updating datasets

splunk · Aug 8, 2024 · 6aac663 · 6aac663
1 parent 8a885f8
commit 6aac663
Show file tree

Hide file tree

Showing 13 changed files with 64 additions and 2 deletions.
diff --git a/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml b/datasets/attack_techniques/T1222.001/dacl_abuse/dacl_abuse.yml
@@ -11,6 +11,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_deletion_windows-security-xml.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/domain_root_acl_mod_windows-security-xml.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/owner_updated_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
 sourcetypes:
 - XmlWinEventLog
 references:

diff --git a/...tack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log b/...tack_techniques/T1222.001/dacl_abuse/suspicious_acl_modification-windows-security-xml.log
diff --git a/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml b/datasets/attack_techniques/T1484.001/gpo_modification/group_policy_created.yml
@@ -7,6 +7,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_deletion_windows-security-xml.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_disabled_windows-security-xml.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/gpo_new_cse_windows-security-xml.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_modification/windows-security.log
 sourcetypes:
 - XmlWinEventLog
 references:

diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml b/datasets/attack_techniques/T1484.001/group_policy_deleted/group_policy_deleted.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: 01da8fac-17b1-4cc2-9a10-b6ae92dd3d9f
+date: '2024-08-07'
+description: Manually deleting an active directory GPO using the Group Policy Management Console. 
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-admon.log
diff --git a/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_deleted/windows-security.log
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml b/datasets/attack_techniques/T1484.001/group_policy_disabled/group_policy_disabled.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: b750cea1-b7eb-4ec3-9f6c-7bfec1b7701c
+date: '2024-08-07'
+description: Manually disabling an active directory GPO using the Group Policy Management Console. 
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-admon.log
diff --git a/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_disabled/windows-security.log
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml b/datasets/attack_techniques/T1484.001/group_policy_new_cse/group_policy_new_cse.yml
@@ -0,0 +1,13 @@
+author: Dean Luxton
+id: ec16d55d-c0c6-496c-a27f-620ec19db5e5
+date: '2024-08-08'
+description: Manually adding a new client side extension to an existing an active directory group policy using the Group Policy Management Console. 
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
+sourcetypes:
+- XmlWinEventLog
+- ActiveDirectory
+references:
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-admon.log
diff --git a/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log b/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
diff --git a/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log b/datasets/attack_techniques/T1484/DCShadowPermissions/windows-security-xml.log