Merge branch 'master' into mirror_compressed_archive_to_s3

pyth0n1c · pyth0n1c · commit 5a336f8f6ebd · 2025-04-01T10:27:23.000-07:00
diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml b/datasets/attack_techniques/T1059.001/encoded_powershell/encoded_powershell.yml
@@ -6,6 +6,8 @@ environment: attack_range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/windows-security.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 references:
diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log b/datasets/attack_techniques/T1059.001/encoded_powershell/explorer_spawns_windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9200692ad74037b5234fe6f7da733d3e416b0ea8bb7f6d8ebb5bd16fc39b8b22
+size 13142
diff --git a/datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log b/datasets/attack_techniques/T1059.001/encoded_powershell/padded_windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0324ee4e5f2cb4c761e10862808c37a046097a2ad800d034490e3980c3e86dec
+size 11135
diff --git a/datasets/attack_techniques/T1190/tomcat/tomcat.yml b/datasets/attack_techniques/T1190/tomcat/tomcat.yml
@@ -0,0 +1,11 @@
+author: Michael Haag, Splunk
+id: 9535ef60-d182-212c-bxbb-6d1bd61e83be
+date: '2025-03-26'
+description: Manual generation of attack data related to Tomcat with nginx proxypass. 
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log
+sourcetypes:
+- nginx:plus:kv
+references:
+- https://attack.mitre.org/techniques/T1190
diff --git a/datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log b/datasets/attack_techniques/T1190/tomcat/tomcat_nginx_access.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:752e19d3a09418f7d2ebbf779f54ed7d1127045f7023138176f33e189ed28536
+size 29219
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4946.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4946.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4947.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4947.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4948.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4948.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log b/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f712cfe84c2aa58513654cafe8355be921aa7436fa9ad9782a9c80575b29624
+size 2371
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml
@@ -4,7 +4,7 @@ date: '2025-03-19'
 description: Generated datasets for added rule in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log.txt
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log
 sourcetypes:
 - 'XmlWinEventLog:Security'
 references:
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log b/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae7eb20a84350d696b605bb540e9f93fb545ed4b6f2f31a247ed9819df19f54d
+size 1580
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml
@@ -4,7 +4,7 @@ date: '2025-03-19'
 description: Generated datasets for delete rule in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log.txt
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log
 sourcetypes:
 - 'XmlWinEventLog:Security'
 references:
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log b/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ea1e5b07df7c08eaacdc2eee310b91e83738c2b3587976d3c99e8a1df95ed8a
+size 792
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log.txt b/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log.txt
diff --git a/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml b/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml
@@ -4,7 +4,7 @@ date: '2025-03-19'
 description: Generated datasets for modify rule in attack range.
 environment: attack_range
 dataset:
-- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log.txt
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log
 sourcetypes:
 - 'XmlWinEventLog:Security'
 references:
diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml b/datasets/attack_techniques/T1572/ssh_proxy_command/ssh.yml
@@ -0,0 +1,11 @@
+author: Michael Haag
+id: cc9b2667-efc9-11eb-926b-660bf0943fbb
+date: '2021-11-15'
+description: Simulation of plink activity.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1572
diff --git a/datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log b/datasets/attack_techniques/T1572/ssh_proxy_command/sshproxycommand_windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19ba4ba374556d3b04abbd22867dfac95a68a6efc4f68fafb741f2500d922d1f
+size 6748
diff --git a/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.json b/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.json
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f6f67baf75989e69ee7963ddcf756f3520237bd03f889cd5ed32bb9a6b55fd28
-size 8754
+oid sha256:1a04b1e34ac93143e65403b31bcc656418675fc339191bb8dc71532664f54eb4
+size 2091

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:9200692ad74037b5234fe6f7da733d3e416b0ea8bb7f6d8ebb5bd16fc39b8b22`
	`3`	`+size 13142`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:0324ee4e5f2cb4c761e10862808c37a046097a2ad800d034490e3980c3e86dec`
	`3`	`+size 11135`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:752e19d3a09418f7d2ebbf779f54ed7d1127045f7023138176f33e189ed28536`
	`3`	`+size 29219`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:3f712cfe84c2aa58513654cafe8355be921aa7436fa9ad9782a9c80575b29624`
	`3`	`+size 2371`