Merge branch 'master' into mirror_compressed_archive_to_s3

pyth0n1c · pyth0n1c · commit 8f5601455921 · 2025-05-01T16:01:38.000-07:00
diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7b0f24e6f490a5f59bb92aa09740b6f0d1b5898cca788f00aff5c3efb80199a3
+size 265569
diff --git a/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml b/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 05399f54-1ab2-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd net tool new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/linux_auditd_net_tool_new/linux_auditd_net_tool_bucket_new.log
+sourcetypes:
+- 'auditd'
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc26e035942fb454da59b44fb73ea95ddcc5abcb8f9fa739ab69dad15f0c3456
+size 716
diff --git a/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml b/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_split_syscall_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 7d0ae338-1aaf-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd split syscall new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/linux_auditd_split_syscall_new/linux_auditd_new_split.log
+sourcetypes:
+- 'auditd'
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:431929147fc4596b4e48f911a06543036a9c91546eacf10d00ad3b085afa8348
+size 1127
diff --git a/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml b/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_whoami_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4cb6c050-1ab2-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd whoami new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/linux_auditd_whoami_new/linux_auditd_new_whoami.log
+sourcetypes:
+- 'auditd'
+references:
+- https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f8a8fcd8664f1b2179686e42069bb1e6c0a11e69f0483d95ceec1f5185ba616
+size 3279
diff --git a/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml b/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_new_auditd_at.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: efcf229a-1aae-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux new auditd at in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.002/linux_new_auditd_at/linux_auditd_new_at.log
+sourcetypes:
+- 'auditd'
+references:
+- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_crontab_edit_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 4bed5528-1ab0-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd crontab edit new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log
+sourcetypes:
+- 'auditd'
+references:
+- https://attack.mitre.org/techniques/T1053/003/
diff --git a/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log b/datasets/attack_techniques/T1053.003/linux_auditd_crontab_edit_new/linux_auditd_new_crontab.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:85029e322d6526382d393a06fa1b08263d673774c6060805c4a9fe5c9db5fe15
+size 1116
diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml b/datasets/attack_techniques/T1059.001/atomic_red_team/atomic_red_team.yml
@@ -16,6 +16,7 @@ dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/get_ciminstance_windows-powershell.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/enableat_windows-sysmon.log/win32_scheduledjob_windows-powershell.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/irm_powershell.log
 sourcetypes:
 - XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 - WinEventLog:Microsoft-Windows-PowerShell/Operational
diff --git a/datasets/attack_techniques/T1059.001/atomic_red_team/irm_powershell.log b/datasets/attack_techniques/T1059.001/atomic_red_team/irm_powershell.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b9112d39b0e88759dd221629b829668947521132bce155812830d29093e728ce
+size 9053
diff --git a/datasets/attack_techniques/T1059.001/powershell_script_block_logging/single_event_delete_shadowcopy.log b/datasets/attack_techniques/T1059.001/powershell_script_block_logging/single_event_delete_shadowcopy.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17928635e5b9155232e07977b274b5c2cfa949b099dafebfbe28e894c839cad8
+size 987
diff --git a/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.log b/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f35270f16a81ac348de41c253f409a0ce8120eb2bef1d60d6e128b04922b3f5
+size 1079
diff --git a/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml b/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.yml
@@ -0,0 +1,12 @@
+author: Nasreddine Bencherchali
+id: f389cba7-e9bd-4452-b933-46a4b6915806
+date: '2025-04-25'
+description: Generated dataset for amos stealer execution with osquery and endpoint security
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.log
+sourcetypes:
+- osquery:results
+references:
+- https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+- https://attack.mitre.org/techniques/T1059/002/
diff --git a/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/wevtutil_clear_log.log b/datasets/attack_techniques/T1070.001/windows_pwh_log_cleared/wevtutil_clear_log.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5a809bbef864556ab87c8243bb0143a9f1b481c7d0e75af93efbfd5b218b45fc
-size 26591
+oid sha256:663e23a177f175a8f6f1ce2cfa276e63d2e8acf910812eed6906cb3db8a56d81
+size 26589
diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_lsmod_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 10da084a-1ab1-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd lsmod new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log
+sourcetypes:
+- 'auditd'
+references:
+- https://man7.org/linux/man-pages/man8/kmod.8.html
diff --git a/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log b/datasets/attack_techniques/T1082/linux_auditd_lsmod_new/linux_auditd_new_lsmod.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:abf7f579f94d3e6f0298870555cb985f36e65c29eb9b470b50e1d1f94ed54a9a
+size 355
diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml
@@ -0,0 +1,11 @@
+author: Bhavin Patel
+id: c467c7d4-5b8d-44c8-9259-8847e1e4df7a
+date: '2024-03-07'
+description: This dataset is generated in a AWS Bedrock Lab Environment by simulating events using AWS API calls
+environment: NA
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
diff --git a/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json b/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8da5f22e842c0c8cad3213028beffb8893e1de186ae07012c5b262390b98c112
+size 1509
diff --git a/datasets/attack_techniques/T1190/crushftp/crushftp.yml b/datasets/attack_techniques/T1190/crushftp/crushftp.yml
@@ -1,13 +1,17 @@
 author: Michael Haag, Splunk
 id: 1e1c1f1c-0b0b-4b0b-8b0b-0b0b0b0b0b0d
 date: '2024-05-23'
-description: Generated event logs from CrushFTP server from simulated attack leveraging CVE-2024-4040.
+description: Generated event logs from CrushFTP server from simulated attack leveraging CVE-2024-4040 and CVE-2025-31161,.
 environment: attack_range
 dataset:
 - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/crushftp/windows-sysmon.log
 sourcetypes:
 - crushftp:sessionlogs
+
 references:
   - https://attack.mitre.org/techniques/T1190
   - https://github.com/airbus-cert/CVE-2024-4040
-  - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
+  - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
+  - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
diff --git a/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log b/datasets/attack_techniques/T1190/crushftp/crushftp11_session.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:540647b42c934ae59d139c2a3344c1056a412875bf0d04770540e1920d2c6420
+size 289353
diff --git a/datasets/attack_techniques/T1190/crushftp/windows-sysmon.log b/datasets/attack_techniques/T1190/crushftp/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e9efea0d5421db1f9f2889ba418fc5f868fd38cb9654dc7312a9d31c0e28d0c
+size 1931
diff --git a/datasets/attack_techniques/T1190/sap/sap.yml b/datasets/attack_techniques/T1190/sap/sap.yml
@@ -0,0 +1,13 @@
+author: Michael Haag, Splunk
+id: ca1b266c-23c9-11eb-926b-220bf0943fbb
+date: '2025-04-28'
+description: Attack data related to NetWeaver CVE-2025-31324
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/windows-sysmon.log
+sourcetypes:
+- suricata
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+  - https://attack.mitre.org/techniques/T1190
diff --git a/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log b/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4be9d27f2d2728e4674c824c0fd7b5c0eee9d82363cf07874285d23d2144c99
+size 31990
diff --git a/datasets/attack_techniques/T1190/sap/windows-sysmon.log b/datasets/attack_techniques/T1190/sap/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f8e0bfd644360e21f49b528561e48d5482fd85f9407dab77cf13bb2d5ea57387
+size 2267
diff --git a/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml b/datasets/attack_techniques/T1218/eviltwin/eviltwin.yml
@@ -0,0 +1,11 @@
+author: Michael Haag
+id: k22b2623-abd5-11eb-926b-120zf0943f11
+date: '2024-04-17'
+description: Events related to Evil Twin msc.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log
+sourcetypes:
+- WinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1218
diff --git a/datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log b/datasets/attack_techniques/T1218/eviltwin/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f8fb1dbecd032334fde0464bd96abb51ffb23968068ea29a88618567adeaafb1
+size 6147
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml
@@ -0,0 +1,11 @@
+author: Bhavin Patel
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+date: '2025-04-10'
+description: Dataset generated from AWS CloudTrail logs capturing the activity of a malicious actor deleting a knowledge base from AWS Bedrock.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1485/
diff --git a/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json b/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0074532dade6167059a8b32c6fc31cf16e545d2668686e5c636818b9c77742b5
+size 1415
diff --git a/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log b/datasets/attack_techniques/T1490/shadowcopy_del/wmicshadowcopydelete_sysmon.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:94d79d186a94c50f924c4ef22c36ce091b8fcefb3375779b7d64d231c520498f
-size 3905
+oid sha256:b943f1ca687118745fae96c11af10a07f8d91f7b34d6c24757579ee55ad539b7
+size 2004
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_insmod_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 9d807532-1ab0-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd insmod new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log
+sourcetypes:
+- 'auditd'
+references:
+- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log b/datasets/attack_techniques/T1547.006/linux_auditd_insmod_new/linux_auditd_new_insmod.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f939165e2452c6059498b09a1a5da8be7d26588c68ac022b11402b5010266799
+size 356
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_modprobe_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: db4b9b9e-1ab0-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd modprobe new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log
+sourcetypes:
+- 'auditd'
+references:
+- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log b/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_new/linux_auditd_new_modprobe.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66aefc5e9518639993c9739948451a6593899d63e6ee93b0b685191c02627caf
+size 358
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e91fbe80f2070c0d70f873469594e82bec126c58dab5e5e678417a78ff08336f
+size 355
diff --git a/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml b/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_rmmod_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 460dec20-1ab1-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd rmmod new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_rmmod_new/linux_auditd_new_rmmod.log
+sourcetypes:
+- 'auditd'
+references:
+- https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_doas_new.yml
@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: d79ea71c-1aaf-11f0-a1c6-629be3538069
+date: '2025-04-16'
+description: Generated datasets for linux auditd doas new in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log
+sourcetypes:
+- 'auditd'
+references:
+- https://www.makeuseof.com/how-to-install-and-use-doas/
diff --git a/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log b/datasets/attack_techniques/T1548.003/linux_auditd_doas_new/linux_auditd_new_doas.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fb92111f170a7d99ce7e151a1a99edd3d99510b0c7f44735a8f6dd9fcc352e0
+size 2906
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml
@@ -0,0 +1,11 @@
+author: Bhavin Patel, Splunk
+id: cdd4205f-e570-42ee-add9-048f2ac48a62
+date: '2025-04-10'
+description: Dataset which contains cloudtrail events with a deletes of AWS Bedrock GuardRails
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:593e72338b0aa503a829c75cd5393be3da83b5b98922905915351395e71ea05b
+size 1546
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws delete model invocation logging
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/
+- https://github.com/aquasecurity/cloudsploit
diff --git a/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json b/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8866bb9fffc8ee5aa0251f38e3d622e3f77fb075400dd7ccd2a44eef93500db7
+size 1410
diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml
@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws invoke foundation model failures
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1580
+- https://github.com/aquasecurity/cloudsploit
diff --git a/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json b/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9e9d2a8e6eb06cc322f9065556a374ee77fa43b659141de7c2e99473c60b40e3
+size 15851
diff --git a/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.log b/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7d86de9df27311dfc987ce78cb0fc1ea1a70a479d758fad350c438065f72131
+size 18657
diff --git a/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml b/datasets/attack_techniques/T1654/eventlog_enumeration/eventlog_enumeration.yml
@@ -0,0 +1,11 @@
+author: Nasreddine Bencherchali
+id: 0d34f1fc-b4f4-463c-8512-e0cb9e027cd6
+date: '2025-04-24'
+description: This dataset contains multiple events that simulate event log enumeration on a windows machine, using built-in utilities.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1621/eventlog_enumeration/eventlog_enumeration.yml
+sourcetypes:
+- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+references:
+- https://attack.mitre.org/techniques/T1654
diff --git a/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log b/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:68a27ada1d55941b39da6c33038189ea6e2bef7680d7061dafc52930a517b6bb
+size 192983
diff --git a/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml b/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.yml
@@ -0,0 +1,10 @@
+author: Nasreddine Bencherchali, Splunk
+id: 23d68f64-426a-4774-9282-e2d01f4ad5f3
+date: '2025-04-03'
+description: Generated datasets for Cisco Secure Firewall Threat Defense Connection Event EventType.
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
+sourcetypes:
+- cisco:sfw:estreamer
+references:
+- https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
diff --git a/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.log b/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.log
diff --git a/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml b/datasets/cisco_secure_firewall_threat_defense/file_event/file_events.yml
diff --git a/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log b/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log
diff --git a/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml b/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.yml
diff --git a/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log b/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
diff --git a/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml b/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.yml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:7b0f24e6f490a5f59bb92aa09740b6f0d1b5898cca788f00aff5c3efb80199a3`
	`3`	`+size 265569`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:cc26e035942fb454da59b44fb73ea95ddcc5abcb8f9fa739ab69dad15f0c3456`
	`3`	`+size 716`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:431929147fc4596b4e48f911a06543036a9c91546eacf10d00ad3b085afa8348`
	`3`	`+size 1127`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:8f8a8fcd8664f1b2179686e42069bb1e6c0a11e69f0483d95ceec1f5185ba616`
	`3`	`+size 3279`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:85029e322d6526382d393a06fa1b08263d673774c6060805c4a9fe5c9db5fe15`
	`3`	`+size 1116`