firewall_event

Author: t-contreras

datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4946.log.txt

@@ -0,0 +1,3 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:37:10.140309700Z'/><EventRecordID>893174</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='5816'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:35:58.460470800Z'/><EventRecordID>893172</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:34:14.488185300Z'/><EventRecordID>893170</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{F1F45BAC-902B-489E-A811-42D7B2BE27F9}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4947.log.txt

@@ -0,0 +1 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4947</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:38:08.051079400Z'/><EventRecordID>893175</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='5816'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}</Data><Data Name='RuleName'>Allow Dummy Rules</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4948.log.txt

@@ -0,0 +1,2 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4948</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:36:13.470225800Z'/><EventRecordID>893173</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='740'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4948</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:35:16.647105700Z'/><EventRecordID>893171</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{F1F45BAC-902B-489E-A811-42D7B2BE27F9}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log.txt

@@ -0,0 +1,3 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:37:10.140309700Z'/><EventRecordID>893174</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='5816'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:35:58.460470800Z'/><EventRecordID>893172</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4946</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:34:14.488185300Z'/><EventRecordID>893170</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{F1F45BAC-902B-489E-A811-42D7B2BE27F9}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/added_rule.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 5da71cca-04d7-11f0-9c6d-629be353806a
+date: '2025-03-19'
+description: Generated datasets for added rule in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/added_rule/MPSSVC_Rule-Level_Policy_Change-4946.log.txt
+sourcetypes:
+- 'XmlWinEventLog:Security'
+references:
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4946

datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log.txt

@@ -0,0 +1,2 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4948</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:36:13.470225800Z'/><EventRecordID>893173</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='740'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4948</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:35:16.647105700Z'/><EventRecordID>893171</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='632'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{F1F45BAC-902B-489E-A811-42D7B2BE27F9}</Data><Data Name='RuleName'>Allow Dummy Rule</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/delete_rule.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 85f5c1ae-04d7-11f0-9c6d-629be353806a
+date: '2025-03-19'
+description: Generated datasets for delete rule in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/delete_rule/MPSSVC_Rule-Level_Policy_Change-4948.log.txt
+sourcetypes:
+- 'XmlWinEventLog:Security'
+references:
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4948

datasets/attack_techniques/T1562.004/firewall_win_event/firewall_win_event.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 49bdd280-04d7-11f0-9c6d-629be353806a
+date: '2025-03-19'
+description: Generated datasets for firewall win event in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/MPSSVC_Rule-Level_Policy_Change-4948.log.txt
+sourcetypes:
+- 'XmlWinEventLog:Security'
+references:
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4948

datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log.txt

@@ -0,0 +1 @@
+<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4947</EventID><Version>0</Version><Level>0</Level><Task>13571</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-01-15T15:38:08.051079400Z'/><EventRecordID>893175</EventRecordID><Correlation ActivityID='{F11D9656-675C-0002-5B96-1DF15C67DB01}'/><Execution ProcessID='592' ThreadID='5816'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='ProfileChanged'>All</Data><Data Name='RuleId'>{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}</Data><Data Name='RuleName'>Allow Dummy Rules</Data></EventData></Event>

datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/modify_rule.yml

@@ -0,0 +1,11 @@
+author: Teoderick Contreras, Splunk
+id: 70213818-04d7-11f0-9c6d-629be353806a
+date: '2025-03-19'
+description: Generated datasets for modify rule in attack range.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/firewall_win_event/modify_rule/MPSSVC_Rule-Level_Policy_Change-4947.log.txt
+sourcetypes:
+- 'XmlWinEventLog:Security'
+references:
+- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4947