Merge branch 'splunk:master' into nterl0k-T1219-screenconnect-update
nterl0k authored Mar 1, 2024
2 parents 954fc78 + af36df8 commit cfcc0b9
Showing 29 changed files with 203 additions and 2 deletions.
@@ -0,0 +1,11 @@
author: Patrick Bareiss
id: b57a97b8-bf1c-48fd-990a-e82fc13dd7ed
date: '2024-02-27'
description: 'Remote Desktop Connection'
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.001/remote_desktop_connection/zeek_conn.log
sourcetypes:
- bro:conn:json
references:
- https://attack.mitre.org/techniques/T1021/001/
Git LFS file not shown
10 changes: 10 additions & 0 deletions datasets/attack_techniques/T1048/ftp_connection/ftp_connection.yml
@@ -0,0 +1,10 @@
author: Patrick Bareiss
id: 83752ecc-e349-11ec-8e0c-acde48001123
date: '2024-02-27'
description: ftp connection
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log
sourcetypes:
- bro:conn:json
references: []
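Review bot: `references: []` leaves this dataset without the technique link that every other new dataset in this commit carries; since the file sits under `T1048`, add `- https://attack.mitre.org/techniques/T1048/` so the YAML matches its directory. The description `ftp connection` is also the terse outlier here; wording it like the `Outbound smb traffic to another server` entry for T1071.002 would tell a reader what the Zeek conn log actually captures.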
3 changes: 3 additions & 0 deletions datasets/attack_techniques/T1048/ftp_connection/zeek_conn.log
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Patrick Bareiss
id: 219c898a-39d5-4d63-ad1d-07bec9cabc5c
date: '2024-02-27'
description: Outbound smb traffic to another server
environment: Attack range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.002/outbound_smb_traffic/zeek_conn.log
sourcetypes:
- bro:conn:json
references:
- https://attack.mitre.org/techniques/T1071/002/
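Review bot: `environment: Attack range` breaks with the `attack_range` value used by every other dataset in this commit; if any tooling filters or groups on this field, this file will be missed. Change it to `attack_range`.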
Git LFS file not shown
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Mauricio Velazco
id: b4a3cd3d-c91a-4883-81b4-8b3d9b72d557
date: '2024-02-21'
description: Deleted multiple users using a PowerShell script.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_deleted/windows_multiple_accounts_deleted.log
sourcetypes:
- XmlWinEventLog
references:
- https://attack.mitre.org/techniques/T1098/
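Review bot: the sourcetype `XmlWinEventLog` here is less specific than the `XmlWinEventLog:Security` used for the ScreenConnect 4663 data later in this same commit; account deletions are Security-channel events, so confirm which form the detections consuming this dataset expect and use it consistently across all three new T1098 files (accounts deleted, accounts disabled, passwords changed).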
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Mauricio Velazco
id: f206d1da-d4f1-4e2c-ab5f-41d8f96aa388
date: '2024-02-21'
description: Disabled multiple users using a PowerShell script.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_accounts_disabled/windows_multiple_accounts_disabled.log
sourcetypes:
- XmlWinEventLog
references:
- https://attack.mitre.org/techniques/T1098/
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Mauricio Velazco
id: 383918f9-182a-4355-9f4f-edec858dfcad
date: '2024-02-21'
description: Updated multiple accounts passwords using a PowerShell script.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/windows_multiple_passwords_changed/windows_multiple_passwords_changed.log
sourcetypes:
- XmlWinEventLog
references:
- https://attack.mitre.org/techniques/T1098/
Git LFS file not shown
@@ -0,0 +1,11 @@
author: Mauricio Velazco
id: 84f64eb3-722c-4fe7-857c-c8e15bb96ef1
date: '2022-02-29'
description: 'Used a tool to spray Okta users'
environment: Okta
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/okta_multiple_users_from_ip/okta_multiple_users_from_ip.log
sourcetypes:
- OktaIM2:log
references:
- https://attack.mitre.org/techniques/T1110/003/
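Review bot: `date: '2022-02-29'` is not a valid calendar date, since 2022 was not a leap year, and a strict date parser will reject it; every other dataset in this commit is dated February 2024 and the merge itself lands on Mar 1, 2024, so this is most likely a typo for `'2024-02-29'`.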
Git LFS file not shown
Git LFS file not shown
Git LFS file not shown
16 changes: 16 additions & 0 deletions datasets/attack_techniques/T1190/screenconnect/screenconnect.yml
@@ -0,0 +1,16 @@
author: Michael Haag, Splunk
id: b0d3cc46-f74d-462b-b5db-71eba68d6912
date: '2024-02-21'
description: Manual generation of attack data related to ConnectWise Screenconnect CVE-2024-1708 CVE-2024-1709.
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/4663_connectwise_aspx_app_extensions.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log
sourcetypes:
- suricata
- XmlWinEventLog:Security
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
references:
- https://attack.mitre.org/techniques/T1190
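Review bot: the `dataset` list has four files but `sourcetypes` has only three entries, and none of them covers `nginx_screenconnect.log`; the WordPress dataset in this same commit labels its nginx data `nginx:plus:kv`, so add the matching sourcetype here (or drop the log if it is not meant to ship). The description also names CVE-2024-1708 and CVE-2024-1709 while `references` lists only the generic T1190 page; adding the CVE entries, as the WordPress file does, would keep the two files consistent.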
Git LFS file not shown
Git LFS file not shown
14 changes: 14 additions & 0 deletions datasets/attack_techniques/T1190/wordpress/wordpress.yml
@@ -0,0 +1,14 @@
author: Michael Haag, Splunk
id: 1e1c1f1c-0b0b-4b0b-8b0b-0b0b0b0b0b0c
date: '2024-02-22'
description: Generation of attack data related to CVE-2024-25600 - Wordpress Bricks Builder plugin RCE
environment: attack_range
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/wordpress/bricks_cve_2024_25600.log
sourcetypes:
- nginx:plus:kv
references:
- https://attack.mitre.org/techniques/T1190
- https://github.com/Tornad0007/CVE-2024-25600-Bricks-Builder-plugin-for-WordPress/blob/main/exploit.py
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25600
- https://op-c.net/blog/cve-2024-25600-wordpresss-bricks-builder-rce-flaw-under-active-exploitation/
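Review bot: `id: 1e1c1f1c-0b0b-4b0b-8b0b-0b0b0b0b0b0c` looks hand-typed rather than generated (the repeating `0b0b` groups), unlike the random UUIDs on the other datasets in this commit; an id like this is easy to copy-paste into the next file and collide on, so generate a fresh UUIDv4 for it. Minor: `Wordpress` in the description should be `WordPress`.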
Git LFS file not shown
0 comments on commit cfcc0b9