diff --git a/README.md b/README.md index a997088a..c356baf7 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,9 @@ A Repository of curated datasets from various attacks to: * [Replay](#replay-datasets-) into streaming pipelines for validating your detections in your production SIEM # Installation +Notes: +* These steps are inteded to be ran on your actual Splunk host/server (not remotely) + GitHub LFS is used in this project. For Mac users git-lfs can be derived with homebrew (for another OS click [here](https://github.com/git-lfs/git-lfs/wiki/Installation)): ```` diff --git a/attack_data_service/requirements.txt b/attack_data_service/requirements.txt index 82e61eb0..5ceaaaee 100644 --- a/attack_data_service/requirements.txt +++ b/attack_data_service/requirements.txt @@ -9,7 +9,7 @@ azure-core==1.17.0 azure-identity==1.7.0 azure-mgmt-compute==18.2.0 azure-mgmt-core==1.3.0 -azure-mgmt-network==17.1.0 +azure-mgmt-network==25.1.0 azure-mgmt-resource==19.0.0 bcrypt==3.2.0 boto3==1.20.17 @@ -35,7 +35,7 @@ jmespath==0.10.0 lockfile==0.12.2 MarkupSafe==2.1.3 mock==4.0.3 -more-itertools==8.8.0 +more-itertools==10.1.0 mysql-connector-python==8.0.29 nodeenv==1.6.0 ntlm-auth==1.5.0 @@ -52,7 +52,7 @@ psutil==5.8.0 ptyprocess==0.7.0 py==1.11.0 pycparser==2.20 -PyGithub==1.54.1 +PyGithub==2.1.1 PyJWT==1.7.1 PyNaCl==1.4.0 pyparsing==2.4.7 diff --git a/bin/replay.yml b/bin/replay.yml index 9c2ff324..e6c45057 100644 --- a/bin/replay.yml +++ b/bin/replay.yml @@ -7,7 +7,7 @@ splunk: datasets: #name of data set to replay - name: T1003.002_windows_security -# relative path of raw file +# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log # splunk parameters to pass replay_parameters: diff --git a/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log b/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log index c184c5ac..0efc5ab2 100644 
--- a/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
+++ b/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f910a5ffc119526effae8b946912c2962e985106cec54d3785169a59c78ca163
-size 11495
+oid sha256:2a82e3fb0c04c8a1b0ce6ec19f399f0ac96977ab273bec97e6496da3c7880d79
+size 20552
diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
new file mode 100644
index 00000000..c5e3ab49
--- /dev/null
+++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:498b62af6fe8753e73d8973e4ff843aef2efca7a59d346d779d4258fddb258cb
+size 125338
diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml
new file mode 100644
index 00000000..61627d00
--- /dev/null
+++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml
@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 8c54662e-a3c8-456c-a8bb-928e6c13b641
+date: '2024-5-3'
+description: 'Some simple T1036.003 and T1036.005 tests using moved/renamed cmd.exe'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
+sourcetypes:
+- xmlwineventlog
+references:
+- https://attack.mitre.org/techniques/T1036/
+- https://attack.mitre.org/techniques/T1036/003/
+- https://attack.mitre.org/techniques/T1036/005/
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log b/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log
new file mode 100644
index 00000000..0ccde577
--- /dev/null
+++ b/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log
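Review bot: `date: '2024-5-3'` in cmd_lolbas_usage.yml is not zero-padded, unlike the ISO dates used by the other descriptors in this diff (`'2024-07-30'`, `'2024-07-24'`), so anything that sorts or parses these dates will treat it differently; write `date: '2024-05-03'`. The same non-padded form appears in o365_azure_workload_events.yml (`'2024-4-13'`) and ntlm_bruteforce.yml (`'2024-2-19'`). The sourcetype `xmlwineventlog` is lower-case and carries no channel, whereas sibling descriptors use values such as `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`; if the replay tooling passes this value through verbatim, the events may land under a sourcetype the detections do not expect — confirm against the log content. The file also ends without a trailing newline.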
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e00a8337a291b0a901b1f4c1cc03b138fc66ef9b7077722bfb01ab69e1611fd5
+size 13
diff --git a/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml
new file mode 100644
index 00000000..cb8540db
--- /dev/null
+++ b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 2ae6cf24-4e89-11ef-a7ff-acde48001122
+date: '2024-07-30'
+description: Generated datasets for open dns port in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log
+sourcetypes:
+- 'openPorts'
+references:
+- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log b/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log
new file mode 100644
index 00000000..1686da4a
--- /dev/null
+++ b/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae52bc1f3ed37353bcd70257efc798598ecd28230771debc17fa0c49fb641803
+size 135
diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml
new file mode 100644
index 00000000..3eabc65d
--- /dev/null
+++ b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml
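Review bot: open_dns_port.yml points at linux_dns_openports.log, whose LFS pointer in the preceding hunk records `size 13`; thirteen bytes is unusually small for a log dataset and is more consistent with a placeholder or truncated upload than with real `openPorts` events. Pull the object with git-lfs and confirm it holds the intended data before merging; the sibling linux_known_openports.log at `size 135` is small too but plausibly a single event. The descriptor also ends with `\ No newline at end of file`, which the other Contreras descriptors in this diff do not.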
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: cd47daf6-498e-11ef-aa76-acde48001122
+date: '2024-07-24'
+description: Generated datasets for open ports discovery in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log
+sourcetypes:
+- 'openPorts'
+references:
+- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
index 99107b1e..09779c95 100644
--- a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
+++ b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e57a409f5ff8abc7f1dcf66014927f9b3a3f25419b29163827f91a3648625dcf
-size 901
+oid sha256:cc3a1fce686c0502eef25c4cae4e1732c2cf59478238bf147404f0195b482fbf
+size 1802
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
index 810e9188..f666d881 100644
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8c6c3c5100a96914176ad8fa31b20cb63197cb105779588b090bd0c101c05cae
-size 878
+oid sha256:8720a4878af74ec20fdb87d9c7be80564592dcc4ef0582e8935b3d67ab9863b3
+size 1756
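Review bot: The updated T1053.005 windows-xml.log pointer grows from `size 901` to `size 1802` and the T1070.001 one from `size 878` to `size 1756`, each exactly double the previous object, which is the signature of the existing event being appended a second time rather than a distinct event being added. If the duplication was not intended, detections that count, threshold or deduplicate events will behave differently on replay than on the original single-event dataset. Pull both objects and check for byte-identical lines before merging.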
diff --git a/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log b/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log
new file mode 100644
index 00000000..bd1272cd
--- /dev/null
+++ b/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8535b524b0232543396c9e02e214ea886f796799c04d6c4e553f5c1874a9ee5
+size 2041
diff --git a/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log b/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log
new file mode 100644
index 00000000..6023559b
--- /dev/null
+++ b/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e31de5f6db6710a63f41f75725f6eb35ef162fa8e9e2adb79d75f410b7d7888
+size 7925
diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml
new file mode 100644
index 00000000..c6127fad
--- /dev/null
+++ b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 09daa138-498f-11ef-aa76-acde48001122
+date: '2024-07-24'
+description: Generated datasets for linux password change in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log
+sourcetypes:
+- 'syslog'
+references:
+- https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_LINUX_USER_PWD_CHANGED.htm
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log b/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log
new file mode 100644
index 00000000..a4930405
--- /dev/null
+++ b/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:226a9d19ebf60f02e39e1283e02996b6b20396bf6b3c50ee00723d2e2a400abd
+size 103
diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
new file mode 100644
index 00000000..ab6fa1b0
--- /dev/null
+++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:425490f713e83ea96714014ce4ac8f7c09a4d3eb43c41a3a2977a88830fea5dc
+size 24402
diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml
new file mode 100644
index 00000000..07427af1
--- /dev/null
+++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml
@@ -0,0 +1,25 @@
+author: Steven Dick
+id: a44c84cb-231b-4657-8386-0f5d4b8f183e
+date: '2024-4-13'
+description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1098
+- https://attack.mitre.org/techniques/T1484/002/
+- https://attack.mitre.org/techniques/T1136/003/
+- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
+- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
+- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
+- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
+- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
+- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/
+- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
+- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log
new file mode 100644
index 00000000..eab7afcc
--- /dev/null
+++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b1f90ae5e05cac0d21aa10dbc921734b74e9259674f79c9484ea54d77930807
+size 59355
diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml
new file mode 100644
index 00000000..002331b7
--- /dev/null
+++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: 1d46ff6c-4a0e-4084-8975-e367e4e92bba
+date: '2023-10-30'
+description: 'Generic detection of password spray behaviors using CIM datamodel.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log
+sourcetypes:
+- WinEventLog:Security
+references:
+- https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
+- https://github.com/MarkoH17/Spray365
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
new file mode 100644
index 00000000..edc7e6ad
--- /dev/null
+++ b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63a209ac79763e9a54a69559d35e33d848b430dbc719c6ca9258409f34c24aea
+size 404012
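Review bot: The `dataset:` entry in o365_azure_workload_events.yml points at `.../T1098/o365_various_events/o365_various_events.log`, but the log committed alongside it in this chunk is `datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log`; unless an `o365_various_events` directory exists elsewhere in the repository, the descriptor references a file that is not there and replay will fail to fetch it. Change the entry to `- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log`. The descriptor also ends without a newline.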
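Review bot: `description: 'Generic detection of password spray behaviors using CIM datamodel.'` in password_spray_attack.yml describes a detection rather than the dataset, so a reader cannot tell what the 59355-byte log actually contains (event types, number of accounts, time span); `description: 'Detection of suspicious NTLM authentication behavior.'` in ntlm_bruteforce.yml on the next line has the same problem. Reword both to state what was generated and how, in the style of the sibling descriptors (`Generated datasets for ... in attack range.`), matching the actual log contents.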
diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml
new file mode 100644
index 00000000..c81c854c
--- /dev/null
+++ b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml
@@ -0,0 +1,16 @@
+author: Steven Dick
+id: 7d0802bd-b870-4a93-96f0-6e8323af425e
+date: '2024-2-19'
+description: 'Detection of suspicious NTLM authentication behavior.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560653(v=ws.10)?redirectedfrom=MSDN
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml
index ed2d51bd..19782c18 100644
--- a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml
+++ b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml
@@ -14,6 +14,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-system.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 - WinEventLog:Microsoft-Windows-PowerShell/Operational
diff --git a/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log b/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log
new file mode 100644
index 00000000..bb4bd2a2
--- /dev/null
+++ b/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:891605a31b4cfe03c4f9883663794314dacde05ed07f32f2c87eb31bb6ecaec8
+size 42342
diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log
new file mode 100644
index 00000000..56c09c9a
--- /dev/null
+++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac2b4ab4628203e0fe7ee7a52d77bc9451f094c94e09f21e3add1e0cf406c7da
+size 2369
diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml
index 1afecfc5..2694f711 100644
--- a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml
+++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml
@@ -1,10 +1,10 @@
 author: Teoderick Contreras, Splunk
-id: 803d6b50-2fbb-11ef-9f66-acde48001122
-date: '2024-06-21'
+id: f3c9a6d2-3f61-11ef-8fb2-acde48001122
+date: '2024-07-11'
 description: Generated datasets for firewall modify delete in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log.txt
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log
 sourcetypes:
 - 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
 references:
diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml
index 5e5ee1f8..adde9f4a 100644
--- a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml
+++ b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml
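Review bot: The hunk re-keys an existing descriptor, replacing `id: 803d6b50-2fbb-11ef-9f66-acde48001122` with `id: f3c9a6d2-3f61-11ef-8fb2-acde48001122`; if detections or tests reference this dataset by id they now dangle, and a new id is not needed to change the file path or date. Consider keeping the original `id` line and changing only `date` and `dataset`. The `dataset` path moves from `firewall-mod-delete.log.txt` to `firewall_mod_delete.log` and the new log is added in the preceding hunk, but no deletion of the old `.log.txt` appears in this chunk — confirm it is removed elsewhere in the commit, otherwise it stays behind as an orphaned LFS object that nothing references.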
@@ -13,6 +13,9 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 - WinEventLog:Microsoft-Windows-PowerShell/Operational
diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log
new file mode 100644
index 00000000..ef916cdc
--- /dev/null
+++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e1b77b283b038e7aa7933dbc6ed77871d1a599ca71e611553ac20fe75c3fccbe
+size 5635
diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log
new file mode 100644
index 00000000..49c3a903
--- /dev/null
+++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c7bde8b973fa27199ece3f04bbf6f99a26e317c77c36cd1249af3cdbe6cae767
+size 10519
diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log
new file mode 100644
index 00000000..b782004c
--- /dev/null
+++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:04db89547e200b0ff007641941fc5290dbd880562c834f5e470594e532edee60
+size 7992
diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log
new file mode 100644
index 00000000..11557f2d
--- /dev/null
+++ b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0c14572ac8b3a53eaf9fce4d3d66560407f87a5f53f713e7367920b39aa33e0
+size 300
diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml
new file mode 100644
index 00000000..8b3cfb6d
--- /dev/null
+++ b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 47c96cf6-483e-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for linux unix new user in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log
+sourcetypes:
+- 'syslog'
+references:
+- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log
new file mode 100644
index 00000000..b7cdfdf9
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ec1b14657a8b5ffbe8fdf73ca61c08e0da32a29fc4e75a3d50d4d5018d9fdefa
+size 5864778
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log
new file mode 100644
index 00000000..f73f5a16
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09fa024427846131827e26d08eb1e2c91604633fbe7fcadd2156a90e3e864c9c
+size 3160
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log
new file mode 100644
index 00000000..a778df7b
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:373a20f3a2c259aeca949fa08aa44b12b6f234db646f188a281e5993cf57e2d6
+size 2724
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log
new file mode 100644
index 00000000..db2f03eb
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97666c5ef1ff09095e61f5e963118f8e16d4bb07647a3f6a4b06bc48f4a7664a
+size 1515
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log
new file mode 100644
index 00000000..5c14fb53
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67b46fe7279192b97541394f0b6e1fe3ad680c2274f25d6176dcfca140002f0d
+size 140
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log
new file mode 100644
index 00000000..477d319f
--- /dev/null
+++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52a6590f94f1f1f235d863f713c524aa249c91b82de3231936e88eb69844d59a
+size 137
diff --git a/datasets/attack_techniques/T1190/moveit/SftpServer.log b/datasets/attack_techniques/T1190/moveit/SftpServer.log
new file mode 100644
index 00000000..9a16bff0
--- /dev/null
+++ b/datasets/attack_techniques/T1190/moveit/SftpServer.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f76558ab32fcfc27b4f357d40647d4ad62c1d9e396729567e83b490e53b89de1
+size 1361
diff --git a/datasets/attack_techniques/T1190/moveit/moveit.yml b/datasets/attack_techniques/T1190/moveit/moveit.yml
new file mode 100644
index 00000000..c1cdee8e
--- /dev/null
+++ b/datasets/attack_techniques/T1190/moveit/moveit.yml
@@ -0,0 +1,11 @@
+author: Michael Haag, Splunk
+id: 9535ef60-d482-434c-b3bb-6d1bd61e83be
+date: '2024-07-23'
+description: AttackData from WatchTowr blog related to CVE-2024-5806.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log
+sourcetypes:
+- sftp_server_logs
+references:
+- https://attack.mitre.org/techniques/T1190
diff --git a/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log b/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log
new file mode 100644
index 00000000..937f58a9
--- /dev/null
+++ b/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61b13acac884547f03146d8c80b4c8e81e47ec823b40c606a76436e8476d6f10
+size 3005
diff --git a/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log b/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log
new file mode 100644
index 00000000..c2f6983a
--- /dev/null
+++ b/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd40f904f0ec9856285d64a447d0ea7d1f227d69aa5d26d6a206bd0f5039db53
+size 123
diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log b/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log
new file mode 100644
index 00000000..c5026f31
--- /dev/null
+++ b/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac5936115986fc6ce834c6d10a2253113c2df8e7c4627d68dcf5dfd99bb1dc1d
+size 358
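Review bot: `description: AttackData from WatchTowr blog related to CVE-2024-5806.` names both a source publication and a CVE, yet `references:` carries only the MITRE technique page, so neither the blog post the events were taken from nor the vulnerability record can be traced from the descriptor. Add `- https://nvd.nist.gov/vuln/detail/CVE-2024-5806` and the WatchTowr post URL (`<WATCHTOWR_BLOG_URL>` — placeholder, take it from the source) under `references:`. `environment: attack_range` also reads as inconsistent with data reproduced from a blog rather than generated in the range — confirm which is the case and adjust the field or the description accordingly.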
diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml
new file mode 100644
index 00000000..a32cb92a
--- /dev/null
+++ b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 6deb28d0-483d-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for process high cpu usage in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log
+sourcetypes:
+- 'ps_metric'
+references:
+- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load
diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log b/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log
new file mode 100644
index 00000000..cb5999ce
--- /dev/null
+++ b/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:24ecfa44cc00a9c314828a6ae5ed5106981fb6b99c77c89297969b3199f418c3
+size 360
diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml
new file mode 100644
index 00000000..fd91d27e
--- /dev/null
+++ b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml
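Review bot: The reference `- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load` in process_high_cpu_usage.yml is missing the leading `h`, so it is not a resolvable URL; the identical broken entry is repeated in process_high_mem_usage.yml in the next hunk. Fix both to `- https://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load`. The memory-usage descriptor citing an article about CPU consumption looks like a copy-paste from the CPU descriptor; a memory-specific reference would serve readers better.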
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 8f43fa5c-483d-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for process high mem usage in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log
+sourcetypes:
+- 'ps_metric'
+references:
+- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load
diff --git a/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log b/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log
new file mode 100644
index 00000000..e6250eb6
--- /dev/null
+++ b/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73d8c41c752b0424dc2cef844813315837ab0d2e7a7ff68cbcfa94e1bba10645
+size 74014
diff --git a/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log b/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log
new file mode 100644
index 00000000..b75cade1
--- /dev/null
+++ b/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8e55347bde6ef17a3c61d4f750be39043a006023bc78e089d8e3c6a198208f6d
+size 459
diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log
new file mode 100644
index 00000000..f23f0ee1
--- /dev/null
+++ b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84650a78ea30b7b4a52cff492efad6060002454684cd08355d27a42452e41ca4
+size 68
diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml
new file mode 100644
index 00000000..6cf6c747
--- /dev/null
+++ b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: a5357efc-483e-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for linux unix delete user in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log
+sourcetypes:
+- 'syslog'
+references:
+- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/cl-tools-userdel
diff --git a/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json b/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json
new file mode 100644
index 00000000..90368347
--- /dev/null
+++ b/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:513c2a2923fe4206e5f1fa6358d87b4adadb8b5e56cc2842e08bb6e3c6324e74
+size 214
diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log b/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log
new file mode 100644
index 00000000..95327def
--- /dev/null
+++ b/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66463325506c55c1ea047136da1019668c930387d7a1a7bfb44378b224cbcf90
+size 164
diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml
new file mode 100644
index 00000000..bffbbaf8
--- /dev/null
+++ b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: cdf41566-483d-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for disable linux firewall in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log
+sourcetypes:
+- 'Unix:Service'
+references:
+- https://askubuntu.com/questions/260085/how-to-stop-firewall
diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
new file mode 100644
index 00000000..f5d15c3d
--- /dev/null
+++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e669b123a43b1ca7f707e7ac69e3edb32fe0f7631ced09e5a55e1e93d2aea57a
+size 53803
diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml
new file mode 100644
index 00000000..54e68da3
--- /dev/null
+++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml
@@ -0,0 +1,18 @@
+author: Steven Dick
+id: 35cffd75-1e1c-4837-a886-94c4ebf79f62
+date: '2024-4-6'
+description: 'Various Office 365 built-in and premium security feature alerts.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1566
+- https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
+- https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
+- https://learn.microsoft.com/en-us/purview/alert-policies
+- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide
+- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide
+- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide
+- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml
new file mode 100644
index 00000000..1791af8f
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml
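Review bot: `date: '2024-4-6'` in the o365_various_alerts.yml hunk is not zero-padded, unlike the `'2024-07-22'` form the other dataset files in this diff use, so tooling that parses these dates strictly or sorts them lexically will treat this file inconsistently. Write it as `date: '2024-04-06'`. The file is also committed without a trailing newline, which yamllint reports under `new-line-at-end-of-file`.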
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 7211b19c-4381-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for admin duplicate password in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log
new file mode 100644
index 00000000..48b6cdaa
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3b5e0815f14b85970f9b60d65e843a1efcb80c33363dc02d79cf6e2bda30ff6e
+size 1750
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml
new file mode 100644
index 00000000..118905c0
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml
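Review bot: The sourcetype `'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'` on a crowdstrike_stream dataset looks like it may have been carried over from a Sysmon dataset; if the cleaned CrowdStrike events are not Sysmon XML, replaying them under this sourcetype would route them through the wrong field extractions and any detection expecting CrowdStrike fields would likely not match. Confirm the sourcetype these logs were actually indexed with and set that value, or note in the description why the Sysmon sourcetype is intended. The same value appears in every other crowdstrike_stream .yml hunk on the following lines (admin_weak_password_policy, high_risk_score, medium_alert, multiple_low_alert, non_admin_weak_password_policy, privilege_escalation, riskscore, user_duplicate_password), so one answer settles all of them.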
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4725948a-4368-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for admin weak password policy in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log
new file mode 100644
index 00000000..42463672
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b131c12fb88306b5f84a0e54d70ab30f052df2640d015137ef99ab29a1c9a31e
+size 1897
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log
new file mode 100644
index 00000000..70e6eef0
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76b474133fba8197adbb49763a946a0b0f2772c0126e1f606cf9d99d26e88882
+size 1664
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml
new file mode 100644
index 00000000..b153918b
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: eeef36b6-441d-11ef-a54e-acde48001122
+date: '2024-07-17'
+description: Generated datasets for high risk score in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log
new file mode 100644
index 00000000..f3e58f80
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a42df9fd01f9452a5098d8d089a47a18aca2c886e1dffea6e2a62dd0b1cff426
+size 1068
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml
new file mode 100644
index 00000000..9569d247
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4b557dfa-4367-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for medium alert in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log
new file mode 100644
index 00000000..a653b073
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:29e03792cd236700448f35ed579afef23888c9717be829881f730317f0e3715d
+size 3402
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml
new file mode 100644
index 00000000..196c3b8e
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 7493fbac-4410-11ef-a54e-acde48001122
+date: '2024-07-17'
+description: Generated datasets for multiple low alert in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log
new file mode 100644
index 00000000..68e38b7e
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f459af031221a6a216c407e921ccc2a51e8ec9925cf5b70fd8e920e240e29a7
+size 1414
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml
new file mode 100644
index 00000000..105a9d19
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 8d65031e-4367-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for admin weak password policy in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log
new file mode 100644
index 00000000..5dfdf4f8
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1be55bc9f44d58ece6cdd1a81a797fad4f4326417a7c614499b8cb8d2fe2b3e0
+size 1060
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml
new file mode 100644
index 00000000..8ba0eb0d
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml
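Review bot: The description `Generated datasets for admin weak password policy in attack range.` in the non_admin_weak_password_policy.yml hunk repeats the admin_weak_password_policy.yml text, but this file and its dataset (`crowdstrike_user_weak_password_cleaned.log`) cover the non-admin case, so the two entries are indistinguishable by description. Change it to `description: Generated datasets for non-admin weak password policy in attack range.`. The directory is named `non_adminweak_password_policy` while the file inside it is `non_admin_weak_password_policy.yml`; the missing underscore in the directory name looks like a typo and will make the dataset harder to locate by name.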
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: bdf36786-4381-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for privilege escalation in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log
new file mode 100644
index 00000000..5c28521e
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:41b1a5593ef48a53e359c94e6ba0e319495f81270d6f4681f85001fda79a8fcc
+size 1494
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml
new file mode 100644
index 00000000..071477b7
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: cf18b840-4381-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for riskscore in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
\ No newline at end of file
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log
new file mode 100644
index 00000000..fd51faf4
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c311054d83d50958e2da48b6d5939f77bcdd064b119359f675400d96d0d8da16
+size 1313
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml
new file mode 100644
index 00000000..5a248f98
--- /dev/null
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 91442838-4381-11ef-b064-acde48001122
+date: '2024-07-16'
+description: Generated datasets for user duplicate password in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log
+sourcetypes:
+- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
+references:
+- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/
\ No newline at end of file