Commit
Showing 46 changed files with 324 additions and 0 deletions.
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: be89c0f4-5a20-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd split b exec in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_b_exec/linux_auditd_split_b_exec.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
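Review bot: the `references` entry points to a Splunk blog post on Linux persistence and privilege escalation, which does not cover the `split -b` file-chunking activity this T1030 dataset captures, and the identical URL is pasted into every metadata file in this commit (T1030, T1033, T1083, T1136.001, T1222.002, T1489, T1546.004, T1547.006, T1552.004, T1555.005, T1562.004, T1564.001, T1569.002, T1574.006), so it tells a reader nothing about any individual dataset. The `description` is likewise just the directory name with the underscores removed, and since the `.log` is an LFS pointer nobody can see from this diff which command was run. Suggest one sentence per file naming the command (here `split -b ...`) and the auditd rule that captured it, and a reference that points at the ATT&CK technique page or the detection the dataset was generated for.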
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: aa1d025c-5a20-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd split syscall in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall/linux_auditd_split_syscall.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 56a7207c-5a24-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd whoami in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami/linux_auditd_whoami.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: deda69c6-5a20-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find db in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_db/linux_auditd_find_db.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 173b555a-5a21-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find document in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_document/linux_auditd_find_document.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 422179f4-5a24-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find virtual disk in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1083/linux_auditd_find_virtual_disk/linux_auditd_find_virtual_disk.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...ets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...ets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 6f5ae8be-5a20-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd add user type in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/linux_auditd_add_user_type/linux_auditd_add_user_type.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 47bbaf5e-5a21-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd chattr i in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chattr_i/linux_auditd_chattr_i.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...ck_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...ck_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 30b3f0d2-5a21-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd chmod exec attrib in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.002/linux_auditd_chmod_exec_attrib/linux_auditd_chmod_exec_attrib.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...ck_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...ck_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 66554f98-5a25-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd auditd service stop in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_auditd_service_stop/linux_auditd_auditd_service_stop.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
..._techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
..._techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: d9926de0-5a22-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd osquerd service stop in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_osquerd_service_stop/linux_auditd_osquerd_service_stop.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
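Review bot: `osquerd` in the directory name, the `dataset` URL and the `description` is a typo for `osqueryd`, the name of the osquery daemon and of its systemd unit. Rename the directory to `linux_auditd_osqueryd_service_stop`, rename the `.log` and `.yml` to match, and fix the URL and description now, before a detection test starts referencing the misspelled path and the rename becomes a breaking change.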
3 changes: 3 additions & 0 deletions
...echniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...iques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: dfe57ad8-5a23-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd sysmon service stop.log in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
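Review bot: the dataset directory is named `linux_auditd_sysmon_service_stop.log`, so the metadata file has become `linux_auditd_sysmon_service_stop.log.yml` and the templated `description` reads "sysmon service stop.log". Every other T1489 dataset in this commit uses the plain `<name>/<name>.log` plus `<name>.yml` layout; drop the `.log` suffix from the directory, rename the yml to `linux_auditd_sysmon_service_stop.yml`, and regenerate the description and the `dataset` URL so they line up with the rest.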
3 changes: 3 additions & 0 deletions
...iques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...iques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 154a3b82-5a24-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd unix shell mod config in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...ues/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...ues/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 2cb9d3ae-5a24-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd modprobe unload module in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/linux_auditd_modprobe_unload_module.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 8ceb8526-5a22-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd rmmod in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod/linux_auditd_rmmod.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 3d1eba04-5a22-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find gpg in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_gpg/linux_auditd_find_gpg.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...s/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...s/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 5c848496-5a22-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find ssh files in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.004/linux_auditd_find_ssh_files/linux_auditd_find_ssh_files.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
...tack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...tack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: b358d5c0-5a21-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find credentials in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_credentials/linux_auditd_find_credentials.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
5 changes: 5 additions & 0 deletions
...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt
@@ -0,0 +1,5 @@ | ||
type=EXECVE msg=audit(1723209251.519:128180): argc=3 a0="grep" a1="-Ev" a2=".Xauthority|.bashrc|.bluemix|.boto|.cer|.cloudflared|.credentials.json|.crt|.csr|.db|.der|.docker|.env|.erlang.cookie|.flyrc|.ftpconfig|.git|.git-credentials|.gitconfig|.github|.gnupg|.google_authenticator|.gpg|.htpasswd|.irssi|.jks|.k5login|.kdbx|.key|.keyring|.keystore|.keytab|.kube|.ldaprc|.lesshst|.mozilla|.msmtprc|.ovpn|.p12|.password-store|.pem|.pfx|.pgp|.plan|.profile|.psk|.pub|.pypirc|.rdg|.recently-used.xbel|.rhosts|.roadtools_auth|.secrets.mkey|.service|.socket|.sqlite|.sqlite3|.sudo_as_admin_successful|.svn|.swp|.tf|.tfstate|.timer|.vault-token|.vhd|.vhdx|.viminfo|.vmdk|.vnc|.wgetrc" | ||
type=EXECVE msg=audit(1723209151.427:89620): argc=3 a0="grep" a1="-E" a2="passbolt\.php$" | ||
type=EXECVE msg=audit(1723209151.311:89593): argc=3 a0="grep" a1="-E" a2=".*\.kdbx$|KeePass\.config.*$|KeePass\.ini$|KeePass\.enforced.*$" | ||
type=EXECVE msg=audit(1723209150.803:89498): argc=3 a0="grep" a1="-E" a2="\.vault-token$" | ||
type=EXECVE msg=audit(1723209150.795:89497): argc=3 a0="grep" a1="-E" a2="vault-ssh-helper\.hcl$" |
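Review bot: all five records are `type=EXECVE` only; the `SYSCALL` records that carry `uid`, `auid`, `pid`, `ppid`, `exe` and `cwd` for these executions, and the `PROCTITLE`/`CWD` records auditd emits with them, are missing, so a detection that filters on the executing user, the parent process or the working directory cannot be exercised against this dataset, and only the `a0`..`a2` argv values are available to match on. The lines are also in newest-first order (serial 128180 at 1723209251.519 comes before 89620 at 1723209151.427). Suggest exporting the complete event groups for each serial in chronological order, which is what the `linux:audit` sourcetype and any `msg=audit(...)`-based correlation expect.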
11 changes: 11 additions & 0 deletions
...hniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: d72ba4fa-5a21-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd find password db.log in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555.005/linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
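Review bot: the `dataset` URL ends in `linux_auditd_find_password_db.log/linux_auditd_find_password_db.log.txt`: the directory carries a `.log` suffix and the log itself is committed as a plain-text `.txt` rather than an LFS-tracked `.log` like every other dataset in this commit, so anything that expects the `<name>/<name>.log` layout will miss it and the `description` has inherited the stray suffix ("find password db.log"). Rename the directory to `linux_auditd_find_password_db`, store the events as `linux_auditd_find_password_db.log` under LFS, and regenerate the description and URL.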
3 changes: 3 additions & 0 deletions
...tack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
...tack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: f7eb4f16-5a20-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd disable firewall in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/linux_auditd_disable_firewall/linux_auditd_disable_firewall.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: 765100c0-5a22-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd hidden file in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1564.001/linux_auditd_hidden_file/linux_auditd_hidden_file.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: c3041618-5a23-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux service start in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1569.002/linux_service_start/linux_service_start.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |
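Review bot: this is the only dataset in the commit without the `linux_auditd_` prefix (`T1569.002/linux_service_start/linux_service_start.log`) even though its `sourcetypes` entry is `linux:audit` like the other 22. Rename the directory, `.log`, `.yml` and `dataset` URL to `linux_auditd_service_start` for consistency, and have the `description` say which unit was started and whether it was via `systemctl start` or `service`, since that argv is what a T1569.002 detection on this data will key on.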
3 changes: 3 additions & 0 deletions
datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log
Git LFS file not shown
11 changes: 11 additions & 0 deletions
datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml
@@ -0,0 +1,11 @@ | ||
author: Teoderick Contreras, Splunk | ||
id: a953b890-5a23-11ef-927e-acde48001122 | ||
date: '2024-08-14' | ||
description: Generated datasets for linux auditd preload file in attack range. | ||
environment: attack_range | ||
dataset: | ||
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log | ||
sourcetypes: | ||
- 'linux:audit' | ||
references: | ||
- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html |