Merge pull request #931 from nterl0k/nterl0k-t1033-query-remote-usage

patel-bhavin · web-flow · commit da34cadc53c6 · 2025-01-07T10:07:48.000-08:00
Nterl0k - T1033 Query.exe on Remote Devices
diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c0abb08c7fd7ef9a21251f059932a16813c2fdad9c6cb05a0389fcd6aa166820
+size 8122
diff --git a/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml b/datasets/attack_techniques/T1133/rdp/query_remote_usage/query_remote_usage.yml
@@ -0,0 +1,12 @@
+author: Steven Dick
+id: d5ce6a18-1de6-4351-9148-f81d47ae2a44
+date: '2025-01-06'
+description: 'A set of events related the usage of query.exe on remote devices.'
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/query_remote_usage/query_remote_usage.log
+sourcetypes:
+- XmlWinEventLog
+references:
+- https://attack.mitre.org/techniques/T1033/
+- https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:c0abb08c7fd7ef9a21251f059932a16813c2fdad9c6cb05a0389fcd6aa166820`
	`3`	`+size 8122`