Merge pull request #854 from dluxtron/master

Adding some DACL Abuse datasets

datasets/attack_techniques/T1003.006/mimikatz/dcsync.yml

@@ -7,9 +7,11 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/zeek-dce_rpc.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-security.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/windows-directory_service.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/mimikatz/xml-windows-security.log
 sourcetypes:
 - bro:dce_rpc:json
 - WinEventLog
+- XmlWinEventLog
 references:
 - https://adsecurity.org/?p=1729
 - https://attack.mitre.org/techniques/T1003/006

datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml

@@ -0,0 +1,18 @@
+author: Dean Luxton
+id: 809e0d76-4d6a-46d9-ba5d-0b4a838bb98a
+date: '2023-12-06'
+description: Collection of various DACL abuse events generated manually in Active Directory. 
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_object_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/hidden_ou_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/group_dacl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/user_dacl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://happycamper84.medium.com/sneaky-persistence-via-hidden-objects-in-ad-1c91fc37bf54
+- https://trustedsec.com/blog/a-hitchhackers-guide-to-dacl-based-detections-part-1-a

datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml

@@ -0,0 +1,16 @@
+author: Dean Luxton
+id: eaf30c7d-bff6-4273-8d5e-83154ffe25d0
+date: '2023-12-18'
+description: Manual Group Policy Object modification on a domain controller.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://github.com/PowerShellMafia/PowerSploit/blob/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1#L5907-L6122
+- https://wald0.com/?p=179
+- https://learn.microsoft.com/en-gb/archive/blogs/mempson/group-policy-client-side-extension-list
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory