Merge branch 'splunk:master' into master

splunk · Dec 6, 2023 · f1a28d3 · f1a28d3
2 parents dfa8f2d + 5ef0241
commit f1a28d3
Show file tree

Hide file tree

Showing 43 changed files with 256 additions and 0 deletions.
diff --git a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log
diff --git a/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml b/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_trustedhost.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: a7e8ecfc-4ee6-4869-bd77-0d9fe5bcdc85
+date: '2023-11-23'
+description: Generated datasets for wsman trustedhost in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/wsman_trustedhost/wsman_pwh.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sec.log b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sec.log
diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log
diff --git a/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml b/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_process_param.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 70ab291a-0372-4d70-b256-1b0ec12076a5
+date: '2023-11-21'
+description: Generated datasets for msdtc process param in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/msdtc_process_param/msdtc_a_sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
diff --git a/datasets/attack_techniques/T1059/defender/asr_audit.log b/datasets/attack_techniques/T1059/defender/asr_audit.log
diff --git a/datasets/attack_techniques/T1059/defender/asr_block.log b/datasets/attack_techniques/T1059/defender/asr_block.log
diff --git a/datasets/attack_techniques/T1059/defender/asr_defender_operational.log b/datasets/attack_techniques/T1059/defender/asr_defender_operational.log
diff --git a/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log b/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log
diff --git a/datasets/attack_techniques/T1059/defender/asr_registry.log b/datasets/attack_techniques/T1059/defender/asr_registry.log
diff --git a/datasets/attack_techniques/T1059/defender/ms_defender.yml b/datasets/attack_techniques/T1059/defender/ms_defender.yml
@@ -0,0 +1,17 @@
+author: Michael Haag, Splunk
+id: 20391e27-3a18-4e89-bf86-dddba22e5b28
+date: '2023-11-20'
+description: Contains Defender logs generated by testing the ASR rules.
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_defender_operational.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_audit.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_block.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_registry.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/defender/asr_disabled_registry.log
+sourcetypes:
+  - xmlwineventlog
+  - wineventlog
+references:
+- https://asrgen.streamlit.app/
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
diff --git a/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log b/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log
diff --git a/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml b/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_delete_files_and_dir.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: c14ca9f1-6b61-46b6-a39c-fbd9c2ab3745
+date: '2023-11-23'
+description: Generated datasets for rmdir delete files and dir in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_sec.log b/datasets/attack_techniques/T1070/rmdir_delete_files_and_dir/rmdir_sec.log
diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/AuthenticationLevelOverride.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4bfb4b66-673f-4f7e-863d-c812ee74d9a1
+date: '2023-11-23'
+description: Generated datasets for AuthenticationLevelOverride in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log b/datasets/attack_techniques/T1112/AuthenticationLevelOverride/auth_sys.log
diff --git a/...s/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml b/...s/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/DisableRemoteDesktopAntiAlias.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 73d455ee-a0fd-4caf-95dc-879345bc02fb
+date: '2023-11-23'
+description: Generated datasets for DisableRemoteDesktopAntiAlias in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log b/datasets/attack_techniques/T1112/DisableRemoteDesktopAntiAlias/disable_remote_alias.log
diff --git a/datasets/attack_techniques/T1112/T1112.yml b/datasets/attack_techniques/T1112/T1112.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 8a7a0b10-2b72-46bc-9175-77563b02327d
+date: '2023-11-23'
+description: Generated datasets for T1112 in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/disablesecuritysetting.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1112/disablesecuritysetting.log b/datasets/attack_techniques/T1112/disablesecuritysetting.log
diff --git a/datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml b/datasets/attack_techniques/T1112/proxy_enable/proxy_enable.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4bbe373a-c0b7-4ae7-8554-3708829195b9
+date: '2023-11-23'
+description: Generated datasets for proxy enable in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log b/datasets/attack_techniques/T1112/proxy_enable/proxyenable.log
diff --git a/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log b/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log
diff --git a/datasets/attack_techniques/T1112/proxy_server/proxy_server.yml b/datasets/attack_techniques/T1112/proxy_server/proxy_server.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 451d2d7d-c1a6-4c0b-a21f-7ddcad6a94a6
+date: '2023-11-23'
+description: Generated datasets for proxy server in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/proxy_server/ProxyServer_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log b/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log
diff --git a/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml b/datasets/attack_techniques/T1112/wer_dontshowui/wer_dontshowui.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 1eb6007a-e0e9-4524-a15a-431df16ee467
+date: '2023-11-23'
+description: Generated datasets for wer dontshowui in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/wer_dontshowui/dontshowui_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log b/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log
diff --git a/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml b/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root_proc_cmdline.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: bb9ae7e1-db85-4c98-b73d-8711eda19bfb
+date: '2023-11-21'
+description: Generated datasets for explorer root proc cmdline in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1134/explorer_root_proc_cmdline/explorer_root.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://x.com/CyberRaiju/status/1273597319322058752?s=20
diff --git a/...65_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log b/...65_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log
diff --git a/...65_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml b/...65_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.yml
@@ -0,0 +1,14 @@
+author: Mauricio Velazco
+id: 892ce442-f2e8-4e4c-894e-cb068ffe1fee
+date: '2023-12-04'
+description: 'Used Evilnginx3 to phish an O365 user and steal session cookies. Then, imported the stolen session cookies into a different browser to access M365 resources from a different location and source ip. 
+  Tenant specific details have been replaced in the dataset including tenant id, user names, ips, etc.'
+environment: O365
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/o365_concurrent_sessions_from_different_ips/o365_concurrent_sessions_from_different_ips.log
+sourcetypes:
+- o365:management:activity
+references:
+- https://attack.mitre.org/techniques/T1185/
+- https://github.com/kgretzky/evilginx2
+- https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
diff --git a/...ttack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log b/...ttack_techniques/T1189/splunk/splunk_xss_in_highlighted_json_events_splunkd_ui_access.log
diff --git a/datasets/attack_techniques/T1190/confluence/confluence.yml b/datasets/attack_techniques/T1190/confluence/confluence.yml
@@ -7,6 +7,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_cve-2023-22515.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/confluence_vuln_trigger_cve-2023-22515.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/nginx_plus_kv_confluence.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/confluence/shellservlet.log
 sourcetypes:
 - suricata
 - nginx:plus:kv

diff --git a/datasets/attack_techniques/T1190/confluence/shellservlet.log b/datasets/attack_techniques/T1190/confluence/shellservlet.log
diff --git a/datasets/attack_techniques/T1210/splunk/splunk_rce_via_user_xslt_splunkd_ui_access.log b/datasets/attack_techniques/T1210/splunk/splunk_rce_via_user_xslt_splunkd_ui_access.log
diff --git a/...attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml b/...attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_create_credential_store.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 9ed3255e-c601-46bb-9159-6ccc4d89cef6
+date: '2023-11-23'
+description: Generated datasets for cmdkey create credential store in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sec.log b/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sec.log
diff --git a/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log b/datasets/attack_techniques/T1555/cmdkey_create_credential_store/cmdkey_gen_sys.log
diff --git a/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sec.log b/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sec.log
diff --git a/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log b/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log
diff --git a/...tack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml b/...tack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_delete_credentials_store.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 9e430d87-b8f9-454c-9e8a-debc1e953bd1
+date: '2023-11-23'
+description: Generated datasets for cmdkey delete credentials store in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1555/cmdkey_delete_credentials_store/cmdkey_del_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml b/datasets/attack_techniques/T1560.001/archive_utility_darkgate/archive_utility_darkgate.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4d1a31eb-6242-4ac8-8ce2-ebdc47733449
+date: '2023-11-23'
+description: Generated datasets for archive utility darkgate in attack range.
+environment: attackrange
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
diff --git a/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sec.log b/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sec.log
diff --git a/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log b/datasets/attack_techniques/T1560.001/archive_utility_darkgate/rar_sys.log