From 1024d48d29a9a7504f1f50a3859ed672613da853 Mon Sep 17 00:00:00 2001 From: Fred Frey Date: Fri, 8 Apr 2022 13:27:59 -0400 Subject: [PATCH 01/34] specify running commands on actual Splunk server I got tripped up and digging through code why it was failing. I was running this on my laptop and pointing it to an EC2 Splunk server. Figured out I believe these commands are supposed to be ran on the actual Splunk server .. so I ssh'd in and it worked. This is my first time so if this is incorrect please don't merge, but hopefully helping someone else who comes behind and may try and populated data into a remote Splunk server (which didn't work for me) --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 7b9851fd..caaaecbf 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ A Repository of curated datasets from various attacks to: * [Replay](#replay-datasets) into streaming pipelines for validating your detections in your production SIEM # Installation +Notes: +* These steps are inteded to be ran on your actual Splunk host/server (not remotely) + GitHub LFS is used in this project. For Mac users git-lfs can be derived with homebrew (for another OS click [here](https://github.com/git-lfs/git-lfs/wiki/Installation)): ```` From b706f644eb3a6bc1d82810932133eacfa54b766c Mon Sep 17 00:00:00 2001 From: Fred Frey Date: Fri, 8 Apr 2022 13:36:17 -0400 Subject: [PATCH 02/34] comment file must be local to spunk --- bin/replay.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/replay.yml b/bin/replay.yml index 9c2ff324..e6c45057 100644 --- a/bin/replay.yml +++ b/bin/replay.yml 
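Review bot: the added README line `+* These steps are inteded to be ran on your actual Splunk host/server (not remotely)` in PATCH 01/34 has two typos ("inteded" should be "intended", "to be ran" should be "to be run") and does not say why the restriction exists. State the reason so the reader does not have to rediscover it the way the commit message describes: the replay reads the dataset `path` from the local filesystem, so a laptop pointed at a remote EC2 Splunk instance has nothing to ingest. A dangling `Notes:` header with a single bullet between `# Installation` and the git-lfs paragraph also reads oddly; folding it into one sentence at the top of the section, e.g. `Run the following steps on the Splunk host itself (not from a remote machine); the replay reads dataset files from the local disk.`, would be cleaner.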
@@ -7,7 +7,7 @@ splunk: datasets: #name of data set to replay - name: T1003.002_windows_security -# relative path of raw file +# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log # splunk parameters to pass replay_parameters: From 26fafcdf4474d57821fbc883fcb530b649da15ec Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Sep 2023 06:26:31 +0000 Subject: [PATCH 03/34] Bump more-itertools from 8.8.0 to 10.1.0 Bumps [more-itertools](https://github.com/more-itertools/more-itertools) from 8.8.0 to 10.1.0. - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v8.8.0...v10.1.0) --- updated-dependencies: - dependency-name: more-itertools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- attack_data_service/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attack_data_service/requirements.txt b/attack_data_service/requirements.txt index 82e61eb0..2d308fdd 100644 --- a/attack_data_service/requirements.txt +++ b/attack_data_service/requirements.txt @@ -35,7 +35,7 @@ jmespath==0.10.0 lockfile==0.12.2 MarkupSafe==2.1.3 mock==4.0.3 -more-itertools==8.8.0 +more-itertools==10.1.0 mysql-connector-python==8.0.29 nodeenv==1.6.0 ntlm-auth==1.5.0 From 463a256850fbc50b457bf3f20a4f21712ce5e60e Mon Sep 17 00:00:00 2001 
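Review bot: the reworded comment in PATCH 02/34 (`# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server`) still does not say what the path is relative to. Since the point of the change is that people try this from a remote machine, name the base directory explicitly (presumably the checkout of this repository on the Splunk host, assuming that is how the replay script resolves it) so a reader does not try an absolute or home-relative path first. Something like `# path relative to the attack_data checkout on the Splunk server; the file must exist on that host` carries the same warning without the ellipsis.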
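Review bot: the `-more-itertools==8.8.0` / `+more-itertools==10.1.0` bump in PATCH 03/34 is a semver-major jump across two major versions with no code or test change alongside it, so nothing in this series shows that `attack_data_service` still imports what it used. The 10.x releases also declare Python 3.8 or newer in their package metadata, so confirm the interpreter the service runs on before merging, and run the service's tests against the new pin rather than relying on the dependabot changelog link.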
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Oct 2023 06:29:53 +0000 Subject: [PATCH 04/34] Bump azure-mgmt-network from 17.1.0 to 25.1.0 Bumps [azure-mgmt-network](https://github.com/Azure/azure-sdk-for-python) from 17.1.0 to 25.1.0. - [Release notes](https://github.com/Azure/azure-sdk-for-python/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-python/blob/main/doc/esrp_release.md) - [Commits](https://github.com/Azure/azure-sdk-for-python/compare/azure-mgmt-network_17.1.0...azure-mgmt-network_25.1.0) --- updated-dependencies: - dependency-name: azure-mgmt-network dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- attack_data_service/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attack_data_service/requirements.txt b/attack_data_service/requirements.txt index 82e61eb0..e9844919 100644 --- a/attack_data_service/requirements.txt +++ b/attack_data_service/requirements.txt @@ -9,7 +9,7 @@ azure-core==1.17.0 azure-identity==1.7.0 azure-mgmt-compute==18.2.0 azure-mgmt-core==1.3.0 -azure-mgmt-network==17.1.0 +azure-mgmt-network==25.1.0 azure-mgmt-resource==19.0.0 bcrypt==3.2.0 boto3==1.20.17 From b9c894895d314644c84d84d1f054fb9b259c3437 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Oct 2023 06:34:53 +0000 Subject: [PATCH 05/34] Bump pygithub from 1.54.1 to 2.1.1 Bumps [pygithub](https://github.com/pygithub/pygithub) from 1.54.1 to 2.1.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](https://github.com/pygithub/pygithub/compare/v1.54.1...v2.1.1) --- updated-dependencies: - dependency-name: pygithub dependency-type: direct:production update-type: version-update:semver-major ... 
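Review bot: the `+azure-mgmt-network==25.1.0` line in PATCH 04/34 is bumped eight major versions while the surrounding context keeps `azure-mgmt-core==1.3.0` and `azure-core==1.17.0` pinned with `==`. Recent azure-mgmt-network releases declare a higher `azure-mgmt-core` floor than 1.3.0, so a strict pin set like this is likely to fail dependency resolution under pip; either bump the `azure-core`/`azure-mgmt-core` pins together with it or reject the bump. Going from 17 to 25 also crosses several regenerated client versions, so check whatever network-client calls the service makes against the linked changelog, since dependabot cannot exercise them.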
Signed-off-by: dependabot[bot] --- attack_data_service/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attack_data_service/requirements.txt b/attack_data_service/requirements.txt index 82e61eb0..e1bb7dcd 100644 --- a/attack_data_service/requirements.txt +++ b/attack_data_service/requirements.txt @@ -52,7 +52,7 @@ psutil==5.8.0 ptyprocess==0.7.0 py==1.11.0 pycparser==2.20 -PyGithub==1.54.1 +PyGithub==2.1.1 PyJWT==1.7.1 PyNaCl==1.4.0 pyparsing==2.4.7 From fee2f745d75d4acf03f63804eb35e4b055831c95 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 11 Nov 2023 10:43:07 -0500 Subject: [PATCH 06/34] Initial upload --- .../generic_password_spray/password_spray_attack.log | 3 +++ .../generic_password_spray/password_spray_attack.yml | 12 ++++++++++++ 2 files changed, 15 insertions(+) create mode 100644 datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log create mode 100644 datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log new file mode 100644 index 00000000..a40d7b44 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:501fe8274740a6b2bf82eb76bb2c1a3b9de5ab5614ceb8d387f75d76bf5355c8 +size 43197 diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml new file mode 100644 index 00000000..002331b7 --- /dev/null +++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml 
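Review bot: `+PyGithub==2.1.1` in PATCH 05/34 sits two lines above a still-pinned `PyJWT==1.7.1`; PyGithub 2.x depends on pyjwt 2.x (with the crypto extra), so this requirements set will not install as written. PyGithub 2.0 also deprecated constructing the client with a bare token (`Github(token)` / `login_or_token=`) in favour of `Github(auth=github.Auth.Token(...))`, so grep `attack_data_service` for how it authenticates before taking a major bump that no test in this series covers.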
@@ -0,0 +1,12 @@ +author: Steven Dick +id: 1d46ff6c-4a0e-4084-8975-e367e4e92bba +date: '2023-10-30' +description: 'Generic detection of password spray behaviors using CIM datamodel.' +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log +sourcetypes: +- WinEventLog:Security +references: +- https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ +- https://github.com/MarkoH17/Spray365 \ No newline at end of file From 5ca4a04597993157024bb1eb7ba99474c5727aea Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 16 Mar 2024 11:26:48 -0400 Subject: [PATCH 07/34] Add files via upload --- .../ntlm_bruteforce/ntlm_bruteforce.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml new file mode 100644 index 00000000..c81c854c --- /dev/null +++ b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml 
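Review bot: the `description` of the new `password_spray_attack.yml` in PATCH 06/34 ("Generic detection of password spray behaviors using CIM datamodel") describes a detection, not the dataset; the other metadata files in this series describe what was generated and how (compare "Generated datasets for firewall modify delete in attack range" in `firewall_modify_delete.yml`). Say what was sprayed, against which host, and with which tool (Spray365 is in the references, so presumably that), so a reader knows which events to expect in the 43197-byte log. Two smaller points: the file has no trailing newline (`\ No newline at end of file`), and `WinEventLog:Security` is the classic-format sourcetype while the neighbouring datasets use `XmlWinEventLog:...`; confirm which format the log actually is, because the field extractions differ.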
@@ -0,0 +1,16 @@ +author: Steven Dick +id: 7d0802bd-b870-4a93-96f0-6e8323af425e +date: '2024-2-19' +description: 'Detection of suspicious NTLM authentication behavior.' +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log +sourcetypes: +- XmlWinEventLog:Microsoft-Windows-NTLM/Operational +references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://www.varonis.com/blog/investigate-ntlm-brute-force +- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191 +- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827 +- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560653(v=ws.10)?redirectedfrom=MSDN +- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f \ No newline at end of file From b94585310acfcfc694b6c5ff7280dc9652513e92 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 16 Mar 2024 11:28:18 -0400 Subject: [PATCH 08/34] log upload --- .../T1110.003/ntlm_bruteforce/ntlm_bruteforce.log | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log diff --git a/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log new file mode 100644 index 00000000..edc7e6ad --- /dev/null +++ b/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:63a209ac79763e9a54a69559d35e33d848b430dbc719c6ca9258409f34c24aea +size 404012 
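Review bot: `date: '2024-2-19'` in the new `ntlm_bruteforce.yml` (PATCH 07/34) is not zero-padded, unlike `'2023-10-30'` in the previous dataset, which breaks sorting and any tooling that parses the field as ISO 8601; use `'2024-02-19'`. The `dataset:` URL also references `ntlm_bruteforce.log`, which only lands in PATCH 08/34, so the intermediate commit carries a dangling pointer; squash the two or commit the log first. Minor: the `learn.microsoft.com` reference drags along a `?redirectedfrom=MSDN` tracking parameter that can be dropped.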
From 291ab96721a566ce5df303a05ad6b5ad651cba3d Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 7 Apr 2024 11:07:57 -0400 Subject: [PATCH 09/34] Add files via upload --- .../premium_0365_alerts.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml diff --git a/datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml b/datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml new file mode 100644 index 00000000..03dcb2f4 --- /dev/null +++ b/datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml @@ -0,0 +1,18 @@ +author: Steven Dick +id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 +date: '2024-4-6' +description: 'Various Office 365 premium and built-in security feature alerts.' +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/0365_premium_alerts/o365_premium_alerts.log +sourcetypes: +- o365:management:activity +references: +- https://attack.mitre.org/techniques/T1566 +- https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults +- https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp +- https://learn.microsoft.com/en-us/purview/alert-policies +- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide +- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide +- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide +- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide \ No newline at end of file 
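Review bot: the file added in PATCH 09/34 lives at `T1566/o365_premium_alerts/premium_0365_alerts.yml` (letter o in the directory, digit zero in the file name), and its `dataset:` URL points to `.../T1566/0365_premium_alerts/o365_premium_alerts.log`, which matches neither the directory nor any file in this commit, so as committed the metadata references a log that does not exist. PATCH 10/34 renames everything anyway, so squash the two rather than leaving a broken commit in history. `date: '2024-4-6'` should be `'2024-04-06'`, and the eight `?view=o365-worldwide` query strings in the references can be stripped.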
From 85c05adf02505a692180108108047e851941cbc1 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 7 Apr 2024 11:12:46 -0400 Subject: [PATCH 10/34] consistency updates --- .../T1566/o365_various_alerts/o365_various_alerts.log | 3 +++ .../o365_various_alerts.yml} | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log rename datasets/attack_techniques/T1566/{o365_premium_alerts/premium_0365_alerts.yml => o365_various_alerts/o365_various_alerts.yml} (86%) diff --git a/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log new file mode 100644 index 00000000..f5d15c3d --- /dev/null +++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e669b123a43b1ca7f707e7ac69e3edb32fe0f7631ced09e5a55e1e93d2aea57a +size 53803 diff --git a/datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml similarity index 86% rename from datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml rename to datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml index 03dcb2f4..54e68da3 100644 --- a/datasets/attack_techniques/T1566/o365_premium_alerts/premium_0365_alerts.yml +++ b/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.yml 
@@ -1,10 +1,10 @@ author: Steven Dick id: 35cffd75-1e1c-4837-a886-94c4ebf79f62 date: '2024-4-6' -description: 'Various Office 365 premium and built-in security feature alerts.' +description: 'Various Office 365 built-in and premium security feature alerts.' environment: attack_range dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/0365_premium_alerts/o365_premium_alerts.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log sourcetypes: - o365:management:activity references: From d82beadb4ec57e9b609b859fcd87097c6f39e6d8 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 13 Apr 2024 15:28:33 -0400 Subject: [PATCH 11/34] Add files via upload --- .../T1098/T1098/o365_various_events.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 datasets/attack_techniques/T1098/T1098/o365_various_events.yml diff --git a/datasets/attack_techniques/T1098/T1098/o365_various_events.yml b/datasets/attack_techniques/T1098/T1098/o365_various_events.yml new file mode 100644 index 00000000..07427af1 --- /dev/null +++ b/datasets/attack_techniques/T1098/T1098/o365_various_events.yml 
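Review bot: the rename in PATCH 10/34 fixes the `dataset:` URL but leaves `date: '2024-4-6'` unpadded and keeps the `?view=o365-worldwide` parameters in the reference URLs; since the file is being rewritten in this commit, normalise both here. The `id` is correctly left unchanged across the rename.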
@@ -0,0 +1,25 @@ +author: Steven Dick +id: a44c84cb-231b-4657-8386-0f5d4b8f183e +date: '2024-4-13' +description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.' +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log +sourcetypes: +- o365:management:activity +references: +- https://attack.mitre.org/techniques/T1098 +- https://attack.mitre.org/techniques/T1484/002/ +- https://attack.mitre.org/techniques/T1136/003/ +- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference +- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide +- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal +- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5 +- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html +- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/ +- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/ +- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf +- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999 +- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/ +- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration +- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360 \ No newline at 
end of file From 798fd14651956c3551bf180c3673cfd5d0a33fff Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sat, 13 Apr 2024 15:32:51 -0400 Subject: [PATCH 12/34] Intial uploads and consistency fixes --- .../o365_azure_workload_events/o365_azure_workload_events.log | 3 +++ .../o365_azure_workload_events.yml} | 0 2 files changed, 3 insertions(+) create mode 100644 datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log rename datasets/attack_techniques/T1098/{T1098/o365_various_events.yml => o365_azure_workload_events/o365_azure_workload_events.yml} (100%) diff --git a/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log new file mode 100644 index 00000000..ab6fa1b0 --- /dev/null +++ b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:425490f713e83ea96714014ce4ac8f7c09a4d3eb43c41a3a2977a88830fea5dc +size 24402 diff --git a/datasets/attack_techniques/T1098/T1098/o365_various_events.yml b/datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml similarity index 100% rename from datasets/attack_techniques/T1098/T1098/o365_various_events.yml rename to datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml From 94d63135f503cfd89a6ea34b3c5c291de96d16c0 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 3 May 2024 11:23:47 -0400 Subject: [PATCH 13/34] Add files via upload --- .../T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml 
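Review bot: the metadata file in PATCH 11/34 is committed under `datasets/attack_techniques/T1098/T1098/o365_various_events.yml` (technique id doubled as a subdirectory) while its `dataset:` URL points to `.../T1098/o365_various_events/o365_various_events.log`, so the path and the URL disagree and no log exists at either location in this commit. The description also says "Universal Access Log"; the Office 365 source behind the `o365:management:activity` sourcetype is the Unified Audit Log, delivered through the Management Activity API, so the term should be corrected. `date: '2024-4-13'` should be zero-padded like the earlier `'2023-10-30'`.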
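Review bot: the rename in PATCH 12/34 reports `similarity index 100%`, i.e. the yml body was not touched, so its `dataset:` entry still reads `.../T1098/o365_various_events/o365_various_events.log` while the log actually added in this commit is `.../T1098/o365_azure_workload_events/o365_azure_workload_events.log`. Update the URL in the same commit, otherwise the "consistency fixes" in the subject line leave the pointer broken.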
diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml new file mode 100644 index 00000000..61627d00 --- /dev/null +++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml @@ -0,0 +1,13 @@ +author: Steven Dick +id: 8c54662e-a3c8-456c-a8bb-928e6c13b641 +date: '2024-5-3' +description: 'Some simple T1036.003 and T1036.005 tests using moved/renamed cmd.exe' +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log +sourcetypes: +- xmlwineventlog +references: +- https://attack.mitre.org/techniques/T1036/ +- https://attack.mitre.org/techniques/T1036/003/ +- https://attack.mitre.org/techniques/T1036/005/ \ No newline at end of file From 3c803e1dfbf2de9a8e2f4f0b81558a718db60dba Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 3 May 2024 11:26:32 -0400 Subject: [PATCH 14/34] log upload --- .../T1036/cmd_lolbas_usage/cmd_lolbas_usage.log | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log diff --git a/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log new file mode 100644 index 00000000..c5e3ab49 --- /dev/null +++ b/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:498b62af6fe8753e73d8973e4ff843aef2efca7a59d346d779d4258fddb258cb +size 125338 From 421c06d02555143c699a068b3576743c63cba14d Mon Sep 17 00:00:00 2001 
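Review bot: `sourcetypes: - xmlwineventlog` in the new `cmd_lolbas_usage.yml` (PATCH 13/34) is a bare lowercase value, whereas the other datasets in this series record the channel, e.g. `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` or `XmlWinEventLog:Microsoft-Windows-NTLM/Operational`. For a moved/renamed `cmd.exe` test the reader needs to know whether the events are Sysmon process creation or Security 4688, since the detection fields differ, so record the full sourcetype. Same `date: '2024-5-3'` padding issue and missing trailing newline as the earlier files; the log itself only arrives in PATCH 14/34, so squash or reorder.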
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 17 Jun 2024 09:50:15 -0400 Subject: [PATCH 15/34] Add additional data for extra detections --- .../generic_password_spray/password_spray_attack.log | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log index a40d7b44..49343dfd 100644 --- a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log +++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:501fe8274740a6b2bf82eb76bb2c1a3b9de5ab5614ceb8d387f75d76bf5355c8 -size 43197 +oid sha256:c380ed0206acea8ae89c400755a3313d99b00e965dee95d8ac2233177ec538f2 +size 57477 From 85920a5a2b4654813833a6e59388900faf0cadff Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 25 Jun 2024 10:10:20 -0600 Subject: [PATCH 16/34] Updated linux base64 decode data --- .../attack_techniques/T1027/atomic_red_team/linux-sysmon.log | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log b/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log index c184c5ac..0efc5ab2 100644 --- a/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log +++ b/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f910a5ffc119526effae8b946912c2962e985106cec54d3785169a59c78ca163 -size 11495 +oid sha256:2a82e3fb0c04c8a1b0ce6ec19f399f0ac96977ab273bec97e6496da3c7880d79 +size 20552 From 6aa1be207b06dce2decd08b424f4417add953d5d Mon Sep 17 00:00:00 2001 
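Review bot: PATCH 15/34 and PATCH 16/34 each replace an LFS pointer in place (`size 43197` to `57477` for `password_spray_attack.log`, `size 11495` to `20552` for `linux-sysmon.log`) without touching the matching yml, so the `date`/`description` metadata no longer reflects what the dataset contains and the `dataset:` URL is identical for both versions. Note the added events and bump the date in the yml in the same commit, so a consumer can tell which version of the log a detection was validated against.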
From: pyth0n1c Date: Mon, 1 Jul 2024 08:40:12 -0700 Subject: [PATCH 17/34] added new datasets in preparation for release --- .../splunk/SVD-2024-0711_web_access_splunk_web_access.log | 3 +++ .../T1087/splunk/SVD-2024-0716_splunkd_splunkd.log | 3 +++ .../T1189/splunk/SVD-2024-0712_audittrail_audittrail.log | 3 +++ .../SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log | 3 +++ .../attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log | 3 +++ .../splunk/SVD-2024-0714_web_access_splunk_web_access.log | 3 +++ .../T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log | 3 +++ .../T1189/splunk/SVD-2024-0717_python_log_splunk_python.log | 3 +++ .../T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log | 3 +++ ...SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log | 3 +++ .../SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log | 3 +++ .../splunk/SVD-2024-0710_web_service_splunk_web_service.log | 3 +++ .../T1548/splunk/SVD-2024-0709_json_json.json | 3 +++ 13 files changed, 39 insertions(+) create mode 100644 datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log create mode 100644 datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log create mode 100644 datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log create mode 100644 datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log create mode 100644 
datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log create mode 100644 datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log create mode 100644 datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log create mode 100644 datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json diff --git a/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log b/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log new file mode 100644 index 00000000..bd1272cd --- /dev/null +++ b/datasets/attack_techniques/T1083/splunk/SVD-2024-0711_web_access_splunk_web_access.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8535b524b0232543396c9e02e214ea886f796799c04d6c4e553f5c1874a9ee5 +size 2041 diff --git a/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log b/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log new file mode 100644 index 00000000..6023559b --- /dev/null +++ b/datasets/attack_techniques/T1087/splunk/SVD-2024-0716_splunkd_splunkd.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2e31de5f6db6710a63f41f75725f6eb35ef162fa8e9e2adb79d75f410b7d7888 +size 7925 diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log new file mode 100644 index 00000000..b7cdfdf9 --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_audittrail_audittrail.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ec1b14657a8b5ffbe8fdf73ca61c08e0da32a29fc4e75a3d50d4d5018d9fdefa +size 5864778 
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log new file mode 100644 index 00000000..f73f5a16 --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0712_splunkd_ui_access_splunk_ui_access.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:09fa024427846131827e26d08eb1e2c91604633fbe7fcadd2156a90e3e864c9c +size 3160 diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log new file mode 100644 index 00000000..a778df7b --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0713_json_json.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:373a20f3a2c259aeca949fa08aa44b12b6f234db646f188a281e5993cf57e2d6 +size 2724 diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log new file mode 100644 index 00000000..db2f03eb --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0714_web_access_splunk_web_access.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:97666c5ef1ff09095e61f5e963118f8e16d4bb07647a3f6a4b06bc48f4a7664a +size 1515 diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log new file mode 100644 index 00000000..5c14fb53 --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0715_splunkd_splunkd_access.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67b46fe7279192b97541394f0b6e1fe3ad680c2274f25d6176dcfca140002f0d +size 140 
diff --git a/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log b/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log new file mode 100644 index 00000000..477d319f --- /dev/null +++ b/datasets/attack_techniques/T1189/splunk/SVD-2024-0717_python_log_splunk_python.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:52a6590f94f1f1f235d863f713c524aa249c91b82de3231936e88eb69844d59a +size 137 diff --git a/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log b/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log new file mode 100644 index 00000000..937f58a9 --- /dev/null +++ b/datasets/attack_techniques/T1210/splunk/SVD-2024-0701_pdfgen_log_splunk_pdfgen.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:61b13acac884547f03146d8c80b4c8e81e47ec823b40c606a76436e8476d6f10 +size 3005 diff --git a/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log b/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log new file mode 100644 index 00000000..c2f6983a --- /dev/null +++ b/datasets/attack_techniques/T1210/splunk/SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cd40f904f0ec9856285d64a447d0ea7d1f227d69aa5d26d6a206bd0f5039db53 +size 123 diff --git a/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log b/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log new file mode 100644 index 00000000..e6250eb6 --- /dev/null +++ b/datasets/attack_techniques/T1499/splunk/SVD-2024-0702_splunkd_crash_log_splunkd_crash_log.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73d8c41c752b0424dc2cef844813315837ab0d2e7a7ff68cbcfa94e1bba10645 +size 74014 
diff --git a/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log b/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log new file mode 100644 index 00000000..b75cade1 --- /dev/null +++ b/datasets/attack_techniques/T1499/splunk/SVD-2024-0710_web_service_splunk_web_service.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8e55347bde6ef17a3c61d4f750be39043a006023bc78e089d8e3c6a198208f6d +size 459 diff --git a/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json b/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json new file mode 100644 index 00000000..90368347 --- /dev/null +++ b/datasets/attack_techniques/T1548/splunk/SVD-2024-0709_json_json.json @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:513c2a2923fe4206e5f1fa6358d87b4adadb8b5e56cc2842e08bb6e3c6324e74 +size 214 From 01f8197c9ce014ef2905f1860e9a0a97aa8d70b2 Mon Sep 17 00:00:00 2001 From: tccontre Date: Thu, 11 Jul 2024 10:46:31 +0200 Subject: [PATCH 18/34] shrinklock --- .../T1112/firewall_modify_delete/firewall_mod_delete.log | 3 +++ .../T1112/firewall_modify_delete/firewall_modify_delete.yml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) create mode 100644 datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log new file mode 100644 index 00000000..56c09c9a --- /dev/null +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ac2b4ab4628203e0fe7ee7a52d77bc9451f094c94e09f21e3add1e0cf406c7da +size 2369 
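Review bot: none of the thirteen `SVD-2024-07xx_*` files added in PATCH 17/34 come with the `.yml` metadata (description, sourcetype, references) that every other dataset in this series carries, so there is no way to know which sourcetype to replay `SVD-2024-0713_json_json.log` or `SVD-2024-0709_json_json.json` as, or why Splunk `web_access`, `audittrail` and `python` logs are filed under T1189 (Drive-by Compromise). Add a yml per dataset before the release this is "in preparation for". Naming is also inconsistent: one file uses the `.json` extension while the other twelve use `.log`, and `SVD-2024-0705_splunk_archiver_splunk_archiver-too_small.log` carries a `-too_small` suffix (123 bytes) that reads like a working note rather than a dataset name.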
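Review bot: because the commit message for PATCH 17/34 says these datasets are staged ahead of a release, confirm that the SVD-2024-0701 through SVD-2024-0717 advisory identifiers are already public before this lands on the default branch of a public repository; the file names alone disclose which advisories exist and which components (`pdfgen`, `splunk_archiver`, `splunkd_crash_log`, `web_service`) they concern, and the 5.8 MB `audittrail` log should be checked for hostnames, usernames or tokens from the capture environment.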
diff --git a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml index 1afecfc5..2694f711 100644 --- a/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml +++ b/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml @@ -1,10 +1,10 @@ author: Teoderick Contreras, Splunk -id: 803d6b50-2fbb-11ef-9f66-acde48001122 -date: '2024-06-21' +id: f3c9a6d2-3f61-11ef-8fb2-acde48001122 +date: '2024-07-11' description: Generated datasets for firewall modify delete in attack range. environment: attack_range dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log.txt +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log sourcetypes: - 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' references: From 05d2fb21ad853a0062b81f420bd74657a449f0bb Mon Sep 17 00:00:00 2001 
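Review bot: in the firewall_modify_delete.yml hunk the `id` is regenerated (803d6b50-2fbb to f3c9a6d2-3f61) and the `date` is bumped, although the only functional change is that the `dataset` URL now points at `firewall_mod_delete.log` instead of `firewall-mod-delete.log.txt`; anything that references this dataset by its original id stops resolving, so keep the original `id` and `date` and change only the URL. The old `firewall-mod-delete.log.txt` is not deleted in this patch (the stat lists only the new `firewall_mod_delete.log` and the yml, with no `delete mode` line), so it remains as an orphaned LFS object; delete it in the same commit, and give the commit a subject that describes the rename rather than 'shrinklock'.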
From: tccontre Date: Tue, 16 Jul 2024 13:42:20 +0200 Subject: [PATCH 19/34] crow --- .../admin_weak_password_policy.yml | 11 +++++++++++ .../crowdstrike_weak_password_admin_cleaned.log | 3 +++ .../medium_alert/crowdstrike_medium_clean.log | 3 +++ .../crowdstrike_stream/medium_alert/medium_alert.yml | 11 +++++++++++ .../crowdstrike_multiple_low_cleaned.log | 3 +++ .../multiple_low_alert/multiple_low_alert.yml | 11 +++++++++++ .../crowdstrike_user_weak_password_cleaned.log | 3 +++ .../non_admin_weak_password_policy.yml | 11 +++++++++++ 8 files changed, 56 insertions(+) create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml new file mode 100644 index 00000000..118905c0 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/admin_weak_password_policy.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 4725948a-4368-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for admin weak password policy in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ \ No newline at end of file diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log new file mode 100644 index 00000000..42463672 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_weak_password_policy/crowdstrike_weak_password_admin_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b131c12fb88306b5f84a0e54d70ab30f052df2640d015137ef99ab29a1c9a31e +size 1897 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log new file mode 100644 index 00000000..f3e58f80 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a42df9fd01f9452a5098d8d089a47a18aca2c886e1dffea6e2a62dd0b1cff426 +size 1068 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml new file mode 100644 index 00000000..9569d247 --- /dev/null 
+++ b/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/medium_alert.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 4b557dfa-4367-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for medium alert in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/medium_alert/crowdstrike_medium_clean.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log new file mode 100644 index 00000000..ee3da4a3 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:159165085dede360707dfc8316a30b1436f82c281ccf05706d70ccc42b595b6b +size 3348 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml new file mode 100644 index 00000000..d81381dd --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 6cf65862-4367-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for multiple low alert in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log new file mode 100644 index 00000000..68e38b7e --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f459af031221a6a216c407e921ccc2a51e8ec9925cf5b70fd8e920e240e29a7 +size 1414 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml new file mode 100644 index 00000000..27bf6d01 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 8d65031e-4367-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for admin weak password policy in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_admin_weak_password_policy/crowdstrike_user_weak_password_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ From 3661866cfbf34c188dba825f6f5e6ba64daf1b43 Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 16 Jul 2024 15:21:46 +0200 Subject: [PATCH 20/34] crow --- .../non_admin_weak_password_policy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml index 27bf6d01..105a9d19 100644 --- a/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml +++ b/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/non_admin_weak_password_policy.yml @@ -4,7 +4,7 @@ date: '2024-07-16' description: Generated datasets for admin weak password policy in attack range. environment: attack_range dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_admin_weak_password_policy/crowdstrike_user_weak_password_cleaned.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/non_adminweak_password_policy/crowdstrike_user_weak_password_cleaned.log sourcetypes: - 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' references: 
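Review bot: in the admin_weak_password_policy.yml hunk of patch 19, and identically in the medium_alert.yml, multiple_low_alert.yml and non_admin_weak_password_policy.yml hunks, `sourcetypes` is `'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`, which is the Sysmon XML template value, while the datasets are CrowdStrike event-stream logs (`crowdstrike_*_cleaned.log`, referenced to the CrowdStrike log-streaming page). Replaying these files under a Sysmon sourcetype applies the wrong field extractions, so any detection validated against them will not behave the same on a real CrowdStrike feed; set `sourcetypes` to the sourcetype the replay configuration actually assigns to this data. The admin_weak_password_policy.yml hunk also ends without a trailing newline.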
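Review bot: in the non_admin_weak_password_policy.yml hunk of patch 19 the `description` reads 'admin weak password policy', copied from the admin variant, and the `dataset` URL uses the directory `non_admin_weak_password_policy/`, while the `create mode` lines show the file is actually created under `non_adminweak_password_policy/` (missing underscore), so the URL does not resolve against the LFS media endpoint. Fix the description to say 'non admin weak password policy' and rename the directory to `non_admin_weak_password_policy` so it matches the URL, the yml filename and the sibling `admin_weak_password_policy` directory.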
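Review bot: the patch 20 hunk repairs the `dataset` URL by pointing it at the misspelled directory `non_adminweak_password_policy/` rather than renaming the directory to `non_admin_weak_password_policy/` to match the yml filename and the sibling `admin_weak_password_policy` directory; a `git mv` of the directory is the better fix, and the unchanged context line `description: Generated datasets for admin weak password policy in attack range.` is still wrong for the non-admin dataset.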
From e90a3a077bf99159b372eb4ce355cf3b39239948 Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 17 Jul 2024 09:42:42 +0200 Subject: [PATCH 21/34] crow --- .../crowdstrike_multiple_low_cleaned.log | 3 --- .../multiple_low_alert/multiple_low_alert.yml | 11 ----------- 2 files changed, 14 deletions(-) delete mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log delete mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log deleted file mode 100644 index ee3da4a3..00000000 --- a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:159165085dede360707dfc8316a30b1436f82c281ccf05706d70ccc42b595b6b -size 3348 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml deleted file mode 100644 index d81381dd..00000000 --- a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -author: Teoderick Contreras, Splunk -id: 6cf65862-4367-11ef-b064-acde48001122 -date: '2024-07-16' -description: Generated datasets for multiple low alert in attack range. -environment: attack_range -dataset: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log -sourcetypes: -- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' -references: -- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ From b9159b48b819ad03062112a13279988d8f2f1aba Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 17 Jul 2024 09:45:49 +0200 Subject: [PATCH 22/34] crow --- .../crowdstrike_multiple_low_cleaned.log | 3 +++ .../multiple_low_alert/multiple_low_alert.yml | 11 +++++++++++ 2 files changed, 14 insertions(+) create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log new file mode 100644 index 00000000..a653b073 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:29e03792cd236700448f35ed579afef23888c9717be829881f730317f0e3715d +size 3402 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml new file mode 100644 index 00000000..196c3b8e --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/multiple_low_alert.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 7493fbac-4410-11ef-a54e-acde48001122 +date: '2024-07-17' +description: Generated datasets for multiple low alert in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/multiple_low_alert/crowdstrike_multiple_low_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming \ No newline at end of file From 3b01b2c2f89af69ddd12a15014ccfc018eb046cc Mon Sep 17 00:00:00 2001 
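Review bot: patches 21 and 22 delete and then re-create the same two files (`crowdstrike_multiple_low_cleaned.log` and `multiple_low_alert.yml`) just to swap the LFS object (oid 15916508 size 3348 to oid 29e03792 size 3402); that should be a single commit that modifies the pointer in place, as patch 25 does. The re-created multiple_low_alert.yml hunk also regenerates the `id` (6cf65862-4367 to 7493fbac-4410), changes the `date` to 2024-07-17, drops the trailing slash from the reference URL that the sibling yml files keep, and ends without a trailing newline. Keep the original `id` and `date`, restore the URL, and squash the two commits.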
From: tccontre Date: Wed, 17 Jul 2024 11:21:58 +0200 Subject: [PATCH 23/34] crow --- .../admin_duplicate_password.yml | 11 +++++++++++ .../crowdstrike_admin_dup_pwd_cleaned.log | 3 +++ .../crowdstrike_high_riskscore_cleaned.log | 3 +++ .../high_risk_score/high_risk_score.yml | 11 +++++++++++ .../crowdstrike_priv_esc_cleaned.log | 3 +++ .../privilege_escalation/privilege_escalation.yml | 11 +++++++++++ .../riskscore/crowdstrike_riskscore_cleaned.log | 3 +++ .../crowdstrike_stream/riskscore/riskscore.yml | 11 +++++++++++ .../crowdstrike_user_dup_pwd_cleaned.log | 3 +++ .../user_duplicate_password.yml | 11 +++++++++++ 10 files changed, 70 insertions(+) create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log create mode 100644 datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml 
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml new file mode 100644 index 00000000..1791af8f --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/admin_duplicate_password.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 7211b19c-4381-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for admin duplicate password in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ \ No newline at end of file diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log new file mode 100644 index 00000000..48b6cdaa --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/admin_duplicate_password/crowdstrike_admin_dup_pwd_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3b5e0815f14b85970f9b60d65e843a1efcb80c33363dc02d79cf6e2bda30ff6e +size 1750 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log new file mode 100644 index 00000000..70e6eef0 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:76b474133fba8197adbb49763a946a0b0f2772c0126e1f606cf9d99d26e88882 +size 1664 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml new file mode 100644 index 00000000..b153918b --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/high_risk_score.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: eeef36b6-441d-11ef-a54e-acde48001122 +date: '2024-07-17' +description: Generated datasets for high risk score in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/high_risk_score/crowdstrike_high_riskscore_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming \ No newline at end of file diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log new file mode 100644 index 00000000..5dfdf4f8 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1be55bc9f44d58ece6cdd1a81a797fad4f4326417a7c614499b8cb8d2fe2b3e0 +size 1060 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml new file mode 100644 index 00000000..8ba0eb0d --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/privilege_escalation.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: bdf36786-4381-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for privilege escalation in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/privilege_escalation/crowdstrike_priv_esc_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ \ No newline at end of file diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log new file mode 100644 index 00000000..5c28521e --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:41b1a5593ef48a53e359c94e6ba0e319495f81270d6f4681f85001fda79a8fcc +size 1494 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml new file mode 100644 index 00000000..071477b7 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/riskscore.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: cf18b840-4381-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for riskscore in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/riskscore/crowdstrike_riskscore_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ \ No newline at end of file 
diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log new file mode 100644 index 00000000..fd51faf4 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c311054d83d50958e2da48b6d5939f77bcdd064b119359f675400d96d0d8da16 +size 1313 diff --git a/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml new file mode 100644 index 00000000..5a248f98 --- /dev/null +++ b/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/user_duplicate_password.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 91442838-4381-11ef-b064-acde48001122 +date: '2024-07-16' +description: Generated datasets for user duplicate password in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/crowdstrike_stream/user_duplicate_password/crowdstrike_user_dup_pwd_cleaned.log +sourcetypes: +- 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' +references: +- https://www.crowdstrike.com/cybersecurity-101/observability/log-streaming/ \ No newline at end of file From d5d6f018b51fdd80d471ddbcf4d0af42d16c4d2a Mon Sep 17 00:00:00 2001 
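Review bot: in the admin_duplicate_password.yml, high_risk_score.yml, privilege_escalation.yml, riskscore.yml and user_duplicate_password.yml hunks of patch 23, `sourcetypes` is again `'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'` for what are CrowdStrike stream logs (`crowdstrike_*_cleaned.log`, referenced to the CrowdStrike log-streaming page); under that sourcetype the replay applies Sysmon field extractions to non-Sysmon data, so detections tested on these datasets will not match a real CrowdStrike feed. Set `sourcetypes` to the sourcetype the replay configuration actually uses for this data. All five yml hunks end without a trailing newline, and the high_risk_score.yml hunk drops the trailing slash from the reference URL that the other four keep.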
From: tccontre Date: Mon, 22 Jul 2024 17:31:38 +0200 Subject: [PATCH 24/34] lnx-unx --- .../T1136/linux_unix_new_user/linux_new_user.log | 3 +++ .../T1136/linux_unix_new_user/linux_unix_new_user.yml | 11 +++++++++++ .../T1496/process_high_cpu_usage/linux_max_cpu2.log | 3 +++ .../process_high_cpu_usage/process_high_cpu_usage.yml | 11 +++++++++++ .../T1496/process_high_mem_usage/linux_max_mem.log | 3 +++ .../process_high_mem_usage/process_high_mem_usage.yml | 11 +++++++++++ .../T1531/linux_unix_delete_user/linux_del_user.log | 3 +++ .../linux_unix_delete_user/linux_unix_delete_user.yml | 11 +++++++++++ .../disable_linux_firewall/Linux_service_inactive.log | 3 +++ .../disable_linux_firewall/disable_linux_firewall.yml | 11 +++++++++++ 10 files changed, 70 insertions(+) create mode 100644 datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log create mode 100644 datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml create mode 100644 datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log create mode 100644 datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml create mode 100644 datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log create mode 100644 datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml create mode 100644 datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log create mode 100644 datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml create mode 100644 datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log create mode 100644 datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log new file mode 100644 index 00000000..11557f2d --- /dev/null 
+++ b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e0c14572ac8b3a53eaf9fce4d3d66560407f87a5f53f713e7367920b39aa33e0 +size 300 diff --git a/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml new file mode 100644 index 00000000..8b3cfb6d --- /dev/null +++ b/datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 47c96cf6-483e-11ef-8840-acde48001122 +date: '2024-07-22' +description: Generated datasets for linux unix new user in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log +sourcetypes: +- 'syslog' +references: +- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/ diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log b/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log new file mode 100644 index 00000000..c5026f31 --- /dev/null +++ b/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ac5936115986fc6ce834c6d10a2253113c2df8e7c4627d68dcf5dfd99bb1dc1d +size 358 diff --git a/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml new file mode 100644 index 00000000..a32cb92a --- /dev/null +++ b/datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml 
@@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 6deb28d0-483d-11ef-8840-acde48001122 +date: '2024-07-22' +description: Generated datasets for process high cpu usage in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log +sourcetypes: +- 'ps_metric' +references: +- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log b/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log new file mode 100644 index 00000000..cb5999ce --- /dev/null +++ b/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:24ecfa44cc00a9c314828a6ae5ed5106981fb6b99c77c89297969b3199f418c3 +size 360 diff --git a/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml new file mode 100644 index 00000000..fd91d27e --- /dev/null +++ b/datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 8f43fa5c-483d-11ef-8840-acde48001122 +date: '2024-07-22' +description: Generated datasets for process high mem usage in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log +sourcetypes: +- 'ps_metric' +references: +- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load 
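Review bot: in the process_high_cpu_usage.yml and process_high_mem_usage.yml hunks the reference URL is `ttps://serverfault.com/questions/674685/...`, missing the leading `h` of `https`, so it is not a valid link; and the memory-usage yml reuses the CPU-usage question as its only reference, which does not document memory exhaustion. Fix the scheme in both hunks and give the process_high_mem_usage dataset a reference that matches its description.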
diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log new file mode 100644 index 00000000..f23f0ee1 --- /dev/null +++ b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84650a78ea30b7b4a52cff492efad6060002454684cd08355d27a42452e41ca4 +size 68 diff --git a/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml new file mode 100644 index 00000000..6cf6c747 --- /dev/null +++ b/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: a5357efc-483e-11ef-8840-acde48001122 +date: '2024-07-22' +description: Generated datasets for linux unix delete user in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log +sourcetypes: +- 'syslog' +references: +- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/cl-tools-userdel diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log b/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log new file mode 100644 index 00000000..95327def --- /dev/null +++ b/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:66463325506c55c1ea047136da1019668c930387d7a1a7bfb44378b224cbcf90 +size 164 
diff --git a/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml new file mode 100644 index 00000000..bffbbaf8 --- /dev/null +++ b/datasets/attack_techniques/T1562/disable_linux_firewall/disable_linux_firewall.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: cdf41566-483d-11ef-8840-acde48001122 +date: '2024-07-22' +description: Generated datasets for disable linux firewall in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/disable_linux_firewall/Linux_service_inactive.log +sourcetypes: +- 'Unix:Service' +references: +- https://askubuntu.com/questions/260085/how-to-stop-firewall From 5fc94c7133044d4261a4577be27908b4f430ed1e Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 22 Jul 2024 10:21:20 -0700 Subject: [PATCH 25/34] Update data sets --- .../windows-xml.log | 4 ++-- .../T1070.001/windows_event_log_cleared/windows-xml.log | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log index 99107b1e..09779c95 100644 --- a/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log +++ b/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e57a409f5ff8abc7f1dcf66014927f9b3a3f25419b29163827f91a3648625dcf -size 901 +oid sha256:cc3a1fce686c0502eef25c4cae4e1732c2cf59478238bf147404f0195b482fbf +size 1802 
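Review bot: in both windows-xml.log hunks of patch 25 the new LFS object is exactly twice the old size (901 to 1802 and 878 to 1756), which is the signature of a file that was appended to itself; if the intent was to add a second, distinct event, the commit message 'Update data sets' should say so, and if the events are duplicated the replayed dataset will double-count hits against the T1053.005 and T1070.001 detections. Verify the fetched content holds distinct events before merging.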
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log index 810e9188..f666d881 100644 --- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log +++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8c6c3c5100a96914176ad8fa31b20cb63197cb105779588b090bd0c101c05cae -size 878 +oid sha256:8720a4878af74ec20fdb87d9c7be80564592dcc4ef0582e8935b3d67ab9863b3 +size 1756 From 44b92b438d2045272b4bc3d11f5563c074f9fe72 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:47:58 -0600 Subject: [PATCH 26/34] Moveit SFTP logs --- datasets/attack_techniques/T1190/moveit/SftpServer.log | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 datasets/attack_techniques/T1190/moveit/SftpServer.log diff --git a/datasets/attack_techniques/T1190/moveit/SftpServer.log b/datasets/attack_techniques/T1190/moveit/SftpServer.log new file mode 100644 index 00000000..9a16bff0 --- /dev/null +++ b/datasets/attack_techniques/T1190/moveit/SftpServer.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f76558ab32fcfc27b4f357d40647d4ad62c1d9e396729567e83b490e53b89de1 +size 1361 From c2106e4829a0cba11d638ff33f3de4bf3fb9f6e9 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 23 Jul 2024 09:59:50 -0600 Subject: [PATCH 27/34] Create moveit.yml --- datasets/attack_techniques/T1190/moveit/moveit.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 datasets/attack_techniques/T1190/moveit/moveit.yml diff --git a/datasets/attack_techniques/T1190/moveit/moveit.yml b/datasets/attack_techniques/T1190/moveit/moveit.yml new file mode 100644 index 00000000..c1cdee8e --- /dev/null 
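Review bot: in the windows_event_log_cleared/windows-xml.log hunk the LFS object grows from 878 to exactly 1756 bytes, and the task_scheduler hunk of the same patch grows from 901 to exactly 1802; an exact doubling in both files is what appending a log to itself produces, so check the new objects for duplicated events before merging, because a duplicated event doubles counts in any threshold-based test run against this data. The subject 'Update data sets' does not say what was added; if the second half is deliberately different (the same events with a second timestamp, for instance), state that in the message.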
+++ b/datasets/attack_techniques/T1190/moveit/moveit.yml @@ -0,0 +1,11 @@ +author: Michael Haag, Splunk +id: 9535ef60-d482-434c-b3bb-6d1bd61e83be +date: '2024-07-23' +description: AttackData from WatchTowr blog related to CVE-2024-5806. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log +sourcetypes: +- sftp_server_logs +references: +- https://attack.mitre.org/techniques/T1190 From 0f8e0a3db3908a56d49e1906045fea3b98a8ddfa Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 24 Jul 2024 09:34:42 +0200 Subject: [PATCH 28/34] unix-linux --- .../open_ports_discovery/linux_known_openports.log | 3 +++ .../open_ports_discovery/open_ports_discovery.yml | 11 +++++++++++ .../linux_password_change/linux_password_change.yml | 11 +++++++++++ .../linux_password_change/linux_unix_change_pwd.log | 3 +++ 4 files changed, 28 insertions(+) create mode 100644 datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log create mode 100644 datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml create mode 100644 datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml create mode 100644 datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log b/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log new file mode 100644 index 00000000..1686da4a --- /dev/null +++ b/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ae52bc1f3ed37353bcd70257efc798598ecd28230771debc17fa0c49fb641803 +size 135 
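Review bot: moveit.yml's `description` attributes the data to a WatchTowr blog post on CVE-2024-5806, but `references` lists only the generic MITRE T1190 page; add the blog URL so a reader can trace the log back to the write-up it reproduces. `sourcetypes` names `sftp_server_logs`, which does not look like a Splunk-shipped sourcetype, so document the props/transforms a replay needs or point at where in this repo the sourcetype is defined; otherwise the 1361-byte SftpServer.log object from patch 26 will be ingested with Splunk's generic line-breaking and timestamp heuristics. Also 'AttackData' in the description should be two words.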
diff --git a/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml new file mode 100644 index 00000000..3eabc65d --- /dev/null +++ b/datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: cd47daf6-498e-11ef-aa76-acde48001122 +date: '2024-07-24' +description: Generated datasets for open ports discovery in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log +sourcetypes: +- 'openPorts' +references: +- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48 \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml new file mode 100644 index 00000000..c6127fad --- /dev/null +++ b/datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 09daa138-498f-11ef-aa76-acde48001122 +date: '2024-07-24' +description: Generated datasets for linux password change in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log +sourcetypes: +- 'syslog' +references: +- https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_LINUX_USER_PWD_CHANGED.htm \ No newline at end of file diff --git a/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log b/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log new file mode 100644 index 00000000..a4930405 --- /dev/null 
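Review bot: both open_ports_discovery.yml and linux_password_change.yml end with '\ No newline at end of file'; add the trailing newline so later diffs on these files stay clean. open_ports_discovery.yml declares the custom sourcetype `'openPorts'` without saying where it is defined or how the 135-byte linux_known_openports.log was produced, and `description` only repeats the directory name ('Generated datasets for open ports discovery in attack range'); one sentence on the collection method would let a reviewer judge whether the sample represents the technique. The `references` entry for T1098 is a FortiSIEM rule page rather than the MITRE page for the technique; consider adding the latter.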
+++ b/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:226a9d19ebf60f02e39e1283e02996b6b20396bf6b3c50ee00723d2e2a400abd +size 103 From 47c3c44ddc367fdf09d75a4ddef9df44f079d491 Mon Sep 17 00:00:00 2001 From: tccontre Date: Tue, 30 Jul 2024 17:34:50 +0200 Subject: [PATCH 29/34] opn_port --- .../T1046/open_dns_port/linux_dns_openports.log | 3 +++ .../T1046/open_dns_port/open_dns_port.yml | 11 +++++++++++ 2 files changed, 14 insertions(+) create mode 100644 datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log create mode 100644 datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml diff --git a/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log b/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log new file mode 100644 index 00000000..0ccde577 --- /dev/null +++ b/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e00a8337a291b0a901b1f4c1cc03b138fc66ef9b7077722bfb01ab69e1611fd5 +size 13 diff --git a/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml new file mode 100644 index 00000000..cb8540db --- /dev/null +++ b/datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml @@ -0,0 +1,11 @@ +author: Teoderick Contreras, Splunk +id: 2ae6cf24-4e89-11ef-a7ff-acde48001122 +date: '2024-07-30' +description: Generated datasets for open dns port in attack range. +environment: attack_range +dataset: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log +sourcetypes: +- 'openPorts' +references: +- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48 \ No newline at end of file 
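Review bot: linux_dns_openports.log in the T1046/open_dns_port hunk is a 13-byte LFS object, which is too small to hold a timestamped event; it is most likely a single field value or a truncated line, so confirm the file contents before merging and that the `openPorts` sourcetype can parse it. open_dns_port.yml also reuses the same medium.com reference as open_ports_discovery.yml and again lacks a trailing newline; since the two datasets share a technique, a sourcetype and a reference, say in `description` what distinguishes the DNS-port sample from the known-ports one.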
From 93cd6caa9ca017011b163bf7492a5c0ed1418e93 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 30 Jul 2024 09:59:22 -0600 Subject: [PATCH 30/34] Specula Haag - WebView --- .../T1112/atomic_red_team/atomic_red_team.yml | 1 + .../T1112/atomic_red_team/windows-sysmon-webview.log | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log diff --git a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml index ed2d51bd..19782c18 100644 --- a/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml @@ -14,6 +14,7 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-system.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log sourcetypes: - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - WinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log b/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log new file mode 100644 index 00000000..bb4bd2a2 --- /dev/null +++ b/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:891605a31b4cfe03c4f9883663794314dacde05ed07f32f2c87eb31bb6ecaec8 +size 42342 
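Review bot: the atomic_red_team.yml hunk for T1112 adds windows-sysmon-webview.log to `dataset` but touches neither `description` nor `references`, and the subject 'Specula Haag - WebView' is the only hint of what the 42342-byte log captures; add a sentence to `description` (or a reference) naming the behaviour recorded, since the existing sourcetype list (Sysmon and PowerShell) shows the log type but not which registry modification the sample demonstrates.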
From 963779b9f989b7c1c8dd6cdf515cf824c21028aa Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:37:48 -0600 Subject: [PATCH 31/34] moar esx admins --- .../T1136.001/atomic_red_team/atomic_red_team.yml | 3 +++ .../T1136.001/atomic_red_team/windows-powershell-esxadmins.log | 3 +++ .../T1136.001/atomic_red_team/windows-security-esxadmins.log | 3 +++ .../T1136.001/atomic_red_team/windows-sysmon-esxadmins.log | 3 +++ 4 files changed, 12 insertions(+) create mode 100644 datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log create mode 100644 datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log create mode 100644 datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml index 5e5ee1f8..adde9f4a 100644 --- a/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml 
@@ -13,6 +13,9 @@ dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log sourcetypes: - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - WinEventLog:Microsoft-Windows-PowerShell/Operational diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log new file mode 100644 index 00000000..ef916cdc --- /dev/null +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e1b77b283b038e7aa7933dbc6ed77871d1a599ca71e611553ac20fe75c3fccbe +size 5635 diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log new file mode 100644 index 00000000..cf48d01f --- /dev/null +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e2ca0352643caa2cbf454e30cec28efa1e0f1704ce4ff5983ada4a81491d19b5 +size 7321 diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log new file mode 100644 index 00000000..b782004c --- /dev/null +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:04db89547e200b0ff007641941fc5290dbd880562c834f5e470594e532edee60 +size 7992 From 0c70d6292d93f254e2b3bf6985ac4ab4adf412b1 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 30 Jul 2024 15:59:39 -0600 Subject: [PATCH 32/34] Update windows-security-esxadmins.log --- .../T1136.001/atomic_red_team/windows-security-esxadmins.log | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log index cf48d01f..49c3a903 100644 --- a/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log +++ b/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e2ca0352643caa2cbf454e30cec28efa1e0f1704ce4ff5983ada4a81491d19b5 -size 7321 +oid sha256:c7bde8b973fa27199ece3f04bbf6f99a26e317c77c36cd1249af3cdbe6cae767 +size 10519 From 9cbce54263767b6bf9f439a606ab3880e99f1486 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 2 Aug 2024 08:25:28 -0400 Subject: [PATCH 33/34] Log update for contentctl errors --- .../generic_password_spray/password_spray_attack.log | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
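Review bot: the windows-security-esxadmins.log hunk in patch 32 replaces the object introduced a few hours earlier in patch 31 (7321 to 10519 bytes) under a subject line that only repeats the filename; either squash it into patch 31 or state which events were added, because a dataset reviewer cannot diff LFS content and depends on the message to know whether detection results obtained against the earlier object still hold.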
diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log index 49343dfd..5380f33b 100644 --- a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log +++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c380ed0206acea8ae89c400755a3313d99b00e965dee95d8ac2233177ec538f2 -size 57477 +oid sha256:1bb113264ce5a5090db309a36447df5b7160c9df79dc932d9ba596a95852d9b4 +size 59251 From 73890447c50623986c24e0e212435e865c7eb99f Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 7 Aug 2024 15:50:45 -0400 Subject: [PATCH 34/34] Another log update --- .../generic_password_spray/password_spray_attack.log | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log index 5380f33b..eab7afcc 100644 --- a/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log +++ b/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:1bb113264ce5a5090db309a36447df5b7160c9df79dc932d9ba596a95852d9b4 -size 59251 +oid sha256:0b1f90ae5e05cac0d21aa10dbc921734b74e9259674f79c9484ea54d77930807 +size 59355
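Review bot: patches 33 and 34 each replace password_spray_attack.log ('Log update for contentctl errors', then 'Another log update'; 57477 to 59251 to 59355 bytes) without saying which contentctl check failed or what in the log was corrected; record the failing check and the change in the message, and consider squashing the two, since the description is the only reviewable record of a change to an LFS-tracked log.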