Merge branch 'splunk:master' into master

README.md

@@ -7,6 +7,9 @@ A Repository of curated datasets from various attacks to:
 * [Replay](#replay-datasets-) into streaming pipelines for validating your detections in your production SIEM
 
 # Installation
+Notes:
+* These steps are inteded to be ran on your actual Splunk host/server (not remotely)
+
 GitHub LFS is used in this project. For Mac users git-lfs can be derived with homebrew (for another OS click [here](https://github.com/git-lfs/git-lfs/wiki/Installation)):
 
 ````

attack_data_service/requirements.txt

@@ -9,7 +9,7 @@ azure-core==1.17.0
 azure-identity==1.7.0
 azure-mgmt-compute==18.2.0
 azure-mgmt-core==1.3.0
-azure-mgmt-network==17.1.0
+azure-mgmt-network==25.1.0
 azure-mgmt-resource==19.0.0
 bcrypt==3.2.0
 boto3==1.20.17
@@ -35,7 +35,7 @@ jmespath==0.10.0
 lockfile==0.12.2
 MarkupSafe==2.1.3
 mock==4.0.3
-more-itertools==8.8.0
+more-itertools==10.1.0
 mysql-connector-python==8.0.29
 nodeenv==1.6.0
 ntlm-auth==1.5.0
@@ -52,7 +52,7 @@ psutil==5.8.0
 ptyprocess==0.7.0
 py==1.11.0
 pycparser==2.20
-PyGithub==1.54.1
+PyGithub==2.1.1
 PyJWT==1.7.1
 PyNaCl==1.4.0
 pyparsing==2.4.7

bin/replay.yml

@@ -7,7 +7,7 @@ splunk:
 datasets:
 #name of data set to replay
 - name: T1003.002_windows_security
-# relative path of raw file
+# relative path of raw file ... NOTE: this path/file has to exist locally on the Splunk server 
   path: datasets/attack_techniques/T1003.002/atomic_red_team/windows-security.log
 # splunk parameters to pass
   replay_parameters:

datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.yml

@@ -0,0 +1,13 @@
+author: Steven Dick
+id: 8c54662e-a3c8-456c-a8bb-928e6c13b641
+date: '2024-5-3'
+description: 'Some simple T1036.003 and T1036.005 tests using moved/renamed cmd.exe'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log
+sourcetypes:
+- xmlwineventlog
+references:
+- https://attack.mitre.org/techniques/T1036/
+- https://attack.mitre.org/techniques/T1036/003/
+- https://attack.mitre.org/techniques/T1036/005/

datasets/attack_techniques/T1046/open_dns_port/open_dns_port.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 2ae6cf24-4e89-11ef-a7ff-acde48001122
+date: '2024-07-30'
+description: Generated datasets for open dns port in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_dns_port/linux_dns_openports.log
+sourcetypes:
+- 'openPorts'
+references:
+- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48

datasets/attack_techniques/T1046/open_ports_discovery/open_ports_discovery.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: cd47daf6-498e-11ef-aa76-acde48001122
+date: '2024-07-24'
+description: Generated datasets for open ports discovery in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/open_ports_discovery/linux_known_openports.log
+sourcetypes:
+- 'openPorts'
+references:
+- https://eric-chow.medium.com/the-risks-of-open-ports-b1da14a7bd48

datasets/attack_techniques/T1098/linux_password_change/linux_password_change.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 09daa138-498f-11ef-aa76-acde48001122
+date: '2024-07-24'
+description: Generated datasets for linux password change in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/linux_password_change/linux_unix_change_pwd.log
+sourcetypes:
+- 'syslog'
+references:
+- https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_1/rules/PH_RULE_LINUX_USER_PWD_CHANGED.htm

datasets/attack_techniques/T1098/o365_azure_workload_events/o365_azure_workload_events.yml

@@ -0,0 +1,25 @@
+author: Steven Dick
+id: a44c84cb-231b-4657-8386-0f5d4b8f183e
+date: '2024-4-13'
+description: 'Various Office 365 events sourced from the Universal Access Log, meant to duplicate other Azure detections without relying on using Azure event hubs in the MS Cloud Services add-on.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/o365_various_events/o365_various_events.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1098
+- https://attack.mitre.org/techniques/T1484/002/
+- https://attack.mitre.org/techniques/T1136/003/
+- https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
+- https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-exchange-online-admin-role?view=o365-worldwide
+- https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
+- https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
+- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
+- https://cyberaffairs.com/news/emerging-attacker-exploit-microsoft-cross-tenant-synchronization/
+- https://www.crowdstrike.com/blog/crowdstrike-defends-against-azure-cross-tenant-synchronization-attacks/
+- https://dirkjanm.io/assets/raw/US-22-Mollema-Backdooring-and-hijacking-Azure-AD-accounts_final.pdf
+- https://www.blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999
+- https://msrc.microsoft.com/blog/2023/03/guidance-on-potential-misconfiguration-of-authorization-of-multi-tenant-applications-that-use-azure-ad/
+- https://www.wiz.io/blog/azure-active-directory-bing-misconfiguration
+- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federation-for-persistence-and-privilege-escalation-df9ca6e58360

datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.yml

@@ -0,0 +1,12 @@
+author: Steven Dick
+id: 1d46ff6c-4a0e-4084-8975-e367e4e92bba
+date: '2023-10-30'
+description: 'Generic detection of password spray behaviors using CIM datamodel.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/generic_password_spray/password_spray_attack.log
+sourcetypes:
+- WinEventLog:Security
+references:
+- https://www.microsoft.com/en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
+- https://github.com/MarkoH17/Spray365

datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.yml

@@ -0,0 +1,16 @@
+author: Steven Dick
+id: 7d0802bd-b870-4a93-96f0-6e8323af425e
+date: '2024-2-19'
+description: 'Detection of suspicious NTLM authentication behavior.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/ntlm_bruteforce/ntlm_bruteforce.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://www.varonis.com/blog/investigate-ntlm-brute-force
+- https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ntlm-blocking-and-you-application-analysis-and-auditing/ba-p/397191
+- https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/enriched-ntlm-authentication-data-using-windows-event-8004/m-p/871827
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560653(v=ws.10)?redirectedfrom=MSDN
+- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f

datasets/attack_techniques/T1112/atomic_red_team/atomic_red_team.yml

@@ -14,6 +14,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/safemode_windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-system.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/wdigest_windows-sysmon.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon-webview.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 - WinEventLog:Microsoft-Windows-PowerShell/Operational

datasets/attack_techniques/T1112/firewall_modify_delete/firewall_modify_delete.yml

@@ -1,10 +1,10 @@
 author: Teoderick Contreras, Splunk
-id: 803d6b50-2fbb-11ef-9f66-acde48001122
-date: '2024-06-21'
+id: f3c9a6d2-3f61-11ef-8fb2-acde48001122
+date: '2024-07-11'
 description: Generated datasets for firewall modify delete in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall-mod-delete.log.txt
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/firewall_modify_delete/firewall_mod_delete.log
 sourcetypes:
 - 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
 references:

datasets/attack_techniques/T1136.001/atomic_red_team/atomic_red_team.yml

@@ -13,6 +13,9 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-powershell-esxadmins.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 - WinEventLog:Microsoft-Windows-PowerShell/Operational

datasets/attack_techniques/T1136/linux_unix_new_user/linux_unix_new_user.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 47c96cf6-483e-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for linux unix new user in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136/linux_unix_new_user/linux_new_user.log
+sourcetypes:
+- 'syslog'
+references:
+- https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/

datasets/attack_techniques/T1190/moveit/moveit.yml

@@ -0,0 +1,11 @@
+author: Michael Haag, Splunk
+id: 9535ef60-d482-434c-b3bb-6d1bd61e83be
+date: '2024-07-23'
+description: AttackData from WatchTowr blog related to CVE-2024-5806.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/moveit/SftpServer.log
+sourcetypes:
+- sftp_server_logs
+references:
+- https://attack.mitre.org/techniques/T1190

datasets/attack_techniques/T1496/process_high_cpu_usage/process_high_cpu_usage.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 6deb28d0-483d-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for process high cpu usage in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_cpu_usage/linux_max_cpu2.log
+sourcetypes:
+- 'ps_metric'
+references:
+- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load

datasets/attack_techniques/T1496/process_high_mem_usage/process_high_mem_usage.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 8f43fa5c-483d-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for process high mem usage in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1496/process_high_mem_usage/linux_max_mem.log
+sourcetypes:
+- 'ps_metric'
+references:
+- ttps://serverfault.com/questions/674685/kernel-processes-periodically-eating-cpu-during-high-load

datasets/attack_techniques/T1531/linux_unix_delete_user/linux_unix_delete_user.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: a5357efc-483e-11ef-8840-acde48001122
+date: '2024-07-22'
+description: Generated datasets for linux unix delete user in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/linux_unix_delete_user/linux_del_user.log
+sourcetypes:
+- 'syslog'
+references:
+- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/cl-tools-userdel