auditd_daemon_fixes

t-contreras · t-contreras · commit 518c86f2e5b9 · 2025-06-10T10:43:25.000+02:00
diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: 45519f06-5645-11ef-b567-acde48001122
-date: '2024-08-09'
+id: 6f8a621e-45d5-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux auditd cron file audited in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_auditd_cron_file_audited2.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
-- https://attack.mitre.org/techniques/T1053/003/
+- https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log b/datasets/attack_techniques/T1053.003/linux_auditd_cron_file_audited/linux_path_cron.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eca54b2aecb6a55dd1b57437c99fe106d631e2fa7515a005893bdb2d66f96f63
+size 10247
diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_nopasswd.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: 436bd412-5646-11ef-b567-acde48001122
-date: '2024-08-09'
+id: ccf196f8-45d4-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux auditd nopasswd in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_auditd_ssh_config.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
 - https://www.hackingarticles.in/ssh-penetration-testing-port-22/
diff --git a/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log b/datasets/attack_techniques/T1098.004/linux_auditd_nopasswd/linux_path_ssh_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8bba8bf433dc7a54aa26411092ecc6946e635fd282bffa63f36c2076246bba9c
+size 227
diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: 04925540-5e07-11ef-b158-acde48001122
-date: '2024-08-19'
+id: 6a85a94e-45d6-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux auditd unix shell mod config in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_auditd_unix_shell_mod_config.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config//linux_path_profile_d.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
 - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
diff --git a/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_path_profile_d.log b/datasets/attack_techniques/T1546.004/linux_auditd_unix_shell_mod_config/linux_path_profile_d.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c232815151609ba6854ae5e90b08ee8bfb83cf2c75ea783ac28986f92b9d1cba
+size 655
diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: 8e9fc6d2-5646-11ef-b567-acde48001122
-date: '2024-08-09'
+id: f47e0ecc-45d4-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux auditd sudoers access in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_auditd_sudoers_access.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
 - https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf
diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log b/datasets/attack_techniques/T1548.003/linux_auditd_sudoers_access/linux_path_sudoers.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66ddf50daa9a4e2fab2548e98f7a82cc9bd3c78d04789f7e5afa1ba54cd66de8
+size 660
diff --git a/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml b/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: 2460964a-5644-11ef-b567-acde48001122
-date: '2024-08-09'
+id: 5a60f016-45d4-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux audited doas conf in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_audited_doas_conf.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_path_doas_config.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
 - https://www.makeuseof.com/how-to-install-and-use-doas/
diff --git a/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_path_doas_config.log b/datasets/attack_techniques/T1548.003/linux_audited_doas_conf/linux_path_doas_config.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ba31285c7a7736077a9768cd16ac8125c6eff66ce9795350bed373b71f30e915
+size 222
diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_end/auditd_daemon_end.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 9d345078-45d3-11f0-9bec-629be3538068
+date: '2025-06-10'
+description: Generated datasets for auditd daemon end in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.012/auditd_daemon_end/linux_daemon_end.log
+sourcetypes:
+- 'auditd'
+references:
+- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types
diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_end/linux_daemon_end.log b/datasets/attack_techniques/T1562.012/auditd_daemon_end/linux_daemon_end.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3cdf867e571d67baaa6f88269f524f82dd34c101ceca3939b9e8a10f7d47a2db
+size 348
diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml b/datasets/attack_techniques/T1562.012/auditd_daemon_type/auditd_daemon_type.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: cb20a2e8-45d3-11f0-9bec-629be3538068
+date: '2025-06-10'
+description: Generated datasets for auditd daemon type in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log
+sourcetypes:
+- 'auditd'
+references:
+- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types
diff --git a/datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log b/datasets/attack_techniques/T1562.012/auditd_daemon_type/linux_auditd_daemon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:711ee340179d64281c7d018b1aea954b17d68bfc4baf557adb0c39d6996de4c6
+size 11762
diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.yml
@@ -1,11 +1,11 @@
 author: Teoderick Contreras, Splunk
-id: a953b890-5a23-11ef-927e-acde48001122
-date: '2024-08-14'
+id: 9e682288-45d5-11f0-9bec-629be3538068
+date: '2025-06-10'
 description: Generated datasets for linux auditd preload file in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_auditd_preload_file.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log
 sourcetypes:
-- 'linux:audit'
+- 'auditd'
 references:
 - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log b/datasets/attack_techniques/T1574.006/linux_auditd_preload_file/linux_path_preload.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81fb829014c6a0a08024a304c9f25ae5380054b5060e3768ffeb31b664566d08
+size 227

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:eca54b2aecb6a55dd1b57437c99fe106d631e2fa7515a005893bdb2d66f96f63`
	`3`	`+size 10247`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:8bba8bf433dc7a54aa26411092ecc6946e635fd282bffa63f36c2076246bba9c`
	`3`	`+size 227`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:c232815151609ba6854ae5e90b08ee8bfb83cf2c75ea783ac28986f92b9d1cba`
	`3`	`+size 655`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:66ddf50daa9a4e2fab2548e98f7a82cc9bd3c78d04789f7e5afa1ba54cd66de8`
	`3`	`+size 660`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:ba31285c7a7736077a9768cd16ac8125c6eff66ce9795350bed373b71f30e915`
	`3`	`+size 222`