfxcertificate.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_certificate.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/capi2-operational.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/risk_certificate_services.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1649 \ No newline at end of file +directory: atomic_red_team +mitre_technique: +- T1649 +datasets: +- name: export_certificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: certwrite_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4876_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: export_pfxcertificate_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4104_export_pfx-windows-powershell + path: /datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: backupdb_certutil_windows-sysmon + path: /datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: 4887_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4886_windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security +- name: 4688_certutil_backupdb-windows-security + path: /datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1649/atomic_red_team/data.yml b/datasets/attack_techniques/T1649/atomic_red_team/data.yml deleted file mode 100644 index 70fbe0cfe..000000000 --- a/datasets/attack_techniques/T1649/atomic_red_team/data.yml +++ /dev/null @@ -1,45 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 923fb4aa-0090-4b25-af11-83d604a58300 -date: '2025-08-12' -description: Automatically categorized datasets in directory atomic_red_team -environment: attack_range -directory: atomic_red_team -mitre_technique: -- T1649 -datasets: -- name: export_certificate_windows-sysmon - path: /datasets/attack_techniques/T1649/atomic_red_team/export_certificate_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: certwrite_windows-sysmon - path: /datasets/attack_techniques/T1649/atomic_red_team/certwrite_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4876_windows-security - path: /datasets/attack_techniques/T1649/atomic_red_team/4876_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: export_pfxcertificate_windows-sysmon - path: /datasets/attack_techniques/T1649/atomic_red_team/export_pfxcertificate_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4104_export_pfx-windows-powershell - path: /datasets/attack_techniques/T1649/atomic_red_team/4104_export_pfx-windows-powershell.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: backupdb_certutil_windows-sysmon - path: /datasets/attack_techniques/T1649/atomic_red_team/backupdb_certutil_windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: 4887_windows-security - path: /datasets/attack_techniques/T1649/atomic_red_team/4887_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: 4886_windows-security - path: /datasets/attack_techniques/T1649/atomic_red_team/4886_windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security -- name: 4688_certutil_backupdb-windows-security - path: /datasets/attack_techniques/T1649/atomic_red_team/4688_certutil_backupdb-windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/attack_techniques/T1649/certify_abuse/data.yml b/datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml similarity index 52% rename from datasets/attack_techniques/T1649/certify_abuse/data.yml rename to datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml index 4a2777e6b..286dbb5ea 100644 --- a/datasets/attack_techniques/T1649/certify_abuse/data.yml +++ b/datasets/attack_techniques/T1649/certify_abuse/certify_abuse.yml @@ -1,7 +1,9 @@ -author: Generated by dataset_analyzer.py -id: 9a6caf5e-09e5-4c5a-a205-761f53510999 -date: '2025-08-12' -description: Automatically categorized datasets in directory certify_abuse +author: Steven Dick +id: a6e1c749-e7b0-401e-9ce7-de9f38e7113f +date: '2023-06-30' +description: Detection of common behaviors when certify/certipy tools are used to + exploit AD CS for the ESC1 vulnerablity. Manual testing using standard compiled + versions of both tools environment: attack_range directory: certify_abuse mitre_technique: diff --git a/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml b/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml deleted file mode 100644 index 1fc1463a9..000000000 --- a/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Steven Dick -id: a6e1c749-e7b0-401e-9ce7-de9f38e7113f -date: '2023-06-30' -description: 'Detection of common behaviors when certify/certipy tools are used to exploit AD CS for the ESC1 vulnerablity. Manual testing using standard compiled versions of both tools' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_winsecurity.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1649/certify_abuse/certify_esc1_abuse_powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- WinEventLog:Security -references: -- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf -- https://github.com/ly4k/Certipy#esc1 -- https://pentestlaboratories.com/2021/11/08/threat-hunting-certificate-account-persistence/ \ No newline at end of file diff --git a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml index 6609a4a5b..d857bb6a5 100644 --- a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml +++ b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml @@ -1,9 +1,14 @@ author: Teoderick Contreras id: f4f24c8e-3019-42c7-8a7e-093c5f657711 date: '2021-09-29' -description: manual activesetup stubpath registry modification datasets for persistence and privilege escalation. +description: manual activesetup stubpath registry modification datasets for persistence + and privilege escalation. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: active_setup_stubpath +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml b/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml deleted file mode 100644 index 5bc52b835..000000000 --- a/datasets/attack_techniques/t1547.014/active_setup_stubpath/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a154bdc5-4271-4c4b-b664-b9adbfe7f96c -date: '2025-08-12' -description: Automatically categorized datasets in directory active_setup_stubpath -environment: attack_range -directory: active_setup_stubpath -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml b/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml deleted file mode 100644 index 9ce5f2074..000000000 --- a/datasets/attack_techniques/t1592/host_info_dxdiag/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2c9c47c0-d6fa-40de-9db4-cda43227aff8 -date: '2025-08-12' -description: Automatically categorized datasets in directory host_info_dxdiag -environment: attack_range -directory: host_info_dxdiag -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml index f18c6b1f3..378911054 100644 --- a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml +++ b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: ee6ee414-4666-42fd-be3a-81da24e174ed date: '2021-11-19' -description: 'simulated remcos dxdiag execution for host information gathering' +description: simulated remcos dxdiag execution for host information gathering environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: host_info_dxdiag +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/t1592/pwh_av_recon/data.yml b/datasets/attack_techniques/t1592/pwh_av_recon/data.yml deleted file mode 100644 index 2d1716f6e..000000000 --- a/datasets/attack_techniques/t1592/pwh_av_recon/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fce26f89-aa9f-4463-98d8-424393a7e3e3 -date: '2025-08-12' -description: Automatically categorized datasets in directory pwh_av_recon -environment: attack_range -directory: pwh_av_recon -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml index a0cd0bd8d..d3e2feea7 100644 --- a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml +++ b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml @@ -3,9 +3,11 @@ id: a7c7fe4a-aa0e-11ec-a505-acde48001122 date: '2022-03-22' description: Generated datasets for pwh av recon in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1592/pwh_av_recon/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ \ No newline at end of file +directory: pwh_av_recon +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/acidrain/acidrain.yml b/datasets/malware/acidrain/acidrain.yml index b26aa1509..55fa1e278 100644 --- a/datasets/malware/acidrain/acidrain.yml +++ b/datasets/malware/acidrain/acidrain.yml @@ -3,9 +3,11 @@ id: bcab43fc-ba40-11ec-9840-acde48001122 date: '2022-04-12' description: Generated datasets for acidrain in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/acidrain/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ \ No newline at end of file +directory: acidrain +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/acidrain/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/acidrain/data.yml b/datasets/malware/acidrain/data.yml deleted file mode 100644 index af189e60b..000000000 --- a/datasets/malware/acidrain/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b0309de3-26b7-40ef-81c4-453d60e64363 -date: '2025-08-12' -description: Automatically categorized datasets in directory acidrain -environment: attack_range -directory: acidrain -mitre_technique: -- unknown -datasets: -- name: sysmon_linux - path: /datasets/malware/acidrain/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml index 68f1ff7ff..28e78b436 100644 --- a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 46c3910f-e139-4e97-a065-5537b28b5fa8 date: '2022-09-21' description: Generated datasets for agent tesla ftp in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_ftp +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml b/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml deleted file mode 100644 index 566345bbd..000000000 --- a/datasets/malware/agent_tesla/agent_tesla_ftp/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f7d4ad99-16bf-4550-8c41-9906bcbeda6e -date: '2025-08-12' -description: Automatically categorized datasets in directory agent_tesla_ftp -environment: attack_range -directory: agent_tesla_ftp -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml index 03899a941..a34344fe5 100644 --- a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: c82fd5f0-8876-4b0a-bcec-230ff31bf058 date: '2022-09-21' description: Generated datasets for agent tesla smtp in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_smtp +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml b/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml deleted file mode 100644 index fc890b9fd..000000000 --- a/datasets/malware/agent_tesla/agent_tesla_smtp/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 23f63d4a-bb54-454f-baa8-66094799088e -date: '2025-08-12' -description: Automatically categorized datasets in directory agent_tesla_smtp -environment: attack_range -directory: agent_tesla_smtp -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml index deebc4f96..00bd2de25 100644 --- a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml +++ b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 11c22ca3-0392-4221-a8f8-7d39df80b9a0 date: '2022-09-21' description: Generated datasets for agent tesla tor dns query in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware +environment: attack_range +directory: agent_tesla_tor_dns_query +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml deleted file mode 100644 index 9f9b8ca49..000000000 --- a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 22f85ca0-1adf-4a62-9efd-dd6a1d990253 -date: '2025-08-12' -description: Automatically categorized datasets in directory agent_tesla_tor_dns_query -environment: attack_range -directory: agent_tesla_tor_dns_query -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml index 62c278395..eeeea7512 100644 --- a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml +++ b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 275677fa-df36-426e-ab9f-9f130da29b1f date: '2022-09-21' description: Generated datasets for chm powershell in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://isc.sans.edu/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675 +environment: attack_range +directory: chm_powershell +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/agent_tesla/chm_powershell/data.yml b/datasets/malware/agent_tesla/chm_powershell/data.yml deleted file mode 100644 index 39103506e..000000000 --- a/datasets/malware/agent_tesla/chm_powershell/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 10dc1693-4be5-468d-b9e1-15b1b6f4caa3 -date: '2025-08-12' -description: Automatically categorized datasets in directory chm_powershell -environment: attack_range -directory: chm_powershell -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/amadey/access_permission/access_permission.yml b/datasets/malware/amadey/access_permission/access_permission.yml index 21e9c41f5..ccfacf743 100644 --- a/datasets/malware/amadey/access_permission/access_permission.yml +++ b/datasets/malware/amadey/access_permission/access_permission.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 1eb71f8b-d23c-4447-a371-4328dd05bc1c date: '2023-06-13' description: Generated datasets for access permission in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/amadey/access_permission/amadey_sysmon2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey +environment: attack_range +directory: access_permission +mitre_technique: +- unknown +datasets: +- name: amadey_sysmon2 + path: /datasets/malware/amadey/access_permission/amadey_sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/amadey/access_permission/data.yml b/datasets/malware/amadey/access_permission/data.yml deleted file mode 100644 index 1046f66c7..000000000 --- a/datasets/malware/amadey/access_permission/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d1651ba2-1249-484c-ae0b-e891946484ea -date: '2025-08-12' -description: Automatically categorized datasets in directory access_permission -environment: attack_range -directory: access_permission -mitre_technique: -- unknown -datasets: -- name: amadey_sysmon2 - path: /datasets/malware/amadey/access_permission/amadey_sysmon2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test1/data.yml b/datasets/malware/awfulshred/test1/data.yml deleted file mode 100644 index dfd8a26b3..000000000 --- a/datasets/malware/awfulshred/test1/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 64315eea-76f6-48f0-a85a-083f9e306ef1 -date: '2025-08-12' -description: Automatically categorized datasets in directory test1 -environment: attack_range -directory: test1 -mitre_technique: -- unknown -datasets: -- name: sysmon_linux - path: /datasets/malware/awfulshred/test1/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test1/test1.yml b/datasets/malware/awfulshred/test1/test1.yml index 614dd388b..0a691c357 100644 --- a/datasets/malware/awfulshred/test1/test1.yml +++ b/datasets/malware/awfulshred/test1/test1.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: faf182a1-016e-42c0-8150-3f1f4f0c2606 date: '2023-02-08' description: Generated datasets for test1 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test1/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test1 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test1/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test2/data.yml b/datasets/malware/awfulshred/test2/data.yml deleted file mode 100644 index 2038f59fd..000000000 --- a/datasets/malware/awfulshred/test2/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 46e507b4-4af4-4c13-8a7d-5bcf59a35072 -date: '2025-08-12' -description: Automatically categorized datasets in directory test2 -environment: attack_range -directory: test2 -mitre_technique: -- unknown -datasets: -- name: sysmon_linux - path: /datasets/malware/awfulshred/test2/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test2/test2.yml b/datasets/malware/awfulshred/test2/test2.yml index 7231c5a30..68f0654e1 100644 --- a/datasets/malware/awfulshred/test2/test2.yml +++ b/datasets/malware/awfulshred/test2/test2.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 8aca3e92-a6cb-4aa5-9eb5-3f63585681a8 date: '2023-02-08' description: Generated datasets for test2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test2/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test2 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test2/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test3/data.yml b/datasets/malware/awfulshred/test3/data.yml deleted file mode 100644 index 2c133e1e1..000000000 --- a/datasets/malware/awfulshred/test3/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 20d4b9a4-0b35-4a99-ad8c-d6b258c3e46a -date: '2025-08-12' -description: Automatically categorized datasets in directory test3 -environment: attack_range -directory: test3 -mitre_technique: -- unknown -datasets: -- name: sysmon_linux - path: /datasets/malware/awfulshred/test3/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/awfulshred/test3/test3.yml b/datasets/malware/awfulshred/test3/test3.yml index 6a964bace..7880c1610 100644 --- a/datasets/malware/awfulshred/test3/test3.yml +++ b/datasets/malware/awfulshred/test3/test3.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 29167716-e0c5-44ec-af4d-12b57ace49ac date: '2023-02-09' description: Generated datasets for test3 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/awfulshred/test3/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ +environment: attack_range +directory: test3 +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/awfulshred/test3/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/azorult/azorult.yml b/datasets/malware/azorult/azorult.yml index 18abef371..3c1fc0ef2 100644 --- a/datasets/malware/azorult/azorult.yml +++ b/datasets/malware/azorult/azorult.yml @@ -3,9 +3,11 @@ id: c5f4387e-f21c-11ec-9f67-acde48001122 date: '2022-06-22' description: Generated datasets for azorult in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/azorult/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/ \ No newline at end of file +directory: azorult +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/azorult/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/azorult/data.yml b/datasets/malware/azorult/data.yml deleted file mode 100644 index 32b0111bc..000000000 --- a/datasets/malware/azorult/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 10e1ba77-db09-4ee6-8609-19555c477d8a -date: '2025-08-12' -description: Automatically categorized datasets in directory azorult -environment: attack_range -directory: azorult -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/azorult/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml index d4f9e1baf..95515a61b 100644 --- a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml +++ b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 0878ab9a-69e0-4d0e-a2c8-366889310425 date: '2022-09-01' description: Generated datasets for brute duplicate token in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: brute_duplicate_token +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/brute_duplicate_token/data.yml b/datasets/malware/brute_ratel/brute_duplicate_token/data.yml deleted file mode 100644 index faf00add7..000000000 --- a/datasets/malware/brute_ratel/brute_duplicate_token/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bd3a4ce9-1206-444a-b498-0e278c38075f -date: '2025-08-12' -description: Automatically categorized datasets in directory brute_duplicate_token -environment: attack_range -directory: brute_duplicate_token -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml index 810eb4a71..e1627b8e4 100644 --- a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml +++ b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: df76ce73-7258-41ae-ba31-aa96729ab442 date: '2022-09-05' description: Generated datasets for create remote thread in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/create_remote_thread/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: create_remote_thread +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/create_remote_thread/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/create_remote_thread/data.yml b/datasets/malware/brute_ratel/create_remote_thread/data.yml deleted file mode 100644 index 82d0756f1..000000000 --- a/datasets/malware/brute_ratel/create_remote_thread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 75c59f86-16ba-4be0-b8a5-88d117503bd0 -date: '2025-08-12' -description: Automatically categorized datasets in directory create_remote_thread -environment: attack_range -directory: create_remote_thread -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/create_remote_thread/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml b/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml deleted file mode 100644 index c367e4ebf..000000000 --- a/datasets/malware/brute_ratel/iso_version_dll_campaign/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1c747d24-1259-451e-ab1a-c5451fefdcd5 -date: '2025-08-12' -description: Automatically categorized datasets in directory iso_version_dll_campaign -environment: attack_range -directory: iso_version_dll_campaign -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml index 69ffa7515..fb05abd65 100644 --- a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml +++ b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: a82706f1-b01d-4474-bd3c-fbf3a20207bd date: '2022-08-30' description: Generated datasets for iso version dll campaign in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: iso_version_dll_campaign +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/loading_samlib/data.yml b/datasets/malware/brute_ratel/loading_samlib/data.yml deleted file mode 100644 index 5eb6ea762..000000000 --- a/datasets/malware/brute_ratel/loading_samlib/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: efffb7c4-c273-49de-8e96-0e6c595c4ef9 -date: '2025-08-12' -description: Automatically categorized datasets in directory loading_samlib -environment: attack_range -directory: loading_samlib -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/loading_samlib/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml index aa0bc9d1e..b8339d3f1 100644 --- a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml +++ b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: ab382976-dff6-41f3-bfa9-1bffee40a426 date: '2022-08-31' description: Generated datasets for loading samlib in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/loading_samlib/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: loading_samlib +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/loading_samlib/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/service_deletion/data.yml b/datasets/malware/brute_ratel/service_deletion/data.yml deleted file mode 100644 index e5253d2ec..000000000 --- a/datasets/malware/brute_ratel/service_deletion/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 774b8a4f-8f5d-4428-b156-5523e370220b -date: '2025-08-12' -description: Automatically categorized datasets in directory service_deletion -environment: attack_range -directory: service_deletion -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/service_deletion/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml index d2912d1a6..8982076c3 100644 --- a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml +++ b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 4b0e2bb8-d5ae-4c8e-a6ad-ed71ea3cbb2f date: '2022-09-01' description: Generated datasets for service deletion in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/service_deletion/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: service_deletion +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/service_deletion/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml deleted file mode 100644 index 40804d753..000000000 --- a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 46b8cc94-ea39-4d6c-9e36-55839202e880 -date: '2025-08-12' -description: Automatically categorized datasets in directory wallpaper_via_transcodedwallpaper -environment: attack_range -directory: wallpaper_via_transcodedwallpaper -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml index 4f09272ba..aca087ccd 100644 --- a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml +++ b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 24cbdc61-c864-40aa-a121-0a1ff9b88f8f date: '2022-09-05' description: Generated datasets for wallpaper via transcodedwallpaper in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ +environment: attack_range +directory: wallpaper_via_transcodedwallpaper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/chaos_ransomware.yml b/datasets/malware/chaos_ransomware/chaos_ransomware.yml index cc272882e..36e6e8f0c 100644 --- a/datasets/malware/chaos_ransomware/chaos_ransomware.yml +++ b/datasets/malware/chaos_ransomware/chaos_ransomware.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 09b72e6e-b405-488e-a0b2-7e22ad442ccf date: '2023-01-12' description: Generated datasets for chaos ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html +environment: attack_range +directory: chaos_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/data.yml b/datasets/malware/chaos_ransomware/data.yml deleted file mode 100644 index 6c90ae82d..000000000 --- a/datasets/malware/chaos_ransomware/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 129a18ab-f2c5-4e1d-8d18-04e3020fc37a -date: '2025-08-12' -description: Automatically categorized datasets in directory chaos_ransomware -environment: attack_range -directory: chaos_ransomware -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/chaos_ransomware/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml b/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml deleted file mode 100644 index f649e0e40..000000000 --- a/datasets/malware/chaos_ransomware/spread_in_root_drives/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 14c235ce-3c75-4d41-8968-12e60bc5d65d -date: '2025-08-12' -description: Automatically categorized datasets in directory spread_in_root_drives -environment: attack_range -directory: spread_in_root_drives -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml index 538e00c59..ce089170d 100644 --- a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml +++ b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 5b8e6074-8f56-40c2-954a-94d906bd0ae7 date: '2023-01-17' description: Generated datasets for spread in root drives in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia +environment: attack_range +directory: spread_in_root_drives +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_a/clop_a.yml b/datasets/malware/clop/clop_a/clop_a.yml index a8f003129..24c41cff3 100644 --- a/datasets/malware/clop/clop_a/clop_a.yml +++ b/datasets/malware/clop/clop_a/clop_a.yml @@ -4,12 +4,15 @@ date: '2021-03-22' description: Execution of CLOP malware on Windows 10 endpoint and simulated service name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog -references: -- https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html -- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html/ +directory: clop_a +mitre_technique: +- unknown +datasets: +- name: windows-xml + path: /datasets/malware/clop/clop_a/windows-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:System +- name: windows-sysmon + path: /datasets/malware/clop/clop_a/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_a/data.yml b/datasets/malware/clop/clop_a/data.yml deleted file mode 100644 index ea4aa61d8..000000000 --- a/datasets/malware/clop/clop_a/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0e34c4de-338a-42ae-bd2d-db175e8e6efa -date: '2025-08-12' -description: Automatically categorized datasets in directory clop_a -environment: attack_range -directory: clop_a -mitre_technique: -- unknown -datasets: -- name: windows-xml - path: /datasets/malware/clop/clop_a/windows-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:System -- name: windows-sysmon - path: /datasets/malware/clop/clop_a/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_b/clop_b.yml b/datasets/malware/clop/clop_b/clop_b.yml index d96b2f68b..d0bf0fa6c 100644 --- a/datasets/malware/clop/clop_b/clop_b.yml +++ b/datasets/malware/clop/clop_b/clop_b.yml @@ -3,10 +3,11 @@ id: cc9b266e-efc9-11eb-926b-550bf0943fbb date: '2021-03-22' description: Execution of CLOP malware on Windows 10 endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html -- https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html/ +directory: clop_b +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/clop/clop_b/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/clop/clop_b/data.yml b/datasets/malware/clop/clop_b/data.yml deleted file mode 100644 index e3e260147..000000000 --- a/datasets/malware/clop/clop_b/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 60fa4b9a-3181-410b-add4-fea2a3d69e5a -date: '2025-08-12' -description: Automatically categorized datasets in directory clop_b -environment: attack_range -directory: clop_b -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/clop/clop_b/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/conti/conti_leak/conti_leak.yml b/datasets/malware/conti/conti_leak/conti_leak.yml index c4b8e4369..da65ad647 100644 --- a/datasets/malware/conti/conti_leak/conti_leak.yml +++ b/datasets/malware/conti/conti_leak/conti_leak.yml @@ -3,13 +3,19 @@ id: a9915722-bab6-426c-a66e-acc561ed1ce8 date: '2021-08-10' description: simulated Execution of conti leak malware in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-security.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- wineventlog -references: -- https://threadreaderapp.com/thread/1423361119926816776.html +directory: conti_leak +mitre_technique: +- unknown +datasets: +- name: windows-sysmon_7z + path: /datasets/malware/conti/conti_leak/windows-sysmon_7z.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-sysmon + path: /datasets/malware/conti/conti_leak/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: windows-security + path: /datasets/malware/conti/conti_leak/windows-security.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security diff --git a/datasets/malware/conti/conti_leak/data.yml b/datasets/malware/conti/conti_leak/data.yml deleted file mode 100644 index 8ff0c36c8..000000000 --- a/datasets/malware/conti/conti_leak/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fd03530f-4f01-41c7-9096-05eb6f99368f -date: '2025-08-12' -description: Automatically categorized datasets in directory conti_leak -environment: attack_range -directory: conti_leak -mitre_technique: -- unknown -datasets: -- name: windows-sysmon_7z - path: /datasets/malware/conti/conti_leak/windows-sysmon_7z.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-sysmon - path: /datasets/malware/conti/conti_leak/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: windows-security - path: /datasets/malware/conti/conti_leak/windows-security.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Security diff --git a/datasets/malware/cyclopsblink/cyclopsblink.yml b/datasets/malware/cyclopsblink/cyclopsblink.yml index 28cc3e3b3..46937029d 100644 --- a/datasets/malware/cyclopsblink/cyclopsblink.yml +++ b/datasets/malware/cyclopsblink/cyclopsblink.yml @@ -3,9 +3,11 @@ id: 80f8ff9e-b670-11ec-bdcb-acde48001122 date: '2022-04-07' description: Generated datasets for cyclopsblink in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/cyclopsblink/sysmon_linux.log -sourcetypes: -- Syslog:Linux-Sysmon/Operational -references: -- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf \ No newline at end of file +directory: cyclopsblink +mitre_technique: +- unknown +datasets: +- name: sysmon_linux + path: /datasets/malware/cyclopsblink/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/cyclopsblink/data.yml b/datasets/malware/cyclopsblink/data.yml deleted file mode 100644 index f45935df0..000000000 --- a/datasets/malware/cyclopsblink/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 57ce07fe-e424-4f8b-8d2c-e3fcd9fff385 -date: '2025-08-12' -description: Automatically categorized datasets in directory cyclopsblink -environment: attack_range -directory: cyclopsblink -mitre_technique: -- unknown -datasets: -- name: sysmon_linux - path: /datasets/malware/cyclopsblink/sysmon_linux.log - sourcetype: sysmon:linux - source: Syslog:Linux-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_delay_execution/data.yml b/datasets/malware/dcrat/dcrat_delay_execution/data.yml deleted file mode 100644 index 1f57556ea..000000000 --- a/datasets/malware/dcrat/dcrat_delay_execution/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bb3f3d8a-f0f3-4ff7-9501-603f05ddc375 -date: '2025-08-12' -description: Automatically categorized datasets in directory dcrat_delay_execution -environment: attack_range -directory: dcrat_delay_execution -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/dcrat/dcrat_delay_execution/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml index 9496c4b2b..eb1ccc1cc 100644 --- a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml +++ b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml @@ -3,9 +3,11 @@ id: 6e822ef6-0e74-11ed-b114-acde48001122 date: '2022-07-28' description: Generated datasets for dcrat delay execution in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_delay_execution/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_delay_execution +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_delay_execution/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_enum_camera/data.yml b/datasets/malware/dcrat/dcrat_enum_camera/data.yml deleted file mode 100644 index 7821a7566..000000000 --- a/datasets/malware/dcrat/dcrat_enum_camera/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 758f68df-4281-4564-a451-31aea1a9a05d -date: '2025-08-12' -description: Automatically categorized datasets in directory dcrat_enum_camera -environment: attack_range -directory: dcrat_enum_camera -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml index f5fef3aef..9dba18c37 100644 --- a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml +++ b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml @@ -3,9 +3,11 @@ id: 3ae30a30-0f18-11ed-8df2-acde48001122 date: '2022-07-29' description: Generated datasets for dcrat enum camera in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_enum_camera +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/dcrat/dcrat_explorer_url/data.yml b/datasets/malware/dcrat/dcrat_explorer_url/data.yml deleted file mode 100644 index 4511c30d0..000000000 --- a/datasets/malware/dcrat/dcrat_explorer_url/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8db3c16d-9df0-4306-87bf-6cecca36ac93 -date: '2025-08-12' -description: Automatically categorized datasets in directory dcrat_explorer_url -environment: attack_range -directory: dcrat_explorer_url -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/dcrat/dcrat_explorer_url/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml index fd3f5e66f..f9811e585 100644 --- a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml +++ b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml @@ -3,9 +3,11 @@ id: f1e16b7e-1192-11ed-9fa5-acde48001122 date: '2022-08-01' description: Generated datasets for dcrat explorer url in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_explorer_url/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: dcrat_explorer_url +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_explorer_url/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_forkbomb/data.yml b/datasets/malware/dcrat/dcrat_forkbomb/data.yml deleted file mode 100644 index 707f9c06e..000000000 --- a/datasets/malware/dcrat/dcrat_forkbomb/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fb854396-703c-4726-82fa-07c99b206b00 -date: '2025-08-12' -description: Automatically categorized datasets in directory dcrat_forkbomb -environment: attack_range -directory: dcrat_forkbomb -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/dcrat/dcrat_forkbomb/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml index 17e6a8170..ce31f8674 100644 --- a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml +++ b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml @@ -3,9 +3,11 @@ id: e98fe846-0e73-11ed-8ac5-acde48001122 date: '2022-07-28' description: Generated datasets for dcrat forkbomb in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/dcrat_forkbomb/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat \ No newline at end of file +directory: dcrat_forkbomb +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/dcrat_forkbomb/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/reboot_logoff_commandline/data.yml b/datasets/malware/dcrat/reboot_logoff_commandline/data.yml deleted file mode 100644 index dc57d355e..000000000 --- a/datasets/malware/dcrat/reboot_logoff_commandline/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 1ca9bec8-3032-47cb-8f3f-373da4f03a71 -date: '2025-08-12' -description: Automatically categorized datasets in directory reboot_logoff_commandline -environment: attack_range -directory: reboot_logoff_commandline -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml index 011cae91e..dc57d355e 100644 --- a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml +++ b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml @@ -1,12 +1,13 @@ -author: Teoderick Contreras -id: ddebec6c-0da9-11ed-a3fd-acde48001122 -date: '2022-07-27' -description: Generated datasets for reboot logoff commandline in attack range. +author: Generated by dataset_analyzer.py +id: 1ca9bec8-3032-47cb-8f3f-373da4f03a71 +date: '2025-08-12' +description: Automatically categorized datasets in directory reboot_logoff_commandline environment: attack_range -dataset: -- -https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor +directory: reboot_logoff_commandline +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/shutdown_commandline/data.yml b/datasets/malware/dcrat/shutdown_commandline/data.yml deleted file mode 100644 index d24ec2a4f..000000000 --- a/datasets/malware/dcrat/shutdown_commandline/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e0e8e514-c156-4bf1-b5c1-7cca60ae7dc4 -date: '2025-08-12' -description: Automatically categorized datasets in directory shutdown_commandline -environment: attack_range -directory: shutdown_commandline -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/dcrat/shutdown_commandline/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml index cff35aa36..e5e96256f 100644 --- a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml +++ b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml @@ -3,9 +3,11 @@ id: 29eaf4c8-0daa-11ed-a9e1-acde48001122 date: '2022-07-27' description: Generated datasets for shutdown commandline in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/dcrat/shutdown_commandline/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor \ No newline at end of file +directory: shutdown_commandline +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/dcrat/shutdown_commandline/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/doublezero_wiper/data.yml b/datasets/malware/doublezero_wiper/data.yml deleted file mode 100644 index 6d716ff12..000000000 --- a/datasets/malware/doublezero_wiper/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 597b0994-e706-4420-bea4-6a3e1f023c0b -date: '2025-08-12' -description: Automatically categorized datasets in directory doublezero_wiper -environment: attack_range -directory: doublezero_wiper -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/doublezero_wiper/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/doublezero_wiper/doublezero_wiper.yml b/datasets/malware/doublezero_wiper/doublezero_wiper.yml index da512da44..be2087175 100644 --- a/datasets/malware/doublezero_wiper/doublezero_wiper.yml +++ b/datasets/malware/doublezero_wiper/doublezero_wiper.yml @@ -3,9 +3,11 @@ id: 0781d036-ae79-11ec-b37d-acde48001122 date: '2022-03-28' description: Generated datasets for doublezero wiper in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/doublezero_wiper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html \ No newline at end of file +directory: doublezero_wiper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/doublezero_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_js_2/data.yml b/datasets/malware/fin7/fin7_js_2/data.yml deleted file mode 100644 index 5f99afc6e..000000000 --- a/datasets/malware/fin7/fin7_js_2/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 91f6a4e9-53b3-4a14-b19f-a8a88b7a9d9d -date: '2025-08-12' -description: Automatically categorized datasets in directory fin7_js_2 -environment: attack_range -directory: fin7_js_2 -mitre_technique: -- unknown -datasets: -- name: wmi_module_loaded_sysmon - path: /datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: ldap_module_loaded_sysmon - path: /datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/malware/fin7/fin7_js_2/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml index bddd75fa4..5e13bbd21 100644 --- a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml +++ b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml @@ -3,10 +3,19 @@ id: a81ffedc-b040-4055-b13d-eeb837380c7d date: '2021-09-14' description: fin7 js implant data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: fin7_js_2 +mitre_technique: +- unknown +datasets: +- name: wmi_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: ldap_module_loaded_sysmon + path: /datasets/malware/fin7/fin7_js_2/ldap_module_loaded_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/fin7/fin7_js_2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_macro_js_1/data.yml b/datasets/malware/fin7/fin7_macro_js_1/data.yml deleted file mode 100644 index a8f9f51de..000000000 --- a/datasets/malware/fin7/fin7_macro_js_1/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 6a7f53f9-83d6-4d4a-90b7-a0ae44185e9a -date: '2025-08-12' -description: Automatically categorized datasets in directory fin7_macro_js_1 -environment: attack_range -directory: fin7_macro_js_1 -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/fin7/fin7_macro_js_1/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml index 97cadf1c0..47d4e43d9 100644 --- a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml +++ b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml @@ -3,7 +3,11 @@ id: 148f9a52-05bd-4d44-b6cb-17aa7131ab49 date: '2021-09-14' description: fin7 macro and js implant data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/fin7_macro_js_1/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: fin7_macro_js_1 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/fin7/fin7_macro_js_1/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/jssloader/data.yml b/datasets/malware/fin7/jssloader/data.yml deleted file mode 100644 index 22837e981..000000000 --- a/datasets/malware/fin7/jssloader/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 33fe2d9b-87ee-4b8a-9230-06bc5d3a8228 -date: '2025-08-12' -description: Automatically categorized datasets in directory jssloader -environment: attack_range -directory: jssloader -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/fin7/jssloader/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/fin7/jssloader/jssloader.yml b/datasets/malware/fin7/jssloader/jssloader.yml index 416c76f29..76a41c0f6 100644 --- a/datasets/malware/fin7/jssloader/jssloader.yml +++ b/datasets/malware/fin7/jssloader/jssloader.yml @@ -3,7 +3,11 @@ id: 6fd684f5-6bbd-4706-bd50-5efb4d79a194 date: '2021-09-14' description: fin7 jssloader dataset. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: jssloader +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/fin7/jssloader/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/gootloader/partial_ttps/gootloader.yml b/datasets/malware/gootloader/partial_ttps/gootloader.yml deleted file mode 100644 index 6f8e37ba9..000000000 --- a/datasets/malware/gootloader/partial_ttps/gootloader.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Steven Dick -id: 82ce58ec-f2cb-4570-9a7c-b666362c5ebb -date: '2023-06-15' -description: 'Detection of gootloader common behaviors sourced from manual malware testing in Q1 2023' -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations -- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ -- https://redcanary.com/blog/gootloader/ \ No newline at end of file diff --git a/datasets/malware/gootloader/partial_ttps/data.yml b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml similarity index 72% rename from datasets/malware/gootloader/partial_ttps/data.yml rename to datasets/malware/gootloader/partial_ttps/partial_ttps.yml index b4727eee2..fdd11a907 100644 --- a/datasets/malware/gootloader/partial_ttps/data.yml +++ b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml @@ -1,7 +1,8 @@ -author: Generated by dataset_analyzer.py -id: 5674a31a-3456-4d68-ba30-e0a8257ebd84 -date: '2025-08-12' -description: Automatically categorized datasets in directory partial_ttps +author: Steven Dick +id: 82ce58ec-f2cb-4570-9a7c-b666362c5ebb +date: '2023-06-15' +description: Detection of gootloader common behaviors sourced from manual malware + testing in Q1 2023 environment: attack_range directory: partial_ttps mitre_technique: diff --git a/datasets/malware/hermetic_wiper/data.yml b/datasets/malware/hermetic_wiper/data.yml deleted file mode 100644 index e99f7fabf..000000000 --- a/datasets/malware/hermetic_wiper/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: fd9db676-1512-472c-a0d4-a77381891197 -date: '2025-08-12' -description: Automatically categorized datasets in directory hermetic_wiper -environment: attack_range -directory: hermetic_wiper -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/hermetic_wiper/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml deleted file mode 100644 index beb89efc8..000000000 --- a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f394d5b3-f57b-4919-ab36-6ca55ecd968d -date: '2025-08-12' -description: Automatically categorized datasets in directory globalfolderoptions_reg -environment: attack_range -directory: globalfolderoptions_reg -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml index 029a4de9b..0bada3944 100644 --- a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml +++ b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml @@ -3,9 +3,11 @@ id: 35b9ddaa-9a14-11ec-aec5-acde48001122 date: '2022-03-02' description: Generated datasets for globalfolderoptions reg in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html \ No newline at end of file +directory: globalfolderoptions_reg +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/hermetic_wiper/hermetic_wiper.yml b/datasets/malware/hermetic_wiper/hermetic_wiper.yml index 94fddbc93..d67d437c2 100644 --- a/datasets/malware/hermetic_wiper/hermetic_wiper.yml +++ b/datasets/malware/hermetic_wiper/hermetic_wiper.yml @@ -3,9 +3,11 @@ id: 7f55b95a-9642-11ec-ba7c-acde48001122 date: '2022-02-25' description: Generated datasets for hermetic wiper in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html \ No newline at end of file +directory: hermetic_wiper +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/hermetic_wiper/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml index cd2c13329..c72ce3b1d 100644 --- a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml +++ b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml @@ -3,7 +3,11 @@ id: cca625ab-da97-4206-8800-e56676c2075d date: '2021-10-21' description: cmd carry out string command parameter data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/cmd_carry_str_param/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: cmd_carry_str_param +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/icedid/cmd_carry_str_param/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/cmd_carry_str_param/data.yml b/datasets/malware/icedid/cmd_carry_str_param/data.yml deleted file mode 100644 index 4fac4d4e9..000000000 --- a/datasets/malware/icedid/cmd_carry_str_param/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8546612d-f4bb-4465-9bfc-6dee096ce79a -date: '2025-08-12' -description: Automatically categorized datasets in directory cmd_carry_str_param -environment: attack_range -directory: cmd_carry_str_param -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/icedid/cmd_carry_str_param/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_av/data.yml b/datasets/malware/icedid/disable_av/data.yml deleted file mode 100644 index 7a228e329..000000000 --- a/datasets/malware/icedid/disable_av/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 52564d17-a509-45d5-8e27-91a097d394b4 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_av -environment: attack_range -directory: disable_av -mitre_technique: -- unknown -datasets: -- name: sysmon2 - path: /datasets/malware/icedid/disable_av/sysmon2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/malware/icedid/disable_av/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_av/disable_av.yml b/datasets/malware/icedid/disable_av/disable_av.yml index b13e7dcd1..16e717e87 100644 --- a/datasets/malware/icedid/disable_av/disable_av.yml +++ b/datasets/malware/icedid/disable_av/disable_av.yml @@ -1,11 +1,17 @@ author: Teoderick Contreras id: bedd30e3-3a7a-4ba3-8138-4f1d9c9dfadb date: '2021-10-18' -description: icedid disable windows defender malware in attack range - name. +description: icedid disable windows defender malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: disable_av +mitre_technique: +- unknown +datasets: +- name: sysmon2 + path: /datasets/malware/icedid/disable_av/sysmon2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/icedid/disable_av/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_schtask/data.yml b/datasets/malware/icedid/disable_schtask/data.yml deleted file mode 100644 index 771ba88c6..000000000 --- a/datasets/malware/icedid/disable_schtask/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 93bc9750-219d-4514-a3c1-e0f29c68eff7 -date: '2025-08-12' -description: Automatically categorized datasets in directory disable_schtask -environment: attack_range -directory: disable_schtask -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/icedid/disable_schtask/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/disable_schtask/disable_schtask.yml b/datasets/malware/icedid/disable_schtask/disable_schtask.yml index e21ececa8..56f1b35f1 100644 --- a/datasets/malware/icedid/disable_schtask/disable_schtask.yml +++ b/datasets/malware/icedid/disable_schtask/disable_schtask.yml @@ -1,10 +1,13 @@ author: Teoderick Contreras id: f67f0c95-c850-4303-b65d-bcd99e87c520 date: '2021-10-18' -description: icedid disable schedule task malware in attack range - name. +description: icedid disable schedule task malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_schtask/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: disable_schtask +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/icedid/disable_schtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/inf_icedid/data.yml b/datasets/malware/icedid/inf_icedid/data.yml deleted file mode 100644 index 12c12153b..000000000 --- a/datasets/malware/icedid/inf_icedid/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 2773df7b-8370-4a2a-b265-95eef2530ec5 -date: '2025-08-12' -description: Automatically categorized datasets in directory inf_icedid -environment: attack_range -directory: inf_icedid -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/icedid/inf_icedid/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/inf_icedid/inf_icedid.yml b/datasets/malware/icedid/inf_icedid/inf_icedid.yml index bd61c5ef4..27a63d4f4 100644 --- a/datasets/malware/icedid/inf_icedid/inf_icedid.yml +++ b/datasets/malware/icedid/inf_icedid/inf_icedid.yml @@ -1,13 +1,13 @@ author: Teoderick Contreras id: 1500f3aa-332a-496c-9f2a-9d7fbe8f7f03 date: '2021-07-29' -description: Execution of icedid malware in attack range - name. +description: Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/inf_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ - +directory: inf_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/inf_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/phish_icedid/data.yml b/datasets/malware/icedid/phish_icedid/data.yml deleted file mode 100644 index c1313e001..000000000 --- a/datasets/malware/icedid/phish_icedid/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 62a5717f-b084-4008-b35a-4fb0eb620fc6 -date: '2025-08-12' -description: Automatically categorized datasets in directory phish_icedid -environment: attack_range -directory: phish_icedid -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/icedid/phish_icedid/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/phish_icedid/phish_icedid.yml b/datasets/malware/icedid/phish_icedid/phish_icedid.yml index f5ea5fce8..355d0cc1d 100644 --- a/datasets/malware/icedid/phish_icedid/phish_icedid.yml +++ b/datasets/malware/icedid/phish_icedid/phish_icedid.yml @@ -1,13 +1,13 @@ author: Teoderick Contreras id: ed600555-e180-42eb-b8a7-532bafcd448b date: '2021-07-29' -description: Execution of icedid malware in attack range - name. +description: Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/phish_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ - +directory: phish_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/phish_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/simulated_icedid/data.yml b/datasets/malware/icedid/simulated_icedid/data.yml deleted file mode 100644 index 68286c6dc..000000000 --- a/datasets/malware/icedid/simulated_icedid/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0b143f10-2f28-467d-8c77-295907e0e109 -date: '2025-08-12' -description: Automatically categorized datasets in directory simulated_icedid -environment: attack_range -directory: simulated_icedid -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/icedid/simulated_icedid/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml index 782db25d9..af0e3ef0b 100644 --- a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml +++ b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml @@ -1,12 +1,13 @@ author: Teoderick Contreras id: 745613c6-c475-4743-9cac-9a314ea33618 date: '2021-08-05' -description: simulated Execution of icedid malware in attack range - name. +description: simulated Execution of icedid malware in attack range name. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/simulated_icedid/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/ +directory: simulated_icedid +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/icedid/simulated_icedid/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/industroyer2/data.yml b/datasets/malware/industroyer2/data.yml deleted file mode 100644 index be18658e6..000000000 --- a/datasets/malware/industroyer2/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f837d03a-3057-47a9-b7d8-73ac2f61c1ec -date: '2025-08-12' -description: Automatically categorized datasets in directory industroyer2 -environment: attack_range -directory: industroyer2 -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/industroyer2/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/industroyer2/industroyer2.yml b/datasets/malware/industroyer2/industroyer2.yml index c48838369..396acadcd 100644 --- a/datasets/malware/industroyer2/industroyer2.yml +++ b/datasets/malware/industroyer2/industroyer2.yml @@ -3,9 +3,11 @@ id: d3197692-c245-11ec-b39f-acde48001122 date: '2022-04-22' description: Generated datasets for industroyer2 in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ \ No newline at end of file +directory: industroyer2 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/industroyer2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/lockbit_ransomware/data.yml b/datasets/malware/lockbit_ransomware/data.yml deleted file mode 100644 index 30a770621..000000000 --- a/datasets/malware/lockbit_ransomware/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0071c47b-4433-4902-b736-6383efea85a1 -date: '2025-08-12' -description: Automatically categorized datasets in directory lockbit_ransomware -environment: attack_range -directory: lockbit_ransomware -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/lockbit_ransomware/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml index 561207b0d..7f44fdfc4 100644 --- a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml +++ b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: cb28b767-140b-4375-bb89-85cb6d836f02 date: '2023-01-16' description: Generated datasets for lockbit ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/lockbit_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html +environment: attack_range +directory: lockbit_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/lockbit_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/olympic_destroyer/data.yml b/datasets/malware/olympic_destroyer/data.yml deleted file mode 100644 index cabb90975..000000000 --- a/datasets/malware/olympic_destroyer/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 37266d13-945c-444c-9c4c-1e540bdcb93a -date: '2025-08-12' -description: Automatically categorized datasets in directory olympic_destroyer -environment: attack_range -directory: olympic_destroyer -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/olympic_destroyer/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/olympic_destroyer/olympic_destroyer.yml b/datasets/malware/olympic_destroyer/olympic_destroyer.yml index 7d3a8c807..ce9798756 100644 --- a/datasets/malware/olympic_destroyer/olympic_destroyer.yml +++ b/datasets/malware/olympic_destroyer/olympic_destroyer.yml @@ -3,13 +3,11 @@ id: acb8ab82-94a3-11ec-961b-acde48001122 date: '2022-02-23' description: Generated datasets for olympic destroyer in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/security.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/olympic_destroyer/system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:system -- WinEventLog:Security -references: -- https://blog.talosintelligence.com/2018/02/olympic-destroyer.html \ No newline at end of file +directory: olympic_destroyer +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/olympic_destroyer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/prestige_ransomware/data.yml b/datasets/malware/prestige_ransomware/data.yml deleted file mode 100644 index e06c0b774..000000000 --- a/datasets/malware/prestige_ransomware/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: caf28c2c-8e27-4335-9bc2-4d3b31aa09b3 -date: '2025-08-12' -description: Automatically categorized datasets in directory prestige_ransomware -environment: attack_range -directory: prestige_ransomware -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/prestige_ransomware/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/prestige_ransomware/prestige_ransomware.yml b/datasets/malware/prestige_ransomware/prestige_ransomware.yml index 77e52606e..de4e87130 100644 --- a/datasets/malware/prestige_ransomware/prestige_ransomware.yml +++ b/datasets/malware/prestige_ransomware/prestige_ransomware.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: f8e41440-5e29-4478-a4e4-50937ba66f45 date: '2022-11-30' description: Generated datasets for prestige ransomware in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/prestige_ransomware/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: prestige_ransomware +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/prestige_ransomware/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/data.yml b/datasets/malware/qakbot/data.yml deleted file mode 100644 index f3d3118fd..000000000 --- a/datasets/malware/qakbot/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ed355916-9ae6-4710-bfe1-ba0bdd34792b -date: '2025-08-12' -description: Automatically categorized datasets in directory qakbot -environment: attack_range -directory: qakbot -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/qakbot/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qakbot.yml b/datasets/malware/qakbot/qakbot.yml index 822f3cd3a..6145eaa72 100644 --- a/datasets/malware/qakbot/qakbot.yml +++ b/datasets/malware/qakbot/qakbot.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 0ced1e29-5390-4a9a-bd97-6a09cb604a0d date: '2022-10-20' description: Generated datasets for qakbot in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot +environment: attack_range +directory: qakbot +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot2/data.yml b/datasets/malware/qakbot/qbot2/data.yml deleted file mode 100644 index 0c1c6fd64..000000000 --- a/datasets/malware/qakbot/qbot2/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 55d090b2-ff85-4936-a2eb-ed01406f595d -date: '2025-08-12' -description: Automatically categorized datasets in directory qbot2 -environment: attack_range -directory: qbot2 -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/qakbot/qbot2/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot2/qbot2.yml b/datasets/malware/qakbot/qbot2/qbot2.yml index 57f9f7e74..a0b6afa46 100644 --- a/datasets/malware/qakbot/qbot2/qbot2.yml +++ b/datasets/malware/qakbot/qbot2/qbot2.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: c3fb027f-b61d-4c24-a7db-923eb340d1fd date: '2022-10-24' description: Generated datasets for qbot2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot2/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ +environment: attack_range +directory: qbot2 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot2/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_3/data.yml b/datasets/malware/qakbot/qbot_3/data.yml deleted file mode 100644 index 119a7d228..000000000 --- a/datasets/malware/qakbot/qbot_3/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: b06bf290-3d5c-4248-b2ae-94e07c646192 -date: '2025-08-12' -description: Automatically categorized datasets in directory qbot_3 -environment: attack_range -directory: qbot_3 -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/qakbot/qbot_3/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_3/qbot_3.yml b/datasets/malware/qakbot/qbot_3/qbot_3.yml index 46d186dd6..aef76459b 100644 --- a/datasets/malware/qakbot/qbot_3/qbot_3.yml +++ b/datasets/malware/qakbot/qbot_3/qbot_3.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 3e8a23a9-237c-4bfc-9fce-926ff7af0d1b date: '2022-10-27' description: Generated datasets for qbot 3 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_3/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_3 +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/qakbot/qbot_3/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr/data.yml b/datasets/malware/qakbot/qbot_wermgr/data.yml deleted file mode 100644 index 74182a81d..000000000 --- a/datasets/malware/qakbot/qbot_wermgr/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d3d1656c-40ff-4a73-9894-d572bb4a88a6 -date: '2025-08-12' -description: Automatically categorized datasets in directory qbot_wermgr -environment: attack_range -directory: qbot_wermgr -mitre_technique: -- unknown -datasets: -- name: sysmon_wermgr - path: /datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml index a517cad75..03d9abd9e 100644 --- a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml +++ b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: c61b9839-5dc6-43e6-a743-8307aa995e18 date: '2022-10-27' description: Generated datasets for qbot wermgr in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_wermgr +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr + path: /datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr2/data.yml b/datasets/malware/qakbot/qbot_wermgr2/data.yml deleted file mode 100644 index 603003b77..000000000 --- a/datasets/malware/qakbot/qbot_wermgr2/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e21bf308-0966-4d84-98db-e1c5c5a66503 -date: '2025-08-12' -description: Automatically categorized datasets in directory qbot_wermgr2 -environment: attack_range -directory: qbot_wermgr2 -mitre_technique: -- unknown -datasets: -- name: sysmon_wermgr2 - path: /datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml index d901cc13d..7cc93a910 100644 --- a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml +++ b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 8b988b47-53f3-4152-b8c1-071bcafe672f date: '2022-10-27' description: Generated datasets for qbot wermgr2 in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/pr0xylife/status/1585612370441031680?s=46&t=Dc3CJi4AnM-8rNoacLbScg +environment: attack_range +directory: qbot_wermgr2 +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr2 + path: /datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/remote_thread/data.yml b/datasets/malware/qakbot/remote_thread/data.yml deleted file mode 100644 index 34a58cab0..000000000 --- a/datasets/malware/qakbot/remote_thread/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cb2cc98c-b7cd-4cab-9a5b-a6cd90902c76 -date: '2025-08-12' -description: Automatically categorized datasets in directory remote_thread -environment: attack_range -directory: remote_thread -mitre_technique: -- unknown -datasets: -- name: sysmon_wermgr_remote - path: /datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/qakbot/remote_thread/remote_thread.yml b/datasets/malware/qakbot/remote_thread/remote_thread.yml index a0c38ccf6..31a3b2557 100644 --- a/datasets/malware/qakbot/remote_thread/remote_thread.yml +++ b/datasets/malware/qakbot/remote_thread/remote_thread.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 04394a47-b925-4c07-9f4e-55f5ed6fe113 date: '2022-10-28' description: Generated datasets for remote thread in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/ +environment: attack_range +directory: remote_thread +mitre_technique: +- unknown +datasets: +- name: sysmon_wermgr_remote + path: /datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/redline/modify_registry/data.yml b/datasets/malware/redline/modify_registry/data.yml deleted file mode 100644 index d5a2cdf8e..000000000 --- a/datasets/malware/redline/modify_registry/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c1ec5665-aa8b-499b-9319-dd94c8321a9b -date: '2025-08-12' -description: Automatically categorized datasets in directory modify_registry -environment: attack_range -directory: modify_registry -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/redline/modify_registry/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/redline/modify_registry/modify_registry.yml b/datasets/malware/redline/modify_registry/modify_registry.yml index c28d952b6..e09debf29 100644 --- a/datasets/malware/redline/modify_registry/modify_registry.yml +++ b/datasets/malware/redline/modify_registry/modify_registry.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: d22bdc15-a39d-41ef-b718-0fe1959188e6 date: '2023-04-24' description: Generated datasets for modify registry in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/redline/modify_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer +environment: attack_range +directory: modify_registry +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/redline/modify_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos/data.yml b/datasets/malware/remcos/remcos/data.yml deleted file mode 100644 index affbfd1b5..000000000 --- a/datasets/malware/remcos/remcos/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9cc46179-1fd6-470e-b6f5-dbe2ebbc6fd6 -date: '2025-08-12' -description: Automatically categorized datasets in directory remcos -environment: attack_range -directory: remcos -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/remcos/remcos/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos/remcos.yml b/datasets/malware/remcos/remcos/remcos.yml index 6eac10c39..21f5718d3 100644 --- a/datasets/malware/remcos/remcos/remcos.yml +++ b/datasets/malware/remcos/remcos/remcos.yml @@ -3,7 +3,11 @@ id: e9a69082-58e2-47c4-b93b-d68ada5b7444 date: '2021-10-05' description: Remcos Sample -https://tria.ge/210929-ap75vsddan, https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_agent/data.yml b/datasets/malware/remcos/remcos_agent/data.yml deleted file mode 100644 index 920bab8fa..000000000 --- a/datasets/malware/remcos/remcos_agent/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 679039ca-936a-462f-99ee-409ae6dbe14c -date: '2025-08-12' -description: Automatically categorized datasets in directory remcos_agent -environment: attack_range -directory: remcos_agent -mitre_technique: -- unknown -datasets: -- name: sysmon_wav - path: /datasets/malware/remcos/remcos_agent/sysmon_wav.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/malware/remcos/remcos_agent/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_agent/remcos_agent.yml b/datasets/malware/remcos/remcos_agent/remcos_agent.yml index 6d8ab39e1..739a1b870 100644 --- a/datasets/malware/remcos/remcos_agent/remcos_agent.yml +++ b/datasets/malware/remcos/remcos_agent/remcos_agent.yml @@ -3,11 +3,15 @@ id: e9a69082-58e2-47c4-b93b-d68ada5b7444 date: '2021-09-22' description: remcos RAT agent data sets. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/sysmon_wav.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_agent/security.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog \ No newline at end of file +directory: remcos_agent +mitre_technique: +- unknown +datasets: +- name: sysmon_wav + path: /datasets/malware/remcos/remcos_agent/sysmon_wav.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_agent/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_dynwrapx/data.yml b/datasets/malware/remcos/remcos_dynwrapx/data.yml deleted file mode 100644 index c5e9d219e..000000000 --- a/datasets/malware/remcos/remcos_dynwrapx/data.yml +++ /dev/null @@ -1,21 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 52f9736e-39de-4d07-b9ff-0f333b199949 -date: '2025-08-12' -description: Automatically categorized datasets in directory remcos_dynwrapx -environment: attack_range -directory: remcos_dynwrapx -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon_dynwraper - path: /datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- name: sysmon - path: /datasets/malware/remcos/remcos_dynwrapx/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml index 9f23b9b8d..0076e62c1 100644 --- a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml +++ b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml @@ -1,12 +1,21 @@ author: Teoderick Contreras id: 8cbe30d9-0a2e-43e4-b07f-2a8a3dd402b9 date: '2021-11-18' -description: 'simulated remcos script loading dynwrapx.dll for shellcode execution' +description: simulated remcos script loading dynwrapx.dll for shellcode execution environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log - -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos_dynwrapx +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_dynwraper + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon_dynwraper.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon + path: /datasets/malware/remcos/remcos_dynwrapx/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_pastebin_download/data.yml b/datasets/malware/remcos/remcos_pastebin_download/data.yml deleted file mode 100644 index ffac0989c..000000000 --- a/datasets/malware/remcos/remcos_pastebin_download/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: e9cbc26f-1c8c-46ab-a5b0-3470a2abd621 -date: '2025-08-12' -description: Automatically categorized datasets in directory remcos_pastebin_download -environment: attack_range -directory: remcos_pastebin_download -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/remcos/remcos_pastebin_download/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml index f2b899a22..3f7f515f7 100644 --- a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml +++ b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml @@ -1,9 +1,13 @@ author: Teoderick Contreras id: 22ee6dae-30e6-44a4-affc-88b070d96c20 date: '2021-11-18' -description: 'simulated remcos script download malicious stager in pastebin or discord.' +description: simulated remcos script download malicious stager in pastebin or discord. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_pastebin_download/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file +directory: remcos_pastebin_download +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_pastebin_download/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_registry/data.yml b/datasets/malware/remcos/remcos_registry/data.yml deleted file mode 100644 index 3dc9883bb..000000000 --- a/datasets/malware/remcos/remcos_registry/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: ec0b4102-04fb-4148-988a-c2452c5f8cbd -date: '2025-08-12' -description: Automatically categorized datasets in directory remcos_registry -environment: attack_range -directory: remcos_registry -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/remcos/remcos_registry/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/remcos/remcos_registry/remcos_registry.yml b/datasets/malware/remcos/remcos_registry/remcos_registry.yml index c7c0ed530..589aa281c 100644 --- a/datasets/malware/remcos/remcos_registry/remcos_registry.yml +++ b/datasets/malware/remcos/remcos_registry/remcos_registry.yml @@ -3,9 +3,11 @@ id: dfcbf9ec-a8ef-11ec-871d-acde48001122 date: '2022-03-21' description: Generated datasets for remcos registry in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/remcos/remcos_registry/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://blog.malwarebytes.com/threat-intelligence/2021/07/remcos-rat-delivered-via-visual-basic/ \ No newline at end of file +directory: remcos_registry +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/remcos/remcos_registry/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/msmpeng_side/data.yml b/datasets/malware/revil/msmpeng_side/data.yml deleted file mode 100644 index 4046249c5..000000000 --- a/datasets/malware/revil/msmpeng_side/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: cdb59580-27e5-4981-967d-787c294a197a -date: '2025-08-12' -description: Automatically categorized datasets in directory msmpeng_side -environment: attack_range -directory: msmpeng_side -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/revil/msmpeng_side/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml index 18ee639f8..a49929ba1 100644 --- a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml +++ b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml @@ -3,10 +3,11 @@ id: cc9b266d-efc9-11eb-926b-550bf0943fbb date: '2021-07-05' description: side loading dll to load evil ransomware using msmpeng.exe application environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/pwh_defender_disabling/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1562/001 -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md +directory: msmpeng_side +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/revil/msmpeng_side/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ryuk/data.yml b/datasets/malware/ryuk/data.yml deleted file mode 100644 index 6b8c9c503..000000000 --- a/datasets/malware/ryuk/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f7c6917e-9802-4aa3-8827-5eea353e3718 -date: '2025-08-12' -description: Automatically categorized datasets in directory ryuk -environment: attack_range -directory: ryuk -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/ryuk/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/ryuk/ryuk.yml b/datasets/malware/ryuk/ryuk.yml index 1dcc02e99..83ae8b94e 100644 --- a/datasets/malware/ryuk/ryuk.yml +++ b/datasets/malware/ryuk/ryuk.yml @@ -3,10 +3,11 @@ id: cc9b2671-efc9-11eb-926b-550bf0943fbb date: '2020-11-30' description: Execution of ryuk malware on Windows 10 endpoint. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/ryuk/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ -- https://www.malwarebytes.com/ryuk-ransomware/ +directory: ryuk +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/ryuk/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/snakemalware/snake.yml b/datasets/malware/snakemalware/snake.yml deleted file mode 100644 index bed95e706..000000000 --- a/datasets/malware/snakemalware/snake.yml +++ /dev/null @@ -1,15 +0,0 @@ -author: Michael Haag -id: cef7f8d2-10bb-49ff-ba67-4dc25f927e86 -date: '2023-05-11' -description: Simulation of Snake Malware endpoint artifacts. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/comadmin_windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_crmlog-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake_malware_regblob-windows-sysmon.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/snakemalware/snake-service-windows-system.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- WinEventLog:System -references: -- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF diff --git a/datasets/malware/snakemalware/data.yml b/datasets/malware/snakemalware/snakemalware.yml similarity index 83% rename from datasets/malware/snakemalware/data.yml rename to datasets/malware/snakemalware/snakemalware.yml index c3b9d520e..35ac5dbd8 100644 --- a/datasets/malware/snakemalware/data.yml +++ b/datasets/malware/snakemalware/snakemalware.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: aa8e0ddb-5a15-4c51-8144-b8e7376885d9 -date: '2025-08-12' -description: Automatically categorized datasets in directory snakemalware +author: Michael Haag +id: cef7f8d2-10bb-49ff-ba67-4dc25f927e86 +date: '2023-05-11' +description: Simulation of Snake Malware endpoint artifacts. environment: attack_range directory: snakemalware mitre_technique: diff --git a/datasets/malware/swift_slicer/data.yml b/datasets/malware/swift_slicer/data.yml deleted file mode 100644 index bdcfd7b7f..000000000 --- a/datasets/malware/swift_slicer/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 00309112-e1aa-46be-b58f-b63b5e1c6c81 -date: '2025-08-12' -description: Automatically categorized datasets in directory swift_slicer -environment: attack_range -directory: swift_slicer -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/swift_slicer/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/swift_slicer/swift_slicer.yml b/datasets/malware/swift_slicer/swift_slicer.yml index 14b94553e..090600be9 100644 --- a/datasets/malware/swift_slicer/swift_slicer.yml +++ b/datasets/malware/swift_slicer/swift_slicer.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: fc0e1d4d-d8e7-4007-bd29-a0d05384d4cc date: '2023-02-02' description: Generated datasets for swift slicer in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/swift_slicer/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ +environment: attack_range +directory: swift_slicer +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/swift_slicer/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/spear_phish/data.yml b/datasets/malware/trickbot/spear_phish/data.yml deleted file mode 100644 index f0db4052a..000000000 --- a/datasets/malware/trickbot/spear_phish/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: a3884890-e6a1-4fb5-a8ca-8e7f1cd4ced1 -date: '2025-08-12' -description: Automatically categorized datasets in directory spear_phish -environment: attack_range -directory: spear_phish -mitre_technique: -- unknown -datasets: -- name: windows-sysmon - path: /datasets/malware/trickbot/spear_phish/windows-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/trickbot/spear_phish/spear_phish.yml b/datasets/malware/trickbot/spear_phish/spear_phish.yml index cee7869b6..b1e835989 100644 --- a/datasets/malware/trickbot/spear_phish/spear_phish.yml +++ b/datasets/malware/trickbot/spear_phish/spear_phish.yml @@ -4,9 +4,11 @@ date: '2021-07-19' description: Spear Phishing Technique of trickbot using regsvr32, mshta, office product and rundll32.. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/trickbot/spear_phish/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://twitter.com/cyb3rops/status/1416050325870587910?s=21 +directory: spear_phish +mitre_technique: +- unknown +datasets: +- name: windows-sysmon + path: /datasets/malware/trickbot/spear_phish/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/vilsel/vilse.yml b/datasets/malware/vilsel/vilse.yml deleted file mode 100644 index b9cd654d8..000000000 --- a/datasets/malware/vilsel/vilse.yml +++ /dev/null @@ -1,9 +0,0 @@ -author: Teoderick Contreras -id: a8d7ae24-f24b-4913-a8d8-9db9794175ad -date: '2021-11-12' -description: simulated ioc from vilsel malware. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/malware/vilsel/data.yml b/datasets/malware/vilsel/vilsel.yml similarity index 68% rename from datasets/malware/vilsel/data.yml rename to datasets/malware/vilsel/vilsel.yml index 925ee155c..8ea88a5f7 100644 --- a/datasets/malware/vilsel/data.yml +++ b/datasets/malware/vilsel/vilsel.yml @@ -1,7 +1,7 @@ -author: Generated by dataset_analyzer.py -id: cdf3ca88-386a-4e0b-8bdc-bf9fb3d8f954 -date: '2025-08-12' -description: Automatically categorized datasets in directory vilsel +author: Teoderick Contreras +id: a8d7ae24-f24b-4913-a8d8-9db9794175ad +date: '2021-11-12' +description: simulated ioc from vilsel malware. environment: attack_range directory: vilsel mitre_technique: diff --git a/datasets/malware/winpeas/data.yml b/datasets/malware/winpeas/data.yml deleted file mode 100644 index f8ab21f1f..000000000 --- a/datasets/malware/winpeas/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 37287379-35fc-42c5-ae44-93be3a2d56ce -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas -environment: attack_range -directory: winpeas -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/winpeas/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/powershell/data.yml b/datasets/malware/winpeas/powershell/data.yml deleted file mode 100644 index 22c30cdb0..000000000 --- a/datasets/malware/winpeas/powershell/data.yml +++ /dev/null @@ -1,17 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 0250c2e0-5319-4c34-bb07-96ee3e073478 -date: '2025-08-12' -description: Automatically categorized datasets in directory powershell -environment: attack_range -directory: powershell -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/malware/winpeas/powershell/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -- name: windows-powershell-xml2 - path: /datasets/malware/winpeas/powershell/windows-powershell-xml2.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winpeas/powershell/powershell.yml b/datasets/malware/winpeas/powershell/powershell.yml index af75c80e3..44f96d585 100644 --- a/datasets/malware/winpeas/powershell/powershell.yml +++ b/datasets/malware/winpeas/powershell/powershell.yml @@ -2,10 +2,16 @@ author: Teoderick Contreras, Splunk id: 43ba5a2c-de77-43c4-818f-ea7239e78dbc date: '2022-12-01' description: Generated datasets for powershell in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/powershell/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: powershell +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winpeas/powershell/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational +- name: windows-powershell-xml2 + path: /datasets/malware/winpeas/powershell/windows-powershell-xml2.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winpeas/winpeas.yml b/datasets/malware/winpeas/winpeas.yml index c74bce219..3917b656c 100644 --- a/datasets/malware/winpeas/winpeas.yml +++ b/datasets/malware/winpeas/winpeas.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 76ff87b3-e383-42a3-a1a0-15f97e414b97 date: '2022-12-01' description: Generated datasets for winpeas in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/winpeas/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml b/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml deleted file mode 100644 index 2652a8445..000000000 --- a/datasets/malware/winpeas/winpeas_cmdkeylist/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9fa6376e-abde-4b50-9772-9eb598d26b07 -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas_cmdkeylist -environment: attack_range -directory: winpeas_cmdkeylist -mitre_technique: -- unknown -datasets: -- name: cmdkey-sysmon - path: /datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml index f89fd2d7a..f50a4aa03 100644 --- a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml +++ b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 0ee6da63-312c-4bc3-82fd-1814f4e39db3 date: '2022-12-01' description: Generated datasets for winpeas cmdkeylist in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_cmdkeylist +mitre_technique: +- unknown +datasets: +- name: cmdkey-sysmon + path: /datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_fsutil/data.yml b/datasets/malware/winpeas/winpeas_fsutil/data.yml deleted file mode 100644 index ae16df2e0..000000000 --- a/datasets/malware/winpeas/winpeas_fsutil/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 8e39b5c9-5029-4316-a71c-b8f2eddd65af -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas_fsutil -environment: attack_range -directory: winpeas_fsutil -mitre_technique: -- unknown -datasets: -- name: fsutil-fsinfo-sysmon - path: /datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml index 99c0200f5..5d803297f 100644 --- a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml +++ b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 39b35e91-b3a6-4e07-8025-bd207b6fd433 date: '2022-12-01' description: Generated datasets for winpeas fsutil in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_fsutil +mitre_technique: +- unknown +datasets: +- name: fsutil-fsinfo-sysmon + path: /datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_private_key/data.yml b/datasets/malware/winpeas/winpeas_search_private_key/data.yml deleted file mode 100644 index 9ea4a80c9..000000000 --- a/datasets/malware/winpeas/winpeas_search_private_key/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 9103a09a-2a18-4684-a12d-1a9da9bd95c9 -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas_search_private_key -environment: attack_range -directory: winpeas_search_private_key -mitre_technique: -- unknown -datasets: -- name: dir-private-sysmon - path: /datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml index d503362e3..e15d06ab4 100644 --- a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml +++ b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: dc44c54e-8c73-4352-a55b-d7e97e7e83b2 date: '2022-12-01' description: Generated datasets for winpeas search private key in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_private_key +mitre_technique: +- unknown +datasets: +- name: dir-private-sysmon + path: /datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd/data.yml b/datasets/malware/winpeas/winpeas_search_pwd/data.yml deleted file mode 100644 index 7954eacaa..000000000 --- a/datasets/malware/winpeas/winpeas_search_pwd/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: f83c84fd-9e69-4f6b-9864-cdf8abab4c5b -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas_search_pwd -environment: attack_range -directory: winpeas_search_pwd -mitre_technique: -- unknown -datasets: -- name: query-putty-sysmon - path: /datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml index 48348f7c6..07d87a1d1 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 6a758cd5-24c2-4008-9e59-8e90c8eb5e94 date: '2022-12-01' description: Generated datasets for winpeas search pwd in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_pwd +mitre_technique: +- unknown +datasets: +- name: query-putty-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml b/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml deleted file mode 100644 index 7b71dbbd4..000000000 --- a/datasets/malware/winpeas/winpeas_search_pwd_db/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: bacd1013-9944-4e34-a832-c998a0bfe57f -date: '2025-08-12' -description: Automatically categorized datasets in directory winpeas_search_pwd_db -environment: attack_range -directory: winpeas_search_pwd_db -mitre_technique: -- unknown -datasets: -- name: dir-db-sysmon - path: /datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml index ee29e41f6..1b9d39886 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 0e7d9bf7-a6d8-44df-a137-1a3f27b05cfb date: '2022-12-01' description: Generated datasets for winpeas search pwd db in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ +environment: attack_range +directory: winpeas_search_pwd_db +mitre_technique: +- unknown +datasets: +- name: dir-db-sysmon + path: /datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winter-vivern/pwh_exfiltration/data.yml b/datasets/malware/winter-vivern/pwh_exfiltration/data.yml deleted file mode 100644 index e414a39f6..000000000 --- a/datasets/malware/winter-vivern/pwh_exfiltration/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d0187188-8f9b-4d20-9937-623fe7efbfd7 -date: '2025-08-12' -description: Automatically categorized datasets in directory pwh_exfiltration -environment: attack_range -directory: pwh_exfiltration -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml index d7cf41337..2d66c0cff 100644 --- a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml +++ b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: b2602a30-e0a9-4ab9-b770-54faed4bf0d4 date: '2023-02-21' description: Generated datasets for pwh exfiltration in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: pwh_exfiltration +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/pwh_uploadstring/data.yml b/datasets/malware/winter-vivern/pwh_uploadstring/data.yml deleted file mode 100644 index 2e3aba3d8..000000000 --- a/datasets/malware/winter-vivern/pwh_uploadstring/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 973b0e6e-b7e1-43d2-96b4-09ed980dd680 -date: '2025-08-12' -description: Automatically categorized datasets in directory pwh_uploadstring -environment: attack_range -directory: pwh_uploadstring -mitre_technique: -- unknown -datasets: -- name: windows-powershell-xml - path: /datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml index af450f454..b402c0069 100644 --- a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml +++ b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 9614341e-a5ee-4b30-8ca2-648438d13a3f date: '2023-02-21' description: Generated datasets for pwh uploadstring in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: pwh_uploadstring +mitre_technique: +- unknown +datasets: +- name: windows-powershell-xml + path: /datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/malware/winter-vivern/scheduledtask/data.yml b/datasets/malware/winter-vivern/scheduledtask/data.yml deleted file mode 100644 index 6a113f49c..000000000 --- a/datasets/malware/winter-vivern/scheduledtask/data.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Generated by dataset_analyzer.py -id: d1f08808-6d55-4b49-a474-3eaebc198b72 -date: '2025-08-12' -description: Automatically categorized datasets in directory scheduledtask -environment: attack_range -directory: scheduledtask -mitre_technique: -- unknown -datasets: -- name: sysmon - path: /datasets/malware/winter-vivern/scheduledtask/sysmon.log - sourcetype: XmlWinEventLog - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml index 9760e43b5..54baacde2 100644 --- a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml +++ b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: 10c0003d-f2dc-4b79-a388-6d7382879412 date: '2023-02-21' description: Generated datasets for scheduledtask in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/winter-vivern/scheduledtask/sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://cert.gov.ua/article/3761104 +environment: attack_range +directory: scheduledtask +mitre_technique: +- unknown +datasets: +- name: sysmon + path: /datasets/malware/winter-vivern/scheduledtask/sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational From 779af007406fd667c4bba0abbda08ebfbc13f98e Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Wed, 13 Aug 2025 10:11:06 +0200 Subject: [PATCH 11/18] Better dataset format for data yml files --- bin/dataset_schema.json | 3 + bin/requirements.txt | 2 +- bin/validate.py | 299 ++++++++++++++++++ .../hivenightmare/atomic_red_team.yml | 14 - .../{powerview.yml => powerview_old.yml} | 0 .../{powerview.yml => powerview_old.yml} | 0 ...etadcomputer.yml => getadcomputer_old.yml} | 0 .../atomic_red_team/atomic_red_team.yml | 3 +- .../atomic_red_team/atomic_red_team.yml | 14 +- .../compmgtm_access/compmgtm_access.yml | 14 +- .../wirm_execute_shell/wirm_execute_shell.yml | 14 +- .../wsman_trustedhost/wsman_trustedhost.yml | 16 +- ....yml => illegal_access_to_content_old.yml} | 0 ... => njrat_fileless_registry_entry_old.yml} | 0 ...xecution.yml => rar_sfx_execution_old.yml} | 0 ...e_usage.yml => query_remote_usage_old.yml} | 0 ...t.yml => suspicious_spawn_svchost_old.yml} | 0 ...ide.yml => right_to_left_override_old.yml} | 0 ...ershell.yml => renamed_powershell_old.yml} | 0 ...ata.yml => process_in_programdata_old.yml} | 0 ...ml => 32bit_process_execute_64bit_old.yml} | 0 ...bas_usage.yml => cmd_lolbas_usage_old.yml} | 0 ...ecution.yml => debugger_execution_old.yml} | 0 ... executables_suspicious_file_path_old.yml} | 0 ...emp_path.yml => process_temp_path_old.yml} | 0 ...ocess_running_unexpected_location_old.yml} | 0 .../ssltls/{ssltls.yml => ssltls_old.yml} | 0 .../{zeek_ssl.yml => zeek_ssl_old.yml} | 0 .../T1046/nmap/{nmap.yml => nmap_old.yml} | 0 ...pen_dns_port.yml => open_dns_port_old.yml} | 0 ...overy.yml => open_ports_discovery_old.yml} | 0 ..._task.yml => hidden_schedule_task_old.yml} | 0 ...{taskschd_dll.yml => taskschd_dll_old.yml} | 0 ...edtask.yml => valleyrat_schedtask_old.yml} | 0 ....yml => non-service-searchindexer_old.yml} | 0 .../{splunkd.yml => splunkd_old.yml} | 0 .../powershell_script_block_logging.yml | 3 +- ...{amos_stealer.yml => amos_stealer_old.yml} | 0 ...md_arguments.yml => cmd_arguments_old.yml} | 0 ...history.yml => delete_pwh_history_old.yml} | 0 .../{browsers.yml => browsers_old.yml} | 0 .../office/{office.yml => office_old.yml} | 0 ...cmd_line.yml => unusally_cmd_line_old.yml} | 0 ...{macos_lolbin.yml => macos_lolbin_old.yml} | 0 .../{ms_defender.yml => ms_defender_old.yml} | 0 ...fic.yml => log4shell_ldap_traffic_old.yml} | 0 ...ocesses.yml => taskhost_processes_old.yml} | 0 ...ses.yml => windows_temp_processes_old.yml} | 0 ...handlers.yml => protocol_handlers_old.yml} | 0 ...andline.yml => abused_commandline_old.yml} | 0 .../{pkexec_lpe.yml => pkexec_lpe_old.yml} | 0 ...in_check.yml => njrat_admin_check_old.yml} | 0 ...ed.yml => windows_pwh_log_cleared_old.yml} | 0 ...l => ConsoleHost_History_deletion_old.yml} | 0 .../cipher/{cipher.yml => cipher_old.yml} | 0 ...etion.yml => illegal_log_deletion_old.yml} | 0 ...yml => rmdir_delete_files_and_dir_old.yml} | 0 .../intune/{intune.yml => intune_old.yml} | 0 ...ccount_login.yml => account_login_old.yml} | 0 ...g.yml => samaaccountname_spoofing_old.yml} | 0 ...ws_login_sfa.yml => aws_login_sfa_old.yml} | 0 .../okta_single_factor_auth.yml | 2 +- ...saml.yml => assume_role_with_saml_old.yml} | 0 ...y.yml => attach_role_trust_policy_old.yml} | 0 ...o_role.yml => attach_user_to_role_old.yml} | 0 ..._access_by_provider_user_and_principal.yml | 5 +- ...e_IAM_role.yml => create_IAM_role_old.yml} | 0 ...=> gcploit_exploitation_framework_old.yml} | 0 ... high_risk_permission_by_resource_old.yml} | 0 ....yml => high_risk_role_by_project_old.yml} | 0 .../{audittrail.yml => audittrail_old.yml} | 0 ...usage.yml => sts_assumerole_usage_old.yml} | 0 .../attack_techniques/T1083/splunk/data.yml | 12 - ...=> aws_invoke_model_access_denied_old.yml} | 0 ...iew_get_netuser_preauthnotrequire_old.yml} | 0 ...or_allowed.yml => pan_tor_allowed_old.yml} | 0 .../{disable_rdp.yml => disable_rdp_old.yml} | 0 ...ation_impersonation_role_assigned_old.yml} | 0 ...full_access_as_app_permission_assigned.yml | 3 +- ...full_access_as_app_permission_assigned.yml | 3 +- ...ange.yml => linux_password_change_old.yml} | 0 ...m_api_cli.yml => telegram_api_cli_old.yml} | 0 ...m_api_dns.yml => telegram_api_dns_old.yml} | 0 ...ion.yml => njrat_ngrok_connection_old.yml} | 0 ...ns_query.yml => tinyurl_dns_query_old.yml} | 0 ...gin_failures_from_a_single_source_old.yml} | 0 ... aws_multiple_login_fail_per_user_old.yml} | 0 ...tack.yml => password_spray_attack_old.yml} | 0 ...bruteforce.yml => ntlm_bruteforce_old.yml} | 0 .../okta_multiple_users_from_ip.yml | 2 +- ...rplesharp_disabled_users_kerberos_old.yml} | 0 ...lesharp_explicit_credential_spray_old.yml} | 0 ...plesharp_explicit_credential_spray_xml.yml | 2 +- ...urplesharp_invalid_users_kerberos_old.yml} | 0 ...=> purplesharp_invalid_users_ntlm_old.yml} | 0 ...sharp_multiple_users_from_process_old.yml} | 0 ...y.yml => purplesharp_remote_spray_old.yml} | 0 ... purplesharp_valid_users_kerberos_old.yml} | 0 ...l => purplesharp_valid_users_ntlm_old.yml} | 0 ... => DisableRemoteDesktopAntiAlias_old.yml} | 0 .../T1112/{T1112.yml => T1112_old.yml} | 0 ...yml => bitlocker_registry_setting_old.yml} | 0 .../{disable_rdp.yml => disable_rdp_old.yml} | 0 .../firewall_modify_delete.yml | 6 +- ...{kingsoft_reg.yml => kingsoft_reg_old.yml} | 0 ...y.yml => njrat_md5_registry_entry_old.yml} | 0 ...aper.yml => no_changing_wallpaper_old.yml} | 0 ...{proxy_enable.yml => proxy_enable_old.yml} | 0 ...{proxy_server.yml => proxy_server_old.yml} | 0 .../pwn_reg/{pwn_reg.yml => pwn_reg_old.yml} | 0 ...cy.yml => smart_card_group_policy_old.yml} | 0 ...est_registry.yml => test_registry_old.yml} | 0 ..._c2_reg2.yml => valleyrat_c2_reg2_old.yml} | 0 ..._dontshowui.yml => wer_dontshowui_old.yml} | 0 ... => windows_mod_reg_risk_behavior_old.yml} | 0 ...reenshot.yml => braodo_screenshot_old.yml} | 0 ...65_multiple_mailboxes_accessed_via_api.yml | 3 +- ...l => suspicious_rights_delegation_old.yml} | 0 ...ange.yml => transport_rule_change_old.yml} | 0 ...c_red_team.yml => atomic_red_team_old.yml} | 0 ...atasync.yml => aws_exfil_datasync_old.yml} | 0 ....yml => executable_shared_modules_old.yml} | 0 ...vices.yml => rdp_terminalservices_old.yml} | 0 ...yml => explorer_root_proc_cmdline_old.yml} | 0 .../net_share_discovery_via_dir.yml | 6 +- ...reate_user.yml => net_create_user_old.yml} | 0 ...ad_multiple_service_principals_created.yml | 2 +- ...65_multiple_service_principals_created.yml | 2 +- ...w_user.yml => linux_unix_new_user_old.yml} | 0 ...xtension.yml => disable_extension_old.yml} | 0 ...s_browser.yml => headless_browser_old.yml} | 0 .../attack_techniques/T1189/splunk/splunk.yml | 24 -- datasets/attack_techniques/T1189/xss/xss.yml | 13 - .../T1190/adobe/{adobe.yml => adobe_old.yml} | 0 .../{ciscoiosxe.yml => ciscoiosxe_old.yml} | 0 .../attack_techniques/T1190/citrix/citrix.yml | 4 +- .../T1190/confluence/confluence.yml | 3 + .../T1190/f5/{f5.yml => f5_old.yml} | 0 .../{fortigate.yml => fortigate_old.yml} | 0 .../attack_techniques/T1190/ivanti/ivanti.yml | 4 +- .../attack_techniques/T1190/java/java.yml | 1 + .../T1190/jenkins/jenkins.yml | 1 + .../{jetbrains.yml => jetbrains_old.yml} | 0 ...rk_logs.yml => log4j_network_logs_old.yml} | 0 ...roxy_logs.yml => log4j_proxy_logs_old.yml} | 0 .../T1190/magento/magento.yml | 12 - .../moveit/{moveit.yml => moveit_old.yml} | 0 .../{bro_conn.yml => bro_conn_old.yml} | 0 .../attack_techniques/T1190/pswa/pswa.yml | 12 - .../T1190/screenconnect/screenconnect.yml | 1 + .../T1190/sharepoint/sharepoint.yml | 3 +- .../attack_techniques/T1190/splunk/splunk.yml | 16 - .../T1190/spring4shell/spring4shell.yml | 3 +- .../T1190/text4shell/text4shell.yml | 3 +- .../attack_techniques/T1190/tomcat/tomcat.yml | 5 +- .../vmware/{vmware.yml => vmware_old.yml} | 0 .../{wordpress.yml => wordpress_old.yml} | 0 .../ws_ftp/{ws_ftp.yml => ws_ftp_old.yml} | 0 ...equest.yml => github_pull_request_old.yml} | 0 ... => github_security_advisor_alert_old.yml} | 0 ...actions_disable_security_workflow_old.yml} | 0 ..._master.yml => github_push_master_old.yml} | 0 ...policy.yml => aws_password_policy_old.yml} | 0 ...be_audit_create_node_port_service_old.yml} | 0 .../attack_techniques/T1210/splunk/data.yml | 22 -- .../kubernetes_nginx_lfi_attack.yml | 1 + .../kuberntest_nginx_rfi_attack.yml | 1 + .../{audittrail.yml => audittrail_old.yml} | 0 ..._lib_loaded.yml => moz_lib_loaded_old.yml} | 0 ...ml => msiexec-hidewindow-rundll32_old.yml} | 0 ...tem.yml => update_per_user_system_old.yml} | 0 .../T1218/bitlockertogo/bitlockertogo.yml | 2 +- .../T1218/eviltwin/eviltwin.yml | 2 +- ...fftheland.yml => livingofftheland_old.yml} | 0 ...ml => lolbas_with_network_traffic_old.yml} | 0 .../T1219/atomic_red_team/atomic_red_team.yml | 2 +- .../T1219/screenconnect/screenconnect.yml | 2 +- ...ttrib_hidden.yml => attrib_hidden_old.yml} | 0 ...ritance.yml => icacls_inheritance_old.yml} | 0 ...yml => domain_policy_modification_old.yml} | 0 ....yml => aws_delete_knowledge_base_old.yml} | 0 .../decommissioned_buckets.yml | 3 +- ...nds.yml => bitlocker_sus_commands_old.yml} | 0 ...e_csrf.yml => splunk_kvstore_csrf_old.yml} | 0 ...age.yml => process_high_cpu_usage_old.yml} | 0 ...age.yml => process_high_mem_usage_old.yml} | 0 ...=> njrat_ping_delay_before_delete_old.yml} | 0 ...ml => time_delay_using_choice_exe_old.yml} | 0 ...o_sandbox.yml => chrom_no_sandbox_old.yml} | 0 ...xer_dos.yml => splunk_indexer_dos_old.yml} | 0 ...2024.yml => splunk_vulns_jan_2024_old.yml} | 0 ... => splunk_zip_bomb_vulnerability_old.yml} | 0 ... detect_webshell_exploit_behavior_old.yml} | 0 ..._implant.yml => container_implant_old.yml} | 0 ...ml => aws_exfil_high_no_getobject_old.yml} | 0 ...ser.yml => linux_unix_delete_user_old.yml} | 0 ...{log_off_user.yml => log_off_user_old.yml} | 0 ...ml => powershell_log_process_tree_old.yml} | 0 ...l => high_copy_files_in_net_share_old.yml} | 0 .../okta_web_session_multiple_ip.yml | 2 +- .../{krbrelayup.yml => krbrelayup_old.yml} | 0 ... lateral_movement_suspicious_path_old.yml} | 0 ...buse.yml => compattelrunner_abuse_old.yml} | 0 .../atomic_red_team/atomic_red_team.yml | 2 +- ...c_red_team.yml => atomic_red_team_old.yml} | 0 ...nf.yml => linux_audited_doas_conf_old.yml} | 0 ...ol.yml => abuse_elevation_control_old.yml} | 0 .../{linux_risk.yml => linux_risk_old.yml} | 0 ...ta.yml => extracts_from_real_data_old.yml} | 0 .../{impacket.yml => impacket_old.yml} | 0 ...sage.yml => netexec_toolkit_usage_old.yml} | 0 ...xml_config.yml => file_xml_config_old.yml} | 0 ...age.yml => ie_intelliform_storage_old.yml} | 0 ...rtutil_exe_certificate_extraction_old.yml} | 0 ...y.yml => powershell_gpp_discovery_old.yml} | 0 ...cret.yml => kube_audit_get_secret_old.yml} | 0 ...akey_keylogger_outlook_reg_access_old.yml} | 0 ....yml => windows_post_exploitation_old.yml} | 0 ...ass.yml => mark_of_the_web_bypass_old.yml} | 0 ...=> circle_ci_disable_security_job_old.yml} | 0 ...> circle_ci_disable_security_step_old.yml} | 0 ...l => browser_credential_info_temp_old.yml} | 0 ...ltcli_creds.yml => vaultcli_creds_old.yml} | 0 ...ml => applying_stolen_credentials_old.yml} | 0 ...=> cmdkey_create_credential_store_old.yml} | 0 ...> cmdkey_delete_credentials_store_old.yml} | 0 .../atomic_red_team/atomic_red_team.yml | 2 +- .../{cisco_ios.yml => cisco_ios_old.yml} | 0 .../{impacket.yml => impacket_old.yml} | 0 .../{impacket.yml => impacket_old.yml} | 0 .../{getaduser.yml => getaduser_old.yml} | 0 .../{powerview.yml => powerview_old.yml} | 0 .../{krbrelayup.yml => krbrelayup_old.yml} | 0 ...nymous_pipe.yml => anonymous_pipe_old.yml} | 0 ...rchive_tools.yml => archive_tools_old.yml} | 0 ...e.yml => archive_utility_darkgate_old.yml} | 0 ...p_dir.yml => archived_in_temp_dir_old.yml} | 0 ...archive.yml => powershell_archive_old.yml} | 0 ...> cisco_secure_endpoint_tampering_old.yml} | 0 ..._defender_operational_wineventlog_old.yml} | 0 ... => defender_exclusion_powershell_old.yml} | 0 ..._defender_operational_wineventlog_old.yml} | 0 ...r_pwsh.yml => rmdir_defender_pwsh_old.yml} | 0 .../{taskkill.yml => taskkill_old.yml} | 0 ...l_browser.yml => taskkill_browser_old.yml} | 0 .../{added_rule.yml => added_rule_old.yml} | 0 .../{delete_rule.yml => delete_rule_old.yml} | 0 ...n_event.yml => firewall_win_event_old.yml} | 0 .../{modify_rule.yml => modify_rule_old.yml} | 0 .../njrat_add_firewall_rule.yml | 3 +- .../njrat_delete_firewall.yml | 3 +- ...w_bypass.yml => dotnet_etw_bypass_old.yml} | 0 ... => aws_bedrock_delete_guardrails_old.yml} | 0 ...k_delete_model_invocation_logging_old.yml} | 0 ...emon_end.yml => auditd_daemon_end_old.yml} | 0 .../{applocker.yml => applocker_old.yml} | 0 ...all.yml => disable_linux_firewall_old.yml} | 0 .../{headless.yml => headless_old.yml} | 0 .../attack_techniques/T1564.008/o365/o365.yml | 2 +- ...are.yml => gdrive_susp_file_share_old.yml} | 0 ....yml => spearphishing_attachments_old.yml} | 0 ...ed_dll.yml => outlook_dropped_dll_old.yml} | 0 ...e_drive.yml => gsuite_share_drive_old.yml} | 0 .../web_upload_nginx/web_upload_nginx.yml | 1 + ...ol.yml => illegal_service_control_old.yml} | 0 .../atomic_red_team/atomic_red_team.yml | 2 +- ...modules.yml => svr_loaded_modules_old.yml} | 0 ...dll_load.yml => unsigned_dll_load_old.yml} | 0 ...gned_dll_loaded_same_process_path_old.yml} | 0 ...ck_list_foundation_model_failures_old.yml} | 0 .../data.yml | 3 +- .../T1580/{aws_iam.yml => aws_iam_old.yml} | 0 ...n.yml => illegal_account_creation_old.yml} | 0 ...=> aws_console_login_multiple_ips_old.yml} | 0 .../{splunkd.yml => splunkd_old.yml} | 0 .../{kerbrute.yml => kerbrute_old.yml} | 0 ..._failed_mfa.yml => aws_failed_mfa_old.yml} | 0 ...c_red_team.yml => atomic_red_team_old.yml} | 0 ...ation.yml => eventlog_enumeration_old.yml} | 0 .../active_setup_stubpath.yml | 2 +- .../host_info_dxdiag/host_info_dxdiag.yml | 2 +- .../t1592/pwh_av_recon/pwh_av_recon.yml | 2 +- ...{nvm_flowdata.yml => nvm_flowdata_old.yml} | 0 ...n_events.yml => connection_events_old.yml} | 0 .../{file_events.yml => file_events_old.yml} | 0 ...on_events.yml => intrusion_events_old.yml} | 0 ...vents.yml => lumma_stealer_events_old.yml} | 0 datasets/malware/acidrain/acidrain.yml | 3 +- .../agent_tesla_ftp/agent_tesla_ftp.yml | 2 - .../agent_tesla_smtp/agent_tesla_smtp.yml | 2 - .../agent_tesla_tor_dns_query.yml | 2 - .../chm_powershell/chm_powershell.yml | 2 - .../access_permission/access_permission.yml | 2 - ...{shell_regrun.yml => shell_regrun_old.yml} | 0 datasets/malware/awfulshred/test1/test1.yml | 2 - datasets/malware/awfulshred/test2/test2.yml | 2 - datasets/malware/awfulshred/test3/test3.yml | 2 - datasets/malware/azorult/azorult.yml | 2 - .../brute_duplicate_token.yml | 2 - .../create_remote_thread.yml | 2 - .../iso_version_dll_campaign.yml | 2 - .../loading_samlib/loading_samlib.yml | 2 - ...ken.yml => sedebugprivilege_token_old.yml} | 0 .../service_deletion/service_deletion.yml | 2 - .../wallpaper_via_transcodedwallpaper.yml | 2 - .../chaos_ransomware/chaos_ransomware.yml | 2 - .../spread_in_root_drives.yml | 2 - datasets/malware/clop/clop_a/clop_a.yml | 2 - datasets/malware/clop/clop_b/clop_b.yml | 2 - datasets/malware/conti/conti-cobalt/data.yml | 2 - .../malware/conti/conti_leak/conti_leak.yml | 2 - datasets/malware/conti/inf1/data.yml | 2 - .../malware/cyclopsblink/cyclopsblink.yml | 2 - .../dcrat_delay_execution.yml | 2 - .../dcrat_enum_camera/dcrat_enum_camera.yml | 2 - .../dcrat_explorer_url/dcrat_explorer_url.yml | 2 - .../dcrat/dcrat_forkbomb/dcrat_forkbomb.yml | 2 - .../reboot_logoff_commandline.yml | 2 - .../shutdown_commandline.yml | 2 - .../doublezero_wiper/doublezero_wiper.yml | 2 - datasets/malware/fin7/fin7_js_2/fin7_js_2.yml | 2 - .../fin7/fin7_macro_js_1/fin7_macro_js_1.yml | 2 - .../{fin7_sacl.yml => fin7_sacl_old.yml} | 0 datasets/malware/fin7/jssloader/jssloader.yml | 2 - .../gootloader/partial_ttps/partial_ttps.yml | 2 - .../globalfolderoptions_reg.yml | 2 - .../malware/hermetic_wiper/hermetic_wiper.yml | 2 - .../cmd_carry_str_param.yml | 2 - .../malware/icedid/disable_av/disable_av.yml | 2 - .../disable_schtask/disable_schtask.yml | 2 - .../malware/icedid/inf_icedid/inf_icedid.yml | 2 - .../icedid/phish_icedid/phish_icedid.yml | 2 - .../simulated_icedid/simulated_icedid.yml | 2 - .../malware/industroyer2/industroyer2.yml | 2 - .../lockbit_ransomware/lockbit_ransomware.yml | 2 - datasets/malware/minergate/data.yml | 2 - .../olympic_destroyer/olympic_destroyer.yml | 2 - .../prestige_ransomware.yml | 2 - datasets/malware/qakbot/qakbot.yml | 2 - datasets/malware/qakbot/qbot2/qbot2.yml | 2 - datasets/malware/qakbot/qbot_3/qbot_3.yml | 2 - .../qakbot/qbot_wermgr/qbot_wermgr.yml | 2 - .../qakbot/qbot_wermgr2/qbot_wermgr2.yml | 2 - .../qakbot/remote_thread/remote_thread.yml | 2 - .../malware/ransomware_ttp/data1/data.yml | 2 - .../malware/ransomware_ttp/data2/data.yml | 2 - ..._access.yml => browser_ext_access_old.yml} | 0 ...{browser_list.yml => browser_list_old.yml} | 0 ...hrome_local_state_simulate_access_old.yml} | 0 ...chrome_login_data_simulate_access_old.yml} | 0 .../modify_registry/modify_registry.yml | 2 - ...on_registry.yml => recon_registry_old.yml} | 0 ...p.yml => win_update_services_stop_old.yml} | 0 datasets/malware/remcos/remcos/remcos.yml | 2 - .../remcos/remcos_agent/remcos_agent.yml | 2 - .../remcos_dynwrapx/remcos_dynwrapx.yml | 2 - ...client.yml => remcos_panel_client_old.yml} | 0 .../remcos_pastebin_download.yml | 2 - .../remcos_registry/remcos_registry.yml | 2 - datasets/malware/revil/inf1/data.yml | 2 - datasets/malware/revil/inf2/data.yml | 2 - .../revil/msmpeng_side/msmpeng_side.yml | 2 - datasets/malware/ryuk/ryuk.yml | 2 - .../malware/snakemalware/snakemalware.yml | 2 - .../malware/swift_slicer/swift_slicer.yml | 2 - .../malware/trickbot/exe_smbshare/data.yml | 2 - datasets/malware/trickbot/infection/data.yml | 2 - datasets/malware/trickbot/namedpipe/data.yml | 2 - .../trickbot/spear_phish/spear_phish.yml | 2 - datasets/malware/vilsel/vilsel.yml | 2 - ...ver.yml => maxconnectionperserver_old.yml} | 0 ...c_bypass.yml => pkgmgr_uac_bypass_old.yml} | 0 ...loaded.yml => unsigned_dll_loaded_old.yml} | 0 .../malware/winpeas/powershell/powershell.yml | 2 - datasets/malware/winpeas/winpeas.yml | 2 - .../winpeas_cmdkeylist/winpeas_cmdkeylist.yml | 2 - .../winpeas/winpeas_fsutil/winpeas_fsutil.yml | 2 - .../winpeas_search_private_key.yml | 2 - .../winpeas_search_pwd/winpeas_search_pwd.yml | 2 - .../winpeas_search_pwd_db.yml | 2 - .../pwh_exfiltration/pwh_exfiltration.yml | 2 - .../pwh_uploadstring/pwh_uploadstring.yml | 2 - .../scheduledtask/scheduledtask.yml | 2 - datasets/malware/xmrig_miner/data.yml | 2 - ...lly_high_cloud_instances_launched_old.yml} | 0 ...ts.yml => cisco_secure_app_alerts_old.yml} | 0 ...s.yml => defender_incident_alerts_old.yml} | 0 ...rtutil_exe_certificate_extraction_old.yml} | 0 ...ts.yml => cisco_ai_defense_alerts_old.yml} | 0 ...d.yml => admin_duplicate_password_old.yml} | 0 ...yml => admin_weak_password_policy_old.yml} | 0 ...tream_events.yml => stream_events_old.yml} | 0 ...risk_score.yml => high_risk_score_old.yml} | 0 ...{medium_alert.yml => medium_alert_old.yml} | 0 ...w_alert.yml => multiple_low_alert_old.yml} | 0 ...=> non_admin_weak_password_policy_old.yml} | 0 ...ation.yml => privilege_escalation_old.yml} | 0 .../{riskscore.yml => riskscore_old.yml} | 0 ...rd.yml => user_duplicate_password_old.yml} | 0 ...2016_iis.yml => exchange_2016_iis_old.yml} | 0 ...yml => first_time_windows_service_old.yml} | 0 ...on.yml => linux_post_exploitation_old.yml} | 0 ...ion.yml => log4shell_exploitation_old.yml} | 0 .../{okta_risk.yml => okta_risk_old.yml} | 0 ...ike.yml => security_hub_ec2_spike_old.yml} | 0 .../{replay.yml => replay_old.yml} | 0 ...s_risk.yml => windows_lolbas_risk_old.yml} | 0 407 files changed, 407 insertions(+), 358 deletions(-) create mode 100644 bin/dataset_schema.json create mode 100644 bin/validate.py delete mode 100644 datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml rename datasets/attack_techniques/T1018/constrained/{powerview.yml => powerview_old.yml} (100%) rename datasets/attack_techniques/T1018/unconstrained/{powerview.yml => powerview_old.yml} (100%) rename datasets/attack_techniques/T1018/unconstrained2/{getadcomputer.yml => getadcomputer_old.yml} (100%) rename datasets/attack_techniques/T1021/illegal_access_to_content/{illegal_access_to_content.yml => illegal_access_to_content_old.yml} (100%) rename datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/{njrat_fileless_registry_entry.yml => njrat_fileless_registry_entry_old.yml} (100%) rename datasets/attack_techniques/T1027.013/rar_sfx_execution/{rar_sfx_execution.yml => rar_sfx_execution_old.yml} (100%) rename datasets/attack_techniques/T1033/query_remote_usage/{query_remote_usage.yml => query_remote_usage_old.yml} (100%) rename datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/{suspicious_spawn_svchost.yml => suspicious_spawn_svchost_old.yml} (100%) rename datasets/attack_techniques/T1036.002/outlook_attachment/{right_to_left_override.yml => right_to_left_override_old.yml} (100%) rename datasets/attack_techniques/T1036.003/renamed_powershell/{renamed_powershell.yml => renamed_powershell_old.yml} (100%) rename datasets/attack_techniques/T1036.005/process_in_programdata/{process_in_programdata.yml => process_in_programdata_old.yml} (100%) rename datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/{32bit_process_execute_64bit.yml => 32bit_process_execute_64bit_old.yml} (100%) rename datasets/attack_techniques/T1036/cmd_lolbas_usage/{cmd_lolbas_usage.yml => cmd_lolbas_usage_old.yml} (100%) rename datasets/attack_techniques/T1036/debugger_execution/{debugger_execution.yml => debugger_execution_old.yml} (100%) rename datasets/attack_techniques/T1036/executables_suspicious_file_path/{executables_suspicious_file_path.yml => executables_suspicious_file_path_old.yml} (100%) rename datasets/attack_techniques/T1036/process_temp_path/{process_temp_path.yml => process_temp_path_old.yml} (100%) rename datasets/attack_techniques/T1036/system_process_running_unexpected_location/{system_process_running_unexpected_location.yml => system_process_running_unexpected_location_old.yml} (100%) rename datasets/attack_techniques/T1040/ssltls/{ssltls.yml => ssltls_old.yml} (100%) rename datasets/attack_techniques/T1041/zeek_ssl/{zeek_ssl.yml => zeek_ssl_old.yml} (100%) rename datasets/attack_techniques/T1046/nmap/{nmap.yml => nmap_old.yml} (100%) rename datasets/attack_techniques/T1046/open_dns_port/{open_dns_port.yml => open_dns_port_old.yml} (100%) rename datasets/attack_techniques/T1046/open_ports_discovery/{open_ports_discovery.yml => open_ports_discovery_old.yml} (100%) rename datasets/attack_techniques/T1053/hidden_schedule_task/{hidden_schedule_task.yml => hidden_schedule_task_old.yml} (100%) rename datasets/attack_techniques/T1053/taskschd_dll/{taskschd_dll.yml => taskschd_dll_old.yml} (100%) rename datasets/attack_techniques/T1053/valleyrat_schedtask/{valleyrat_schedtask.yml => valleyrat_schedtask_old.yml} (100%) rename datasets/attack_techniques/T1055/non-service-searchindexer/{non-service-searchindexer.yml => non-service-searchindexer_old.yml} (100%) rename datasets/attack_techniques/T1055/splunk_ds/{splunkd.yml => splunkd_old.yml} (100%) rename datasets/attack_techniques/T1059.002/amos_stealer/{amos_stealer.yml => amos_stealer_old.yml} (100%) rename datasets/attack_techniques/T1059.003/cmd_arguments/{cmd_arguments.yml => cmd_arguments_old.yml} (100%) rename datasets/attack_techniques/T1059.003/delete_pwh_history/{delete_pwh_history.yml => delete_pwh_history_old.yml} (100%) rename datasets/attack_techniques/T1059.003/ssa_validation/browsers/{browsers.yml => browsers_old.yml} (100%) rename datasets/attack_techniques/T1059.003/ssa_validation/office/{office.yml => office_old.yml} (100%) rename datasets/attack_techniques/T1059.003/unusally_cmd_line/{unusally_cmd_line.yml => unusally_cmd_line_old.yml} (100%) rename datasets/attack_techniques/T1059.004/macos_lolbin/{macos_lolbin.yml => macos_lolbin_old.yml} (100%) rename datasets/attack_techniques/T1059/defender/{ms_defender.yml => ms_defender_old.yml} (100%) rename datasets/attack_techniques/T1059/log4shell_ldap_traffic/{log4shell_ldap_traffic.yml => log4shell_ldap_traffic_old.yml} (100%) rename datasets/attack_techniques/T1059/meterpreter/taskhost_processes/{taskhost_processes.yml => taskhost_processes_old.yml} (100%) rename datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/{windows_temp_processes.yml => windows_temp_processes_old.yml} (100%) rename datasets/attack_techniques/T1059/protocol_handlers/{protocol_handlers.yml => protocol_handlers_old.yml} (100%) rename datasets/attack_techniques/T1059/risk_behavior/abused_commandline/{abused_commandline.yml => abused_commandline_old.yml} (100%) rename datasets/attack_techniques/T1068/pkexec/{pkexec_lpe.yml => pkexec_lpe_old.yml} (100%) rename datasets/attack_techniques/T1069.001/njrat_admin_check/{njrat_admin_check.yml => njrat_admin_check_old.yml} (100%) rename datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/{windows_pwh_log_cleared.yml => windows_pwh_log_cleared_old.yml} (100%) rename datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/{ConsoleHost_History_deletion.yml => ConsoleHost_History_deletion_old.yml} (100%) rename datasets/attack_techniques/T1070.004/cipher/{cipher.yml => cipher_old.yml} (100%) rename datasets/attack_techniques/T1070/illegal_log_deletion/{illegal_log_deletion.yml => illegal_log_deletion_old.yml} (100%) rename datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/{rmdir_delete_files_and_dir.yml => rmdir_delete_files_and_dir_old.yml} (100%) rename datasets/attack_techniques/T1072/intune/{intune.yml => intune_old.yml} (100%) rename datasets/attack_techniques/T1078.002/account_login/{account_login.yml => account_login_old.yml} (100%) rename datasets/attack_techniques/T1078.002/samaccountname_spoofing/{samaaccountname_spoofing.yml => samaaccountname_spoofing_old.yml} (100%) rename datasets/attack_techniques/T1078.004/aws_login_sfa/{aws_login_sfa.yml => aws_login_sfa_old.yml} (100%) rename datasets/attack_techniques/T1078/assume_role_with_saml/{assume_role_with_saml.yml => assume_role_with_saml_old.yml} (100%) rename datasets/attack_techniques/T1078/attach_role_trust_policy/{attach_role_trust_policy.yml => attach_role_trust_policy_old.yml} (100%) rename datasets/attack_techniques/T1078/attach_user_to_role/{attach_user_to_role.yml => attach_user_to_role_old.yml} (100%) rename datasets/attack_techniques/T1078/create_IAM_role/{create_IAM_role.yml => create_IAM_role_old.yml} (100%) rename datasets/attack_techniques/T1078/gcploit_exploitation_framework/{gcploit_exploitation_framework.yml => gcploit_exploitation_framework_old.yml} (100%) rename datasets/attack_techniques/T1078/high_risk_permission_by_resource/{high_risk_permission_by_resource.yml => high_risk_permission_by_resource_old.yml} (100%) rename datasets/attack_techniques/T1078/high_risk_role_by_project/{high_risk_role_by_project.yml => high_risk_role_by_project_old.yml} (100%) rename datasets/attack_techniques/T1078/splunkd_auth/{audittrail.yml => audittrail_old.yml} (100%) rename datasets/attack_techniques/T1078/sts_assumerole_usage/{sts_assumerole_usage.yml => sts_assumerole_usage_old.yml} (100%) delete mode 100644 datasets/attack_techniques/T1083/splunk/data.yml rename datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/{aws_invoke_model_access_denied.yml => aws_invoke_model_access_denied_old.yml} (100%) rename datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/{powerview_get_netuser_preauthnotrequire.yml => powerview_get_netuser_preauthnotrequire_old.yml} (100%) rename datasets/attack_techniques/T1090.003/pan_tor_allowed/{pan_tor_allowed.yml => pan_tor_allowed_old.yml} (100%) rename datasets/attack_techniques/T1095/palologs/{disable_rdp.yml => disable_rdp_old.yml} (100%) rename datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/{application_impersonation_role_assigned.yml => application_impersonation_role_assigned_old.yml} (100%) rename datasets/attack_techniques/T1098/linux_password_change/{linux_password_change.yml => linux_password_change_old.yml} (100%) rename datasets/attack_techniques/T1102.002/telegram_api_cli/{telegram_api_cli.yml => telegram_api_cli_old.yml} (100%) rename datasets/attack_techniques/T1102.002/telegram_api_dns/{telegram_api_dns.yml => telegram_api_dns_old.yml} (100%) rename datasets/attack_techniques/T1102/njrat_ngrok_connection/{njrat_ngrok_connection.yml => njrat_ngrok_connection_old.yml} (100%) rename datasets/attack_techniques/T1105/tinyurl_dns_query/{tinyurl_dns_query.yml => tinyurl_dns_query_old.yml} (100%) rename datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/{high_number_of_login_failures_from_a_single_source.yml => high_number_of_login_failures_from_a_single_source_old.yml} (100%) rename datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/{aws_multiple_login_fail_per_user.yml => aws_multiple_login_fail_per_user_old.yml} (100%) rename datasets/attack_techniques/T1110.003/generic_password_spray/{password_spray_attack.yml => password_spray_attack_old.yml} (100%) rename datasets/attack_techniques/T1110.003/ntlm_bruteforce/{ntlm_bruteforce.yml => ntlm_bruteforce_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/{purplesharp_disabled_users_kerberos.yml => purplesharp_disabled_users_kerberos_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/{purplesharp_explicit_credential_spray.yml => purplesharp_explicit_credential_spray_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/{purplesharp_invalid_users_kerberos.yml => purplesharp_invalid_users_kerberos_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/{purplesharp_invalid_users_ntlm.yml => purplesharp_invalid_users_ntlm_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/{purplesharp_multiple_users_from_process.yml => purplesharp_multiple_users_from_process_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_remote_spray/{purplesharp_remote_spray.yml => purplesharp_remote_spray_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/{purplesharp_valid_users_kerberos.yml => purplesharp_valid_users_kerberos_old.yml} (100%) rename datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/{purplesharp_valid_users_ntlm.yml => purplesharp_valid_users_ntlm_old.yml} (100%) rename datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/{DisableRemoteDesktopAntiAlias.yml => DisableRemoteDesktopAntiAlias_old.yml} (100%) rename datasets/attack_techniques/T1112/{T1112.yml => T1112_old.yml} (100%) rename datasets/attack_techniques/T1112/bitlocker_registry_setting/{bitlocker_registry_setting.yml => bitlocker_registry_setting_old.yml} (100%) rename datasets/attack_techniques/T1112/disable_rdp/{disable_rdp.yml => disable_rdp_old.yml} (100%) rename datasets/attack_techniques/T1112/kingsoft_reg/{kingsoft_reg.yml => kingsoft_reg_old.yml} (100%) rename datasets/attack_techniques/T1112/njrat_md5_registry_entry/{njrat_md5_registry_entry.yml => njrat_md5_registry_entry_old.yml} (100%) rename datasets/attack_techniques/T1112/no_changing_wallpaper/{no_changing_wallpaper.yml => no_changing_wallpaper_old.yml} (100%) rename datasets/attack_techniques/T1112/proxy_enable/{proxy_enable.yml => proxy_enable_old.yml} (100%) rename datasets/attack_techniques/T1112/proxy_server/{proxy_server.yml => proxy_server_old.yml} (100%) rename datasets/attack_techniques/T1112/pwn_reg/{pwn_reg.yml => pwn_reg_old.yml} (100%) rename datasets/attack_techniques/T1112/smart_card_group_policy/{smart_card_group_policy.yml => smart_card_group_policy_old.yml} (100%) rename datasets/attack_techniques/T1112/test_registry/{test_registry.yml => test_registry_old.yml} (100%) rename datasets/attack_techniques/T1112/valleyrat_c2_reg2/{valleyrat_c2_reg2.yml => valleyrat_c2_reg2_old.yml} (100%) rename datasets/attack_techniques/T1112/wer_dontshowui/{wer_dontshowui.yml => wer_dontshowui_old.yml} (100%) rename datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/{windows_mod_reg_risk_behavior.yml => windows_mod_reg_risk_behavior_old.yml} (100%) rename datasets/attack_techniques/T1113/braodo_screenshot/{braodo_screenshot.yml => braodo_screenshot_old.yml} (100%) rename datasets/attack_techniques/T1114.002/suspicious_rights_delegation/{suspicious_rights_delegation.yml => suspicious_rights_delegation_old.yml} (100%) rename datasets/attack_techniques/T1114.003/transport_rule_change/{transport_rule_change.yml => transport_rule_change_old.yml} (100%) rename datasets/attack_techniques/T1115/atomic_red_team/{atomic_red_team.yml => atomic_red_team_old.yml} (100%) rename datasets/attack_techniques/T1119/aws_exfil_datasync/{aws_exfil_datasync.yml => aws_exfil_datasync_old.yml} (100%) rename datasets/attack_techniques/T1129/executable_shared_modules/{executable_shared_modules.yml => executable_shared_modules_old.yml} (100%) rename datasets/attack_techniques/T1133/rdp/{rdp_terminalservices.yml => rdp_terminalservices_old.yml} (100%) rename datasets/attack_techniques/T1134/explorer_root_proc_cmdline/{explorer_root_proc_cmdline.yml => explorer_root_proc_cmdline_old.yml} (100%) rename datasets/attack_techniques/T1136.001/net_create_user/{net_create_user.yml => net_create_user_old.yml} (100%) rename datasets/attack_techniques/T1136/linux_unix_new_user/{linux_unix_new_user.yml => linux_unix_new_user_old.yml} (100%) rename datasets/attack_techniques/T1176.001/disable_extension/{disable_extension.yml => disable_extension_old.yml} (100%) rename datasets/attack_techniques/T1185/headlessbrowser/{headless_browser.yml => headless_browser_old.yml} (100%) delete mode 100644 datasets/attack_techniques/T1189/splunk/splunk.yml delete mode 100644 datasets/attack_techniques/T1189/xss/xss.yml rename datasets/attack_techniques/T1190/adobe/{adobe.yml => adobe_old.yml} (100%) rename datasets/attack_techniques/T1190/cisco/iosxe/{ciscoiosxe.yml => ciscoiosxe_old.yml} (100%) rename datasets/attack_techniques/T1190/f5/{f5.yml => f5_old.yml} (100%) rename datasets/attack_techniques/T1190/fortigate/{fortigate.yml => fortigate_old.yml} (100%) rename datasets/attack_techniques/T1190/jetbrains/{jetbrains.yml => jetbrains_old.yml} (100%) rename datasets/attack_techniques/T1190/log4j_network_logs/{log4j_network_logs.yml => log4j_network_logs_old.yml} (100%) rename datasets/attack_techniques/T1190/log4j_proxy_logs/{log4j_proxy_logs.yml => log4j_proxy_logs_old.yml} (100%) delete mode 100644 datasets/attack_techniques/T1190/magento/magento.yml rename datasets/attack_techniques/T1190/moveit/{moveit.yml => moveit_old.yml} (100%) rename datasets/attack_techniques/T1190/outbound_ldap/{bro_conn.yml => bro_conn_old.yml} (100%) delete mode 100644 datasets/attack_techniques/T1190/pswa/pswa.yml delete mode 100644 datasets/attack_techniques/T1190/splunk/splunk.yml rename datasets/attack_techniques/T1190/vmware/{vmware.yml => vmware_old.yml} (100%) rename datasets/attack_techniques/T1190/wordpress/{wordpress.yml => wordpress_old.yml} (100%) rename datasets/attack_techniques/T1190/ws_ftp/{ws_ftp.yml => ws_ftp_old.yml} (100%) rename datasets/attack_techniques/T1195.001/github_pull_request/{github_pull_request.yml => github_pull_request_old.yml} (100%) rename datasets/attack_techniques/T1195.001/github_security_advisor_alert/{github_security_advisor_alert.yml => github_security_advisor_alert_old.yml} (100%) rename datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/{github_actions_disable_security_workflow.yml => github_actions_disable_security_workflow_old.yml} (100%) rename datasets/attack_techniques/T1199/github_push_master/{github_push_master.yml => github_push_master_old.yml} (100%) rename datasets/attack_techniques/T1201/aws_password_policy/{aws_password_policy.yml => aws_password_policy_old.yml} (100%) rename datasets/attack_techniques/T1204/kube_audit_create_node_port_service/{kube_audit_create_node_port_service.yml => kube_audit_create_node_port_service_old.yml} (100%) delete mode 100644 datasets/attack_techniques/T1210/splunk/data.yml rename datasets/attack_techniques/T1213/audittrail/{audittrail.yml => audittrail_old.yml} (100%) rename datasets/attack_techniques/T1218.003/moz_lib_loaded/{moz_lib_loaded.yml => moz_lib_loaded_old.yml} (100%) rename datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/{msiexec-hidewindow-rundll32.yml => msiexec-hidewindow-rundll32_old.yml} (100%) rename datasets/attack_techniques/T1218.011/update_per_user_system/{update_per_user_system.yml => update_per_user_system_old.yml} (100%) rename datasets/attack_techniques/T1218/living_off_the_land/{livingofftheland.yml => livingofftheland_old.yml} (100%) rename datasets/attack_techniques/T1218/lolbas_with_network_traffic/{lolbas_with_network_traffic.yml => lolbas_with_network_traffic_old.yml} (100%) rename datasets/attack_techniques/T1222.001/attrib_hidden/{attrib_hidden.yml => attrib_hidden_old.yml} (100%) rename datasets/attack_techniques/T1222.001/icacls_inheritance/{icacls_inheritance.yml => icacls_inheritance_old.yml} (100%) rename datasets/attack_techniques/T1484/{domain_policy_modification.yml => domain_policy_modification_old.yml} (100%) rename datasets/attack_techniques/T1485/aws_delete_knowledge_base/{aws_delete_knowledge_base.yml => aws_delete_knowledge_base_old.yml} (100%) rename datasets/attack_techniques/T1486/bitlocker_sus_commands/{bitlocker_sus_commands.yml => bitlocker_sus_commands_old.yml} (100%) rename datasets/attack_techniques/T1489/splunk_kvstore_csrf/{splunk_kvstore_csrf.yml => splunk_kvstore_csrf_old.yml} (100%) rename datasets/attack_techniques/T1496/process_high_cpu_usage/{process_high_cpu_usage.yml => process_high_cpu_usage_old.yml} (100%) rename datasets/attack_techniques/T1496/process_high_mem_usage/{process_high_mem_usage.yml => process_high_mem_usage_old.yml} (100%) rename datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/{njrat_ping_delay_before_delete.yml => njrat_ping_delay_before_delete_old.yml} (100%) rename datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/{time_delay_using_choice_exe.yml => time_delay_using_choice_exe_old.yml} (100%) rename datasets/attack_techniques/T1497/chrom_no_sandbox/{chrom_no_sandbox.yml => chrom_no_sandbox_old.yml} (100%) rename datasets/attack_techniques/T1498/splunk_indexer_dos/{splunk_indexer_dos.yml => splunk_indexer_dos_old.yml} (100%) rename datasets/attack_techniques/T1499/splunk/{splunk_vulns_jan_2024.yml => splunk_vulns_jan_2024_old.yml} (100%) rename datasets/attack_techniques/T1499/splunk/{splunk_zip_bomb_vulnerability.yml => splunk_zip_bomb_vulnerability_old.yml} (100%) rename datasets/attack_techniques/T1505.003/generic_webshell_exploit/{detect_webshell_exploit_behavior.yml => detect_webshell_exploit_behavior_old.yml} (100%) rename datasets/attack_techniques/T1525/container_implant/{container_implant.yml => container_implant_old.yml} (100%) rename datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/{aws_exfil_high_no_getobject.yml => aws_exfil_high_no_getobject_old.yml} (100%) rename datasets/attack_techniques/T1531/linux_unix_delete_user/{linux_unix_delete_user.yml => linux_unix_delete_user_old.yml} (100%) rename datasets/attack_techniques/T1531/log_off_user/{log_off_user.yml => log_off_user_old.yml} (100%) rename datasets/attack_techniques/T1531/powershell_log_process_tree/{powershell_log_process_tree.yml => powershell_log_process_tree_old.yml} (100%) rename datasets/attack_techniques/T1537/high_copy_files_in_net_share/{high_copy_files_in_net_share.yml => high_copy_files_in_net_share_old.yml} (100%) rename datasets/attack_techniques/T1543.003/krbrelayup/{krbrelayup.yml => krbrelayup_old.yml} (100%) rename datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/{lateral_movement_suspicious_path.yml => lateral_movement_suspicious_path_old.yml} (100%) rename datasets/attack_techniques/T1546/compattelrunner_abuse/{compattelrunner_abuse.yml => compattelrunner_abuse_old.yml} (100%) rename datasets/attack_techniques/T1547.011/atomic_red_team/{atomic_red_team.yml => atomic_red_team_old.yml} (100%) rename datasets/attack_techniques/T1548.003/linux_audited_doas_conf/{linux_audited_doas_conf.yml => linux_audited_doas_conf_old.yml} (100%) rename datasets/attack_techniques/T1548/{abuse_elevation_control.yml => abuse_elevation_control_old.yml} (100%) rename datasets/attack_techniques/T1548/linux_risk/{linux_risk.yml => linux_risk_old.yml} (100%) rename datasets/attack_techniques/T1550.002/extracts_from_real_data/{extracts_from_real_data.yml => extracts_from_real_data_old.yml} (100%) rename datasets/attack_techniques/T1550/impacket/{impacket.yml => impacket_old.yml} (100%) rename datasets/attack_techniques/T1550/netexec_toolkit_usage/{netexec_toolkit_usage.yml => netexec_toolkit_usage_old.yml} (100%) rename datasets/attack_techniques/T1552.001/file_xml_config/{file_xml_config.yml => file_xml_config_old.yml} (100%) rename datasets/attack_techniques/T1552.001/ie_intelliform_storage/{ie_intelliform_storage.yml => ie_intelliform_storage_old.yml} (100%) rename datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/{certutil_exe_certificate_extraction.yml => certutil_exe_certificate_extraction_old.yml} (100%) rename datasets/attack_techniques/T1552.006/powershell_gpp_discovery/{powershell_gpp_discovery.yml => powershell_gpp_discovery_old.yml} (100%) rename datasets/attack_techniques/T1552.007/kube_audit_get_secret/{kube_audit_get_secret.yml => kube_audit_get_secret_old.yml} (100%) rename datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/{snakey_keylogger_outlook_reg_access.yml => snakey_keylogger_outlook_reg_access_old.yml} (100%) rename datasets/attack_techniques/T1552/windows_post_exploitation/{windows_post_exploitation.yml => windows_post_exploitation_old.yml} (100%) rename datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/{mark_of_the_web_bypass.yml => mark_of_the_web_bypass_old.yml} (100%) rename datasets/attack_techniques/T1554/circle_ci_disable_security_job/{circle_ci_disable_security_job.yml => circle_ci_disable_security_job_old.yml} (100%) rename datasets/attack_techniques/T1554/circle_ci_disable_security_step/{circle_ci_disable_security_step.yml => circle_ci_disable_security_step_old.yml} (100%) rename datasets/attack_techniques/T1555.003/browser_credential_info_temp/{browser_credential_info_temp.yml => browser_credential_info_temp_old.yml} (100%) rename datasets/attack_techniques/T1555.004/vaultcli_creds/{vaultcli_creds.yml => vaultcli_creds_old.yml} (100%) rename datasets/attack_techniques/T1555/applying_stolen_credentials/{applying_stolen_credentials.yml => applying_stolen_credentials_old.yml} (100%) rename datasets/attack_techniques/T1555/cmdkey_create_credential_store/{cmdkey_create_credential_store.yml => cmdkey_create_credential_store_old.yml} (100%) rename datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/{cmdkey_delete_credentials_store.yml => cmdkey_delete_credentials_store_old.yml} (100%) rename datasets/attack_techniques/T1557.002/cisco_ios/{cisco_ios.yml => cisco_ios_old.yml} (100%) rename datasets/attack_techniques/T1558.001/impacket/{impacket.yml => impacket_old.yml} (100%) rename datasets/attack_techniques/T1558.002/impacket/{impacket.yml => impacket_old.yml} (100%) rename datasets/attack_techniques/T1558.004/getaduser/{getaduser.yml => getaduser_old.yml} (100%) rename datasets/attack_techniques/T1558.004/powerview/{powerview.yml => powerview_old.yml} (100%) rename datasets/attack_techniques/T1558/krbrelayup/{krbrelayup.yml => krbrelayup_old.yml} (100%) rename datasets/attack_techniques/T1559/anonymous_pipe/{anonymous_pipe.yml => anonymous_pipe_old.yml} (100%) rename datasets/attack_techniques/T1560.001/archive_tools/{archive_tools.yml => archive_tools_old.yml} (100%) rename datasets/attack_techniques/T1560.001/archive_utility_darkgate/{archive_utility_darkgate.yml => archive_utility_darkgate_old.yml} (100%) rename datasets/attack_techniques/T1560/archived_in_temp_dir/{archived_in_temp_dir.yml => archived_in_temp_dir_old.yml} (100%) rename datasets/attack_techniques/T1560/powershell_archive/{powershell_archive.yml => powershell_archive_old.yml} (100%) rename datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/{cisco_secure_endpoint_tampering.yml => cisco_secure_endpoint_tampering_old.yml} (100%) rename datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/{defender_exclusion_defender_operational_wineventlog.yml => defender_exclusion_defender_operational_wineventlog_old.yml} (100%) rename datasets/attack_techniques/T1562.001/defender_exclusion_powershell/{defender_exclusion_powershell.yml => defender_exclusion_powershell_old.yml} (100%) rename datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/{disable_defender_operational_wineventlog.yml => disable_defender_operational_wineventlog_old.yml} (100%) rename datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/{rmdir_defender_pwsh.yml => rmdir_defender_pwsh_old.yml} (100%) rename datasets/attack_techniques/T1562.001/taskkill/{taskkill.yml => taskkill_old.yml} (100%) rename datasets/attack_techniques/T1562.001/taskkill_browser/{taskkill_browser.yml => taskkill_browser_old.yml} (100%) rename datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/{added_rule.yml => added_rule_old.yml} (100%) rename datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/{delete_rule.yml => delete_rule_old.yml} (100%) rename datasets/attack_techniques/T1562.004/firewall_win_event/{firewall_win_event.yml => firewall_win_event_old.yml} (100%) rename datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/{modify_rule.yml => modify_rule_old.yml} (100%) rename datasets/attack_techniques/T1562.006/dotnet_etw_bypass/{dotnet_etw_bypass.yml => dotnet_etw_bypass_old.yml} (100%) rename datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/{aws_bedrock_delete_guardrails.yml => aws_bedrock_delete_guardrails_old.yml} (100%) rename datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/{aws_bedrock_delete_model_invocation_logging.yml => aws_bedrock_delete_model_invocation_logging_old.yml} (100%) rename datasets/attack_techniques/T1562.012/auditd_daemon_end/{auditd_daemon_end.yml => auditd_daemon_end_old.yml} (100%) rename datasets/attack_techniques/T1562/applocker/{applocker.yml => applocker_old.yml} (100%) rename datasets/attack_techniques/T1562/disable_linux_firewall/{disable_linux_firewall.yml => disable_linux_firewall_old.yml} (100%) rename datasets/attack_techniques/T1564.003/headless/{headless.yml => headless_old.yml} (100%) rename datasets/attack_techniques/T1566.001/gdrive_susp_file_share/{gdrive_susp_file_share.yml => gdrive_susp_file_share_old.yml} (100%) rename datasets/attack_techniques/T1566.001/{spearphishing_attachments.yml => spearphishing_attachments_old.yml} (100%) rename datasets/attack_techniques/T1566/outlook_dropped_dll/{outlook_dropped_dll.yml => outlook_dropped_dll_old.yml} (100%) rename datasets/attack_techniques/T1567.002/gsuite_share_drive/{gsuite_share_drive.yml => gsuite_share_drive_old.yml} (100%) rename datasets/attack_techniques/T1569/illegal_service_control/{illegal_service_control.yml => illegal_service_control_old.yml} (100%) rename datasets/attack_techniques/T1574.002/svr_loaded_modules/{svr_loaded_modules.yml => svr_loaded_modules_old.yml} (100%) rename datasets/attack_techniques/T1574.002/unsigned_dll_load/{unsigned_dll_load.yml => unsigned_dll_load_old.yml} (100%) rename datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/{unsigned_dll_loaded_same_process_path.yml => unsigned_dll_loaded_same_process_path_old.yml} (100%) rename datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/{aws_bedrock_list_foundation_model_failures.yml => aws_bedrock_list_foundation_model_failures_old.yml} (100%) rename datasets/attack_techniques/T1580/{aws_iam.yml => aws_iam_old.yml} (100%) rename datasets/attack_techniques/T1585/illegal_account_creation/{illegal_account_creation.yml => illegal_account_creation_old.yml} (100%) rename datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/{aws_console_login_multiple_ips.yml => aws_console_login_multiple_ips_old.yml} (100%) rename datasets/attack_techniques/T1587.003/splunk_fwder/{splunkd.yml => splunkd_old.yml} (100%) rename datasets/attack_techniques/T1589.002/kerbrute/{kerbrute.yml => kerbrute_old.yml} (100%) rename datasets/attack_techniques/T1621/aws_failed_mfa/{aws_failed_mfa.yml => aws_failed_mfa_old.yml} (100%) rename datasets/attack_techniques/T1647/atomic_red_team/{atomic_red_team.yml => atomic_red_team_old.yml} (100%) rename datasets/attack_techniques/T1654/eventlog_enumeration/{eventlog_enumeration.yml => eventlog_enumeration_old.yml} (100%) rename datasets/cisco_network_visibility_module/cisco_nvm_flowdata/{nvm_flowdata.yml => nvm_flowdata_old.yml} (100%) rename datasets/cisco_secure_firewall_threat_defense/connection_event/{connection_events.yml => connection_events_old.yml} (100%) rename datasets/cisco_secure_firewall_threat_defense/file_event/{file_events.yml => file_events_old.yml} (100%) rename datasets/cisco_secure_firewall_threat_defense/intrusion_event/{intrusion_events.yml => intrusion_events_old.yml} (100%) rename datasets/cisco_secure_firewall_threat_defense/lumma_stealer/{lumma_stealer_events.yml => lumma_stealer_events_old.yml} (100%) rename datasets/malware/amadey/shell_regrun/{shell_regrun.yml => shell_regrun_old.yml} (100%) rename datasets/malware/brute_ratel/sedebugprivilege_token/{sedebugprivilege_token.yml => sedebugprivilege_token_old.yml} (100%) rename datasets/malware/fin7/fin7_sacl/{fin7_sacl.yml => fin7_sacl_old.yml} (100%) rename datasets/malware/redline/browser_ext_access/{browser_ext_access.yml => browser_ext_access_old.yml} (100%) rename datasets/malware/redline/browser_list/{browser_list.yml => browser_list_old.yml} (100%) rename datasets/malware/redline/chrome_local_state_simulate_access/{chrome_local_state_simulate_access.yml => chrome_local_state_simulate_access_old.yml} (100%) rename datasets/malware/redline/chrome_login_data_simulate_access/{chrome_login_data_simulate_access.yml => chrome_login_data_simulate_access_old.yml} (100%) rename datasets/malware/redline/recon_registry/{recon_registry.yml => recon_registry_old.yml} (100%) rename datasets/malware/redline/win_update_services_stop/{win_update_services_stop.yml => win_update_services_stop_old.yml} (100%) rename datasets/malware/remcos/remcos_panel_client/{remcos_panel_client.yml => remcos_panel_client_old.yml} (100%) rename datasets/malware/warzone_rat/maxconnectionperserver/{maxconnectionperserver.yml => maxconnectionperserver_old.yml} (100%) rename datasets/malware/warzone_rat/pkgmgr_uac_bypass/{pkgmgr_uac_bypass.yml => pkgmgr_uac_bypass_old.yml} (100%) rename datasets/malware/warzone_rat/unsigned_dll_loaded/{unsigned_dll_loaded.yml => unsigned_dll_loaded_old.yml} (100%) rename datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/{abnormally_high_cloud_instances_launched.yml => abnormally_high_cloud_instances_launched_old.yml} (100%) rename datasets/suspicious_behaviour/alerts/{cisco_secure_app_alerts.yml => cisco_secure_app_alerts_old.yml} (100%) rename datasets/suspicious_behaviour/alerts/{defender_incident_alerts.yml => defender_incident_alerts_old.yml} (100%) rename datasets/suspicious_behaviour/certutil_exe_certificate_extraction/{certutil_exe_certificate_extraction.yml => certutil_exe_certificate_extraction_old.yml} (100%) rename datasets/suspicious_behaviour/cisco_ai_defense_alerts/{cisco_ai_defense_alerts.yml => cisco_ai_defense_alerts_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/{admin_duplicate_password.yml => admin_duplicate_password_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/{admin_weak_password_policy.yml => admin_weak_password_policy_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/{stream_events.yml => stream_events_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/{high_risk_score.yml => high_risk_score_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/{medium_alert.yml => medium_alert_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/{multiple_low_alert.yml => multiple_low_alert_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/{non_admin_weak_password_policy.yml => non_admin_weak_password_policy_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/{privilege_escalation.yml => privilege_escalation_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/riskscore/{riskscore.yml => riskscore_old.yml} (100%) rename datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/{user_duplicate_password.yml => user_duplicate_password_old.yml} (100%) rename datasets/suspicious_behaviour/exchange_2016_iis/{exchange_2016_iis.yml => exchange_2016_iis_old.yml} (100%) rename datasets/suspicious_behaviour/first_time_windows_service/{first_time_windows_service.yml => first_time_windows_service_old.yml} (100%) rename datasets/suspicious_behaviour/linux_post_exploitation/{linux_post_exploitation.yml => linux_post_exploitation_old.yml} (100%) rename datasets/suspicious_behaviour/log4shell_exploitation/{log4shell_exploitation.yml => log4shell_exploitation_old.yml} (100%) rename datasets/suspicious_behaviour/okta_account_takeover_risk_events/{okta_risk.yml => okta_risk_old.yml} (100%) rename datasets/suspicious_behaviour/security_hub_ec2_spike/{security_hub_ec2_spike.yml => security_hub_ec2_spike_old.yml} (100%) rename datasets/suspicious_behaviour/windows_lolbas_risk/{replay.yml => replay_old.yml} (100%) rename datasets/suspicious_behaviour/windows_lolbas_risk/{windows_lolbas_risk.yml => windows_lolbas_risk_old.yml} (100%) diff --git a/bin/dataset_schema.json b/bin/dataset_schema.json new file mode 100644 index 000000000..6acc39cf5 --- /dev/null +++ b/bin/dataset_schema.json @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97085370d23378475c243e900bfeb0b462b849ff3e2b4f38fec5547177c91a3b +size 2274 diff --git a/bin/requirements.txt b/bin/requirements.txt index c235e601e..f15921c97 100644 --- a/bin/requirements.txt +++ b/bin/requirements.txt @@ -5,4 +5,4 @@ splunk-sdk gitpython tqdm colorama -pyyaml \ No newline at end of file +jsonschema \ No newline at end of file diff --git a/bin/validate.py b/bin/validate.py new file mode 100644 index 000000000..398a4ab38 --- /dev/null +++ b/bin/validate.py @@ -0,0 +1,299 @@ +#!/usr/bin/env python3 +""" +YAML Dataset Validation Script + +This script validates YAML files in the specified directory against a +predefined JSON schema. +All dataset YAML files must conform to the specified structure with mandatory fields. +""" + +import argparse +import json +import sys +import uuid +from datetime import datetime +from pathlib import Path +from typing import Dict, List, Any + +import yaml +from jsonschema import validate, ValidationError, draft7_format_checker + + +def load_yaml_schema() -> Dict[str, Any]: + """ + Load and return the JSON schema for validating YAML dataset files. + + Returns: + Dict containing the JSON schema definition + + Raises: + FileNotFoundError: If schema file doesn't exist + json.JSONDecodeError: If schema file is invalid JSON + """ + # Get the schema file path relative to the script location + script_dir = Path(__file__).parent + schema_path = script_dir / 'dataset_schema.json' + + try: + with open(schema_path, 'r', encoding='utf-8') as file: + return json.load(file) + except FileNotFoundError: + raise FileNotFoundError(f"Schema file not found: {schema_path}") + except json.JSONDecodeError as e: + raise json.JSONDecodeError(f"Invalid JSON in schema file {schema_path}: {e}") + + +def validate_uuid(uuid_string: str) -> bool: + """ + Validate that a string is a properly formatted UUID. + + Args: + uuid_string: String to validate as UUID + + Returns: + True if valid UUID, False otherwise + """ + try: + uuid.UUID(uuid_string) + return True + except ValueError: + return False + + +def validate_date(date_string: str) -> bool: + """ + Validate that a string is a properly formatted date (YYYY-MM-DD). + + Args: + date_string: String to validate as date + + Returns: + True if valid date, False otherwise + """ + try: + datetime.strptime(date_string, '%Y-%m-%d') + return True + except ValueError: + return False + + +def load_yaml_file(file_path: Path) -> Dict[str, Any]: + """ + Load and parse a YAML file. + + Args: + file_path: Path to the YAML file + + Returns: + Parsed YAML content as dictionary + + Raises: + yaml.YAMLError: If YAML parsing fails + FileNotFoundError: If file doesn't exist + """ + try: + with open(file_path, 'r', encoding='utf-8') as file: + return yaml.safe_load(file) + except yaml.YAMLError as e: + raise yaml.YAMLError(f"YAML parsing error in {file_path}: {e}") + except FileNotFoundError: + raise FileNotFoundError(f"File not found: {file_path}") + + +def validate_yaml_file(file_path: Path, schema: Dict[str, Any]) -> List[str]: + """ + Validate a single YAML file against the schema. + + Args: + file_path: Path to the YAML file to validate + schema: JSON schema to validate against + + Returns: + List of validation errors (empty if valid) + """ + errors = [] + + try: + # Load YAML content + yaml_content = load_yaml_file(file_path) + + # Validate against JSON schema + validate(yaml_content, schema, format_checker=draft7_format_checker) + + # Additional custom validations + if 'id' in yaml_content and not validate_uuid(yaml_content['id']): + errors.append(f"Invalid UUID format for 'id': {yaml_content['id']}") + + if 'date' in yaml_content and not validate_date(yaml_content['date']): + errors.append( + f"Invalid date format for 'date': {yaml_content['date']} " + f"(expected YYYY-MM-DD)" + ) + + except ValidationError as e: + errors.append(f"Schema validation error: {e.message}") + if e.absolute_path: + errors.append(f" Path: {' -> '.join(str(p) for p in e.absolute_path)}") + except yaml.YAMLError as e: + errors.append(f"YAML parsing error: {e}") + except FileNotFoundError as e: + errors.append(f"File error: {e}") + except Exception as e: + errors.append(f"Unexpected error: {e}") + + return errors + + +def find_yaml_files(input_dir: Path) -> List[Path]: + """ + Find all YAML files in the specified directory. + + Args: + input_dir: Path to the directory to search for YAML files + + Returns: + List of paths to YAML files + """ + yaml_files = [] + + # Look for .yml and .yaml files recursively + for pattern in ['**/*.yml', '**/*.yaml']: + yaml_files.extend(input_dir.glob(pattern)) + + # Exclude template files and files with 'old' in the name + yaml_files = [ + f for f in yaml_files + if not f.name.startswith('TEMPLATE') and 'old' not in f.name.lower() + ] + + return sorted(yaml_files) + + +def parse_arguments(): + """ + Parse command-line arguments. + + Returns: + argparse.Namespace: Parsed arguments + """ + parser = argparse.ArgumentParser( + description="Validate YAML files against a predefined JSON schema.", + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=""" +Examples: + %(prog)s # Validate files in the default 'datasets' directory + %(prog)s /path/to/data # Validate files in a specific directory + %(prog)s ../other_datasets # Validate files in a relative path + """ + ) + + parser.add_argument( + 'input_folder', + nargs='?', + default='datasets', + help='Directory to search for YAML files (default: datasets)' + ) + + return parser.parse_args() + + +def main(): + """ + Main function to validate all YAML files in the specified directory. + """ + # Parse command-line arguments + args = parse_arguments() + + # Get the project root directory and input directory + script_dir = Path(__file__).parent + project_root = script_dir.parent + + # Handle input folder path (can be relative or absolute) + if Path(args.input_folder).is_absolute(): + input_dir = Path(args.input_folder) + else: + input_dir = project_root / args.input_folder + + if not input_dir.exists(): + print(f"Error: Input directory not found: {input_dir}") + sys.exit(1) + + if not input_dir.is_dir(): + print(f"Error: Input path is not a directory: {input_dir}") + sys.exit(1) + + print(f"Validating YAML files in: {input_dir}") + + # Load the JSON schema + try: + schema = load_yaml_schema() + except (FileNotFoundError, json.JSONDecodeError) as e: + print(f"Error loading schema: {e}") + sys.exit(1) + + # Find all YAML files + yaml_files = find_yaml_files(input_dir) + + if not yaml_files: + print(f"No YAML files found in the input directory: {input_dir}") + return + + print(f"Found {len(yaml_files)} YAML files to validate...") + print("-" * 60) + + total_files = len(yaml_files) + valid_files = 0 + invalid_files = 0 + failed_validations = [] # Track failed files and their errors + + # Validate each file + for yaml_file in yaml_files: + # Try to get relative path from project root, fallback to input_dir + try: + relative_path = yaml_file.relative_to(project_root) + except ValueError: + relative_path = yaml_file.relative_to(input_dir) + + print(f"\nValidating: {relative_path}") + + errors = validate_yaml_file(yaml_file, schema) + + if errors: + invalid_files += 1 + print(f"❌ INVALID - {len(errors)} error(s):") + for error in errors: + print(f" • {error}") + # Store failed validation details + failed_validations.append((relative_path, errors)) + else: + valid_files += 1 + print("✅ VALID") + + # Print summary + print("\n" + "=" * 60) + print("VALIDATION SUMMARY") + print("=" * 60) + print(f"Total files processed: {total_files}") + print(f"Valid files: {valid_files}") + print(f"Invalid files: {invalid_files}") + + if invalid_files > 0: + print(f"\n❌ {invalid_files} file(s) failed validation!") + + # Print detailed failed validations at the end + print("\n" + "=" * 60) + print("FAILED VALIDATIONS") + print("=" * 60) + for file_path, errors in failed_validations: + print(f"\n📁 {file_path}") + print("-" * 40) + for i, error in enumerate(errors, 1): + print(f"{i}. {error}") + + sys.exit(1) + else: + print("\n✅ All files passed validation!") + + +if __name__ == "__main__": + main() diff --git a/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml b/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml deleted file mode 100644 index d3f9fe29d..000000000 --- a/datasets/attack_techniques/T1003.002/hivenightmare/atomic_red_team.yml +++ /dev/null @@ -1,14 +0,0 @@ -author: Mauricio Velazco, Michael Haag -id: cc9b25e8-efc9-11eb-926b-550bf0943fbb -date: '2021-07-21' -description: CVE-2021-36934 exploitation using PowerShell to copy the SAM, SYSTEM - and SECURITY hives from a Volume Shadow Copy to a temp folder -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/serioussam/windows-powershell.log -sourcetypes: -- WinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1003/002/ -- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 diff --git a/datasets/attack_techniques/T1018/constrained/powerview.yml b/datasets/attack_techniques/T1018/constrained/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/constrained/powerview.yml rename to datasets/attack_techniques/T1018/constrained/powerview_old.yml diff --git a/datasets/attack_techniques/T1018/unconstrained/powerview.yml b/datasets/attack_techniques/T1018/unconstrained/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/unconstrained/powerview.yml rename to datasets/attack_techniques/T1018/unconstrained/powerview_old.yml diff --git a/datasets/attack_techniques/T1018/unconstrained2/getadcomputer.yml b/datasets/attack_techniques/T1018/unconstrained2/getadcomputer_old.yml similarity index 100% rename from datasets/attack_techniques/T1018/unconstrained2/getadcomputer.yml rename to datasets/attack_techniques/T1018/unconstrained2/getadcomputer_old.yml diff --git a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml index 1bc21bcb4..60c8ad4fb 100644 --- a/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1021.002/atomic_red_team/atomic_red_team.yml @@ -28,7 +28,8 @@ datasets: source: XmlWinEventLog:Security - name: firewall-powershell path: /datasets/attack_techniques/T1021.002/atomic_red_team/firewall-powershell.log - sourcetype: firewall + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - name: 4688_wmiexec_windows-security path: /datasets/attack_techniques/T1021.002/atomic_red_team/4688_wmiexec_windows-security.log sourcetype: XmlWinEventLog diff --git a/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml index a0dc32ff5..dda0d0e27 100644 --- a/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1021.004/atomic_red_team/atomic_red_team.yml @@ -3,9 +3,11 @@ id: cc9b260c-efc9-11eb-916b-150bf0941fbb date: '2022-07-24' description: 'Simulated lateral movement with SSH' environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log -sourcetypes: -- sysmon_linux -references: -- https://attack.mitre.org/techniques/T1021/004/ +directory: atomic_red_team +mitre_technique: +- T1021.004 +datasets: +- name: linux-sysmon + path: /datasets/attack_techniques/T1021.004/atomic_red_team/linux-sysmon.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml b/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml index e7c891196..55365cda8 100644 --- a/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml +++ b/datasets/attack_techniques/T1021.006/compmgtm_access/compmgtm_access.yml @@ -3,9 +3,11 @@ id: 2eba8f04-033e-11f0-bf1c-629be3538069 date: '2025-03-17' description: Generated datasets for compmgtm access in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/compmgtm_access/compmgmt_load.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a \ No newline at end of file +directory: compmgtm_access +mitre_technique: +- T1021.006 +datasets: +- name: compmgmt_load + path: /datasets/attack_techniques/T1021.006/compmgtm_access/compmgmt_load.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml b/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml index 357c5803a..d5e6fc4d7 100644 --- a/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml +++ b/datasets/attack_techniques/T1021.006/wirm_execute_shell/wirm_execute_shell.yml @@ -3,9 +3,11 @@ id: 805b344a-b946-11ef-8789-acde48001122 date: '2024-12-13' description: Generated datasets for wirm execute shell in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://strontic.github.io/xcyclopedia/library/winrshost.exe-6790044CEB4BA5BE6AA8161460D990FD.html \ No newline at end of file +directory: wirm_execute_shell +mitre_technique: +- T1021.006 +datasets: +- name: winrshost_pwh + path: /datasets/attack_techniques/T1021.006/wirm_execute_shell/winrshost_pwh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml index b96be2e0d..576b9d722 100644 --- a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml +++ b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml @@ -2,10 +2,12 @@ author: Teoderick Contreras, Splunk id: a7e8ecfc-4ee6-4869-bd77-0d9fe5bcdc85 date: '2023-11-23' description: Generated datasets for wsman trustedhost in attack range. -environment: attackrange -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate +environment: attack_range +directory: wsman_trustedhost +mitre_technique: +- T1021.006 +datasets: +- name: wsman_pwh + path: /datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content.yml b/datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content_old.yml similarity index 100% rename from datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content.yml rename to datasets/attack_techniques/T1021/illegal_access_to_content/illegal_access_to_content_old.yml diff --git a/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry.yml b/datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry_old.yml similarity index 100% rename from datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry.yml rename to datasets/attack_techniques/T1027.011/njrat_fileless_registry_entry/njrat_fileless_registry_entry_old.yml diff --git a/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution.yml b/datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution_old.yml similarity index 100% rename from datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution.yml rename to datasets/attack_techniques/T1027.013/rar_sfx_execution/rar_sfx_execution_old.yml diff --git a/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.yml b/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.yml rename to datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage_old.yml diff --git a/datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost.yml b/datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost_old.yml similarity index 100% rename from datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost.yml rename to datasets/attack_techniques/T1035.009/suspicious_spawn_svchost/suspicious_spawn_svchost_old.yml diff --git a/datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override.yml b/datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override.yml rename to datasets/attack_techniques/T1036.002/outlook_attachment/right_to_left_override_old.yml diff --git a/datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell.yml b/datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell.yml rename to datasets/attack_techniques/T1036.003/renamed_powershell/renamed_powershell_old.yml diff --git a/datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata.yml b/datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata.yml rename to datasets/attack_techniques/T1036.005/process_in_programdata/process_in_programdata_old.yml diff --git a/datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit.yml b/datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit_old.yml similarity index 100% rename from datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit.yml rename to datasets/attack_techniques/T1036.009/32bit_process_execute_64bit/32bit_process_execute_64bit_old.yml diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml rename to datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage_old.yml diff --git a/datasets/attack_techniques/T1036/debugger_execution/debugger_execution.yml b/datasets/attack_techniques/T1036/debugger_execution/debugger_execution_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/debugger_execution/debugger_execution.yml rename to datasets/attack_techniques/T1036/debugger_execution/debugger_execution_old.yml diff --git a/datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path.yml b/datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path.yml rename to datasets/attack_techniques/T1036/executables_suspicious_file_path/executables_suspicious_file_path_old.yml diff --git a/datasets/attack_techniques/T1036/process_temp_path/process_temp_path.yml b/datasets/attack_techniques/T1036/process_temp_path/process_temp_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/process_temp_path/process_temp_path.yml rename to datasets/attack_techniques/T1036/process_temp_path/process_temp_path_old.yml diff --git a/datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location.yml b/datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location_old.yml similarity index 100% rename from datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location.yml rename to datasets/attack_techniques/T1036/system_process_running_unexpected_location/system_process_running_unexpected_location_old.yml diff --git a/datasets/attack_techniques/T1040/ssltls/ssltls.yml b/datasets/attack_techniques/T1040/ssltls/ssltls_old.yml similarity index 100% rename from datasets/attack_techniques/T1040/ssltls/ssltls.yml rename to datasets/attack_techniques/T1040/ssltls/ssltls_old.yml diff --git a/datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl.yml b/datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl_old.yml similarity index 100% rename from datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl.yml rename to datasets/attack_techniques/T1041/zeek_ssl/zeek_ssl_old.yml diff --git a/datasets/attack_techniques/T1046/nmap/nmap.yml b/datasets/attack_techniques/T1046/nmap/nmap_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/nmap/nmap.yml rename to datasets/attack_techniques/T1046/nmap/nmap_old.yml diff --git a/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml rename to datasets/attack_techniques/T1046/open_dns_port/open_dns_port_old.yml diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery_old.yml similarity index 100% rename from datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml rename to datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery_old.yml diff --git a/datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task.yml b/datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task.yml rename to datasets/attack_techniques/T1053/hidden_schedule_task/hidden_schedule_task_old.yml diff --git a/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.yml b/datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll.yml rename to datasets/attack_techniques/T1053/taskschd_dll/taskschd_dll_old.yml diff --git a/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.yml b/datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask_old.yml similarity index 100% rename from datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask.yml rename to datasets/attack_techniques/T1053/valleyrat_schedtask/valleyrat_schedtask_old.yml diff --git a/datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer.yml b/datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer_old.yml similarity index 100% rename from datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer.yml rename to datasets/attack_techniques/T1055/non-service-searchindexer/non-service-searchindexer_old.yml diff --git a/datasets/attack_techniques/T1055/splunk_ds/splunkd.yml b/datasets/attack_techniques/T1055/splunk_ds/splunkd_old.yml similarity index 100% rename from datasets/attack_techniques/T1055/splunk_ds/splunkd.yml rename to datasets/attack_techniques/T1055/splunk_ds/splunkd_old.yml diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml index 587a18c02..517d03017 100644 --- a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml +++ b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/powershell_script_block_logging.yml @@ -17,4 +17,5 @@ datasets: source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: credaccess-powershell path: /datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log - sourcetype: access_combined + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml b/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml rename to datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer_old.yml diff --git a/datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments.yml b/datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments.yml rename to datasets/attack_techniques/T1059.003/cmd_arguments/cmd_arguments_old.yml diff --git a/datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history.yml b/datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history.yml rename to datasets/attack_techniques/T1059.003/delete_pwh_history/delete_pwh_history_old.yml diff --git a/datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers.yml b/datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers.yml rename to datasets/attack_techniques/T1059.003/ssa_validation/browsers/browsers_old.yml diff --git a/datasets/attack_techniques/T1059.003/ssa_validation/office/office.yml b/datasets/attack_techniques/T1059.003/ssa_validation/office/office_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/ssa_validation/office/office.yml rename to datasets/attack_techniques/T1059.003/ssa_validation/office/office_old.yml diff --git a/datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line.yml b/datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line.yml rename to datasets/attack_techniques/T1059.003/unusally_cmd_line/unusally_cmd_line_old.yml diff --git a/datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin.yml b/datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin_old.yml similarity index 100% rename from datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin.yml rename to datasets/attack_techniques/T1059.004/macos_lolbin/macos_lolbin_old.yml diff --git a/datasets/attack_techniques/T1059/defender/ms_defender.yml b/datasets/attack_techniques/T1059/defender/ms_defender_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/defender/ms_defender.yml rename to datasets/attack_techniques/T1059/defender/ms_defender_old.yml diff --git a/datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic.yml b/datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic.yml rename to datasets/attack_techniques/T1059/log4shell_ldap_traffic/log4shell_ldap_traffic_old.yml diff --git a/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes.yml b/datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes.yml rename to datasets/attack_techniques/T1059/meterpreter/taskhost_processes/taskhost_processes_old.yml diff --git a/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes.yml b/datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes.yml rename to datasets/attack_techniques/T1059/meterpreter/windows_temp_processes/windows_temp_processes_old.yml diff --git a/datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers.yml b/datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers.yml rename to datasets/attack_techniques/T1059/protocol_handlers/protocol_handlers_old.yml diff --git a/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline.yml b/datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline_old.yml similarity index 100% rename from datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline.yml rename to datasets/attack_techniques/T1059/risk_behavior/abused_commandline/abused_commandline_old.yml diff --git a/datasets/attack_techniques/T1068/pkexec/pkexec_lpe.yml b/datasets/attack_techniques/T1068/pkexec/pkexec_lpe_old.yml similarity index 100% rename from datasets/attack_techniques/T1068/pkexec/pkexec_lpe.yml rename to datasets/attack_techniques/T1068/pkexec/pkexec_lpe_old.yml diff --git a/datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check.yml b/datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check_old.yml similarity index 100% rename from datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check.yml rename to datasets/attack_techniques/T1069.001/njrat_admin_check/njrat_admin_check_old.yml diff --git a/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared.yml b/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared.yml rename to datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/windows_pwh_log_cleared_old.yml diff --git a/datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion.yml b/datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion.yml rename to datasets/attack_techniques/T1070.003/ConsoleHost_History_deletion/ConsoleHost_History_deletion_old.yml diff --git a/datasets/attack_techniques/T1070.004/cipher/cipher.yml b/datasets/attack_techniques/T1070.004/cipher/cipher_old.yml similarity index 100% rename from datasets/attack_techniques/T1070.004/cipher/cipher.yml rename to datasets/attack_techniques/T1070.004/cipher/cipher_old.yml diff --git a/datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion.yml b/datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion_old.yml similarity index 100% rename from datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion.yml rename to datasets/attack_techniques/T1070/illegal_log_deletion/illegal_log_deletion_old.yml diff --git a/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml b/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir_old.yml similarity index 100% rename from datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml rename to datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir_old.yml diff --git a/datasets/attack_techniques/T1072/intune/intune.yml b/datasets/attack_techniques/T1072/intune/intune_old.yml similarity index 100% rename from datasets/attack_techniques/T1072/intune/intune.yml rename to datasets/attack_techniques/T1072/intune/intune_old.yml diff --git a/datasets/attack_techniques/T1078.002/account_login/account_login.yml b/datasets/attack_techniques/T1078.002/account_login/account_login_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.002/account_login/account_login.yml rename to datasets/attack_techniques/T1078.002/account_login/account_login_old.yml diff --git a/datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing.yml b/datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing.yml rename to datasets/attack_techniques/T1078.002/samaccountname_spoofing/samaaccountname_spoofing_old.yml diff --git a/datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa.yml b/datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa_old.yml similarity index 100% rename from datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa.yml rename to datasets/attack_techniques/T1078.004/aws_login_sfa/aws_login_sfa_old.yml diff --git a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml index 50f7a26b5..d7a3f0d9d 100644 --- a/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml +++ b/datasets/attack_techniques/T1078.004/okta_single_factor_auth/okta_single_factor_auth.yml @@ -1,5 +1,5 @@ author: Bhavin Patel -id: 71ad47d1-w6bd-4e0a-b35c-020ad9a6959q +id: 1664c41a-5f46-4f83-bd5d-619aa02870fc date: '2024-03-18' description: Manually generated dataset for a single factor authentication attempt environment: attack_range diff --git a/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.yml b/datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml.yml rename to datasets/attack_techniques/T1078/assume_role_with_saml/assume_role_with_saml_old.yml diff --git a/datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy.yml b/datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy.yml rename to datasets/attack_techniques/T1078/attach_role_trust_policy/attach_role_trust_policy_old.yml diff --git a/datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role.yml b/datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role.yml rename to datasets/attack_techniques/T1078/attach_user_to_role/attach_user_to_role_old.yml diff --git a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml index fed7577a9..8d8a8ef56 100644 --- a/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml +++ b/datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.yml @@ -10,6 +10,7 @@ directory: aws_saml_access_by_provider_user_and_principal mitre_technique: - T1078 datasets: -- name: aws_saml_access_by_provider_user_and_principal-json +- name: aws_saml_access_by_provider_user_and_principal path: /datasets/attack_techniques/T1078/aws_saml_access_by_provider_user_and_principal/aws_saml_access_by_provider_user_and_principal.json - sourcetype: access_combined + sourcetype: aws:cloudtrail + source: aws_cloudtrail diff --git a/datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role.yml b/datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role.yml rename to datasets/attack_techniques/T1078/create_IAM_role/create_IAM_role_old.yml diff --git a/datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework.yml b/datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework.yml rename to datasets/attack_techniques/T1078/gcploit_exploitation_framework/gcploit_exploitation_framework_old.yml diff --git a/datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource.yml b/datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource.yml rename to datasets/attack_techniques/T1078/high_risk_permission_by_resource/high_risk_permission_by_resource_old.yml diff --git a/datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project.yml b/datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project.yml rename to datasets/attack_techniques/T1078/high_risk_role_by_project/high_risk_role_by_project_old.yml diff --git a/datasets/attack_techniques/T1078/splunkd_auth/audittrail.yml b/datasets/attack_techniques/T1078/splunkd_auth/audittrail_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/splunkd_auth/audittrail.yml rename to datasets/attack_techniques/T1078/splunkd_auth/audittrail_old.yml diff --git a/datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage.yml b/datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage.yml rename to datasets/attack_techniques/T1078/sts_assumerole_usage/sts_assumerole_usage_old.yml diff --git a/datasets/attack_techniques/T1083/splunk/data.yml b/datasets/attack_techniques/T1083/splunk/data.yml deleted file mode 100644 index 474d6426f..000000000 --- a/datasets/attack_techniques/T1083/splunk/data.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Generated by dataset_analyzer.py -id: 18dbb58f-e14c-4b62-aa7d-9c03cbd7f1d9 -date: '2025-08-12' -description: Automatically categorized datasets in directory splunk -environment: attack_range -directory: splunk -mitre_technique: -- T1083 -datasets: -- name: SVD-2024-0711_web_access_splunk_web_access - path: /datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied_old.yml similarity index 100% rename from datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml rename to datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied_old.yml diff --git a/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire.yml b/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire_old.yml similarity index 100% rename from datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire.yml rename to datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/powerview_get_netuser_preauthnotrequire_old.yml diff --git a/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.yml b/datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed_old.yml similarity index 100% rename from datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed.yml rename to datasets/attack_techniques/T1090.003/pan_tor_allowed/pan_tor_allowed_old.yml diff --git a/datasets/attack_techniques/T1095/palologs/disable_rdp.yml b/datasets/attack_techniques/T1095/palologs/disable_rdp_old.yml similarity index 100% rename from datasets/attack_techniques/T1095/palologs/disable_rdp.yml rename to datasets/attack_techniques/T1095/palologs/disable_rdp_old.yml diff --git a/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.yml b/datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned_old.yml similarity index 100% rename from datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned.yml rename to datasets/attack_techniques/T1098.002/application_impersonation_role_assigned/application_impersonation_role_assigned_old.yml diff --git a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml index c7c89ffc9..031a270e5 100644 --- a/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.yml @@ -10,4 +10,5 @@ mitre_technique: datasets: - name: full_access_as_app_permission_assigned path: /datasets/attack_techniques/T1098.002/full_access_as_app_permission_assigned/full_access_as_app_permission_assigned.log - sourcetype: access_combined + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml index 2cd9715f4..10c482db9 100644 --- a/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml +++ b/datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.yml @@ -10,4 +10,5 @@ mitre_technique: datasets: - name: o365_full_access_as_app_permission_assigned path: /datasets/attack_techniques/T1098.002/o365_full_access_as_app_permission_assigned/o365_full_access_as_app_permission_assigned.log - sourcetype: access_combined + sourcetype: o365:management:activity + source: o365 diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change_old.yml similarity index 100% rename from datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml rename to datasets/attack_techniques/T1098/linux_password_change/linux_password_change_old.yml diff --git a/datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli.yml b/datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli_old.yml similarity index 100% rename from datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli.yml rename to datasets/attack_techniques/T1102.002/telegram_api_cli/telegram_api_cli_old.yml diff --git a/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns.yml b/datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns_old.yml similarity index 100% rename from datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns.yml rename to datasets/attack_techniques/T1102.002/telegram_api_dns/telegram_api_dns_old.yml diff --git a/datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection.yml b/datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection_old.yml similarity index 100% rename from datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection.yml rename to datasets/attack_techniques/T1102/njrat_ngrok_connection/njrat_ngrok_connection_old.yml diff --git a/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query.yml b/datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query_old.yml similarity index 100% rename from datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query.yml rename to datasets/attack_techniques/T1105/tinyurl_dns_query/tinyurl_dns_query_old.yml diff --git a/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source.yml b/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source.yml rename to datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source/high_number_of_login_failures_from_a_single_source_old.yml diff --git a/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user.yml b/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user.yml rename to datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/aws_multiple_login_fail_per_user_old.yml diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml rename to datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack_old.yml diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml rename to datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce_old.yml diff --git a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml index 5b6d00bc9..65015e96c 100644 --- a/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml +++ b/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.yml @@ -1,6 +1,6 @@ author: Mauricio Velazco id: 84f64eb3-722c-4fe7-857c-c8e15bb96ef1 -date: '2022-02-29' +date: '2022-02-27' description: Used a tool to spray Okta users environment: attack_range directory: okta_multiple_users_from_ip diff --git a/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/purplesharp_disabled_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray.yml rename to datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/purplesharp_explicit_credential_spray_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml index 2b25998bc..f8bafc9fd 100644 --- a/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml +++ b/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray_xml/purplesharp_explicit_credential_spray_xml.yml @@ -1,5 +1,5 @@ author: Mauricio Velazco -id: null +id: cc959a2c-7e5c-4a0b-a0fd-0f6e75eeaada date: '2022-09-08' description: 'Automated generation of attack data using PurpleSharp: Remote password spraying attack against one host using NTLM' diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/purplesharp_invalid_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm.yml b/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm.yml rename to datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/purplesharp_invalid_users_ntlm_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process.yml b/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process.yml rename to datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/purplesharp_multiple_users_from_process_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray.yml b/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray.yml rename to datasets/attack_techniques/T1110.003/purplesharp_remote_spray/purplesharp_remote_spray_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos.yml rename to datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/purplesharp_valid_users_kerberos_old.yml diff --git a/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm.yml b/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm_old.yml similarity index 100% rename from datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm.yml rename to datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/purplesharp_valid_users_ntlm_old.yml diff --git a/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml b/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml rename to datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias_old.yml diff --git a/datasets/attack_techniques/T1112/T1112.yml b/datasets/attack_techniques/T1112/T1112_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/T1112.yml rename to datasets/attack_techniques/T1112/T1112_old.yml diff --git a/datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting.yml b/datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting.yml rename to datasets/attack_techniques/T1112/bitlocker_registry_setting/bitlocker_registry_setting_old.yml diff --git a/datasets/attack_techniques/T1112/disable_rdp/disable_rdp.yml b/datasets/attack_techniques/T1112/disable_rdp/disable_rdp_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/disable_rdp/disable_rdp.yml rename to datasets/attack_techniques/T1112/disable_rdp/disable_rdp_old.yml diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml index 925a734ce..57e32fa0d 100644 --- a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml @@ -9,7 +9,9 @@ mitre_technique: datasets: - name: firewall-mod-delete path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log - sourcetype: firewall + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - name: firewall_mod_delete path: /datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log - sourcetype: firewall + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.yml b/datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg.yml rename to datasets/attack_techniques/T1112/kingsoft_reg/kingsoft_reg_old.yml diff --git a/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry.yml b/datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry.yml rename to datasets/attack_techniques/T1112/njrat_md5_registry_entry/njrat_md5_registry_entry_old.yml diff --git a/datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper.yml b/datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper.yml rename to datasets/attack_techniques/T1112/no_changing_wallpaper/no_changing_wallpaper_old.yml diff --git a/datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml b/datasets/attack_techniques/T1112/proxy_enable/proxy_enable_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml rename to datasets/attack_techniques/T1112/proxy_enable/proxy_enable_old.yml diff --git a/datasets/attack_techniques/T1112/proxy_server/proxy_server.yml b/datasets/attack_techniques/T1112/proxy_server/proxy_server_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/proxy_server/proxy_server.yml rename to datasets/attack_techniques/T1112/proxy_server/proxy_server_old.yml diff --git a/datasets/attack_techniques/T1112/pwn_reg/pwn_reg.yml b/datasets/attack_techniques/T1112/pwn_reg/pwn_reg_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/pwn_reg/pwn_reg.yml rename to datasets/attack_techniques/T1112/pwn_reg/pwn_reg_old.yml diff --git a/datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy.yml b/datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy.yml rename to datasets/attack_techniques/T1112/smart_card_group_policy/smart_card_group_policy_old.yml diff --git a/datasets/attack_techniques/T1112/test_registry/test_registry.yml b/datasets/attack_techniques/T1112/test_registry/test_registry_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/test_registry/test_registry.yml rename to datasets/attack_techniques/T1112/test_registry/test_registry_old.yml diff --git a/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.yml b/datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2.yml rename to datasets/attack_techniques/T1112/valleyrat_c2_reg2/valleyrat_c2_reg2_old.yml diff --git a/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml b/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml rename to datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui_old.yml diff --git a/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior.yml b/datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior_old.yml similarity index 100% rename from datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior.yml rename to datasets/attack_techniques/T1112/windows_mod_reg_risk_behavior/windows_mod_reg_risk_behavior_old.yml diff --git a/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.yml b/datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot_old.yml similarity index 100% rename from datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot.yml rename to datasets/attack_techniques/T1113/braodo_screenshot/braodo_screenshot_old.yml diff --git a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml index f9327cb20..e0f4c5cb4 100644 --- a/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml +++ b/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.yml @@ -10,4 +10,5 @@ mitre_technique: datasets: - name: o365_multiple_mailboxes_accessed_via_api path: /datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log - sourcetype: access_combined + sourcetype: o365:management:activity + source: o365 \ No newline at end of file diff --git a/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.yml b/datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation_old.yml similarity index 100% rename from datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation.yml rename to datasets/attack_techniques/T1114.002/suspicious_rights_delegation/suspicious_rights_delegation_old.yml diff --git a/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml b/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change_old.yml similarity index 100% rename from datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.yml rename to datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change_old.yml diff --git a/datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1115/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync.yml b/datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync_old.yml similarity index 100% rename from datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync.yml rename to datasets/attack_techniques/T1119/aws_exfil_datasync/aws_exfil_datasync_old.yml diff --git a/datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules.yml b/datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules_old.yml similarity index 100% rename from datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules.yml rename to datasets/attack_techniques/T1129/executable_shared_modules/executable_shared_modules_old.yml diff --git a/datasets/attack_techniques/T1133/rdp/rdp_terminalservices.yml b/datasets/attack_techniques/T1133/rdp/rdp_terminalservices_old.yml similarity index 100% rename from datasets/attack_techniques/T1133/rdp/rdp_terminalservices.yml rename to datasets/attack_techniques/T1133/rdp/rdp_terminalservices_old.yml diff --git a/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml b/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline_old.yml similarity index 100% rename from datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml rename to datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline_old.yml diff --git a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml index d25427173..ba734f3ca 100644 --- a/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml +++ b/datasets/attack_techniques/T1135/net_share_discovery_via_dir/net_share_discovery_via_dir.yml @@ -9,7 +9,9 @@ mitre_technique: datasets: - name: smb_access_security_xml path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smb_access_security_xml.log - sourcetype: access_combined + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Auditing - name: smbaccess-5140-security-xml2 path: /datasets/attack_techniques/T1135/net_share_discovery_via_dir/smbaccess-5140-security-xml2.log - sourcetype: access_combined + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Auditing diff --git a/datasets/attack_techniques/T1136.001/net_create_user/net_create_user.yml b/datasets/attack_techniques/T1136.001/net_create_user/net_create_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1136.001/net_create_user/net_create_user.yml rename to datasets/attack_techniques/T1136.001/net_create_user/net_create_user_old.yml diff --git a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml index aa57a4632..b370e49c5 100644 --- a/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/azure_ad_multiple_service_principals_created/azure_ad_multiple_service_principals_created.yml @@ -1,7 +1,7 @@ author: Mauricio Velazco id: 55543737-a4d0-42fe-909e-c2750e409700 date: '2024-02-07' -description: null +description: 'azure ad multiple service principals created' environment: attack_range directory: azure_ad_multiple_service_principals_created mitre_technique: diff --git a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml index 4e6b9e63d..409b3c302 100644 --- a/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml +++ b/datasets/attack_techniques/T1136.003/o365_multiple_service_principals_created/o365_multiple_service_principals_created.yml @@ -1,7 +1,7 @@ author: Mauricio Velazco id: f9e755a0-5abc-4675-8313-79da901c87dd date: '2024-02-07' -description: null +description: 'o365 multiple service principals created' environment: attack_range directory: o365_multiple_service_principals_created mitre_technique: diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml rename to datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user_old.yml diff --git a/datasets/attack_techniques/T1176.001/disable_extension/disable_extension.yml b/datasets/attack_techniques/T1176.001/disable_extension/disable_extension_old.yml similarity index 100% rename from datasets/attack_techniques/T1176.001/disable_extension/disable_extension.yml rename to datasets/attack_techniques/T1176.001/disable_extension/disable_extension_old.yml diff --git a/datasets/attack_techniques/T1185/headlessbrowser/headless_browser.yml b/datasets/attack_techniques/T1185/headlessbrowser/headless_browser_old.yml similarity index 100% rename from datasets/attack_techniques/T1185/headlessbrowser/headless_browser.yml rename to datasets/attack_techniques/T1185/headlessbrowser/headless_browser_old.yml diff --git a/datasets/attack_techniques/T1189/splunk/splunk.yml b/datasets/attack_techniques/T1189/splunk/splunk.yml deleted file mode 100644 index 0e426a5a0..000000000 --- a/datasets/attack_techniques/T1189/splunk/splunk.yml +++ /dev/null @@ -1,24 +0,0 @@ -author: Rod Soto -id: cc99276c-bac9-24eb-726b-551bf0903fbb -date: '2024-12-27' -description: Manual generation of attack data -environment: attack_range -directory: splunk -mitre_technique: -- T1189 -datasets: -- name: splunk_xss_in_highlighted_json_events_splunkd_ui_access - path: /datasets/attack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log - sourcetype: access_combined -- name: splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access - path: /datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_on_app_search_table_endpoint_splunk_web_access.log - sourcetype: access_combined -- name: SVD-2024-0712_splunkd_ui_access_splunk_ui_access - path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log - sourcetype: access_combined -- name: SVD-2024-0714_web_access_splunk_web_access - path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log - sourcetype: access_combined -- name: SVD-2024-0715_splunkd_splunkd_access - path: /datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1189/xss/xss.yml b/datasets/attack_techniques/T1189/xss/xss.yml deleted file mode 100644 index 71984888f..000000000 --- a/datasets/attack_techniques/T1189/xss/xss.yml +++ /dev/null @@ -1,13 +0,0 @@ -author: Lou Stella -id: cc9b266c-efc9-24eb-726b-550bf0943fbb -date: '2022-04-27' -description: Manual generation of attack data by inserting parameters in Splunk monitoring - console. -environment: attack_range -directory: xss -mitre_technique: -- T1189 -datasets: -- name: splunk_web_access - path: /datasets/attack_techniques/T1189/xss/splunk_web_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/adobe/adobe.yml b/datasets/attack_techniques/T1190/adobe/adobe_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/adobe/adobe.yml rename to datasets/attack_techniques/T1190/adobe/adobe_old.yml diff --git a/datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe.yml b/datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe.yml rename to datasets/attack_techniques/T1190/cisco/iosxe/ciscoiosxe_old.yml diff --git a/datasets/attack_techniques/T1190/citrix/citrix.yml b/datasets/attack_techniques/T1190/citrix/citrix.yml index de324aa2b..4ea438d51 100644 --- a/datasets/attack_techniques/T1190/citrix/citrix.yml +++ b/datasets/attack_techniques/T1190/citrix/citrix.yml @@ -1,5 +1,5 @@ author: Michael Haag, Splunk -id: cc9b266c-19c9-11eb-926b-220bf0943fas +id: 56fbbe5d-d63e-4b59-abed-738363477b95 date: '2023-07-21' description: Attack data related to CVE-2023-3519 environment: attack_range @@ -14,6 +14,8 @@ datasets: - name: nginx_kv_citrixbleed2_startwebview path: /datasets/attack_techniques/T1190/citrix/nginx_kv_citrixbleed2_startwebview.log sourcetype: nginx:plus:access + source: nginx - name: nginx_kv_cve_2023-4966-citrix path: /datasets/attack_techniques/T1190/citrix/nginx_kv_cve_2023-4966-citrix.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/confluence/confluence.yml b/datasets/attack_techniques/T1190/confluence/confluence.yml index a570666a0..e31225d6c 100644 --- a/datasets/attack_techniques/T1190/confluence/confluence.yml +++ b/datasets/attack_techniques/T1190/confluence/confluence.yml @@ -10,9 +10,11 @@ datasets: - name: nginx_plus_kv_confluence path: /datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log sourcetype: nginx:plus:access + source: nginx - name: nginx_kv_confluence_CVE-2024-21683 path: /datasets/attack_techniques/T1190/confluence/nginx_kv_confluence_CVE-2024-21683.log sourcetype: nginx:plus:access + source: nginx - name: suricata_confluence_cve-2023-22527 path: /datasets/attack_techniques/T1190/confluence/suricata_confluence_cve-2023-22527.log sourcetype: suricata @@ -20,3 +22,4 @@ datasets: - name: nginx_shellservlet path: /datasets/attack_techniques/T1190/confluence/nginx_shellservlet.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/f5/f5.yml b/datasets/attack_techniques/T1190/f5/f5_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/f5/f5.yml rename to datasets/attack_techniques/T1190/f5/f5_old.yml diff --git a/datasets/attack_techniques/T1190/fortigate/fortigate.yml b/datasets/attack_techniques/T1190/fortigate/fortigate_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/fortigate/fortigate.yml rename to datasets/attack_techniques/T1190/fortigate/fortigate_old.yml diff --git a/datasets/attack_techniques/T1190/ivanti/ivanti.yml b/datasets/attack_techniques/T1190/ivanti/ivanti.yml index 2b547e06c..0c533348f 100644 --- a/datasets/attack_techniques/T1190/ivanti/ivanti.yml +++ b/datasets/attack_techniques/T1190/ivanti/ivanti.yml @@ -29,7 +29,8 @@ datasets: source: suricata - name: ivanti_bookmark_web_access path: /datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log - sourcetype: access_combined + sourcetype: suricata + source: suricata - name: suricata_ivanti_CVE202335082 path: /datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log sourcetype: suricata @@ -37,3 +38,4 @@ datasets: - name: ivanti_vtm_nginxproxy path: /datasets/attack_techniques/T1190/ivanti/ivanti_vtm_nginxproxy.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/java/java.yml b/datasets/attack_techniques/T1190/java/java.yml index 061923fc8..25c244bbe 100644 --- a/datasets/attack_techniques/T1190/java/java.yml +++ b/datasets/attack_techniques/T1190/java/java.yml @@ -10,3 +10,4 @@ datasets: - name: log4shell-nginx path: /datasets/attack_techniques/T1190/java/log4shell-nginx.log sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1190/jenkins/jenkins.yml b/datasets/attack_techniques/T1190/jenkins/jenkins.yml index 4a56f1aa9..5bb69eb17 100644 --- a/datasets/attack_techniques/T1190/jenkins/jenkins.yml +++ b/datasets/attack_techniques/T1190/jenkins/jenkins.yml @@ -10,3 +10,4 @@ datasets: - name: nginx_jenkins_cve_2023_23897 path: /datasets/attack_techniques/T1190/jenkins/nginx_jenkins_cve_2023_23897.log sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1190/jetbrains/jetbrains.yml b/datasets/attack_techniques/T1190/jetbrains/jetbrains_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/jetbrains/jetbrains.yml rename to datasets/attack_techniques/T1190/jetbrains/jetbrains_old.yml diff --git a/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.yml b/datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs.yml rename to datasets/attack_techniques/T1190/log4j_network_logs/log4j_network_logs_old.yml diff --git a/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.yml b/datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs.yml rename to datasets/attack_techniques/T1190/log4j_proxy_logs/log4j_proxy_logs_old.yml diff --git a/datasets/attack_techniques/T1190/magento/magento.yml b/datasets/attack_techniques/T1190/magento/magento.yml deleted file mode 100644 index 78947e712..000000000 --- a/datasets/attack_techniques/T1190/magento/magento.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Michael Haag, Splunk -id: 9535ef60-d482-414c-b8bb-6d1bd61e8322 -date: '2024-11-13' -description: Manual generation of attack data related to Magento access logs -environment: attack_range -directory: magento -mitre_technique: -- T1190 -datasets: -- name: magento_access_filtered - path: /datasets/attack_techniques/T1190/magento/magento_access_filtered.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/moveit/moveit.yml b/datasets/attack_techniques/T1190/moveit/moveit_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/moveit/moveit.yml rename to datasets/attack_techniques/T1190/moveit/moveit_old.yml diff --git a/datasets/attack_techniques/T1190/outbound_ldap/bro_conn.yml b/datasets/attack_techniques/T1190/outbound_ldap/bro_conn_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/outbound_ldap/bro_conn.yml rename to datasets/attack_techniques/T1190/outbound_ldap/bro_conn_old.yml diff --git a/datasets/attack_techniques/T1190/pswa/pswa.yml b/datasets/attack_techniques/T1190/pswa/pswa.yml deleted file mode 100644 index 0fafc8da4..000000000 --- a/datasets/attack_techniques/T1190/pswa/pswa.yml +++ /dev/null @@ -1,12 +0,0 @@ -author: Michael Haag, Splunk -id: d5f9b9bf-1104-4232-9f18-202ecb06ded2 -date: '2024-09-09' -description: Generation of data for the PowerShell Web Access (PSWA). -environment: attack_range -directory: pswa -mitre_technique: -- T1190 -datasets: -- name: iis_pswaaccess - path: /datasets/attack_techniques/T1190/pswa/iis_pswaaccess.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml index 358097387..1e391a92b 100644 --- a/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1190/screenconnect/screenconnect.yml @@ -15,6 +15,7 @@ datasets: - name: nginx_screenconnect path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log sourcetype: nginx:plus:access + source: nginx - name: connectwise_auth_suricata path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log sourcetype: linux_secure diff --git a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml index 2d8602280..b63541d59 100644 --- a/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml +++ b/datasets/attack_techniques/T1190/sharepoint/sharepoint.yml @@ -9,4 +9,5 @@ mitre_technique: datasets: - name: sharepointeop path: /datasets/attack_techniques/T1190/sharepoint/sharepointeop.log - sourcetype: sharepoint:uls + source: suricata + sourcetype: suricata diff --git a/datasets/attack_techniques/T1190/splunk/splunk.yml b/datasets/attack_techniques/T1190/splunk/splunk.yml deleted file mode 100644 index 1727394c2..000000000 --- a/datasets/attack_techniques/T1190/splunk/splunk.yml +++ /dev/null @@ -1,16 +0,0 @@ -author: Rod Soto -id: 67e13771-9616-4363-96d3-a8c18eea2d23 -date: '2023-07-31' -description: An attacker can use a specially crafted web URL in their browser to cause - log file injection, in which the attack inserts American National Standards Institute - (ANSI) escape codes into specific files using a terminal program that supports those - escape codes. The attack requires a terminal program that supports the translation - of ANSI escape codes and requires additional user interaction to successfully execute. -environment: attack_range -directory: splunk -mitre_technique: -- T1190 -datasets: -- name: web_access - path: /datasets/attack_techniques/T1190/splunk/web_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml index 669aa4561..564cc8818 100644 --- a/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml +++ b/datasets/attack_techniques/T1190/spring4shell/spring4shell.yml @@ -1,5 +1,5 @@ author: Michael Haag, Splunk -id: 9535ef60-d482-214c-bxbb-6d1bd61e83be +id: 444c1707-a2db-43ee-ab04-e03307137ec5 date: '2022-04-05' description: Manual generation of attack data related to Spring4Shell with Nginx proxy logs @@ -11,3 +11,4 @@ datasets: - name: spring4shell_nginx path: /datasets/attack_techniques/T1190/spring4shell/spring4shell_nginx.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/text4shell/text4shell.yml b/datasets/attack_techniques/T1190/text4shell/text4shell.yml index 3c3d72825..f3a2ee033 100644 --- a/datasets/attack_techniques/T1190/text4shell/text4shell.yml +++ b/datasets/attack_techniques/T1190/text4shell/text4shell.yml @@ -1,5 +1,5 @@ author: Michael Haag, Splunk -id: 9535ef60-d482-214c-bxbb-6d1bd61e83be +id: 36cda810-e712-4d51-9e00-3d91a07e5b7f date: '2022-04-05' description: Manual generation of attack data related to Text4Shell with Zeek HTTP logs and simulation of POC on docker. @@ -11,3 +11,4 @@ datasets: - name: text4shell_nginx path: /datasets/attack_techniques/T1190/text4shell/text4shell_nginx.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/tomcat/tomcat.yml b/datasets/attack_techniques/T1190/tomcat/tomcat.yml index 2d57d4826..463bf44b3 100644 --- a/datasets/attack_techniques/T1190/tomcat/tomcat.yml +++ b/datasets/attack_techniques/T1190/tomcat/tomcat.yml @@ -1,5 +1,5 @@ author: Michael Haag, Splunk -id: 9535ef60-d182-212c-bxbb-6d1bd61e83be +id: c09bfa7f-1770-4c05-aefa-149f1b6d6e7d date: '2025-03-26' description: Manual generation of attack data related to Tomcat with nginx proxypass. environment: attack_range @@ -9,4 +9,5 @@ mitre_technique: datasets: - name: tomcat_nginx_access path: /datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log - sourcetype: access_combined + sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1190/vmware/vmware.yml b/datasets/attack_techniques/T1190/vmware/vmware_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/vmware/vmware.yml rename to datasets/attack_techniques/T1190/vmware/vmware_old.yml diff --git a/datasets/attack_techniques/T1190/wordpress/wordpress.yml b/datasets/attack_techniques/T1190/wordpress/wordpress_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/wordpress/wordpress.yml rename to datasets/attack_techniques/T1190/wordpress/wordpress_old.yml diff --git a/datasets/attack_techniques/T1190/ws_ftp/ws_ftp.yml b/datasets/attack_techniques/T1190/ws_ftp/ws_ftp_old.yml similarity index 100% rename from datasets/attack_techniques/T1190/ws_ftp/ws_ftp.yml rename to datasets/attack_techniques/T1190/ws_ftp/ws_ftp_old.yml diff --git a/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.yml b/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.yml rename to datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request_old.yml diff --git a/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.yml b/datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert.yml rename to datasets/attack_techniques/T1195.001/github_security_advisor_alert/github_security_advisor_alert_old.yml diff --git a/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.yml b/datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow_old.yml similarity index 100% rename from datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow.yml rename to datasets/attack_techniques/T1195.002/github_actions_disable_security_workflow/github_actions_disable_security_workflow_old.yml diff --git a/datasets/attack_techniques/T1199/github_push_master/github_push_master.yml b/datasets/attack_techniques/T1199/github_push_master/github_push_master_old.yml similarity index 100% rename from datasets/attack_techniques/T1199/github_push_master/github_push_master.yml rename to datasets/attack_techniques/T1199/github_push_master/github_push_master_old.yml diff --git a/datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy.yml b/datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy_old.yml similarity index 100% rename from datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy.yml rename to datasets/attack_techniques/T1201/aws_password_policy/aws_password_policy_old.yml diff --git a/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.yml b/datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service_old.yml similarity index 100% rename from datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service.yml rename to datasets/attack_techniques/T1204/kube_audit_create_node_port_service/kube_audit_create_node_port_service_old.yml diff --git a/datasets/attack_techniques/T1210/splunk/data.yml b/datasets/attack_techniques/T1210/splunk/data.yml deleted file mode 100644 index c1bfb435d..000000000 --- a/datasets/attack_techniques/T1210/splunk/data.yml +++ /dev/null @@ -1,22 +0,0 @@ -author: Generated by dataset_analyzer.py -id: c07c0b21-2a31-478e-a244-3872c392d7c8 -date: '2025-08-12' -description: Automatically categorized datasets in directory splunk -environment: attack_range -directory: splunk -mitre_technique: -- T1210 -datasets: -- name: svd-2024-1003-index_internal_sourcetype_splunkd_access - path: /datasets/attack_techniques/T1210/splunk/svd-2024-1003-index_internal_sourcetype_splunkd_access.log - sourcetype: access_combined -- name: splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature - path: /datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.log - sourcetype: linux_secure - source: linux_secure -- name: svd-2024-1001-index_internal_sourcetype_splunkd_access - path: /datasets/attack_techniques/T1210/splunk/svd-2024-1001-index_internal_sourcetype_splunkd_access.log - sourcetype: access_combined -- name: splunk_rce_via_user_xslt_splunkd_ui_access - path: /datasets/attack_techniques/T1210/splunk/splunk_rce_via_user_xslt_splunkd_ui_access.log - sourcetype: access_combined diff --git a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml index d8753f7b2..a169a6822 100644 --- a/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml +++ b/datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.yml @@ -11,3 +11,4 @@ datasets: - name: kubernetes_nginx_lfi_attack path: /datasets/attack_techniques/T1212/kubernetes_nginx_lfi_attack/kubernetes_nginx_lfi_attack.log sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml index 4a6549106..d1b9f47a4 100644 --- a/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml +++ b/datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kuberntest_nginx_rfi_attack.yml @@ -11,3 +11,4 @@ datasets: - name: kubernetes_nginx_rfi_attack path: /datasets/attack_techniques/T1212/kuberntest_nginx_rfi_attack/kubernetes_nginx_rfi_attack.log sourcetype: nginx:plus:access + source: nginx \ No newline at end of file diff --git a/datasets/attack_techniques/T1213/audittrail/audittrail.yml b/datasets/attack_techniques/T1213/audittrail/audittrail_old.yml similarity index 100% rename from datasets/attack_techniques/T1213/audittrail/audittrail.yml rename to datasets/attack_techniques/T1213/audittrail/audittrail_old.yml diff --git a/datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded.yml b/datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded.yml rename to datasets/attack_techniques/T1218.003/moz_lib_loaded/moz_lib_loaded_old.yml diff --git a/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32.yml b/datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32.yml rename to datasets/attack_techniques/T1218.007/msiexec-hidewindow-rundll32/msiexec-hidewindow-rundll32_old.yml diff --git a/datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system.yml b/datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system_old.yml similarity index 100% rename from datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system.yml rename to datasets/attack_techniques/T1218.011/update_per_user_system/update_per_user_system_old.yml diff --git a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml index b1643a3a3..770f00319 100644 --- a/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml +++ b/datasets/attack_techniques/T1218/bitlockertogo/bitlockertogo.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: kk922623-2bd5-42eb-926b-120zf0943f11 +id: 9c55b9da-3d3c-4f1d-987d-cb2162cf3b5b date: '2024-11-13' description: BitLockerToGo.exe execution with Lumma Stealer. environment: attack_range diff --git a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml index 1cfc5013d..54bd9042d 100644 --- a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml +++ b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: k22b2623-abd5-11eb-926b-120zf0943f11 +id: cfd5079f-a845-4a22-8ccd-b10d4c2aca90 date: '2024-04-17' description: Events related to Evil Twin msc. environment: attack_range diff --git a/datasets/attack_techniques/T1218/living_off_the_land/livingofftheland.yml b/datasets/attack_techniques/T1218/living_off_the_land/livingofftheland_old.yml similarity index 100% rename from datasets/attack_techniques/T1218/living_off_the_land/livingofftheland.yml rename to datasets/attack_techniques/T1218/living_off_the_land/livingofftheland_old.yml diff --git a/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.yml b/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic_old.yml similarity index 100% rename from datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.yml rename to datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic_old.yml diff --git a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml index 4e74c1986..84cec0715 100644 --- a/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1219/atomic_red_team/atomic_red_team.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: mh9b260e-efc9-11eb-926b-660bf0943cac +id: 0ae53442-9f79-4e35-a58f-00d2316e23d5 date: '2022-08-22' description: Atomic Red Team tests simulating remote access software installation. environment: attack_range diff --git a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml index edaabdccf..3aad87425 100644 --- a/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml +++ b/datasets/attack_techniques/T1219/screenconnect/screenconnect.yml @@ -1,5 +1,5 @@ author: Steven Dick -id: aa7a8c73-ecd0-4276-b48b-7aac36375641 +id: f3c31ec1-5f2d-4a24-8911-53d9b0a7def5 date: '2024-02-19' description: Basic installation and usage of screenconnect RMM application for testing needs. diff --git a/datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden.yml b/datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden_old.yml similarity index 100% rename from datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden.yml rename to datasets/attack_techniques/T1222.001/attrib_hidden/attrib_hidden_old.yml diff --git a/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance.yml b/datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance_old.yml similarity index 100% rename from datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance.yml rename to datasets/attack_techniques/T1222.001/icacls_inheritance/icacls_inheritance_old.yml diff --git a/datasets/attack_techniques/T1484/domain_policy_modification.yml b/datasets/attack_techniques/T1484/domain_policy_modification_old.yml similarity index 100% rename from datasets/attack_techniques/T1484/domain_policy_modification.yml rename to datasets/attack_techniques/T1484/domain_policy_modification_old.yml diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base_old.yml similarity index 100% rename from datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml rename to datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base_old.yml diff --git a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml index 78b7115e9..e07c5fdef 100644 --- a/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml +++ b/datasets/attack_techniques/T1485/decommissioned_buckets/decommissioned_buckets.yml @@ -13,4 +13,5 @@ mitre_technique: datasets: - name: web_cloudfront_access path: /datasets/attack_techniques/T1485/decommissioned_buckets/web_cloudfront_access.log - sourcetype: access_combined + source: aws_cloudfront_accesslogs + sourcetype: aws:cloudfront:accesslogs diff --git a/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml b/datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands_old.yml similarity index 100% rename from datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands.yml rename to datasets/attack_techniques/T1486/bitlocker_sus_commands/bitlocker_sus_commands_old.yml diff --git a/datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf.yml b/datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf_old.yml similarity index 100% rename from datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf.yml rename to datasets/attack_techniques/T1489/splunk_kvstore_csrf/splunk_kvstore_csrf_old.yml diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml rename to datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage_old.yml diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml rename to datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage_old.yml diff --git a/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete.yml b/datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete_old.yml similarity index 100% rename from datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete.yml rename to datasets/attack_techniques/T1497.003/njrat_ping_delay_before_delete/njrat_ping_delay_before_delete_old.yml diff --git a/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe.yml b/datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe_old.yml similarity index 100% rename from datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe.yml rename to datasets/attack_techniques/T1497.003/time_delay_using_choice_exe/time_delay_using_choice_exe_old.yml diff --git a/datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox.yml b/datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox_old.yml similarity index 100% rename from datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox.yml rename to datasets/attack_techniques/T1497/chrom_no_sandbox/chrom_no_sandbox_old.yml diff --git a/datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos.yml b/datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos_old.yml similarity index 100% rename from datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos.yml rename to datasets/attack_techniques/T1498/splunk_indexer_dos/splunk_indexer_dos_old.yml diff --git a/datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024.yml b/datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024_old.yml similarity index 100% rename from datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024.yml rename to datasets/attack_techniques/T1499/splunk/splunk_vulns_jan_2024_old.yml diff --git a/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.yml b/datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability_old.yml similarity index 100% rename from datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability.yml rename to datasets/attack_techniques/T1499/splunk/splunk_zip_bomb_vulnerability_old.yml diff --git a/datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior.yml b/datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior_old.yml similarity index 100% rename from datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior.yml rename to datasets/attack_techniques/T1505.003/generic_webshell_exploit/detect_webshell_exploit_behavior_old.yml diff --git a/datasets/attack_techniques/T1525/container_implant/container_implant.yml b/datasets/attack_techniques/T1525/container_implant/container_implant_old.yml similarity index 100% rename from datasets/attack_techniques/T1525/container_implant/container_implant.yml rename to datasets/attack_techniques/T1525/container_implant/container_implant_old.yml diff --git a/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject.yml b/datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject_old.yml similarity index 100% rename from datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject.yml rename to datasets/attack_techniques/T1530/aws_exfil_high_no_getobject/aws_exfil_high_no_getobject_old.yml diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml rename to datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user_old.yml diff --git a/datasets/attack_techniques/T1531/log_off_user/log_off_user.yml b/datasets/attack_techniques/T1531/log_off_user/log_off_user_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/log_off_user/log_off_user.yml rename to datasets/attack_techniques/T1531/log_off_user/log_off_user_old.yml diff --git a/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree.yml b/datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree_old.yml similarity index 100% rename from datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree.yml rename to datasets/attack_techniques/T1531/powershell_log_process_tree/powershell_log_process_tree_old.yml diff --git a/datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share.yml b/datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share_old.yml similarity index 100% rename from datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share.yml rename to datasets/attack_techniques/T1537/high_copy_files_in_net_share/high_copy_files_in_net_share_old.yml diff --git a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml index dc8327807..4f9a44849 100644 --- a/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml +++ b/datasets/attack_techniques/T1539/okta_web_session_multiple_ip/okta_web_session_multiple_ip.yml @@ -1,5 +1,5 @@ author: Bhavin Patel -id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959w +id: 7bbee66b-eb76-41d6-8e4e-d7890e502d23 date: '2024-03-18' description: Manually generated dataset of two sessions from mutiple IPs, useragents, etc diff --git a/datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup.yml b/datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup_old.yml similarity index 100% rename from datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup.yml rename to datasets/attack_techniques/T1543.003/krbrelayup/krbrelayup_old.yml diff --git a/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path.yml b/datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path.yml rename to datasets/attack_techniques/T1543.003/lateral_movement_suspicious_path/lateral_movement_suspicious_path_old.yml diff --git a/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.yml b/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse_old.yml similarity index 100% rename from datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.yml rename to datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse_old.yml diff --git a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml index 32b94f776..4fd18792c 100644 --- a/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1547.008/atomic_red_team/atomic_red_team.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: cc9i2628-efc9-88eb-926b-550bf0943fbb +id: e0b28658-8542-40e7-9dc5-62775762ef70 date: '2022-08-22' description: Generation of Atomic Red Team technique T1547.008 environment: attack_range diff --git a/datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1547.011/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml b/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf_old.yml similarity index 100% rename from datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml rename to datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf_old.yml diff --git a/datasets/attack_techniques/T1548/abuse_elevation_control.yml b/datasets/attack_techniques/T1548/abuse_elevation_control_old.yml similarity index 100% rename from datasets/attack_techniques/T1548/abuse_elevation_control.yml rename to datasets/attack_techniques/T1548/abuse_elevation_control_old.yml diff --git a/datasets/attack_techniques/T1548/linux_risk/linux_risk.yml b/datasets/attack_techniques/T1548/linux_risk/linux_risk_old.yml similarity index 100% rename from datasets/attack_techniques/T1548/linux_risk/linux_risk.yml rename to datasets/attack_techniques/T1548/linux_risk/linux_risk_old.yml diff --git a/datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data.yml b/datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data_old.yml similarity index 100% rename from datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data.yml rename to datasets/attack_techniques/T1550.002/extracts_from_real_data/extracts_from_real_data_old.yml diff --git a/datasets/attack_techniques/T1550/impacket/impacket.yml b/datasets/attack_techniques/T1550/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1550/impacket/impacket.yml rename to datasets/attack_techniques/T1550/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.yml b/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage_old.yml similarity index 100% rename from datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.yml rename to datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage_old.yml diff --git a/datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config.yml b/datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config.yml rename to datasets/attack_techniques/T1552.001/file_xml_config/file_xml_config_old.yml diff --git a/datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage.yml b/datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage.yml rename to datasets/attack_techniques/T1552.001/ie_intelliform_storage/ie_intelliform_storage_old.yml diff --git a/datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml b/datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml rename to datasets/attack_techniques/T1552.004/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml diff --git a/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery.yml b/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery.yml rename to datasets/attack_techniques/T1552.006/powershell_gpp_discovery/powershell_gpp_discovery_old.yml diff --git a/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.yml b/datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret_old.yml similarity index 100% rename from datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret.yml rename to datasets/attack_techniques/T1552.007/kube_audit_get_secret/kube_audit_get_secret_old.yml diff --git a/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access.yml b/datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access_old.yml similarity index 100% rename from datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access.yml rename to datasets/attack_techniques/T1552/snakey_keylogger_outlook_reg_access/snakey_keylogger_outlook_reg_access_old.yml diff --git a/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation.yml b/datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_old.yml similarity index 100% rename from datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation.yml rename to datasets/attack_techniques/T1552/windows_post_exploitation/windows_post_exploitation_old.yml diff --git a/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass.yml b/datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass_old.yml similarity index 100% rename from datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass.yml rename to datasets/attack_techniques/T1553.005/mark_of_the_web_bypass/mark_of_the_web_bypass_old.yml diff --git a/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.yml b/datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job_old.yml similarity index 100% rename from datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job.yml rename to datasets/attack_techniques/T1554/circle_ci_disable_security_job/circle_ci_disable_security_job_old.yml diff --git a/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.yml b/datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step_old.yml similarity index 100% rename from datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step.yml rename to datasets/attack_techniques/T1554/circle_ci_disable_security_step/circle_ci_disable_security_step_old.yml diff --git a/datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp.yml b/datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp_old.yml similarity index 100% rename from datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp.yml rename to datasets/attack_techniques/T1555.003/browser_credential_info_temp/browser_credential_info_temp_old.yml diff --git a/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds.yml b/datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds_old.yml similarity index 100% rename from datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds.yml rename to datasets/attack_techniques/T1555.004/vaultcli_creds/vaultcli_creds_old.yml diff --git a/datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials.yml b/datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials.yml rename to datasets/attack_techniques/T1555/applying_stolen_credentials/applying_stolen_credentials_old.yml diff --git a/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml b/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml rename to datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store_old.yml diff --git a/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml b/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store_old.yml similarity index 100% rename from datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml rename to datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store_old.yml diff --git a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml index 7dd30725e..80d8f9ed7 100644 --- a/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1556.001/atomic_red_team/atomic_red_team.yml @@ -1,5 +1,5 @@ author: Michael Haag, Splunk -id: an9b2653-efc1-11eb-926b-550bf0943fbb +id: deab3766-be55-4bc3-8b9a-2ab47d84d1d2 date: '2022-03-30' description: Atomic testing with T1553.005 related to lnk and iso. environment: attack_range diff --git a/datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios.yml b/datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios_old.yml similarity index 100% rename from datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios.yml rename to datasets/attack_techniques/T1557.002/cisco_ios/cisco_ios_old.yml diff --git a/datasets/attack_techniques/T1558.001/impacket/impacket.yml b/datasets/attack_techniques/T1558.001/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.001/impacket/impacket.yml rename to datasets/attack_techniques/T1558.001/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1558.002/impacket/impacket.yml b/datasets/attack_techniques/T1558.002/impacket/impacket_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.002/impacket/impacket.yml rename to datasets/attack_techniques/T1558.002/impacket/impacket_old.yml diff --git a/datasets/attack_techniques/T1558.004/getaduser/getaduser.yml b/datasets/attack_techniques/T1558.004/getaduser/getaduser_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.004/getaduser/getaduser.yml rename to datasets/attack_techniques/T1558.004/getaduser/getaduser_old.yml diff --git a/datasets/attack_techniques/T1558.004/powerview/powerview.yml b/datasets/attack_techniques/T1558.004/powerview/powerview_old.yml similarity index 100% rename from datasets/attack_techniques/T1558.004/powerview/powerview.yml rename to datasets/attack_techniques/T1558.004/powerview/powerview_old.yml diff --git a/datasets/attack_techniques/T1558/krbrelayup/krbrelayup.yml b/datasets/attack_techniques/T1558/krbrelayup/krbrelayup_old.yml similarity index 100% rename from datasets/attack_techniques/T1558/krbrelayup/krbrelayup.yml rename to datasets/attack_techniques/T1558/krbrelayup/krbrelayup_old.yml diff --git a/datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe.yml b/datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe_old.yml similarity index 100% rename from datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe.yml rename to datasets/attack_techniques/T1559/anonymous_pipe/anonymous_pipe_old.yml diff --git a/datasets/attack_techniques/T1560.001/archive_tools/archive_tools.yml b/datasets/attack_techniques/T1560.001/archive_tools/archive_tools_old.yml similarity index 100% rename from datasets/attack_techniques/T1560.001/archive_tools/archive_tools.yml rename to datasets/attack_techniques/T1560.001/archive_tools/archive_tools_old.yml diff --git a/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml b/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate_old.yml similarity index 100% rename from datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml rename to datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate_old.yml diff --git a/datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir.yml b/datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir_old.yml similarity index 100% rename from datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir.yml rename to datasets/attack_techniques/T1560/archived_in_temp_dir/archived_in_temp_dir_old.yml diff --git a/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.yml b/datasets/attack_techniques/T1560/powershell_archive/powershell_archive_old.yml similarity index 100% rename from datasets/attack_techniques/T1560/powershell_archive/powershell_archive.yml rename to datasets/attack_techniques/T1560/powershell_archive/powershell_archive_old.yml diff --git a/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering.yml b/datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering.yml rename to datasets/attack_techniques/T1562.001/cisco_secure_endpoint_tampering/cisco_secure_endpoint_tampering_old.yml diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog.yml rename to datasets/attack_techniques/T1562.001/defender_exclusion_defender_operational_wineventlog/defender_exclusion_defender_operational_wineventlog_old.yml diff --git a/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell.yml b/datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell.yml rename to datasets/attack_techniques/T1562.001/defender_exclusion_powershell/defender_exclusion_powershell_old.yml diff --git a/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml b/datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog.yml rename to datasets/attack_techniques/T1562.001/disable_defender_operational_wineventlog/disable_defender_operational_wineventlog_old.yml diff --git a/datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh.yml b/datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh.yml rename to datasets/attack_techniques/T1562.001/rmdir_defender_pwsh/rmdir_defender_pwsh_old.yml diff --git a/datasets/attack_techniques/T1562.001/taskkill/taskkill.yml b/datasets/attack_techniques/T1562.001/taskkill/taskkill_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/taskkill/taskkill.yml rename to datasets/attack_techniques/T1562.001/taskkill/taskkill_old.yml diff --git a/datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser.yml b/datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser.yml rename to datasets/attack_techniques/T1562.001/taskkill_browser/taskkill_browser_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event_old.yml diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml rename to datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule_old.yml diff --git a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml index 6952023c1..e1c622b76 100644 --- a/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml +++ b/datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_add_firewall_rule.yml @@ -9,7 +9,8 @@ mitre_technique: datasets: - name: njrat_firewall_security path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_security.log - sourcetype: firewall + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security - name: njrat_firewall_sysmon path: /datasets/attack_techniques/T1562.004/njrat_add_firewall_rule/njrat_firewall_sysmon.log sourcetype: XmlWinEventLog diff --git a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml index 869c18cb9..d1f8f3ec2 100644 --- a/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml +++ b/datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.yml @@ -9,4 +9,5 @@ mitre_technique: datasets: - name: njrat_delete_firewall path: /datasets/attack_techniques/T1562.004/njrat_delete_firewall/njrat_delete_firewall.log - sourcetype: firewall + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.yml b/datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass.yml rename to datasets/attack_techniques/T1562.006/dotnet_etw_bypass/dotnet_etw_bypass_old.yml diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml rename to datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails_old.yml diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml rename to datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging_old.yml diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end_old.yml similarity index 100% rename from datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml rename to datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end_old.yml diff --git a/datasets/attack_techniques/T1562/applocker/applocker.yml b/datasets/attack_techniques/T1562/applocker/applocker_old.yml similarity index 100% rename from datasets/attack_techniques/T1562/applocker/applocker.yml rename to datasets/attack_techniques/T1562/applocker/applocker_old.yml diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall_old.yml similarity index 100% rename from datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml rename to datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall_old.yml diff --git a/datasets/attack_techniques/T1564.003/headless/headless.yml b/datasets/attack_techniques/T1564.003/headless/headless_old.yml similarity index 100% rename from datasets/attack_techniques/T1564.003/headless/headless.yml rename to datasets/attack_techniques/T1564.003/headless/headless_old.yml diff --git a/datasets/attack_techniques/T1564.008/o365/o365.yml b/datasets/attack_techniques/T1564.008/o365/o365.yml index a318aa98a..ac18c9b6a 100644 --- a/datasets/attack_techniques/T1564.008/o365/o365.yml +++ b/datasets/attack_techniques/T1564.008/o365/o365.yml @@ -1,4 +1,4 @@ -author: 3237998318 +author: unknown id: 54715c41-4283-44f7-a327-fbd230d83c60 date: '2025-02-14' description: Detection of suspicious mailbox rule creation. diff --git a/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share.yml b/datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share_old.yml similarity index 100% rename from datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share.yml rename to datasets/attack_techniques/T1566.001/gdrive_susp_file_share/gdrive_susp_file_share_old.yml diff --git a/datasets/attack_techniques/T1566.001/spearphishing_attachments.yml b/datasets/attack_techniques/T1566.001/spearphishing_attachments_old.yml similarity index 100% rename from datasets/attack_techniques/T1566.001/spearphishing_attachments.yml rename to datasets/attack_techniques/T1566.001/spearphishing_attachments_old.yml diff --git a/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll.yml b/datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll_old.yml similarity index 100% rename from datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll.yml rename to datasets/attack_techniques/T1566/outlook_dropped_dll/outlook_dropped_dll_old.yml diff --git a/datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive.yml b/datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive_old.yml similarity index 100% rename from datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive.yml rename to datasets/attack_techniques/T1567.002/gsuite_share_drive/gsuite_share_drive_old.yml diff --git a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml index 4f5323cd6..c19cedac4 100644 --- a/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml +++ b/datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.yml @@ -10,3 +10,4 @@ datasets: - name: web_upload_nginx path: /datasets/attack_techniques/T1567/web_upload_nginx/web_upload_nginx.log sourcetype: nginx:plus:access + source: nginx diff --git a/datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control.yml b/datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control_old.yml similarity index 100% rename from datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control.yml rename to datasets/attack_techniques/T1569/illegal_service_control/illegal_service_control_old.yml diff --git a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml index 0b2bc6683..98a74439a 100644 --- a/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1574.001/atomic_red_team/atomic_red_team.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: cc9bv5d6-wfc9-11eb-926b-550bf0943faz +id: d623f17e-f97d-4ce9-9cf6-6f6b76b14ba4 date: '2022-08-18' description: 'Atomic Test Results: Successful Execution of test T1574.001' environment: attack_range diff --git a/datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules.yml b/datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules.yml rename to datasets/attack_techniques/T1574.002/svr_loaded_modules/svr_loaded_modules_old.yml diff --git a/datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load.yml b/datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load.yml rename to datasets/attack_techniques/T1574.002/unsigned_dll_load/unsigned_dll_load_old.yml diff --git a/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path.yml b/datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path_old.yml similarity index 100% rename from datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path.yml rename to datasets/attack_techniques/T1574.002/unsigned_dll_loaded_same_process_path/unsigned_dll_loaded_same_process_path_old.yml diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures_old.yml similarity index 100% rename from datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml rename to datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures_old.yml diff --git a/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml index b4d1248e6..1307e315b 100644 --- a/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml +++ b/datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/data.yml @@ -9,7 +9,8 @@ mitre_technique: datasets: - name: aws_iam_accessdenied_discovery_events-json path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json - sourcetype: access_combined + sourcetype: aws:cloudtrail + source: aws_cloudtrail - name: asl_ocsf_cloudtrail-json path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json sourcetype: aws:cloudtrail:lake diff --git a/datasets/attack_techniques/T1580/aws_iam.yml b/datasets/attack_techniques/T1580/aws_iam_old.yml similarity index 100% rename from datasets/attack_techniques/T1580/aws_iam.yml rename to datasets/attack_techniques/T1580/aws_iam_old.yml diff --git a/datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation.yml b/datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation_old.yml similarity index 100% rename from datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation.yml rename to datasets/attack_techniques/T1585/illegal_account_creation/illegal_account_creation_old.yml diff --git a/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips.yml b/datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips_old.yml similarity index 100% rename from datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips.yml rename to datasets/attack_techniques/T1586.003/aws_console_login_multiple_ips/aws_console_login_multiple_ips_old.yml diff --git a/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.yml b/datasets/attack_techniques/T1587.003/splunk_fwder/splunkd_old.yml similarity index 100% rename from datasets/attack_techniques/T1587.003/splunk_fwder/splunkd.yml rename to datasets/attack_techniques/T1587.003/splunk_fwder/splunkd_old.yml diff --git a/datasets/attack_techniques/T1589.002/kerbrute/kerbrute.yml b/datasets/attack_techniques/T1589.002/kerbrute/kerbrute_old.yml similarity index 100% rename from datasets/attack_techniques/T1589.002/kerbrute/kerbrute.yml rename to datasets/attack_techniques/T1589.002/kerbrute/kerbrute_old.yml diff --git a/datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa.yml b/datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa_old.yml similarity index 100% rename from datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa.yml rename to datasets/attack_techniques/T1621/aws_failed_mfa/aws_failed_mfa_old.yml diff --git a/datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team_old.yml similarity index 100% rename from datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team.yml rename to datasets/attack_techniques/T1647/atomic_red_team/atomic_red_team_old.yml diff --git a/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml b/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration_old.yml similarity index 100% rename from datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml rename to datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration_old.yml diff --git a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml index d857bb6a5..9ee830994 100644 --- a/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml +++ b/datasets/attack_techniques/t1547.014/active_setup_stubpath/active_setup_stubpath.yml @@ -6,7 +6,7 @@ description: manual activesetup stubpath registry modification datasets for pers environment: attack_range directory: active_setup_stubpath mitre_technique: -- unknown +- T1547.014 datasets: - name: sysmon path: /datasets/attack_techniques/t1547.014/active_setup_stubpath/sysmon.log diff --git a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml index 378911054..6478b3df0 100644 --- a/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml +++ b/datasets/attack_techniques/t1592/host_info_dxdiag/host_info_dxdiag.yml @@ -5,7 +5,7 @@ description: simulated remcos dxdiag execution for host information gathering environment: attack_range directory: host_info_dxdiag mitre_technique: -- unknown +- T1592 datasets: - name: sysmon path: /datasets/attack_techniques/t1592/host_info_dxdiag/sysmon.log diff --git a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml index d3e2feea7..390924027 100644 --- a/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml +++ b/datasets/attack_techniques/t1592/pwh_av_recon/pwh_av_recon.yml @@ -5,7 +5,7 @@ description: Generated datasets for pwh av recon in attack range. environment: attack_range directory: pwh_av_recon mitre_technique: -- unknown +- T1592 datasets: - name: windows-powershell-xml path: /datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log diff --git a/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.yml b/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata_old.yml similarity index 100% rename from datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.yml rename to datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml b/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml rename to datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml b/datasets/cisco_secure_firewall_threat_defense/file_event/file_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml rename to datasets/cisco_secure_firewall_threat_defense/file_event/file_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml b/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml rename to datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events_old.yml diff --git a/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml b/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events_old.yml similarity index 100% rename from datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml rename to datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events_old.yml diff --git a/datasets/malware/acidrain/acidrain.yml b/datasets/malware/acidrain/acidrain.yml index 55fa1e278..9bb6b7ed4 100644 --- a/datasets/malware/acidrain/acidrain.yml +++ b/datasets/malware/acidrain/acidrain.yml @@ -4,8 +4,7 @@ date: '2022-04-12' description: Generated datasets for acidrain in attack range. environment: attack_range directory: acidrain -mitre_technique: -- unknown +mitre_technique: [] datasets: - name: sysmon_linux path: /datasets/malware/acidrain/sysmon_linux.log diff --git a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml index 28e78b436..1a612e8ae 100644 --- a/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_ftp/agent_tesla_ftp.yml @@ -4,8 +4,6 @@ date: '2022-09-21' description: Generated datasets for agent tesla ftp in attack range. environment: attack_range directory: agent_tesla_ftp -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/agent_tesla/agent_tesla_ftp/sysmon.log diff --git a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml index a34344fe5..9671b6c92 100644 --- a/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml +++ b/datasets/malware/agent_tesla/agent_tesla_smtp/agent_tesla_smtp.yml @@ -4,8 +4,6 @@ date: '2022-09-21' description: Generated datasets for agent tesla smtp in attack range. environment: attack_range directory: agent_tesla_smtp -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/agent_tesla/agent_tesla_smtp/sysmon.log diff --git a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml index 00bd2de25..35d4aa330 100644 --- a/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml +++ b/datasets/malware/agent_tesla/agent_tesla_tor_dns_query/agent_tesla_tor_dns_query.yml @@ -4,8 +4,6 @@ date: '2022-09-21' description: Generated datasets for agent tesla tor dns query in attack range. environment: attack_range directory: agent_tesla_tor_dns_query -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/agent_tesla/agent_tesla_tor_dns_query/sysmon.log diff --git a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml index eeeea7512..cb6e68679 100644 --- a/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml +++ b/datasets/malware/agent_tesla/chm_powershell/chm_powershell.yml @@ -4,8 +4,6 @@ date: '2022-09-21' description: Generated datasets for chm powershell in attack range. environment: attack_range directory: chm_powershell -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/agent_tesla/chm_powershell/windows-powershell-xml.log diff --git a/datasets/malware/amadey/access_permission/access_permission.yml b/datasets/malware/amadey/access_permission/access_permission.yml index ccfacf743..007027a3a 100644 --- a/datasets/malware/amadey/access_permission/access_permission.yml +++ b/datasets/malware/amadey/access_permission/access_permission.yml @@ -4,8 +4,6 @@ date: '2023-06-13' description: Generated datasets for access permission in attack range. environment: attack_range directory: access_permission -mitre_technique: -- unknown datasets: - name: amadey_sysmon2 path: /datasets/malware/amadey/access_permission/amadey_sysmon2.log diff --git a/datasets/malware/amadey/shell_regrun/shell_regrun.yml b/datasets/malware/amadey/shell_regrun/shell_regrun_old.yml similarity index 100% rename from datasets/malware/amadey/shell_regrun/shell_regrun.yml rename to datasets/malware/amadey/shell_regrun/shell_regrun_old.yml diff --git a/datasets/malware/awfulshred/test1/test1.yml b/datasets/malware/awfulshred/test1/test1.yml index 0a691c357..456998609 100644 --- a/datasets/malware/awfulshred/test1/test1.yml +++ b/datasets/malware/awfulshred/test1/test1.yml @@ -4,8 +4,6 @@ date: '2023-02-08' description: Generated datasets for test1 in attack range. environment: attack_range directory: test1 -mitre_technique: -- unknown datasets: - name: sysmon_linux path: /datasets/malware/awfulshred/test1/sysmon_linux.log diff --git a/datasets/malware/awfulshred/test2/test2.yml b/datasets/malware/awfulshred/test2/test2.yml index 68f0654e1..9a5f802d0 100644 --- a/datasets/malware/awfulshred/test2/test2.yml +++ b/datasets/malware/awfulshred/test2/test2.yml @@ -4,8 +4,6 @@ date: '2023-02-08' description: Generated datasets for test2 in attack range. environment: attack_range directory: test2 -mitre_technique: -- unknown datasets: - name: sysmon_linux path: /datasets/malware/awfulshred/test2/sysmon_linux.log diff --git a/datasets/malware/awfulshred/test3/test3.yml b/datasets/malware/awfulshred/test3/test3.yml index 7880c1610..05d89940b 100644 --- a/datasets/malware/awfulshred/test3/test3.yml +++ b/datasets/malware/awfulshred/test3/test3.yml @@ -4,8 +4,6 @@ date: '2023-02-09' description: Generated datasets for test3 in attack range. environment: attack_range directory: test3 -mitre_technique: -- unknown datasets: - name: sysmon_linux path: /datasets/malware/awfulshred/test3/sysmon_linux.log diff --git a/datasets/malware/azorult/azorult.yml b/datasets/malware/azorult/azorult.yml index 3c1fc0ef2..c140f9c3a 100644 --- a/datasets/malware/azorult/azorult.yml +++ b/datasets/malware/azorult/azorult.yml @@ -4,8 +4,6 @@ date: '2022-06-22' description: Generated datasets for azorult in attack range. environment: attack_range directory: azorult -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/azorult/sysmon.log diff --git a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml index 95515a61b..7820b959c 100644 --- a/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml +++ b/datasets/malware/brute_ratel/brute_duplicate_token/brute_duplicate_token.yml @@ -4,8 +4,6 @@ date: '2022-09-01' description: Generated datasets for brute duplicate token in attack range. environment: attack_range directory: brute_duplicate_token -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/brute_duplicate_token/sysmon.log diff --git a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml index e1627b8e4..582211dc6 100644 --- a/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml +++ b/datasets/malware/brute_ratel/create_remote_thread/create_remote_thread.yml @@ -4,8 +4,6 @@ date: '2022-09-05' description: Generated datasets for create remote thread in attack range. environment: attack_range directory: create_remote_thread -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/create_remote_thread/sysmon.log diff --git a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml index fb05abd65..7ae7685a2 100644 --- a/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml +++ b/datasets/malware/brute_ratel/iso_version_dll_campaign/iso_version_dll_campaign.yml @@ -4,8 +4,6 @@ date: '2022-08-30' description: Generated datasets for iso version dll campaign in attack range. environment: attack_range directory: iso_version_dll_campaign -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/iso_version_dll_campaign/sysmon.log diff --git a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml index b8339d3f1..20b5336e3 100644 --- a/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml +++ b/datasets/malware/brute_ratel/loading_samlib/loading_samlib.yml @@ -4,8 +4,6 @@ date: '2022-08-31' description: Generated datasets for loading samlib in attack range. environment: attack_range directory: loading_samlib -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/loading_samlib/sysmon.log diff --git a/datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token.yml b/datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token_old.yml similarity index 100% rename from datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token.yml rename to datasets/malware/brute_ratel/sedebugprivilege_token/sedebugprivilege_token_old.yml diff --git a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml index 8982076c3..6af11da4e 100644 --- a/datasets/malware/brute_ratel/service_deletion/service_deletion.yml +++ b/datasets/malware/brute_ratel/service_deletion/service_deletion.yml @@ -4,8 +4,6 @@ date: '2022-09-01' description: Generated datasets for service deletion in attack range. environment: attack_range directory: service_deletion -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/service_deletion/sysmon.log diff --git a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml index aca087ccd..c1a6d3d5b 100644 --- a/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml +++ b/datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/wallpaper_via_transcodedwallpaper.yml @@ -4,8 +4,6 @@ date: '2022-09-05' description: Generated datasets for wallpaper via transcodedwallpaper in attack range. environment: attack_range directory: wallpaper_via_transcodedwallpaper -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/brute_ratel/wallpaper_via_transcodedwallpaper/sysmon.log diff --git a/datasets/malware/chaos_ransomware/chaos_ransomware.yml b/datasets/malware/chaos_ransomware/chaos_ransomware.yml index 36e6e8f0c..7128971b7 100644 --- a/datasets/malware/chaos_ransomware/chaos_ransomware.yml +++ b/datasets/malware/chaos_ransomware/chaos_ransomware.yml @@ -4,8 +4,6 @@ date: '2023-01-12' description: Generated datasets for chaos ransomware in attack range. environment: attack_range directory: chaos_ransomware -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/chaos_ransomware/sysmon.log diff --git a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml index ce089170d..20abed67e 100644 --- a/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml +++ b/datasets/malware/chaos_ransomware/spread_in_root_drives/spread_in_root_drives.yml @@ -4,8 +4,6 @@ date: '2023-01-17' description: Generated datasets for spread in root drives in attack range. environment: attack_range directory: spread_in_root_drives -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/chaos_ransomware/spread_in_root_drives/sysmon.log diff --git a/datasets/malware/clop/clop_a/clop_a.yml b/datasets/malware/clop/clop_a/clop_a.yml index 24c41cff3..5c5fabce1 100644 --- a/datasets/malware/clop/clop_a/clop_a.yml +++ b/datasets/malware/clop/clop_a/clop_a.yml @@ -5,8 +5,6 @@ description: Execution of CLOP malware on Windows 10 endpoint and simulated ser name. environment: attack_range directory: clop_a -mitre_technique: -- unknown datasets: - name: windows-xml path: /datasets/malware/clop/clop_a/windows-xml.log diff --git a/datasets/malware/clop/clop_b/clop_b.yml b/datasets/malware/clop/clop_b/clop_b.yml index d0bf0fa6c..97ee166fe 100644 --- a/datasets/malware/clop/clop_b/clop_b.yml +++ b/datasets/malware/clop/clop_b/clop_b.yml @@ -4,8 +4,6 @@ date: '2021-03-22' description: Execution of CLOP malware on Windows 10 endpoint. environment: attack_range directory: clop_b -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/clop/clop_b/windows-sysmon.log diff --git a/datasets/malware/conti/conti-cobalt/data.yml b/datasets/malware/conti/conti-cobalt/data.yml index 2c689bcd8..98e10eaae 100644 --- a/datasets/malware/conti/conti-cobalt/data.yml +++ b/datasets/malware/conti/conti-cobalt/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory conti-cobalt environment: attack_range directory: conti-cobalt -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/conti/conti-cobalt/windows-sysmon.log diff --git a/datasets/malware/conti/conti_leak/conti_leak.yml b/datasets/malware/conti/conti_leak/conti_leak.yml index da65ad647..e22436e02 100644 --- a/datasets/malware/conti/conti_leak/conti_leak.yml +++ b/datasets/malware/conti/conti_leak/conti_leak.yml @@ -4,8 +4,6 @@ date: '2021-08-10' description: simulated Execution of conti leak malware in attack range. environment: attack_range directory: conti_leak -mitre_technique: -- unknown datasets: - name: windows-sysmon_7z path: /datasets/malware/conti/conti_leak/windows-sysmon_7z.log diff --git a/datasets/malware/conti/inf1/data.yml b/datasets/malware/conti/inf1/data.yml index 152c26766..9897702bd 100644 --- a/datasets/malware/conti/inf1/data.yml +++ b/datasets/malware/conti/inf1/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory inf1 environment: attack_range directory: inf1 -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/conti/inf1/windows-sysmon.log diff --git a/datasets/malware/cyclopsblink/cyclopsblink.yml b/datasets/malware/cyclopsblink/cyclopsblink.yml index 46937029d..88300dd7d 100644 --- a/datasets/malware/cyclopsblink/cyclopsblink.yml +++ b/datasets/malware/cyclopsblink/cyclopsblink.yml @@ -4,8 +4,6 @@ date: '2022-04-07' description: Generated datasets for cyclopsblink in attack range. environment: attack_range directory: cyclopsblink -mitre_technique: -- unknown datasets: - name: sysmon_linux path: /datasets/malware/cyclopsblink/sysmon_linux.log diff --git a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml index eb1ccc1cc..fd7d1cfaf 100644 --- a/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml +++ b/datasets/malware/dcrat/dcrat_delay_execution/dcrat_delay_execution.yml @@ -4,8 +4,6 @@ date: '2022-07-28' description: Generated datasets for dcrat delay execution in attack range. environment: attack_range directory: dcrat_delay_execution -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/dcrat/dcrat_delay_execution/sysmon.log diff --git a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml index 9dba18c37..2903992ae 100644 --- a/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml +++ b/datasets/malware/dcrat/dcrat_enum_camera/dcrat_enum_camera.yml @@ -4,8 +4,6 @@ date: '2022-07-29' description: Generated datasets for dcrat enum camera in attack range. environment: attack_range directory: dcrat_enum_camera -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/dcrat/dcrat_enum_camera/windows-powershell-xml.log diff --git a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml index f9811e585..4955f393c 100644 --- a/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml +++ b/datasets/malware/dcrat/dcrat_explorer_url/dcrat_explorer_url.yml @@ -4,8 +4,6 @@ date: '2022-08-01' description: Generated datasets for dcrat explorer url in attack range. environment: attack_range directory: dcrat_explorer_url -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/dcrat/dcrat_explorer_url/sysmon.log diff --git a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml index ce31f8674..00caf4d20 100644 --- a/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml +++ b/datasets/malware/dcrat/dcrat_forkbomb/dcrat_forkbomb.yml @@ -4,8 +4,6 @@ date: '2022-07-28' description: Generated datasets for dcrat forkbomb in attack range. environment: attack_range directory: dcrat_forkbomb -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/dcrat/dcrat_forkbomb/sysmon.log diff --git a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml index dc57d355e..11fe21df2 100644 --- a/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml +++ b/datasets/malware/dcrat/reboot_logoff_commandline/reboot_logoff_commandline.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory reboot_logoff_commandline environment: attack_range directory: reboot_logoff_commandline -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/dcrat/reboot_logoff_commandline/sysmon.log diff --git a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml index e5e96256f..a064392c3 100644 --- a/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml +++ b/datasets/malware/dcrat/shutdown_commandline/shutdown_commandline.yml @@ -4,8 +4,6 @@ date: '2022-07-27' description: Generated datasets for shutdown commandline in attack range. environment: attack_range directory: shutdown_commandline -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/dcrat/shutdown_commandline/sysmon.log diff --git a/datasets/malware/doublezero_wiper/doublezero_wiper.yml b/datasets/malware/doublezero_wiper/doublezero_wiper.yml index be2087175..ca45b4c2f 100644 --- a/datasets/malware/doublezero_wiper/doublezero_wiper.yml +++ b/datasets/malware/doublezero_wiper/doublezero_wiper.yml @@ -4,8 +4,6 @@ date: '2022-03-28' description: Generated datasets for doublezero wiper in attack range. environment: attack_range directory: doublezero_wiper -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/doublezero_wiper/sysmon.log diff --git a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml index 5e13bbd21..56b9d255b 100644 --- a/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml +++ b/datasets/malware/fin7/fin7_js_2/fin7_js_2.yml @@ -4,8 +4,6 @@ date: '2021-09-14' description: fin7 js implant data sets. environment: attack_range directory: fin7_js_2 -mitre_technique: -- unknown datasets: - name: wmi_module_loaded_sysmon path: /datasets/malware/fin7/fin7_js_2/wmi_module_loaded_sysmon.log diff --git a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml index 47d4e43d9..2210b1bdb 100644 --- a/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml +++ b/datasets/malware/fin7/fin7_macro_js_1/fin7_macro_js_1.yml @@ -4,8 +4,6 @@ date: '2021-09-14' description: fin7 macro and js implant data sets. environment: attack_range directory: fin7_macro_js_1 -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/fin7/fin7_macro_js_1/sysmon.log diff --git a/datasets/malware/fin7/fin7_sacl/fin7_sacl.yml b/datasets/malware/fin7/fin7_sacl/fin7_sacl_old.yml similarity index 100% rename from datasets/malware/fin7/fin7_sacl/fin7_sacl.yml rename to datasets/malware/fin7/fin7_sacl/fin7_sacl_old.yml diff --git a/datasets/malware/fin7/jssloader/jssloader.yml b/datasets/malware/fin7/jssloader/jssloader.yml index 76a41c0f6..df9f1f780 100644 --- a/datasets/malware/fin7/jssloader/jssloader.yml +++ b/datasets/malware/fin7/jssloader/jssloader.yml @@ -4,8 +4,6 @@ date: '2021-09-14' description: fin7 jssloader dataset. environment: attack_range directory: jssloader -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/fin7/jssloader/sysmon.log diff --git a/datasets/malware/gootloader/partial_ttps/partial_ttps.yml b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml index fdd11a907..6165584eb 100644 --- a/datasets/malware/gootloader/partial_ttps/partial_ttps.yml +++ b/datasets/malware/gootloader/partial_ttps/partial_ttps.yml @@ -5,8 +5,6 @@ description: Detection of gootloader common behaviors sourced from manual malwar testing in Q1 2023 environment: attack_range directory: partial_ttps -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/gootloader/partial_ttps/windows-powershell-xml.log diff --git a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml index 0bada3944..a38dfa59b 100644 --- a/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml +++ b/datasets/malware/hermetic_wiper/globalfolderoptions_reg/globalfolderoptions_reg.yml @@ -4,8 +4,6 @@ date: '2022-03-02' description: Generated datasets for globalfolderoptions reg in attack range. environment: attack_range directory: globalfolderoptions_reg -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/hermetic_wiper/globalfolderoptions_reg/sysmon.log diff --git a/datasets/malware/hermetic_wiper/hermetic_wiper.yml b/datasets/malware/hermetic_wiper/hermetic_wiper.yml index d67d437c2..1b6718c38 100644 --- a/datasets/malware/hermetic_wiper/hermetic_wiper.yml +++ b/datasets/malware/hermetic_wiper/hermetic_wiper.yml @@ -4,8 +4,6 @@ date: '2022-02-25' description: Generated datasets for hermetic wiper in attack range. environment: attack_range directory: hermetic_wiper -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/hermetic_wiper/sysmon.log diff --git a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml index c72ce3b1d..01e048745 100644 --- a/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml +++ b/datasets/malware/icedid/cmd_carry_str_param/cmd_carry_str_param.yml @@ -4,8 +4,6 @@ date: '2021-10-21' description: cmd carry out string command parameter data sets. environment: attack_range directory: cmd_carry_str_param -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/icedid/cmd_carry_str_param/sysmon.log diff --git a/datasets/malware/icedid/disable_av/disable_av.yml b/datasets/malware/icedid/disable_av/disable_av.yml index 16e717e87..5e410e7e3 100644 --- a/datasets/malware/icedid/disable_av/disable_av.yml +++ b/datasets/malware/icedid/disable_av/disable_av.yml @@ -4,8 +4,6 @@ date: '2021-10-18' description: icedid disable windows defender malware in attack range name. environment: attack_range directory: disable_av -mitre_technique: -- unknown datasets: - name: sysmon2 path: /datasets/malware/icedid/disable_av/sysmon2.log diff --git a/datasets/malware/icedid/disable_schtask/disable_schtask.yml b/datasets/malware/icedid/disable_schtask/disable_schtask.yml index 56f1b35f1..de8bbf090 100644 --- a/datasets/malware/icedid/disable_schtask/disable_schtask.yml +++ b/datasets/malware/icedid/disable_schtask/disable_schtask.yml @@ -4,8 +4,6 @@ date: '2021-10-18' description: icedid disable schedule task malware in attack range name. environment: attack_range directory: disable_schtask -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/icedid/disable_schtask/sysmon.log diff --git a/datasets/malware/icedid/inf_icedid/inf_icedid.yml b/datasets/malware/icedid/inf_icedid/inf_icedid.yml index 27a63d4f4..253f4c766 100644 --- a/datasets/malware/icedid/inf_icedid/inf_icedid.yml +++ b/datasets/malware/icedid/inf_icedid/inf_icedid.yml @@ -4,8 +4,6 @@ date: '2021-07-29' description: Execution of icedid malware in attack range name. environment: attack_range directory: inf_icedid -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/icedid/inf_icedid/windows-sysmon.log diff --git a/datasets/malware/icedid/phish_icedid/phish_icedid.yml b/datasets/malware/icedid/phish_icedid/phish_icedid.yml index 355d0cc1d..8c21d21c0 100644 --- a/datasets/malware/icedid/phish_icedid/phish_icedid.yml +++ b/datasets/malware/icedid/phish_icedid/phish_icedid.yml @@ -4,8 +4,6 @@ date: '2021-07-29' description: Execution of icedid malware in attack range name. environment: attack_range directory: phish_icedid -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/icedid/phish_icedid/windows-sysmon.log diff --git a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml index af0e3ef0b..b62dc9ec5 100644 --- a/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml +++ b/datasets/malware/icedid/simulated_icedid/simulated_icedid.yml @@ -4,8 +4,6 @@ date: '2021-08-05' description: simulated Execution of icedid malware in attack range name. environment: attack_range directory: simulated_icedid -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/icedid/simulated_icedid/windows-sysmon.log diff --git a/datasets/malware/industroyer2/industroyer2.yml b/datasets/malware/industroyer2/industroyer2.yml index 396acadcd..8bac8d097 100644 --- a/datasets/malware/industroyer2/industroyer2.yml +++ b/datasets/malware/industroyer2/industroyer2.yml @@ -4,8 +4,6 @@ date: '2022-04-22' description: Generated datasets for industroyer2 in attack range. environment: attack_range directory: industroyer2 -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/industroyer2/sysmon.log diff --git a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml index 7f44fdfc4..ebe42e238 100644 --- a/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml +++ b/datasets/malware/lockbit_ransomware/lockbit_ransomware.yml @@ -4,8 +4,6 @@ date: '2023-01-16' description: Generated datasets for lockbit ransomware in attack range. environment: attack_range directory: lockbit_ransomware -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/lockbit_ransomware/sysmon.log diff --git a/datasets/malware/minergate/data.yml b/datasets/malware/minergate/data.yml index fcc4d0e67..e004ad996 100644 --- a/datasets/malware/minergate/data.yml +++ b/datasets/malware/minergate/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory minergate environment: attack_range directory: minergate -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/minergate/windows-sysmon.log diff --git a/datasets/malware/olympic_destroyer/olympic_destroyer.yml b/datasets/malware/olympic_destroyer/olympic_destroyer.yml index ce9798756..8c8f34d5f 100644 --- a/datasets/malware/olympic_destroyer/olympic_destroyer.yml +++ b/datasets/malware/olympic_destroyer/olympic_destroyer.yml @@ -4,8 +4,6 @@ date: '2022-02-23' description: Generated datasets for olympic destroyer in attack range. environment: attack_range directory: olympic_destroyer -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/olympic_destroyer/sysmon.log diff --git a/datasets/malware/prestige_ransomware/prestige_ransomware.yml b/datasets/malware/prestige_ransomware/prestige_ransomware.yml index de4e87130..d06865845 100644 --- a/datasets/malware/prestige_ransomware/prestige_ransomware.yml +++ b/datasets/malware/prestige_ransomware/prestige_ransomware.yml @@ -4,8 +4,6 @@ date: '2022-11-30' description: Generated datasets for prestige ransomware in attack range. environment: attack_range directory: prestige_ransomware -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/prestige_ransomware/sysmon.log diff --git a/datasets/malware/qakbot/qakbot.yml b/datasets/malware/qakbot/qakbot.yml index 6145eaa72..07c9de82e 100644 --- a/datasets/malware/qakbot/qakbot.yml +++ b/datasets/malware/qakbot/qakbot.yml @@ -4,8 +4,6 @@ date: '2022-10-20' description: Generated datasets for qakbot in attack range. environment: attack_range directory: qakbot -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/qakbot/sysmon.log diff --git a/datasets/malware/qakbot/qbot2/qbot2.yml b/datasets/malware/qakbot/qbot2/qbot2.yml index a0b6afa46..0831a015c 100644 --- a/datasets/malware/qakbot/qbot2/qbot2.yml +++ b/datasets/malware/qakbot/qbot2/qbot2.yml @@ -4,8 +4,6 @@ date: '2022-10-24' description: Generated datasets for qbot2 in attack range. environment: attack_range directory: qbot2 -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/qakbot/qbot2/sysmon.log diff --git a/datasets/malware/qakbot/qbot_3/qbot_3.yml b/datasets/malware/qakbot/qbot_3/qbot_3.yml index aef76459b..57d2b64a5 100644 --- a/datasets/malware/qakbot/qbot_3/qbot_3.yml +++ b/datasets/malware/qakbot/qbot_3/qbot_3.yml @@ -4,8 +4,6 @@ date: '2022-10-27' description: Generated datasets for qbot 3 in attack range. environment: attack_range directory: qbot_3 -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/qakbot/qbot_3/sysmon.log diff --git a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml index 03d9abd9e..8545b000a 100644 --- a/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml +++ b/datasets/malware/qakbot/qbot_wermgr/qbot_wermgr.yml @@ -4,8 +4,6 @@ date: '2022-10-27' description: Generated datasets for qbot wermgr in attack range. environment: attack_range directory: qbot_wermgr -mitre_technique: -- unknown datasets: - name: sysmon_wermgr path: /datasets/malware/qakbot/qbot_wermgr/sysmon_wermgr.log diff --git a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml index 7cc93a910..7e168db79 100644 --- a/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml +++ b/datasets/malware/qakbot/qbot_wermgr2/qbot_wermgr2.yml @@ -4,8 +4,6 @@ date: '2022-10-27' description: Generated datasets for qbot wermgr2 in attack range. environment: attack_range directory: qbot_wermgr2 -mitre_technique: -- unknown datasets: - name: sysmon_wermgr2 path: /datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log diff --git a/datasets/malware/qakbot/remote_thread/remote_thread.yml b/datasets/malware/qakbot/remote_thread/remote_thread.yml index 31a3b2557..2e2bf2bc5 100644 --- a/datasets/malware/qakbot/remote_thread/remote_thread.yml +++ b/datasets/malware/qakbot/remote_thread/remote_thread.yml @@ -4,8 +4,6 @@ date: '2022-10-28' description: Generated datasets for remote thread in attack range. environment: attack_range directory: remote_thread -mitre_technique: -- unknown datasets: - name: sysmon_wermgr_remote path: /datasets/malware/qakbot/remote_thread/sysmon_wermgr_remote.log diff --git a/datasets/malware/ransomware_ttp/data1/data.yml b/datasets/malware/ransomware_ttp/data1/data.yml index 82e70e03a..bed16fde2 100644 --- a/datasets/malware/ransomware_ttp/data1/data.yml +++ b/datasets/malware/ransomware_ttp/data1/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory data1 environment: attack_range directory: data1 -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/ransomware_ttp/data1/windows-sysmon.log diff --git a/datasets/malware/ransomware_ttp/data2/data.yml b/datasets/malware/ransomware_ttp/data2/data.yml index 424447ce2..31a2beef1 100644 --- a/datasets/malware/ransomware_ttp/data2/data.yml +++ b/datasets/malware/ransomware_ttp/data2/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory data2 environment: attack_range directory: data2 -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/ransomware_ttp/data2/windows-sysmon.log diff --git a/datasets/malware/redline/browser_ext_access/browser_ext_access.yml b/datasets/malware/redline/browser_ext_access/browser_ext_access_old.yml similarity index 100% rename from datasets/malware/redline/browser_ext_access/browser_ext_access.yml rename to datasets/malware/redline/browser_ext_access/browser_ext_access_old.yml diff --git a/datasets/malware/redline/browser_list/browser_list.yml b/datasets/malware/redline/browser_list/browser_list_old.yml similarity index 100% rename from datasets/malware/redline/browser_list/browser_list.yml rename to datasets/malware/redline/browser_list/browser_list_old.yml diff --git a/datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access.yml b/datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access_old.yml similarity index 100% rename from datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access.yml rename to datasets/malware/redline/chrome_local_state_simulate_access/chrome_local_state_simulate_access_old.yml diff --git a/datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access.yml b/datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access_old.yml similarity index 100% rename from datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access.yml rename to datasets/malware/redline/chrome_login_data_simulate_access/chrome_login_data_simulate_access_old.yml diff --git a/datasets/malware/redline/modify_registry/modify_registry.yml b/datasets/malware/redline/modify_registry/modify_registry.yml index e09debf29..52295dfdc 100644 --- a/datasets/malware/redline/modify_registry/modify_registry.yml +++ b/datasets/malware/redline/modify_registry/modify_registry.yml @@ -4,8 +4,6 @@ date: '2023-04-24' description: Generated datasets for modify registry in attack range. environment: attack_range directory: modify_registry -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/redline/modify_registry/sysmon.log diff --git a/datasets/malware/redline/recon_registry/recon_registry.yml b/datasets/malware/redline/recon_registry/recon_registry_old.yml similarity index 100% rename from datasets/malware/redline/recon_registry/recon_registry.yml rename to datasets/malware/redline/recon_registry/recon_registry_old.yml diff --git a/datasets/malware/redline/win_update_services_stop/win_update_services_stop.yml b/datasets/malware/redline/win_update_services_stop/win_update_services_stop_old.yml similarity index 100% rename from datasets/malware/redline/win_update_services_stop/win_update_services_stop.yml rename to datasets/malware/redline/win_update_services_stop/win_update_services_stop_old.yml diff --git a/datasets/malware/remcos/remcos/remcos.yml b/datasets/malware/remcos/remcos/remcos.yml index 21f5718d3..4d06fe06a 100644 --- a/datasets/malware/remcos/remcos/remcos.yml +++ b/datasets/malware/remcos/remcos/remcos.yml @@ -4,8 +4,6 @@ date: '2021-10-05' description: Remcos Sample -https://tria.ge/210929-ap75vsddan, https://www.virustotal.com/gui/file/cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89 environment: attack_range directory: remcos -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/remcos/remcos/windows-sysmon.log diff --git a/datasets/malware/remcos/remcos_agent/remcos_agent.yml b/datasets/malware/remcos/remcos_agent/remcos_agent.yml index 739a1b870..809cb8d8a 100644 --- a/datasets/malware/remcos/remcos_agent/remcos_agent.yml +++ b/datasets/malware/remcos/remcos_agent/remcos_agent.yml @@ -4,8 +4,6 @@ date: '2021-09-22' description: remcos RAT agent data sets. environment: attack_range directory: remcos_agent -mitre_technique: -- unknown datasets: - name: sysmon_wav path: /datasets/malware/remcos/remcos_agent/sysmon_wav.log diff --git a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml index 0076e62c1..e930d49e0 100644 --- a/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml +++ b/datasets/malware/remcos/remcos_dynwrapx/remcos_dynwrapx.yml @@ -4,8 +4,6 @@ date: '2021-11-18' description: simulated remcos script loading dynwrapx.dll for shellcode execution environment: attack_range directory: remcos_dynwrapx -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/remcos/remcos_dynwrapx/windows-sysmon.log diff --git a/datasets/malware/remcos/remcos_panel_client/remcos_panel_client.yml b/datasets/malware/remcos/remcos_panel_client/remcos_panel_client_old.yml similarity index 100% rename from datasets/malware/remcos/remcos_panel_client/remcos_panel_client.yml rename to datasets/malware/remcos/remcos_panel_client/remcos_panel_client_old.yml diff --git a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml index 3f7f515f7..d0be13c43 100644 --- a/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml +++ b/datasets/malware/remcos/remcos_pastebin_download/remcos_pastebin_download.yml @@ -4,8 +4,6 @@ date: '2021-11-18' description: simulated remcos script download malicious stager in pastebin or discord. environment: attack_range directory: remcos_pastebin_download -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/remcos/remcos_pastebin_download/sysmon.log diff --git a/datasets/malware/remcos/remcos_registry/remcos_registry.yml b/datasets/malware/remcos/remcos_registry/remcos_registry.yml index 589aa281c..8af436cee 100644 --- a/datasets/malware/remcos/remcos_registry/remcos_registry.yml +++ b/datasets/malware/remcos/remcos_registry/remcos_registry.yml @@ -4,8 +4,6 @@ date: '2022-03-21' description: Generated datasets for remcos registry in attack range. environment: attack_range directory: remcos_registry -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/remcos/remcos_registry/sysmon.log diff --git a/datasets/malware/revil/inf1/data.yml b/datasets/malware/revil/inf1/data.yml index b77fc81a9..7a9266134 100644 --- a/datasets/malware/revil/inf1/data.yml +++ b/datasets/malware/revil/inf1/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory inf1 environment: attack_range directory: inf1 -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/revil/inf1/windows-sysmon.log diff --git a/datasets/malware/revil/inf2/data.yml b/datasets/malware/revil/inf2/data.yml index ee5d30793..f08ef43f4 100644 --- a/datasets/malware/revil/inf2/data.yml +++ b/datasets/malware/revil/inf2/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory inf2 environment: attack_range directory: inf2 -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/revil/inf2/windows-sysmon.log diff --git a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml index a49929ba1..879c2f097 100644 --- a/datasets/malware/revil/msmpeng_side/msmpeng_side.yml +++ b/datasets/malware/revil/msmpeng_side/msmpeng_side.yml @@ -4,8 +4,6 @@ date: '2021-07-05' description: side loading dll to load evil ransomware using msmpeng.exe application environment: attack_range directory: msmpeng_side -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/revil/msmpeng_side/windows-sysmon.log diff --git a/datasets/malware/ryuk/ryuk.yml b/datasets/malware/ryuk/ryuk.yml index 83ae8b94e..7ef63c1e1 100644 --- a/datasets/malware/ryuk/ryuk.yml +++ b/datasets/malware/ryuk/ryuk.yml @@ -4,8 +4,6 @@ date: '2020-11-30' description: Execution of ryuk malware on Windows 10 endpoint. environment: attack_range directory: ryuk -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/ryuk/windows-sysmon.log diff --git a/datasets/malware/snakemalware/snakemalware.yml b/datasets/malware/snakemalware/snakemalware.yml index 35ac5dbd8..e3de16b90 100644 --- a/datasets/malware/snakemalware/snakemalware.yml +++ b/datasets/malware/snakemalware/snakemalware.yml @@ -4,8 +4,6 @@ date: '2023-05-11' description: Simulation of Snake Malware endpoint artifacts. environment: attack_range directory: snakemalware -mitre_technique: -- unknown datasets: - name: snake-service-windows-system path: /datasets/malware/snakemalware/snake-service-windows-system.log diff --git a/datasets/malware/swift_slicer/swift_slicer.yml b/datasets/malware/swift_slicer/swift_slicer.yml index 090600be9..3dfce1d17 100644 --- a/datasets/malware/swift_slicer/swift_slicer.yml +++ b/datasets/malware/swift_slicer/swift_slicer.yml @@ -4,8 +4,6 @@ date: '2023-02-02' description: Generated datasets for swift slicer in attack range. environment: attack_range directory: swift_slicer -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/swift_slicer/sysmon.log diff --git a/datasets/malware/trickbot/exe_smbshare/data.yml b/datasets/malware/trickbot/exe_smbshare/data.yml index 8a28afb0d..d08a7f23f 100644 --- a/datasets/malware/trickbot/exe_smbshare/data.yml +++ b/datasets/malware/trickbot/exe_smbshare/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory exe_smbshare environment: attack_range directory: exe_smbshare -mitre_technique: -- unknown datasets: - name: windows-xml path: /datasets/malware/trickbot/exe_smbshare/windows-xml.log diff --git a/datasets/malware/trickbot/infection/data.yml b/datasets/malware/trickbot/infection/data.yml index bdf65c95f..ca60462dd 100644 --- a/datasets/malware/trickbot/infection/data.yml +++ b/datasets/malware/trickbot/infection/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory infection environment: attack_range directory: infection -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/trickbot/infection/windows-sysmon.log diff --git a/datasets/malware/trickbot/namedpipe/data.yml b/datasets/malware/trickbot/namedpipe/data.yml index cd3826965..ba4136772 100644 --- a/datasets/malware/trickbot/namedpipe/data.yml +++ b/datasets/malware/trickbot/namedpipe/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory namedpipe environment: attack_range directory: namedpipe -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/trickbot/namedpipe/windows-sysmon.log diff --git a/datasets/malware/trickbot/spear_phish/spear_phish.yml b/datasets/malware/trickbot/spear_phish/spear_phish.yml index b1e835989..d8fcd6322 100644 --- a/datasets/malware/trickbot/spear_phish/spear_phish.yml +++ b/datasets/malware/trickbot/spear_phish/spear_phish.yml @@ -5,8 +5,6 @@ description: Spear Phishing Technique of trickbot using regsvr32, mshta, office and rundll32.. environment: attack_range directory: spear_phish -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/trickbot/spear_phish/windows-sysmon.log diff --git a/datasets/malware/vilsel/vilsel.yml b/datasets/malware/vilsel/vilsel.yml index 8ea88a5f7..954c68461 100644 --- a/datasets/malware/vilsel/vilsel.yml +++ b/datasets/malware/vilsel/vilsel.yml @@ -4,8 +4,6 @@ date: '2021-11-12' description: simulated ioc from vilsel malware. environment: attack_range directory: vilsel -mitre_technique: -- unknown datasets: - name: windows-xml path: /datasets/malware/vilsel/windows-xml.log diff --git a/datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver.yml b/datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver_old.yml similarity index 100% rename from datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver.yml rename to datasets/malware/warzone_rat/maxconnectionperserver/maxconnectionperserver_old.yml diff --git a/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass.yml b/datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass_old.yml similarity index 100% rename from datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass.yml rename to datasets/malware/warzone_rat/pkgmgr_uac_bypass/pkgmgr_uac_bypass_old.yml diff --git a/datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded.yml b/datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded_old.yml similarity index 100% rename from datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded.yml rename to datasets/malware/warzone_rat/unsigned_dll_loaded/unsigned_dll_loaded_old.yml diff --git a/datasets/malware/winpeas/powershell/powershell.yml b/datasets/malware/winpeas/powershell/powershell.yml index 44f96d585..4ce1847f9 100644 --- a/datasets/malware/winpeas/powershell/powershell.yml +++ b/datasets/malware/winpeas/powershell/powershell.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for powershell in attack range. environment: attack_range directory: powershell -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/winpeas/powershell/windows-powershell-xml.log diff --git a/datasets/malware/winpeas/winpeas.yml b/datasets/malware/winpeas/winpeas.yml index 3917b656c..079f611d5 100644 --- a/datasets/malware/winpeas/winpeas.yml +++ b/datasets/malware/winpeas/winpeas.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas in attack range. environment: attack_range directory: winpeas -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/winpeas/sysmon.log diff --git a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml index f50a4aa03..f7b86772a 100644 --- a/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml +++ b/datasets/malware/winpeas/winpeas_cmdkeylist/winpeas_cmdkeylist.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas cmdkeylist in attack range. environment: attack_range directory: winpeas_cmdkeylist -mitre_technique: -- unknown datasets: - name: cmdkey-sysmon path: /datasets/malware/winpeas/winpeas_cmdkeylist/cmdkey-sysmon.log diff --git a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml index 5d803297f..50430706e 100644 --- a/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml +++ b/datasets/malware/winpeas/winpeas_fsutil/winpeas_fsutil.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas fsutil in attack range. environment: attack_range directory: winpeas_fsutil -mitre_technique: -- unknown datasets: - name: fsutil-fsinfo-sysmon path: /datasets/malware/winpeas/winpeas_fsutil/fsutil-fsinfo-sysmon.log diff --git a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml index e15d06ab4..bf73995ce 100644 --- a/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml +++ b/datasets/malware/winpeas/winpeas_search_private_key/winpeas_search_private_key.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas search private key in attack range. environment: attack_range directory: winpeas_search_private_key -mitre_technique: -- unknown datasets: - name: dir-private-sysmon path: /datasets/malware/winpeas/winpeas_search_private_key/dir-private-sysmon.log diff --git a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml index 07d87a1d1..76b57601a 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd/winpeas_search_pwd.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas search pwd in attack range. environment: attack_range directory: winpeas_search_pwd -mitre_technique: -- unknown datasets: - name: query-putty-sysmon path: /datasets/malware/winpeas/winpeas_search_pwd/query-putty-sysmon.log diff --git a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml index 1b9d39886..c837e7c07 100644 --- a/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml +++ b/datasets/malware/winpeas/winpeas_search_pwd_db/winpeas_search_pwd_db.yml @@ -4,8 +4,6 @@ date: '2022-12-01' description: Generated datasets for winpeas search pwd db in attack range. environment: attack_range directory: winpeas_search_pwd_db -mitre_technique: -- unknown datasets: - name: dir-db-sysmon path: /datasets/malware/winpeas/winpeas_search_pwd_db/dir-db-sysmon.log diff --git a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml index 2d66c0cff..3c2a1e563 100644 --- a/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml +++ b/datasets/malware/winter-vivern/pwh_exfiltration/pwh_exfiltration.yml @@ -4,8 +4,6 @@ date: '2023-02-21' description: Generated datasets for pwh exfiltration in attack range. environment: attack_range directory: pwh_exfiltration -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/winter-vivern/pwh_exfiltration/windows-powershell-xml.log diff --git a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml index b402c0069..4b30cb2c9 100644 --- a/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml +++ b/datasets/malware/winter-vivern/pwh_uploadstring/pwh_uploadstring.yml @@ -4,8 +4,6 @@ date: '2023-02-21' description: Generated datasets for pwh uploadstring in attack range. environment: attack_range directory: pwh_uploadstring -mitre_technique: -- unknown datasets: - name: windows-powershell-xml path: /datasets/malware/winter-vivern/pwh_uploadstring/windows-powershell-xml.log diff --git a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml index 54baacde2..c183639d6 100644 --- a/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml +++ b/datasets/malware/winter-vivern/scheduledtask/scheduledtask.yml @@ -4,8 +4,6 @@ date: '2023-02-21' description: Generated datasets for scheduledtask in attack range. environment: attack_range directory: scheduledtask -mitre_technique: -- unknown datasets: - name: sysmon path: /datasets/malware/winter-vivern/scheduledtask/sysmon.log diff --git a/datasets/malware/xmrig_miner/data.yml b/datasets/malware/xmrig_miner/data.yml index 236d4132a..19652bb09 100644 --- a/datasets/malware/xmrig_miner/data.yml +++ b/datasets/malware/xmrig_miner/data.yml @@ -4,8 +4,6 @@ date: '2025-08-12' description: Automatically categorized datasets in directory xmrig_miner environment: attack_range directory: xmrig_miner -mitre_technique: -- unknown datasets: - name: windows-sysmon path: /datasets/malware/xmrig_miner/windows-sysmon.log diff --git a/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched.yml b/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched_old.yml similarity index 100% rename from datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched.yml rename to datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/abnormally_high_cloud_instances_launched_old.yml diff --git a/datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts.yml b/datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts.yml rename to datasets/suspicious_behaviour/alerts/cisco_secure_app_alerts_old.yml diff --git a/datasets/suspicious_behaviour/alerts/defender_incident_alerts.yml b/datasets/suspicious_behaviour/alerts/defender_incident_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/alerts/defender_incident_alerts.yml rename to datasets/suspicious_behaviour/alerts/defender_incident_alerts_old.yml diff --git a/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml b/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml similarity index 100% rename from datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction.yml rename to datasets/suspicious_behaviour/certutil_exe_certificate_extraction/certutil_exe_certificate_extraction_old.yml diff --git a/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.yml b/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts_old.yml similarity index 100% rename from datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.yml rename to datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.yml b/datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/event_stream_events/stream_events_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore_old.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password_old.yml similarity index 100% rename from datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml rename to datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password_old.yml diff --git a/datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis.yml b/datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis_old.yml similarity index 100% rename from datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis.yml rename to datasets/suspicious_behaviour/exchange_2016_iis/exchange_2016_iis_old.yml diff --git a/datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service.yml b/datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service_old.yml similarity index 100% rename from datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service.yml rename to datasets/suspicious_behaviour/first_time_windows_service/first_time_windows_service_old.yml diff --git a/datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation.yml b/datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation.yml rename to datasets/suspicious_behaviour/linux_post_exploitation/linux_post_exploitation_old.yml diff --git a/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation.yml b/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation_old.yml similarity index 100% rename from datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation.yml rename to datasets/suspicious_behaviour/log4shell_exploitation/log4shell_exploitation_old.yml diff --git a/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.yml b/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk_old.yml similarity index 100% rename from datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.yml rename to datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk_old.yml diff --git a/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.yml b/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike_old.yml similarity index 100% rename from datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.yml rename to datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike_old.yml diff --git a/datasets/suspicious_behaviour/windows_lolbas_risk/replay.yml b/datasets/suspicious_behaviour/windows_lolbas_risk/replay_old.yml similarity index 100% rename from datasets/suspicious_behaviour/windows_lolbas_risk/replay.yml rename to datasets/suspicious_behaviour/windows_lolbas_risk/replay_old.yml diff --git a/datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk.yml b/datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk_old.yml similarity index 100% rename from datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk.yml rename to datasets/suspicious_behaviour/windows_lolbas_risk/windows_lolbas_risk_old.yml From b62b85f6dd2a497e42fee41b90536bd7222dcaaa Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 18 Aug 2025 11:30:43 +0200 Subject: [PATCH 12/18] merge with master --- .github/VALIDATION_WORKFLOWS.md | 245 +++++++++++++++++++ .github/workflows/required-checks.yml | 59 +++++ .github/workflows/validate-changed-files.yml | 164 +++++++++++++ .github/workflows/validate-pr.yml | 69 ++++++ .github/workflows/validate-push.yml | 72 ++++++ 5 files changed, 609 insertions(+) create mode 100644 .github/VALIDATION_WORKFLOWS.md create mode 100644 .github/workflows/required-checks.yml create mode 100644 .github/workflows/validate-changed-files.yml create mode 100644 .github/workflows/validate-pr.yml create mode 100644 .github/workflows/validate-push.yml diff --git a/.github/VALIDATION_WORKFLOWS.md b/.github/VALIDATION_WORKFLOWS.md new file mode 100644 index 000000000..eb2f23dca --- /dev/null +++ b/.github/VALIDATION_WORKFLOWS.md @@ -0,0 +1,245 @@ +# Attack Data Validation Workflows + +This document explains the GitHub Actions workflows that automatically validate attack data YAML files on every pull request and push to ensure data quality and consistency. + +## Overview + +The validation system consists of four main workflows that work together to ensure all attack data meets the required schema and quality standards: + +1. **validate-pr.yml** - Full validation on all PRs +2. **validate-changed-files.yml** - Optimized validation for only changed files +3. **validate-push.yml** - Validation on pushes to main branches +4. **required-checks.yml** - Status checks and YAML linting + +## Workflows Description + +### 1. Validate Attack Data on PR (`validate-pr.yml`) + +**Triggers:** Pull requests to `master` or `main` branches +**Purpose:** Comprehensive validation of all dataset YAML files + +**Features:** +- Runs on PR open, synchronize, and reopen events +- Validates all YAML files in the `datasets/` directory +- Uses the validation script at `bin/validate.py` +- Comments on PR with success/failure status +- Only triggers when relevant files are changed + +**Path filters:** +- `datasets/**/*.yml` +- `datasets/**/*.yaml` +- `bin/validate.py` +- `bin/dataset_schema.json` +- `bin/requirements.txt` + +### 2. Validate Changed Attack Data Files (`validate-changed-files.yml`) + +**Triggers:** Pull requests to `master` or `main` branches +**Purpose:** Fast validation of only changed YAML files + +**Features:** +- Optimized for performance - only validates changed files +- Uses `tj-actions/changed-files` to detect modifications +- Provides detailed feedback on which files passed/failed +- Automatically skips if no YAML files were changed +- Comments on PR with detailed results + +**Benefits:** +- Faster execution for large repositories +- Clear visibility into which specific files have issues +- Reduces CI/CD time for PRs with few changes + +### 3. Validate Attack Data on Push (`validate-push.yml`) + +**Triggers:** Pushes to `master` or `main` branches +**Purpose:** Safety net to catch validation failures that reach main branches + +**Features:** +- Validates all dataset files after merge +- Creates GitHub issues automatically if validation fails +- Provides detailed error reporting +- Labels issues with appropriate tags for triage + +**Issue Creation:** +- Creates issues labeled with `bug`, `validation-failure`, `high-priority` +- Includes commit hash and workflow run links +- Provides action items for resolution + +### 4. Required Status Checks (`required-checks.yml`) + +**Triggers:** Pull requests to `master` or `main` branches +**Purpose:** Enforce validation requirements and provide additional checks + +**Features:** +- Basic YAML syntax linting with `yamllint` +- Status check requirement enforcement +- Configuration for branch protection rules + +## Setup Instructions + +### 1. Branch Protection Rules + +To enforce these validations, configure branch protection rules in your GitHub repository: + +1. Go to **Settings** → **Branches** +2. Add a rule for your main branch (`master` or `main`) +3. Enable **Require status checks to pass before merging** +4. Add these required status checks: + - `validate-attack-data` (from validate-pr.yml) + - `validate-changed-files` (from validate-changed-files.yml) + - `validation-status` (from required-checks.yml) + - `yaml-lint` (from required-checks.yml) + +### 2. Repository Secrets + +No additional secrets are required for the validation workflows. They use the default `GITHUB_TOKEN` for commenting on PRs and creating issues. + +### 3. Dependencies + +The workflows automatically install Python dependencies from `bin/requirements.txt`: +- `pyyaml` +- `jsonschema` +- Other dependencies as needed + +## Validation Rules + +The validation process checks: + +### Schema Validation +- All YAML files must conform to the JSON schema in `bin/dataset_schema.json` +- Required fields must be present and properly formatted +- Data types must match schema specifications + +### Custom Validations +- **UUID Format**: The `id` field must be a valid UUID +- **Date Format**: The `date` field must follow YYYY-MM-DD format +- **File Naming**: Template files and files with 'old' in the name are excluded + +### YAML Syntax +- Valid YAML syntax +- Proper indentation (2 spaces) +- Line length limits (120 characters) +- Consistent formatting + +## Workflow Outputs + +### Success Scenarios +- ✅ PR comments indicating successful validation +- ✅ Green status checks in PR interface +- ✅ Detailed file-by-file validation results + +### Failure Scenarios +- ❌ PR comments with error details +- ❌ Failed status checks blocking merge +- 🚨 Automatic issue creation for main branch failures +- 📝 Detailed error logs in workflow runs + +## Troubleshooting + +### Common Issues + +1. **Schema Validation Errors** + - Check that all required fields are present + - Verify field data types match schema + - Ensure proper YAML formatting + +2. **UUID Format Errors** + - Generate valid UUIDs using tools like `uuidgen` + - Ensure no extra characters or formatting + +3. **Date Format Errors** + - Use YYYY-MM-DD format (e.g., 2024-01-15) + - Avoid time components or other formats + +4. **YAML Syntax Errors** + - Use a YAML validator or linter + - Check indentation (use spaces, not tabs) + - Verify string quoting when needed + +### Debugging Workflows + +1. **Check Workflow Logs** + - Go to Actions tab in GitHub + - Click on the failed workflow run + - Review step-by-step execution logs + +2. **Local Testing** + ```bash + cd bin + python validate.py ../datasets + ``` + +3. **File-Specific Testing** + ```bash + cd bin + python validate.py path/to/specific/file.yml + ``` + +## Best Practices + +### For Contributors + +1. **Test Locally First** + - Run validation script before pushing + - Use the same schema and validation rules + +2. **Keep Changes Small** + - Smaller PRs are easier to validate and review + - Changed-files workflow provides faster feedback + +3. **Follow Schema Requirements** + - Always include required fields + - Use proper data types and formats + - Reference schema documentation + +### For Maintainers + +1. **Monitor Validation Health** + - Review failed workflows regularly + - Update schema as requirements evolve + - Keep dependencies updated + +2. **Branch Protection** + - Enforce status checks on main branches + - Require reviews in addition to validation + - Consider additional quality gates + +3. **Issue Triage** + - Address validation failures on main branches quickly + - Create hotfix procedures for critical issues + - Maintain schema documentation + +## Files Structure + +``` +.github/ +├── workflows/ +│ ├── validate-pr.yml # Full PR validation +│ ├── validate-changed-files.yml # Changed files validation +│ ├── validate-push.yml # Push validation +│ └── required-checks.yml # Status checks & linting +└── VALIDATION_WORKFLOWS.md # This documentation + +bin/ +├── validate.py # Main validation script +├── dataset_schema.json # JSON schema definition +└── requirements.txt # Python dependencies + +datasets/ # Attack data files +└── **/*.yml, **/*.yaml # Files to validate +``` + +## Support + +For issues with validation workflows: + +1. Check this documentation first +2. Review workflow logs in GitHub Actions +3. Test validation locally using the `validate.py` script +4. Create an issue if problems persist + +For schema-related questions: +- Review `bin/dataset_schema.json` +- Check existing valid examples in `datasets/` +- Refer to attack data documentation + diff --git a/.github/workflows/required-checks.yml b/.github/workflows/required-checks.yml new file mode 100644 index 000000000..378f6d020 --- /dev/null +++ b/.github/workflows/required-checks.yml @@ -0,0 +1,59 @@ +name: Required Status Checks + +on: + pull_request: + branches: [ master, main ] + types: [opened, synchronize, reopened] + +jobs: + # This job ensures all validation workflows are required for PRs + validation-status: + runs-on: ubuntu-latest + steps: + - name: Check validation status + run: | + echo "This workflow ensures that all validation checks are required for PR merging." + echo "Required workflows:" + echo " ✅ Validate Attack Data on PR" + echo " ✅ Validate Changed Attack Data Files" + echo "" + echo "This job will always pass, but the other validation workflows must complete successfully." + echo "Configure branch protection rules to require these status checks before merging." + + # Lint YAML syntax (basic check) + yaml-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + + - name: Install yamllint + run: pip install yamllint + + - name: Lint YAML files + run: | + # Create a yamllint configuration + cat > .yamllint.yml << 'EOF' + extends: default + rules: + line-length: + max: 120 + indentation: + spaces: 2 + comments: + min-spaces-from-content: 1 + document-start: disable + truthy: disable + EOF + + # Find and lint all YAML files in datasets + find datasets -name "*.yml" -o -name "*.yaml" | while read file; do + echo "Linting: $file" + yamllint -c .yamllint.yml "$file" + done + diff --git a/.github/workflows/validate-changed-files.yml b/.github/workflows/validate-changed-files.yml new file mode 100644 index 000000000..da1d6ca81 --- /dev/null +++ b/.github/workflows/validate-changed-files.yml @@ -0,0 +1,164 @@ +name: Validate Changed Attack Data Files + +on: + pull_request: + branches: [ master, main ] + types: [opened, synchronize, reopened] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + +jobs: + validate-changed-files: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + lfs: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r bin/requirements.txt + + - name: Get changed YAML files + id: changed-files + uses: tj-actions/changed-files@v41 + with: + files: | + datasets/**/*.yml + datasets/**/*.yaml + separator: "," + + - name: Validate changed YAML files + if: steps.changed-files.outputs.any_changed == 'true' + run: | + echo "Changed YAML files:" + echo "${{ steps.changed-files.outputs.all_changed_files }}" + + # Create a temporary script to validate only changed files + cat > validate_changed.py << 'EOF' + #!/usr/bin/env python3 + import sys + import os + sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'bin')) + + from validate import load_yaml_schema, validate_yaml_file + from pathlib import Path + + # Get changed files from environment + changed_files = os.environ.get('CHANGED_FILES', '').split(',') + changed_files = [f.strip() for f in changed_files if f.strip()] + + if not changed_files: + print("No changed YAML files to validate") + sys.exit(0) + + # Load schema + schema = load_yaml_schema() + + total_files = len(changed_files) + valid_files = 0 + invalid_files = 0 + failed_validations = [] + + print(f"Validating {total_files} changed YAML file(s)...") + print("-" * 60) + + for file_path in changed_files: + yaml_file = Path(file_path) + if not yaml_file.exists(): + print(f"⚠️ File not found (may have been deleted): {yaml_file}") + continue + + print(f"\nValidating: {yaml_file}") + errors = validate_yaml_file(yaml_file, schema) + + if errors: + invalid_files += 1 + print(f"❌ INVALID - {len(errors)} error(s):") + for error in errors: + print(f" • {error}") + failed_validations.append((yaml_file, errors)) + else: + valid_files += 1 + print("✅ VALID") + + # Print summary + print("\n" + "=" * 60) + print("VALIDATION SUMMARY") + print("=" * 60) + print(f"Total files processed: {valid_files + invalid_files}") + print(f"Valid files: {valid_files}") + print(f"Invalid files: {invalid_files}") + + if invalid_files > 0: + print(f"\n❌ {invalid_files} file(s) failed validation!") + sys.exit(1) + else: + print("\n✅ All changed files passed validation!") + EOF + + # Run validation on changed files + CHANGED_FILES="${{ steps.changed-files.outputs.all_changed_files }}" python validate_changed.py + env: + PYTHONPATH: ${{ github.workspace }}/bin + + - name: No YAML files changed + if: steps.changed-files.outputs.any_changed == 'false' + run: | + echo "No YAML files were changed in this PR. Skipping validation." + + - name: Comment PR on validation failure + if: failure() && steps.changed-files.outputs.any_changed == 'true' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: `❌ **Changed Files Validation Failed** + + The following changed YAML files in this PR do not pass validation: + + \`\`\` + ${{ steps.changed-files.outputs.all_changed_files }} + \`\`\` + + Please check the workflow logs for detailed error messages and fix the issues before merging. + + [View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})` + }); + + - name: Comment PR on validation success + if: success() && steps.changed-files.outputs.any_changed == 'true' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: `✅ **Changed Files Validation Passed** + + All changed YAML files in this PR have been successfully validated: + + \`\`\` + ${{ steps.changed-files.outputs.all_changed_files }} + \`\`\` + + Ready for review and merge! 🚀` + }); + diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml new file mode 100644 index 000000000..578ebe158 --- /dev/null +++ b/.github/workflows/validate-pr.yml @@ -0,0 +1,69 @@ +name: Validate Attack Data on PR + +on: + pull_request: + branches: [ master, main ] + types: [opened, synchronize, reopened] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + +jobs: + validate-attack-data: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + # Fetch full history for proper validation + fetch-depth: 0 + lfs: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r bin/requirements.txt + + - name: Validate YAML files + run: | + cd bin + python validate.py ../datasets + env: + PYTHONPATH: ${{ github.workspace }}/bin + + - name: Comment PR on failure + if: failure() + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: '❌ **Attack Data Validation Failed**\n\nThe YAML files in this PR do not pass validation. Please check the workflow logs for detailed error messages and fix the issues before merging.\n\n[View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + }); + + - name: Comment PR on success + if: success() + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: '✅ **Attack Data Validation Passed**\n\nAll YAML files in this PR have been successfully validated against the schema.' + }); + diff --git a/.github/workflows/validate-push.yml b/.github/workflows/validate-push.yml new file mode 100644 index 000000000..e81a1925c --- /dev/null +++ b/.github/workflows/validate-push.yml @@ -0,0 +1,72 @@ +name: Validate Attack Data on Push + +on: + push: + branches: [ master, main ] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + +jobs: + validate-attack-data: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + lfs: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r bin/requirements.txt + + - name: Validate YAML files + run: | + cd bin + python validate.py ../datasets + env: + PYTHONPATH: ${{ github.workspace }}/bin + + - name: Create issue on validation failure + if: failure() + uses: actions/github-script@v7 + with: + script: | + const title = `🚨 Attack Data Validation Failed - ${new Date().toISOString().split('T')[0]}`; + const body = `**Validation failed on push to ${context.ref}** + + Commit: ${context.sha} + + The YAML files in the datasets directory do not pass validation. This indicates that invalid data has been merged into the main branch. + + **Action Required:** + 1. Review the [failed workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) + 2. Fix the validation errors + 3. Create a hotfix PR to resolve the issues + + **Files that may be affected:** + - datasets/**/*.yml + - datasets/**/*.yaml + - bin/validate.py + - bin/dataset_schema.json + `; + + await github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: title, + body: body, + labels: ['bug', 'validation-failure', 'high-priority'] + }); + From 7e8bc309fb72f4cb55e05c4048df7c9cfc8ac771 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Mon, 18 Aug 2025 16:43:04 +0200 Subject: [PATCH 13/18] fixed failed validation --- .../esxi_sensitive_files.yml | 14 +++++++------ .../esxi_vm_download/esxi_vm_download.yml | 16 ++++++++------- .../T1014/medusa_rootkit/medusa.yml | 15 +++++++------- .../macos_net_discovery.yml | 19 +++++++++++------- .../T1021.001/bmc_creation/bmc_creation.yml | 14 +++++++------ .../T1021.001/mstsc_admini/mstsc_admini.yml | 14 +++++++------ .../T1021.001/rdp_creation/rdp_creation.yml | 14 +++++++------ .../rdp_session_established.yml | 14 +++++++------ .../terminal_server_reg_created.yml | 14 +++++++------ .../T1021.001/unhide_file/unhide_file.yml | 14 +++++++------ .../esxi_ssh_enabled/esxi_ssh_enabled.yml | 14 +++++++------ .../esxi_shell_enabled/esxi_shell_enabled.yml | 14 +++++++------ .../esxi_reverse_shell/esxi_reverse_shell.yml | 14 +++++++------ .../T1059/vmtoolsd/vmtoolsd_execution.yml | 14 +++++++------ .../automatic_file_deleted.yml | 14 +++++++------ .../bmc_file_deleted/bmc_file_deleted.yml | 14 +++++++------ .../T1070.004/rdp_deletion/rdp_deletion.yml | 14 +++++++------ .../terminal_server_reg_deleted.yml | 14 +++++++------ .../esxi_system_clock_manipulation.yml | 14 +++++++------ .../esxi_external_root_login.yml | 14 +++++++------ .../esxi_stolen_root_account.yml | 14 +++++++------ .../esxi_system_information.yml | 14 +++++++------ .../esxi_account_modified.yml | 14 +++++++------ .../T1098/esxi_admin_role/esxi_admin_role.yml | 14 +++++++------ .../esxi_ssh_brute_force.yml | 14 +++++++------ .../reg_profiles_private.yml | 14 +++++++------ .../T1204.002/appx/appx_deployment.yml | 19 +++++++++++------- .../rundll32_dll_in_temp.yml | 14 +++++++------ .../sharepoint_webshell/sharepointshells.yml | 18 ++++++++--------- .../esxi_malicious_vib_forced_install.yml | 14 +++++++------ .../esxi_bulk_vm_termination.yml | 14 +++++++------ .../esxi_audit_tampering.yml | 14 +++++++------ .../esxi_loghost_config_tampering.yml | 14 +++++++------ .../esxi_syslog_config/esxi_syslog_config.yml | 14 +++++++------ .../esxi_firewall_disabled.yml | 14 +++++++------ .../esxi_encryption_modified.yml | 14 +++++++------ .../esxi_lockdown_disabled.yml | 14 +++++++------ .../esxi_vib_acceptance_level_tampering.yml | 16 ++++++++------- .../attack_techniques/T1567/gdrive/gdrive.yml | 20 +++++++++++-------- .../firewall_api_path/firewall_api_path.yml | 14 +++++++------ .../esxi_dormant_vm_started.yml | 14 +++++++------ .../add_store_cert/add_store_cert.yml | 14 +++++++------ .../esxi_download_errors.yml | 14 +++++++------ .../esxi_vm_discovery/esxi_vm_discovery.yml | 16 ++++++++------- 44 files changed, 367 insertions(+), 276 deletions(-) diff --git a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml index 0d969405e..0b412daf5 100644 --- a/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml +++ b/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml @@ -3,9 +3,11 @@ id: f4e7c8fc-c534-415b-9f99-9e9419096db5 date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1003/008 +directory: esxi_sensitive_files +mitre_technique: +- T1003.008 +datasets: +- name: esxi_shell_enabled + path: /datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml index 7024e2b33..30accb17c 100644 --- a/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml +++ b/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386 date: '2025-07-09' -description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools." +description: Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools. environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1005 +directory: esxi_vm_download +mitre_technique: +- T1005 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml b/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml index 7c9c63691..4f7540439 100644 --- a/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml +++ b/datasets/attack_techniques/T1014/medusa_rootkit/medusa.yml @@ -3,10 +3,11 @@ id: 2481e83c-b888-4383-bc61-9d292f4e03ea date: '2025-08-05' description: Logs from usage of the Medusa rootkit on a Linux host. environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1014/ +directory: medusa_rootkit +mitre_technique: +- T1014 +datasets: +- name: sysmon_linux + path: /datasets/attack_techniques/T1014/medusa_rootkit/sysmon_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml b/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml index d200ffa42..647347365 100644 --- a/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml +++ b/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_net_discovery.yml @@ -3,10 +3,15 @@ id: e0c0d5e5-8c29-4db3-9d27-d42f31c552f5 date: '2025-08-15' description: Generated datasets for MacOS net discovery environment: vm -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log -sourcetypes: -- osquery:results -references: -- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md \ No newline at end of file +directory: macos_net_discovery +mitre_technique: +- T1016 +datasets: +- name: osquery:results + path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log + sourcetype: osquery:results + source: osquery:results +- name: osquery:results + path: /datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: osquery:results \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml index fd564fe6e..dae784e42 100644 --- a/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml +++ b/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.yml @@ -3,9 +3,11 @@ id: 2050c38a-6d1e-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for bmc creation in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/bmc_creation/bmc_creation.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: bmc_creation +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/bmc_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml index 706475278..0c0ba143a 100644 --- a/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml +++ b/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admini.yml @@ -3,9 +3,11 @@ id: bf432e34-6d3b-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for mstsc admini in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/mstsc_admini/mstsc_admin.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: mstsc_admini +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/mstsc_admini/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml b/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml index 9fcfe8967..d55258678 100644 --- a/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml +++ b/datasets/attack_techniques/T1021.001/rdp_creation/rdp_creation.yml @@ -3,9 +3,11 @@ id: 30e07cc0-6d25-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for rdp creation in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_creation/deafault_rdp_created.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: rdp_creation +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/rdp_creation/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml b/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml index 34e28e932..cf28cd542 100644 --- a/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml +++ b/datasets/attack_techniques/T1021.001/rdp_session_established/rdp_session_established.yml @@ -3,9 +3,11 @@ id: d96eb482-6dee-11f0-b544-629be3538069 date: '2025-07-31' description: Generated datasets for rdp session established in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log -sourcetypes: -- 'XmlWinEventLog:Security' -references: -- https://thelocalh0st.github.io/posts/rdp/ \ No newline at end of file +directory: rdp_session_established +mitre_technique: +- T1021.001 +datasets: +- name: windows-security + path: /datasets/attack_techniques/T1021.001/rdp_session_established/4624_10_logon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Security \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml index e320f516d..30c1c856e 100644 --- a/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml +++ b/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_server_reg_created.yml @@ -3,9 +3,11 @@ id: 27f7e43a-6d3a-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for terminal server reg created in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/terminal_server_reg_created/terminal_sever_client_Reg_created.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: terminal_server_reg_created +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/terminal_server_reg_created/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml index 9f5fa6747..250d33eb3 100644 --- a/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml +++ b/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.yml @@ -3,9 +3,11 @@ id: a2d674e4-6d3c-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for unhide file in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/unhide_file/unhide_file.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: unhide_file +mitre_technique: +- T1021.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1021.001/unhide_file/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml index 4e7ed3744..a679440c8 100644 --- a/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml +++ b/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml @@ -3,9 +3,11 @@ id: 6bce52c9-2cd1-4916-be2d-7d6214bc5c98 date: '2025-07-09' description: 'Sample of ESXi syslog events ssh being enabled on the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1021/004 +directory: esxi_ssh_enabled +mitre_technique: +- T1021.004 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml index b3e936a27..41a862a15 100644 --- a/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml +++ b/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml @@ -3,9 +3,11 @@ id: 117b7a96-83f5-4de9-9394-be8997bc43f4 date: '2025-07-09' description: 'Sample of ESXi syslog events showing ESXi shell access being enabled.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1021 +directory: esxi_shell_enabled +mitre_technique: +- T1021 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml index d5cfc80ec..9e5de8982 100644 --- a/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml +++ b/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml @@ -3,9 +3,11 @@ id: cf946971-ec10-4792-a697-4b208bc42e7f date: '2025-07-08' description: 'Sample of ESXi syslog events showing reverse shell attempts from the ESXi system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1059 +directory: esxi_reverse_shell +mitre_technique: +- T1059 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml index 632c1456e..c3ba90362 100644 --- a/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml +++ b/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.yml @@ -3,9 +3,11 @@ id: 45640c5f-9ef7-4d93-aa3e-2bc188d0be0a date: '2025-07-30' description: 'Sample of Sysmon events showing execution of commands on a host via VMWare Tools.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/vmtoolsd/vmtoolsd_execution.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059 +directory: vmtoolsd_execution +mitre_technique: +- T1059 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059/vmtoolsd/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml index b1f3f760e..fdf0a2c08 100644 --- a/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml +++ b/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.yml @@ -3,9 +3,11 @@ id: c6e9706c-6d27-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for automatic file deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/automatic_file_deleted/automatic_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: automatic_file_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/automatic_file_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml index d66fab1b3..165bae8f3 100644 --- a/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml +++ b/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.yml @@ -3,9 +3,11 @@ id: e9002aca-6d26-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for bmc file deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/bmc_file_deleted/bmc_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: bmc_file_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/bmc_file_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml index f6f6debea..185978650 100644 --- a/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml +++ b/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_deletion.yml @@ -3,9 +3,11 @@ id: 55943188-6d25-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for rdp deletion in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/rdp_deletion/rdp_file_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: rdp_deletion +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/rdp_deletion/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml index 342bfa271..a252771ef 100644 --- a/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml +++ b/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_reg_deleted.yml @@ -3,9 +3,11 @@ id: 8c2fbcce-6d3b-11f0-86b8-629be3538068 date: '2025-07-30' description: Generated datasets for terminal server reg deleted in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/terminal_server_client_reg_deleted.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://medium.com/@bonguides25/how-to-clear-rdp-connections-history-in-windows-cf0ffb67f344 \ No newline at end of file +directory: terminal_server_reg_deleted +mitre_technique: +- T1070.004 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1070.004/terminal_server_reg_deleted/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml index b5c1411f2..7c91d06e7 100644 --- a/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml +++ b/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml @@ -3,9 +3,11 @@ id: f8571084-93e7-46fc-ae37-7a22e81e57f3 date: '2025-07-09' description: 'Sample of ESXi syslog events showing manipulation of the system clock.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1070 +directory: esxi_system_clock_manipulation +mitre_technique: +- T1070 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml index f29be6cbd..7be4d10db 100644 --- a/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml +++ b/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml @@ -3,9 +3,11 @@ id: ebd8a8a8-e517-43d1-b744-a8260f18ef6e date: '2025-07-08' description: 'Sample of ESXi syslog events showing root logins from an external system.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1078 +directory: esxi_external_root_login +mitre_technique: +- T1078 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml index 966851506..6dee33972 100644 --- a/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml +++ b/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml @@ -3,9 +3,11 @@ id: a61432b5-65c6-4509-b44a-3c176fa00d86 date: '2025-07-09' description: 'Sample of ESXi syslog events showing root logins from multple locations in quick succession.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1078 +directory: esxi_stolen_root_account +mitre_technique: +- T1078 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml index 6782dd4fe..936e47562 100644 --- a/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml +++ b/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml @@ -3,9 +3,11 @@ id: 632f631d-6d62-4bc6-8b6b-c51a9134a016 date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to enumerate system information.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1082 +directory: esxi_system_information +mitre_technique: +- T1082 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml index e562742e6..bc177e973 100644 --- a/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml +++ b/datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml @@ -3,9 +3,11 @@ id: 7ebe0ae9-792a-4da1-aa7d-b338db54edfc date: '2025-07-08' description: 'Sample of ESXi syslog events showing account manipulation of esxi account with malicious intent.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1098/ +directory: esxi_account_modified +mitre_technique: +- T1098 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml index ba8682d40..fb79bfe15 100644 --- a/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml +++ b/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml @@ -3,9 +3,11 @@ id: 6957528c-1167-469f-a982-d03dea0ff09e date: '2025-07-09' description: 'Sample of ESXi syslog events showing account manipulation of esxi account to give it the admin role.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1098/ +directory: esxi_admin_role +mitre_technique: +- T1098 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml index 575295697..8be972666 100644 --- a/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml +++ b/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml @@ -3,9 +3,11 @@ id: 5c239f0f-ec10-4107-b6a0-c9228257e4b1 date: '2025-07-09' description: 'Sample of ESXi syslog events showing an ssh brute force attempt against an ESXi server.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1110 +directory: esxi_ssh_brute_force +mitre_technique: +- T1110 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml index 7f706d0ff..6bc5b5a99 100644 --- a/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml +++ b/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.yml @@ -3,9 +3,11 @@ id: eff617c0-72aa-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for reg profiles private in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/reg_profiles_private/reg_profiles_private.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: reg_profiles_private +mitre_technique: +- T1112 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1112/reg_profiles_private/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml b/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml index f10e33550..0ee4d37b0 100644 --- a/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml +++ b/datasets/attack_techniques/T1204.002/appx/appx_deployment.yml @@ -3,10 +3,15 @@ id: cc912623-efc9-11eb-926b-550bf0943f12 date: '2025-08-07' description: Windows Appx Deployment Server logs environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/appx/windows-appxpackaging.log -sourcetypes: -- XmlWinEventLog -references: -- https://attack.mitre.org/techniques/T1204/002/ +directory: appx_deployment +mitre_technique: +- T1204.002 +datasets: +- name: appx + path: /datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-AppXDeployment-Server +- name: appx + path: /datasets/attack_techniques/T1204.002/appx/windows-appxpackaging.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-AppxPackagingOM \ No newline at end of file diff --git a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml index c0c9c8cbb..0eb7d61e4 100644 --- a/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml +++ b/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_dll_in_temp.yml @@ -3,9 +3,11 @@ id: 76f9a94c-6c63-11f0-89ae-629be3538068 date: '2025-07-29' description: Generated datasets for rundll32 dll in temp in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/ \ No newline at end of file +directory: rundll32_dll_in_temp +mitre_technique: +- T1218.011 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1218.011/rundll32_dll_in_temp/rundll32_tmp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml b/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml index 530f0c923..a647f76ea 100644 --- a/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml +++ b/datasets/attack_techniques/T1505.003/sharepoint_webshell/sharepointshells.yml @@ -3,13 +3,11 @@ id: cb9b2601-efc9-11eb-926b-550bf0943fbb date: '2025-07-20' description: Generation of attack data related to CVE-2025-53770 (ToolShell) showing file creation of the malicious spinstall0.aspx web shell in SharePoint layouts directories. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.003/sharepoint_webshell/sysmon_spinstall0.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: - - https://attack.mitre.org/techniques/T1505/003 - - https://research.eye.security/sharepoint-under-siege/ - - https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/ - - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ - - https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 +directory: sharepoint_webshell +mitre_technique: +- T1505.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1505.003/sharepoint_webshell/sysmon_spinstall0.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml index 48f62eaf5..fcedf5766 100644 --- a/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml +++ b/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml @@ -3,9 +3,11 @@ id: 61568617-ad53-4998-b9aa-88d4114f5330 date: '2025-07-08' description: 'Sample of ESXi syslog events showing attempted forced installation of malicious VIBs' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1505/006 +directory: esxi_malicious_vib_forced_install +mitre_technique: +- T1505.006 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml index a15f7cb4e..cf4485b88 100644 --- a/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml +++ b/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml @@ -3,9 +3,11 @@ id: 2bbe8c66-7262-4e13-b9a0-9d521e5d6305 date: '2025-07-08' description: 'Sample of ESXi syslog events showing commands used for bulk termination of VMs.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1529 +directory: esxi_bulk_vm_termination +mitre_technique: +- T1529 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml index db546b466..9dd1e71c7 100644 --- a/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml +++ b/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml @@ -3,9 +3,11 @@ id: 1ca23917-04c2-41db-b31b-702bcd728737 date: '2025-07-08' description: 'Sample of ESXi syslog events showing tampering of audit settings.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_audit_tampering +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml index fe658dec0..aeebff2a7 100644 --- a/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml +++ b/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml @@ -3,9 +3,11 @@ id: 125f03ca-3a22-4bf7-bb02-4abd338b326e date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to modify the loghost configuration.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_loghost_config_tampering +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml index b0ca5dff3..6f68cf204 100644 --- a/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml +++ b/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml @@ -3,9 +3,11 @@ id: c012bd08-cbdb-49b6-9a0d-acd51b1f1cca date: '2025-07-09' description: 'Sample of ESXi syslog events showing attempts to modify the syslog configuration.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/003 +directory: esxi_syslog_config +mitre_technique: +- T1562.003 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml index 4cc5936b1..4580e1feb 100644 --- a/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml +++ b/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml @@ -3,9 +3,11 @@ id: 39edc074-9898-4de9-8296-45c51b7e18dd date: '2025-07-08' description: 'Sample of ESXi syslog events showing attempts to disable the firewall.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562/004 +directory: esxi_firewall_disabled +mitre_technique: +- T1562.004 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml index 66eed2c50..1b87134bf 100644 --- a/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml +++ b/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml @@ -3,9 +3,11 @@ id: 05d39cf3-abd8-46e3-b775-88935c28fffc date: '2025-07-08' description: 'Sample of ESXi syslog events showing ESXi encryption settings being modified to impair defenses.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_encryption_modified +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml index 72887f93f..13fa2fa37 100644 --- a/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml +++ b/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml @@ -3,9 +3,11 @@ id: 98448462-9f32-47ef-ac24-844bb1c0f1c0 date: '2025-07-08' description: 'Sample of ESXi syslog events showing ESXi lockdown settings being modified to impair defenses.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_lockdown_disabled +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml index 1c4f027ef..f04b42ade 100644 --- a/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml +++ b/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: 2440ce36-e445-4b34-8591-12afd1f8c884 date: '2025-07-09' -description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels." +description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1562 +directory: esxi_vib_acceptance_level_tampering +mitre_technique: +- T1562 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1567/gdrive/gdrive.yml b/datasets/attack_techniques/T1567/gdrive/gdrive.yml index b4ba961d0..ee375914f 100644 --- a/datasets/attack_techniques/T1567/gdrive/gdrive.yml +++ b/datasets/attack_techniques/T1567/gdrive/gdrive.yml @@ -3,11 +3,15 @@ id: 9c1ebd7e-b293-4238-98ff-4ecef8444cdb date: '2025-08-01' description: Simulate usage of the gdrive binary to interact with Google Drive. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_windows.log -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/gdrive/gdrive_linux.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -- Syslog:Linux-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1567/ +directory: gdrive +mitre_technique: +- T1567 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1567/gdrive/gdrive_windows.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: sysmon_linux + path: /datasets/attack_techniques/T1567/gdrive/gdrive_linux.log + sourcetype: sysmon:linux + source: Syslog:Linux-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml b/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml index 4003ae344..ae3c41eb4 100644 --- a/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml +++ b/datasets/attack_techniques/T1574.001/firewall_api_path/firewall_api_path.yml @@ -3,9 +3,11 @@ id: e90865ba-72ac-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for firewall api path in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: firewall_api_path +mitre_technique: +- T1574.001 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1574.001/firewall_api_path/firewallapi_temp.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml index 9d7b9c3b1..5129c0179 100644 --- a/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml +++ b/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml @@ -3,9 +3,11 @@ id: a398a202-5b62-4043-9286-647fde220dca date: '2025-07-08' description: 'Sample of ESXi syslog events showing dormant VMs being activated.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1584 +directory: esxi_dormant_vm_started +mitre_technique: +- T1584 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml b/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml index 581b8db30..59ae7c3aa 100644 --- a/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml +++ b/datasets/attack_techniques/T1587.003/add_store_cert/add_store_cert.yml @@ -3,9 +3,11 @@ id: 28f730ce-72ae-11f0-9625-629be3538068 date: '2025-08-06' description: Generated datasets for add store cert in attack range. environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.microsoft.com/en-us/security/blog/2025/07/31/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats/ \ No newline at end of file +directory: add_store_cert +mitre_technique: +- T1587.003 +datasets: +- name: sysmon + path: /datasets/attack_techniques/T1587.003/add_store_cert/addstore_cert.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml index 261e8853e..4cb056777 100644 --- a/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml +++ b/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml @@ -3,9 +3,11 @@ id: 39edc074-9898-4de9-8296-45c51b7e18dd date: '2025-07-08' description: 'Sample of ESXi syslog events showing failed attempts to install malicious VIBs.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1601/001 +directory: esxi_download_errors +mitre_technique: +- T1601.001 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file diff --git a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml index 0a876e68e..531c2cc19 100644 --- a/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml +++ b/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml @@ -1,11 +1,13 @@ author: Raven Tait, Splunk id: d3f26d3a-3ae5-4e3d-a9b3-567622b6fb1d date: '2025-07-09' -description: 'Sample of ESXi syslog events VM discovery commands." +description: 'Sample of ESXi syslog events VM discovery commands.' environment: custom -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log -sourcetypes: -- vmw-syslog -references: -- https://attack.mitre.org/techniques/T1673 +directory: esxi_vm_discovery +mitre_technique: +- T1673 +datasets: +- name: vmw-syslog + path: /datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log + sourcetype: vmw-syslog + source: vmw-syslog \ No newline at end of file From 757f9ceaf6b60f5f6deda176650b634bc371dd81 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 19 Aug 2025 12:24:21 +0200 Subject: [PATCH 14/18] validate improvements --- .github/workflows/validate-changed-files.yml | 164 ------------------- .github/workflows/validate-pr.yml | 69 -------- .github/workflows/validate-push.yml | 72 -------- .github/workflows/validate.yml | 124 ++++++++++++++ 4 files changed, 124 insertions(+), 305 deletions(-) delete mode 100644 .github/workflows/validate-changed-files.yml delete mode 100644 .github/workflows/validate-pr.yml delete mode 100644 .github/workflows/validate-push.yml create mode 100644 .github/workflows/validate.yml diff --git a/.github/workflows/validate-changed-files.yml b/.github/workflows/validate-changed-files.yml deleted file mode 100644 index da1d6ca81..000000000 --- a/.github/workflows/validate-changed-files.yml +++ /dev/null @@ -1,164 +0,0 @@ -name: Validate Changed Attack Data Files - -on: - pull_request: - branches: [ master, main ] - types: [opened, synchronize, reopened] - paths: - - 'datasets/**/*.yml' - - 'datasets/**/*.yaml' - -jobs: - validate-changed-files: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - lfs: true - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - cache: 'pip' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r bin/requirements.txt - - - name: Get changed YAML files - id: changed-files - uses: tj-actions/changed-files@v41 - with: - files: | - datasets/**/*.yml - datasets/**/*.yaml - separator: "," - - - name: Validate changed YAML files - if: steps.changed-files.outputs.any_changed == 'true' - run: | - echo "Changed YAML files:" - echo "${{ steps.changed-files.outputs.all_changed_files }}" - - # Create a temporary script to validate only changed files - cat > validate_changed.py << 'EOF' - #!/usr/bin/env python3 - import sys - import os - sys.path.insert(0, os.path.join(os.path.dirname(__file__), 'bin')) - - from validate import load_yaml_schema, validate_yaml_file - from pathlib import Path - - # Get changed files from environment - changed_files = os.environ.get('CHANGED_FILES', '').split(',') - changed_files = [f.strip() for f in changed_files if f.strip()] - - if not changed_files: - print("No changed YAML files to validate") - sys.exit(0) - - # Load schema - schema = load_yaml_schema() - - total_files = len(changed_files) - valid_files = 0 - invalid_files = 0 - failed_validations = [] - - print(f"Validating {total_files} changed YAML file(s)...") - print("-" * 60) - - for file_path in changed_files: - yaml_file = Path(file_path) - if not yaml_file.exists(): - print(f"⚠️ File not found (may have been deleted): {yaml_file}") - continue - - print(f"\nValidating: {yaml_file}") - errors = validate_yaml_file(yaml_file, schema) - - if errors: - invalid_files += 1 - print(f"❌ INVALID - {len(errors)} error(s):") - for error in errors: - print(f" • {error}") - failed_validations.append((yaml_file, errors)) - else: - valid_files += 1 - print("✅ VALID") - - # Print summary - print("\n" + "=" * 60) - print("VALIDATION SUMMARY") - print("=" * 60) - print(f"Total files processed: {valid_files + invalid_files}") - print(f"Valid files: {valid_files}") - print(f"Invalid files: {invalid_files}") - - if invalid_files > 0: - print(f"\n❌ {invalid_files} file(s) failed validation!") - sys.exit(1) - else: - print("\n✅ All changed files passed validation!") - EOF - - # Run validation on changed files - CHANGED_FILES="${{ steps.changed-files.outputs.all_changed_files }}" python validate_changed.py - env: - PYTHONPATH: ${{ github.workspace }}/bin - - - name: No YAML files changed - if: steps.changed-files.outputs.any_changed == 'false' - run: | - echo "No YAML files were changed in this PR. Skipping validation." - - - name: Comment PR on validation failure - if: failure() && steps.changed-files.outputs.any_changed == 'true' - uses: actions/github-script@v7 - with: - script: | - const { owner, repo, number } = context.issue; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: number, - body: `❌ **Changed Files Validation Failed** - - The following changed YAML files in this PR do not pass validation: - - \`\`\` - ${{ steps.changed-files.outputs.all_changed_files }} - \`\`\` - - Please check the workflow logs for detailed error messages and fix the issues before merging. - - [View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})` - }); - - - name: Comment PR on validation success - if: success() && steps.changed-files.outputs.any_changed == 'true' - uses: actions/github-script@v7 - with: - script: | - const { owner, repo, number } = context.issue; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: number, - body: `✅ **Changed Files Validation Passed** - - All changed YAML files in this PR have been successfully validated: - - \`\`\` - ${{ steps.changed-files.outputs.all_changed_files }} - \`\`\` - - Ready for review and merge! 🚀` - }); - diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml deleted file mode 100644 index 578ebe158..000000000 --- a/.github/workflows/validate-pr.yml +++ /dev/null @@ -1,69 +0,0 @@ -name: Validate Attack Data on PR - -on: - pull_request: - branches: [ master, main ] - types: [opened, synchronize, reopened] - paths: - - 'datasets/**/*.yml' - - 'datasets/**/*.yaml' - - 'bin/validate.py' - - 'bin/dataset_schema.json' - - 'bin/requirements.txt' - -jobs: - validate-attack-data: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - # Fetch full history for proper validation - fetch-depth: 0 - lfs: true - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - cache: 'pip' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r bin/requirements.txt - - - name: Validate YAML files - run: | - cd bin - python validate.py ../datasets - env: - PYTHONPATH: ${{ github.workspace }}/bin - - - name: Comment PR on failure - if: failure() - uses: actions/github-script@v7 - with: - script: | - const { owner, repo, number } = context.issue; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: number, - body: '❌ **Attack Data Validation Failed**\n\nThe YAML files in this PR do not pass validation. Please check the workflow logs for detailed error messages and fix the issues before merging.\n\n[View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - }); - - - name: Comment PR on success - if: success() - uses: actions/github-script@v7 - with: - script: | - const { owner, repo, number } = context.issue; - await github.rest.issues.createComment({ - owner, - repo, - issue_number: number, - body: '✅ **Attack Data Validation Passed**\n\nAll YAML files in this PR have been successfully validated against the schema.' - }); - diff --git a/.github/workflows/validate-push.yml b/.github/workflows/validate-push.yml deleted file mode 100644 index e81a1925c..000000000 --- a/.github/workflows/validate-push.yml +++ /dev/null @@ -1,72 +0,0 @@ -name: Validate Attack Data on Push - -on: - push: - branches: [ master, main ] - paths: - - 'datasets/**/*.yml' - - 'datasets/**/*.yaml' - - 'bin/validate.py' - - 'bin/dataset_schema.json' - - 'bin/requirements.txt' - -jobs: - validate-attack-data: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - lfs: true - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - cache: 'pip' - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install -r bin/requirements.txt - - - name: Validate YAML files - run: | - cd bin - python validate.py ../datasets - env: - PYTHONPATH: ${{ github.workspace }}/bin - - - name: Create issue on validation failure - if: failure() - uses: actions/github-script@v7 - with: - script: | - const title = `🚨 Attack Data Validation Failed - ${new Date().toISOString().split('T')[0]}`; - const body = `**Validation failed on push to ${context.ref}** - - Commit: ${context.sha} - - The YAML files in the datasets directory do not pass validation. This indicates that invalid data has been merged into the main branch. - - **Action Required:** - 1. Review the [failed workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) - 2. Fix the validation errors - 3. Create a hotfix PR to resolve the issues - - **Files that may be affected:** - - datasets/**/*.yml - - datasets/**/*.yaml - - bin/validate.py - - bin/dataset_schema.json - `; - - await github.rest.issues.create({ - owner: context.repo.owner, - repo: context.repo.repo, - title: title, - body: body, - labels: ['bug', 'validation-failure', 'high-priority'] - }); - diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 000000000..1718bd040 --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,124 @@ +name: Validate Attack Data + +on: + pull_request: + branches: [ master, main ] + types: [opened, synchronize, reopened] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + push: + branches: [ master, main ] + paths: + - 'datasets/**/*.yml' + - 'datasets/**/*.yaml' + - 'bin/validate.py' + - 'bin/dataset_schema.json' + - 'bin/requirements.txt' + +jobs: + validate-attack-data: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + lfs: true + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.9' + cache: 'pip' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -r bin/requirements.txt + + # Validate all YAML files + - name: Validate all YAML files + run: | + python bin/validate.py + env: + PYTHONPATH: ${{ github.workspace }}/bin + + # PR-specific success/failure handling + - name: Comment PR on validation failure + if: failure() && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + + const body = `❌ **Attack Data Validation Failed** + + The YAML files in this PR do not pass validation. Please check the workflow logs for detailed error messages and fix the issues before merging. + + [View workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})`; + + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: body + }); + + - name: Comment PR on validation success + if: success() && github.event_name == 'pull_request' + uses: actions/github-script@v7 + with: + script: | + const { owner, repo, number } = context.issue; + + const body = `✅ **Attack Data Validation Passed** + + All YAML files in this PR have been successfully validated against the schema. + + Ready for review and merge! 🚀`; + + await github.rest.issues.createComment({ + owner, + repo, + issue_number: number, + body: body + }); + + # Push-specific failure handling (create issue) + - name: Create issue on validation failure (Push) + if: failure() && github.event_name == 'push' + uses: actions/github-script@v7 + with: + script: | + const title = `🚨 Attack Data Validation Failed - ${new Date().toISOString().split('T')[0]}`; + const body = `**Validation failed on push to ${context.ref}** + + Commit: ${context.sha} + + The YAML files in the datasets directory do not pass validation. This indicates that invalid data has been merged into the main branch. + + **Action Required:** + 1. Review the [failed workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) + 2. Fix the validation errors + 3. Create a hotfix PR to resolve the issues + + **Files that may be affected:** + - datasets/**/*.yml + - datasets/**/*.yaml + - bin/validate.py + - bin/dataset_schema.json + `; + + await github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: title, + body: body, + labels: ['bug', 'validation-failure', 'high-priority'] + }); + + From 8ea9fef99c9f13fb6fefda44c6301eaa9f732739 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 19 Aug 2025 12:34:52 +0200 Subject: [PATCH 15/18] bug fixes --- .github/workflows/validate.yml | 5 +++++ bin/validate.py | 41 +++++++++++++++++++++------------- 2 files changed, 31 insertions(+), 15 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 1718bd040..e0d6a6a5b 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -19,6 +19,11 @@ on: - 'bin/dataset_schema.json' - 'bin/requirements.txt' +permissions: + contents: read + issues: write + pull-requests: write + jobs: validate-attack-data: runs-on: ubuntu-latest diff --git a/bin/validate.py b/bin/validate.py index 398a4ab38..38e67b146 100644 --- a/bin/validate.py +++ b/bin/validate.py @@ -181,7 +181,8 @@ def parse_arguments(): formatter_class=argparse.RawDescriptionHelpFormatter, epilog=""" Examples: - %(prog)s # Validate files in the default 'datasets' directory + %(prog)s # Validate files in default 'datasets' dir (failures only) + %(prog)s -v # Validate with verbose output (show all files) %(prog)s /path/to/data # Validate files in a specific directory %(prog)s ../other_datasets # Validate files in a relative path """ @@ -194,6 +195,12 @@ def parse_arguments(): help='Directory to search for YAML files (default: datasets)' ) + parser.add_argument( + '-v', '--verbose', + action='store_true', + help='Show validation results for all files (default: only show failures)' + ) + return parser.parse_args() @@ -239,7 +246,8 @@ def main(): return print(f"Found {len(yaml_files)} YAML files to validate...") - print("-" * 60) + if args.verbose: + print("-" * 60) total_files = len(yaml_files) valid_files = 0 @@ -254,20 +262,22 @@ def main(): except ValueError: relative_path = yaml_file.relative_to(input_dir) - print(f"\nValidating: {relative_path}") - errors = validate_yaml_file(yaml_file, schema) if errors: invalid_files += 1 - print(f"❌ INVALID - {len(errors)} error(s):") + # Always show failures + print(f"\n❌ INVALID: {relative_path}") + print(f" {len(errors)} error(s):") for error in errors: print(f" • {error}") # Store failed validation details failed_validations.append((relative_path, errors)) else: valid_files += 1 - print("✅ VALID") + # Only show valid files in verbose mode + if args.verbose: + print(f"\n✅ VALID: {relative_path}") # Print summary print("\n" + "=" * 60) @@ -280,15 +290,16 @@ def main(): if invalid_files > 0: print(f"\n❌ {invalid_files} file(s) failed validation!") - # Print detailed failed validations at the end - print("\n" + "=" * 60) - print("FAILED VALIDATIONS") - print("=" * 60) - for file_path, errors in failed_validations: - print(f"\n📁 {file_path}") - print("-" * 40) - for i, error in enumerate(errors, 1): - print(f"{i}. {error}") + # In verbose mode, also print detailed failed validations at the end + if args.verbose and failed_validations: + print("\n" + "=" * 60) + print("FAILED VALIDATIONS SUMMARY") + print("=" * 60) + for file_path, errors in failed_validations: + print(f"\n📁 {file_path}") + print("-" * 40) + for i, error in enumerate(errors, 1): + print(f"{i}. {error}") sys.exit(1) else: From a845871ff0ead4887dda4c8b2c490b606f807b57 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 19 Aug 2025 12:43:58 +0200 Subject: [PATCH 16/18] bug fixes --- .../msix_powershell/msix_powershell.yml | 16 ++++++++-------- .../T1218/msix_ai_stubs/msix_ai_stubs.yml | 15 ++++++++------- .../T1553.005/msix_unsigned/msix_unsigned.yml | 16 ++++++++-------- 3 files changed, 24 insertions(+), 23 deletions(-) diff --git a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml index 9219e5bbc..8ef9a74d7 100644 --- a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml +++ b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml @@ -3,11 +3,11 @@ id: 3f9b2623-abd5-11eb-926b-120zf0943f11 date: '2023-06-22' description: PowerShell execution from MSIX packages and WindowsApps directory environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1059.001/msix_powershell/windows-sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1059/001 -- https://redcanary.com/blog/threat-intelligence/msix-installers/ -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_powershell +mitre_technique: +- T1059.001 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1059.001/msix_powershell/windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml index 4ed9fedc3..f28c13bef 100644 --- a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml +++ b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml @@ -3,10 +3,11 @@ id: kk9b2623-abd5-11eb-926b-120zf0943f11 date: '2023-05-15' description: MSIX AI_STUBS execution detection for malicious installer packages environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1218/msix_ai_stubs/windows_sysmon.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational -references: -- https://attack.mitre.org/techniques/T1218 -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_ai_stubs +mitre_technique: +- T1218 +datasets: +- name: windows-sysmon + path: /datasets/attack_techniques/T1218/msix_ai_stubs/windows_sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational \ No newline at end of file diff --git a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml index 748cd8f23..06808bc99 100644 --- a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml +++ b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml @@ -3,11 +3,11 @@ id: 4f9b2623-abd5-11eb-926b-120zf0943f22 date: '2023-06-22' description: Detection of unsigned MSIX package installation using PowerShell environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1553.005/msix_unsigned/windows-powershell.log -sourcetypes: -- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational -references: -- https://attack.mitre.org/techniques/T1553/005 -- https://redcanary.com/blog/threat-intelligence/msix-installers/ -- https://redcanary.com/threat-detection-report/techniques/installer-packages/ +directory: msix_unsigned +mitre_technique: +- T1553.005 +datasets: +- name: windows-powershell + path: /datasets/attack_techniques/T1553.005/msix_unsigned/windows-powershell.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational \ No newline at end of file From e78087b9d2ec3c348572ccb6a58a340fb5540534 Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 19 Aug 2025 13:26:28 +0200 Subject: [PATCH 17/18] updates --- .github/VALIDATION_WORKFLOWS.md | 245 -------------------------- .github/validate_dataset_ymls.py | 46 ----- .github/workflows/required-checks.yml | 59 ------- .github/workflows/validate.yml | 6 - datasets/TEMPLATE.yml | 27 ++- 5 files changed, 12 insertions(+), 371 deletions(-) delete mode 100644 .github/VALIDATION_WORKFLOWS.md delete mode 100644 .github/validate_dataset_ymls.py delete mode 100644 .github/workflows/required-checks.yml diff --git a/.github/VALIDATION_WORKFLOWS.md b/.github/VALIDATION_WORKFLOWS.md deleted file mode 100644 index eb2f23dca..000000000 --- a/.github/VALIDATION_WORKFLOWS.md +++ /dev/null @@ -1,245 +0,0 @@ -# Attack Data Validation Workflows - -This document explains the GitHub Actions workflows that automatically validate attack data YAML files on every pull request and push to ensure data quality and consistency. - -## Overview - -The validation system consists of four main workflows that work together to ensure all attack data meets the required schema and quality standards: - -1. **validate-pr.yml** - Full validation on all PRs -2. **validate-changed-files.yml** - Optimized validation for only changed files -3. **validate-push.yml** - Validation on pushes to main branches -4. **required-checks.yml** - Status checks and YAML linting - -## Workflows Description - -### 1. Validate Attack Data on PR (`validate-pr.yml`) - -**Triggers:** Pull requests to `master` or `main` branches -**Purpose:** Comprehensive validation of all dataset YAML files - -**Features:** -- Runs on PR open, synchronize, and reopen events -- Validates all YAML files in the `datasets/` directory -- Uses the validation script at `bin/validate.py` -- Comments on PR with success/failure status -- Only triggers when relevant files are changed - -**Path filters:** -- `datasets/**/*.yml` -- `datasets/**/*.yaml` -- `bin/validate.py` -- `bin/dataset_schema.json` -- `bin/requirements.txt` - -### 2. Validate Changed Attack Data Files (`validate-changed-files.yml`) - -**Triggers:** Pull requests to `master` or `main` branches -**Purpose:** Fast validation of only changed YAML files - -**Features:** -- Optimized for performance - only validates changed files -- Uses `tj-actions/changed-files` to detect modifications -- Provides detailed feedback on which files passed/failed -- Automatically skips if no YAML files were changed -- Comments on PR with detailed results - -**Benefits:** -- Faster execution for large repositories -- Clear visibility into which specific files have issues -- Reduces CI/CD time for PRs with few changes - -### 3. Validate Attack Data on Push (`validate-push.yml`) - -**Triggers:** Pushes to `master` or `main` branches -**Purpose:** Safety net to catch validation failures that reach main branches - -**Features:** -- Validates all dataset files after merge -- Creates GitHub issues automatically if validation fails -- Provides detailed error reporting -- Labels issues with appropriate tags for triage - -**Issue Creation:** -- Creates issues labeled with `bug`, `validation-failure`, `high-priority` -- Includes commit hash and workflow run links -- Provides action items for resolution - -### 4. Required Status Checks (`required-checks.yml`) - -**Triggers:** Pull requests to `master` or `main` branches -**Purpose:** Enforce validation requirements and provide additional checks - -**Features:** -- Basic YAML syntax linting with `yamllint` -- Status check requirement enforcement -- Configuration for branch protection rules - -## Setup Instructions - -### 1. Branch Protection Rules - -To enforce these validations, configure branch protection rules in your GitHub repository: - -1. Go to **Settings** → **Branches** -2. Add a rule for your main branch (`master` or `main`) -3. Enable **Require status checks to pass before merging** -4. Add these required status checks: - - `validate-attack-data` (from validate-pr.yml) - - `validate-changed-files` (from validate-changed-files.yml) - - `validation-status` (from required-checks.yml) - - `yaml-lint` (from required-checks.yml) - -### 2. Repository Secrets - -No additional secrets are required for the validation workflows. They use the default `GITHUB_TOKEN` for commenting on PRs and creating issues. - -### 3. Dependencies - -The workflows automatically install Python dependencies from `bin/requirements.txt`: -- `pyyaml` -- `jsonschema` -- Other dependencies as needed - -## Validation Rules - -The validation process checks: - -### Schema Validation -- All YAML files must conform to the JSON schema in `bin/dataset_schema.json` -- Required fields must be present and properly formatted -- Data types must match schema specifications - -### Custom Validations -- **UUID Format**: The `id` field must be a valid UUID -- **Date Format**: The `date` field must follow YYYY-MM-DD format -- **File Naming**: Template files and files with 'old' in the name are excluded - -### YAML Syntax -- Valid YAML syntax -- Proper indentation (2 spaces) -- Line length limits (120 characters) -- Consistent formatting - -## Workflow Outputs - -### Success Scenarios -- ✅ PR comments indicating successful validation -- ✅ Green status checks in PR interface -- ✅ Detailed file-by-file validation results - -### Failure Scenarios -- ❌ PR comments with error details -- ❌ Failed status checks blocking merge -- 🚨 Automatic issue creation for main branch failures -- 📝 Detailed error logs in workflow runs - -## Troubleshooting - -### Common Issues - -1. **Schema Validation Errors** - - Check that all required fields are present - - Verify field data types match schema - - Ensure proper YAML formatting - -2. **UUID Format Errors** - - Generate valid UUIDs using tools like `uuidgen` - - Ensure no extra characters or formatting - -3. **Date Format Errors** - - Use YYYY-MM-DD format (e.g., 2024-01-15) - - Avoid time components or other formats - -4. **YAML Syntax Errors** - - Use a YAML validator or linter - - Check indentation (use spaces, not tabs) - - Verify string quoting when needed - -### Debugging Workflows - -1. **Check Workflow Logs** - - Go to Actions tab in GitHub - - Click on the failed workflow run - - Review step-by-step execution logs - -2. **Local Testing** - ```bash - cd bin - python validate.py ../datasets - ``` - -3. **File-Specific Testing** - ```bash - cd bin - python validate.py path/to/specific/file.yml - ``` - -## Best Practices - -### For Contributors - -1. **Test Locally First** - - Run validation script before pushing - - Use the same schema and validation rules - -2. **Keep Changes Small** - - Smaller PRs are easier to validate and review - - Changed-files workflow provides faster feedback - -3. **Follow Schema Requirements** - - Always include required fields - - Use proper data types and formats - - Reference schema documentation - -### For Maintainers - -1. **Monitor Validation Health** - - Review failed workflows regularly - - Update schema as requirements evolve - - Keep dependencies updated - -2. **Branch Protection** - - Enforce status checks on main branches - - Require reviews in addition to validation - - Consider additional quality gates - -3. **Issue Triage** - - Address validation failures on main branches quickly - - Create hotfix procedures for critical issues - - Maintain schema documentation - -## Files Structure - -``` -.github/ -├── workflows/ -│ ├── validate-pr.yml # Full PR validation -│ ├── validate-changed-files.yml # Changed files validation -│ ├── validate-push.yml # Push validation -│ └── required-checks.yml # Status checks & linting -└── VALIDATION_WORKFLOWS.md # This documentation - -bin/ -├── validate.py # Main validation script -├── dataset_schema.json # JSON schema definition -└── requirements.txt # Python dependencies - -datasets/ # Attack data files -└── **/*.yml, **/*.yaml # Files to validate -``` - -## Support - -For issues with validation workflows: - -1. Check this documentation first -2. Review workflow logs in GitHub Actions -3. Test validation locally using the `validate.py` script -4. Create an issue if problems persist - -For schema-related questions: -- Review `bin/dataset_schema.json` -- Check existing valid examples in `datasets/` -- Refer to attack data documentation - diff --git a/.github/validate_dataset_ymls.py b/.github/validate_dataset_ymls.py deleted file mode 100644 index 45b7f1b2c..000000000 --- a/.github/validate_dataset_ymls.py +++ /dev/null @@ -1,46 +0,0 @@ -import datetime -import pathlib -import sys -from enum import StrEnum, auto -from uuid import UUID - -from pydantic import BaseModel, Field, HttpUrl - - -class Environment(StrEnum): - attack_range = auto() - - -class AttackDataYml(BaseModel): - author: str = Field(..., min_length=5) - id: UUID - date: datetime.date - description: str = Field(..., min_length=5) - environment: Environment - dataset: list[HttpUrl] = Field(..., min_length=1) - sourcetypes: list[str] = Field(..., min_length=1) - references: list[HttpUrl] = Field(..., min_length=1) - - -# Get all of the yml files in the datasets folder -datasets_root = pathlib.Path("datasets/") - - -# We only permit certain filetypes to be present in this directory. -# This is to avoid the inclusion of unsupported file types and to -# assist in the validation of the YML files -ALLOWED_SUFFIXES = [".yml", ".log", ".json"] -SPECIAL_GIT_GILES = ".gitkeep" -bad_files = [ - name - for name in datasets_root.glob(r"**/*.*") - if name.is_file() - and not (name.suffix in ALLOWED_SUFFIXES or name.name == SPECIAL_GIT_GILES) -] - -if len(bad_files) > 0: - print( - f"Error, the following files were found in the {datasets_root} folder. Only files ending in {ALLOWED_SUFFIXES} or {SPECIAL_GIT_GILES} are allowed:" - ) - print("\n".join([str(f) for f in bad_files])) - sys.exit(1) diff --git a/.github/workflows/required-checks.yml b/.github/workflows/required-checks.yml deleted file mode 100644 index 378f6d020..000000000 --- a/.github/workflows/required-checks.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Required Status Checks - -on: - pull_request: - branches: [ master, main ] - types: [opened, synchronize, reopened] - -jobs: - # This job ensures all validation workflows are required for PRs - validation-status: - runs-on: ubuntu-latest - steps: - - name: Check validation status - run: | - echo "This workflow ensures that all validation checks are required for PR merging." - echo "Required workflows:" - echo " ✅ Validate Attack Data on PR" - echo " ✅ Validate Changed Attack Data Files" - echo "" - echo "This job will always pass, but the other validation workflows must complete successfully." - echo "Configure branch protection rules to require these status checks before merging." - - # Lint YAML syntax (basic check) - yaml-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - - - name: Install yamllint - run: pip install yamllint - - - name: Lint YAML files - run: | - # Create a yamllint configuration - cat > .yamllint.yml << 'EOF' - extends: default - rules: - line-length: - max: 120 - indentation: - spaces: 2 - comments: - min-spaces-from-content: 1 - document-start: disable - truthy: disable - EOF - - # Find and lint all YAML files in datasets - find datasets -name "*.yml" -o -name "*.yaml" | while read file; do - echo "Linting: $file" - yamllint -c .yamllint.yml "$file" - done - diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index e0d6a6a5b..acce3ce87 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -110,12 +110,6 @@ jobs: 1. Review the [failed workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) 2. Fix the validation errors 3. Create a hotfix PR to resolve the issues - - **Files that may be affected:** - - datasets/**/*.yml - - datasets/**/*.yaml - - bin/validate.py - - bin/dataset_schema.json `; await github.rest.issues.create({ diff --git a/datasets/TEMPLATE.yml b/datasets/TEMPLATE.yml index 2ac949fc5..dc17bb454 100644 --- a/datasets/TEMPLATE.yml +++ b/datasets/TEMPLATE.yml @@ -1,16 +1,13 @@ -# Template for creating dataset.yml -author: Patrick Bareiss -description: Credential Dumping attempt via LSASS, specifically those launched - by Atomic Red Team using Windows Credential Editor, ProcDump, comsvcs.dll, - direct system calls and API unhooking, Windows Task Manager, Mimikatz and finally pypykatz. +author: Author Name +id: cc9b25d6-efc9-11eb-926b-550bf0943fbb +date: '2022-01-12' +description: 'Describe the dataset and what techniques/tests were executed here' environment: attack_range -technique: T1003.001 -dataset: - - https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1003.001/attack_data.json - - https://attack-range-attack-data.s3-us-west-2.amazonaws.com/T1003.001/attack_data.tar.gz -references: - - https://attack.mitre.org/techniques/T1003/001/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md - - https://github.com/splunk/security-content/blob/develop/tests/T1003_001.yml -sourcetypes: 'Microsoft-Windows-Sysmon/Operational' -date: '2020-07-21' +directory: your_directory_name +mitre_technique: +- T1XXX.XXX +datasets: +- name: dataset_name + path: /datasets/attack_techniques/T1XXX.XXX/directory/dataset_file.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational From 99a81fb29cf69e357cd8c304fe4e3bf96221d7bc Mon Sep 17 00:00:00 2001 From: Patrick Bareiss Date: Tue, 19 Aug 2025 13:28:12 +0200 Subject: [PATCH 18/18] bug fixes --- .../T1059.001/msix_powershell/msix_powershell.yml | 2 +- .../attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml | 2 +- .../attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml index 8ef9a74d7..ff7bd1bfa 100644 --- a/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml +++ b/datasets/attack_techniques/T1059.001/msix_powershell/msix_powershell.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: 3f9b2623-abd5-11eb-926b-120zf0943f11 +id: 05ee5a71-724f-4386-86de-746f9ba957fd date: '2023-06-22' description: PowerShell execution from MSIX packages and WindowsApps directory environment: attack_range diff --git a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml index f28c13bef..3e8656622 100644 --- a/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml +++ b/datasets/attack_techniques/T1218/msix_ai_stubs/msix_ai_stubs.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: kk9b2623-abd5-11eb-926b-120zf0943f11 +id: 2ab56d32-5936-40cb-8903-eab35d4fa4c8 date: '2023-05-15' description: MSIX AI_STUBS execution detection for malicious installer packages environment: attack_range diff --git a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml index 06808bc99..976066e8a 100644 --- a/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml +++ b/datasets/attack_techniques/T1553.005/msix_unsigned/msix_unsigned.yml @@ -1,5 +1,5 @@ author: Michael Haag -id: 4f9b2623-abd5-11eb-926b-120zf0943f22 +id: ebbe603c-a8e9-4d36-8c73-3bda679b4280 date: '2023-06-22' description: Detection of unsigned MSIX package installation using PowerShell environment: attack_range